Csharp: fix cs/web/missing-x-frame-options to also consider location elements

redsun82 · redsun82 · commit c3fd06c8a4ac · 2025-10-17T11:27:31.000+02:00
As explained in https://learn.microsoft.com/en-us/previous-versions/aspnet/ms178692(v=vs.100), it is possible to add `system.webServer` elements nested inside `location` elements in `Web.config`.
diff --git a/csharp/ql/src/Security Features/CWE-451/MissingXFrameOptions.ql b/csharp/ql/src/Security Features/CWE-451/MissingXFrameOptions.ql
@@ -30,13 +30,16 @@ predicate hasWebConfigXFrameOptions(WebConfigXml webConfig) {
   //   </httpProtocol>
   // </system.webServer>
   // ```
-  webConfig
-      .getARootElement()
-      .getAChild("system.webServer")
-      .getAChild("httpProtocol")
-      .getAChild("customHeaders")
-      .getAChild("add")
-      .getAttributeValue("name") = "X-Frame-Options"
+  // This can also be in a `location`
+  exists(XmlElement root |
+    root = webConfig.getARootElement() and
+    [root, root.getAChild("location")]
+        .getAChild("system.webServer")
+        .getAChild("httpProtocol")
+        .getAChild("customHeaders")
+        .getAChild("add")
+        .getAttributeValue("name") = "X-Frame-Options"
+  )
 }
 
 /**
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-451/MissingXFrameOptions/WebConfigAddedHeaderInLocation/MissingXFrameOptions.cs b/csharp/ql/test/query-tests/Security Features/CWE-451/MissingXFrameOptions/WebConfigAddedHeaderInLocation/MissingXFrameOptions.cs
@@ -0,0 +1,18 @@
+using System;
+using System.Web;
+
+public class AddXFrameOptions : IHttpHandler
+{
+
+    public void ProcessRequest(HttpContext ctx)
+    {
+    }
+
+    public bool IsReusable
+    {
+        get
+        {
+            return true;
+        }
+    }
+}
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-451/MissingXFrameOptions/WebConfigAddedHeaderInLocation/MissingXFrameOptions.expected b/csharp/ql/test/query-tests/Security Features/CWE-451/MissingXFrameOptions/WebConfigAddedHeaderInLocation/MissingXFrameOptions.expected
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-451/MissingXFrameOptions/WebConfigAddedHeaderInLocation/MissingXFrameOptions.qlref b/csharp/ql/test/query-tests/Security Features/CWE-451/MissingXFrameOptions/WebConfigAddedHeaderInLocation/MissingXFrameOptions.qlref
@@ -0,0 +1 @@
+Security Features/CWE-451/MissingXFrameOptions.ql
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-451/MissingXFrameOptions/WebConfigAddedHeaderInLocation/Web.config b/csharp/ql/test/query-tests/Security Features/CWE-451/MissingXFrameOptions/WebConfigAddedHeaderInLocation/Web.config
@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<configuration>
+  <location path="." inheritInChildApplications="false">
+    <system.webServer>
+      <httpProtocol>
+        <customHeaders>
+          <add name="X-Frame-Options" value="SAMEORIGIN" />
+        </customHeaders>
+      </httpProtocol>
+    </system.webServer>
+  </location>
+</configuration>
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-451/MissingXFrameOptions/WebConfigAddedHeaderInLocation/options b/csharp/ql/test/query-tests/Security Features/CWE-451/MissingXFrameOptions/WebConfigAddedHeaderInLocation/options
@@ -0,0 +1,3 @@
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
+semmle-extractor-options: ${testdir}/../../../../../resources/stubs/System.Web.cs

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+Security Features/CWE-451/MissingXFrameOptions.ql`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+semmle-extractor-options: /nostdlib /noconfig`
	`2`	`+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj`
	`3`	`+semmle-extractor-options: ${testdir}/../../../../../resources/stubs/System.Web.cs`