C#: Add some stubs, a testcase and update the expected output without based on main.

Author: michaelnebel

csharp/ql/test/query-tests/Security Features/CWE-601/UrlRedirect/UrlRedirect.cs

@@ -1,5 +1,6 @@
 using System;
 using System.Web;
+using System.Web.Helpers;
 using System.Web.Mvc;
 
 public class UrlRedirectHandler : IHttpHandler
@@ -48,6 +49,13 @@ public void ProcessRequest(HttpContext ctx)
 
         // GOOD: request parameter is URL encoded
         ctx.Response.Redirect(HttpUtility.UrlEncode(ctx.Request.QueryString["page"]));
+
+        // GOOD: whitelisted redirect
+        var url3 = ctx.Request.QueryString["page"];
+        if (new HttpRequestWrapper(ctx.Request).IsUrlLocalToHost(url3))
+        {
+            ctx.Response.Redirect(url3);
+        }
     }
 
     // Implementation as recommended by Microsoft.

csharp/ql/test/query-tests/Security Features/CWE-601/UrlRedirect/UrlRedirect.expected

@@ -1,10 +1,13 @@
 edges
-| UrlRedirect.cs:12:31:12:53 | access to property QueryString : NameValueCollection | UrlRedirect.cs:12:31:12:61 | access to indexer |
-| UrlRedirect.cs:22:22:22:44 | access to property QueryString : NameValueCollection | UrlRedirect.cs:22:22:22:52 | access to indexer : String |
-| UrlRedirect.cs:22:22:22:44 | access to property QueryString : NameValueCollection | UrlRedirect.cs:47:29:47:31 | access to local variable url |
-| UrlRedirect.cs:22:22:22:52 | access to indexer : String | UrlRedirect.cs:47:29:47:31 | access to local variable url |
-| UrlRedirect.cs:37:44:37:66 | access to property QueryString : NameValueCollection | UrlRedirect.cs:37:44:37:74 | access to indexer |
-| UrlRedirect.cs:38:47:38:69 | access to property QueryString : NameValueCollection | UrlRedirect.cs:38:47:38:77 | access to indexer |
+| UrlRedirect.cs:13:31:13:53 | access to property QueryString : NameValueCollection | UrlRedirect.cs:13:31:13:61 | access to indexer |
+| UrlRedirect.cs:23:22:23:44 | access to property QueryString : NameValueCollection | UrlRedirect.cs:23:22:23:52 | access to indexer : String |
+| UrlRedirect.cs:23:22:23:44 | access to property QueryString : NameValueCollection | UrlRedirect.cs:48:29:48:31 | access to local variable url |
+| UrlRedirect.cs:23:22:23:52 | access to indexer : String | UrlRedirect.cs:48:29:48:31 | access to local variable url |
+| UrlRedirect.cs:38:44:38:66 | access to property QueryString : NameValueCollection | UrlRedirect.cs:38:44:38:74 | access to indexer |
+| UrlRedirect.cs:39:47:39:69 | access to property QueryString : NameValueCollection | UrlRedirect.cs:39:47:39:77 | access to indexer |
+| UrlRedirect.cs:54:20:54:42 | access to property QueryString : NameValueCollection | UrlRedirect.cs:54:20:54:50 | access to indexer : String |
+| UrlRedirect.cs:54:20:54:42 | access to property QueryString : NameValueCollection | UrlRedirect.cs:57:35:57:38 | access to local variable url3 |
+| UrlRedirect.cs:54:20:54:50 | access to indexer : String | UrlRedirect.cs:57:35:57:38 | access to local variable url3 |
 | UrlRedirectCore.cs:13:44:13:48 | value : String | UrlRedirectCore.cs:16:22:16:26 | access to parameter value |
 | UrlRedirectCore.cs:13:44:13:48 | value : String | UrlRedirectCore.cs:19:44:19:48 | call to operator implicit conversion |
 | UrlRedirectCore.cs:13:44:13:48 | value : String | UrlRedirectCore.cs:25:46:25:50 | call to operator implicit conversion |
@@ -17,15 +20,18 @@ edges
 | UrlRedirectCore.cs:45:51:45:55 | value : String | UrlRedirectCore.cs:56:31:56:35 | access to parameter value |
 | UrlRedirectCore.cs:53:40:53:44 | access to parameter value : String | UrlRedirectCore.cs:53:32:53:45 | object creation of type Uri |
 nodes
-| UrlRedirect.cs:12:31:12:53 | access to property QueryString : NameValueCollection | semmle.label | access to property QueryString : NameValueCollection |
-| UrlRedirect.cs:12:31:12:61 | access to indexer | semmle.label | access to indexer |
-| UrlRedirect.cs:22:22:22:44 | access to property QueryString : NameValueCollection | semmle.label | access to property QueryString : NameValueCollection |
-| UrlRedirect.cs:22:22:22:52 | access to indexer : String | semmle.label | access to indexer : String |
-| UrlRedirect.cs:37:44:37:66 | access to property QueryString : NameValueCollection | semmle.label | access to property QueryString : NameValueCollection |
-| UrlRedirect.cs:37:44:37:74 | access to indexer | semmle.label | access to indexer |
-| UrlRedirect.cs:38:47:38:69 | access to property QueryString : NameValueCollection | semmle.label | access to property QueryString : NameValueCollection |
-| UrlRedirect.cs:38:47:38:77 | access to indexer | semmle.label | access to indexer |
-| UrlRedirect.cs:47:29:47:31 | access to local variable url | semmle.label | access to local variable url |
+| UrlRedirect.cs:13:31:13:53 | access to property QueryString : NameValueCollection | semmle.label | access to property QueryString : NameValueCollection |
+| UrlRedirect.cs:13:31:13:61 | access to indexer | semmle.label | access to indexer |
+| UrlRedirect.cs:23:22:23:44 | access to property QueryString : NameValueCollection | semmle.label | access to property QueryString : NameValueCollection |
+| UrlRedirect.cs:23:22:23:52 | access to indexer : String | semmle.label | access to indexer : String |
