Increase accuracy of user controlled data

Author: Kwstubbs

csharp/ql/lib/ext/Microsoft.AspNetCore.Components.model.yml

@@ -3,7 +3,6 @@ extensions:
       pack: codeql/csharp-all
       extensible: sourceModel
     data:
-      - ["Microsoft.AspNetCore.Components", "NavigationManager", True, "get_BaseUri", "", "", "ReturnValue", "remote", "manual"]
       - ["Microsoft.AspNetCore.Components", "NavigationManager", True, "get_Uri", "", "", "ReturnValue", "remote", "manual"]
       - ["Microsoft.AspNetCore.Components", "SupplyParameterFromFormAttribute", False, "", "", "Attribute.Getter", "ReturnValue", "remote", "manual"]
       - ["Microsoft.AspNetCore.Components", "SupplyParameterFromQueryAttribute", False, "", "", "Attribute.Getter", "ReturnValue", "remote", "manual"]

csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/Remote.qll

@@ -237,8 +237,15 @@ class AspNetCoreQueryRemoteFlowSource extends AspNetCoreRemoteFlowSource, DataFl
       t instanceof MicrosoftAspNetCoreHttpQueryCollection or
       t instanceof MicrosoftAspNetCoreHttpQueryString
     |
-      this.getExpr().(Call).getTarget().getDeclaringType() = t or
-      this.asExpr().(Access).getTarget().getDeclaringType() = t
+      (
+        this.getExpr().(Call).getTarget().getDeclaringType() = t or
+        this.asExpr().(Access).getTarget().getDeclaringType() = t
+      ) and
+      not this.asExpr()
+          .(MemberAccess)
+          .getQualifiedDeclaration()
+          .hasFullyQualifiedName("Microsoft.AspNetCore.Http", "HttpRequest",
+            ["Method", "Scheme", "IsHttps", "Protocol"])
     )
     or
     exists(Call c |