CodeQL suppressions + suppression fixes (#10201)

Author: skofman1

src/NuGetGallery/Controllers/ApiController.cs

@@ -1,4 +1,4 @@
-// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 #pragma warning disable CA3147 // No need to validate Antiforgery Token with API request
@@ -426,8 +426,8 @@ public virtual Task<ActionResult> CreatePackagePut()
         [ApiAuthorize]
         [ApiScopeRequired(NuGetScopes.PackagePush, NuGetScopes.PackagePushVersion)]
         [ActionName("PushPackageApi")]
-        public virtual Task<ActionResult> CreatePackagePost()
         // CodeQL [SM00433] This endpoint uses API Key authentication
+        public virtual Task<ActionResult> CreatePackagePost()
         {
             return CreatePackageInternal();
         }
@@ -969,8 +969,8 @@ await PackageDeleteService.SoftDeletePackagesAsync(
         [ApiAuthorize]
         [ApiScopeRequired(NuGetScopes.PackageUnlist)]
         [ActionName("PublishPackageApi")]
-        public virtual async Task<ActionResult> PublishPackage(string id, string version)
         // CodeQL [SM00433] This endpoint uses API Key authentication
+        public virtual async Task<ActionResult> PublishPackage(string id, string version)
         {
             var package = PackageService.FindPackageByIdAndVersionStrict(id, version);
             if (package == null)

src/NuGetGallery/Controllers/AuthenticationController.cs

@@ -1,4 +1,4 @@
-// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
@@ -479,6 +479,7 @@ public virtual ActionResult AuthenticateExternal(string returnUrl)
                         userOrganizationsWithTenantPolicy.Select(member => member.Organization.Username));
 
                     TempData["WarningMessage"] = string.Format(Strings.ChangeCredential_NotAllowed, orgList);
+                    // CodeQL [SM00405] the return URL is validated to be a relative URL before redirecting using Url.IsLocalUrl.
                     return Redirect(returnUrl);
                 }
             }
@@ -487,6 +488,7 @@ public virtual ActionResult AuthenticateExternal(string returnUrl)
             if (externalAuthProvider == null)
             {
                 TempData["Message"] = Strings.ChangeCredential_ProviderNotFound;
+                // CodeQL [SM00405] the return URL is validated to be a relative URL before redirecting using Url.IsLocalUrl.
                 return Redirect(returnUrl);
             }