Merge pull request #15359 from egregius313/egregius313/csharp/dataflow/threat-modeling/add-threatmodelflowsource

C#: Threat Modeling - Introduce `ThreatModelFlowSource`
2025-12-17 01:03:14 +01:00 · 2024-01-23 09:02:10 -05:00
parent df8d453058 a6c977c169
commit 0e866a5447
30 changed files with 530 additions and 11 deletions
--- a/csharp/ql/lib/change-notes/2024-01-17-introduce-threatmodelflowsource.md
+++ b/csharp/ql/lib/change-notes/2024-01-17-introduce-threatmodelflowsource.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added a new library `semmle.code.csharp.security.dataflow.flowsources.FlowSources`, which provides a new class `ThreatModelFlowSource`. The `ThreatModelFlowSource` class can be used to include sources which match the current *threat model* configuration.
--- a/csharp/ql/lib/qlpack.yml
+++ b/csharp/ql/lib/qlpack.yml
@@ -10,6 +10,7 @@ dependencies:
  codeql/dataflow: ${workspace}
  codeql/mad: ${workspace}
  codeql/ssa: ${workspace}
+  codeql/threat-models: ${workspace}
  codeql/tutorial: ${workspace}
  codeql/util: ${workspace}
 dataExtensions:
--- a/csharp/ql/lib/semmle/code/csharp/frameworks/EntityFramework.qll
+++ b/csharp/ql/lib/semmle/code/csharp/frameworks/EntityFramework.qll
@@ -12,6 +12,7 @@ private import semmle.code.csharp.frameworks.Sql
 private import semmle.code.csharp.dataflow.internal.FlowSummaryImpl::Public
 private import semmle.code.csharp.dataflow.internal.FlowSummaryImpl::Private
 private import semmle.code.csharp.dataflow.internal.DataFlowPrivate as DataFlowPrivate
+private import semmle.code.csharp.security.dataflow.flowsources.Stored as Stored

 /**
 * Definitions relating to the `System.ComponentModel.DataAnnotations`
@@ -44,7 +45,7 @@ module EntityFramework {
  }

  /** A taint source where the data has come from a mapped property stored in the database. */
-  class StoredFlowSource extends DataFlow::Node {
+  class StoredFlowSource extends Stored::DatabaseInputSource {
    StoredFlowSource() {
      this.asExpr() = any(PropertyRead read | read.getTarget() instanceof MappedProperty)
    }
--- a/csharp/ql/lib/semmle/code/csharp/frameworks/NHibernate.qll
+++ b/csharp/ql/lib/semmle/code/csharp/frameworks/NHibernate.qll
@@ -6,6 +6,7 @@ import csharp
 private import semmle.code.csharp.frameworks.System
 private import semmle.code.csharp.frameworks.system.Collections
 private import semmle.code.csharp.frameworks.Sql
+private import semmle.code.csharp.security.dataflow.flowsources.Stored as Stored

 /** Definitions relating to the `NHibernate` package. */
 module NHibernate {
@@ -86,7 +87,7 @@ module NHibernate {
  }

  /** A taint source where the data has come from a mapped property stored in the database. */
-  class StoredFlowSource extends DataFlow::Node {
+  class StoredFlowSource extends Stored::DatabaseInputSource {
    StoredFlowSource() {
      this.asExpr() = any(PropertyRead read | read.getTarget() instanceof MappedProperty)
    }
--- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/FlowSources.qll
+++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/FlowSources.qll
@@ -0,0 +1,31 @@
+/** Provides classes representing various flow sources for taint tracking. */
+
+private import semmle.code.csharp.dataflow.internal.ExternalFlow
+private import codeql.threatmodels.ThreatModels
+import semmle.code.csharp.security.dataflow.flowsources.Remote
+import semmle.code.csharp.security.dataflow.flowsources.Local
+import semmle.code.csharp.security.dataflow.flowsources.Stored
+
+/**
+ * A data flow source.
+ */
+abstract class SourceNode extends DataFlow::Node {
+  /**
+   * Gets a string that represents the source kind with respect to threat modeling.
+   */
+  abstract string getThreatModel();
+}
+
+/**
+ * A class of data flow sources that respects the
+ * current threat model configuration.
+ */
+class ThreatModelFlowSource extends DataFlow::Node {
+  ThreatModelFlowSource() {
+    exists(string kind |
+      // Specific threat model.
