// semmle-extractor-options: /r:${testdir}/../../../../resources/assemblies/System.Web.dll /r:${testdir}/../../../../resources/assemblies/System.Web.Mvc.dll /r:System.Collections.Specialized.dll /r:${testdir}/../../../../resources/assemblies/System.Net.Http.dll
using System;
using System.Net;
using System.Net.Http;
using System.Text;
using System.Web;
using System.Web.Mvc;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Collections.Specialized;
namespace Test
{
// Analyzer test fixture for reflected/stored cross-site scripting.
// Each method pairs an untrusted source (a request query string or a
// control's Text property) with a sink; the "BAD" / "GOOD" markers in the
// method bodies appear to label which lines the XSS query is expected to
// report and which it must stay silent on (presumably matched by source
// position, so the statements are kept as they are).
// Nothing here is meant to run: the control fields are never assigned and
// HttpListener.GetContext() would block waiting for a real request.
class XSS
{
    // Web Forms controls used as sources/sinks below; never initialised in this file.
    TextBox categoryTextBox;
    Calendar calendar;
    Table table;
    Label label;
    // Not referenced anywhere in this file.
    string connectionString;
    // Public so the attribute-encoding case in HtmlEncoded() has a control to write to.
    public Button button;

    // Source: TextBox.Text. Sinks: Calendar.Caption, Table.Caption, Label.Text.
    // The tainted value is amended via AppendFormat before reaching the sinks,
    // so the query has to follow taint through StringBuilder.
    public void WebUIXSS()
    {
        // BAD: Reading from textbox, then writing an amended value to a control that does not HTML encode
        StringBuilder userInput = new StringBuilder();
        userInput.AppendFormat("{0} test", categoryTextBox.Text);
        calendar.Caption = userInput.ToString();
        table.Caption = userInput.ToString();
        label.Text = userInput.ToString();
        // GOOD: Reading from textbox, then writing an amended value to a control that does HTML encode
        // (TextBox renders its Text attribute-encoded, so markup cannot break out of it)
        categoryTextBox.Text = userInput.ToString();
    }

    // Source: HttpRequest.QueryString. Sink: HttpResponse.Write.
    // The second half shows the expected remediation: HtmlEncode at the
    // point of output, in the output context (HTML body).
    public void processRequest(HttpContext context)
    {
        // BAD: Read user input from a request, write it straight to a response
        string name = context.Request.QueryString["name"];
        context.Response.Write(name);
        // GOOD: Read user input from a request, but encode it before writing to the response
        string name2 = context.Request.QueryString["name"];
        name2 = HttpUtility.HtmlEncode(name2);
        context.Response.Write(name2);
    }

    // Parsing to an int is a sanitizer for XSS purposes: count.ToString()
    // can only yield digits and a sign, so no markup reaches the response.
    // Note that int.Parse throws (FormatException/OverflowException, or
    // ArgumentNullException when "count" is absent); that is a robustness
    // issue, not an injection one, and outside what this fixture tests.
    public void processNumber(HttpContext context)
    {
        // GOOD: Read user input from a request, but parse it
        string stringCount = context.Request.QueryString["count"];
        int count = int.Parse(stringCount);
        context.Response.Write(count.ToString());
    }

    // Source: Request.Unvalidated (bypasses ASP.NET request validation).
    // Sink: HtmlHelper.Raw, which marks the string as already-encoded HTML.
    // The HtmlHelper is built with null arguments purely to create the call
    // site; presumably this would throw if actually executed.
    public void mvcProcess(HttpContext context)
    {
        // BAD: Mimic what happens in cshtml pages
        string name = context.Request.Unvalidated.QueryString["name"];
        HtmlHelper html = new HtmlHelper(null, null);
        html.Raw(name);
    }

