using System;
using System.IO;
using System.Web;
using System.Data;
using System.Data.SqlClient;
using System.Net;
using System.Web.UI.WebControls;
/// <summary>
/// Example inputs for the "inappropriate encoding" check: each method pairs a
/// sink (SQL query text, HTML output, redirect URL) with values encoded for the
/// wrong context ("BAD") and values whose final encoding matches the sink ("GOOD").
/// Only the encoding applied last matters, because that is the form the sink
/// actually receives; an inner encoding for another context does not help.
/// </summary>
public class InappropriateEncoding
{
    /// <summary>
    /// Builds the same product query twice from <paramref name="value"/>: once by
    /// splicing the value into the SQL text, once with a bound parameter.
    /// </summary>
    /// <param name="value">Untrusted category name; only double quotes are escaped by <see cref="Encode"/>.</param>
    public void Sql(string value)
    {
        // Encode only backslash-escapes double quotes (see Encode below). It does not
        // touch the single quote that delimits the literal in query1, so the value is
        // not made safe for SQL text.
        var encodedValue = Encode(value);
        // The empty connection string is a placeholder for the example.
        using (var connection = new SqlConnection(""))
        {
            var query1 = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + encodedValue + "' ORDER BY PRICE";
            // BAD: the value is concatenated into the query; the quote escaping applied
            // above is for a different context and leaves the statement injectable.
            var adapter = new SqlDataAdapter(query1, connection);
            var query2 = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY=@category ORDER BY PRICE";
            // GOOD: the value travels as a parameter, so the SQL text never contains it.
            // (The first adapter is simply replaced here and never executed.)
            adapter = new SqlDataAdapter(query2, connection);
            // The parameter still carries the Encode()-altered string, so a category
            // containing a double quote would not match the stored value; the
            // escaping is unnecessary on this path.
            var parameter = new SqlParameter("category", encodedValue);
            adapter.SelectCommand.Parameters.Add(parameter);
        }
    }
    /// <summary>
    /// Writes <paramref name="value"/> into HTML text, an HTML attribute and inline
    /// markup using several encodings; only the encoding applied last before the
    /// sink decides whether the output is safe.
    /// </summary>
    /// <param name="value">Untrusted text to display.</param>
    /// <param name="label">Web Forms label whose Text is emitted into the page as-is.</param>
    /// <param name="html">Element that receives the value as an attribute.</param>
    public void Html(string value, Label label, System.Windows.Forms.HtmlElement html)
    {
        // BAD
        // Encode only escapes double quotes, which is not HTML encoding: '<' and '>'
        // reach the page unchanged.
        label.Text = Encode(value);
        // URL encoding is the wrong transformation for HTML text: it rewrites the
        // content ('+' for spaces, %xx sequences) instead of applying HTML escaping.
        label.Text = HttpUtility.UrlEncode(value);
        // Encodings nest inside-out; URL encoding is outermost here, so the label
        // receives URL-encoded rather than HTML-encoded text.
        label.Text = HttpUtility.UrlEncode(HttpUtility.HtmlEncode(value));
        var encodedValue = HttpUtility.UrlEncode(value);
        // A URL-encoded value used as an attribute value and inside <img> markup:
        // the sink is HTML in all three cases, so attribute/element encoding was
        // the required last step.
        html.SetAttribute("a", encodedValue);
        label.Text = "<img src=\"" + encodedValue + "\" />";
        label.Text = string.Format("<img src=\"{0}\" />", encodedValue);
        // GOOD
        // HTML encoding matches the label's HTML text context.
        label.Text = HttpUtility.HtmlEncode(value);
        // Same nesting as the BAD case above but reversed: HTML encoding is outermost.
        label.Text = HttpUtility.HtmlEncode(HttpUtility.UrlEncode(value));
        // Attribute encoding applied last (on top of the earlier URL encoding), so
        // the attribute and markup sinks get an attribute-encoded string.
        encodedValue = HttpUtility.HtmlAttributeEncode(encodedValue);
        html.SetAttribute("a", encodedValue);
        label.Text = "<img src=\"" + encodedValue + "\" />";
        label.Text = string.Format("<img src=\"{0}\" />", encodedValue);
        // HTML encoding applied last. This re-encodes the already attribute-encoded
        // string, so the rendered text is double-encoded; the final encoding still
        // matches the sink, which is the property the example demonstrates.
        encodedValue = HttpUtility.HtmlEncode(encodedValue);
        html.SetAttribute("a", encodedValue);
        label.Text = "<img src=\"" + encodedValue + "\" />";
        label.Text = string.Format("<img src=\"{0}\" />", encodedValue);
    }
    /// <summary>
    /// Redirects to <paramref name="value"/> after encoding it; HTML encoding is the
    /// wrong form for a URL, URL encoding the right one.
    /// </summary>
    /// <param name="value">Untrusted redirect target.</param>
    /// <param name="util">Server utility whose UrlEncode is one of the accepted encoders.</param>
    /// <param name="ctx">Request context whose response is redirected.</param>
    public void Url(string value, HttpServerUtility util, HttpContext ctx)
    {
        // BAD
        // HTML entities (&lt;, &quot;, ...) have no meaning in a URL; the redirect
        // target is effectively unencoded for its context.
        var encodedValue = HttpUtility.HtmlEncode(value);
        ctx.Response.Redirect(encodedValue);
        // GOOD
        // URL encoding is applied last, so the value reaches the Location header in
        // URL form. The example treats the three encoders below as equivalent.
        // NOTE(review): encoding does not validate where the redirect goes; if value is
        // request-controlled, the destination still needs an allow-list check before
        // Redirect is called. UrlEncode also escapes the whole string as a single URL
        // component (path separators included), so these lines show the encoding
        // rule only, not a complete redirect implementation.
        ctx.Response.Redirect(HttpUtility.UrlEncode(encodedValue));
        ctx.Response.Redirect(util.UrlEncode(encodedValue));
        ctx.Response.Redirect(WebUtility.UrlEncode(encodedValue));
    }
    // Escapes double quotes with a backslash and nothing else. This is neither SQL,
    // HTML nor URL encoding, which is why its output is "BAD" at every sink above.
    static string Encode(string value)
    {
        return value.Replace("\"", "\\\"");
    }
}