C#: Blazor: Add non-local jump node for parameter passing by tamasvajk · Pull Request #19122 · github/codeql

tamasvajk · 2025-03-26T10:04:54Z

Continuation of #18930.

Establishes the pattern that when a variable is passed to a subcomponent, the reads of the set property are considered tainted.

For example, if in the following example Names was tainted,

@foreach (string name in Names)
{
    <DisplayName Name="name"/>
}

Then a read in the DisplayName component would be considered tainted

@* Bad: rendering unsanitized strings *@
<p>@((MarkupString)Name)</p>

@code {
   [Parameter]
   string Name { get; set; }
}

csharp/ql/integration-tests/all-platforms/blazor/XSS.qlref

csharp/ql/integration-tests/all-platforms/blazor_build_mode_none/XSS.qlref

csharp/ql/integration-tests/all-platforms/blazor_net_8/XSS.qlref

csharp/ql/lib/semmle/code/csharp/frameworks/microsoft/aspnetcore/Components.qll

csharp/ql/test/library-tests/frameworks/microsoft/aspnetcore/blazor/Xss.qlref

@@ -0,0 +1 @@
+Security Features/CWE-079/XSS.ql


michaelnebel

Thank you for following up on this @tamasvajk !
Would it be possible to add a brief explanation in the PR description on, which jump step we are modelling?

csharp/ql/integration-tests/all-platforms/blazor/XSS.qlref

csharp/ql/integration-tests/all-platforms/blazor_build_mode_none/XSS.expected

csharp/ql/lib/semmle/code/csharp/frameworks/microsoft/aspnetcore/Components.qll

csharp/ql/integration-tests/all-platforms/blazor/XSS.qlref

+query: Security Features/CWE-079/XSS.ql
+postprocess: utils/test/PrettyPrintModels.ql


csharp/ql/integration-tests/all-platforms/blazor_build_mode_none/XSS.qlref

+query: Security Features/CWE-079/XSS.ql
+postprocess: utils/test/PrettyPrintModels.ql


csharp/ql/integration-tests/all-platforms/blazor_net_8/XSS.qlref

+query: Security Features/CWE-079/XSS.ql
+postprocess: utils/test/PrettyPrintModels.ql


michaelnebel

Thank you for looking into it; One clarifying follow-up question and one comment.

michaelnebel · 2025-03-27T13:47:11Z

csharp/ql/test/library-tests/frameworks/microsoft/aspnetcore/blazor/NameList.cs

+                {
+                    builder.OpenElement(2, "li");
+                    builder.OpenComponent<VulnerableBlazorApp.Components.Name>(3);
+                    builder.AddComponentParameter(4, nameof(VulnerableBlazorApp.Components.Name.TheName), name);


So, the jump step ensures that we have data flow from name into the property VulnerableBlazorApp.Components.Name.TheName?

Yes, there's flow from name to the property reads of VulnerableBlazorApp.Components.Name.TheName.

michaelnebel · 2025-03-27T13:49:47Z

csharp/ql/lib/semmle/code/csharp/frameworks/microsoft/aspnetcore/Components.qll

+    Expr getParameterValue() { result = this.getArgument(2) }
+  }
+
+  private class ComponentParameterJump extends DataFlow::NonLocalJumpNode {


The NonLocalJumpNode is a bi-directional imported abstract class, but this is not that evident. I think it makes sense to explicitly make a private import module above the NonLocalJumpNode declaration that imports all file modules that extends the class.

Do you mean the below?

--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPublic.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPublic.qll @@ -147,6 +147,10 @@ predicate localFlow(Node source, Node sink) { localFlowStep*(source, sink) } pragma[inline] predicate localExprFlow(Expr e1, Expr e2) { localFlow(exprNode(e1), exprNode(e2)) } +private import semmle.code.csharp.frameworks.microsoft.aspnetcore.Components +private import semmle.code.csharp.frameworks.Razor +private import semmle.code.csharp.frameworks.NHibernate + /** * A data flow node that jumps between callables. This can be extended in * framework code to add additional data flow steps.

