Closed kyleherzog closed 6 years ago
Confirmed bug. Add the IsLocalUrl to the acceptable cleanse methods for SEC0109.
This will be addressed using a new code block analyzer for taint analysis within a block of code.
Same bug appears to apply to SEC110, which is a Web Forms redirect.
Perfect, we'll make sure both rules are fixable using the code suggestions. For now, you can suppress them by right-clicking the warning and adding them to the suppression file.
In VS2017 SEC0109 is being raised with the following example code, which pretty much mirrors what the documentation says to do to fix it.
Confirmed this is fixed in 2.0 using the new code block analyzer. The method must be invoked on the tainted variable inside the same code block. The analyzers are not smart enough to trace this through multiple method calls.
> Same bug appears to apply to SEC110, which is a Web Forms redirect.

The issue was also corrected by the code block analyzer. This code does not get flagged in the 2.0+ version of the analyzers:
```csharp
Uri uri;
// Tainted value: read straight from the request
string url = Request.QueryString["returnUrl"];
// Validation happens in the same code block as the redirect,
// which is what the 2.0+ code block analyzer looks for
if (Uri.TryCreate(url, UriKind.Relative, out uri))
{
    Response.Redirect(url);
}
```
> In VS2017 SEC0109 is being raised with the following example code, which pretty much mirrors what the documentation says to do to fix it.
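The same-block requirement described above for SEC0109, shown on the MVC side with the `IsLocalUrl` cleanse method. This is an added example, not code from the issue or from the analyzer project; `AccountController`, `returnUrl` and `SafeReturnUrl` are illustrative names.

```csharp
using System.Web.Mvc;

// Added example (not from the issue thread or the analyzer project).
// Assumes an ASP.NET MVC controller; names below are illustrative.
public class AccountController : Controller
{
    // Pattern the analyzer documentation recommends: the cleanse method
    // (Url.IsLocalUrl) is called on the tainted value in the same code
    // block as the redirect, so the 2.0+ code block analyzer sees the check.
    [HttpPost]
    public ActionResult Login(string returnUrl)
    {
        string url = returnUrl;  // tainted: comes straight from the request
        if (!string.IsNullOrEmpty(url) && Url.IsLocalUrl(url))
        {
            return Redirect(url);  // not flagged: validated in this block
        }
        return RedirectToAction("Index", "Home");
    }

    // Same validation, but hidden behind a helper method. The analyzer does
    // not trace taint through method calls, so this redirect is still
    // reported as SEC0109 even though the value has been checked.
    [HttpPost]
    public ActionResult LoginViaHelper(string returnUrl)
    {
        return Redirect(SafeReturnUrl(returnUrl));
    }

    private string SafeReturnUrl(string candidate)
    {
        return (!string.IsNullOrEmpty(candidate) && Url.IsLocalUrl(candidate))
            ? candidate
            : Url.Action("Index", "Home");
    }
}
```

If the helper form is preferred, the warning has to be suppressed as described earlier in the thread, since the analyzer cannot see the check from the call site.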