C# queries for CodeQL analysis

Explore the queries that CodeQL uses to analyze code written in C# when you select the default or the security-extended query suite.

CodeQL includes many queries for analyzing C# code. All queries in the default query suite are run by default. If you choose to use the security-extended query suite, additional queries are run. For more information, see CodeQL query suites.

Built-in queries for C# analysis

This table lists the queries available with the latest release of the CodeQL action and CodeQL CLI. For more information, see CodeQL change logs on the CodeQL documentation site.

| Query name | Related CWEs | Default | Extended |
|---|---|---|---|
| 'requireSSL' attribute is not set to true | 319, 614 | ✓ | ✓ |
| Arbitrary file access during archive extraction ("Zip Slip") | 022 | ✓ | ✓ |
| ASP.NET config file enables directory browsing | 548 | ✓ | ✓ |
| Assembly path injection | 114 | ✓ | ✓ |
| Clear text storage of sensitive information | 312, 315, 359 | ✓ | ✓ |
| Cookie security: overly broad domain | 287 | ✓ | ✓ |
| Cookie security: overly broad path | 287 | ✓ | ✓ |
| Cookie security: persistent cookie | 539 | ✓ | ✓ |
| Creating an ASP.NET debug binary may reveal sensitive information | 011, 532 | ✓ | ✓ |
| Cross-site scripting | 079, 116 | ✓ | ✓ |
| Denial of Service from comparison of user input against expensive regex | 1333, 730, 400 | ✓ | ✓ |
| Deserialization of untrusted data | 502 | ✓ | ✓ |
| Deserialized delegate | 502 | ✓ | ✓ |
| Encryption using ECB | 327 | ✓ | ✓ |
| Exposure of private information | 359 | ✓ | ✓ |
| Failure to abandon session | 384 | ✓ | ✓ |
| Header checking disabled | 113 | ✓ | ✓ |
| Improper control of generation of code | 094, 095, 096 | ✓ | ✓ |
| Information exposure through an exception | 209, 497 | ✓ | ✓ |
| Information exposure through transmitted data | 201 | ✓ | ✓ |
| Insecure randomness | 338 | ✓ | ✓ |
| LDAP query built from user-controlled sources | 090 | ✓ | ✓ |
| Log entries created from user input | 117 | ✓ | ✓ |
| Missing cross-site request forgery token validation | 352 | ✓ | ✓ |
| Missing global error handler | 012, 248 | ✓ | ✓ |
| Missing X-Frame-Options HTTP header | 451, 829 | ✓ | ✓ |
| Page request validation is disabled | 016 | ✓ | ✓ |
| Regular expression injection | 730, 400 | ✓ | ✓ |
| Resource injection | 099 | ✓ | ✓ |
| SQL query built from user-controlled sources | 089 | ✓ | ✓ |
| Uncontrolled command line | 078, 088 | ✓ | ✓ |
| Uncontrolled data used in path expression | 022, 023, 036, 073, 099 | ✓ | ✓ |
| Uncontrolled format string | 134 | ✓ | ✓ |
| Untrusted XML is read insecurely | 611, 827, 776 | ✓ | ✓ |
| Unvalidated local pointer arithmetic | 119, 120, 122, 788 | ✓ | ✓ |
| URL redirection from remote source | 601 | ✓ | ✓ |
| User-controlled bypass of sensitive method | 807, 247, 350 | ✓ | ✓ |
| Weak encryption | 327 | ✓ | ✓ |
| Weak encryption: inadequate RSA padding | 327, 780 | ✓ | ✓ |
| Weak encryption: Insufficient key size | 326 | ✓ | ✓ |
| XML injection | 091 | ✓ | ✓ |
| XPath injection | 643 | ✓ | ✓ |
| Empty password in configuration file | 258, 862 |  | ✓ |
| Insecure Direct Object Reference | 639 |  | ✓ |
| Insecure SQL connection | 327 |  | ✓ |
| Missing function level access control | 285, 284, 862 |  | ✓ |
| Missing XML validation | 112 |  | ✓ |
| Serialization check bypass | 020 |  | ✓ |
| Thread-unsafe capturing of an ICryptoTransform object | 362 |  | ✓ |
| Thread-unsafe use of a static ICryptoTransform field | 362 |  | ✓ |
| Use of file upload | 434 |  | ✓ |
| Value shadowing | 348 |  | ✓ |
| Value shadowing: server variable | 348 |  | ✓ |