Yes, and just in a private module.

/** * A module importing the modules that provide non local jump node declarations, * ensuring that they are visible to the taint tracking / data flow library. */ private module JumpNodes { private import semmle.code.csharp.frameworks.microsoft.aspnetcore.Components private import semmle.code.csharp.frameworks.Razor private import semmle.code.csharp.frameworks.NHibernate }

michaelnebel

Excellent!

hvitved · 2025-03-28T07:38:23Z

I have started a DCA run. Also, it would be nicer to use inline test expectations, as suggested by QL4QL.

tamasvajk · 2025-03-28T08:28:48Z

it would be nicer to use inline test expectations, as suggested by QL4QL.

Should inline test expectations work when the source and sink locations are mapped to .razor files?

hvitved · 2025-03-28T09:05:35Z

Should inline test expectations work when the source and sink locations are mapped to .razor files?

Sorry, you are right, it doesn't work for .razor pages.

egregius313 and others added 12 commits March 5, 2025 01:13

Component parameter passing step

48b90b2

Add Name and NameList test classes

0463f48

fixup! Component parameter passing step

17da291

fixup! Add Name and NameList test classes

824b182

Fix formatting

97e00ae

XSS qlref

8ea6974

Fix jump node by using associated property

22e958b

Fix test expectations

133c6fa

Remove unused line

a0fe7d6

Add XSS test to integration tests

e2f0a61

Add likely XSS case to integration tests

ca14c57

Add expected XSS test results

f6968af

github-actions bot added the C# label Mar 26, 2025

tamasvajk mentioned this pull request Mar 26, 2025

C#: Blazor: Add non-local jump node for parameter passing #18930

Closed

github-advanced-security bot found potential problems Mar 26, 2025

View reviewed changes

Make working directory name the same on all OS

68f96d3

tamasvajk marked this pull request as ready for review March 26, 2025 11:50

tamasvajk requested a review from a team as a code owner March 26, 2025 11:50

Add change note

4e37e5a

github-actions bot added the documentation label Mar 26, 2025

michaelnebel reviewed Mar 27, 2025

View reviewed changes

Improve code quality

d824d24

github-advanced-security bot found potential problems Mar 27, 2025

View reviewed changes

michaelnebel reviewed Mar 27, 2025

View reviewed changes

Add imports for specific jump nodes

42278eb

michaelnebel approved these changes Mar 27, 2025

View reviewed changes

tamasvajk merged commit 342d4a6 into github:main Mar 28, 2025
24 checks passed

		@@ -0,0 +1 @@
		Security Features/CWE-079/XSS.ql No newline at end of file

		query: Security Features/CWE-079/XSS.ql
		postprocess: utils/test/PrettyPrintModels.ql

Conversation

tamasvajk commented Mar 26, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Check warning

michaelnebel left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Check warning

Check warning

Check warning

michaelnebel left a comment

Choose a reason for hiding this comment

Uh oh!

michaelnebel Mar 27, 2025

Choose a reason for hiding this comment

Uh oh!

tamasvajk Mar 27, 2025

Choose a reason for hiding this comment

Uh oh!

michaelnebel Mar 27, 2025

Choose a reason for hiding this comment

Uh oh!

tamasvajk Mar 27, 2025

Choose a reason for hiding this comment

Uh oh!

michaelnebel Mar 27, 2025

Choose a reason for hiding this comment

Uh oh!

michaelnebel left a comment

Choose a reason for hiding this comment

Uh oh!

hvitved commented Mar 28, 2025

Uh oh!

tamasvajk commented Mar 28, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

hvitved commented Mar 28, 2025

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

tamasvajk commented Mar 26, 2025 •

edited

Loading

tamasvajk commented Mar 28, 2025 •

edited

Loading