+      currentThreatModel(kind) and
+      (this.(SourceNode).getThreatModel() = kind or sourceNode(this, kind))
+    )
+  }
+}
--- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/Local.qll
+++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/Local.qll
@@ -5,11 +5,14 @@
 import csharp
 private import semmle.code.csharp.frameworks.system.windows.Forms
 private import semmle.code.csharp.dataflow.internal.ExternalFlow
+private import semmle.code.csharp.security.dataflow.flowsources.FlowSources

 /** A data flow source of local data. */
-abstract class LocalFlowSource extends DataFlow::Node {
+abstract class LocalFlowSource extends SourceNode {
  /** Gets a string that describes the type of this local flow source. */
  abstract string getSourceType();
+
+  override string getThreatModel() { result = "local" }
 }

 private class ExternalLocalFlowSource extends LocalFlowSource {
--- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/Remote.qll
+++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/Remote.qll
@@ -13,11 +13,14 @@ private import semmle.code.csharp.frameworks.WCF
 private import semmle.code.csharp.frameworks.microsoft.Owin
 private import semmle.code.csharp.frameworks.microsoft.AspNetCore
 private import semmle.code.csharp.dataflow.internal.ExternalFlow
+private import semmle.code.csharp.security.dataflow.flowsources.FlowSources

 /** A data flow source of remote user input. */
-abstract class RemoteFlowSource extends DataFlow::Node {
+abstract class RemoteFlowSource extends SourceNode {
  /** Gets a string that describes the type of this remote flow source. */
  abstract string getSourceType();
+
+  override string getThreatModel() { result = "remote" }
 }

 /**
--- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/Stored.qll
+++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/Stored.qll
@@ -9,15 +9,25 @@ private import semmle.code.csharp.frameworks.system.data.Entity
 private import semmle.code.csharp.frameworks.EntityFramework
 private import semmle.code.csharp.frameworks.NHibernate
 private import semmle.code.csharp.frameworks.Sql
+private import semmle.code.csharp.security.dataflow.flowsources.FlowSources

 /** A data flow source of stored user input. */
-abstract class StoredFlowSource extends DataFlow::Node { }
+abstract class StoredFlowSource extends SourceNode {
+  override string getThreatModel() { result = "local" }
+}
+
+/**
+ * A node with input from a database.
+ */
+abstract class DatabaseInputSource extends StoredFlowSource {
+  override string getThreatModel() { result = "database" }
+}

 /**
 * An expression that has a type of `DbRawSqlQuery`, representing the result of an Entity Framework
 * SqlQuery.
 */
-class DbRawSqlStoredFlowSource extends StoredFlowSource {
+class DbRawSqlStoredFlowSource extends DatabaseInputSource {
  DbRawSqlStoredFlowSource() {
    this.asExpr().getType() instanceof SystemDataEntityInfrastructure::DbRawSqlQuery
  }
@@ -27,14 +37,14 @@ class DbRawSqlStoredFlowSource extends StoredFlowSource {
 * An expression that has a type of `DbDataReader` or a sub-class, representing the result of a
 * data command.
 */
-class DbDataReaderStoredFlowSource extends StoredFlowSource {
+class DbDataReaderStoredFlowSource extends DatabaseInputSource {
  DbDataReaderStoredFlowSource() {
    this.asExpr().getType() = any(SystemDataCommon::DbDataReader dataReader).getASubType*()
  }
 }

 /** An expression that accesses a method of `DbDataReader` or a sub-class. */
-class DbDataReaderMethodStoredFlowSource extends StoredFlowSource {
+class DbDataReaderMethodStoredFlowSource extends DatabaseInputSource {
  DbDataReaderMethodStoredFlowSource() {
    this.asExpr().(MethodCall).getTarget().getDeclaringType() =
      any(SystemDataCommon::DbDataReader dataReader).getASubType*()
@@ -42,15 +52,19 @@ class DbDataReaderMethodStoredFlowSource extends StoredFlowSource {
 }

 /** An expression that accesses a property of `DbDataReader` or a sub-class. */
-class DbDataReaderPropertyStoredFlowSource extends StoredFlowSource {
+class DbDataReaderPropertyStoredFlowSource extends DatabaseInputSource {
  DbDataReaderPropertyStoredFlowSource() {
    this.asExpr().(PropertyAccess).getTarget().getDeclaringType() =
      any(SystemDataCommon::DbDataReader dataReader).getASubType*()
  }
 }

-/** A read of a mapped property. */
-class ORMMappedProperty extends StoredFlowSource {
+/**
+ * DEPRECATED: Use `EntityFramework::StoredFlowSource` and `NHibernate::StoredFlowSource` instead.
+ *
+ * A read of a mapped property.
+ */
+deprecated class ORMMappedProperty extends DataFlow::Node {
  ORMMappedProperty() {
    this instanceof EntityFramework::StoredFlowSource or
    this instanceof NHibernate::StoredFlowSource
@@ -60,4 +74,6 @@ class ORMMappedProperty extends StoredFlowSource {
 /** A file stream source is considered a stored flow source. */
 class FileStreamStoredFlowSource extends StoredFlowSource {
  FileStreamStoredFlowSource() { sourceNode(this, "file") }
+
+  override string getThreatModel() { result = "file" }
 }
--- a/csharp/ql/test/library-tests/dataflow/threat-models/Test.cs
+++ b/csharp/ql/test/library-tests/dataflow/threat-models/Test.cs
@@ -0,0 +1,68 @@
+using System.Net.Sockets;
+using System.Data.SqlClient;
+
+namespace My.Qltest
+{
+    public class Test
+    {
+        private TestSources Sources = new TestSources();
+
+        private SqlConnection Connection => throw null;
+
+        private string BytesToString(byte[] bytes)
+        {
+            // Encode bytes to a UTF8 string.
