Add unit tests + fix issue in stubs

Author: joefarebrother

csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Controllers/TestController.cs

@@ -10,7 +10,73 @@ public class UserData
 }
 
 public class TestController : Controller {
-    public IActionResult test1(UserData tainted) {
-        return View("Test1", tainted);
+    public IActionResult test1(UserData tainted1) {
+        // Expected to find file /Views/Test/Test1.cshtml
+        return View("Test1", tainted1);
     }
+
+    public IActionResult test2(UserData tainted2) {
+        // Expected to find file /Views/Shared/Test2.cshtml
+        return View("Test2", tainted2);
+    }
+
+    public IActionResult test3(UserData tainted3) {
+        // Expected to find file /Views/Test/Test3.cshtml and NOT /Views/Shared/Test3.cshtml
+        return View("Test3", tainted3);
+    }
+
+    public IActionResult test4(UserData tainted4) {
+        // Expected to find file /Views/Test/Test4.cshtml
+        return View("./Test4", tainted4);
+    }
+
+    public IActionResult test5(UserData tainted5) {
+        // Expected to find file /Views/Other/Test5.cshtml
+        return View("../Other/Test5", tainted5);
+    }
+
+    public IActionResult test6(UserData tainted6) {
+        // Expected to find file /Views/Other/Test6.cshtml
+        return View("../../Views/.////Shared/../Other//Test6", tainted6);
+    }
+
+    public IActionResult Test7(UserData tainted7) {
+        // Expected to find file /Views/Test/Test7.cshtml
+        return View(tainted7);
+    }
+
+    public IActionResult test8(UserData tainted8) {
+        // Expected to find file /Views/Other/Test8.cshtml
+        return View("/Views/Other/Test8.cshtml", tainted8);
+    }
+
+    public IActionResult test9(UserData tainted9) {
+        // Expected to find file /Views/Test/Test9.cshtml
+        return View("~/Views/Other/Test9.cshtml", tainted9);
+    }
+}
+
+public class Test2Controller : Controller { 
+    public IActionResult test10(UserData tainted10) {
+        // Expected to find file /Views/Test2/Test10.cshtml
+        return View("Test10", tainted10);
+    }
+
+    public IActionResult test11(UserData tainted11) {
+        // Expected to find file /Views/Test2/Test10.cshtml
+        return helper(tainted11);
+    }
+
+    private IActionResult helper(UserData x) {
+        return View("Test11", x);
+    }
+
+    public IActionResult Test12(UserData tainted12) {
+        // Expected to find nothing.
+        return helper2(tainted12);
+    }
+
+    private IActionResult helper2(UserData x) {
+        return View(x);
+    }    
 }

csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Views_Other_Test13.cshtml.g.cs

@@ -0,0 +1,74 @@
+// A test file that mimics the output of compiling a `.cshtml` file
+// <auto-generated/>
+#pragma warning disable 1591
+[assembly: global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemAttribute(typeof(test.Views.Views_Other_Test13), @"mvc.1.0.view", @"/Views/Other/Test13.cshtml")]
+namespace test.Views
+{
+    #line hidden
+    using System;
+    using System.Collections.Generic;
+    using System.Linq;
+    using System.Threading.Tasks;
+    using Microsoft.AspNetCore.Mvc;
+    using Microsoft.AspNetCore.Mvc.Rendering;
+    using Microsoft.AspNetCore.Mvc.ViewFeatures;
+#nullable restore
+using test;
+
+#line default
+#line hidden
+#nullable disable
+    [global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemMetadataAttribute("Identifier", "/Views/Other/Test13.cshtml")]
+    public class Views_Other_Test13 : global::Microsoft.AspNetCore.Mvc.Razor.RazorPage<UserData>
+    {
+        #pragma warning disable 1998
+        public async override global::System.Threading.Tasks.Task ExecuteAsync()
+        {
+#line 6 "Views/Other/Test13.cshtml"
+ if (Model != null)
+{
+
+#line default
+#line hidden
+#nullable disable
+            WriteLiteral("    <h3>Hello \"");
+#nullable restore
+#line 8 "Views/Other/Test13.cshtml"
+Write(Html.Raw(Model.Name));
+
+#line default
+#line hidden
+#nullable disable
+            WriteLiteral("\"</h3>\n");
+#nullable restore
+#line 9 "Views/Other/Test13.cshtml"
+}
+
+#line default
+#line hidden
+#nullable disable
+        }
+        #pragma warning restore 1998
+        #nullable restore
+        [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute]
+        public global::Microsoft.AspNetCore.Mvc.ViewFeatures.IModelExpressionProvider ModelExpressionProvider { get; private set; } = default!;
+        #nullable disable
+        #nullable restore
+        [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute]
+        public global::Microsoft.AspNetCore.Mvc.IUrlHelper Url { get; private set; } = default!;
+        #nullable disable
+        #nullable restore
+        [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute]
+        public global::Microsoft.AspNetCore.Mvc.IViewComponentHelper Component { get; private set; } = default!;
+        #nullable disable
+        #nullable restore
+        [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute]
+        public global::Microsoft.AspNetCore.Mvc.Rendering.IJsonHelper Json { get; private set; } = default!;
+        #nullable disable
+        #nullable restore
+        [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute]
+        public global::Microsoft.AspNetCore.Mvc.Rendering.IHtmlHelper<UserData> Html { get; private set; } = default!;
+        #nullable disable
+    }
+}
+#pragma warning restore 1591

csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Views_Other_Test5.cshtml.g.cs

@@ -0,0 +1,74 @@
+// A test file that mimics the output of compiling a `.cshtml` file
+// <auto-generated/>
+#pragma warning disable 1591
+[assembly: global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemAttribute(typeof(test.Views.Views_Other_Test5), @"mvc.1.0.view", @"/Views/Other/Test5.cshtml")]
+namespace test.Views
+{
+    #line hidden
+    using System;
+    using System.Collections.Generic;
+    using System.Linq;
+    using System.Threading.Tasks;
+    using Microsoft.AspNetCore.Mvc;
+    using Microsoft.AspNetCore.Mvc.Rendering;
+    using Microsoft.AspNetCore.Mvc.ViewFeatures;
+#nullable restore
+using test;
+
+#line default
+#line hidden
+#nullable disable
+    [global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemMetadataAttribute("Identifier", "/Views/Other/Test5.cshtml")]
+    public class Views_Other_Test5 : global::Microsoft.AspNetCore.Mvc.Razor.RazorPage<UserData>
+    {
+        #pragma warning disable 1998
+        public async override global::System.Threading.Tasks.Task ExecuteAsync()
+        {
+#line 6 "Views/Other/Test5.cshtml"
+ if (Model != null)
+{
+
+#line default
+#line hidden
+#nullable disable
+            WriteLiteral("    <h3>Hello \"");
+#nullable restore
+#line 8 "Views/Other/Test5.cshtml"
+Write(Html.Raw(Model.Name));
+
+#line default
+#line hidden
+#nullable disable
+            WriteLiteral("\"</h3>\n");
+#nullable restore
+#line 9 "Views/Other/Test5.cshtml"
+}
+
+#line default
+#line hidden
+#nullable disable
+        }
+        #pragma warning restore 1998
+        #nullable restore
+        [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute]
+        public global::Microsoft.AspNetCore.Mvc.ViewFeatures.IModelExpressionProvider ModelExpressionProvider { get; private set; } = default!;
+        #nullable disable
+        #nullable restore
+        [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute]
+        public global::Microsoft.AspNetCore.Mvc.IUrlHelper Url { get; private set; } = default!;
+        #nullable disable
+        #nullable restore
+        [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute]
+        public global::Microsoft.AspNetCore.Mvc.IViewComponentHelper Component { get; private set; } = default!;
+        #nullable disable
+        #nullable restore
+        [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute]
+        public global::Microsoft.AspNetCore.Mvc.Rendering.IJsonHelper Json { get; private set; } = default!;
+        #nullable disable
+        #nullable restore
+        [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute]
+        public global::Microsoft.AspNetCore.Mvc.Rendering.IHtmlHelper<UserData> Html { get; private set; } = default!;
+        #nullable disable
+    }
+}
+#pragma warning restore 1591

csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Views_Other_Test6.cshtml.g.cs

