treat relative URLs as safe for url-redirects

Author: erik-krogh

csharp/ql/lib/semmle/code/csharp/security/dataflow/UrlRedirectQuery.qll

@@ -161,6 +161,27 @@ class ContainsUrlSanitizer extends Sanitizer {
   }
 }
 
+/**
+ * A check that the URL is relative, and therefore safe for URL redirects.
+ */
+private predicate isRelativeUrlSanitizer(Guard guard, Expr e, AbstractValue v) {
+  exists(PropertyAccess access | access = guard |
+    access.getProperty().getName() = "IsAbsoluteUri" and
+    // TOOD: type = URL?
+    e = access.getQualifier() and
+    v.(AbstractValues::BooleanValue).getValue() = false
+  )
+}
+
+/**
+ * A check that the URL is relative, and therefore safe for URL redirects.
+ */
+class RelativeUrlSanitizer extends Sanitizer {
+  RelativeUrlSanitizer() {
+    this = DataFlow::BarrierGuard<isRelativeUrlSanitizer/3>::getABarrierNode()
+  }
+}
+
 /**
  * A call to the getter of the RawUrl property, whose value is considered to be safe for URL
  * redirects.

csharp/ql/test/query-tests/Security Features/CWE-601/UrlRedirect/UrlRedirect2.cs

@@ -20,6 +20,12 @@ public void ProcessRequest(HttpContext ctx)
             // GOOD: the request parameter is validated against set of known fixed strings
             ctx.Response.Redirect(redirectUrl);
         }
+
+        var url = new Uri(redirectUrl, UriKind.RelativeOrAbsolute);
+        if (!url.IsAbsoluteUri) {
+            // GOOD: The redirect is to a relative URL
+            ctx.Response.Redirect(url.ToString());
+        }
 
     }
 }