From ba3fc0a769e53ba971ea4795fc01f09322d210b0 Mon Sep 17 00:00:00 2001
From: Lindsay Simpkins <lsimpkins@microsoft.com>
Date: Mon, 9 Feb 2026 16:09:37 -0500
Subject: [PATCH 1/3] update csharp MaD for System.Web.HttpUtility for tainted
 URIs

---
 csharp/ql/lib/ext/System.Web.model.yml                        | 4 ++++
 .../library-tests/dataflow/library/FlowSummaries.expected     | 4 ++++
 .../dataflow/library/FlowSummariesFiltered.expected           | 4 ++++
 3 files changed, 12 insertions(+)

diff --git a/csharp/ql/lib/ext/System.Web.model.yml b/csharp/ql/lib/ext/System.Web.model.yml
index 6d05cdae75b5..63c539fbe5ec 100644
--- a/csharp/ql/lib/ext/System.Web.model.yml
+++ b/csharp/ql/lib/ext/System.Web.model.yml
@@ -29,6 +29,10 @@ extensions:
       - ["System.Web", "HttpUtility", False, "JavaScriptStringEncode", "(System.String)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
       - ["System.Web", "HttpUtility", False, "JavaScriptStringEncode", "(System.String,System.Boolean)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
       - ["System.Web", "HttpUtility", False, "ParseQueryString", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["System.Web", "HttpUtility", False, "UrlDecode", "(System.Byte[],System.Int32,System.Int32,System.Text.Encoding)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["System.Web", "HttpUtility", False, "UrlDecode", "(System.Byte[],System.Text.Encoding)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["System.Web", "HttpUtility", False, "UrlDecode", "(System.String)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["System.Web", "HttpUtility", False, "UrlDecode", "(System.String,System.Text.Encoding)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
       - ["System.Web", "HttpUtility", False, "UrlEncode", "(System.Byte[])", "", "Argument[0]", "ReturnValue", "taint", "manual"]
       - ["System.Web", "HttpUtility", False, "UrlEncode", "(System.Byte[],System.Int32,System.Int32)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
       - ["System.Web", "HttpUtility", False, "UrlEncode", "(System.String)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
diff --git a/csharp/ql/test/library-tests/dataflow/library/FlowSummaries.expected b/csharp/ql/test/library-tests/dataflow/library/FlowSummaries.expected
index be6a2302cc35..b7ae291bf0fb 100644
--- a/csharp/ql/test/library-tests/dataflow/library/FlowSummaries.expected
+++ b/csharp/ql/test/library-tests/dataflow/library/FlowSummaries.expected
@@ -18591,6 +18591,10 @@ summary
 | System.Web;HttpUtility;JavaScriptStringEncode;(System.String,System.Boolean);Argument[0];ReturnValue;taint;manual |
 | System.Web;HttpUtility;ParseQueryString;(System.String);Argument[0];ReturnValue;taint;manual |
 | System.Web;HttpUtility;ParseQueryString;(System.String,System.Text.Encoding);Argument[0];ReturnValue;taint;manual |
+| System.Web;HttpUtility;UrlDecode;(System.Byte[],System.Int32,System.Int32,System.Text.Encoding);Argument[0];ReturnValue;taint;manual |
+| System.Web;HttpUtility;UrlDecode;(System.Byte[],System.Text.Encoding);Argument[0];ReturnValue;taint;manual |
+| System.Web;HttpUtility;UrlDecode;(System.String);Argument[0];ReturnValue;taint;manual |
+| System.Web;HttpUtility;UrlDecode;(System.String,System.Text.Encoding);Argument[0];ReturnValue;taint;manual |
 | System.Web;HttpUtility;UrlEncode;(System.Byte[]);Argument[0];ReturnValue;taint;manual |
 | System.Web;HttpUtility;UrlEncode;(System.Byte[],System.Int32,System.Int32);Argument[0];ReturnValue;taint;manual |
 | System.Web;HttpUtility;UrlEncode;(System.String);Argument[0];ReturnValue;taint;manual |
diff --git a/csharp/ql/test/library-tests/dataflow/library/FlowSummariesFiltered.expected b/csharp/ql/test/library-tests/dataflow/library/FlowSummariesFiltered.expected
index c88c901bd75b..8aff8d0e1788 100644
--- a/csharp/ql/test/library-tests/dataflow/library/FlowSummariesFiltered.expected
+++ b/csharp/ql/test/library-tests/dataflow/library/FlowSummariesFiltered.expected
@@ -14340,6 +14340,10 @@
 | System.Web;HttpUtility;JavaScriptStringEncode;(System.String,System.Boolean);Argument[0];ReturnValue;taint;manual |
 | System.Web;HttpUtility;ParseQueryString;(System.String);Argument[0];ReturnValue;taint;manual |
 | System.Web;HttpUtility;ParseQueryString;(System.String,System.Text.Encoding);Argument[0];ReturnValue;taint;manual |
+| System.Web;HttpUtility;UrlDecode;(System.Byte[],System.Int32,System.Int32,System.Text.Encoding);Argument[0];ReturnValue;taint;manual |
+| System.Web;HttpUtility;UrlDecode;(System.Byte[],System.Text.Encoding);Argument[0];ReturnValue;taint;manual |
+| System.Web;HttpUtility;UrlDecode;(System.String);Argument[0];ReturnValue;taint;manual |
+| System.Web;HttpUtility;UrlDecode;(System.String,System.Text.Encoding);Argument[0];ReturnValue;taint;manual |
 | System.Web;HttpUtility;UrlEncode;(System.Byte[]);Argument[0];ReturnValue;taint;manual |
 | System.Web;HttpUtility;UrlEncode;(System.Byte[],System.Int32,System.Int32);Argument[0];ReturnValue;taint;manual |
 | System.Web;HttpUtility;UrlEncode;(System.String);Argument[0];ReturnValue;taint;manual |