+| UrlRedirect.cs:38:44:38:66 | access to property QueryString : NameValueCollection | semmle.label | access to property QueryString : NameValueCollection |
+| UrlRedirect.cs:38:44:38:74 | access to indexer | semmle.label | access to indexer |
+| UrlRedirect.cs:39:47:39:69 | access to property QueryString : NameValueCollection | semmle.label | access to property QueryString : NameValueCollection |
+| UrlRedirect.cs:39:47:39:77 | access to indexer | semmle.label | access to indexer |
+| UrlRedirect.cs:48:29:48:31 | access to local variable url | semmle.label | access to local variable url |
+| UrlRedirect.cs:54:20:54:42 | access to property QueryString : NameValueCollection | semmle.label | access to property QueryString : NameValueCollection |
+| UrlRedirect.cs:54:20:54:50 | access to indexer : String | semmle.label | access to indexer : String |
+| UrlRedirect.cs:57:35:57:38 | access to local variable url3 | semmle.label | access to local variable url3 |
 | UrlRedirectCore.cs:13:44:13:48 | value : String | semmle.label | value : String |
 | UrlRedirectCore.cs:16:22:16:26 | access to parameter value | semmle.label | access to parameter value |
 | UrlRedirectCore.cs:19:44:19:48 | call to operator implicit conversion | semmle.label | call to operator implicit conversion |
@@ -41,10 +47,11 @@ nodes
 | UrlRedirectCore.cs:56:31:56:35 | access to parameter value | semmle.label | access to parameter value |
 subpaths
 #select
-| UrlRedirect.cs:12:31:12:61 | access to indexer | UrlRedirect.cs:12:31:12:53 | access to property QueryString : NameValueCollection | UrlRedirect.cs:12:31:12:61 | access to indexer | Untrusted URL redirection due to $@. | UrlRedirect.cs:12:31:12:53 | access to property QueryString | user-provided value |
-| UrlRedirect.cs:37:44:37:74 | access to indexer | UrlRedirect.cs:37:44:37:66 | access to property QueryString : NameValueCollection | UrlRedirect.cs:37:44:37:74 | access to indexer | Untrusted URL redirection due to $@. | UrlRedirect.cs:37:44:37:66 | access to property QueryString | user-provided value |
-| UrlRedirect.cs:38:47:38:77 | access to indexer | UrlRedirect.cs:38:47:38:69 | access to property QueryString : NameValueCollection | UrlRedirect.cs:38:47:38:77 | access to indexer | Untrusted URL redirection due to $@. | UrlRedirect.cs:38:47:38:69 | access to property QueryString | user-provided value |
-| UrlRedirect.cs:47:29:47:31 | access to local variable url | UrlRedirect.cs:22:22:22:44 | access to property QueryString : NameValueCollection | UrlRedirect.cs:47:29:47:31 | access to local variable url | Untrusted URL redirection due to $@. | UrlRedirect.cs:22:22:22:44 | access to property QueryString | user-provided value |
+| UrlRedirect.cs:13:31:13:61 | access to indexer | UrlRedirect.cs:13:31:13:53 | access to property QueryString : NameValueCollection | UrlRedirect.cs:13:31:13:61 | access to indexer | Untrusted URL redirection due to $@. | UrlRedirect.cs:13:31:13:53 | access to property QueryString | user-provided value |
+| UrlRedirect.cs:38:44:38:74 | access to indexer | UrlRedirect.cs:38:44:38:66 | access to property QueryString : NameValueCollection | UrlRedirect.cs:38:44:38:74 | access to indexer | Untrusted URL redirection due to $@. | UrlRedirect.cs:38:44:38:66 | access to property QueryString | user-provided value |
+| UrlRedirect.cs:39:47:39:77 | access to indexer | UrlRedirect.cs:39:47:39:69 | access to property QueryString : NameValueCollection | UrlRedirect.cs:39:47:39:77 | access to indexer | Untrusted URL redirection due to $@. | UrlRedirect.cs:39:47:39:69 | access to property QueryString | user-provided value |
+| UrlRedirect.cs:48:29:48:31 | access to local variable url | UrlRedirect.cs:23:22:23:44 | access to property QueryString : NameValueCollection | UrlRedirect.cs:48:29:48:31 | access to local variable url | Untrusted URL redirection due to $@. | UrlRedirect.cs:23:22:23:44 | access to property QueryString | user-provided value |
+| UrlRedirect.cs:57:35:57:38 | access to local variable url3 | UrlRedirect.cs:54:20:54:42 | access to property QueryString : NameValueCollection | UrlRedirect.cs:57:35:57:38 | access to local variable url3 | Untrusted URL redirection due to $@. | UrlRedirect.cs:54:20:54:42 | access to property QueryString | user-provided value |
 | UrlRedirectCore.cs:16:22:16:26 | access to parameter value | UrlRedirectCore.cs:13:44:13:48 | value : String | UrlRedirectCore.cs:16:22:16:26 | access to parameter value | Untrusted URL redirection due to $@. | UrlRedirectCore.cs:13:44:13:48 | value | user-provided value |
 | UrlRedirectCore.cs:19:44:19:48 | call to operator implicit conversion | UrlRedirectCore.cs:13:44:13:48 | value : String | UrlRedirectCore.cs:19:44:19:48 | call to operator implicit conversion | Untrusted URL redirection due to $@. | UrlRedirectCore.cs:13:44:13:48 | value | user-provided value |
 | UrlRedirectCore.cs:25:46:25:50 | call to operator implicit conversion | UrlRedirectCore.cs:13:44:13:48 | value : String | UrlRedirectCore.cs:25:46:25:50 | call to operator implicit conversion | Untrusted URL redirection due to $@. | UrlRedirectCore.cs:13:44:13:48 | value | user-provided value |