+            return System.Text.Encoding.UTF8.GetString(bytes);
+        }
+
+        public void M1()
+        {
+            // Only a source if "remote" is a selected threat model.
+            // This is included in the "default" threat model.
+            using TcpClient client = new TcpClient("localhost", 1234);
+            using NetworkStream stream = client.GetStream();
+            byte[] buffer = new byte[1024];
+            int bytesRead = stream.Read(buffer, 0, buffer.Length);
+
+            // SQL sink
+            var command = new SqlCommand("SELECT * FROM Users WHERE Username = '" + BytesToString(buffer) + "'", Connection);
+        }
+
+        public void M2()
+        {
+            // Only a source if "database" is a selected threat model.
+            string result = Sources.ExecuteQuery("SELECT * FROM foo");
+
+            // SQL sink
+            var command = new SqlCommand("SELECT * FROM Users WHERE Username = '" + result + "'", Connection);
+        }
+
+        public void M3()
+        {
+            // Only a source if "environment" is a selected threat model.
+            string result = Sources.ReadEnv("foo");
+
+            // SQL sink
+            var command = new SqlCommand("SELECT * FROM Users WHERE Username = '" + result + "'", Connection);
+
+        }
+
+        public void M4()
+        {
+            // Only a source if "custom" is a selected threat model.
+            string result = Sources.GetCustom("foo");
+
+            // SQL sink
+            var command = new SqlCommand("SELECT * FROM Users WHERE Username = '" + result + "'", Connection);
+        }
+
+        public void M5()
+        {
+            // Only a source if "commandargs" is a selected threat model.
+            string result = Sources.GetCliArg(0);
+
+            // SQL sink
+            var command = new SqlCommand("SELECT * FROM Users WHERE Username = '" + result + "'", Connection);
+        }
+    }
+}
--- a/csharp/ql/test/library-tests/dataflow/threat-models/Test.qll
+++ b/csharp/ql/test/library-tests/dataflow/threat-models/Test.qll
@@ -0,0 +1,12 @@
+private import csharp
+private import semmle.code.csharp.dataflow.DataFlow
+private import semmle.code.csharp.dataflow.internal.ExternalFlow
+private import semmle.code.csharp.security.dataflow.flowsources.FlowSources
+
+private module ThreatModelConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
+
+  predicate isSink(DataFlow::Node sink) { sinkNode(sink, _) }
+}
+
+module ThreatModel = TaintTracking::Global<ThreatModelConfig>;
--- a/csharp/ql/test/library-tests/dataflow/threat-models/TestSources.cs
+++ b/csharp/ql/test/library-tests/dataflow/threat-models/TestSources.cs
@@ -0,0 +1,26 @@
+namespace My.Qltest
+{
+
+    public class TestSources
+    {
+        public string ExecuteQuery(string query)
+        {
+            return null;
+        }
+
+        public string ReadEnv(string env)
+        {
+            return null;
+        }
+
+        public string GetCustom(string s)
+        {
+            return null;
+        }
+
+        public string GetCliArg(int i)
+        {
+            return null;
+        }
+    }
+}
--- a/csharp/ql/test/library-tests/dataflow/threat-models/options
+++ b/csharp/ql/test/library-tests/dataflow/threat-models/options
@@ -0,0 +1,2 @@
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/System.Data.SqlClient/4.8.5/System.Data.SqlClient.csproj
--- a/csharp/ql/test/library-tests/dataflow/threat-models/threat-models-flowtest1.expected
+++ b/csharp/ql/test/library-tests/dataflow/threat-models/threat-models-flowtest1.expected
@@ -0,0 +1,23 @@
+edges
+| Test.cs:12:45:12:49 | bytes : Byte[] [element] : Object | Test.cs:15:56:15:60 | access to parameter bytes : Byte[] [element] : Object |
+| Test.cs:15:56:15:60 | access to parameter bytes : Byte[] [element] : Object | Test.cs:15:20:15:61 | call to method GetString : String |
+| Test.cs:23:42:23:59 | call to method GetStream : NetworkStream | Test.cs:25:29:25:34 | access to local variable stream : NetworkStream |
+| Test.cs:25:29:25:34 | access to local variable stream : NetworkStream | Test.cs:25:41:25:46 | [post] access to local variable buffer : Byte[] [element] : Object |
+| Test.cs:25:41:25:46 | [post] access to local variable buffer : Byte[] [element] : Object | Test.cs:28:99:28:104 | access to local variable buffer : Byte[] [element] : Object |
