Skip to content

Update MaD for System.Web.HttpUtility#21299

Merged
michaelnebel merged 3 commits intogithub:mainfrom
microsoft:lwsimpkins/csharp-mad-httputility-upstream
Feb 11, 2026
Merged

Update MaD for System.Web.HttpUtility#21299
michaelnebel merged 3 commits intogithub:mainfrom
microsoft:lwsimpkins/csharp-mad-httputility-upstream

Conversation

@LWSimpkins
Copy link
Contributor

@LWSimpkins LWSimpkins commented Feb 9, 2026

Update MaD for C# related to SSRF and URL path traversal scenarios.

System.Web.HttpUtility UrlDecode Method

Update model to treat UrlDecode as a taint method. UrlEncode is already treated as a taint method.

Example:

var untrustedUrl = HttpUtility.UrlDecode(untrustedUrl_raw); // This was missing in MaD
var untrustedUrl_bytes = Convert.FromBase64String(untrustedUrl);
untrustedUrl = Encoding.UTF8.GetString(untrustedUrl_bytes); // untrustedUrl used later in SSRF

@LWSimpkins LWSimpkins requested a review from a team as a code owner February 9, 2026 22:12
Copilot AI review requested due to automatic review settings February 9, 2026 22:12
Copilot AI reviewed Feb 9, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the C# Models-as-Data (MaD) for System.Web.HttpUtility so that UrlDecode is treated as a taint-propagating method, improving dataflow tracking for SSRF and URL path traversal scenarios.

Changes:

  • Add taint-propagation summaries for System.Web.HttpUtility.UrlDecode overloads in the MaD YAML model.
  • Update library-test expected summary outputs to include the new UrlDecode entries.
  • Add a change note describing the modeling update.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

File Description
csharp/ql/lib/ext/System.Web.model.yml Adds summary model entries marking HttpUtility.UrlDecode overloads as taint-propagating.
csharp/ql/test/library-tests/dataflow/library/FlowSummaries.expected Updates expected library summary output to include UrlDecode taint flow.
csharp/ql/test/library-tests/dataflow/library/FlowSummariesFiltered.expected Updates filtered expected summary output similarly.
csharp/ql/lib/change-notes/2026-02-09-update-system.web.httputility-model.md Adds a change note for the modeling update (currently contains a namespace/type mistake).

@github-actions
Copy link
Contributor

github-actions bot commented Feb 9, 2026

⚠️ The head of this PR and the base branch were compared for differences in the framework coverage reports. The generated reports are available in the artifacts of this workflow run. The differences will be picked up by the nightly job after the PR gets merged.

Click to show differences in coverage

csharp

Generated file changes for csharp

  • Changes to framework-coverage-csharp.rst:
-    System,"``System.*``, ``System``",47,12491,59,5
+    System,"``System.*``, ``System``",47,12495,59,5
-    Totals,,107,14904,415,9
+    Totals,,107,14908,415,9
  • Changes to framework-coverage-csharp.csv:
- System,59,47,12491,,6,5,12,,,4,1,,31,2,,6,15,17,4,3,,6378,6113
+ System,59,47,12495,,6,5,12,,,4,1,,31,2,,6,15,17,4,3,,6382,6113

@LWSimpkins
Fix typo in change note
677949e 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@michaelnebel michaelnebel self-requested a review February 10, 2026 09:25
michaelnebel
michaelnebel reviewed Feb 10, 2026
View reviewed changes
Copy link
Contributor

@michaelnebel michaelnebel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you!
Lets run DCA before merging (I will start a DCA run now).

michaelnebel
michaelnebel approved these changes Feb 10, 2026
View reviewed changes
Copy link
Contributor

@michaelnebel michaelnebel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

DCA looks good.

@michaelnebel michaelnebel merged commit 0ac1bc4 into github:main Feb 11, 2026
22 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@michaelnebel michaelnebel michaelnebel approved these changes

Assignees

No one assigned

Labels

C# documentation

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@LWSimpkins @michaelnebel