csharp/ql/test/resources/stubs/System.Web.cs

@@ -81,7 +81,7 @@ public class Control
 
     public class Page
     {
-        public System.Security.Principal.IPrincipal User { get; } 
+        public System.Security.Principal.IPrincipal User { get; }
         public System.Web.HttpRequest Request { get; }
     }
 
@@ -157,6 +157,11 @@ public class HttpRequest
         public HttpCookieCollection Cookies => null;
     }
 
+    public class HttpRequestWrapper : System.Web.HttpRequestBase
+    {
+        public HttpRequestWrapper(HttpRequest r) { }
+    }
+
     public class HttpResponse
     {
         public void Write(object o) { }
@@ -306,15 +311,16 @@ public class RequestContext
     {
     }
 
-    public class Route 
+    public class Route
     {
     }
 
-    public class RouteTable {
+    public class RouteTable
+    {
         public RouteCollection Routes { get; }
     }
 
-    public class RouteCollection 
+    public class RouteCollection
     {
         public Route MapPageRoute(string routeName, string routeUrl, string physicalFile, bool checkPhysicalUrlAccess) { return null; }
     }
@@ -367,6 +373,11 @@ public static class AntiForgery
     {
         public static void Validate() { }
     }
+
+    public static class RequestExtensions
+    {
+        public static bool IsUrlLocalToHost(this System.Web.HttpRequestBase request, string url) => throw null;
+    }
 }
 
 namespace System.Web.Script.Serialization