From a8885aeebd465ec65db7913b452d44a8179f9d00 Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Mon, 13 Jul 2026 15:18:38 +0200 Subject: [PATCH 1/3] C#: Remove the HttpRequest.RawUrl barrier model. --- csharp/ql/lib/ext/System.Web.model.yml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/csharp/ql/lib/ext/System.Web.model.yml b/csharp/ql/lib/ext/System.Web.model.yml index 63c539fbe5ec..9e24158bc092 100644 --- a/csharp/ql/lib/ext/System.Web.model.yml +++ b/csharp/ql/lib/ext/System.Web.model.yml @@ -1,10 +1,4 @@ extensions: - - addsTo: - pack: codeql/csharp-all - extensible: barrierModel - data: - # The RawUrl property is considered to be safe for URL redirects - - ["System.Web", "HttpRequest", False, "get_RawUrl", "()", "", "ReturnValue", "url-redirection", "manual"] - addsTo: pack: codeql/csharp-all extensible: sinkModel From 03e44f548fcc56c8ccf07cf4b489e8fb63f10c57 Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Mon, 13 Jul 2026 15:19:04 +0200 Subject: [PATCH 2/3] C#: Update test and expected output. --- .../Security Features/CWE-601/UrlRedirect/UrlRedirect.cs | 4 ++-- .../CWE-601/UrlRedirect/UrlRedirect.expected | 2 ++ 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/csharp/ql/test/query-tests/Security Features/CWE-601/UrlRedirect/UrlRedirect.cs b/csharp/ql/test/query-tests/Security Features/CWE-601/UrlRedirect/UrlRedirect.cs index 498b004505e3..efb190365337 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-601/UrlRedirect/UrlRedirect.cs +++ b/csharp/ql/test/query-tests/Security Features/CWE-601/UrlRedirect/UrlRedirect.cs @@ -38,8 +38,8 @@ public void ProcessRequest(HttpContext ctx) ctx.Response.AddHeader("Location", ctx.Request.QueryString["page"]); // $ Alert=r3 Alert=r3 ctx.Response.AppendHeader("Location", ctx.Request.QueryString["page"]); // $ Alert=r4 Alert=r4 - // GOOD: Redirecting to the RawUrl only reloads the current Url - ctx.Response.Redirect(ctx.Request.RawUrl); + // BAD: The RawUrl contains the un-normalized request line. + ctx.Response.Redirect(ctx.Request.RawUrl); // $ Alert // GOOD: The attacker can only control the parameters, not the location ctx.Response.Redirect("foo.asp?param=" + url); diff --git a/csharp/ql/test/query-tests/Security Features/CWE-601/UrlRedirect/UrlRedirect.expected b/csharp/ql/test/query-tests/Security Features/CWE-601/UrlRedirect/UrlRedirect.expected index e7fced7fde3f..b5ff8e88234a 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-601/UrlRedirect/UrlRedirect.expected +++ b/csharp/ql/test/query-tests/Security Features/CWE-601/UrlRedirect/UrlRedirect.expected @@ -3,6 +3,7 @@ | UrlRedirect.cs:13:31:13:61 | access to indexer | UrlRedirect.cs:13:31:13:53 | access to property QueryString : NameValueCollection | UrlRedirect.cs:13:31:13:61 | access to indexer | Untrusted URL redirection due to $@. | UrlRedirect.cs:13:31:13:53 | access to property QueryString | user-provided value | | UrlRedirect.cs:38:44:38:74 | access to indexer | UrlRedirect.cs:38:44:38:66 | access to property QueryString : NameValueCollection | UrlRedirect.cs:38:44:38:74 | access to indexer | Untrusted URL redirection due to $@. | UrlRedirect.cs:38:44:38:66 | access to property QueryString | user-provided value | | UrlRedirect.cs:39:47:39:77 | access to indexer | UrlRedirect.cs:39:47:39:69 | access to property QueryString : NameValueCollection | UrlRedirect.cs:39:47:39:77 | access to indexer | Untrusted URL redirection due to $@. | UrlRedirect.cs:39:47:39:69 | access to property QueryString | user-provided value | +| UrlRedirect.cs:42:31:42:48 | access to property RawUrl | UrlRedirect.cs:42:31:42:48 | access to property RawUrl | UrlRedirect.cs:42:31:42:48 | access to property RawUrl | Untrusted URL redirection due to $@. | UrlRedirect.cs:42:31:42:48 | access to property RawUrl | user-provided value | | UrlRedirect.cs:48:29:48:31 | access to local variable url | UrlRedirect.cs:23:22:23:44 | access to property QueryString : NameValueCollection | UrlRedirect.cs:48:29:48:31 | access to local variable url | Untrusted URL redirection due to $@. | UrlRedirect.cs:23:22:23:44 | access to property QueryString | user-provided value | | UrlRedirect.cs:64:31:64:52 | $"..." | UrlRedirect.cs:23:22:23:44 | access to property QueryString : NameValueCollection | UrlRedirect.cs:64:31:64:52 | $"..." | Untrusted URL redirection due to $@. | UrlRedirect.cs:23:22:23:44 | access to property QueryString | user-provided value | | UrlRedirect.cs:70:31:70:69 | call to method Format | UrlRedirect.cs:23:22:23:44 | access to property QueryString : NameValueCollection | UrlRedirect.cs:70:31:70:69 | call to method Format | Untrusted URL redirection due to $@. | UrlRedirect.cs:23:22:23:44 | access to property QueryString | user-provided value | @@ -66,6 +67,7 @@ nodes | UrlRedirect.cs:38:44:38:74 | access to indexer | semmle.label | access to indexer | | UrlRedirect.cs:39:47:39:69 | access to property QueryString : NameValueCollection | semmle.label | access to property QueryString : NameValueCollection | | UrlRedirect.cs:39:47:39:77 | access to indexer | semmle.label | access to indexer | +| UrlRedirect.cs:42:31:42:48 | access to property RawUrl | semmle.label | access to property RawUrl | | UrlRedirect.cs:48:29:48:31 | access to local variable url | semmle.label | access to local variable url | | UrlRedirect.cs:64:31:64:52 | $"..." | semmle.label | $"..." | | UrlRedirect.cs:70:31:70:69 | call to method Format | semmle.label | call to method Format | From ae06b778e5203ee3773b987c34bfa151bce6727a Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Mon, 13 Jul 2026 15:29:18 +0200 Subject: [PATCH 3/3] C#: Add change-note. --- csharp/ql/src/change-notes/2026-07-13-CWE-601.md | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 csharp/ql/src/change-notes/2026-07-13-CWE-601.md diff --git a/csharp/ql/src/change-notes/2026-07-13-CWE-601.md b/csharp/ql/src/change-notes/2026-07-13-CWE-601.md new file mode 100644 index 000000000000..237ee562a529 --- /dev/null +++ b/csharp/ql/src/change-notes/2026-07-13-CWE-601.md @@ -0,0 +1,4 @@ +--- +category: minorAnalysis +--- +* `System.Web.HttpRequest.RawUrl` is no longer treated as a sanitizer for `cs/web/unvalidated-url-redirection`, since it contains the un-normalized request line. This may lead to more results.