github · egregius313 · Dec 19, 2024 · Dec 19, 2024 · Dec 19, 2024 · Dec 19, 2024
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added sink models for `NagivationManager::NavigateTo` and summaries for methods for adding query parameters to a URI using `NavigationManager`. The `cs/web/unvalidated-url-redirection` query is now more aware of URL redirection in Blazor.
@@ -3,16 +3,21 @@ extensions:
       pack: codeql/csharp-all
       extensible: sourceModel
     data:
-      - ["Microsoft.AspNetCore.Components", "NagivationManager", True, "get_BaseUri", "", "", "ReturnValue", "remote", "manual"]
-      - ["Microsoft.AspNetCore.Components", "NagivationManager", True, "get_Uri", "", "", "ReturnValue", "remote", "manual"]
+      - ["Microsoft.AspNetCore.Components", "NavigationManager", True, "get_BaseUri", "", "", "ReturnValue", "remote", "manual"]
+      - ["Microsoft.AspNetCore.Components", "NavigationManager", True, "get_Uri", "", "", "ReturnValue", "remote", "manual"]
   - addsTo:
       pack: codeql/csharp-all
       extensible: summaryModel
     data:
-      - ["Microsoft.AspNetCore.Components", "NagivationManager", True, "ToAbsoluteUri", "(System.String)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["Microsoft.AspNetCore.Components", "NavigationManager", True, "ToAbsoluteUri", "(System.String)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["Microsoft.AspNetCore.Components", "NavigationManagerExtensions", True, "GetUriWithQueryParameter", "", "", "Argument[1..2]", "ReturnValue", "taint", "manual"]
+      - ["Microsoft.AspNetCore.Components", "NavigationManagerExtensions", True, "GetUriWithQueryParameters", "", "", "Argument[1].Element.Property[System.Collections.Generic.KeyValuePair`2.Key]", "ReturnValue", "taint", "manual"]
+      - ["Microsoft.AspNetCore.Components", "NavigationManagerExtensions", True, "GetUriWithQueryParameters", "", "", "Argument[1].Element.Property[System.Collections.Generic.KeyValuePair`2.Value]", "ReturnValue", "taint", "manual"]
   - addsTo:
       pack: codeql/csharp-all
       extensible: sinkModel
     data:
       - ["Microsoft.AspNetCore.Components", "MarkupString", False, "MarkupString", "(System.String)", "", "Argument[0]", "html-injection", "manual"]
       - ["Microsoft.AspNetCore.Components", "MarkupString", False, "op_Explicit", "(System.String)", "", "Argument[0]", "html-injection", "manual"]
+      - ["Microsoft.AspNetCore.Components", "NavigationManager", True, "NavigateTo", "", "", "Argument[0]", "url-redirection", "manual"]
+      - ["Microsoft.AspNetCore.Components", "NavigationManager", True, "NavigateToCore", "", "", "Argument[0]", "url-redirection", "manual"]
@@ -90,6 +90,8 @@ source
 | Dapper;SqlMapper;QuerySingleOrDefaultAsync;(System.Data.IDbConnection,System.Type,System.String,System.Object,System.Data.IDbTransaction,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>);ReturnValue;database;manual |
 | Dapper;SqlMapper;QuerySingleOrDefaultAsync<T>;(System.Data.IDbConnection,Dapper.CommandDefinition);ReturnValue;database;manual |
 | Dapper;SqlMapper;QuerySingleOrDefaultAsync<T>;(System.Data.IDbConnection,System.String,System.Object,System.Data.IDbTransaction,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>);ReturnValue;database;manual |
+| Microsoft.AspNetCore.Components;NavigationManager;get_BaseUri;();ReturnValue;remote;manual |
+| Microsoft.AspNetCore.Components;NavigationManager;get_Uri;();ReturnValue;remote;manual |
 | Microsoft.Extensions.Configuration.UserSecrets;PathHelper;GetSecretsPathFromSecretsId;(System.String);ReturnValue;environment;df-generated |
