From 6aa4c5c1876c3cdcf5413affb25c1db86ad3bd7b Mon Sep 17 00:00:00 2001
From: Tom Hvitved
Date: Tue, 23 Apr 2024 11:47:55 +0200
Subject: [PATCH 1/2] C#: Fix a bad join
---
.../CWE-352/MissingAntiForgeryTokenValidation.ql | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/csharp/ql/src/Security Features/CWE-352/MissingAntiForgeryTokenValidation.ql b/csharp/ql/src/Security Features/CWE-352/MissingAntiForgeryTokenValidation.ql
index 3b56d3d73777..48000667b570 100644
--- a/csharp/ql/src/Security Features/CWE-352/MissingAntiForgeryTokenValidation.ql
+++ b/csharp/ql/src/Security Features/CWE-352/MissingAntiForgeryTokenValidation.ql
@@ -16,11 +16,15 @@ import semmle.code.csharp.frameworks.system.Web
 import semmle.code.csharp.frameworks.system.web.Helpers
 import semmle.code.csharp.frameworks.system.web.Mvc
+private Method getAValidatingMethod() {
+ result = any(AntiForgeryClass a).getValidateMethod()
+ or
+ result.calls(getAValidatingMethod())
+}
+
 /** An `AuthorizationFilter` that calls the `AntiForgery.Validate` method. */
 class AntiForgeryAuthorizationFilter extends AuthorizationFilter {
- AntiForgeryAuthorizationFilter() {
- this.getOnAuthorizationMethod().calls*(any(AntiForgeryClass a).getValidateMethod())
- }
+ AntiForgeryAuthorizationFilter() { this.getOnAuthorizationMethod() = getAValidatingMethod() }
 }
 /**
From d8d7688f886b975921eac4fd3ec6785c5c11e1c1 Mon Sep 17 00:00:00 2001
From: Tom Hvitved
Date: Tue, 23 Apr 2024 15:39:59 +0200
Subject: [PATCH 2/2] C#: Fix another bad join
---
.../CWE-352/MissingAntiForgeryTokenValidation.ql | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/csharp/ql/src/Security Features/CWE-352/MissingAntiForgeryTokenValidation.ql b/csharp/ql/src/Security Features/CWE-352/MissingAntiForgeryTokenValidation.ql
index 48000667b570..77fc64f65a74 100644
--- a/csharp/ql/src/Security Features/CWE-352/MissingAntiForgeryTokenValidation.ql
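Review bot: `getAValidatingMethod()` is declared with result type `Method`, which restricts every link of the recursion to methods, while the removed `calls*` closure carried no such restriction on the intermediate callables. If `calls` is declared on `Callable` (the second patch compares its helper with `getEnclosingCallable()`, which suggests it is), a call path that runs through a constructor, accessor, lambda or local function is no longer followed. `getAStartedMethod()` in patch 2/2 has the same restriction, and there it also excludes an `addGlobalFilter` call whose enclosing callable is not a method. As far as the visible predicates show, this can only make `hasGlobalAntiForgeryFilter()` hold less often, so it changes which projects the CWE-352 query treats as globally protected, in commits described only as join fixes. Consider `private Callable getAValidatingMethod() {` and `private Callable getAStartedMethod() {` to keep the previous reach, or state the narrowing in the commit message.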
+++ b/csharp/ql/src/Security Features/CWE-352/MissingAntiForgeryTokenValidation.ql
@@ -27,6 +27,12 @@ class AntiForgeryAuthorizationFilter extends AuthorizationFilter {
 AntiForgeryAuthorizationFilter() { this.getOnAuthorizationMethod() = getAValidatingMethod() }
 }
+private Method getAStartedMethod() {
+ result = any(WebApplication wa).getApplication_StartMethod()
+ or
+ getAStartedMethod().calls(result)
+}
+
 /**
 * Holds if the project has a global anti forgery filter.
 */
@@ -38,9 +44,7 @@ predicate hasGlobalAntiForgeryFilter() {
 // The filter is an antiforgery filter
 addGlobalFilter.getArgumentForName("filter").getType() instanceof AntiForgeryAuthorizationFilter and
 // The filter is added by the Application_Start() method
- any(WebApplication wa)
- .getApplication_StartMethod()
- .calls*(addGlobalFilter.getEnclosingCallable())
+ getAStartedMethod() = addGlobalFilter.getEnclosingCallable()
 )
 }
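Review bot: `getAStartedMethod()` is added without a QLDoc comment, although the class above it and the predicate below it both carry one. The direction of its recursion is also easy to misread, because it walks from a caller to its callees (`getAStartedMethod().calls(result)`) while `getAValidatingMethod()` from patch 1/2 walks from a callee back to its callers. I would add `/** Gets the Application_Start() method or any method it transitively calls. */` above it, and `/** Gets the AntiForgery.Validate method or any method that transitively calls it. */` above `getAValidatingMethod()`.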