    // Sink: the raw OutputStream of an HttpListenerResponse. Bytes written
    // here go to the client unencoded; the ASCII encoding does not help
    // (it only replaces non-ASCII characters, not markup characters).
    public void listener(HttpContext context)
    {
        // BAD: Writing user input directly to a HttpListenerResponse
        string name = context.Request.Unvalidated.QueryString["name"];
        HttpListener listener = new HttpListener();
        HttpListenerContext listenerContext = listener.GetContext();
        byte[] data = Encoding.ASCII.GetBytes(name);
        listenerContext.Response.OutputStream.Write(data, 0, data.Length);
    }

    // Same as processRequest but through the abstract HttpContextBase /
    // HttpRequestBase / HttpResponseBase types used by MVC. The second case
    // uses the request indexer, which (per the System.Web API) looks up the
    // key across query string, form, cookies and server variables.
    public void contextBase(HttpContextBase context)
    {
        // BAD: Writing user input directly to an HttpResponseBase
        string name = context.Request.QueryString["name"];
        context.Response.Write(name);
        // BAD: Writing user input directly to an HttpResponseBase via the request indexer
        string name2 = context.Request["name"];
        context.Response.Write(name2);
    }

    // Sinks: constructors of IHtmlString implementations. Wrapping a value in
    // HtmlString / MvcHtmlString tells Razor and MVC helpers that it is safe
    // HTML and must not be encoded again, so an unencoded user value here is
    // emitted verbatim wherever the string is rendered. The results are
    // discarded; only the constructor calls matter to the query.
    public void htmlStrings(HttpContextBase context)
    {
        // BAD: Writing user input into a HtmlString without encoding
        string name = context.Request.QueryString["name"];
        new HtmlString(name);
        new MvcHtmlString(name);
        new MyHtmlString(context.Request);
    }

    // Sink: StringContent, i.e. the body of an outgoing HTTP message.
    public void WebContent(HttpContextBase context)
    {
        // BAD: Writing user input into a StringContent without encoding
        string name = context.Request.QueryString["name"];
        new StringContent(name);
    }

    // Two GOOD cases: explicit HtmlEncode before the StringContent sink, and
    // a WebControl attribute, which the file treats as encoded implicitly
    // (Web Forms attribute-encodes AttributeCollection values when rendering).
    public void HtmlEncoded(HttpContextBase context)
    {
        // GOOD: HTML encoding
        string name = context.Request.QueryString["name"];
        new StringContent(HttpUtility.HtmlEncode(name));
        // GOOD: Implicit HTML encoding
        string html = context.Request.QueryString["html"];
        button.Attributes.Add("data-href", html);
    }

    // GOOD because UrlEncode percent-encodes '<', '>', '"' and '&', so no
    // HTML-significant character survives; it is still the wrong encoder for
    // an HTML body context in real code (use it for URL components only).
    public void UrlEncoded(HttpContextBase context)
    {
        // GOOD: URL encoding
        string name = context.Request.QueryString["name"];
        new StringContent(HttpUtility.UrlEncode(name));
    }
}
// Fixture for a Page-derived class. The interesting sink (returning
// Request.QueryString from a method on a Page) is commented out because,
// as the original note says, exercising it would put local file paths into
// the expected results; what remains is a constant return and an unused
// property, so the query should report nothing here.
class XSSPage : Page
{
    string someJavascript()
    {
        // actually testing this sink involves putting local paths into the results
        //return Request.QueryString["yolo"];
        return "someJavascript";
    }

    // Not referenced anywhere in this file.
    private string Field { get; set; }
}
// A user-defined IHtmlString whose ToHtmlString() returns the raw request
// URL unencoded. Implementing IHtmlString asserts "this is already safe
// HTML", so anything rendering it (Razor, MVC helpers) will skip encoding;
// combined with an attacker-controlled RawUrl this is an XSS sink, which is
// why htmlStrings() in the XSS class constructs one from the request.
class MyHtmlString : IHtmlString
{
    // The request whose RawUrl is echoed; set once in the constructor.
    private HttpRequestBase Request { get; set; }

    public MyHtmlString(HttpRequestBase request)
    {
        this.Request = request;
    }

    // Returns the unencoded raw URL (path + query as sent by the client).
    public string ToHtmlString()
    {
        return Request.RawUrl;
    }
}
}