 | Microsoft.Extensions.Configuration;EnvironmentVariablesExtensions;AddEnvironmentVariables;(Microsoft.Extensions.Configuration.IConfigurationBuilder);Argument[0];environment;manual |
 | Microsoft.Extensions.Configuration;EnvironmentVariablesExtensions;AddEnvironmentVariables;(Microsoft.Extensions.Configuration.IConfigurationBuilder);ReturnValue;environment;manual |
@@ -252,6 +254,11 @@ sink
 | Dapper;SqlMapper;QuerySingleOrDefaultAsync<T>;(System.Data.IDbConnection,System.String,System.Object,System.Data.IDbTransaction,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>);Argument[1];sql-injection;manual |
 | Microsoft.AspNetCore.Components;MarkupString;MarkupString;(System.String);Argument[0];html-injection;manual |
 | Microsoft.AspNetCore.Components;MarkupString;op_Explicit;(System.String);Argument[0];html-injection;manual |
+| Microsoft.AspNetCore.Components;NavigationManager;NavigateTo;(System.String,Microsoft.AspNetCore.Components.NavigationOptions);Argument[0];url-redirection;manual |
+| Microsoft.AspNetCore.Components;NavigationManager;NavigateTo;(System.String,System.Boolean);Argument[0];url-redirection;manual |
+| Microsoft.AspNetCore.Components;NavigationManager;NavigateTo;(System.String,System.Boolean,System.Boolean);Argument[0];url-redirection;manual |
+| Microsoft.AspNetCore.Components;NavigationManager;NavigateToCore;(System.String,Microsoft.AspNetCore.Components.NavigationOptions);Argument[0];url-redirection;manual |
+| Microsoft.AspNetCore.Components;NavigationManager;NavigateToCore;(System.String,System.Boolean);Argument[0];url-redirection;manual |
 | Microsoft.EntityFrameworkCore;RelationalDatabaseFacadeExtensions;ExecuteSqlRaw;(Microsoft.EntityFrameworkCore.Infrastructure.DatabaseFacade,System.String,System.Collections.Generic.IEnumerable<System.Object>);Argument[1];sql-injection;manual |
 | Microsoft.EntityFrameworkCore;RelationalDatabaseFacadeExtensions;ExecuteSqlRaw;(Microsoft.EntityFrameworkCore.Infrastructure.DatabaseFacade,System.String,System.Object[]);Argument[1];sql-injection;manual |
 | Microsoft.EntityFrameworkCore;RelationalDatabaseFacadeExtensions;ExecuteSqlRawAsync;(Microsoft.EntityFrameworkCore.Infrastructure.DatabaseFacade,System.String,System.Collections.Generic.IEnumerable<System.Object>,System.Threading.CancellationToken);Argument[1];sql-injection;manual |
@@ -1117,8 +1124,55 @@ summary
 | Microsoft.AspNetCore.Components;LayoutComponentBase;set_Body;(Microsoft.AspNetCore.Components.RenderFragment);Argument[0];Argument[0].Parameter[delegate-self];value;hq-generated |
 | Microsoft.AspNetCore.Components;LayoutView;set_ChildContent;(Microsoft.AspNetCore.Components.RenderFragment);Argument[0];Argument[0].Parameter[delegate-self];value;hq-generated |
 | Microsoft.AspNetCore.Components;NavigationManager;RegisterLocationChangingHandler;(System.Func<Microsoft.AspNetCore.Components.Routing.LocationChangingContext,System.Threading.Tasks.ValueTask>);Argument[0];Argument[0].Parameter[delegate-self];value;hq-generated |
+| Microsoft.AspNetCore.Components;NavigationManager;ToAbsoluteUri;(System.String);Argument[0];ReturnValue;taint;manual |
 | Microsoft.AspNetCore.Components;NavigationManager;add_LocationChanged;(System.EventHandler<Microsoft.AspNetCore.Components.Routing.LocationChangedEventArgs>);Argument[0];Argument[0].Parameter[delegate-self];value;hq-generated |
 | Microsoft.AspNetCore.Components;NavigationManager;remove_LocationChanged;(System.EventHandler<Microsoft.AspNetCore.Components.Routing.LocationChangedEventArgs>);Argument[0];Argument[0].Parameter[delegate-self];value;hq-generated |
