
Adds CodeQL query to check for insecure RequestValidationMode in ASP.NET #5

@cldrn

Description


Report

ASP.NET applications ship with requestValidationMode enabled by default, as it consists of built-in validations that protect against code injection. It is not recommended to set it to any value other than 4.5, as doing so disables some or all of the protections for HTTP requests. This check belongs to the category CWE-016, which did not previously exist in QL and corresponds to common insecure configurations.

This issue is still commonly found in ASP.NET applications, and CVEs caused by it usually get labeled as code injection vulnerabilities:

CodeQL query PR: github/codeql#2356
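As an added illustration of the check the report describes (not the CodeQL query itself and not code from the submitter), the following Python script parses a web.config and reports every httpRuntime element whose requestValidationMode is explicitly set to something other than 4.5. The sample configs are constructed for this example.

```python
"""Check ASP.NET web.config content for an insecure requestValidationMode.

Constructed example mirroring the rule in the report above: only "4.5" keeps
all request-validation protections. This is not the CodeQL query.
"""
import xml.etree.ElementTree as ET

SAFE_MODE = "4.5"

# Constructed sample configs (not taken from any real application).
WEAK_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <httpRuntime targetFramework="4.5" requestValidationMode="2.0" />
  </system.web>
</configuration>
"""

SAFE_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <httpRuntime targetFramework="4.5" requestValidationMode="4.5" />
  </system.web>
</configuration>
"""

# No explicit attribute: ASP.NET keeps the default, so nothing to report.
DEFAULT_CONFIG = "<configuration><system.web><httpRuntime /></system.web></configuration>"


def find_insecure_request_validation(config_xml: str) -> list:
    """Return one finding per <httpRuntime> whose requestValidationMode is not 4.5.

    <location> blocks may carry their own <system.web>, so every httpRuntime
    element in the document is inspected, not just the first one.
    """
    root = ET.fromstring(config_xml)
    findings = []
    for runtime in root.iter("httpRuntime"):
        mode = runtime.get("requestValidationMode")
        if mode is None:
            continue  # attribute absent: the framework default applies
        if mode.strip() != SAFE_MODE:
            findings.append(
                f"httpRuntime requestValidationMode={mode!r}: request validation "
                f"is downgraded; set it to {SAFE_MODE} (CWE-016 insecure configuration)"
            )
    return findings


if __name__ == "__main__":
    for name, cfg in [("weak", WEAK_CONFIG), ("safe", SAFE_CONFIG), ("default", DEFAULT_CONFIG)]:
        print(name, find_insecure_request_validation(cfg) or "OK")
```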

Metadata


Labels

All For One: Submissions to the All for One, One for All bounty
Low: Bounty entry rated as Low
PR merged: CodeQL team just merged the contribution
Reviewed by the Lab 🧪: GH Security Lab has rated the contribution
