Supress CodeQL warnings, update build agents (#484)

Tratcher · web-flow · commit b286086bb030 · 2022-11-15T13:34:49.000-08:00
diff --git a/azure-pipelines.yml b/azure-pipelines.yml
@@ -69,10 +69,10 @@ stages:
         pool:
           ${{ if eq(variables['System.TeamProject'], 'public') }}:
             name: NetCore-Public
-            demands: ImageOverride -equals Build.Windows.10.Amd64.VS2019.Pre.Open
+            demands: ImageOverride -equals 1es-windows-2019-open
           ${{ if ne(variables['System.TeamProject'], 'public') }}:
             name: NetCore1ESPool-Internal
-            demands: ImageOverride -equals Build.Windows.10.Amd64.VS2019.Pre
+            demands: ImageOverride -equals 1es-windows-2019
         ${{ if eq(variables.runCodeQL3000, 'true') }}:
           # Component governance and SBOM creation are not needed here. Disable what Arcade would inject.
           disableComponentGovernance: true
diff --git a/src/Microsoft.Owin.Host.SystemWeb/SystemWebChunkingCookieManager.cs b/src/Microsoft.Owin.Host.SystemWeb/SystemWebChunkingCookieManager.cs
@@ -193,7 +193,7 @@ public void AppendResponseCookie(IOwinContext context, string key, string value,
             // Normal cookie
             if (!ChunkSize.HasValue || ChunkSize.Value > prefix.Length + escapedValue.Length + suffix.Length + (quoted ? 2 : 0))
             {
-                var cookie = new HttpCookie(escapedKey, escapedValue);
+                var cookie = new HttpCookie(escapedKey, escapedValue); // CodeQL [SM03822] False positive, this is an abstraction and the values are determined elsewhere.
                 SetOptions(cookie, options, domainHasValue, pathHasValue, expiresHasValue);
 
                 webContext.Response.AppendCookie(cookie);
diff --git a/src/Microsoft.Owin.Security.ActiveDirectory/WsFedCachingSecurityKeyProvider.cs b/src/Microsoft.Owin.Security.ActiveDirectory/WsFedCachingSecurityKeyProvider.cs
@@ -45,7 +45,7 @@ public WsFedCachingSecurityKeyProvider(string metadataEndpoint, ICertificateVali
                 {
                     throw new InvalidOperationException(Properties.Resources.Exception_ValidatorHandlerMismatch);
                 }
-                webRequestHandler.ServerCertificateValidationCallback = backchannelCertificateValidator.Validate;
+                webRequestHandler.ServerCertificateValidationCallback = backchannelCertificateValidator.Validate; // CodeQL [SM03786] False positive, not disabled by default. Used for testing and extensibility.
             }
 
             RetrieveMetadata();
diff --git a/src/Microsoft.Owin.Security.ActiveDirectory/WsFedMetadataRetriever.cs b/src/Microsoft.Owin.Security.ActiveDirectory/WsFedMetadataRetriever.cs
@@ -20,7 +20,7 @@ internal static class WsFedMetadataRetriever
 
         public static IssuerSigningKeys GetSigningKeys(string metadataEndpoint, TimeSpan backchannelTimeout, HttpMessageHandler backchannelHttpHandler)
         {
-            using (var metadataRequest = new HttpClient(backchannelHttpHandler, false))
+            using (var metadataRequest = new HttpClient(backchannelHttpHandler, false))// CodeQL [SM02185] Enabling certificate revocation would be a breaking change. Customers can enable it.
             {
                 metadataRequest.Timeout = backchannelTimeout;
                 using (HttpResponseMessage metadataResponse = metadataRequest.GetAsync(metadataEndpoint).Result)
diff --git a/src/Microsoft.Owin.Security.Facebook/FacebookAuthenticationMiddleware.cs b/src/Microsoft.Owin.Security.Facebook/FacebookAuthenticationMiddleware.cs
@@ -61,7 +61,7 @@ public FacebookAuthenticationMiddleware(
                 Options.SignInAsAuthenticationType = app.GetDefaultSignInAsAuthenticationType();
             }
 