+| Microsoft.AspNetCore.Components;NavigationManagerExtensions;GetUriWithQueryParameter;(Microsoft.AspNetCore.Components.NavigationManager,System.String,System.Boolean);Argument[1];ReturnValue;taint;manual |
+| Microsoft.AspNetCore.Components;NavigationManagerExtensions;GetUriWithQueryParameter;(Microsoft.AspNetCore.Components.NavigationManager,System.String,System.Boolean);Argument[2];ReturnValue;taint;manual |
+| Microsoft.AspNetCore.Components;NavigationManagerExtensions;GetUriWithQueryParameter;(Microsoft.AspNetCore.Components.NavigationManager,System.String,System.DateOnly);Argument[1];ReturnValue;taint;manual |
+| Microsoft.AspNetCore.Components;NavigationManagerExtensions;GetUriWithQueryParameter;(Microsoft.AspNetCore.Components.NavigationManager,System.String,System.DateOnly);Argument[2];ReturnValue;taint;manual |
+| Microsoft.AspNetCore.Components;NavigationManagerExtensions;GetUriWithQueryParameter;(Microsoft.AspNetCore.Components.NavigationManager,System.String,System.DateTime);Argument[1];ReturnValue;taint;manual |
+| Microsoft.AspNetCore.Components;NavigationManagerExtensions;GetUriWithQueryParameter;(Microsoft.AspNetCore.Components.NavigationManager,System.String,System.DateTime);Argument[2];ReturnValue;taint;manual |
+| Microsoft.AspNetCore.Components;NavigationManagerExtensions;GetUriWithQueryParameter;(Microsoft.AspNetCore.Components.NavigationManager,System.String,System.Decimal);Argument[1];ReturnValue;taint;manual |
+| Microsoft.AspNetCore.Components;NavigationManagerExtensions;GetUriWithQueryParameter;(Microsoft.AspNetCore.Components.NavigationManager,System.String,System.Decimal);Argument[2];ReturnValue;taint;manual |
+| Microsoft.AspNetCore.Components;NavigationManagerExtensions;GetUriWithQueryParameter;(Microsoft.AspNetCore.Components.NavigationManager,System.String,System.Double);Argument[1];ReturnValue;taint;manual |
+| Microsoft.AspNetCore.Components;NavigationManagerExtensions;GetUriWithQueryParameter;(Microsoft.AspNetCore.Components.NavigationManager,System.String,System.Double);Argument[2];ReturnValue;taint;manual |
+| Microsoft.AspNetCore.Components;NavigationManagerExtensions;GetUriWithQueryParameter;(Microsoft.AspNetCore.Components.NavigationManager,System.String,System.Guid);Argument[1];ReturnValue;taint;manual |
+| Microsoft.AspNetCore.Components;NavigationManagerExtensions;GetUriWithQueryParameter;(Microsoft.AspNetCore.Components.NavigationManager,System.String,System.Guid);Argument[2];ReturnValue;taint;manual |
+| Microsoft.AspNetCore.Components;NavigationManagerExtensions;GetUriWithQueryParameter;(Microsoft.AspNetCore.Components.NavigationManager,System.String,System.Int32);Argument[1];ReturnValue;taint;manual |
+| Microsoft.AspNetCore.Components;NavigationManagerExtensions;GetUriWithQueryParameter;(Microsoft.AspNetCore.Components.NavigationManager,System.String,System.Int32);Argument[2];ReturnValue;taint;manual |
+| Microsoft.AspNetCore.Components;NavigationManagerExtensions;GetUriWithQueryParameter;(Microsoft.AspNetCore.Components.NavigationManager,System.String,System.Int64);Argument[1];ReturnValue;taint;manual |
+| Microsoft.AspNetCore.Components;NavigationManagerExtensions;GetUriWithQueryParameter;(Microsoft.AspNetCore.Components.NavigationManager,System.String,System.Int64);Argument[2];ReturnValue;taint;manual |
+| Microsoft.AspNetCore.Components;NavigationManagerExtensions;GetUriWithQueryParameter;(Microsoft.AspNetCore.Components.NavigationManager,System.String,System.Nullable<System.Boolean>);Argument[1];ReturnValue;taint;manual |
+| Microsoft.AspNetCore.Components;NavigationManagerExtensions;GetUriWithQueryParameter;(Microsoft.AspNetCore.Components.NavigationManager,System.String,System.Nullable<System.Boolean>);Argument[2];ReturnValue;taint;manual |
