C#: Post-processing query for inline test expectations

Author: hvitved

csharp/ql/test/TestUtilities/InlineExpectationsTest.qll

@@ -1,5 +1,5 @@
 /**
- * Inline expectation tests for CSharp.
+ * Inline expectation tests for C#.
  * See `shared/util/codeql/util/test/InlineExpectationsTest.qll`
  */
 

csharp/ql/test/TestUtilities/InlineExpectationsTestQuery.ql

@@ -0,0 +1,21 @@
+/**
+ * @kind test-postprocess
+ */
+
+private import csharp
+private import codeql.util.test.InlineExpectationsTest as T
+private import internal.InlineExpectationsTestImpl
+import T::TestPostProcessing
+import T::TestPostProcessing::Make<Impl, Input>
+
+private module Input implements T::TestPostProcessing::InputSig<Impl> {
+  string getRelativeUrl(Location location) {
+    exists(File f, int startline, int startcolumn, int endline, int endcolumn |
+      location.hasLocationInfo(_, startline, startcolumn, endline, endcolumn) and
+      f = location.getFile()
+    |
+      result =
+        f.getRelativePath() + ":" + startline + ":" + startcolumn + ":" + endline + ":" + endcolumn
+    )
+  }
+}

csharp/ql/test/query-tests/Security Features/CWE-079/XSS/Index.cshtml.g.cs

@@ -30,15 +30,15 @@ public class Pages_Index : global::Microsoft.AspNetCore.Mvc.RazorPages.Page
 #line 3 "Index.cshtml"
 
     ViewData["Title"] = "ASP.NET Core";
-    var message = Request.Query["m"];
+    var message = Request.Query["m"]; // $ Source=message
 
 #line default
 #line hidden
 #nullable disable
             WriteLiteral("<div class=\"cli\">\n    <div class=\"cli-example\">        \n");
 #nullable restore
 #line 14 "Index.cshtml"
-Write(Html.Raw(message)); // BAD
+Write(Html.Raw(message)); // $ Alert=message
 
 #line default
 #line hidden

csharp/ql/test/query-tests/Security Features/CWE-079/XSS/XSS.expected

@@ -1,2 +1,4 @@
 query: Security Features/CWE-079/XSS.ql
-postprocess: TestUtilities/PrettyPrintModels.ql
+postprocess:
+  - TestUtilities/PrettyPrintModels.ql
+  - TestUtilities/InlineExpectationsTestQuery.ql

csharp/ql/test/query-tests/Security Features/CWE-079/XSS/XSS.qlref

@@ -16,14 +16,14 @@ public override void Execute()
         {
             Layout = "~/_SiteLayout.cshtml";
             Page.Title = "Contact";
-            var sayHi = Request.QueryString["sayHi"];
+            var sayHi = Request.QueryString["sayHi"]; // $ Source=sayHi
             if (sayHi.IsEmpty())
             {
                 WriteLiteral("<script>alert(\"XSS via WriteLiteral\")</script>"); // GOOD: hard-coded, not user input
             }
             else
             {
-                WriteLiteral(sayHi); // BAD: user input flows to HTML unencoded
+                WriteLiteral(sayHi); // $ Alert=sayHi
                 WriteLiteral(HttpUtility.HtmlEncode(sayHi)); // Good: user input is encoded before it flows to HTML
             }
 
@@ -33,15 +33,16 @@ public override void Execute()
             }
             else
             {
-                WriteLiteralTo(Output, sayHi); // BAD: user input flows to HTML unencoded
+                WriteLiteralTo(Output, sayHi); // $ Alert=sayHi
                 WriteLiteralTo(Output, Html.Encode(sayHi)); // Good: user input is encoded before it flows to HTML
             }
 
             BeginContext("~/Views/Home/Contact.cshtml", 288, 32, false);
 