+| Test.cs:28:85:28:105 | call to method BytesToString : String | Test.cs:28:42:28:111 | ... + ... |
+| Test.cs:28:99:28:104 | access to local variable buffer : Byte[] [element] : Object | Test.cs:12:45:12:49 | bytes : Byte[] [element] : Object |
+| Test.cs:28:99:28:104 | access to local variable buffer : Byte[] [element] : Object | Test.cs:28:85:28:105 | call to method BytesToString : String |
+nodes
+| Test.cs:12:45:12:49 | bytes : Byte[] [element] : Object | semmle.label | bytes : Byte[] [element] : Object |
+| Test.cs:15:20:15:61 | call to method GetString : String | semmle.label | call to method GetString : String |
+| Test.cs:15:56:15:60 | access to parameter bytes : Byte[] [element] : Object | semmle.label | access to parameter bytes : Byte[] [element] : Object |
+| Test.cs:23:42:23:59 | call to method GetStream : NetworkStream | semmle.label | call to method GetStream : NetworkStream |
+| Test.cs:25:29:25:34 | access to local variable stream : NetworkStream | semmle.label | access to local variable stream : NetworkStream |
+| Test.cs:25:41:25:46 | [post] access to local variable buffer : Byte[] [element] : Object | semmle.label | [post] access to local variable buffer : Byte[] [element] : Object |
+| Test.cs:28:42:28:111 | ... + ... | semmle.label | ... + ... |
+| Test.cs:28:85:28:105 | call to method BytesToString : String | semmle.label | call to method BytesToString : String |
+| Test.cs:28:99:28:104 | access to local variable buffer : Byte[] [element] : Object | semmle.label | access to local variable buffer : Byte[] [element] : Object |
+subpaths
+| Test.cs:28:99:28:104 | access to local variable buffer : Byte[] [element] : Object | Test.cs:12:45:12:49 | bytes : Byte[] [element] : Object | Test.cs:15:20:15:61 | call to method GetString : String | Test.cs:28:85:28:105 | call to method BytesToString : String |
+#select
+| Test.cs:23:42:23:59 | call to method GetStream : NetworkStream | Test.cs:28:42:28:111 | ... + ... |
--- a/csharp/ql/test/library-tests/dataflow/threat-models/threat-models-flowtest1.ext.yml
+++ b/csharp/ql/test/library-tests/dataflow/threat-models/threat-models-flowtest1.ext.yml
@@ -0,0 +1,15 @@
+extensions:
+
+  - addsTo:
+      pack: codeql/threat-models
+      extensible: threatModelConfiguration
+    data: []
+
+  - addsTo:
+      pack: codeql/csharp-all
+      extensible: sourceModel
+    data:
+      - ["My.Qltest", "TestSources", False, "ExecuteQuery", "(System.String)", "", "ReturnValue", "database", "manual"]
+      - ["My.Qltest", "TestSources", False, "ReadEnv", "(System.String)", "", "ReturnValue", "environment", "manual"]
+      - ["My.Qltest", "TestSources", False, "GetCustom", "(System.String)", "", "ReturnValue", "custom", "manual"]
+      - ["My.Qltest", "TestSources", False, "GetCliArg", "(System.Int32)", "", "ReturnValue", "commandargs", "manual"]
--- a/csharp/ql/test/library-tests/dataflow/threat-models/threat-models-flowtest1.ql
+++ b/csharp/ql/test/library-tests/dataflow/threat-models/threat-models-flowtest1.ql
@@ -0,0 +1,10 @@
+/**
+ * This is a dataflow test using the "default" threat model.
+ */
+
+import Test
+import ThreatModel::PathGraph
+
+from ThreatModel::PathNode source, ThreatModel::PathNode sink
+where ThreatModel::flowPath(source, sink)
+select source, sink
--- a/csharp/ql/test/library-tests/dataflow/threat-models/threat-models-flowtest2.expected
+++ b/csharp/ql/test/library-tests/dataflow/threat-models/threat-models-flowtest2.expected
@@ -0,0 +1,27 @@
+edges
+| Test.cs:12:45:12:49 | bytes : Byte[] [element] : Object | Test.cs:15:56:15:60 | access to parameter bytes : Byte[] [element] : Object |
+| Test.cs:15:56:15:60 | access to parameter bytes : Byte[] [element] : Object | Test.cs:15:20:15:61 | call to method GetString : String |
+| Test.cs:23:42:23:59 | call to method GetStream : NetworkStream | Test.cs:25:29:25:34 | access to local variable stream : NetworkStream |
+| Test.cs:25:29:25:34 | access to local variable stream : NetworkStream | Test.cs:25:41:25:46 | [post] access to local variable buffer : Byte[] [element] : Object |
+| Test.cs:25:41:25:46 | [post] access to local variable buffer : Byte[] [element] : Object | Test.cs:28:99:28:104 | access to local variable buffer : Byte[] [element] : Object |
+| Test.cs:28:85:28:105 | call to method BytesToString : String | Test.cs:28:42:28:111 | ... + ... |
