
Commit d701159

committed
add test
1 parent e842b1f commit d701159

5 files changed

+313
-0
lines changed

Lines changed: 57 additions & 0 deletions
@@ -0,0 +1,57 @@
1+
edges
2+
| test.cs:16:34:16:42 | subdomain : String | test.cs:18:56:18:100 | $"..." : String | provenance | |
3+
| test.cs:16:34:16:42 | subdomain : String | test.cs:20:64:20:108 | $"..." : String | provenance | |
4+
| test.cs:16:34:16:42 | subdomain : String | test.cs:22:49:22:93 | $"..." : String | provenance | |
5+
| test.cs:18:56:18:100 | $"..." : String | test.cs:18:48:18:101 | object creation of type Uri | provenance | MaD:3700 Sink:MaD:2462 |
6+
| test.cs:20:64:20:108 | $"..." : String | test.cs:20:56:20:109 | object creation of type Uri | provenance | MaD:3700 Sink:MaD:2462 |
7+
| test.cs:22:49:22:93 | $"..." : String | test.cs:22:41:22:94 | object creation of type Uri | provenance | MaD:3700 Sink:MaD:2408 |
8+
| test.cs:38:59:38:67 | subdomain : String | test.cs:41:31:41:75 | $"..." : String | provenance | |
9+
| test.cs:41:17:41:19 | access to local variable uri : Uri | test.cs:43:72:43:74 | access to local variable uri | provenance | Sink:MaD:2462 |
10+
| test.cs:41:23:41:76 | object creation of type Uri : Uri | test.cs:41:17:41:19 | access to local variable uri : Uri | provenance | |
11+
| test.cs:41:31:41:75 | $"..." : String | test.cs:41:23:41:76 | object creation of type Uri : Uri | provenance | MaD:3700 |
12+
| test.cs:79:59:79:67 | subdomain : String | test.cs:82:31:82:75 | $"..." : String | provenance | |
13+
| test.cs:82:17:82:19 | access to local variable uri : Uri | test.cs:84:72:84:74 | access to local variable uri | provenance | Sink:MaD:2462 |
14+
| test.cs:82:23:82:76 | object creation of type Uri : Uri | test.cs:82:17:82:19 | access to local variable uri : Uri | provenance | |
15+
| test.cs:82:31:82:75 | $"..." : String | test.cs:82:23:82:76 | object creation of type Uri : Uri | provenance | MaD:3700 |
16+
| test.cs:161:59:161:67 | subdomain : String | test.cs:164:31:164:75 | $"..." : String | provenance | |
17+
| test.cs:164:17:164:19 | access to local variable uri : Uri | test.cs:166:72:166:74 | access to local variable uri | provenance | Sink:MaD:2462 |
18+
| test.cs:164:23:164:76 | object creation of type Uri : Uri | test.cs:164:17:164:19 | access to local variable uri : Uri | provenance | |
19+
| test.cs:164:31:164:75 | $"..." : String | test.cs:164:23:164:76 | object creation of type Uri : Uri | provenance | MaD:3700 |
20+
| test.cs:207:59:207:67 | subdomain : String | test.cs:214:31:214:75 | $"..." : String | provenance | |
21+
| test.cs:214:17:214:19 | access to local variable uri : Uri | test.cs:216:72:216:74 | access to local variable uri | provenance | Sink:MaD:2462 |
22+
| test.cs:214:23:214:76 | object creation of type Uri : Uri | test.cs:214:17:214:19 | access to local variable uri : Uri | provenance | |
23+
| test.cs:214:31:214:75 | $"..." : String | test.cs:214:23:214:76 | object creation of type Uri : Uri | provenance | MaD:3700 |
24+
nodes
25+
| test.cs:16:34:16:42 | subdomain : String | semmle.label | subdomain : String |
26+
| test.cs:18:48:18:101 | object creation of type Uri | semmle.label | object creation of type Uri |
27+
| test.cs:18:56:18:100 | $"..." : String | semmle.label | $"..." : String |
28+
| test.cs:20:56:20:109 | object creation of type Uri | semmle.label | object creation of type Uri |
29+
| test.cs:20:64:20:108 | $"..." : String | semmle.label | $"..." : String |
30+
| test.cs:22:41:22:94 | object creation of type Uri | semmle.label | object creation of type Uri |
31+
| test.cs:22:49:22:93 | $"..." : String | semmle.label | $"..." : String |
32+
| test.cs:38:59:38:67 | subdomain : String | semmle.label | subdomain : String |
33+
| test.cs:41:17:41:19 | access to local variable uri : Uri | semmle.label | access to local variable uri : Uri |
34+
| test.cs:41:23:41:76 | object creation of type Uri : Uri | semmle.label | object creation of type Uri : Uri |
35+
| test.cs:41:31:41:75 | $"..." : String | semmle.label | $"..." : String |
36+
| test.cs:43:72:43:74 | access to local variable uri | semmle.label | access to local variable uri |
37+
| test.cs:79:59:79:67 | subdomain : String | semmle.label | subdomain : String |
38+
| test.cs:82:17:82:19 | access to local variable uri : Uri | semmle.label | access to local variable uri : Uri |
39+
| test.cs:82:23:82:76 | object creation of type Uri : Uri | semmle.label | object creation of type Uri : Uri |
40+
| test.cs:82:31:82:75 | $"..." : String | semmle.label | $"..." : String |
41+
| test.cs:84:72:84:74 | access to local variable uri | semmle.label | access to local variable uri |
42+
| test.cs:161:59:161:67 | subdomain : String | semmle.label | subdomain : String |
43+
| test.cs:164:17:164:19 | access to local variable uri : Uri | semmle.label | access to local variable uri : Uri |
44+
| test.cs:164:23:164:76 | object creation of type Uri : Uri | semmle.label | object creation of type Uri : Uri |
45+
| test.cs:164:31:164:75 | $"..." : String | semmle.label | $"..." : String |
46+
| test.cs:166:72:166:74 | access to local variable uri | semmle.label | access to local variable uri |
47+
| test.cs:207:59:207:67 | subdomain : String | semmle.label | subdomain : String |
48+
| test.cs:214:17:214:19 | access to local variable uri : Uri | semmle.label | access to local variable uri : Uri |
49+
| test.cs:214:23:214:76 | object creation of type Uri : Uri | semmle.label | object creation of type Uri : Uri |
50+
| test.cs:214:31:214:75 | $"..." : String | semmle.label | $"..." : String |
51+
| test.cs:216:72:216:74 | access to local variable uri | semmle.label | access to local variable uri |
52+
subpaths
53+
#select
54+
| test.cs:43:72:43:74 | access to local variable uri | test.cs:38:59:38:67 | subdomain : String | test.cs:43:72:43:74 | access to local variable uri | Potential server side request forgery due to $@ flowing to a constructor or method from class $@. | test.cs:38:59:38:67 | subdomain | a user-provided value | System.Net.WebRequest | System.Net.WebRequest |
55+
| test.cs:84:72:84:74 | access to local variable uri | test.cs:79:59:79:67 | subdomain : String | test.cs:84:72:84:74 | access to local variable uri | Potential server side request forgery due to $@ flowing to a constructor or method from class $@. | test.cs:79:59:79:67 | subdomain | a user-provided value | System.Net.WebRequest | System.Net.WebRequest |
56+
| test.cs:166:72:166:74 | access to local variable uri | test.cs:161:59:161:67 | subdomain : String | test.cs:166:72:166:74 | access to local variable uri | Potential server side request forgery due to $@ flowing to a constructor or method from class $@. | test.cs:161:59:161:67 | subdomain | a user-provided value | System.Net.WebRequest | System.Net.WebRequest |
57+
| test.cs:216:72:216:74 | access to local variable uri | test.cs:207:59:207:67 | subdomain : String | test.cs:216:72:216:74 | access to local variable uri | Potential server side request forgery due to $@ flowing to a constructor or method from class $@. | test.cs:207:59:207:67 | subdomain | a user-provided value | System.Net.WebRequest | System.Net.WebRequest |
@@ -0,0 +1 @@
1+
experimental/CWE-918/RequestForgeryWithAuthorizationHeader.ql
Lines changed: 6 additions & 0 deletions
@@ -0,0 +1,6 @@
1+
semmle-extractor-options: /nostdlib /noconfig
2+
semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
3+
semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/_frameworks/Microsoft.AspNetCore.App/Microsoft.AspNetCore.App.csproj
4+
semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/System.Runtime.InteropServices\4.3.0\System.Runtime.InteropServices.csproj
5+
semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/Newtonsoft.Json/13.0.3/Newtonsoft.Json.csproj
6+
semmle-extractor-options: ${testdir}/../../../resources/stubs/System.Web.cs
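Review bot: The fourth `--load-sources-from-project` path mixes separators — `System.Runtime.InteropServices\4.3.0\System.Runtime.InteropServices.csproj` uses backslashes inside an otherwise forward-slash path. On Linux and macOS a backslash is an ordinary filename character, so unless the extractor normalizes separators this project stub would not be found and the test would silently run without it. Writing it as `--load-sources-from-project:${testdir}/../../../resources/stubs/System.Runtime.InteropServices/4.3.0/System.Runtime.InteropServices.csproj` matches the form used on the neighbouring lines; if other tests in the tree already use the backslash form and pass, this may be harmless, but consistency is still preferable.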
Lines changed: 10 additions & 0 deletions
@@ -0,0 +1,10 @@
1+
using Microsoft.VisualStudio.Services.WebApi;
2+
using System;
3+
4+
namespace Microsoft.VisualStudio.Services.WebApi
5+
{
6+
public class VssConnection
7+
{
8+
public VssConnection(Uri baseUrl) { }
9+
}
10+
}
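Review bot: The `using Microsoft.VisualStudio.Services.WebApi;` directive at the top of this stub imports the very namespace the file declares, so it is redundant and can be dropped. Nothing in the added test.cs references `VssConnection`, so as far as this commit shows the stub is not exercised by any test case. If it exists so that a sink in the query's models resolves, a one-line comment such as `// Stub so the VssConnection(Uri) sink resolves; not yet exercised by test.cs.` would make that intent clear; otherwise a test case that passes a tainted `Uri` to `new VssConnection(...)` alongside an Authorization header would give it a purpose.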
Lines changed: 239 additions & 0 deletions
@@ -0,0 +1,239 @@
1+
using Microsoft.AspNetCore.Mvc;
2+
using Newtonsoft.Json.Linq;
3+
using System;
4+
using System.IO;
5+
using System.Net;
6+
using System.Net.Http;
7+
using System.Text;
8+
using System.Threading.Tasks;
9+
10+
namespace Test
11+
{
12+
13+
// These should not be flagged since no authorization header is set
14+
public class TestController : Controller
15+
{
16+
public void Index(string subdomain)
17+
{
18+
var webrequest = WebRequest.Create(new Uri($"http://{subdomain}.contoso.com/api/getdata"));
19+
20+
var httpWebrequest = HttpWebRequest.Create(new Uri($"http://{subdomain}.contoso.com/api/getdata"));
21+
22+
(new HttpClient()).GetAsync(new Uri($"http://{subdomain}.contoso.com/api/getdata"));
23+
}
24+
}
25+
26+
// NOTES: test cases where the authorization header is set using
27+
// a simple key-value assignment expression where the key is a string with a
28+
// case-insensitive text "Authorization".
29+
//
30+
// Example:
31+
//
32+
// req.Headers["Authorization"] = token;
33+
// req.Headers["authorization"] = token;
34+
// req.Headers["aUtHoRiZaTiOn"] = token;
35+
36+
public class Test1Controller : Controller
37+
{
38+
public async Task<string> DownloadDataFrom(string subdomain)
39+
{
40+
string result = string.Empty;
41+
var uri = new Uri($"http://{subdomain}.contoso.com/api/getdata");
42+
43+
HttpWebRequest req = (HttpWebRequest)HttpWebRequest.Create(uri);
44+
45+
req.Method = "GET";
46+
req.ContentType = "application/json";
47+
req.Headers["Authorization"] = "Bearer FAKE_TOKEN";
48+
49+
using (WebResponse res = req.GetResponse())
50+
{
51+
if (res != null)
52+
{
53+
using (Stream stream = res.GetResponseStream())
54+
{
55+
using (StreamReader reader = new StreamReader(stream, Encoding.UTF8))
56+
{
57+
result = reader.ReadToEnd();
58+
}
59+
}
60+
}
61+
}
62+
63+
return result;
64+
}
65+
}
66+
67+
// NOTES: test cases where the authorization header is set using
68+
// the function call Headers.Add(key, value) where the key is a string with a
69+
// case-insensitive text "Authorization".
70+
//
71+
// Example:
72+
//
73+
// req.Headers.Add("Authorization", token);
74+
// req.Headers.Add("authorization", token);
75+
// req.Headers.Add("aUtHoRiZaTiOn", token);
76+
77+
public class Test2Controller : Controller
78+
{
79+
public async Task<string> DownloadDataFrom(string subdomain)
80+
{
81+
string result = string.Empty;
82+
var uri = new Uri($"http://{subdomain}.contoso.com/api/getdata");
83+
84+
HttpWebRequest req = (HttpWebRequest)HttpWebRequest.Create(uri);
85+
86+
req.Method = "GET";
87+
req.ContentType = "application/json";
88+
req.Headers.Add("Authorization", "Bearer FAKE_TOKEN");
89+
90+
using (WebResponse res = req.GetResponse())
91+
{
92+
if (res != null)
93+
{
94+
using (Stream stream = res.GetResponseStream())
95+
{
96+
using (StreamReader reader = new StreamReader(stream, Encoding.UTF8))
97+
{
98+
result = reader.ReadToEnd();
99+
}
100+
}
101+
}
102+
}
103+
104+
return result;
105+
}
106+
}
107+
108+
// NOTES: test cases where the authorization header is set using
109+
// the function call Headers.Add(key, value) where the key is a constant with
110+
// a case-insensitive text "Authorization".
111+
//
112+
// Example:
113+
//
114+
// req.Headers.Add(AuthorizationHeaderName, token);
115+
// req.Headers.Add(Constants.AuthHeaderName, token);
116+
117+
public class Test3Controller : Controller
118+
{
119+
[HttpPost]
120+
[Route("testRoute")]
121+
public async Task<IActionResult> Create([FromBody] JObject requestObj)
122+
{
123+
string hostServerName = requestObj["hostServerName"].ToString();
124+
string apiVersion = requestObj["apiVersion"].ToString();
125+
string tenantId = requestObj["tenantId"].ToString();
126+
HttpWebRequest req = WebRequest.CreateHttp(
127+
string.Format(
128+
"CultureInfo.CurrentCulture",
129+
"https://{0}/{1}/something?api-version={2}",
130+
hostServerName,
131+
tenantId,
132+
apiVersion)); // TODO fix
133+
134+
req.Method = "GET";
135+
req.Accept = "application/json";
136+
req.Headers.Add(HttpRequestHeader.Authorization, "Bearer FAKE_TOKEN");
137+
req.AllowAutoRedirect = false;
138+
139+
using (HttpWebResponse response = req.GetResponse() as HttpWebResponse)
140+
{
141+
}
142+
return StatusCode(201); // System.Net.HttpStatusCode.Created
143+
}
144+
}
145+
146+
// NOTES: test cases where the authorization header is set using
147+
// a simple key-value assignment expression where the key is a constant with
148+
// a case-insensitive text "Authorization".
149+
//
150+
// Example:
151+
//
152+
// req.Headers[AuthorizationHeaderName] = token;
153+
// req.Headers[Constants.AuthHeaderName] = token;
154+
//
155+
// Not supported:
156+
//
157+
// req.Headers[this.Config["AuthHeader"]] = token;
158+
159+
public class Test4Controller : Controller
160+
{
161+
public async Task<string> DownloadDataFrom(string subdomain)
162+
{
163+
string result = string.Empty;
164+
var uri = new Uri($"http://{subdomain}.contoso.com/api/getdata");
165+
166+
HttpWebRequest req = (HttpWebRequest)HttpWebRequest.Create(uri);
167+
168+
req.Method = "GET";
169+
req.ContentType = "application/json";
170+
req.Headers[Constants.AuthHeaderName] = "Bearer FAKE_TOKEN";
171+
172+
using (WebResponse res = req.GetResponse())
173+
{
174+
if (res != null)
175+
{
176+
using (Stream stream = res.GetResponseStream())
177+
{
178+
using (StreamReader reader = new StreamReader(stream, Encoding.UTF8))
179+
{
180+
result = reader.ReadToEnd();
181+
}
182+
}
183+
}
184+
}
185+
186+
return result;
187+
}
188+
189+
public static class Constants
190+
{
191+
public const string AuthHeaderName = "Authorization";
192+
}
193+
}
194+
195+
// NOTES: test cases where the authorization header is set using
196+
// an explicit setter inherited from the headers collection. In this case, the
197+
// name of the property must match "Authorization".
198+
//
199+
// Example:
200+
//
201+
// req.Headers.Authorization = token;
202+
203+
public class Test5Controller : Controller
204+
{
205+
// private static readonly HttpClient Client = new HttpClient();
206+
207+
public async Task<string> DownloadDataFrom(string subdomain)
208+
{
209+
// TODO fix
210+
// var req = new HttpRequestMessage(HttpMethod.Get, "https://" + subdomain + ".contoso.com/api/getdata");
211+
// req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", "FAKE_TOKEN");
212+
// return await Client.SendAsync(req);
213+
string result = string.Empty;
214+
var uri = new Uri($"http://{subdomain}.contoso.com/api/getdata");
215+
216+
HttpWebRequest req = (HttpWebRequest)HttpWebRequest.Create(uri);
217+
218+
req.Method = "GET";
219+
req.ContentType = "application/json";
220+
req.Headers["Authorization"] = "Bearer FAKE_TOKEN";
221+
222+
using (WebResponse res = req.GetResponse())
223+
{
224+
if (res != null)
225+
{
226+
using (Stream stream = res.GetResponseStream())
227+
{
228+
using (StreamReader reader = new StreamReader(stream, Encoding.UTF8))
229+
{
230+
result = reader.ReadToEnd();
231+
}
232+
}
233+
}
234+
}
235+
236+
return result;
237+
}
238+
}
239+
}
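Review bot: In `Test3Controller.Create` the `string.Format` call passes the literal `"CultureInfo.CurrentCulture"` as the format string, so the URL template, `hostServerName`, `tenantId` and `apiVersion` are all discarded and `WebRequest.CreateHttp` receives the fixed text `CultureInfo.CurrentCulture`; the tainted value never reaches the sink, which matches the expected output containing no result for that controller, so the constant-key `Headers.Add(HttpRequestHeader.Authorization, ...)` case is effectively untested. The intended call is `string.Format(CultureInfo.CurrentCulture, "https://{0}/{1}/something?api-version={2}", hostServerName, tenantId, apiVersion)` with `using System.Globalization;` added, after which the `// TODO fix` marker can go and the `.expected` file should gain a result at that line. Similarly, `Test5Controller` is documented as covering `req.Headers.Authorization = token` but its body sets `req.Headers["Authorization"]`, duplicating `Test1Controller`; the commented-out `HttpRequestMessage`/`AuthenticationHeaderValue` variant is the case the comment describes. The `async Task<string>` methods contain no `await` and will produce CS1998 warnings; dropping `async` or using `req.GetResponseAsync()` would avoid that.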