From fe10fb37e95c1bbe205158a7b3b83897c2a45062 Mon Sep 17 00:00:00 2001
From: Lindsay Simpkins <lsimpkins@microsoft.com>
Date: Mon, 9 Feb 2026 16:12:20 -0500
Subject: [PATCH 2/3] add changenote

---
 .../2026-02-09-update-system.web.httputility-model.md         | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 csharp/ql/lib/change-notes/2026-02-09-update-system.web.httputility-model.md

diff --git a/csharp/ql/lib/change-notes/2026-02-09-update-system.web.httputility-model.md b/csharp/ql/lib/change-notes/2026-02-09-update-system.web.httputility-model.md
new file mode 100644
index 000000000000..e2efaaf6efeb
--- /dev/null
+++ b/csharp/ql/lib/change-notes/2026-02-09-update-system.web.httputility-model.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The model for `System.Net.HttpUtility` has been modified to better model the flow of tainted URIs.
\ No newline at end of file

From 677949e409f90eb6c64da50e59bba2f25b2d68d5 Mon Sep 17 00:00:00 2001
From: Lindsay Simpkins <LWSimpkins@users.noreply.github.com>
Date: Mon, 9 Feb 2026 17:16:10 -0500
Subject: [PATCH 3/3] Fix typo in change note

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 .../2026-02-09-update-system.web.httputility-model.md           | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/csharp/ql/lib/change-notes/2026-02-09-update-system.web.httputility-model.md b/csharp/ql/lib/change-notes/2026-02-09-update-system.web.httputility-model.md
index e2efaaf6efeb..750761fdf377 100644
--- a/csharp/ql/lib/change-notes/2026-02-09-update-system.web.httputility-model.md
+++ b/csharp/ql/lib/change-notes/2026-02-09-update-system.web.httputility-model.md
@@ -1,4 +1,4 @@
 ---
 category: minorAnalysis
 ---
-* The model for `System.Net.HttpUtility` has been modified to better model the flow of tainted URIs.
\ No newline at end of file
+* The model for `System.Web.HttpUtility` has been modified to better model the flow of tainted URIs.
\ No newline at end of file