From 004d40ee9318adfca4427f24ada2203885b04b3a Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan
Date: Fri, 9 Jan 2026 11:19:00 +0000
Subject: [PATCH] Allow MaD barriers using sink kinds
---
 .../code/csharp/security/dataflow/CodeInjectionQuery.qll | 7 ++++++-
 .../csharp/security/dataflow/CommandInjectionQuery.qll | 7 ++++++-
 .../code/csharp/security/dataflow/LDAPInjectionQuery.qll | 7 ++++++-
 .../code/csharp/security/dataflow/LogForgingQuery.qll | 7 ++++++-
 .../code/csharp/security/dataflow/SqlInjectionQuery.qll | 7 ++++++-
 .../code/csharp/security/dataflow/UrlRedirectQuery.qll | 7 ++++++-
 .../lib/semmle/code/csharp/security/dataflow/XSSQuery.qll | 6 ++++++
 7 files changed, 42 insertions(+), 6 deletions(-)
diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/CodeInjectionQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/CodeInjectionQuery.qll
index 20d5bbe10ca..f567e3cbc02 100644
--- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/CodeInjectionQuery.qll
+++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/CodeInjectionQuery.qll
@@ -95,7 +95,12 @@ class RoslynCSharpScriptSink extends Sink {
   }
 }
 
-/** Code injection sinks defined through CSV models. */
+/** A code injection sink defined through Models as Data. */
 private class ExternalCodeInjectionExprSink extends Sink {
   ExternalCodeInjectionExprSink() { sinkNode(this, "code-injection") }
 }
+
+/** A sanitizer for code injection defined through Models as Data. */
+private class ExternalCodeInjectionSanitizer extends Sanitizer {
+  ExternalCodeInjectionSanitizer() { barrierNode(this, "code-injection") }
+}
diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/CommandInjectionQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/CommandInjectionQuery.qll
index 9528676af8e..b8c37d602b9 100644
--- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/CommandInjectionQuery.qll
+++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/CommandInjectionQuery.qll
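Review bot: The new `ExternalCodeInjectionSanitizer` is not exercised by anything in this patch: the diffstat lists only the seven library files, so no query test checks that a Models as Data barrier of kind `code-injection` actually removes a result, and no change note tells model authors that sink kinds are now accepted as barrier kinds. A barrier removes every flow through that node for each query using the kind, so an over-broad model silently hides real findings rather than producing a visible false positive; one positive and one negative test case per kind would pin the intended semantics. The doc comment could also say what the class matches, e.g. `/** A sanitizer for code injection defined through Models as Data: a node that a model marks as a barrier for the code-injection kind. */`. The same applies to the sanitizers added in the CommandInjection, LDAPInjection, LogForging, SqlInjection, UrlRedirect and XSS hunks.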
@@ -61,11 +61,16 @@ deprecated class RemoteSource extends DataFlow::Node instanceof RemoteFlowSource
 /** A source supported by the current threat model. */
 class ThreatModelSource extends Source instanceof ActiveThreatModelSource { }
 
-/** Command Injection sinks defined through Models as Data. */
+/** A Command Injection sink defined through Models as Data. */
 private class ExternalCommandInjectionExprSink extends Sink {
   ExternalCommandInjectionExprSink() { sinkNode(this, "command-injection") }
 }
 
+/** A sanitizer for command injection defined through Models as Data. */
+private class ExternalCommandInjectionSanitizer extends Sanitizer {
+  ExternalCommandInjectionSanitizer() { barrierNode(this, "command-injection") }
+}
+
 /**
  * A sink in `System.Diagnostic.Process` or its related classes.
  */
diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/LDAPInjectionQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/LDAPInjectionQuery.qll
index c2e25f0e522..06bfac6c545 100644
--- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/LDAPInjectionQuery.qll
+++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/LDAPInjectionQuery.qll
@@ -64,11 +64,16 @@ deprecated class RemoteSource extends DataFlow::Node instanceof RemoteFlowSource
 /** A source supported by the current threat model. */
 class ThreatModelSource extends Source instanceof ActiveThreatModelSource { }
 
-/** LDAP sinks defined through Models as Data. */
+/** An LDAP sink defined through Models as Data. */
 private class ExternalLdapExprSink extends Sink {
   ExternalLdapExprSink() { sinkNode(this, "ldap-injection") }
 }
 
+/** A sanitizer for LDAP injection defined through Models as Data. */
+private class ExternalLdapInjectionSanitizer extends Sanitizer {
+  ExternalLdapInjectionSanitizer() { barrierNode(this, "ldap-injection") }
+}
+
 /**
  * An argument that sets the `Path` property of a `DirectoryEntry` object that is a sink for LDAP
  * injection.
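Review bot: In the LDAPInjection hunk the new sanitizer is named `ExternalLdapInjectionSanitizer` while the sink it pairs with, three lines above, is `ExternalLdapExprSink`; the CommandInjection hunk keeps one stem for the pair (`ExternalCommandInjectionExprSink` / `ExternalCommandInjectionSanitizer`), so `private class ExternalLdapSanitizer extends Sanitizer {` would match the local convention. The same drift appears in the LogForging hunk, where `ExternalLoggingExprSink` sits next to `ExternalLogForgingSanitizer`. Both classes are private, so the rename stays within the file.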
diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/LogForgingQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/LogForgingQuery.qll
index e06e728514d..22023ebc409 100644
--- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/LogForgingQuery.qll
+++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/LogForgingQuery.qll
@@ -61,11 +61,16 @@ private class LogForgingLogMessageSink extends Sink, LogMessageSink { }
  */
 private class LogForgingTraceMessageSink extends Sink, TraceMessageSink { }
 
-/** Log Forging sinks defined through Models as Data. */
+/** A Log Forging sink defined through Models as Data. */
 private class ExternalLoggingExprSink extends Sink {
   ExternalLoggingExprSink() { sinkNode(this, "log-injection") }
 }
 
+/** A sanitizer for log forging defined through Models as Data. */
+private class ExternalLogForgingSanitizer extends Sanitizer {
+  ExternalLogForgingSanitizer() { barrierNode(this, "log-injection") }
+}
+
 /**
  * A call to String replace or remove that is considered to sanitize replaced string.
  */
diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/SqlInjectionQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/SqlInjectionQuery.qll
index 510b0381143..addc1932177 100644
--- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/SqlInjectionQuery.qll
+++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/SqlInjectionQuery.qll
@@ -74,11 +74,16 @@ class SqlInjectionExprSink extends Sink {
   SqlInjectionExprSink() { exists(SqlExpr s | this.getExpr() = s.getSql()) }
 }
 
-/** SQL sinks defined through CSV models. */
+/** An SQL sink defined through CSV models. */
 private class ExternalSqlInjectionExprSink extends Sink {
   ExternalSqlInjectionExprSink() { sinkNode(this, "sql-injection") }
 }
 
+/** A sanitizer for SQL injection defined through Models as Data. */
+private class ExternalSqlInjectionSanitizer extends Sanitizer {
+  ExternalSqlInjectionSanitizer() { barrierNode(this, "sql-injection") }
+}
+
 private class SimpleTypeSanitizer extends Sanitizer, SimpleTypeSanitizedExpr { }
 
 private class GuidSanitizer extends Sanitizer, GuidSanitizedExpr { }
diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/UrlRedirectQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/UrlRedirectQuery.qll
index 15ba99aedf0..20a64e61d81 100644
--- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/UrlRedirectQuery.qll
+++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/UrlRedirectQuery.qll
@@ -56,11 +56,16 @@ deprecated class RemoteSource extends DataFlow::Node instanceof RemoteFlowSource
 /** A source supported by the current threat model. */
 class ThreatModelSource extends Source instanceof ActiveThreatModelSource { }
 
-/** URL Redirection sinks defined through Models as Data. */
+/** A URL Redirection sink defined through Models as Data. */
 private class ExternalUrlRedirectExprSink extends Sink {
   ExternalUrlRedirectExprSink() { sinkNode(this, "url-redirection") }
 }
 
+/** A sanitizer for URL redirection defined through Models as Data. */
+private class ExternalUrlRedirectSanitizer extends Sanitizer {
+  ExternalUrlRedirectSanitizer() { barrierNode(this, "url-redirection") }
+}
+
 /**
  * A URL argument to a call to `HttpResponse.Redirect()` or `Controller.Redirect()`, that is a
  * sink for URL redirects.
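Review bot: The rewritten sink comment in the SqlInjection hunk still says `defined through CSV models` while the sanitizer added four lines below says `defined through Models as Data`, and the CodeInjection hunk of this same patch replaces the identical phrase with the newer term; suggest `/** An SQL sink defined through Models as Data. */` so one name is used for the mechanism within the file. The UrlRedirect hunk already uses the newer wording for both classes.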
diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/XSSQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/XSSQuery.qll
index 2d687b51d67..b084905ddad 100644
--- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/XSSQuery.qll
+++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/XSSQuery.qll
@@ -7,6 +7,7 @@ import csharp
 private import XSSSinks
 private import semmle.code.csharp.security.Sanitizers
 private import semmle.code.csharp.security.dataflow.flowsources.FlowSources
+private import semmle.code.csharp.dataflow.internal.ExternalFlow
 
 /**
  * Holds if there is tainted flow from `source` to `sink` that may lead to a
@@ -169,6 +170,11 @@ private class SimpleTypeSanitizer extends Sanitizer, SimpleTypeSanitizedExpr { }
 
 private class GuidSanitizer extends Sanitizer, GuidSanitizedExpr { }
 
+/** A sanitizer for XSS defined through Models as Data. */
+private class ExternalXssSanitizer extends Sanitizer {
+  ExternalXssSanitizer() { barrierNode(this, ["html-injection", "js-injection"]) }
+}
+
 /** A call to an HTML encoder. */
 private class HtmlEncodeSanitizer extends Sanitizer {
   HtmlEncodeSanitizer() { this.getExpr() instanceof HtmlSanitizedExpr }
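Review bot: `ExternalXssSanitizer` accepts a node as a barrier when a model marks it for either `html-injection` or `js-injection`, so a barrier modelled only for `html-injection` (an HTML encoder, for instance) also cuts flow to a sink of the `js-injection` kind, where HTML encoding does not neutralise the payload; if this query reports sinks of both kinds, the effect is a silent false negative rather than a noisy false positive. Whether the sinks imported from XSSSinks carry both kinds is not visible in this patch, so this is worth confirming before merging. If sharing one sanitizer across both kinds is deliberate, the doc comment should say so, e.g. `/** A sanitizer for XSS defined through Models as Data; matches a barrier modelled for either the html-injection or the js-injection kind. */`; if not, the barrier needs to be tied to the kind of the sink it protects, which is a change to the flow configuration outside this hunk.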