+| Test.cs:28:99:28:104 | access to local variable buffer : Byte[] [element] : Object | Test.cs:12:45:12:49 | bytes : Byte[] [element] : Object |
+| Test.cs:28:99:28:104 | access to local variable buffer : Byte[] [element] : Object | Test.cs:28:85:28:105 | call to method BytesToString : String |
+| Test.cs:34:29:34:69 | call to method ExecuteQuery : String | Test.cs:37:42:37:96 | ... + ... |
+nodes
+| Test.cs:12:45:12:49 | bytes : Byte[] [element] : Object | semmle.label | bytes : Byte[] [element] : Object |
+| Test.cs:15:20:15:61 | call to method GetString : String | semmle.label | call to method GetString : String |
+| Test.cs:15:56:15:60 | access to parameter bytes : Byte[] [element] : Object | semmle.label | access to parameter bytes : Byte[] [element] : Object |
+| Test.cs:23:42:23:59 | call to method GetStream : NetworkStream | semmle.label | call to method GetStream : NetworkStream |
+| Test.cs:25:29:25:34 | access to local variable stream : NetworkStream | semmle.label | access to local variable stream : NetworkStream |
+| Test.cs:25:41:25:46 | [post] access to local variable buffer : Byte[] [element] : Object | semmle.label | [post] access to local variable buffer : Byte[] [element] : Object |
+| Test.cs:28:42:28:111 | ... + ... | semmle.label | ... + ... |
+| Test.cs:28:85:28:105 | call to method BytesToString : String | semmle.label | call to method BytesToString : String |
+| Test.cs:28:99:28:104 | access to local variable buffer : Byte[] [element] : Object | semmle.label | access to local variable buffer : Byte[] [element] : Object |
+| Test.cs:34:29:34:69 | call to method ExecuteQuery : String | semmle.label | call to method ExecuteQuery : String |
+| Test.cs:37:42:37:96 | ... + ... | semmle.label | ... + ... |
+subpaths
+| Test.cs:28:99:28:104 | access to local variable buffer : Byte[] [element] : Object | Test.cs:12:45:12:49 | bytes : Byte[] [element] : Object | Test.cs:15:20:15:61 | call to method GetString : String | Test.cs:28:85:28:105 | call to method BytesToString : String |
+#select
+| Test.cs:23:42:23:59 | call to method GetStream : NetworkStream | Test.cs:28:42:28:111 | ... + ... |
+| Test.cs:34:29:34:69 | call to method ExecuteQuery : String | Test.cs:37:42:37:96 | ... + ... |
--- a/csharp/ql/test/library-tests/dataflow/threat-models/threat-models-flowtest2.ext.yml
+++ b/csharp/ql/test/library-tests/dataflow/threat-models/threat-models-flowtest2.ext.yml
@@ -0,0 +1,16 @@
+extensions:
+
+  - addsTo:
+      pack: codeql/threat-models
+      extensible: threatModelConfiguration
+    data:
+      - ["database", true, 0]
+
+  - addsTo:
+      pack: codeql/csharp-all
+      extensible: sourceModel
+    data:
+      - ["My.Qltest", "TestSources", False, "ExecuteQuery", "(System.String)", "", "ReturnValue", "database", "manual"]
+      - ["My.Qltest", "TestSources", False, "ReadEnv", "(System.String)", "", "ReturnValue", "environment", "manual"]
+      - ["My.Qltest", "TestSources", False, "GetCustom", "(System.String)", "", "ReturnValue", "custom", "manual"]
+      - ["My.Qltest", "TestSources", False, "GetCliArg", "(System.Int32)", "", "ReturnValue", "commandargs", "manual"]
--- a/csharp/ql/test/library-tests/dataflow/threat-models/threat-models-flowtest2.ql
+++ b/csharp/ql/test/library-tests/dataflow/threat-models/threat-models-flowtest2.ql
@@ -0,0 +1,11 @@
+/**
+ * This is a dataflow test using the "default" threat model with the
+ * addition of "database".
+ */
+
+import Test
+import ThreatModel::PathGraph
+
+from ThreatModel::PathNode source, ThreatModel::PathNode sink
+where ThreatModel::flowPath(source, sink)
+select source, sink
--- a/csharp/ql/test/library-tests/dataflow/threat-models/threat-models-flowtest3.expected
+++ b/csharp/ql/test/library-tests/dataflow/threat-models/threat-models-flowtest3.expected
@@ -0,0 +1,35 @@
+edges
+| Test.cs:12:45:12:49 | bytes : Byte[] [element] : Object | Test.cs:15:56:15:60 | access to parameter bytes : Byte[] [element] : Object |
+| Test.cs:15:56:15:60 | access to parameter bytes : Byte[] [element] : Object | Test.cs:15:20:15:61 | call to method GetString : String |
+| Test.cs:23:42:23:59 | call to method GetStream : NetworkStream | Test.cs:25:29:25:34 | access to local variable stream : NetworkStream |
+| Test.cs:25:29:25:34 | access to local variable stream : NetworkStream | Test.cs:25:41:25:46 | [post] access to local variable buffer : Byte[] [element] : Object |
