Merge pull request #2358 from cldrn/ASPNetPagesValidateRequest

calumgrant · web-flow · commit 3049bf2c85a2 · 2019-12-09T13:05:03.000Z
Adds CodeQL query to check for Pages with disabled built-in validation
diff --git a/change-notes/1.24/analysis-csharp.md b/change-notes/1.24/analysis-csharp.md
@@ -7,6 +7,7 @@ The following changes in version 1.24 affect C# analysis in all applications.
 | **Query**                   | **Tags**  | **Purpose**                                                        |
 |-----------------------------|-----------|--------------------------------------------------------------------|
 | Insecure configuration for ASP.NET requestValidationMode (`cs/insecure-request-validation-mode`) | security, external/cwe/cwe-016 | Finds where this attribute has been set to a value less than 4.5, which turns off some validation features and makes the application less secure. |
+| Page request validation is disabled (`cs/web/request-validation-disabled`) | security, frameworks/asp.net, external/cwe/cwe-016 | Finds where ASP.NET page request validation has been disabled, which could makes the application less secure. |
 
 ## Changes to existing queries
 
diff --git a/csharp/ql/src/Security Features/CWE-016/ASPNetPagesValidateRequest.qhelp b/csharp/ql/src/Security Features/CWE-016/ASPNetPagesValidateRequest.qhelp
@@ -0,0 +1,51 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+
+	<overview>
+		<p>
+			Request validation is a feature in ASP.NET that protects web applications against
+			potentially malicious content in requests, specifically against
+			cross-site scripting attacks (XSS).
+		</p>
+
+	</overview>
+	<recommendation>
+
+		<p>
+			Enable the directive <code>validateRequest</code> in your <code>web.config</code> file:
+
+			<code>
+				&lt;pages validateRequest="true" /&gt;
+			</code>
+		</p>
+
+	</recommendation>
+	<example>
+
+		<p>
+			The following example shows the <code>validateRequest</code> flag set to <code>false</code>
+			in a <code>Web.config</code> file for ASP.NET. This will disable validation, and leave
+			the web application vulnerable against common XSS attacks:
+		</p>
+
+		<sample src="ASPNetPagesValidateRequestBad.config" />
+
+		<p>
+			If <code>validateRequest</code> is set to <code>true</code>, validation is enabled:
+		</p>
+
+		<sample src="ASPNetPagesValidateRequestGood.config" />
+
+	</example>
+	<references>
+
+		<li>
+			MSDN:
+			<a
+				href="https://docs.microsoft.com/en-us/previous-versions/aspnet/hh882339(v=vs.110)?redirectedfrom=MSDN">
+				Request Validation in ASP.NET
+			</a>.
+		</li>
+
+	</references>
+</qhelp>
diff --git a/csharp/ql/src/Security Features/CWE-016/ASPNetPagesValidateRequest.ql b/csharp/ql/src/Security Features/CWE-016/ASPNetPagesValidateRequest.ql
@@ -0,0 +1,19 @@
+/**
+ * @name Page request validation is disabled
+ * @description ASP.NET pages should not disable the built-in request validation.
+ * @kind problem
+ * @problem.severity warning
+ * @id cs/web/request-validation-disabled
+ * @tags security
+ *       frameworks/asp.net
+ *       external/cwe/cwe-16
+ */
+
+import csharp
+import semmle.code.asp.WebConfig
+
+from SystemWebXMLElement web, XMLAttribute requestvalidateAttribute
+where
+  requestvalidateAttribute = web.getAChild("pages").getAttribute("validateRequest") and
+  requestvalidateAttribute.getValue().toLowerCase() = "false"
+select requestvalidateAttribute, "The 'validateRequest' attribute is set to 'false'."
diff --git a/csharp/ql/src/Security Features/CWE-016/ASPNetPagesValidateRequestBad.config b/csharp/ql/src/Security Features/CWE-016/ASPNetPagesValidateRequestBad.config
@@ -0,0 +1,5 @@
+<configuration>
+  <system.web>
+    <pages validateRequest="false" />
+  </system.web>
+</configuration>
diff --git a/csharp/ql/src/Security Features/CWE-016/ASPNetPagesValidateRequestGood.config b/csharp/ql/src/Security Features/CWE-016/ASPNetPagesValidateRequestGood.config
@@ -0,0 +1,5 @@
+<configuration>
+  <system.web>
+    <pages validateRequest="true" />
+  </system.web>
+</configuration>
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-016/ASPNetPagesValidateRequest/ASPNetPagesValidateRequest.expected b/csharp/ql/test/query-tests/Security Features/CWE-016/ASPNetPagesValidateRequest/ASPNetPagesValidateRequest.expected
@@ -0,0 +1 @@
+| ASPNetPagesValidateRequestBad.config:3:5:3:38 | validateRequest=false | The 'validateRequest' attribute is set to 'false'. |
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-016/ASPNetPagesValidateRequest/ASPNetPagesValidateRequest.qlref b/csharp/ql/test/query-tests/Security Features/CWE-016/ASPNetPagesValidateRequest/ASPNetPagesValidateRequest.qlref
@@ -0,0 +1 @@
+Security Features/CWE-016/ASPNetPagesValidateRequest.ql
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-016/ASPNetPagesValidateRequest/ASPNetPagesValidateRequestBad.config b/csharp/ql/test/query-tests/Security Features/CWE-016/ASPNetPagesValidateRequest/ASPNetPagesValidateRequestBad.config
@@ -0,0 +1,5 @@
+<configuration>
+  <system.web>
+    <pages validateRequest="false" />
+  </system.web>
+</configuration>
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-016/ASPNetPagesValidateRequest/ASPNetPagesValidateRequestGood.config b/csharp/ql/test/query-tests/Security Features/CWE-016/ASPNetPagesValidateRequest/ASPNetPagesValidateRequestGood.config
@@ -0,0 +1,5 @@
+<configuration>
+  <system.web>
+    <pages validateRequest="true" />
+  </system.web>
+</configuration>
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-016/ASPNetPagesValidateRequest/Program.cs b/csharp/ql/test/query-tests/Security Features/CWE-016/ASPNetPagesValidateRequest/Program.cs

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+\| ASPNetPagesValidateRequestBad.config:3:5:3:38 \| validateRequest=false \| The 'validateRequest' attribute is set to 'false'. \|`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+Security Features/CWE-016/ASPNetPagesValidateRequest.ql`