Add case for void-returning handler methods

joefarebrother · joefarebrother · commit b9754df39025 · 2024-01-04T14:25:39.000Z
diff --git a/csharp/ql/lib/semmle/code/csharp/frameworks/Razor.qll b/csharp/ql/lib/semmle/code/csharp/frameworks/Razor.qll
@@ -251,10 +251,18 @@ private MethodCall getAPageCall(PageModelClass pm) {
         ["Page", "RedirectToPage"])
 }
 
+private MethodCall getImplicitThisCallInVoidHandler(PageModelClass pm) {
+  result.getEnclosingCallable() = pm.getAHandlerMethod() and
+  result.getEnclosingCallable().getReturnType() instanceof VoidType and
+  result.hasImplicitThisQualifier()
+}
+
 private class PageModelJumpNode extends DataFlow::NonLocalJumpNode {
   PageModelClass pm;
 
-  PageModelJumpNode() { this.asExpr() = getAPageCall(pm).getQualifier() }
+  PageModelJumpNode() {
+    this.asExpr() = [getAPageCall(pm), getImplicitThisCallInVoidHandler(pm)].getQualifier()
+  }
 
   override DataFlow::Node getAJumpSuccessor(boolean preservesValue) {
     preservesValue = true and
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/XssPageModels/TestModel.cs b/csharp/ql/test/query-tests/Security Features/CWE-079/XssPageModels/TestModel.cs
@@ -5,12 +5,16 @@
 namespace test;
 
 class TestModel : PageModel {
-    public string Name {get; set; } = "abc";
+    public string Name { get; set; } = "abc";
 
     private string source() { return "x"; }
 
-    public async Task<IActionResult> OnGetAsync() {
+    public async Task<IActionResult> OnPostAsync() {
         Name = source();
         return Page();
     }
+
+    public void OnGet() { 
+        Name = source();
+    }
 }
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/XssPageModels/test.expected b/csharp/ql/test/query-tests/Security Features/CWE-079/XssPageModels/test.expected
@@ -1 +1,2 @@
 | TestPage.cshtml:5:16:5:25 | access to property Name | TestModel.cs:13:16:13:23 | call to method source | TestPage.cshtml:5:16:5:25 | access to property Name | Xss |
+| TestPage.cshtml:5:16:5:25 | access to property Name | TestModel.cs:18:16:18:23 | call to method source | TestPage.cshtml:5:16:5:25 | access to property Name | Xss |

Original file line number	Diff line number	Diff line change
`@@ -1 +1,2 @@`
`1`	`1`	`\| TestPage.cshtml:5:16:5:25 \| access to property Name \| TestModel.cs:13:16:13:23 \| call to method source \| TestPage.cshtml:5:16:5:25 \| access to property Name \| Xss \|`
	`2`	`+\| TestPage.cshtml:5:16:5:25 \| access to property Name \| TestModel.cs:18:16:18:23 \| call to method source \| TestPage.cshtml:5:16:5:25 \| access to property Name \| Xss \|`