codeql icon indicating copy to clipboard operation
codeql copied to clipboard
verified publisher icon github

No support of .net minimal Api

Open feitzi opened this issue 3 years ago • 6 comments

It looks like codeql doesn't support .net minimalApi.

I created a sample project to describe this issue.

In this project I have two redirect methods, they to the same. One with Controllers and one with minimalApi. Both have no user validation and should trigger a security warning. But I only get a warning for the controller action, the minimalApi action will be ignored by codeq

Bad MinimalApi Action

app.MapGet("/minimalApi/redirect/{newUrl}",(string newUrl) => Results.Redirect(newUrl));

Bad Controller Action

   [HttpGet(Name = "Redirect")]
    public IActionResult Get(string newURl) {
       return Redirect(newURl);
    }

Code Scanning Alerts

With that code i get the following alerts: image

Problem

The alert for the bad minimalApi action is missing! So its seems like graphql doesn't understand .net minimalApi.

feitzi avatar Jul 16 '22 09:07 feitzi

I am not able to access the repos and can't see the full context in the code, but my guess is the following. (1) All input parameters to controller actions are considered remote flow sources, which is why the you get the alert of the Bad Controller Action. (2) The method MapGet is from a third party library, where the source code is not included in the project you are analyzing. There doesn't exist a flow summary or any other handwritten QL code for MapGet which will identify flow to sinks in the body of the delegate/func (ie. this is not supported).

michaelnebel avatar Jul 19 '22 05:07 michaelnebel

Sorry, the visibility was wrong. Now you should have access to the repo. And no, the MapGet is not from a third party library. This is .Net 6 stuff, no third party library involved. MinimalApi is the new way to be used in new projects according to Microsoft. Link For us, this is a big problem. Our project uses MinimalApi, and we want to use AdvancedSecurity, but CodeQl currently can't find any issues about MinimalApi.

feitzi avatar Jul 19 '22 06:07 feitzi

Sorry, the visibility was wrong. Now you should have access to the repo. And no, the MapGet is not from a third party library. This is .Net 6 stuff, no third party library involved. MinimalApi is the new way to be used in new projects according to Microsoft. Link For us, this is a big problem. Our project uses MinimalApi, and we want to use AdvancedSecurity, but CodeQl currently can't find any issues about MinimalApi.

Ah, sorry for the misconception from my side. By "third party library" I mean any library (including the .NET standard library and ASP.NET). The important bit (or reason for this not working) is that the source code of MapGet is not included in the analysis itself. I will open an internal issue for this.

michaelnebel avatar Jul 19 '22 06:07 michaelnebel

Thank you! Is there a possibility that codeql will support that in near future?

feitzi avatar Jul 21 '22 18:07 feitzi

Thank you! Is there a possibility that codeql will support that in near future?

It depends whether it will be prioritized compared other work that needs to be undertaken.

michaelnebel avatar Jul 22 '22 07:07 michaelnebel

https://docs.microsoft.com/en-us/aspnet/core/fundamentals/routing?view=aspnetcore-6.0 documents how routing works in AspNetCore 6. Adding support for MapGet, in particular, should be rather straightforward.

hvitved avatar Aug 03 '22 08:08 hvitved

@michaelnebel any news to that topic?

feitzi avatar Feb 26 '24 20:02 feitzi

@michaelnebel any news to that topic?

We forgot to close the issue. It was fixed in August 2022: https://github.com/github/codeql/pull/10050 Closing the issue now.

michaelnebel avatar Feb 27 '24 08:02 michaelnebel