C#: Tidy up docs, query metadata and add tests.

Author: calumgrant

csharp/ql/src/Security Features/CWE-016/ASPNetPagesValidateRequest.qhelp

@@ -1,65 +1,51 @@
-<!DOCTYPE qhelp PUBLIC
-  "-//Semmle//qhelp//EN"
-  "qhelp.dtd">
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
 <qhelp>
 
 	<overview>
 		<p>
-			<code>Request validation</code>
-			is a feature in ASP.NET that protects web applications against
-			potentially malicious content
-			in requests, specifically against
+			Request validation is a feature in ASP.NET that protects web applications against
+			potentially malicious content in requests, specifically against
 			cross-site scripting attacks (XSS).
 		</p>
 
 	</overview>
 	<recommendation>
 
 		<p>
-			Enable the directive validateRequest in your web.config file:
+			Enable the directive <code>validateRequest</code> in your <code>web.config</code> file:
+
 			<code>
-				<pages validateRequest="true" />
+				&lt;pages validateRequest="true" /&gt;
 			</code>
 		</p>
 
 	</recommendation>
 	<example>
 
 		<p>
-			The following example shows the 'validateRequest' flag set to true in
-			a
-			<code>Web.config</code>
-			file for ASP.NET. This will protect the web application against
-			common XSS attacks:
+			The following example shows the <code>validateRequest</code> flag set to <code>false</code>
+			in a <code>Web.config</code> file for ASP.NET. This will disable validation, and leave
+			the the web application vulnerable against common XSS attacks:
 		</p>
 
-		<sample src="Web.config.ASPNetPagesValidateRequest.good" />
+		<sample src="ASPNetPagesValidateRequestBad.config" />
 
 		<p>
-			If validateRequest is set to
-			<code>false</code>
-			, validation is disabled:
+			If validateRequest is set to <code>true</code>, validation is enabled:
 		</p>
 
-		<sample src="Web.config.ASPNetPagesValidateRequest.bad" />
+		<sample src="ASPNetPagesValidateRequestGood.config" />
 
 	</example>
 	<references>
 
 		<li>
 			MSDN:
 			<a
-				href=https://docs.microsoft.com/en-us/previous-versions/aspnet/hh882339(v=vs.110)?redirectedfrom=MSDN ">Request
-				Validation in ASP.NET</a>
-			.
-		</li>
-		<li>
-			MSDN:
-			<a
-				href="https://docs.microsoft.com/en-us/previous-versions/aspnet/debza5t0(v=vs.100)?redirectedfrom=MSDN">Validation ASP.NET Controls</a>
-			.
+				href="https://docs.microsoft.com/en-us/previous-versions/aspnet/hh882339(v=vs.110)?redirectedfrom=MSDN">
+				Request Validation in ASP.NET
+			</a>.
 		</li>
 
-
 	</references>
 </qhelp>

csharp/ql/src/Security Features/CWE-016/ASPNetPagesValidateRequest.ql

@@ -1,7 +1,12 @@
 /**
- * @name Page Request Validation is disabled
- * @description ASP.NET Pages should not disable the built-in request validation.
+ * @name Page request validation is disabled
+ * @description ASP.NET pages should not disable the built-in request validation.
  * @kind problem
+ * @problem.severity warning
+ * @id cs/web/request-validation-disabled
+ * @tags security
+ *       frameworks/asp.net
+ *       external/cwe/cwe-16
  */
 
 import csharp
@@ -11,4 +16,4 @@ from SystemWebXMLElement web, XMLAttribute requestvalidateAttribute
 where
   requestvalidateAttribute = web.getAChild("pages").getAttribute("validateRequest") and
   requestvalidateAttribute.getValue().toLowerCase() = "false"
-select requestvalidateAttribute, "validateRequest is set to false"
+select requestvalidateAttribute, "The 'validateRequest' attribute is set to 'false'."

…eb.config.ASPNetPagesValidateRequest.bad …016/ASPNetPagesValidateRequestBad.configcsharp/ql/src/Security Features/CWE-016/Web.config.ASPNetPagesValidateRequest.bad renamed to csharp/ql/src/Security Features/CWE-016/ASPNetPagesValidateRequestBad.config csharp/ql/src/Security Features/CWE-016/Web.config.ASPNetPagesValidateRequest.bad renamed to csharp/ql/src/Security Features/CWE-016/ASPNetPagesValidateRequestBad.config

@@ -1,10 +1,5 @@
-<?xml version="1.0" encoding="utf-8" ?>
 <configuration>
   <system.web>
-    <compilation
-      defaultLanguage="c#"
-    />
     <pages validateRequest="false" />
-   ...
   </system.web>
 </configuration>

…b.config.ASPNetPagesValidateRequest.good …16/ASPNetPagesValidateRequestGood.configcsharp/ql/src/Security Features/CWE-016/Web.config.ASPNetPagesValidateRequest.good renamed to csharp/ql/src/Security Features/CWE-016/ASPNetPagesValidateRequestGood.config csharp/ql/src/Security Features/CWE-016/Web.config.ASPNetPagesValidateRequest.good renamed to csharp/ql/src/Security Features/CWE-016/ASPNetPagesValidateRequestGood.config

@@ -1,10 +1,5 @@
-<?xml version="1.0" encoding="utf-8" ?>
 <configuration>
   <system.web>
-    <compilation
-      defaultLanguage="c#"
-    />
     <pages validateRequest="true" />
-   ...
   </system.web>
 </configuration>

csharp/ql/test/query-tests/Security Features/CWE-016/ASPNetPagesValidateRequest/ASPNetPagesValidateRequest.expected

@@ -0,0 +1 @@
+| ASPNetPagesValidateRequestBad.config:3:5:3:38 | validateRequest=false | The 'validateRequest' attribute is set to 'false'. |

csharp/ql/test/query-tests/Security Features/CWE-016/ASPNetPagesValidateRequest/ASPNetPagesValidateRequest.qlref

@@ -0,0 +1 @@
+Security Features/CWE-016/ASPNetPagesValidateRequest.ql

csharp/ql/test/query-tests/Security Features/CWE-016/ASPNetPagesValidateRequest/ASPNetPagesValidateRequestBad.config

@@ -0,0 +1,5 @@
+<configuration>
+  <system.web>
+    <pages validateRequest="false" />
+  </system.web>
+</configuration>

csharp/ql/test/query-tests/Security Features/CWE-016/ASPNetPagesValidateRequest/ASPNetPagesValidateRequestGood.config

@@ -0,0 +1,5 @@
+<configuration>
+  <system.web>
+    <pages validateRequest="true" />
+  </system.web>
+</configuration>