-            _httpClient = new HttpClient(ResolveHttpMessageHandler(Options));
+            _httpClient = new HttpClient(ResolveHttpMessageHandler(Options)); // CodeQL [SM02185] Enabling certificate revocation would be a breaking change. Customers can enable it.
             _httpClient.Timeout = Options.BackchannelTimeout;
             _httpClient.MaxResponseContentBufferSize = 1024 * 1024 * 10; // 10 MB
         }
@@ -89,7 +89,7 @@ private static HttpMessageHandler ResolveHttpMessageHandler(FacebookAuthenticati
                 {
                     throw new InvalidOperationException(Resources.Exception_ValidatorHandlerMismatch);
                 }
-                webRequestHandler.ServerCertificateValidationCallback = options.BackchannelCertificateValidator.Validate;
+                webRequestHandler.ServerCertificateValidationCallback = options.BackchannelCertificateValidator.Validate; // CodeQL [SM03786] False positive, not disabled by default. Used for testing and extensibility.
             }
 
             return handler;
diff --git a/src/Microsoft.Owin.Security.Google/GoogleOAuth2AuthenticationMiddleware.cs b/src/Microsoft.Owin.Security.Google/GoogleOAuth2AuthenticationMiddleware.cs
@@ -63,7 +63,7 @@ public GoogleOAuth2AuthenticationMiddleware(
                 Options.SignInAsAuthenticationType = app.GetDefaultSignInAsAuthenticationType();
             }
 
-            _httpClient = new HttpClient(ResolveHttpMessageHandler(Options));
+            _httpClient = new HttpClient(ResolveHttpMessageHandler(Options)); // CodeQL [SM02185] Enabling certificate revocation would be a breaking change. Customers can enable it.
             _httpClient.Timeout = Options.BackchannelTimeout;
             _httpClient.MaxResponseContentBufferSize = 1024 * 1024 * 10; // 10 MB
         }
@@ -91,7 +91,7 @@ private static HttpMessageHandler ResolveHttpMessageHandler(GoogleOAuth2Authenti
                 {
                     throw new InvalidOperationException(Resources.Exception_ValidatorHandlerMismatch);
                 }
-                webRequestHandler.ServerCertificateValidationCallback = options.BackchannelCertificateValidator.Validate;
+                webRequestHandler.ServerCertificateValidationCallback = options.BackchannelCertificateValidator.Validate; // CodeQL [SM03786] False positive, not disabled by default. Used for testing and extensibility.
             }
 
             return handler;
diff --git a/src/Microsoft.Owin.Security.MicrosoftAccount/MicrosoftAccountAuthenticationMiddleware.cs b/src/Microsoft.Owin.Security.MicrosoftAccount/MicrosoftAccountAuthenticationMiddleware.cs
@@ -61,7 +61,7 @@ public MicrosoftAccountAuthenticationMiddleware(
                 Options.SignInAsAuthenticationType = app.GetDefaultSignInAsAuthenticationType();
             }
 
-            _httpClient = new HttpClient(ResolveHttpMessageHandler(Options));
+            _httpClient = new HttpClient(ResolveHttpMessageHandler(Options)); // CodeQL [SM02185] Enabling certificate revocation would be a breaking change. Customers can enable it.
             _httpClient.Timeout = Options.BackchannelTimeout;
             _httpClient.MaxResponseContentBufferSize = 1024 * 1024 * 10; // 10 MB
         }
@@ -89,7 +89,7 @@ private static HttpMessageHandler ResolveHttpMessageHandler(MicrosoftAccountAuth
                 {
                     throw new InvalidOperationException(Resources.Exception_ValidatorHandlerMismatch);
                 }
-                webRequestHandler.ServerCertificateValidationCallback = options.BackchannelCertificateValidator.Validate;
+                webRequestHandler.ServerCertificateValidationCallback = options.BackchannelCertificateValidator.Validate; // CodeQL [SM03786] False positive, not disabled by default. Used for testing and extensibility.
             }
 
             return handler;
diff --git a/src/Microsoft.Owin.Security.OpenIdConnect/OpenIdConnectAuthenticationMiddleware.cs b/src/Microsoft.Owin.Security.OpenIdConnect/OpenIdConnectAuthenticationMiddleware.cs
@@ -69,7 +69,7 @@ public OpenIdConnectAuthenticationMiddleware(OwinMiddleware next, IAppBuilder ap
 
             if (Options.Backchannel == null)
             {
-                Options.Backchannel = new HttpClient(ResolveHttpMessageHandler(Options));
+                Options.Backchannel = new HttpClient(ResolveHttpMessageHandler(Options)); // CodeQL [SM02185] Enabling certificate revocation would be a breaking change. Customers can enable it.
                 Options.Backchannel.DefaultRequestHeaders.UserAgent.ParseAdd("Microsoft ASP.NET Core OpenIdConnect middleware");
                 Options.Backchannel.Timeout = Options.BackchannelTimeout;
                 Options.Backchannel.MaxResponseContentBufferSize = 1024 * 1024 * 10; // 10 MB
@@ -133,7 +133,7 @@ private static HttpMessageHandler ResolveHttpMessageHandler(OpenIdConnectAuthent
                     throw new InvalidOperationException(Resources.Exception_ValidatorHandlerMismatch);
                 }
 
