Skip to content

Commit e8c0fce

Browse files
joefarebrotherjoefarebrother
committed
Use post-update nodes for this access in void handler
1 parent 7d11e44 commit e8c0fce

File tree

2 files changed

+8
-8
lines changed
  • csharp/ql
    • lib/semmle/code/csharp/frameworks
    • test/query-tests/Security Features/CWE-079/XssPageModels

2 files changed

+8
-8
lines changed

csharp/ql/lib/semmle/code/csharp/frameworks/Razor.qll

Lines changed: 6 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -4,6 +4,7 @@ private import csharp
44
private import codeql.util.Unit
55
private import codeql.util.FilePath
66
private import semmle.code.csharp.frameworks.microsoft.AspNetCore
7+
private import semmle.code.csharp.dataflow.internal.DataFlowPrivate
78

89
/** A call to the `View` method */
910
private class ViewCall extends MethodCall {
@@ -251,17 +252,18 @@ private MethodCall getAPageCall(PageModelClass pm) {
251252
["Page", "RedirectToPage"])
252253
}
253254

254-
private MethodCall getThisCallInVoidHandler(PageModelClass pm) {
255+
private ThisAccess getThisCallInVoidHandler(PageModelClass pm) {
255256
result.getEnclosingCallable() = pm.getAHandlerMethod() and
256-
result.getEnclosingCallable().getReturnType() instanceof VoidType and
257-
result.getQualifier() instanceof ThisAccess
257+
result.getEnclosingCallable().getReturnType() instanceof VoidType
258258
}
259259

260260
private class PageModelJumpNode extends DataFlow::NonLocalJumpNode {
261261
PageModelClass pm;
262262

263263
PageModelJumpNode() {
264-
this.asExpr() = [getAPageCall(pm), getThisCallInVoidHandler(pm)].getQualifier()
264+
this.asExpr() = getAPageCall(pm).getQualifier()
265+
or
266+
this.(PostUpdateNode).getPreUpdateNode().asExpr() = getThisCallInVoidHandler(pm)
265267
}
266268

267269
override DataFlow::Node getAJumpSuccessor(boolean preservesValue) {

csharp/ql/test/query-tests/Security Features/CWE-079/XssPageModels/test.expected

Lines changed: 2 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -3,10 +3,9 @@ edges
33
| TestModel.cs:13:21:13:28 | call to method source : String | TestModel.cs:13:9:13:12 | [post] this access : TestModel [property Name] : String |
44
| TestModel.cs:14:16:14:21 | this access : TestModel [property Name] : String | TestPage.cshtml.g.cs:63:35:63:48 | access to property Model : TestModel [property Name] : String |
55
| TestModel.cs:14:16:14:21 | this access : TestModel [property Name] : String | TestPage.cshtml:5:16:5:20 | access to property Model : TestModel [property Name] : String |
6-
| TestModel.cs:18:9:18:12 | [post] this access : TestModel [property Name] : String | TestModel.cs:18:16:18:23 | this access : TestModel [property Name] : String |
6+
| TestModel.cs:18:9:18:12 | [post] this access : TestModel [property Name] : String | TestPage.cshtml.g.cs:63:35:63:48 | access to property Model : TestModel [property Name] : String |
7+
| TestModel.cs:18:9:18:12 | [post] this access : TestModel [property Name] : String | TestPage.cshtml:5:16:5:20 | access to property Model : TestModel [property Name] : String |
78
| TestModel.cs:18:16:18:23 | call to method source : String | TestModel.cs:18:9:18:12 | [post] this access : TestModel [property Name] : String |
8-
| TestModel.cs:18:16:18:23 | this access : TestModel [property Name] : String | TestPage.cshtml.g.cs:63:35:63:48 | access to property Model : TestModel [property Name] : String |
9-
| TestModel.cs:18:16:18:23 | this access : TestModel [property Name] : String | TestPage.cshtml:5:16:5:20 | access to property Model : TestModel [property Name] : String |
109
| TestPage.cshtml.g.cs:63:35:63:48 | access to property Model : TestModel [property Name] : String | TestPage.cshtml:5:16:5:20 | access to property Model : TestModel [property Name] : String |
1110
| TestPage.cshtml:5:16:5:20 | access to property Model : TestModel [property Name] : String | TestPage.cshtml:5:16:5:25 | access to property Name |
1211
nodes
@@ -15,7 +14,6 @@ nodes
1514
| TestModel.cs:14:16:14:21 | this access : TestModel [property Name] : String | semmle.label | this access : TestModel [property Name] : String |
1615
| TestModel.cs:18:9:18:12 | [post] this access : TestModel [property Name] : String | semmle.label | [post] this access : TestModel [property Name] : String |
1716
| TestModel.cs:18:16:18:23 | call to method source : String | semmle.label | call to method source : String |
18-
| TestModel.cs:18:16:18:23 | this access : TestModel [property Name] : String | semmle.label | this access : TestModel [property Name] : String |
1917
| TestPage.cshtml.g.cs:63:35:63:48 | access to property Model : TestModel [property Name] : String | semmle.label | access to property Model : TestModel [property Name] : String |
2018
| TestPage.cshtml:5:16:5:20 | access to property Model : TestModel [property Name] : String | semmle.label | access to property Model : TestModel [property Name] : String |
2119
| TestPage.cshtml:5:16:5:25 | access to property Name | semmle.label | access to property Name |

0 commit comments

Comments
 (0)