Add additional test cases

Author: joefarebrother

csharp/ql/lib/semmle/code/csharp/security/dataflow/XSSFlowSteps.qll

@@ -99,7 +99,7 @@ private predicate viewCallRefersToPageAbsolute(ViewCall vc, RazorPage rp) {
 }
 
 private predicate viewCallRefersToPageRelative(ViewCall vc, RazorPage rp) {
-  rp.getSourceFilepath() =
+  ["", "~"] + rp.getSourceFilepath() =
     min(int i, RelativeViewCallFilepath fp |
       fp.hasViewCallWithIndex(vc, i) and
       exists(RazorPage rp2 | rp2.getSourceFilepath() = fp.getNormalizedPath())

csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Controllers/TestController.cs

@@ -67,9 +67,7 @@ public IActionResult test11(UserData tainted11) {
         return helper(tainted11);
     }
 
-    private IActionResult helper(UserData x) {
-        return View("Test11", x);
-    }
+    private IActionResult helper(UserData x) { return View("Test11", x); }
 
     public IActionResult Test12(UserData tainted12) {
         // Expected to find nothing.
@@ -79,4 +77,32 @@ public IActionResult Test12(UserData tainted12) {
     private IActionResult helper2(UserData x) {
         return View(x);
     }    
+
+    private IActionResult test13(UserData tainted13) {
+        // Expected to find file /Views/Other/Test13.cshtml
+        return Helper.helper3(this, tainted13);
+    }
+
+    private IActionResult test14(UserData tainted14) {
+        // Expected to find file /Views/Shared/Test14.cshtml and NOT /Views/Test2/Test14.cshtml
+        return Helper.helper4(this, tainted14);
+    }
+
+}
+
+class Helper {
+    public static IActionResult helper3(Controller c, UserData x) { return c.View("/Views/Other/Test13.cshtml", x); }
+
+    public static IActionResult helper4(Controller c, UserData x) { return c.View("Test14", x); }
+}
+
+public class Test3Controller : Controller {
+    public void Setup(RazorViewEngineOptions o) {
+        o.ViewLocationFormats.Add("/Views/Custom/{1}/{0}.cshtml");
+    }
+
+    private IActionResult Test15(UserData tainted14) {
+        // Expected to find file /Views/Custom/Test3/Test15.cshtml
+        return View(x);
+    }
 }

csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Generated/Views_Custom_Test3_Test15.cshtml.g.cs

@@ -0,0 +1,74 @@
+// A test file that mimics the output of compiling a `.cshtml` file
+// <auto-generated/>
+#pragma warning disable 1591
+[assembly: global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemAttribute(typeof(test.Views.Views_Custom_Test3_Test15), @"mvc.1.0.view", @"/Views/Custom/Test3/Test15.cshtml")]
+namespace test.Views
+{
+    #line hidden
+    using System;
+    using System.Collections.Generic;
+    using System.Linq;
+    using System.Threading.Tasks;
+    using Microsoft.AspNetCore.Mvc;
+    using Microsoft.AspNetCore.Mvc.Rendering;
+    using Microsoft.AspNetCore.Mvc.ViewFeatures;
+#nullable restore
+using test;
+
+#line default
+#line hidden
+#nullable disable
+    [global::Microsoft.AspNetCore.Razor.Hosting.RazorCompiledItemMetadataAttribute("Identifier", "/Views/Custom/Test3/Test15.cshtml")]
+    public class Views_Custom_Test3_Test15 : global::Microsoft.AspNetCore.Mvc.Razor.RazorPage<UserData>
+    {
+        #pragma warning disable 1998
+        public async override global::System.Threading.Tasks.Task ExecuteAsync()
+        {
+#line 6 "Views/Custom/Test3/Test15.cshtml"
+ if (Model != null)
+{
+
+#line default
+#line hidden
+#nullable disable
+            WriteLiteral("    <h3>Hello \"");
+#nullable restore
+#line 8 "Views/Custom/Test3/Test15.cshtml"
+Write(Html.Raw(Model.Name));
+
+#line default
+#line hidden
+#nullable disable
+            WriteLiteral("\"</h3>\n");
+#nullable restore
+#line 9 "Views/Custom/Test3/Test15.cshtml"
+}
+
+#line default
+#line hidden
+#nullable disable
+        }
+        #pragma warning restore 1998
+        #nullable restore
+        [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute]
+        public global::Microsoft.AspNetCore.Mvc.ViewFeatures.IModelExpressionProvider ModelExpressionProvider { get; private set; } = default!;
+        #nullable disable
+        #nullable restore
+        [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute]
+        public global::Microsoft.AspNetCore.Mvc.IUrlHelper Url { get; private set; } = default!;
+        #nullable disable
+        #nullable restore
+        [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute]
+        public global::Microsoft.AspNetCore.Mvc.IViewComponentHelper Component { get; private set; } = default!;
+        #nullable disable
+        #nullable restore
+        [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute]
+        public global::Microsoft.AspNetCore.Mvc.Rendering.IJsonHelper Json { get; private set; } = default!;
+        #nullable disable
+        #nullable restore
+        [global::Microsoft.AspNetCore.Mvc.Razor.Internal.RazorInjectAttribute]
+        public global::Microsoft.AspNetCore.Mvc.Rendering.IHtmlHelper<UserData> Html { get; private set; } = default!;
+        #nullable disable
+    }
+}
+#pragma warning restore 1591

csharp/ql/test/query-tests/Security Features/CWE-079/XSSRazorPages/Views/Custom/Test3/Test15.cshtml

@@ -0,0 +1,9 @@
+@namespace test
+@model UserData
+@{
+}
+
+@if (Model != null)
+{
+    <h3>Hello "@Html.Raw(Model.Name)"</h3>
+}