C#: Deprecate experimental queries and libraries.

Michael Nebel
2024-11-08 09:41:45 +01:00
parent ab9ab0e22f
commit 00de19ce13
20 changed files with 295 additions and 235 deletions


@@ -15,10 +15,16 @@
*/
import csharp
import TaintedWebClientLib
import TaintedWebClient::PathGraph
deprecated import TaintedWebClientLib
deprecated import TaintedWebClient::PathGraph
from TaintedWebClient::PathNode source, TaintedWebClient::PathNode sink
where TaintedWebClient::flowPath(source, sink)
select sink.getNode(), source, sink, "A method of WebClient depepends on a $@.", source.getNode(),
"user-provided value"
deprecated query predicate problems(
DataFlow::Node sinkNode, TaintedWebClient::PathNode source, TaintedWebClient::PathNode sink,
string message1, DataFlow::Node sourceNode, string message2
) {
TaintedWebClient::flowPath(source, sink) and
sinkNode = sink.getNode() and
message1 = "A method of WebClient depepends on a $@." and
sourceNode = source.getNode() and
message2 = "user-provided value"
}
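Review bot: The alert text in the new `problems` predicate still reads `depepends`; since the string is being rewritten here anyway, `message1 = "A method of WebClient depends on a $@." and` would fix the typo. The same kind of slip is carried over in the `UnsafeXmlSerializerImplementation` message further down the page (`Defining an serializable class`). Either fix changes the emitted alert text, so any expected-output files for these queries would presumably need regenerating.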


@@ -1,3 +1,5 @@
deprecated module;
import csharp
import semmle.code.csharp.frameworks.system.Net
import semmle.code.csharp.frameworks.System


@@ -11,10 +11,16 @@
*/
import csharp
import RequestForgery::RequestForgery
import RequestForgeryFlow::PathGraph
deprecated import RequestForgery::RequestForgery
deprecated import RequestForgeryFlow::PathGraph
from RequestForgeryFlow::PathNode source, RequestForgeryFlow::PathNode sink
where RequestForgeryFlow::flowPath(source, sink)
select sink.getNode(), source, sink, "The URL of this request depends on a $@.", source.getNode(),
"user-provided value"
deprecated query predicate problems(
DataFlow::Node sinkNode, RequestForgeryFlow::PathNode source, RequestForgeryFlow::PathNode sink,
string message1, DataFlow::Node sourceNode, string message2
) {
RequestForgeryFlow::flowPath(source, sink) and
sinkNode = sink.getNode() and
message1 = "The URL of this request depends on a $@." and
sourceNode = source.getNode() and
message2 = "user-provided value"
}
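Review bot: The `deprecated query predicate problems` has no QLDoc in front of it, so someone who relied on this request-forgery check gets a deprecation warning with no hint of why it went away or what now covers the same risk. A one-line comment above the predicate such as `/** DEPRECATED: <replacement query id, or reason for removal>. */` would carry that. The other `problems` predicates added on this page are in the same position. The placeholder is deliberate, because the replacement is not visible here.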


@@ -1,3 +1,5 @@
deprecated module;
import csharp
module RequestForgery {


@@ -17,89 +17,91 @@ import csharp
import semmle.code.asp.WebConfig
import semmle.code.csharp.frameworks.system.Web
import semmle.code.csharp.frameworks.microsoft.AspNetCore
import experimental.dataflow.flowsources.AuthCookie
deprecated import experimental.dataflow.flowsources.AuthCookie
from Expr httpOnlySink
where
exists(Assignment a, Expr val |
httpOnlySink = a.getRValue() and
val.getValue() = "false" and
(
exists(ObjectCreation oc |
getAValueForProp(oc, a, "HttpOnly") = val and
(
deprecated query predicate problems(Expr httpOnlySink, string message) {
(
exists(Assignment a, Expr val |
httpOnlySink = a.getRValue() and
val.getValue() = "false" and
(
exists(ObjectCreation oc |
getAValueForProp(oc, a, "HttpOnly") = val and
(
oc.getType() instanceof SystemWebHttpCookie and
isCookieWithSensitiveName(oc.getArgument(0))
or
exists(MethodCall mc, MicrosoftAspNetCoreHttpResponseCookies iResponse |
oc.getType() instanceof MicrosoftAspNetCoreHttpCookieOptions and
iResponse.getAppendMethod() = mc.getTarget() and
isCookieWithSensitiveName(mc.getArgument(0)) and
// there is no callback `OnAppendCookie` that sets `HttpOnly` to true
not OnAppendCookieHttpOnlyTracking::flowTo(_) and
// Passed as third argument to `IResponseCookies.Append`
exists(DataFlow::Node creation, DataFlow::Node append |
CookieOptionsTracking::flow(creation, append) and
creation.asExpr() = oc and
append.asExpr() = mc.getArgument(2)
)
)
)
)
or
exists(PropertyWrite pw |
(
pw.getProperty().getDeclaringType() instanceof MicrosoftAspNetCoreHttpCookieBuilder or
pw.getProperty().getDeclaringType() instanceof
MicrosoftAspNetCoreAuthenticationCookiesCookieAuthenticationOptions
) and
pw.getProperty().getName() = "HttpOnly" and
a.getLValue() = pw and
DataFlow::localExprFlow(val, a.getRValue())
)
)
)
or
exists(Call c |
httpOnlySink = c and
(
exists(MicrosoftAspNetCoreHttpResponseCookies iResponse, MethodCall mc |
// default is not configured or is not set to `Always`
not getAValueForCookiePolicyProp("HttpOnly").getValue() = "1" and
// there is no callback `OnAppendCookie` that sets `HttpOnly` to true
not OnAppendCookieHttpOnlyTracking::flowTo(_) and
iResponse.getAppendMethod() = mc.getTarget() and
isCookieWithSensitiveName(mc.getArgument(0)) and
(
// `HttpOnly` property in `CookieOptions` passed to IResponseCookies.Append(...) wasn't set
exists(ObjectCreation oc |
oc = c and
oc.getType() instanceof MicrosoftAspNetCoreHttpCookieOptions and
not isPropertySet(oc, "HttpOnly") and
exists(DataFlow::Node creation |
CookieOptionsTracking::flow(creation, _) and
creation.asExpr() = oc
)
)
or
// IResponseCookies.Append(String, String) was called, `HttpOnly` is set to `false` by default
mc = c and
mc.getNumberOfArguments() < 3
)
)
or
exists(ObjectCreation oc |
oc = c and
oc.getType() instanceof SystemWebHttpCookie and
isCookieWithSensitiveName(oc.getArgument(0))
or
exists(MethodCall mc, MicrosoftAspNetCoreHttpResponseCookies iResponse |
oc.getType() instanceof MicrosoftAspNetCoreHttpCookieOptions and
iResponse.getAppendMethod() = mc.getTarget() and
isCookieWithSensitiveName(mc.getArgument(0)) and
// there is no callback `OnAppendCookie` that sets `HttpOnly` to true
not OnAppendCookieHttpOnlyTracking::flowTo(_) and
// Passed as third argument to `IResponseCookies.Append`
exists(DataFlow::Node creation, DataFlow::Node append |
CookieOptionsTracking::flow(creation, append) and
creation.asExpr() = oc and
append.asExpr() = mc.getArgument(2)
)
isCookieWithSensitiveName(oc.getArgument(0)) and
// the property wasn't explicitly set, so a default value from config is used
not isPropertySet(oc, "HttpOnly") and
// the default in config is not set to `true`
not exists(XmlElement element |
element instanceof HttpCookiesElement and
element.(HttpCookiesElement).isHttpOnlyCookies()
)
)
)
or
exists(PropertyWrite pw |
(
pw.getProperty().getDeclaringType() instanceof MicrosoftAspNetCoreHttpCookieBuilder or
pw.getProperty().getDeclaringType() instanceof
MicrosoftAspNetCoreAuthenticationCookiesCookieAuthenticationOptions
) and
pw.getProperty().getName() = "HttpOnly" and
a.getLValue() = pw and
DataFlow::localExprFlow(val, a.getRValue())
)
)
)
or
exists(Call c |
httpOnlySink = c and
(
exists(MicrosoftAspNetCoreHttpResponseCookies iResponse, MethodCall mc |
// default is not configured or is not set to `Always`
not getAValueForCookiePolicyProp("HttpOnly").getValue() = "1" and
// there is no callback `OnAppendCookie` that sets `HttpOnly` to true
not OnAppendCookieHttpOnlyTracking::flowTo(_) and
iResponse.getAppendMethod() = mc.getTarget() and
isCookieWithSensitiveName(mc.getArgument(0)) and
(
// `HttpOnly` property in `CookieOptions` passed to IResponseCookies.Append(...) wasn't set
exists(ObjectCreation oc |
oc = c and
oc.getType() instanceof MicrosoftAspNetCoreHttpCookieOptions and
not isPropertySet(oc, "HttpOnly") and
exists(DataFlow::Node creation |
CookieOptionsTracking::flow(creation, _) and
creation.asExpr() = oc
)
)
or
// IResponseCookies.Append(String, String) was called, `HttpOnly` is set to `false` by default
mc = c and
mc.getNumberOfArguments() < 3
)
)
or
exists(ObjectCreation oc |
oc = c and
oc.getType() instanceof SystemWebHttpCookie and
isCookieWithSensitiveName(oc.getArgument(0)) and
// the property wasn't explicitly set, so a default value from config is used
not isPropertySet(oc, "HttpOnly") and
// the default in config is not set to `true`
not exists(XmlElement element |
element instanceof HttpCookiesElement and
element.(HttpCookiesElement).isHttpOnlyCookies()
)
)
)
)
select httpOnlySink, "Cookie attribute 'HttpOnly' is not set to true."
) and
message = "Cookie attribute 'HttpOnly' is not set to true."
}
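Review bot: `not OnAppendCookieHttpOnlyTracking::flowTo(_)` is carried into the new predicate unchanged, and it shares no variable with the `mc` or `oc` being examined. As written, a single `OnAppendCookie` callback anywhere in the analysed code appears to switch off every result from those branches. If that coarse suppression is intended, a comment next to the first occurrence would say so, for example `// global check: any OnAppendCookie callback setting HttpOnly suppresses all Append results`. The `Secure` query later on the page uses `OnAppendCookieSecureTracking::flowTo(_)` the same way.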


@@ -68,15 +68,14 @@ predicate isExprAnAccessToSafeClientSideEncryptionVersionValue(Expr e) {
)
}
from Expr e, Class c, Assembly asm
where
asm = c.getLocation() and
(
deprecated query predicate problems(Expr e, string message) {
exists(Class c, Assembly asm | asm = c.getLocation() |
exists(Expr e2 |
isCreatingAzureClientSideEncryptionObject(e, c, e2) and
not isObjectCreationArgumentSafeAndUsingSafeVersionOfAssembly(e2, asm)
)
or
isCreatingOutdatedAzureClientSideEncryptionObject(e, c)
)
select e, "Unsafe usage of v1 version of Azure Storage client-side encryption."
) and
message = "Unsafe usage of v1 version of Azure Storage client-side encryption."
}


@@ -17,89 +17,91 @@ import csharp
import semmle.code.asp.WebConfig
import semmle.code.csharp.frameworks.system.Web
import semmle.code.csharp.frameworks.microsoft.AspNetCore
import experimental.dataflow.flowsources.AuthCookie
deprecated import experimental.dataflow.flowsources.AuthCookie
from Expr secureSink
where
exists(Call c |
secureSink = c and
(
// default is not configured or is not set to `Always` or `SameAsRequest`
not (
getAValueForCookiePolicyProp("Secure").getValue() = "0" or
getAValueForCookiePolicyProp("Secure").getValue() = "1"
) and
// there is no callback `OnAppendCookie` that sets `Secure` to true
not OnAppendCookieSecureTracking::flowTo(_) and
deprecated query predicate problems(Expr secureSink, string message) {
(
exists(Call c |
secureSink = c and
(
// `Secure` property in `CookieOptions` passed to IResponseCookies.Append(...) wasn't set
exists(ObjectCreation oc |
oc = c and
oc.getType() instanceof MicrosoftAspNetCoreHttpCookieOptions and
not isPropertySet(oc, "Secure") and
exists(DataFlow::Node creation |
CookieOptionsTracking::flow(creation, _) and
creation.asExpr() = oc
// default is not configured or is not set to `Always` or `SameAsRequest`
not (
getAValueForCookiePolicyProp("Secure").getValue() = "0" or
getAValueForCookiePolicyProp("Secure").getValue() = "1"
) and
// there is no callback `OnAppendCookie` that sets `Secure` to true
not OnAppendCookieSecureTracking::flowTo(_) and
(
// `Secure` property in `CookieOptions` passed to IResponseCookies.Append(...) wasn't set
exists(ObjectCreation oc |
oc = c and
oc.getType() instanceof MicrosoftAspNetCoreHttpCookieOptions and
not isPropertySet(oc, "Secure") and
exists(DataFlow::Node creation |
CookieOptionsTracking::flow(creation, _) and
creation.asExpr() = oc
)
)
or
// IResponseCookies.Append(String, String) was called, `Secure` is set to `false` by default
exists(MethodCall mc, MicrosoftAspNetCoreHttpResponseCookies iResponse |
mc = c and
iResponse.getAppendMethod() = mc.getTarget() and
mc.getNumberOfArguments() < 3
)
)
or
// IResponseCookies.Append(String, String) was called, `Secure` is set to `false` by default
exists(MethodCall mc, MicrosoftAspNetCoreHttpResponseCookies iResponse |
mc = c and
iResponse.getAppendMethod() = mc.getTarget() and
mc.getNumberOfArguments() < 3
)
)
or
exists(ObjectCreation oc |
oc = c and
oc.getType() instanceof SystemWebHttpCookie and
// the property wasn't explicitly set, so a default value from config is used
not isPropertySet(oc, "Secure") and
// the default in config is not set to `true`
// the `exists` below covers the `cs/web/requiressl-not-set`
not exists(XmlElement element |
element instanceof FormsElement and
element.(FormsElement).isRequireSsl()
or
element instanceof HttpCookiesElement and
element.(HttpCookiesElement).isRequireSsl()
)
)
)
)
or
exists(Assignment a, Expr val |
secureSink = a.getRValue() and
(
exists(ObjectCreation oc |
getAValueForProp(oc, a, "Secure") = val and
val.getValue() = "false" and
(
oc.getType() instanceof SystemWebHttpCookie
or
oc.getType() instanceof MicrosoftAspNetCoreHttpCookieOptions and
// there is no callback `OnAppendCookie` that sets `Secure` to true
not OnAppendCookieSecureTracking::flowTo(_) and
// the cookie option is passed to `Append`
exists(DataFlow::Node creation |
CookieOptionsTracking::flow(creation, _) and
creation.asExpr() = oc
exists(ObjectCreation oc |
oc = c and
oc.getType() instanceof SystemWebHttpCookie and
// the property wasn't explicitly set, so a default value from config is used
not isPropertySet(oc, "Secure") and
// the default in config is not set to `true`
// the `exists` below covers the `cs/web/requiressl-not-set`
not exists(XmlElement element |
element instanceof FormsElement and
element.(FormsElement).isRequireSsl()
or
element instanceof HttpCookiesElement and
element.(HttpCookiesElement).isRequireSsl()
)
)
)
or
exists(PropertyWrite pw |
(
pw.getProperty().getDeclaringType() instanceof MicrosoftAspNetCoreHttpCookieBuilder or
pw.getProperty().getDeclaringType() instanceof
MicrosoftAspNetCoreAuthenticationCookiesCookieAuthenticationOptions
) and
pw.getProperty().getName() = "SecurePolicy" and
a.getLValue() = pw and
DataFlow::localExprFlow(val, a.getRValue()) and
val.getValue() = "2" // None
)
or
exists(Assignment a, Expr val |
secureSink = a.getRValue() and
(
exists(ObjectCreation oc |
getAValueForProp(oc, a, "Secure") = val and
val.getValue() = "false" and
(
oc.getType() instanceof SystemWebHttpCookie
or
oc.getType() instanceof MicrosoftAspNetCoreHttpCookieOptions and
// there is no callback `OnAppendCookie` that sets `Secure` to true
not OnAppendCookieSecureTracking::flowTo(_) and
// the cookie option is passed to `Append`
exists(DataFlow::Node creation |
CookieOptionsTracking::flow(creation, _) and
creation.asExpr() = oc
)
)
)
or
exists(PropertyWrite pw |
(
pw.getProperty().getDeclaringType() instanceof MicrosoftAspNetCoreHttpCookieBuilder or
pw.getProperty().getDeclaringType() instanceof
MicrosoftAspNetCoreAuthenticationCookiesCookieAuthenticationOptions
) and
pw.getProperty().getName() = "SecurePolicy" and
a.getLValue() = pw and
DataFlow::localExprFlow(val, a.getRValue()) and
val.getValue() = "2" // None
)
)
)
)
select secureSink, "Cookie attribute 'Secure' is not set to true."
) and
message = "Cookie attribute 'Secure' is not set to true."
}


@@ -192,7 +192,13 @@ module HashWithoutSaltConfig implements DataFlow::ConfigSig {
module HashWithoutSalt = TaintTracking::Global<HashWithoutSaltConfig>;
from HashWithoutSalt::PathNode source, HashWithoutSalt::PathNode sink
where HashWithoutSalt::flowPath(source, sink)
select sink.getNode(), source, sink, "$@ is hashed without a salt.", source.getNode(),
"The password"
deprecated query predicate problems(
DataFlow::Node sinkNode, HashWithoutSalt::PathNode source, HashWithoutSalt::PathNode sink,
string message, DataFlow::Node sourceNode, string password
) {
sinkNode = sink.getNode() and
sourceNode = source.getNode() and
HashWithoutSalt::flowPath(source, sink) and
message = "$@ is hashed without a salt." and
password = "The password"
}
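Review bot: The last column of `problems` is named `password`, but it holds the link label `"The password"` rather than a password value. The sibling predicates on this page call that column `message2` or `sourceMessage`. Renaming it, with `string message, DataFlow::Node sourceNode, string sourceMessage` in the signature and `sourceMessage = "The password"` in the body, keeps readers from taking it for tracked data. The file's earlier definitions, including `HashWithoutSaltConfig`, start above the hunk.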


@@ -1,3 +1,5 @@
deprecated module;
import csharp
import DataFlow


@@ -14,11 +14,17 @@
import csharp
import DataFlow
import JsonWebTokenHandlerLib
deprecated import JsonWebTokenHandlerLib
import semmle.code.csharp.commons.QualifiedName
from TokenValidationParametersProperty p, CallableAlwaysReturnsTrue e, string qualifier, string name
where e = p.getAnAssignedValue() and p.hasFullyQualifiedName(qualifier, name)
select e,
"JsonWebTokenHandler security-sensitive property $@ is being delegated to this callable that always returns \"true\".",
p, getQualifiedName(qualifier, name)
deprecated query predicate problems(
CallableAlwaysReturnsTrue e, string message, TokenValidationParametersProperty p,
string fullyQualifiedName
) {
exists(string qualifier, string name | p.hasFullyQualifiedName(qualifier, name) |
fullyQualifiedName = getQualifiedName(qualifier, name)
) and
e = p.getAnAssignedValue() and
message =
"JsonWebTokenHandler security-sensitive property $@ is being delegated to this callable that always returns \"true\"."
}


@@ -12,15 +12,18 @@
*/
import csharp
import JsonWebTokenHandlerLib
deprecated import JsonWebTokenHandlerLib
import semmle.code.csharp.commons.QualifiedName
from
DataFlow::Node source, DataFlow::Node sink,
TokenValidationParametersPropertySensitiveValidation pw, string qualifier, string name
where
deprecated query predicate problems(
DataFlow::Node sink, string message, TokenValidationParametersPropertySensitiveValidation pw,
string fullyQualifiedName, DataFlow::Node source, string value
) {
FalseValueFlowsToTokenValidationParametersPropertyWriteToBypassValidation::flow(source, sink) and
sink.asExpr() = pw.getAnAssignedValue() and
pw.hasFullyQualifiedName(qualifier, name)
select sink, "The security sensitive property $@ is being disabled by the following value: $@.", pw,
getQualifiedName(qualifier, name), source, "false"
exists(string qualifier, string name | pw.hasFullyQualifiedName(qualifier, name) |
fullyQualifiedName = getQualifiedName(qualifier, name)
) and
message = "The security sensitive property $@ is being disabled by the following value: $@." and
value = "false"
}


@@ -3,6 +3,7 @@
*
* Please visit https://go.microsoft.com/fwlink/?linkid=2132227 for details.
*/
deprecated module;
import csharp


@@ -9,9 +9,10 @@
*/
import csharp
import DataSetSerialization
deprecated import DataSetSerialization
from DataSetOrTableRelatedClass dstc
where dstc.fromSource()
select dstc,
"Defining a class that inherits or has a property derived from the obsolete DataSet or DataTable types. Please visit https://go.microsoft.com/fwlink/?linkid=2132227 for details."
deprecated query predicate problems(DataSetOrTableRelatedClass dstc, string message) {
dstc.fromSource() and
message =
"Defining a class that inherits or has a property derived from the obsolete DataSet or DataTable types. Please visit https://go.microsoft.com/fwlink/?linkid=2132227 for details."
}


@@ -10,12 +10,17 @@
*/
import csharp
import DataSetSerialization
deprecated import DataSetSerialization
from UnsafeXmlSerializerImplementation c, Member m
where
deprecated query predicate problems(
Member m, string message, UnsafeXmlSerializerImplementation c, string classMessage, Member member,
string memberMessage
) {
c.fromSource() and
isClassUnsafeXmlSerializerImplementation(c, m)
select m,
"Defining an serializable class $@ that has member $@ of a type that is derived from DataSet or DataTable types and may lead to a security problem. Please visit https://go.microsoft.com/fwlink/?linkid=2132227 for details.",
c, c.toString(), m, m.toString()
isClassUnsafeXmlSerializerImplementation(c, m) and
message =
"Defining an serializable class $@ that has member $@ of a type that is derived from DataSet or DataTable types and may lead to a security problem. Please visit https://go.microsoft.com/fwlink/?linkid=2132227 for details." and
classMessage = c.toString() and
member = m and
memberMessage = m.toString()
}


@@ -10,7 +10,7 @@
*/
import csharp
import DataSetSerialization
deprecated import DataSetSerialization
predicate xmlSerializerConstructorArgument(Expr e) {
exists(ObjectCreation oc, Constructor c | e = oc.getArgument(0) |
@@ -21,7 +21,7 @@ predicate xmlSerializerConstructorArgument(Expr e) {
)
}
predicate unsafeDataContractTypeCreation(Expr e) {
deprecated predicate unsafeDataContractTypeCreation(Expr e) {
exists(MethodCall gt |
gt.getTarget().getName() = "GetType" and
e = gt and
@@ -31,16 +31,20 @@ predicate unsafeDataContractTypeCreation(Expr e) {
e.(TypeofExpr).getTypeAccess().getTarget() instanceof DataSetOrTableRelatedClass
}
module FlowToDataSerializerConstructorConfig implements DataFlow::ConfigSig {
deprecated module FlowToDataSerializerConstructorConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node node) { unsafeDataContractTypeCreation(node.asExpr()) }
predicate isSink(DataFlow::Node node) { xmlSerializerConstructorArgument(node.asExpr()) }
}
module FlowToDataSerializerConstructor = DataFlow::Global<FlowToDataSerializerConstructorConfig>;
deprecated module FlowToDataSerializerConstructor =
DataFlow::Global<FlowToDataSerializerConstructorConfig>;
from DataFlow::Node source, DataFlow::Node sink
where FlowToDataSerializerConstructor::flow(source, sink)
select sink,
"Unsafe type is used in data contract serializer. Make sure $@ comes from the trusted source.",
source, source.toString()
deprecated query predicate problems(
DataFlow::Node sink, string message, DataFlow::Node source, string sourceMessage
) {
FlowToDataSerializerConstructor::flow(source, sink) and
message =
"Unsafe type is used in data contract serializer. Make sure $@ comes from the trusted source." and
sourceMessage = source.toString()
}


@@ -10,8 +10,10 @@
*/
import csharp
import DataSetSerialization
deprecated import DataSetSerialization
from UnsafeXmlReadMethodCall mc
select mc,
"Making an XML deserialization call with a type derived from DataSet or DataTable types and may lead to a security problem. Please visit https://go.microsoft.com/fwlink/?linkid=2132227 for details."
deprecated query predicate problems(UnsafeXmlReadMethodCall mc, string message) {
message =
"Making an XML deserialization call with a type derived from DataSet or DataTable types and may lead to a security problem. Please visit https://go.microsoft.com/fwlink/?linkid=2132227 for details." and
exists(mc)
}
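Review bot: `exists(mc)` in the new predicate reads like a leftover. It seems to be there only so that `mc` is mentioned in the body, since the old query had no `where` clause. A short comment would make that explicit, for example `// no further constraint: every UnsafeXmlReadMethodCall is reported`.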


@@ -48,8 +48,8 @@ predicate isExternMethod(Method externMethod) {
SystemRuntimeInteropServicesComImportAttributeClass
}
from MethodCall mc
where
deprecated query predicate problems(MethodCall mc, string message) {
isExternMethod(mc.getTarget()) and
isDangerousMethod(mc.getTarget())
select mc, "Call to an external method '" + mc.getTarget().getName() + "'."
isDangerousMethod(mc.getTarget()) and
message = "Call to an external method '" + mc.getTarget().getName() + "'."
}


@@ -174,13 +174,16 @@ predicate isPotentialTimeBomb(
)
}
from
Flow::PathNode source, Flow::PathNode sink, Call getLastWriteTimeMethodCall,
Call timeArithmeticCall, Call timeComparisonCall, SelectionStmt selStatement
where
deprecated query predicate problems(
SelectionStmt selStatement, Flow::PathNode source, Flow::PathNode sink, string message,
Call timeComparisonCall, string timeComparisonCallString, Call timeArithmeticCall, string offset,
Call getLastWriteTimeMethodCall, string lastWriteTimeMethodCallMessage
) {
isPotentialTimeBomb(source, sink, getLastWriteTimeMethodCall, timeArithmeticCall,
timeComparisonCall, selStatement)
select selStatement, source, sink,
"Possible TimeBomb logic triggered by an $@ that takes into account $@ from the $@ as part of the potential trigger.",
timeComparisonCall, timeComparisonCall.toString(), timeArithmeticCall, "offset",
getLastWriteTimeMethodCall, "last modification time of a file"
timeComparisonCall, selStatement) and
message =
"Possible TimeBomb logic triggered by an $@ that takes into account $@ from the $@ as part of the potential trigger." and
timeComparisonCallString = timeComparisonCall.toString() and
offset = "offset" and
lastWriteTimeMethodCallMessage = "last modification time of a file"
}


@@ -42,8 +42,15 @@ predicate isSuspiciousPropertyName(PropertyRead pr) {
pr.getTarget().hasFullyQualifiedName("System.Diagnostics", "Process", "ProcessName")
}
from DataFlowFromMethodToHash::PathNode src, DataFlowFromMethodToHash::PathNode sink
where DataFlowFromMethodToHash::flow(src.getNode(), sink.getNode())
select src.getNode(), src, sink,
"The hash is calculated on $@, may be related to a backdoor. Please review the code for possible malicious intent.",
sink.getNode(), "this process name"
deprecated query predicate problems(
DataFlow::Node srcNode, DataFlowFromMethodToHash::PathNode src,
DataFlowFromMethodToHash::PathNode sink, string message, DataFlow::Node sinkNode,
string sinkMessage
) {
srcNode = src.getNode() and
sinkNode = sink.getNode() and
DataFlowFromMethodToHash::flow(srcNode, sinkNode) and
message =
"The hash is calculated on $@, may be related to a backdoor. Please review the code for possible malicious intent." and
sinkMessage = "this process name"
}
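Review bot: The new predicate relates the two path nodes through `DataFlowFromMethodToHash::flow(srcNode, sinkNode)` on their underlying nodes, whereas the other path queries on this page use `flowPath(source, sink)`. With `flow`, `src` and `sink` are any path nodes that happen to wrap those data-flow nodes. They may not be the endpoints of one path, which can yield results whose displayed path is missing or duplicated. If the module is a global flow instantiation, `DataFlowFromMethodToHash::flowPath(src, sink) and` would match the rest of the page. The module definition is outside the hunk, so this needs checking against it.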


@@ -1,6 +1,7 @@
/**
* Provides classes and predicates for detecting insecure cookies.
*/
deprecated module;
import csharp
import semmle.code.csharp.frameworks.microsoft.AspNetCore