-                webRequestHandler.ServerCertificateValidationCallback = options.BackchannelCertificateValidator.Validate;
+                webRequestHandler.ServerCertificateValidationCallback = options.BackchannelCertificateValidator.Validate; // CodeQL [SM03786] False positive, not disabled by default. Used for testing and extensibility.
             }
 
             return handler;
diff --git a/src/Microsoft.Owin.Security.Twitter/TwitterAuthenticationHandler.cs b/src/Microsoft.Owin.Security.Twitter/TwitterAuthenticationHandler.cs
@@ -359,7 +359,7 @@ private static string GenerateTimeStamp()
 
         private static string ComputeSignature(string consumerSecret, string tokenSecret, string signatureData)
         {
-            using (var algorithm = new HMACSHA1())
+            using (var algorithm = new HMACSHA1()) // CodeQL [SM02200] Required by protocol.
             {
                 algorithm.Key = Encoding.ASCII.GetBytes(
                     string.Format(CultureInfo.InvariantCulture,
diff --git a/src/Microsoft.Owin.Security.Twitter/TwitterAuthenticationMiddleware.cs b/src/Microsoft.Owin.Security.Twitter/TwitterAuthenticationMiddleware.cs
@@ -67,7 +67,7 @@ public TwitterAuthenticationMiddleware(
                 Options.SignInAsAuthenticationType = app.GetDefaultSignInAsAuthenticationType();
             }
 
-            _httpClient = new HttpClient(ResolveHttpMessageHandler(Options));
+            _httpClient = new HttpClient(ResolveHttpMessageHandler(Options)); // CodeQL [SM02185] Enabling certificate revocation would be a breaking change. Customers can enable it.
             _httpClient.Timeout = Options.BackchannelTimeout;
             _httpClient.MaxResponseContentBufferSize = 1024 * 1024 * 10; // 10 MB
             _httpClient.DefaultRequestHeaders.Accept.ParseAdd("*/*");
@@ -100,7 +100,7 @@ private static HttpMessageHandler ResolveHttpMessageHandler(TwitterAuthenticatio
             }
             else if (options.BackchannelCertificateValidator != null)
             {
-                webRequestHandler.ServerCertificateValidationCallback = options.BackchannelCertificateValidator.Validate;
+                webRequestHandler.ServerCertificateValidationCallback = options.BackchannelCertificateValidator.Validate; // CodeQL [SM03786] False positive, not disabled by default. Used for testing and extensibility.
             }
 
             return handler;
diff --git a/src/Microsoft.Owin.Security.WsFederation/WsFederationAuthenticationMiddleware.cs b/src/Microsoft.Owin.Security.WsFederation/WsFederationAuthenticationMiddleware.cs
@@ -71,7 +71,7 @@ public WsFederationAuthenticationMiddleware(OwinMiddleware next, IAppBuilder app
                 }
                 else
                 {
-                    HttpClient httpClient = new HttpClient(ResolveHttpMessageHandler(Options));
+                    HttpClient httpClient = new HttpClient(ResolveHttpMessageHandler(Options)); // CodeQL [SM02185] Enabling certificate revocation would be a breaking change. Customers can enable it.
                     httpClient.Timeout = Options.BackchannelTimeout;
                     httpClient.MaxResponseContentBufferSize = 1024 * 1024 * 10; // 10 MB
                     Options.ConfigurationManager = new ConfigurationManager<WsFederationConfiguration>(Options.MetadataAddress,
@@ -103,7 +103,7 @@ private static HttpMessageHandler ResolveHttpMessageHandler(WsFederationAuthenti
                 {
                     throw new InvalidOperationException(Resources.Exception_ValidatorHandlerMismatch);
                 }
-                webRequestHandler.ServerCertificateValidationCallback = options.BackchannelCertificateValidator.Validate;
+                webRequestHandler.ServerCertificateValidationCallback = options.BackchannelCertificateValidator.Validate; // CodeQL [SM03786] False positive, not disabled by default. Used for testing and extensibility.
             }
 
