Skip to content

C#: Add Razor Page handler method parameters as remote flow sources#21984

Open
felickz wants to merge 2 commits into
github:mainfrom
forks-felickz:felickz/razor-page-handler-sources
Open

C#: Add Razor Page handler method parameters as remote flow sources#21984
felickz wants to merge 2 commits into
github:mainfrom
forks-felickz:felickz/razor-page-handler-sources

Conversation

@felickz

@felickz felickz commented Jun 12, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Summary

ASP.NET Core Razor Page handler method parameters (OnGet, OnPost, etc.) were not modeled as remote flow sources, causing security queries like SQL injection to miss vulnerabilities in PageModel subclasses.

What we now detect as sources

public class MyPageModel : PageModel
{
    // ✅ All handler method parameters are now recognized as remote flow sources
    public void OnGet(string id) { }
    public void OnPost(string command, int count) { }
    public async Task OnPostAsync(string data) { }
    public void OnPut(string value) { }
    public void OnDelete(string itemId) { }

    // ✅ Works through PageModel inheritance chains
    public class DerivedPage : MyPageModel
    {
        public void OnPost(string derivedParam) { }
    }

    // ❌ Regular methods are correctly excluded
    public void GetUser(string userId) { }

    // ❌ [NonHandler] attribute is respected
    [NonHandler]
    public void OnGetExcluded(string param) { }
}

Problem

AspNetCoreActionMethodParameter in Remote.qll only covers MicrosoftAspNetCoreMvcController.getAnActionMethod().getAParameter() — MVC controllers only. Razor Pages extend PageModel, not a controller, so handler method parameters like OnPost([FromForm] string command) were invisible to taint tracking.

This was discovered when a known SQL injection vulnerability in a Razor Page was not detected by cs/sql-injection.

Fix

Adds AspNetCorePageHandlerMethodParameter, analogous to AspNetCoreActionMethodParameter, using the existing PageModelClass.getAHandlerMethod() from Razor.qll. This properly handles:

  • All HTTP verb handlers (OnGet, OnPost, OnPut, OnDelete, etc.) and async variants
  • Subtypes of PageModel (including derived classes)
  • [NonHandler] exclusions (via the existing getAHandlerMethod() predicate)

Testing

  • Added positive test cases for OnGet, OnPost, OnPostAsync, OnPut, OnDelete handler parameters
  • Added negative test cases for non-handler methods and [NonHandler]-attributed methods
  • Added subtype test (DerivedPageModel extending MyPageModel)
  • Existing aspremote and remote flow source tests pass with no regressions

@felickz
C#: Add Razor Page handler method parameters as remote flow sources
ce9e61d 
ASP.NET Core Razor Page handler method parameters (OnGet, OnPost, etc.)
were not modeled as remote flow sources, causing security queries like
SQL injection to miss vulnerabilities in PageModel subclasses.

This adds AspNetCorePageHandlerMethodParameter, analogous to the existing
AspNetCoreActionMethodParameter for MVC controllers, using the existing
PageModelClass.getAHandlerMethod() from Razor.qll.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@felickz felickz requested a review from a team as a code owner June 12, 2026 23:50
Copilot AI review requested due to automatic review settings June 12, 2026 23:50
@github-actions github-actions Bot added the C# label Jun 12, 2026
Copilot AI reviewed Jun 12, 2026
View reviewed changes

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Adds CodeQL remote flow sources for ASP.NET Core Razor Pages handler method parameters, with accompanying library tests to validate detection.

Changes:

  • Introduces a new AspNetCorePageHandlerMethodParameter remote flow source in Remote.qll.
  • Adds Razor Pages PageModel handler-method test cases to the C# test fixture.
  • Updates the expected test output to include Razor Page handler parameters as remote sources.
Show a summary per file
File Description
csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/Remote.qll Adds Razor framework import and a new remote flow source for Razor Page handler method parameters.
csharp/ql/test/library-tests/dataflow/flowsources/aspremote/AspRemoteFlowSource.cs Adds Razor PageModel handler methods (and a derived PageModel) to exercise the new flow source.
csharp/ql/test/library-tests/dataflow/flowsources/aspremote/aspRemoteFlowSource.expected Updates expected results to include the newly-detected Razor handler parameters.

Copilot's findings

  • Files reviewed: 3/3 changed files
  • Comments generated: 2

Comment thread csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/Remote.qll
Comment thread csharp/ql/test/library-tests/dataflow/flowsources/aspremote/AspRemoteFlowSource.cs
@felickz
C#: Add change note for Razor Page handler flow sources
23567eb 
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

C# documentation

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@felickz