             Write(Html.Raw("<script>alert(\"XSS via Html.Raw()\")</script>")); // GOOD: hard-coded, not user input
-            Write(Html.Raw(Request.QueryString["sayHi"])); // BAD: user input flows to HTML unencoded
-            Write(Html.Raw(HttpContext.Current.Server.HtmlEncode(Request.QueryString["sayHi"]))); // Good: user input is encoded before it flows to HTML
+            var sayHi2 = Request.QueryString["sayHi"]; // $ Source=sayHi2
+            Write(Html.Raw(sayHi2)); // $ Alert=sayHi2
+            Write(Html.Raw(HttpContext.Current.Server.HtmlEncode(sayHi2))); // Good: user input is encoded before it flows to HTML
             EndContext("~/Views/Home/Contact.cshtml", 288, 32, false);
         }
     }

csharp/ql/test/query-tests/Security Features/CWE-079/XSS/XSSAspNet.cs

@@ -18,7 +18,8 @@ public IActionResult Index()
         {
             // BAD: flow of content type to.
             var v = new ViewResult();
-            v.ViewData["BadData"] = new HtmlString(Request.Query["Bad data"]);
+            var source = Request.Query["Bad data"]; // $ Source=req1
+            v.ViewData["BadData"] = new HtmlString(source); // $ Alert=req1
 
             StringValues vOut;
             Request.Query.TryGetValue("Foo", out vOut);
@@ -37,39 +38,44 @@ public IActionResult Index()
 
         [HttpPost("Test")]
         [ValidateAntiForgeryToken]
-        public IActionResult Submit([FromQuery] string foo)
+        public IActionResult Submit([FromQuery] string foo) // $ Source=foo
         {
             var view = new ViewResult();
             //BAD: flow of submitted value to view in HtmlString.
-            view.ViewData["FOO"] = new HtmlString(foo);
+            view.ViewData["FOO"] = new HtmlString(foo); // $ Alert=foo
             return view;
         }
 
         public IActionResult IndexToModel()
         {
             //BAD: flow of submitted value to view in HtmlString.
-            HtmlString v = new HtmlString(Request.QueryString.Value);
+            var req2 = Request.QueryString.Value; // $ Source=req2
+            HtmlString v = new HtmlString(req2); // $ Alert=req2
             return View(new HomeViewModel() { Message = "Message from Index", Description = v });
         }
 
         public IActionResult About()
         {
             //BAD: flow of submitted value to view in HtmlString.
-            HtmlString v = new HtmlString(Request.Query["Foo"].ToString());
+            var req3 = Request.Query["Foo"].ToString(); // $ Source=req3
+            HtmlString v = new HtmlString(req3); // $ Alert=req3
 
             //BAD: flow of submitted value to view in HtmlString.
-            HtmlString v1 = new HtmlString(Request.Query["Foo"][0]);
+            var req4 = Request.Query["Foo"][0]; // $ Source=req4
+            HtmlString v1 = new HtmlString(req4); // $ Alert=req4
 
             return View(new HomeViewModel() { Message = "Message from About", Description = v });
         }
 
         public IActionResult Contact()
         {
             //BAD: flow of user content type to view in HtmlString.
-            HtmlString v = new HtmlString(Request.ContentType);
+            var ct = Request.ContentType; // $ Source=ct
+            HtmlString v = new HtmlString(ct); // $ Alert=ct
 
             //BAD: flow of headers to view in HtmlString.
-            HtmlString v1 = new HtmlString(value: Request.Headers["Foo"]);
+            var header = Request.Headers["Foo"]; // $ Source=header
+            HtmlString v1 = new HtmlString(value: header); // $ Alert=header
 
             return View(new HomeViewModel() { Message = "Message from Contact", Description = v });
         }

csharp/ql/test/query-tests/Security Features/CWE-079/XSS/XSSAspNetCore.cs

@@ -3,13 +3,13 @@ class UnusedLabelTest
     void F1()
     {
         goto a;
-        a:  // GOOD
+    a:  // GOOD
         ;
     }
 
     void F2()
     {
-        a:  // BAD
+    a:  // $ Alert
         ;
     }
 }

csharp/ql/test/query-tests/Useless Code/UnusedLabel/UnusedLabel.cs

@@ -1 +1 @@
-| UnusedLabel.cs:12:9:12:9 | a: | This label is not used. |
+| UnusedLabel.cs:12:5:12:5 | a: | This label is not used. |

csharp/ql/test/query-tests/Useless Code/UnusedLabel/UnusedLabel.expected

@@ -1 +1,2 @@
-Useless code/UnusedLabel.ql
+query: Useless code/UnusedLabel.ql
+postprocess: TestUtilities/InlineExpectationsTestQuery.ql