C#: Fix a URL redirection from remote source false positive

rpmrmartin · rpmrmartin · commit 66b456d3c642 · 2023-11-29T13:46:47.000-07:00
When guarding the redirect with `HttpRequestBase.IsUrlLocalToHost()`
diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/UrlRedirectQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/UrlRedirectQuery.qll
@@ -116,13 +116,19 @@ class HttpServerTransferSink extends Sink {
 }
 
 private predicate isLocalUrlSanitizer(Guard g, Expr e, AbstractValue v) {
-  g.(MethodCall).getTarget().hasName("IsLocalUrl") and
-  e = g.(MethodCall).getArgument(0) and
+  (
+    g.(MethodCall).getTarget().hasName("IsLocalUrl") and
+    e = g.(MethodCall).getArgument(0)
+    or
+    g.(MethodCall).getTarget().hasName("IsUrlLocalToHost") and
+    e = g.(MethodCall).getArgument(1)
+  ) and
   v.(AbstractValues::BooleanValue).getValue() = true
 }
 
 /**
- * A URL argument to a call to `UrlHelper.isLocalUrl()` that is a sanitizer for URL redirects.
+ * A URL argument to a call to `UrlHelper.IsLocalUrl()` or `HttpRequestBase.IsUrlLocalToHost()` that
+ * is a sanitizer for URL redirects.
  */
 class LocalUrlSanitizer extends Sanitizer {
   LocalUrlSanitizer() { this = DataFlow::BarrierGuard<isLocalUrlSanitizer/3>::getABarrierNode() }
diff --git a/csharp/ql/src/change-notes/2023-11-29-url-redirect-false-positive.md b/csharp/ql/src/change-notes/2023-11-29-url-redirect-false-positive.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Fixed a URL redirection from remote source false positive when guarding a redirect with `HttpRequestBase.IsUrlLocalToHost()`

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: minorAnalysis
 +---
 +* Fixed a URL redirection from remote source false positive when guarding a redirect with `HttpRequestBase.IsUrlLocalToHost()`