+| Test.cs:25:41:25:46 | [post] access to local variable buffer : Byte[] [element] : Object | Test.cs:28:99:28:104 | access to local variable buffer : Byte[] [element] : Object |
+| Test.cs:28:85:28:105 | call to method BytesToString : String | Test.cs:28:42:28:111 | ... + ... |
+| Test.cs:28:99:28:104 | access to local variable buffer : Byte[] [element] : Object | Test.cs:12:45:12:49 | bytes : Byte[] [element] : Object |
+| Test.cs:28:99:28:104 | access to local variable buffer : Byte[] [element] : Object | Test.cs:28:85:28:105 | call to method BytesToString : String |
+| Test.cs:34:29:34:69 | call to method ExecuteQuery : String | Test.cs:37:42:37:96 | ... + ... |
+| Test.cs:43:29:43:50 | call to method ReadEnv : String | Test.cs:46:42:46:96 | ... + ... |
+| Test.cs:62:29:62:48 | call to method GetCliArg : String | Test.cs:65:42:65:96 | ... + ... |
+nodes
+| Test.cs:12:45:12:49 | bytes : Byte[] [element] : Object | semmle.label | bytes : Byte[] [element] : Object |
+| Test.cs:15:20:15:61 | call to method GetString : String | semmle.label | call to method GetString : String |
+| Test.cs:15:56:15:60 | access to parameter bytes : Byte[] [element] : Object | semmle.label | access to parameter bytes : Byte[] [element] : Object |
+| Test.cs:23:42:23:59 | call to method GetStream : NetworkStream | semmle.label | call to method GetStream : NetworkStream |
+| Test.cs:25:29:25:34 | access to local variable stream : NetworkStream | semmle.label | access to local variable stream : NetworkStream |
+| Test.cs:25:41:25:46 | [post] access to local variable buffer : Byte[] [element] : Object | semmle.label | [post] access to local variable buffer : Byte[] [element] : Object |
+| Test.cs:28:42:28:111 | ... + ... | semmle.label | ... + ... |
+| Test.cs:28:85:28:105 | call to method BytesToString : String | semmle.label | call to method BytesToString : String |
+| Test.cs:28:99:28:104 | access to local variable buffer : Byte[] [element] : Object | semmle.label | access to local variable buffer : Byte[] [element] : Object |
+| Test.cs:34:29:34:69 | call to method ExecuteQuery : String | semmle.label | call to method ExecuteQuery : String |
+| Test.cs:37:42:37:96 | ... + ... | semmle.label | ... + ... |
+| Test.cs:43:29:43:50 | call to method ReadEnv : String | semmle.label | call to method ReadEnv : String |
+| Test.cs:46:42:46:96 | ... + ... | semmle.label | ... + ... |
+| Test.cs:62:29:62:48 | call to method GetCliArg : String | semmle.label | call to method GetCliArg : String |
+| Test.cs:65:42:65:96 | ... + ... | semmle.label | ... + ... |
+subpaths
+| Test.cs:28:99:28:104 | access to local variable buffer : Byte[] [element] : Object | Test.cs:12:45:12:49 | bytes : Byte[] [element] : Object | Test.cs:15:20:15:61 | call to method GetString : String | Test.cs:28:85:28:105 | call to method BytesToString : String |
+#select
+| Test.cs:23:42:23:59 | call to method GetStream : NetworkStream | Test.cs:28:42:28:111 | ... + ... |
+| Test.cs:34:29:34:69 | call to method ExecuteQuery : String | Test.cs:37:42:37:96 | ... + ... |
+| Test.cs:43:29:43:50 | call to method ReadEnv : String | Test.cs:46:42:46:96 | ... + ... |
+| Test.cs:62:29:62:48 | call to method GetCliArg : String | Test.cs:65:42:65:96 | ... + ... |
--- a/csharp/ql/test/library-tests/dataflow/threat-models/threat-models-flowtest3.ext.yml
+++ b/csharp/ql/test/library-tests/dataflow/threat-models/threat-models-flowtest3.ext.yml
@@ -0,0 +1,17 @@
+extensions:
+
+  - addsTo:
+      pack: codeql/threat-models
+      extensible: threatModelConfiguration
+    data:
+      - ["local", true, 0]
+
+  - addsTo:
+      pack: codeql/csharp-all
+      extensible: sourceModel
+    data:
+      - ["My.Qltest", "TestSources", False, "ExecuteQuery", "(System.String)", "", "ReturnValue", "database", "manual"]
+      - ["My.Qltest", "TestSources", False, "ReadEnv", "(System.String)", "", "ReturnValue", "environment", "manual"]
+      - ["My.Qltest", "TestSources", False, "GetCustom", "(System.String)", "", "ReturnValue", "custom", "manual"]
+      - ["My.Qltest", "TestSources", False, "GetCliArg", "(System.Int32)", "", "ReturnValue", "commandargs", "manual"]
+
--- a/csharp/ql/test/library-tests/dataflow/threat-models/threat-models-flowtest3.ql
+++ b/csharp/ql/test/library-tests/dataflow/threat-models/threat-models-flowtest3.ql
@@ -0,0 +1,11 @@
+/**
+ * This is a dataflow test using the "default" threat model with the
+ * addition of the threat model group "local".
