C#: Add MarkupString as an html-injection sink

github · Sep 3, 2024 · 66e6da3 · 66e6da3
1 parent 0ff7512
commit 66e6da3
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 0 deletions.
diff --git a/csharp/ql/integration-tests/all-platforms/blazor/htmlSinks.expected b/csharp/ql/integration-tests/all-platforms/blazor/htmlSinks.expected
@@ -0,0 +1,8 @@
+| BlazorTest/Components/MyOutput.razor:5:53:5:57 | access to property Value |
+| BlazorTest/Components/Pages/TestPage.razor:11:48:11:55 | access to property UrlParam |
+| BlazorTest/Components/Pages/TestPage.razor:20:60:20:69 | access to property QueryParam |
+| BlazorTest/Components/Pages/TestPage.razor:29:53:29:63 | access to property InputValue1 |
+| BlazorTest/Components/Pages/TestPage.razor:38:53:38:63 | access to property InputValue2 |
+| BlazorTest/Components/Pages/TestPage.razor:47:53:47:68 | access to property Value |
+| BlazorTest/Components/Pages/TestPage.razor:56:53:56:63 | access to property InputValue3 |
+| BlazorTest/Components/Pages/TestPage.razor:65:53:65:63 | access to property InputValue4 |
diff --git a/csharp/ql/lib/ext/Microsoft.AspNetCore.Components.model.yml b/csharp/ql/lib/ext/Microsoft.AspNetCore.Components.model.yml
@@ -0,0 +1,7 @@
+extensions:
+  - addsTo:
+      pack: codeql/csharp-all
+      extensible: sinkModel
+    data:
+      - ["Microsoft.AspNetCore.Components", "MarkupString", False, "MarkupString", "(System.String)", "", "Argument[0]", "html-injection", "manual"]
+      - ["Microsoft.AspNetCore.Components", "MarkupString", False, "op_Explicit", "(System.String)", "", "Argument[0]", "html-injection", "manual"]