Adds CodeQL query to check for insecure RequestValidationMode in ASP.NET#2356
Merged
calumgrant merged 10 commits intogithub:masterfrom Dec 4, 2019
Merged
Adds CodeQL query to check for insecure RequestValidationMode in ASP.NET#2356calumgrant merged 10 commits intogithub:masterfrom
calumgrant merged 10 commits intogithub:masterfrom
Conversation
calumgrant
force-pushed
the
ASPNetRequestValidationMode
branch
from
ef88084 to
5833b15
Compare
Contributor
|
Hi Paulino, Many thanks for your contribution, we really appreciate it. As you may have seen, I have added a few more commits to this PR in order to get it production ready for final review. I think this way would be easiest, in particular because external contributors don't have all the tools needed to author tests - we are working on that feature. |
Contributor
|
Hi @cldrn! I'll carry out a quick editorial review of the docs for this query later today. |
jf205
reviewed
Nov 28, 2019
Contributor
jf205
left a comment
jf205
left a comment
There was a problem hiding this comment.
Just a couple of docs suggestions from me 👍
csharp/ql/src/Security Features/CWE-016/ASPNetRequestValidationMode.qhelp
Outdated
Show resolved
Hide resolved
csharp/ql/src/Security Features/CWE-016/ASPNetRequestValidationMode.qhelp
Outdated
Show resolved
Hide resolved
csharp/ql/src/Security Features/CWE-016/ASPNetRequestValidationMode.qhelp
Outdated
Show resolved
Hide resolved
csharp/ql/src/Security Features/CWE-016/ASPNetRequestValidationMode.ql
Outdated
Show resolved
Hide resolved
This was referenced Nov 28, 2019
…nMode.qhelp built in to built-in Co-Authored-By: James Fletcher <42464962+jf205@users.noreply.github.com>
…nMode.qhelp Rephrasing. Co-Authored-By: James Fletcher <42464962+jf205@users.noreply.github.com>
…nMode.qhelp Missing comma. Co-Authored-By: James Fletcher <42464962+jf205@users.noreply.github.com>
…nMode.ql Added missing quotes. Co-Authored-By: James Fletcher <42464962+jf205@users.noreply.github.com>
Contributor
Author
|
Thanks for the feedback and help! |
calumgrant
previously approved these changes
Dec 2, 2019
…dationMode # Conflicts: # change-notes/1.24/analysis-csharp.md
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The
requestValidationModeattribute in ASP.NET is used to configure built-in validations to protect applications against code injections. Downgrading or disabling this configuration is not recommended. The default value 4.5 is the only recommended value as previous versions only test a subset of requests.This PR includes a CodeQL query to detect applications with insecure values for
requestValidationMode:https://docs.microsoft.com/en-us/dotnet/api/system.web.configuration.httpruntimesection.requestvalidationmode?view=netframework-4.8