C#: Consider parameters passed to lambdas in MapGet remote flow sources.

Author: michaelnebel

csharp/ql/lib/semmle/code/csharp/frameworks/microsoft/AspNetCore.qll

@@ -357,3 +357,15 @@ class MicrosoftAspNetCoreHttpHtmlString extends Class {
     this.hasQualifiedName("Microsoft.AspNetCore.Html", "HtmlString")
   }
 }
+
+/**
+ * The `Microsoft.AspNetCore.Builder.EndpointRouteBuilderExtensions` class.
+ */
+class MicrosoftAspNetCoreBuilderEndpointRouteBuilderExtensions extends Class {
+  MicrosoftAspNetCoreBuilderEndpointRouteBuilderExtensions() {
+    this.hasQualifiedName("Microsoft.AspNetCore.Builder", "EndpointRouteBuilderExtensions")
+  }
+
+  /** Gets the `UseMap` extension method. */
+  Method getMapGetMethod() { result = this.getAMethod("MapGet") }
+}

csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/Remote.qll

@@ -171,6 +171,22 @@ class ActionMethodParameter extends RemoteFlowSource, DataFlow::ParameterNode {
 /** A data flow source of remote user input (ASP.NET Core). */
 abstract class AspNetCoreRemoteFlowSource extends RemoteFlowSource { }
 
+/** A parameter to a routing method delegate. */
+class RoutingMethodParameter extends AspNetCoreRemoteFlowSource, DataFlow::ParameterNode {
+  RoutingMethodParameter() {
+    exists(Parameter p, MethodCall m |
+      p = this.getParameter() and
+      p.fromSource()
+    |
+      m.getTarget() =
+        any(MicrosoftAspNetCoreBuilderEndpointRouteBuilderExtensions c).getMapGetMethod() and
+      p = m.getArgument(2).(AnonymousFunctionExpr).getAParameter()
+    )
+  }
+
+  override string getSourceType() { result = "ASP.NET Core routing endpoint." }
+}
+
 /**
  * Data flow for ASP.NET Core.
  *

csharp/ql/test/library-tests/dataflow/flowsources/aspremote/aspRemoteFlowSource.expected

@@ -2,3 +2,4 @@ remoteFlowSourceMembers
 | AspRemoteFlowSource.cs:9:23:9:31 | RequestId |
 remoteFlowSources
 | AspRemoteFlowSource.cs:19:42:19:50 | viewModel |
+| AspRemoteFlowSource.cs:34:58:34:63 | newUrl |