C#: Edit qhelp for cs/insecure-request-validation-mode

calumgrant · calumgrant · commit c906a8238d39 · 2019-11-27T16:37:37.000Z
diff --git a/csharp/ql/src/Security Features/CWE-016/ASPNetRequestValidationMode.qhelp b/csharp/ql/src/Security Features/CWE-016/ASPNetRequestValidationMode.qhelp
@@ -3,84 +3,49 @@
 
 	<overview>
 		<p>
-			The
-			<code>requestValidationMode</code>
-			attribute in ASP.NET is used to configure
-			built-in validations to
-			protect applications against code injections. Downgrading or
-			disabling
-			this configuration is not recommended. The default value 4.5
-			is
-			the only recommended value as previous versions only
-			test a subset
-			of
-			requests.
+			The <code>requestValidationMode</code> attribute in ASP.NET is used to configure built in validation to
+			protect applications against code injections. Downgrading or disabling
+			this configuration is not recommended. The default value of 4.5
+			is the only recommended value as previous versions only test a subset of requests.
 		</p>
 
 	</overview>
 	<recommendation>
 
 		<p>
-			Always set
-			<code>requestValidationMode</code>
-			to 4.5. (Default value)
+			Always set <code>requestValidationMode</code> to 4.5, or leave it at its default value.
 		</p>
 
 	</recommendation>
 	<example>
 
 		<p>
-			The following example shows the
-			<code>requestValidationMode</code>
+			The following example shows the <code>requestValidationMode</code>
 			attribute set to the value 4.0 which disables some protections and
-			ignores individual
-			<code>Page</code>
-			directives:
-			<code>
-				<httpRuntime requestValidationMode="4.0" />
+			ignores individual <code>Page</code> directives:
 
-
-
-			</code>
+			<sample src="ConfigurationBad.config" />
 		</p>
 
 		<p>
-			If the value is set to 2.0, request validation is enabled for pages
-			but not for all requests:
+			Setting the value to 4.5 enables request validation for all requests:
 		</p>
 
-		<code>
-			<httpRuntime requestValidationMode="2.0" />
-
-
-
-		</code>
-
-		<p>
-			If the value is set to 0, request validation is completely disabled
-			(Only recognized in ASP.NET 4.6 and later):
-		</p>
-
-		<code>
-			<httpRuntime requestValidationMode="0.0" />
-
-
+		<sample src="ConfigurationGood.config" />
 
-		</code>
 	</example>
 	<references>
 
 		<li>
 			Microsoft:
 			<a
-				href="https://docs.microsoft.com/en-us/dotnet/api/system.web.configuration.httpruntimesection.requestvalidationmode?view=netframework-4.8">requestValidationMode configuration to protect against code
-				injection attacks</a>
-			.
+				href="https://docs.microsoft.com/en-us/dotnet/api/system.web.configuration.httpruntimesection.requestvalidationmode?view=netframework-4.8">HttpRuntimeSection.RequestValidationMode Property
+				</a>.
 		</li>
 		<li>
 			OWASP:
 			<a
-				href="https://www.owasp.org/index.php/ASP.NET_Request_Validation">ASP.NET Request Validation on OWASP</a>
+				href="https://www.owasp.org/index.php/ASP.NET_Request_Validation">ASP.NET Request Validation</a>.
 		</li>
 	</references>
 
diff --git a/csharp/ql/src/Security Features/CWE-016/ConfigurationBad.config b/csharp/ql/src/Security Features/CWE-016/ConfigurationBad.config
@@ -0,0 +1,5 @@
+<configuration>
+  <system.web>
+    <httpRuntime requestValidationMode="4.0"/>
+  </system.web>
+</configuration>
diff --git a/csharp/ql/src/Security Features/CWE-016/ConfigurationGood.config b/csharp/ql/src/Security Features/CWE-016/ConfigurationGood.config
@@ -0,0 +1,5 @@
+<configuration>
+  <system.web>
+    <httpRuntime requestValidationMode="4.5"/>
+  </system.web>
+</configuration>
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-016/ASPNetRequestValidationMode/ASPNetRequestValidationMode.expected b/csharp/ql/test/query-tests/Security Features/CWE-016/ASPNetRequestValidationMode/ASPNetRequestValidationMode.expected
@@ -0,0 +1 @@
+| ConfigurationBad.config:3:5:3:47 | requestValidationMode=4.0 | Insecure value for requestValidationMode (4.0). |
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-016/ASPNetRequestValidationMode/ASPNetRequestValidationMode.qlref b/csharp/ql/test/query-tests/Security Features/CWE-016/ASPNetRequestValidationMode/ASPNetRequestValidationMode.qlref
@@ -0,0 +1 @@
+Security Features/CWE-016/ASPNetRequestValidationMode.ql
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-016/ASPNetRequestValidationMode/ConfigurationBad.config b/csharp/ql/test/query-tests/Security Features/CWE-016/ASPNetRequestValidationMode/ConfigurationBad.config
@@ -0,0 +1,5 @@
+<configuration>
+  <system.web>
+    <httpRuntime requestValidationMode="4.0"/>
+  </system.web>
+</configuration>
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-016/ASPNetRequestValidationMode/ConfigurationGood.config b/csharp/ql/test/query-tests/Security Features/CWE-016/ASPNetRequestValidationMode/ConfigurationGood.config
@@ -0,0 +1,5 @@
+<configuration>
+  <system.web>
+    <httpRuntime requestValidationMode="4.5"/>
+  </system.web>
+</configuration>
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-016/ASPNetRequestValidationMode/Program.cs b/csharp/ql/test/query-tests/Security Features/CWE-016/ASPNetRequestValidationMode/Program.cs

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+\| ConfigurationBad.config:3:5:3:47 \| requestValidationMode=4.0 \| Insecure value for requestValidationMode (4.0). \|`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+Security Features/CWE-016/ASPNetRequestValidationMode.ql`