
Commit 29df7f5

committed
C#: Mark false-negatives.
1 parent 7fa442d commit 29df7f5


2 files changed

+11
-12
lines changed

Lines changed: 7 additions & 7 deletions
@@ -1,10 +1,10 @@
11
| XSSAspNet.cs:27:30:27:34 | access to local variable sayHi | $@ flows to here and is written to HTML or JavaScript: System.Web.WebPages.WebPage.WriteLiteral() method. | XSSAspNet.cs:20:25:20:43 | access to property QueryString | User-provided value |
22
| XSSAspNet.cs:37:40:37:44 | access to local variable sayHi | $@ flows to here and is written to HTML or JavaScript: System.Web.WebPages.WebPage.WriteLiteralTo() method. | XSSAspNet.cs:20:25:20:43 | access to property QueryString | User-provided value |
33
| XSSAspNet.cs:44:28:44:55 | access to indexer | $@ flows to here and is written to HTML or JavaScript. | XSSAspNet.cs:44:28:44:46 | access to property QueryString | User-provided value |
4-
| XSSAspNetCore.cs:22:52:22:76 | call to operator implicit conversion | $@ flows to here and is written to HTML or JavaScript. | XSSAspNetCore.cs:22:52:22:64 | access to property Query | User-provided value |
5-
| XSSAspNetCore.cs:45:51:45:53 | access to parameter foo | $@ flows to here and is written to HTML or JavaScript. | XSSAspNetCore.cs:41:56:41:58 | foo | User-provided value |
6-
| XSSAspNetCore.cs:52:43:52:67 | access to property Value | $@ flows to here and is written to HTML or JavaScript. | XSSAspNetCore.cs:52:43:52:67 | access to property Value | User-provided value |
7-
| XSSAspNetCore.cs:59:43:59:73 | call to method ToString | $@ flows to here and is written to HTML or JavaScript. | XSSAspNetCore.cs:59:43:59:55 | access to property Query | User-provided value |
8-
| XSSAspNetCore.cs:62:44:62:66 | access to indexer | $@ flows to here and is written to HTML or JavaScript. | XSSAspNetCore.cs:62:44:62:56 | access to property Query | User-provided value |
9-
| XSSAspNetCore.cs:70:43:70:61 | access to property ContentType | $@ flows to here and is written to HTML or JavaScript. | XSSAspNetCore.cs:70:43:70:61 | access to property ContentType | User-provided value |
10-
| XSSAspNetCore.cs:73:51:73:72 | call to operator implicit conversion | $@ flows to here and is written to HTML or JavaScript. | XSSAspNetCore.cs:73:51:73:65 | access to property Headers | User-provided value |
4+
| XSSAspNetCore.cs:21:52:21:76 | call to operator implicit conversion | $@ flows to here and is written to HTML or JavaScript. | XSSAspNetCore.cs:21:52:21:64 | access to property Query | User-provided value |
5+
| XSSAspNetCore.cs:44:51:44:53 | access to parameter foo | $@ flows to here and is written to HTML or JavaScript. | XSSAspNetCore.cs:40:56:40:58 | foo | User-provided value |
6+
| XSSAspNetCore.cs:51:43:51:67 | access to property Value | $@ flows to here and is written to HTML or JavaScript. | XSSAspNetCore.cs:51:43:51:67 | access to property Value | User-provided value |
7+
| XSSAspNetCore.cs:58:43:58:73 | call to method ToString | $@ flows to here and is written to HTML or JavaScript. | XSSAspNetCore.cs:58:43:58:55 | access to property Query | User-provided value |
8+
| XSSAspNetCore.cs:61:44:61:66 | access to indexer | $@ flows to here and is written to HTML or JavaScript. | XSSAspNetCore.cs:61:44:61:56 | access to property Query | User-provided value |
9+
| XSSAspNetCore.cs:69:43:69:61 | access to property ContentType | $@ flows to here and is written to HTML or JavaScript. | XSSAspNetCore.cs:69:43:69:61 | access to property ContentType | User-provided value |
10+
| XSSAspNetCore.cs:72:51:72:72 | call to operator implicit conversion | $@ flows to here and is written to HTML or JavaScript. | XSSAspNetCore.cs:72:51:72:65 | access to property Headers | User-provided value |

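--- a/csharp/ql/test/query-tests/Security Features/CWE-079/XSS/XSSAspNetCore.cs
+++ b/csharp/ql/test/query-tests/Security Features/CWE-079/XSS/XSSAspNetCore.cs
@@ -1,5 +1,4 @@
-
-using System.Linq;
+using System.Linq;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Html;
 using Microsoft.Extensions.Primitives;
@@ -24,13 +23,13 @@ public IActionResult Index()
 StringValues vOut;
 Request.Query.TryGetValue("Foo", out vOut);
 
-// BAD: via Enumerable.
+// BAD: via Enumerable. (false negative)
 v.ViewData["FooFirst"] = new HtmlString(vOut.First());
 
-// BAD: via toArray.
+// BAD: via toArray. (false negative)
 v.ViewData["FooArray0"] = new HtmlString(vOut.ToArray()[0]);
 
-// BAD: via implicit conversion operator.
+// BAD: via implicit conversion operator. (false negative)
 v.ViewData["FooImplicit"] = new HtmlString(vOut);
 
 return v;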
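Review bot: The three "(false negative)" markers added in the second hunk record that the query misses these sinks but not why, so the next maintainer cannot tell which modeling gap closes them. All three read `vOut`, which is populated only through the `out` parameter of `Request.Query.TryGetValue("Foo", out vOut)` two lines above, and the expected-results file in the same commit still reports the implicit-conversion sink at XSSAspNetCore.cs line 21, so the gap is presumably the untracked `out`-parameter flow from `TryGetValue` rather than `First()`, `ToArray()` or the `StringValues` conversion themselves — worth confirming against the query's taint model. I would state that once on the first marker, e.g. `// BAD: via Enumerable. (false negative: taint presumably not tracked through the TryGetValue out parameter into vOut)`, and keep the other two markers short. The enclosing `Index()` method begins before this hunk and its closing brace lies after it.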