             return handler;
diff --git a/src/Microsoft.Owin.Security/CertificateSubjectPublicKeyInfoValidator.cs b/src/Microsoft.Owin.Security/CertificateSubjectPublicKeyInfoValidator.cs
@@ -129,7 +129,7 @@ private static byte[] ExtractSpkiBlob(X509Certificate2 certificate)
         [SuppressMessage("Microsoft.Reliability", "CA2000:Dispose objects before losing scope", Justification = "Caller is responsible for disposal.")]
         private HashAlgorithm CreateHashAlgorithm()
         {
-            return _algorithm == SubjectPublicKeyInfoAlgorithm.Sha1 ? (HashAlgorithm)new SHA1CryptoServiceProvider() : new SHA256CryptoServiceProvider();
+            return _algorithm == SubjectPublicKeyInfoAlgorithm.Sha1 ? (HashAlgorithm)new SHA1CryptoServiceProvider() : new SHA256CryptoServiceProvider(); // CodeQL [SM02196] Only used to validate hashes.
         }
     }
 }
diff --git a/src/Microsoft.Owin.Testing/TestServer.cs b/src/Microsoft.Owin.Testing/TestServer.cs
@@ -45,7 +45,7 @@ public HttpMessageHandler Handler
         [SuppressMessage("Microsoft.Reliability", "CA2000:Dispose objects before losing scope", Justification = "Disposed by caller.")]
         public HttpClient HttpClient
         {
-            get { return new HttpClient(Handler) { BaseAddress = BaseAddress }; }
+            get { return new HttpClient(Handler) { BaseAddress = BaseAddress }; } // CodeQL [SM02185] This handler does not do TLS, only in-memory.
         }
 