+| Microsoft.AspNetCore.Components;NavigationManagerExtensions;GetUriWithQueryParameter;(Microsoft.AspNetCore.Components.NavigationManager,System.String,System.Nullable<System.DateOnly>);Argument[1];ReturnValue;taint;manual |
+| Microsoft.AspNetCore.Components;NavigationManagerExtensions;GetUriWithQueryParameter;(Microsoft.AspNetCore.Components.NavigationManager,System.String,System.Nullable<System.DateOnly>);Argument[2];ReturnValue;taint;manual |
+| Microsoft.AspNetCore.Components;NavigationManagerExtensions;GetUriWithQueryParameter;(Microsoft.AspNetCore.Components.NavigationManager,System.String,System.Nullable<System.DateTime>);Argument[1];ReturnValue;taint;manual |
+| Microsoft.AspNetCore.Components;NavigationManagerExtensions;GetUriWithQueryParameter;(Microsoft.AspNetCore.Components.NavigationManager,System.String,System.Nullable<System.DateTime>);Argument[2];ReturnValue;taint;manual |
+| Microsoft.AspNetCore.Components;NavigationManagerExtensions;GetUriWithQueryParameter;(Microsoft.AspNetCore.Components.NavigationManager,System.String,System.Nullable<System.Decimal>);Argument[1];ReturnValue;taint;manual |
+| Microsoft.AspNetCore.Components;NavigationManagerExtensions;GetUriWithQueryParameter;(Microsoft.AspNetCore.Components.NavigationManager,System.String,System.Nullable<System.Decimal>);Argument[2];ReturnValue;taint;manual |
+| Microsoft.AspNetCore.Components;NavigationManagerExtensions;GetUriWithQueryParameter;(Microsoft.AspNetCore.Components.NavigationManager,System.String,System.Nullable<System.Double>);Argument[1];ReturnValue;taint;manual |
+| Microsoft.AspNetCore.Components;NavigationManagerExtensions;GetUriWithQueryParameter;(Microsoft.AspNetCore.Components.NavigationManager,System.String,System.Nullable<System.Double>);Argument[2];ReturnValue;taint;manual |
+| Microsoft.AspNetCore.Components;NavigationManagerExtensions;GetUriWithQueryParameter;(Microsoft.AspNetCore.Components.NavigationManager,System.String,System.Nullable<System.Guid>);Argument[1];ReturnValue;taint;manual |
+| Microsoft.AspNetCore.Components;NavigationManagerExtensions;GetUriWithQueryParameter;(Microsoft.AspNetCore.Components.NavigationManager,System.String,System.Nullable<System.Guid>);Argument[2];ReturnValue;taint;manual |
+| Microsoft.AspNetCore.Components;NavigationManagerExtensions;GetUriWithQueryParameter;(Microsoft.AspNetCore.Components.NavigationManager,System.String,System.Nullable<System.Int32>);Argument[1];ReturnValue;taint;manual |
+| Microsoft.AspNetCore.Components;NavigationManagerExtensions;GetUriWithQueryParameter;(Microsoft.AspNetCore.Components.NavigationManager,System.String,System.Nullable<System.Int32>);Argument[2];ReturnValue;taint;manual |
+| Microsoft.AspNetCore.Components;NavigationManagerExtensions;GetUriWithQueryParameter;(Microsoft.AspNetCore.Components.NavigationManager,System.String,System.Nullable<System.Int64>);Argument[1];ReturnValue;taint;manual |
+| Microsoft.AspNetCore.Components;NavigationManagerExtensions;GetUriWithQueryParameter;(Microsoft.AspNetCore.Components.NavigationManager,System.String,System.Nullable<System.Int64>);Argument[2];ReturnValue;taint;manual |
+| Microsoft.AspNetCore.Components;NavigationManagerExtensions;GetUriWithQueryParameter;(Microsoft.AspNetCore.Components.NavigationManager,System.String,System.Nullable<System.Single>);Argument[1];ReturnValue;taint;manual |
+| Microsoft.AspNetCore.Components;NavigationManagerExtensions;GetUriWithQueryParameter;(Microsoft.AspNetCore.Components.NavigationManager,System.String,System.Nullable<System.Single>);Argument[2];ReturnValue;taint;manual |