+ */
+
+import Test
+import ThreatModel::PathGraph
+
+from ThreatModel::PathNode source, ThreatModel::PathNode sink
+where ThreatModel::flowPath(source, sink)
+select source, sink
--- a/csharp/ql/test/library-tests/dataflow/threat-models/threat-models-flowtest4.expected
+++ b/csharp/ql/test/library-tests/dataflow/threat-models/threat-models-flowtest4.expected
@@ -0,0 +1,39 @@
+edges
+| Test.cs:12:45:12:49 | bytes : Byte[] [element] : Object | Test.cs:15:56:15:60 | access to parameter bytes : Byte[] [element] : Object |
+| Test.cs:15:56:15:60 | access to parameter bytes : Byte[] [element] : Object | Test.cs:15:20:15:61 | call to method GetString : String |
+| Test.cs:23:42:23:59 | call to method GetStream : NetworkStream | Test.cs:25:29:25:34 | access to local variable stream : NetworkStream |
+| Test.cs:25:29:25:34 | access to local variable stream : NetworkStream | Test.cs:25:41:25:46 | [post] access to local variable buffer : Byte[] [element] : Object |
+| Test.cs:25:41:25:46 | [post] access to local variable buffer : Byte[] [element] : Object | Test.cs:28:99:28:104 | access to local variable buffer : Byte[] [element] : Object |
+| Test.cs:28:85:28:105 | call to method BytesToString : String | Test.cs:28:42:28:111 | ... + ... |
+| Test.cs:28:99:28:104 | access to local variable buffer : Byte[] [element] : Object | Test.cs:12:45:12:49 | bytes : Byte[] [element] : Object |
+| Test.cs:28:99:28:104 | access to local variable buffer : Byte[] [element] : Object | Test.cs:28:85:28:105 | call to method BytesToString : String |
+| Test.cs:34:29:34:69 | call to method ExecuteQuery : String | Test.cs:37:42:37:96 | ... + ... |
+| Test.cs:43:29:43:50 | call to method ReadEnv : String | Test.cs:46:42:46:96 | ... + ... |
+| Test.cs:53:29:53:52 | call to method GetCustom : String | Test.cs:56:42:56:96 | ... + ... |
+| Test.cs:62:29:62:48 | call to method GetCliArg : String | Test.cs:65:42:65:96 | ... + ... |
+nodes
+| Test.cs:12:45:12:49 | bytes : Byte[] [element] : Object | semmle.label | bytes : Byte[] [element] : Object |
+| Test.cs:15:20:15:61 | call to method GetString : String | semmle.label | call to method GetString : String |
+| Test.cs:15:56:15:60 | access to parameter bytes : Byte[] [element] : Object | semmle.label | access to parameter bytes : Byte[] [element] : Object |
+| Test.cs:23:42:23:59 | call to method GetStream : NetworkStream | semmle.label | call to method GetStream : NetworkStream |
+| Test.cs:25:29:25:34 | access to local variable stream : NetworkStream | semmle.label | access to local variable stream : NetworkStream |
+| Test.cs:25:41:25:46 | [post] access to local variable buffer : Byte[] [element] : Object | semmle.label | [post] access to local variable buffer : Byte[] [element] : Object |
+| Test.cs:28:42:28:111 | ... + ... | semmle.label | ... + ... |
+| Test.cs:28:85:28:105 | call to method BytesToString : String | semmle.label | call to method BytesToString : String |
+| Test.cs:28:99:28:104 | access to local variable buffer : Byte[] [element] : Object | semmle.label | access to local variable buffer : Byte[] [element] : Object |
+| Test.cs:34:29:34:69 | call to method ExecuteQuery : String | semmle.label | call to method ExecuteQuery : String |
+| Test.cs:37:42:37:96 | ... + ... | semmle.label | ... + ... |
+| Test.cs:43:29:43:50 | call to method ReadEnv : String | semmle.label | call to method ReadEnv : String |
+| Test.cs:46:42:46:96 | ... + ... | semmle.label | ... + ... |
+| Test.cs:53:29:53:52 | call to method GetCustom : String | semmle.label | call to method GetCustom : String |
+| Test.cs:56:42:56:96 | ... + ... | semmle.label | ... + ... |
+| Test.cs:62:29:62:48 | call to method GetCliArg : String | semmle.label | call to method GetCliArg : String |
+| Test.cs:65:42:65:96 | ... + ... | semmle.label | ... + ... |
+subpaths
+| Test.cs:28:99:28:104 | access to local variable buffer : Byte[] [element] : Object | Test.cs:12:45:12:49 | bytes : Byte[] [element] : Object | Test.cs:15:20:15:61 | call to method GetString : String | Test.cs:28:85:28:105 | call to method BytesToString : String |
+#select
+| Test.cs:23:42:23:59 | call to method GetStream : NetworkStream | Test.cs:28:42:28:111 | ... + ... |
+| Test.cs:34:29:34:69 | call to method ExecuteQuery : String | Test.cs:37:42:37:96 | ... + ... |
+| Test.cs:43:29:43:50 | call to method ReadEnv : String | Test.cs:46:42:46:96 | ... + ... |
+| Test.cs:53:29:53:52 | call to method GetCustom : String | Test.cs:56:42:56:96 | ... + ... |
+| Test.cs:62:29:62:48 | call to method GetCliArg : String | Test.cs:65:42:65:96 | ... + ... |
--- a/csharp/ql/test/library-tests/dataflow/threat-models/threat-models-flowtest4.ext.yml
+++ b/csharp/ql/test/library-tests/dataflow/threat-models/threat-models-flowtest4.ext.yml
@@ -0,0 +1,17 @@
+extensions:
+
+  - addsTo:
+      pack: codeql/threat-models
+      extensible: threatModelConfiguration
+    data:
+      - ["all", true, 0]
+
+  - addsTo:
+      pack: codeql/csharp-all
+      extensible: sourceModel
+    data:
+      - ["My.Qltest", "TestSources", False, "ExecuteQuery", "(System.String)", "", "ReturnValue", "database", "manual"]
+      - ["My.Qltest", "TestSources", False, "ReadEnv", "(System.String)", "", "ReturnValue", "environment", "manual"]
+      - ["My.Qltest", "TestSources", False, "GetCustom", "(System.String)", "", "ReturnValue", "custom", "manual"]
+      - ["My.Qltest", "TestSources", False, "GetCliArg", "(System.Int32)", "", "ReturnValue", "commandargs", "manual"]
+
--- a/csharp/ql/test/library-tests/dataflow/threat-models/threat-models-flowtest4.ql
+++ b/csharp/ql/test/library-tests/dataflow/threat-models/threat-models-flowtest4.ql
@@ -0,0 +1,10 @@
+/**
+ * This is a dataflow test using "all" threat models.
