Adds CodeQL query to check for Pages validateRequest directive

cldrn · calumgrant · commit eeffd7cf8df3 · 2019-11-28T14:22:08.000Z
diff --git a/csharp/ql/src/Security Features/CWE-016/ASPNetPagesValidateRequest.qhelp b/csharp/ql/src/Security Features/CWE-016/ASPNetPagesValidateRequest.qhelp
@@ -0,0 +1,65 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+	<overview>
+		<p>
+			<code>Request validation</code>
+			is a feature in ASP.NET that protects web applications against
+			potentially malicious content
+			in requests, specifically against
+			cross-site scripting attacks (XSS).
+		</p>
+
+	</overview>
+	<recommendation>
+
+		<p>
+			Enable the directive validateRequest in your web.config file:
+			<code>
+				<pages validateRequest="true" />
+			</code>
+		</p>
+
+	</recommendation>
+	<example>
+
+		<p>
+			The following example shows the 'validateRequest' flag set to true in
+			a
+			<code>Web.config</code>
+			file for ASP.NET. This will protect the web application against
+			common XSS attacks:
+		</p>
+
+		<sample src="Web.config.ASPNetPagesValidateRequest.good" />
+
+		<p>
+			If validateRequest is set to
+			<code>false</code>
+			, validation is disabled:
+		</p>
+
+		<sample src="Web.config.ASPNetPagesValidateRequest.bad" />
+
+	</example>
+	<references>
+
+		<li>
+			MSDN:
+			<a
+				href=https://docs.microsoft.com/en-us/previous-versions/aspnet/hh882339(v=vs.110)?redirectedfrom=MSDN ">Request
+				Validation in ASP.NET</a>
+			.
+		</li>
+		<li>
+			MSDN:
+			<a
+				href="https://docs.microsoft.com/en-us/previous-versions/aspnet/debza5t0(v=vs.100)?redirectedfrom=MSDN">Validation ASP.NET Controls</a>
+			.
+		</li>
+
+
+	</references>
+</qhelp>
diff --git a/csharp/ql/src/Security Features/CWE-016/ASPNetPagesValidateRequest.ql b/csharp/ql/src/Security Features/CWE-016/ASPNetPagesValidateRequest.ql
@@ -0,0 +1,14 @@
+/**
+ * @name Page Request Validation is disabled
+ * @description ASP.NET Pages should not disable the built-in request validation.
+ * @kind problem
+ */
+
+import csharp
+import semmle.code.asp.WebConfig
+
+from SystemWebXMLElement web, XMLAttribute requestvalidateAttribute
+where
+  requestvalidateAttribute = web.getAChild("pages").getAttribute("validateRequest") and
+  requestvalidateAttribute.getValue().toLowerCase() = "false"
+select requestvalidateAttribute, "validateRequest is set to false"
diff --git a/csharp/ql/src/Security Features/CWE-016/Web.config.ASPNetPagesValidateRequest.bad b/csharp/ql/src/Security Features/CWE-016/Web.config.ASPNetPagesValidateRequest.bad
@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<configuration>
+  <system.web>
+    <compilation
+      defaultLanguage="c#"
+    />
+    <pages validateRequest="false" />
+   ...
+  </system.web>
+</configuration>
diff --git a/csharp/ql/src/Security Features/CWE-016/Web.config.ASPNetPagesValidateRequest.good b/csharp/ql/src/Security Features/CWE-016/Web.config.ASPNetPagesValidateRequest.good
@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<configuration>
+  <system.web>
+    <compilation
+      defaultLanguage="c#"
+    />
+    <pages validateRequest="true" />
+   ...
+  </system.web>
+</configuration>