         /// <summary>

Original file line number	Diff line number	Diff line change
`@@ -193,7 +193,7 @@ public void AppendResponseCookie(IOwinContext context, string key, string value,`
`193`	`193`	`// Normal cookie`
`194`	`194`	`if (!ChunkSize.HasValue \|\| ChunkSize.Value > prefix.Length + escapedValue.Length + suffix.Length + (quoted ? 2 : 0))`
`195`	`195`	`{`
`196`		`- var cookie = new HttpCookie(escapedKey, escapedValue);`
	`196`	`+ var cookie = new HttpCookie(escapedKey, escapedValue); // CodeQL [SM03822] False positive, this is an abstraction and the values are determined elsewhere.`
`197`	`197`	`SetOptions(cookie, options, domainHasValue, pathHasValue, expiresHasValue);`
`198`	`198`
`199`	`199`	`webContext.Response.AppendCookie(cookie);`
Original file line number	Diff line number	Diff line change
`@@ -45,7 +45,7 @@ public WsFedCachingSecurityKeyProvider(string metadataEndpoint, ICertificateVali`
`45`	`45`	`{`
`46`	`46`	`throw new InvalidOperationException(Properties.Resources.Exception_ValidatorHandlerMismatch);`
`47`	`47`	`}`
`48`		`- webRequestHandler.ServerCertificateValidationCallback = backchannelCertificateValidator.Validate;`
	`48`	`+ webRequestHandler.ServerCertificateValidationCallback = backchannelCertificateValidator.Validate; // CodeQL [SM03786] False positive, not disabled by default. Used for testing and extensibility.`
`49`	`49`	`}`
`50`	`50`
`51`	`51`	`RetrieveMetadata();`
Original file line number	Diff line number	Diff line change
`@@ -20,7 +20,7 @@ internal static class WsFedMetadataRetriever`
`20`	`20`
`21`	`21`	`public static IssuerSigningKeys GetSigningKeys(string metadataEndpoint, TimeSpan backchannelTimeout, HttpMessageHandler backchannelHttpHandler)`
`22`	`22`	`{`
`23`		`- using (var metadataRequest = new HttpClient(backchannelHttpHandler, false))`
	`23`	`+ using (var metadataRequest = new HttpClient(backchannelHttpHandler, false))// CodeQL [SM02185] Enabling certificate revocation would be a breaking change. Customers can enable it.`
`24`	`24`	`{`
`25`	`25`	`metadataRequest.Timeout = backchannelTimeout;`
`26`	`26`	`using (HttpResponseMessage metadataResponse = metadataRequest.GetAsync(metadataEndpoint).Result)`
Original file line number	Diff line number	Diff line change
`@@ -61,7 +61,7 @@ public FacebookAuthenticationMiddleware(`
`61`	`61`	`Options.SignInAsAuthenticationType = app.GetDefaultSignInAsAuthenticationType();`
`62`	`62`	`}`
`63`	`63`
`64`		`- _httpClient = new HttpClient(ResolveHttpMessageHandler(Options));`
	`64`	`+ _httpClient = new HttpClient(ResolveHttpMessageHandler(Options)); // CodeQL [SM02185] Enabling certificate revocation would be a breaking change. Customers can enable it.`
`65`	`65`	`_httpClient.Timeout = Options.BackchannelTimeout;`
`66`	`66`	`_httpClient.MaxResponseContentBufferSize = 1024 * 1024 * 10; // 10 MB`
`67`	`67`	`}`
`@@ -89,7 +89,7 @@ private static HttpMessageHandler ResolveHttpMessageHandler(FacebookAuthenticati`
`89`	`89`	`{`
`90`	`90`	`throw new InvalidOperationException(Resources.Exception_ValidatorHandlerMismatch);`
`91`	`91`	`}`
`92`		`- webRequestHandler.ServerCertificateValidationCallback = options.BackchannelCertificateValidator.Validate;`
	`92`	`+ webRequestHandler.ServerCertificateValidationCallback = options.BackchannelCertificateValidator.Validate; // CodeQL [SM03786] False positive, not disabled by default. Used for testing and extensibility.`
`93`	`93`	`}`
`94`	`94`
`95`	`95`	`return handler;`
Original file line number	Diff line number	Diff line change
`@@ -63,7 +63,7 @@ public GoogleOAuth2AuthenticationMiddleware(`
`63`	`63`	`Options.SignInAsAuthenticationType = app.GetDefaultSignInAsAuthenticationType();`
`64`	`64`	`}`
`65`	`65`
`66`		`- _httpClient = new HttpClient(ResolveHttpMessageHandler(Options));`
	`66`	`+ _httpClient = new HttpClient(ResolveHttpMessageHandler(Options)); // CodeQL [SM02185] Enabling certificate revocation would be a breaking change. Customers can enable it.`
`67`	`67`	`_httpClient.Timeout = Options.BackchannelTimeout;`
`68`	`68`	`_httpClient.MaxResponseContentBufferSize = 1024 * 1024 * 10; // 10 MB`
`69`	`69`	`}`
`@@ -91,7 +91,7 @@ private static HttpMessageHandler ResolveHttpMessageHandler(GoogleOAuth2Authenti`
`91`	`91`	`{`
`92`	`92`	`throw new InvalidOperationException(Resources.Exception_ValidatorHandlerMismatch);`
`93`	`93`	`}`
`94`		`- webRequestHandler.ServerCertificateValidationCallback = options.BackchannelCertificateValidator.Validate;`
	`94`	`+ webRequestHandler.ServerCertificateValidationCallback = options.BackchannelCertificateValidator.Validate; // CodeQL [SM03786] False positive, not disabled by default. Used for testing and extensibility.`
