Merge pull request #2356 from cldrn/ASPNetRequestValidationMode

Adds CodeQL query to check for insecure RequestValidationMode in ASP.NET

Author: calumgrant

change-notes/1.24/analysis-csharp.md

@@ -2,18 +2,24 @@
 
 The following changes in version 1.24 affect C# analysis in all applications.
 
-## General improvements
-
 ## New queries
 
 | **Query**                   | **Tags**  | **Purpose**                                                        |
 |-----------------------------|-----------|--------------------------------------------------------------------|
+| Insecure configuration for ASP.NET requestValidationMode (`cs/insecure-request-validation-mode`) | security, external/cwe/cwe-016 | Finds where this attribute has been set to a value less than 4.5, which turns off some validation features and makes the application less secure. |
 
 ## Changes to existing queries
 
-| **Query**                  | **Expected impact**    | **Change**                                                       |
-|----------------------------|------------------------|------------------------------------------------------------------|
+| **Query**                    | **Expected impact**    | **Change**                        |
+|------------------------------|------------------------|-----------------------------------|
+
+## Removal of old queries
+
+## Changes to code extraction
 
 ## Changes to libraries
 
 * The taint tracking library now tracks flow through (implicit or explicit) conversion operator calls.
+
+## Changes to autobuilder
+

csharp/ql/src/Security Features/CWE-016/ASPNetRequestValidationMode.qhelp

@@ -0,0 +1,52 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+
+	<overview>
+		<p>
+			The <code>requestValidationMode</code> attribute in ASP.NET is used to configure built-in validation to
+			protect applications against code injections. Downgrading or disabling
+			this configuration is not recommended. The default value of 4.5
+			is the only recommended value, as previous versions only test a subset of requests.
+		</p>
+
+	</overview>
+	<recommendation>
+
+		<p>
+			Always set <code>requestValidationMode</code> to 4.5, or leave it at its default value.
+		</p>
+
+	</recommendation>
+	<example>
+
+		<p>
+			The following example shows the <code>requestValidationMode</code>
+			attribute set to a value of 4.0, which disables some protections and
+			ignores individual <code>Page</code> directives:
+		</p>
+
+		<sample src="ASPNetRequestValidationModeBad.config" />
+
+		<p>
+			Setting the value to 4.5 enables request validation for all requests:
+		</p>
+
+		<sample src="ASPNetRequestValidationModeGood.config" />
+
+	</example>
+	<references>
+
+		<li>
+			Microsoft:
+			<a
+				href="https://docs.microsoft.com/en-us/dotnet/api/system.web.configuration.httpruntimesection.requestvalidationmode?view=netframework-4.8">HttpRuntimeSection.RequestValidationMode Property
+				</a>.
+		</li>
+		<li>
+			OWASP:
+			<a
+				href="https://www.owasp.org/index.php/ASP.NET_Request_Validation">ASP.NET Request Validation</a>.
+		</li>
+	</references>
+
+</qhelp>

csharp/ql/src/Security Features/CWE-016/ASPNetRequestValidationMode.ql

@@ -0,0 +1,20 @@
+/**
+ * @name Insecure configuration for ASP.NET requestValidationMode
+ * @description Setting 'requestValidationMode' to less than 4.5 disables built-in validations
+ *              included by default in ASP.NET. Disabling or downgrading this protection is not
+ *              recommended.
+ * @kind problem
+ * @id cs/insecure-request-validation-mode
+ * @problem.severity warning
+ * @tags security
+ *       external/cwe/cwe-016
+ */
+
+import csharp
+
+from XMLAttribute reqValidationMode
+where
+  reqValidationMode.getName().toLowerCase() = "requestvalidationmode" and
+  reqValidationMode.getValue().toFloat() < 4.5
+select reqValidationMode,
+  "Insecure value for requestValidationMode (" + reqValidationMode.getValue() + ")."

csharp/ql/src/Security Features/CWE-016/ASPNetRequestValidationModeBad.config

@@ -0,0 +1,5 @@
+<configuration>
+  <system.web>
+    <httpRuntime requestValidationMode="4.0"/>
+  </system.web>
+</configuration>

csharp/ql/src/Security Features/CWE-016/ASPNetRequestValidationModeGood.config

@@ -0,0 +1,5 @@
+<configuration>
+  <system.web>
+    <httpRuntime requestValidationMode="4.5"/>
+  </system.web>
+</configuration>