
Conversation


@redsun82 redsun82 commented Oct 17, 2025

As explained in

https://learn.microsoft.com/en-us/previous-versions/aspnet/ms178692(v=vs.100),

it is possible to add system.webServer elements nested inside location elements in Web.config.

…on` elements

As explained in

https://learn.microsoft.com/en-us/previous-versions/aspnet/ms178692(v=vs.100),

it is possible to add `system.webServer` elements nested inside
`location` elements in `Web.config`.
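To make the case the PR covers concrete, here is an added example of the Web.config lookup the fix describes, written for this page and not taken from CodeQL's MissingXFrameOptions.ql: it walks `system.webServer` elements that sit directly under `configuration` and those nested inside `location`, and reports where an X-Frame-Options header is added via `httpProtocol/customHeaders`. The query also imports the C# System.Web model and so can see headers set from code; this example covers only the Web.config side. The sample configurations are constructed, and the treatment of `path="."` as meaning the whole application (versus a named sub-path) is an assumption about IIS location semantics made for the `covers_whole_application` check.

```python
"""Find X-Frame-Options headers in a Web.config, including the
system.webServer-inside-location case.  Example code written for this
page; not CodeQL's own query.  Sample configs below are constructed."""
import xml.etree.ElementTree as ET

HEADER_NAME = "x-frame-options"


def _children(element, tag):
    """Direct children with the given tag (tags like system.webServer
    contain a dot, so plain iteration is used instead of ElementPath)."""
    return [child for child in element if child.tag == tag]


def _custom_header_adds(system_web_server):
    """All <add> elements under httpProtocol/customHeaders."""
    adds = []
    for proto in _children(system_web_server, "httpProtocol"):
        for headers in _children(proto, "customHeaders"):
            adds.extend(_children(headers, "add"))
    return adds


def xframe_options_headers(web_config_xml):
    """Return (scope, value) pairs for every X-Frame-Options header.
    scope is "" for a root-level system.webServer and the location's
    path attribute for one nested inside <location>."""
    root = ET.fromstring(web_config_xml)
    if root.tag != "configuration":
        raise ValueError("expected <configuration> as the root element")
    candidates = [("", s) for s in _children(root, "system.webServer")]
    for location in _children(root, "location"):
        scope = location.get("path", "")
        candidates += [(scope, s) for s in _children(location, "system.webServer")]
    found = []
    for scope, server in candidates:
        for add in _custom_header_adds(server):
            if (add.get("name") or "").lower() == HEADER_NAME:
                found.append((scope, add.get("value", "")))
    return found


def missing_xframe_options(web_config_xml):
    """True when no X-Frame-Options header is configured at all."""
    return not xframe_options_headers(web_config_xml)


def covers_whole_application(web_config_xml):
    """True when the header applies to the whole application: set at the
    root, or in a <location> whose path is "" or "." (assumption: "."
    means the directory holding this Web.config, not a sub-path)."""
    return any(scope in ("", ".") for scope, _ in xframe_options_headers(web_config_xml))


# Constructed sample configurations.
DIRECT_CONFIG = """<configuration>
  <system.webServer>
    <httpProtocol><customHeaders>
      <add name="X-Frame-Options" value="DENY" />
    </customHeaders></httpProtocol>
  </system.webServer>
</configuration>"""

LOCATION_CONFIG = """<configuration>
  <location path="." inheritInChildApplications="false">
    <system.webServer>
      <httpProtocol><customHeaders>
        <add name="X-Frame-Options" value="SAMEORIGIN" />
      </customHeaders></httpProtocol>
    </system.webServer>
  </location>
</configuration>"""

SCOPED_CONFIG = """<configuration>
  <location path="admin">
    <system.webServer>
      <httpProtocol><customHeaders>
        <add name="X-Frame-Options" value="DENY" />
      </customHeaders></httpProtocol>
    </system.webServer>
  </location>
</configuration>"""

NO_HEADER_CONFIG = """<configuration>
  <system.webServer>
    <httpProtocol><customHeaders>
      <add name="X-Content-Type-Options" value="nosniff" />
    </customHeaders></httpProtocol>
  </system.webServer>
</configuration>"""

if __name__ == "__main__":
    for name, cfg in [("direct", DIRECT_CONFIG), ("location", LOCATION_CONFIG),
                      ("scoped", SCOPED_CONFIG), ("none", NO_HEADER_CONFIG)]:
        print(name, xframe_options_headers(cfg),
              "missing" if missing_xframe_options(cfg) else "present",
              "whole-app" if covers_whole_application(cfg) else "partial")
```

The `SCOPED_CONFIG` case is the caveat worth keeping in mind when reading the fix: a header added inside `<location path="admin">` is present, so a presence check is satisfied, but it protects only that sub-path.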
@redsun82 redsun82 requested a review from a team as a code owner October 17, 2025 09:29
Copilot AI review requested due to automatic review settings October 17, 2025 09:29

Copilot AI left a comment


Pull Request Overview

Fixes the C# security query for missing X-Frame-Options headers to properly detect when these headers are configured within location elements in Web.config files, as supported by ASP.NET.

  • Updated the query logic to check for X-Frame-Options headers in both direct system.webServer elements and those nested inside location elements
  • Added comprehensive test coverage for the new location element scenario

Reviewed Changes

Copilot reviewed 5 out of 6 changed files in this pull request and generated no comments.

Summary per file:

  • MissingXFrameOptions.ql: updated query logic to support detection of X-Frame-Options headers within location elements
  • Web.config: test configuration demonstrating an X-Frame-Options header configured within a location element
  • MissingXFrameOptions.cs: test C# code with an HTTP handler for testing the security query
  • MissingXFrameOptions.qlref: query reference file for the test case
  • options: test configuration options for the CodeQL extractor

@github-actions github-actions bot added the C# label Oct 17, 2025
@redsun82 redsun82 changed the title Csharp: fix cs/web/missing-x-frame-options to also consider `locati… Csharp: fix cs/web/missing-x-frame-options to also consider location elements Oct 17, 2025
@@ -0,0 +1 @@
Security Features/CWE-451/MissingXFrameOptions.ql
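Review bot: the .qlref in this hunk gives only the query path, so the test's expected results live in a separate file rather than beside the code, which is what the code scanning warning on this file (Query test without inline test expectations) is flagging; consider using inline expectations in MissingXFrameOptions.cs so the expected alert sits next to the handler code and the Web.config it exercises.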

Check warning

Code scanning / CodeQL

Query test without inline test expectations Warning test

Query test does not use inline test expectations.

@michaelnebel michaelnebel left a comment


Thank you for doing this!
Maybe we should also run DCA before merging.

@redsun82 redsun82 force-pushed the redsun82/csharp-fix-xframe-options-in-location branch from 4c0391e to 316225b Compare October 21, 2025 09:48
import semmle.code.asp.WebConfig
import semmle.code.csharp.frameworks.system.Web

XmlElement getAWebConfigRoot(WebConfigXml webConfig) {


Great!

@redsun82 redsun82 requested a review from michaelnebel October 27, 2025 08:51

@michaelnebel michaelnebel left a comment


Thank you! LGTM!

@redsun82 redsun82 merged commit 105f810 into main Oct 27, 2025
23 checks passed
@redsun82 redsun82 deleted the redsun82/csharp-fix-xframe-options-in-location branch October 27, 2025 12:49

3 participants