Reword of help file

h3ku · web-flow · commit 16e39414bc0e · 2020-05-15T18:14:52.000+01:00
diff --git a/csharp/ql/src/experimental/CWE-099/TaintedWebClient.qhelp b/csharp/ql/src/experimental/CWE-099/TaintedWebClient.qhelp
@@ -1,34 +1,48 @@
 <!DOCTYPE qhelp PUBLIC
-  "-//Semmle//qhelp//EN"
-  "qhelp.dtd">
+"-//Semmle//qhelp//EN"
+"qhelp.dtd">
 <qhelp>
 <overview>
-<p>The WebClient class provices common methods for sending data to and receiving data from a resource identified by a URI.
-Even that the name of the class is WebClient the support is not only limited to WebResources but also local resources. This
-can result in sensitive information being revealed.</p>
-
-<p>URIs that are naively constructed from data controlled by a user may contain local paths with unexpected special characters,
-such as "..". Such a path may potentially point to any directory on the file system.</p>
+<p>The WebClient class provides a variety of methods for data transmission and
+communication with a particular URI. Despite of the class' naming convention,
+the URI scheme can also identify local resources, not only remote ones. Tainted
+by user-supplied input, the URI can be leveraged to access resources available
+on the local file system, therefore leading to the disclosure of sensitive
+information. This can be trivially achieved by supplying path traversal
+sequences (../) followed by an existing directory or file path.</p>
+
+<p>Sanitization of  user-supplied URI values using the
+<code>StartsWith("https://")</code> method is deemed insufficient in preventing
+arbitrary file reads. This is due to the fact that .NET ignores the protocol
+handler (https in this case) in URIs like the following:
+"https://../../../../etc/passwd".</p>
 
 </overview>
 <recommendation>
 
-<p>Validate user input before using it to ensure that is a URI of an external resource and not a local one. 
-Pontetial solutions:</p>
+<p>Validate user input before using it to ensure that is a URI of an external
+resource and not a local one. 
+Potential solutions:</p>
 
 <ul>
-<li>Sanitize potentially tainted paths using <code>System.Uri.IsWellFormedUriString</code>.</li>
+<li>Sanitize potentially tainted paths using
+<code>System.Uri.IsWellFormedUriString</code>.</li>
 </ul>
 
 </recommendation>
 <example>
 
-<p>In the first example, a domain name is read from a <code>HttpRequest</code> and then used to request this domain. However, a
-malicious user could enter a local path - for example, "../../../etc/passwd". In the second example, it
-appears that user is restricted to the HTTPS protocol handler. However, a malicious user could
-still enter a local path. For example, the string "../../../etc/passwd" will result in the code
-reading the file located at "/etc/passwd", which is the system's password file. This file would then be
-sent back to the user, giving them access to all the system's passwords.</p>
+<p>In the first example, a domain name is read from a <code>HttpRequest</code>
+and then this domain is requested using the method <code>DownloadString</code>.
+However, a malicious user could enter a local path - for example,
+"../../../etc/passwd" instead of a domain. 
+In the second example, it appears that the user is restricted to the HTTPS
+protocol handler. However, a malicious user could still enter a local path,
+since as explained above the protocol handler will be ignored by .net. For
+example, the string "https://../../../etc/passwd" will result in the code
+reading the file located at "/etc/passwd", which is the system's password file.
+This file would then be sent back to the user, giving them access to all the
+system's passwords.</p>
 
 <sample src="TaintedWebClient.cs" />
 
@@ -41,7 +55,8 @@ OWASP:
 </li>
 <li>
 CWE-099:
-<a href="https://cwe.mitre.org/data/definitions/99.html">Resource Injection</a>.
+<a href="https://cwe.mitre.org/data/definitions/99.html">Resource
+Injection</a>.
 </li>
 
 </references>
