Skip to content

Update MaD for System.Web.HttpUtility #21299

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
LWSimpkins wants to merge 3 commits into
base: main
Choose a base branch
from
Open

Update MaD for System.Web.HttpUtility #21299

LWSimpkins wants to merge 3 commits into from
+16 −0

Conversation

@LWSimpkins
Copy link
Contributor

@LWSimpkins LWSimpkins commented Feb 9, 2026

Update MaD for C# related to SSRF and URL path traversal scenarios.

System.Web.HttpUtility UrlDecode Method

Update model to treat UrlDecode as a taint method. UrlEncode is already treated as a taint method.

Example:

var untrustedUrl = HttpUtility.UrlDecode(untrustedUrl_raw); // This was missing in MaD
var untrustedUrl_bytes = Convert.FromBase64String(untrustedUrl);
untrustedUrl = Encoding.UTF8.GetString(untrustedUrl_bytes); // untrustedUrl used later in SSRF

@LWSimpkins LWSimpkins requested a review from a team as a code owner February 9, 2026 22:12
Copilot AI review requested due to automatic review settings February 9, 2026 22:12
Copilot AI reviewed Feb 9, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the C# Models-as-Data (MaD) for System.Web.HttpUtility so that UrlDecode is treated as a taint-propagating method, improving dataflow tracking for SSRF and URL path traversal scenarios.

Changes:

  • Add taint-propagation summaries for System.Web.HttpUtility.UrlDecode overloads in the MaD YAML model.
  • Update library-test expected summary outputs to include the new UrlDecode entries.
  • Add a change note describing the modeling update.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

File Description
csharp/ql/lib/ext/System.Web.model.yml Adds summary model entries marking HttpUtility.UrlDecode overloads as taint-propagating.
csharp/ql/test/library-tests/dataflow/library/FlowSummaries.expected Updates expected library summary output to include UrlDecode taint flow.
csharp/ql/test/library-tests/dataflow/library/FlowSummariesFiltered.expected Updates filtered expected summary output similarly.
csharp/ql/lib/change-notes/2026-02-09-update-system.web.httputility-model.md Adds a change note for the modeling update (currently contains a namespace/type mistake).

@github-actions
Copy link
Contributor

github-actions bot commented Feb 9, 2026

⚠️ The head of this PR and the base branch were compared for differences in the framework coverage reports. The generated reports are available in the artifacts of this workflow run. The differences will be picked up by the nightly job after the PR gets merged.

Click to show differences in coverage

csharp

Generated file changes for csharp

  • Changes to framework-coverage-csharp.rst:
-    System,"``System.*``, ``System``",47,12491,59,5
+    System,"``System.*``, ``System``",47,12495,59,5
-    Totals,,107,14904,415,9
+    Totals,,107,14908,415,9
  • Changes to framework-coverage-csharp.csv:
- System,59,47,12491,,6,5,12,,,4,1,,31,2,,6,15,17,4,3,,6378,6113
+ System,59,47,12495,,6,5,12,,,4,1,,31,2,,6,15,17,4,3,,6382,6113

@LWSimpkins
Fix typo in change note
677949e 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@michaelnebel michaelnebel self-requested a review February 10, 2026 09:25
michaelnebel
michaelnebel reviewed Feb 10, 2026
View reviewed changes
Copy link
Contributor

@michaelnebel michaelnebel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you!
Lets run DCA before merging (I will start a DCA run now).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@michaelnebel michaelnebel michaelnebel left review comments

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

C# documentation

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@LWSimpkins @michaelnebel