add a sanitizer for List.Contains() in url-redirect

Author: erik-krogh

csharp/ql/lib/semmle/code/csharp/security/dataflow/UrlRedirectQuery.qll

@@ -139,6 +139,28 @@ class LocalUrlSanitizer extends Sanitizer {
   LocalUrlSanitizer() { this = DataFlow::BarrierGuard<isLocalUrlSanitizer/3>::getABarrierNode() }
 }
 
+/**
+ * A argument to a call to `List.Contains()` that is a sanitizer for URL redirects.
+ */
+private predicate isContainsUrlSanitizer(Guard guard, Expr e, AbstractValue v) {
+  exists(MethodCall method | method = guard |
+    exists(Method m | m = method.getTarget() |
+      m.hasName("Contains") and
+      e = method.getArgument(0)
+    ) and
+    v.(AbstractValues::BooleanValue).getValue() = true
+  )
+}
+
+/**
+ * A URL argument to a call to `List.Contains()` that is a sanitizer for URL redirects.
+ */
+class ContainsUrlSanitizer extends Sanitizer {
+  ContainsUrlSanitizer() {
+    this = DataFlow::BarrierGuard<isContainsUrlSanitizer/3>::getABarrierNode()
+  }
+}
+
 /**
  * A call to the getter of the RawUrl property, whose value is considered to be safe for URL
  * redirects.

csharp/ql/test/query-tests/Security Features/CWE-601/UrlRedirect/UrlRedirect2.cs

@@ -14,6 +14,12 @@ public void ProcessRequest(HttpContext ctx)
         ctx.Response.Redirect(ctx.Request.QueryString["page"]);
 
         List<string> VALID_REDIRECTS = new List<string>{ "http://cwe.mitre.org/data/definitions/601.html", "http://cwe.mitre.org/data/definitions/79.html" };
+        var redirectUrl = ctx.Request.QueryString["page"];
+        if (VALID_REDIRECTS.Contains(redirectUrl))
+        {
+            // GOOD: the request parameter is validated against set of known fixed strings
+            ctx.Response.Redirect(redirectUrl);
+        }
 
     }
 }