Skip to content

C#: Blazor: Add non-local jump node for parameter passing#18930

Closed
egregius313 wants to merge 11 commits intogithub:mainfrom
egregius313:egregius313/csharp/blazor/parameter-passing-jumpnode
Closed

C#: Blazor: Add non-local jump node for parameter passing#18930
egregius313 wants to merge 11 commits intogithub:mainfrom
egregius313:egregius313/csharp/blazor/parameter-passing-jumpnode

Conversation

@egregius313
Copy link
Contributor

@egregius313 egregius313 commented Mar 5, 2025

Establishes the pattern that when a variable is passed to a subcomponent, the reads of the set property are considered tainted.

For example, if in the following example Names was tainted,

@foreach (string name in Names)
{
    <DisplayName Name="name"/>
}

Then a read in the DisplayName component would be considered tainted

@* Bad: rendering unsanitized strings *@
<p>@((MarkupString)Name)</p>

@code {
   [Parameter]
   string Name { get; set; }
}

@github-actions github-actions bot added the C# label Mar 5, 2025
@egregius313
Copy link
Contributor Author

egregius313 commented Mar 5, 2025
edited
Loading

I am running into an issue here: as far as I can tell from locally testing the characteristic predicate and getAJumpSuccessor, the class appears to be correct. But whenever I test it, the flow is not going from the source (the Name parameter in NameList.cs) to the sink ((MarkupString)TheName in Name.cs)

Update: It appears that changing them to share a variable fixed the issue (commit)

@egregius313 egregius313 requested review from hvitved and tamasvajk March 5, 2025 06:02
github-advanced-security[bot]
github-advanced-security bot found potential problems Mar 5, 2025
View reviewed changes
csharp/ql/test/library-tests/frameworks/microsoft/aspnetcore/blazor/Xss.qlref
@@ -0,0 +1 @@
Security Features/CWE-079/XSS.ql No newline at end of file

Check warning

Code scanning / CodeQL

Query test without inline test expectations Warning test

Query test does not use inline test expectations.
@egregius313 egregius313 marked this pull request as ready for review March 5, 2025 06:11
@egregius313 egregius313 requested a review from a team as a code owner March 5, 2025 06:11
@egregius313 egregius313 force-pushed the egregius313/csharp/blazor/parameter-passing-jumpnode branch from 96566b5 to 133c6fa Compare March 5, 2025 06:13
github-advanced-security[bot]
github-advanced-security bot found potential problems Mar 5, 2025
View reviewed changes
csharp/ql/lib/semmle/code/csharp/frameworks/microsoft/aspnetcore/Components.qll
}

private class ComponentParameterJump extends DataFlow::NonLocalJumpNode {
ParameterPassingCall call;

Check notice

Code scanning / CodeQL

Field only used in CharPred Note

Field is only used in CharPred.
tamasvajk
tamasvajk reviewed Mar 5, 2025
View reviewed changes
Copy link
Contributor

@tamasvajk tamasvajk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think you might be able to add a single line of code to the integration tests, and see if the flow is working there as well. You could add something like the below to the TestPage.razor:

<MyOutput Value="@QueryParam" />

and this should result in an XSS vulnerability.

csharp/ql/lib/semmle/code/csharp/frameworks/microsoft/aspnetcore/Components.qll
Comment on lines +162 to +164
exists(NameOfExpr ne | ne = this.getArgument(1) |
result.getAnAccess() = ne.getAccess().(MemberAccess)
)
Copy link
Contributor

@tamasvajk tamasvajk Mar 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should this also work if instead of a nameof, the name of the property is directly referenced as a string literal?

github-advanced-security[bot]
github-advanced-security bot found potential problems Mar 5, 2025
View reviewed changes
csharp/ql/integration-tests/all-platforms/blazor/XSS.qlref
@@ -0,0 +1 @@
Security Features/CWE-079/XSS.ql No newline at end of file

Check warning

Code scanning / CodeQL

Query test without inline test expectations Warning

Query test does not use inline test expectations.
csharp/ql/integration-tests/all-platforms/blazor_build_mode_none/XSS.qlref
@@ -0,0 +1 @@
Security Features/CWE-079/XSS.ql No newline at end of file

Check warning

Code scanning / CodeQL

Query test without inline test expectations Warning

Query test does not use inline test expectations.
csharp/ql/integration-tests/all-platforms/blazor_net_8/XSS.qlref
@@ -0,0 +1 @@
Security Features/CWE-079/XSS.ql No newline at end of file

Check warning

Code scanning / CodeQL

Query test without inline test expectations Warning

Query test does not use inline test expectations.
@egregius313 egregius313 mentioned this pull request Mar 8, 2025
Closed
@github github deleted a comment from Hamid054 Mar 11, 2025
@tamasvajk tamasvajk self-assigned this Mar 11, 2025
@tamasvajk tamasvajk mentioned this pull request Mar 26, 2025
Merged
@tamasvajk
Copy link
Contributor

tamasvajk commented Mar 26, 2025

I can't push to this branch, so continuing development in #19122.

@tamasvajk tamasvajk closed this Mar 26, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@hvitved hvitved Awaiting requested review from hvitved

1 more reviewer

@tamasvajk tamasvajk tamasvajk left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@tamasvajk tamasvajk

Labels

C#

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@egregius313 @tamasvajk