@@ -0,0 +1,74 @@
+// A test file that mimics the output of compiling a `.cshtml` file
+// <auto-generated/>
+#pragma warning disable 1591
+[assembly: global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemAttribute(typeof(test.Views.Views_Other_Test6), @"mvc.1.0.view", @"/Views/Other/Test6.cshtml")]
+namespace test.Views
+{
+    #line hidden
+    using System;
+    using System.Collections.Generic;
+    using System.Linq;
+    using System.Threading.Tasks;
+    using Microsoft.AspNetCore.Mvc;
+    using Microsoft.AspNetCore.Mvc.Rendering;
+    using Microsoft.AspNetCore.Mvc.ViewFeatures;
+#nullable restore
+using test;
+
+#line default
+#line hidden
+#nullable disable
+    [global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemMetadataAttribute("Identifier", "/Views/Other/Test6.cshtml")]
+    public class Views_Other_Test6 : global::Microsoft.AspNetCore.Mvc.Razor.RazorPage<UserData>
+    {
+        #pragma warning disable 1998
+        public async override global::System.Threading.Tasks.Task ExecuteAsync()
+        {
+#line 6 "Views/Other/Test6.cshtml"
+ if (Model != null)
+{
+
+#line default
+#line hidden
+#nullable disable
+            WriteLiteral("    <h3>Hello \"");
+#nullable restore
+#line 8 "Views/Other/Test6.cshtml"
+Write(Html.Raw(Model.Name));
+
+#line default
+#line hidden
+#nullable disable
+            WriteLiteral("\"</h3>\n");
+#nullable restore
+#line 9 "Views/Other/Test6.cshtml"
+}
+
+#line default
+#line hidden
+#nullable disable
+        }
+        #pragma warning restore 1998
+        #nullable restore
+        [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute]
+        public global::Microsoft.AspNetCore.Mvc.ViewFeatures.IModelExpressionProvider ModelExpressionProvider { get; private set; } = default!;
+        #nullable disable
+        #nullable restore
+        [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute]
+        public global::Microsoft.AspNetCore.Mvc.IUrlHelper Url { get; private set; } = default!;
+        #nullable disable
+        #nullable restore
+        [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute]
+        public global::Microsoft.AspNetCore.Mvc.IViewComponentHelper Component { get; private set; } = default!;
+        #nullable disable
+        #nullable restore
+        [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute]
+        public global::Microsoft.AspNetCore.Mvc.Rendering.IJsonHelper Json { get; private set; } = default!;
+        #nullable disable
+        #nullable restore
+        [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute]
+        public global::Microsoft.AspNetCore.Mvc.Rendering.IHtmlHelper<UserData> Html { get; private set; } = default!;
+        #nullable disable
+    }
+}
+#pragma warning restore 1591

csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Views_Other_Test8.cshtml.g.cs

@@ -0,0 +1,74 @@
+// A test file that mimics the output of compiling a `.cshtml` file
+// <auto-generated/>
+#pragma warning disable 1591
+[assembly: global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemAttribute(typeof(test.Views.Views_Other_Test8), @"mvc.1.0.view", @"/Views/Other/Test8.cshtml")]
+namespace test.Views
+{
+    #line hidden
+    using System;
+    using System.Collections.Generic;
+    using System.Linq;
+    using System.Threading.Tasks;
+    using Microsoft.AspNetCore.Mvc;
+    using Microsoft.AspNetCore.Mvc.Rendering;
+    using Microsoft.AspNetCore.Mvc.ViewFeatures;
+#nullable restore
+using test;
+
+#line default
+#line hidden
+#nullable disable
+    [global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemMetadataAttribute("Identifier", "/Views/Other/Test8.cshtml")]
+    public class Views_Other_Test8 : global::Microsoft.AspNetCore.Mvc.Razor.RazorPage<UserData>
+    {
+        #pragma warning disable 1998
+        public async override global::System.Threading.Tasks.Task ExecuteAsync()
+        {
+#line 6 "Views/Other/Test8.cshtml"
+ if (Model != null)
+{
+
+#line default
+#line hidden
+#nullable disable
+            WriteLiteral("    <h3>Hello \"");
+#nullable restore
+#line 8 "Views/Other/Test8.cshtml"
+Write(Html.Raw(Model.Name));
+
+#line default
+#line hidden
+#nullable disable
+            WriteLiteral("\"</h3>\n");
+#nullable restore
+#line 9 "Views/Other/Test8.cshtml"
+}
+
+#line default
+#line hidden
+#nullable disable
+        }
+        #pragma warning restore 1998
+        #nullable restore
+        [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute]
+        public global::Microsoft.AspNetCore.Mvc.ViewFeatures.IModelExpressionProvider ModelExpressionProvider { get; private set; } = default!;
+        #nullable disable
+        #nullable restore
+        [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute]
+        public global::Microsoft.AspNetCore.Mvc.IUrlHelper Url { get; private set; } = default!;
+        #nullable disable
+        #nullable restore
+        [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute]
+        public global::Microsoft.AspNetCore.Mvc.IViewComponentHelper Component { get; private set; } = default!;
+        #nullable disable
+        #nullable restore
+        [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute]
+        public global::Microsoft.AspNetCore.Mvc.Rendering.IJsonHelper Json { get; private set; } = default!;
+        #nullable disable
+        #nullable restore
+        [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute]
+        public global::Microsoft.AspNetCore.Mvc.Rendering.IHtmlHelper<UserData> Html { get; private set; } = default!;
+        #nullable disable
+    }
+}
+#pragma warning restore 1591