Value shadowing: server variable¶
ID: cs/web/ambiguous-server-variable
Kind: problem
Security severity:
Severity: warning
Precision: medium
Tags:
- security
- maintainability
- frameworks/asp.net
Query suites:
- csharp-security-extended.qls
- csharp-security-and-quality.qls
Click to see the query in the CodeQL repository
Relying on HttpRequest to provide access to a particular server variable is not safe as it can be overridden by the client. The HttpRequest class implements an indexer to provide a simplified, combined access to its QueryString, Form , Cookies, or ServerVariables collections, in that particular order. When searching for a variable, the first match is returned: QueryString parameters hence supersede values from forms, cookies and server variables, and so on. This is a serious attack vector since an attacker could inject a value in the query string that you do not expect, and which supersedes the value of the server variable you were actually trying to check.
Recommendation¶
Explicitly restrict the search to the ServerVariables collection.
Example¶
In this example the server attempts to ensure the user is using an HTTPS connection. Because the programmer used the HttpRequest indexer, URLs like http://www.example.org/?HTTPS=ON appear to be from a secure connection even though they are not.
class ValueShadowingServerVariable
{
public bool isHTTPS(HttpRequest request)
{
String https = request["HTTPS"];
return https == "ON";
}
}
This can be easily fixed by explicitly specifying that we are looking for a server variable.
class ValueShadowingServerVariableFix
{
public bool isHTTPS(HttpRequest request)
{
String https = request.ServerVariables["HTTPS"];
return https == "ON";
}
}
References¶
MSDN: HttpRequest.Item.
MSDN: IIS Server Variables.