+| Microsoft.AspNetCore.Components;NavigationManagerExtensions;GetUriWithQueryParameter;(Microsoft.AspNetCore.Components.NavigationManager,System.String,System.Nullable<System.TimeOnly>);Argument[1];ReturnValue;taint;manual |
+| Microsoft.AspNetCore.Components;NavigationManagerExtensions;GetUriWithQueryParameter;(Microsoft.AspNetCore.Components.NavigationManager,System.String,System.Nullable<System.TimeOnly>);Argument[2];ReturnValue;taint;manual |
+| Microsoft.AspNetCore.Components;NavigationManagerExtensions;GetUriWithQueryParameter;(Microsoft.AspNetCore.Components.NavigationManager,System.String,System.Single);Argument[1];ReturnValue;taint;manual |
+| Microsoft.AspNetCore.Components;NavigationManagerExtensions;GetUriWithQueryParameter;(Microsoft.AspNetCore.Components.NavigationManager,System.String,System.Single);Argument[2];ReturnValue;taint;manual |
+| Microsoft.AspNetCore.Components;NavigationManagerExtensions;GetUriWithQueryParameter;(Microsoft.AspNetCore.Components.NavigationManager,System.String,System.String);Argument[1];ReturnValue;taint;manual |
+| Microsoft.AspNetCore.Components;NavigationManagerExtensions;GetUriWithQueryParameter;(Microsoft.AspNetCore.Components.NavigationManager,System.String,System.String);Argument[2];ReturnValue;taint;manual |
+| Microsoft.AspNetCore.Components;NavigationManagerExtensions;GetUriWithQueryParameter;(Microsoft.AspNetCore.Components.NavigationManager,System.String,System.TimeOnly);Argument[1];ReturnValue;taint;manual |
+| Microsoft.AspNetCore.Components;NavigationManagerExtensions;GetUriWithQueryParameter;(Microsoft.AspNetCore.Components.NavigationManager,System.String,System.TimeOnly);Argument[2];ReturnValue;taint;manual |
+| Microsoft.AspNetCore.Components;NavigationManagerExtensions;GetUriWithQueryParameters;(Microsoft.AspNetCore.Components.NavigationManager,System.Collections.Generic.IReadOnlyDictionary<System.String,System.Object>);Argument[1].Element.Property[System.Collections.Generic.KeyValuePair`2.Key];ReturnValue;taint;manual |
+| Microsoft.AspNetCore.Components;NavigationManagerExtensions;GetUriWithQueryParameters;(Microsoft.AspNetCore.Components.NavigationManager,System.Collections.Generic.IReadOnlyDictionary<System.String,System.Object>);Argument[1].Element.Property[System.Collections.Generic.KeyValuePair`2.Value];ReturnValue;taint;manual |
+| Microsoft.AspNetCore.Components;NavigationManagerExtensions;GetUriWithQueryParameters;(Microsoft.AspNetCore.Components.NavigationManager,System.String,System.Collections.Generic.IReadOnlyDictionary<System.String,System.Object>);Argument[1].Element.Property[System.Collections.Generic.KeyValuePair`2.Key];ReturnValue;taint;manual |
+| Microsoft.AspNetCore.Components;NavigationManagerExtensions;GetUriWithQueryParameters;(Microsoft.AspNetCore.Components.NavigationManager,System.String,System.Collections.Generic.IReadOnlyDictionary<System.String,System.Object>);Argument[1].Element.Property[System.Collections.Generic.KeyValuePair`2.Value];ReturnValue;taint;manual |
 | Microsoft.AspNetCore.Components;PersistentComponentState;RegisterOnPersisting;(System.Func<System.Threading.Tasks.Task>);Argument[0];Argument[0].Parameter[delegate-self];value;hq-generated |
 | Microsoft.AspNetCore.Components;PersistentComponentState;RegisterOnPersisting;(System.Func<System.Threading.Tasks.Task>,Microsoft.AspNetCore.Components.IComponentRenderMode);Argument[0];Argument[0].Parameter[delegate-self];value;hq-generated |
 | Microsoft.AspNetCore.Components;RenderFragment;BeginInvoke;(Microsoft.AspNetCore.Components.Rendering.RenderTreeBuilder,System.AsyncCallback,System.Object);Argument[1];Argument[1].Parameter[delegate-self];value;hq-generated |