Add redirect sinks

rvermeulen · rvermeulen · commit 3818971b79d9 · 2021-02-09T13:09:02.000+01:00
Both the familiy of `Accepted` and `Created` method set the location
header based on provided input. If this is untrusted input this can
result in an URL redirect attack.
diff --git a/csharp/ql/src/semmle/code/csharp/frameworks/microsoft/AspNetCore.qll b/csharp/ql/src/semmle/code/csharp/frameworks/microsoft/AspNetCore.qll
@@ -195,7 +195,13 @@ class MicrosoftAspNetCoreMvcController extends Class {
   /** Gets a `Redirect*` method. */
   Method getARedirectMethod() {
     result = this.getAMethod() and
-    result.getName().matches("Redirect%")
+    (
+      result.getName().matches("Redirect%")
+      or
+      result.getName().matches("Accepted%")
+      or
+      result.getName().matches("Created%")
+    )
   }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -195,7 +195,13 @@ class MicrosoftAspNetCoreMvcController extends Class {`
`195`	`195`	/** Gets a `Redirect` method. /
`196`	`196`	`Method getARedirectMethod() {`
`197`	`197`	`result = this.getAMethod() and`
`198`		`- result.getName().matches("Redirect%")`
	`198`	`+ (`
	`199`	`+ result.getName().matches("Redirect%")`
	`200`	`+ or`
	`201`	`+ result.getName().matches("Accepted%")`
	`202`	`+ or`
	`203`	`+ result.getName().matches("Created%")`
	`204`	`+ )`
`199`	`205`	`}`
`200`	`206`	`}`
`201`	`207`