Adds CodeQL query to check for insecure RequestValidationMode in ASP.NET

cldrn · calumgrant · commit 6f346c6676b2 · 2019-11-27T16:37:37.000Z
diff --git a/csharp/ql/src/Security Features/CWE-016/ASPNetRequestValidationMode.qhelp b/csharp/ql/src/Security Features/CWE-016/ASPNetRequestValidationMode.qhelp
@@ -0,0 +1,89 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+	<overview>
+		<p>
+			The
+			<code>requestValidationMode</code>
+			attribute in ASP.NET is used to configure
+			built-in validations to
+			protect applications against code injections. Downgrading or
+			disabling
+			this configuration is not recommended. The default value 4.5
+			is
+			the only recommended value as previous versions only
+			test a subset
+			of
+			requests.
+		</p>
+
+	</overview>
+	<recommendation>
+
+		<p>
+			Always set
+			<code>requestValidationMode</code>
+			to 4.5. (Default value)
+		</p>
+
+	</recommendation>
+	<example>
+
+		<p>
+			The following example shows the
+			<code>requestValidationMode</code>
+			attribute set to the value 4.0 which disables some protections and
+			ignores individual
+			<code>Page</code>
+			directives:
+			<code>
+				<httpRuntime requestValidationMode="4.0" />
+
+
+
+			</code>
+		</p>
+
+		<p>
+			If the value is set to 2.0, request validation is enabled for pages
+			but not for all requests:
+		</p>
+
+		<code>
+			<httpRuntime requestValidationMode="2.0" />
+
+
+
+		</code>
+
+		<p>
+			If the value is set to 0, request validation is completely disabled
+			(Only recognized in ASP.NET 4.6 and later):
+		</p>
+
+		<code>
+			<httpRuntime requestValidationMode="0.0" />
+
+
+
+		</code>
+	</example>
+	<references>
+
+		<li>
+			Microsoft:
+			<a
+				href="https://docs.microsoft.com/en-us/dotnet/api/system.web.configuration.httpruntimesection.requestvalidationmode?view=netframework-4.8">requestValidationMode configuration to protect against code
+				injection attacks</a>
+			.
+		</li>
+		<li>
+			OWASP:
+			<a
+				href="https://www.owasp.org/index.php/ASP.NET_Request_Validation">ASP.NET Request Validation on OWASP</a>
+		</li>
+	</references>
+
+</qhelp>
diff --git a/csharp/ql/src/Security Features/CWE-016/ASPNetRequestValidationMode.ql b/csharp/ql/src/Security Features/CWE-016/ASPNetRequestValidationMode.ql
@@ -0,0 +1,17 @@
+/**
+ * @name Insecure configuration for ASP.NET requestValidationMode
+ * @description Setting requestValidationMode to less than 4.5 disables built-in validations
+ *              included by default in ASP.NET. Disabling or downgrading this protection is not
+ *              recommended.
+ * @kind problem
+ * @problem.severity warning
+ */
+
+import csharp
+
+from XMLAttribute reqValidationMode
+where
+  reqValidationMode.getName().toLowerCase() = "requestvalidationmode" and
+  reqValidationMode.getValue().toFloat() < 4.5
+select reqValidationMode,
+  "Insecure value for requestValidationMode (" + reqValidationMode.getValue() + ")."