`95`	`95`	`}`
`96`	`96`
`97`	`97`	`return handler;`
Original file line number	Diff line number	Diff line change
`@@ -61,7 +61,7 @@ public MicrosoftAccountAuthenticationMiddleware(`
`61`	`61`	`Options.SignInAsAuthenticationType = app.GetDefaultSignInAsAuthenticationType();`
`62`	`62`	`}`
`63`	`63`
`64`		`- _httpClient = new HttpClient(ResolveHttpMessageHandler(Options));`
	`64`	`+ _httpClient = new HttpClient(ResolveHttpMessageHandler(Options)); // CodeQL [SM02185] Enabling certificate revocation would be a breaking change. Customers can enable it.`
`65`	`65`	`_httpClient.Timeout = Options.BackchannelTimeout;`
`66`	`66`	`_httpClient.MaxResponseContentBufferSize = 1024 * 1024 * 10; // 10 MB`
`67`	`67`	`}`
`@@ -89,7 +89,7 @@ private static HttpMessageHandler ResolveHttpMessageHandler(MicrosoftAccountAuth`
`89`	`89`	`{`
`90`	`90`	`throw new InvalidOperationException(Resources.Exception_ValidatorHandlerMismatch);`
`91`	`91`	`}`
`92`		`- webRequestHandler.ServerCertificateValidationCallback = options.BackchannelCertificateValidator.Validate;`
	`92`	`+ webRequestHandler.ServerCertificateValidationCallback = options.BackchannelCertificateValidator.Validate; // CodeQL [SM03786] False positive, not disabled by default. Used for testing and extensibility.`
`93`	`93`	`}`
`94`	`94`
`95`	`95`	`return handler;`
Original file line number	Diff line number	Diff line change
`@@ -69,7 +69,7 @@ public OpenIdConnectAuthenticationMiddleware(OwinMiddleware next, IAppBuilder ap`
`69`	`69`
`70`	`70`	`if (Options.Backchannel == null)`
`71`	`71`	`{`
`72`		`- Options.Backchannel = new HttpClient(ResolveHttpMessageHandler(Options));`
	`72`	`+ Options.Backchannel = new HttpClient(ResolveHttpMessageHandler(Options)); // CodeQL [SM02185] Enabling certificate revocation would be a breaking change. Customers can enable it.`
`73`	`73`	`Options.Backchannel.DefaultRequestHeaders.UserAgent.ParseAdd("Microsoft ASP.NET Core OpenIdConnect middleware");`
`74`	`74`	`Options.Backchannel.Timeout = Options.BackchannelTimeout;`
`75`	`75`	`Options.Backchannel.MaxResponseContentBufferSize = 1024 * 1024 * 10; // 10 MB`
`@@ -133,7 +133,7 @@ private static HttpMessageHandler ResolveHttpMessageHandler(OpenIdConnectAuthent`
`133`	`133`	`throw new InvalidOperationException(Resources.Exception_ValidatorHandlerMismatch);`
`134`	`134`	`}`
`135`	`135`
`136`		`- webRequestHandler.ServerCertificateValidationCallback = options.BackchannelCertificateValidator.Validate;`
	`136`	`+ webRequestHandler.ServerCertificateValidationCallback = options.BackchannelCertificateValidator.Validate; // CodeQL [SM03786] False positive, not disabled by default. Used for testing and extensibility.`
`137`	`137`	`}`
`138`	`138`
`139`	`139`	`return handler;`
Original file line number	Diff line number	Diff line change
`@@ -359,7 +359,7 @@ private static string GenerateTimeStamp()`
`359`	`359`
`360`	`360`	`private static string ComputeSignature(string consumerSecret, string tokenSecret, string signatureData)`
`361`	`361`	`{`
`362`		`- using (var algorithm = new HMACSHA1())`
	`362`	`+ using (var algorithm = new HMACSHA1()) // CodeQL [SM02200] Required by protocol.`
`363`	`363`	`{`
`364`	`364`	`algorithm.Key = Encoding.ASCII.GetBytes(`
`365`	`365`	`string.Format(CultureInfo.InvariantCulture,`
Original file line number	Diff line number	Diff line change
`@@ -67,7 +67,7 @@ public TwitterAuthenticationMiddleware(`
`67`	`67`	`Options.SignInAsAuthenticationType = app.GetDefaultSignInAsAuthenticationType();`
`68`	`68`	`}`
`69`	`69`
`70`		`- _httpClient = new HttpClient(ResolveHttpMessageHandler(Options));`
	`70`	`+ _httpClient = new HttpClient(ResolveHttpMessageHandler(Options)); // CodeQL [SM02185] Enabling certificate revocation would be a breaking change. Customers can enable it.`
`71`	`71`	`_httpClient.Timeout = Options.BackchannelTimeout;`
`72`	`72`	`_httpClient.MaxResponseContentBufferSize = 1024 * 1024 * 10; // 10 MB`
`73`	`73`	`_httpClient.DefaultRequestHeaders.Accept.ParseAdd("/");`
`@@ -100,7 +100,7 @@ private static HttpMessageHandler ResolveHttpMessageHandler(TwitterAuthenticatio`
`100`	`100`	`}`
`101`	`101`	`else if (options.BackchannelCertificateValidator != null)`
`102`	`102`	`{`
`103`		`- webRequestHandler.ServerCertificateValidationCallback = options.BackchannelCertificateValidator.Validate;`
	`103`	`+ webRequestHandler.ServerCertificateValidationCallback = options.BackchannelCertificateValidator.Validate; // CodeQL [SM03786] False positive, not disabled by default. Used for testing and extensibility.`
`104`	`104`	`}`
`105`	`105`
`106`	`106`	`return handler;`