+ */
+
+import Test
+import ThreatModel::PathGraph
+
+from ThreatModel::PathNode source, ThreatModel::PathNode sink
+where ThreatModel::flowPath(source, sink)
+select source, sink
--- a/csharp/ql/test/library-tests/dataflow/threat-models/threat-models-flowtest5.expected
+++ b/csharp/ql/test/library-tests/dataflow/threat-models/threat-models-flowtest5.expected
@@ -0,0 +1,31 @@
+edges
+| Test.cs:12:45:12:49 | bytes : Byte[] [element] : Object | Test.cs:15:56:15:60 | access to parameter bytes : Byte[] [element] : Object |
+| Test.cs:15:56:15:60 | access to parameter bytes : Byte[] [element] : Object | Test.cs:15:20:15:61 | call to method GetString : String |
+| Test.cs:23:42:23:59 | call to method GetStream : NetworkStream | Test.cs:25:29:25:34 | access to local variable stream : NetworkStream |
+| Test.cs:25:29:25:34 | access to local variable stream : NetworkStream | Test.cs:25:41:25:46 | [post] access to local variable buffer : Byte[] [element] : Object |
+| Test.cs:25:41:25:46 | [post] access to local variable buffer : Byte[] [element] : Object | Test.cs:28:99:28:104 | access to local variable buffer : Byte[] [element] : Object |
+| Test.cs:28:85:28:105 | call to method BytesToString : String | Test.cs:28:42:28:111 | ... + ... |
+| Test.cs:28:99:28:104 | access to local variable buffer : Byte[] [element] : Object | Test.cs:12:45:12:49 | bytes : Byte[] [element] : Object |
+| Test.cs:28:99:28:104 | access to local variable buffer : Byte[] [element] : Object | Test.cs:28:85:28:105 | call to method BytesToString : String |
+| Test.cs:43:29:43:50 | call to method ReadEnv : String | Test.cs:46:42:46:96 | ... + ... |
+| Test.cs:62:29:62:48 | call to method GetCliArg : String | Test.cs:65:42:65:96 | ... + ... |
+nodes
+| Test.cs:12:45:12:49 | bytes : Byte[] [element] : Object | semmle.label | bytes : Byte[] [element] : Object |
+| Test.cs:15:20:15:61 | call to method GetString : String | semmle.label | call to method GetString : String |
+| Test.cs:15:56:15:60 | access to parameter bytes : Byte[] [element] : Object | semmle.label | access to parameter bytes : Byte[] [element] : Object |
+| Test.cs:23:42:23:59 | call to method GetStream : NetworkStream | semmle.label | call to method GetStream : NetworkStream |
+| Test.cs:25:29:25:34 | access to local variable stream : NetworkStream | semmle.label | access to local variable stream : NetworkStream |
+| Test.cs:25:41:25:46 | [post] access to local variable buffer : Byte[] [element] : Object | semmle.label | [post] access to local variable buffer : Byte[] [element] : Object |
+| Test.cs:28:42:28:111 | ... + ... | semmle.label | ... + ... |
+| Test.cs:28:85:28:105 | call to method BytesToString : String | semmle.label | call to method BytesToString : String |
+| Test.cs:28:99:28:104 | access to local variable buffer : Byte[] [element] : Object | semmle.label | access to local variable buffer : Byte[] [element] : Object |
+| Test.cs:43:29:43:50 | call to method ReadEnv : String | semmle.label | call to method ReadEnv : String |
+| Test.cs:46:42:46:96 | ... + ... | semmle.label | ... + ... |
+| Test.cs:62:29:62:48 | call to method GetCliArg : String | semmle.label | call to method GetCliArg : String |
+| Test.cs:65:42:65:96 | ... + ... | semmle.label | ... + ... |
+subpaths
+| Test.cs:28:99:28:104 | access to local variable buffer : Byte[] [element] : Object | Test.cs:12:45:12:49 | bytes : Byte[] [element] : Object | Test.cs:15:20:15:61 | call to method GetString : String | Test.cs:28:85:28:105 | call to method BytesToString : String |
+#select
+| Test.cs:23:42:23:59 | call to method GetStream : NetworkStream | Test.cs:28:42:28:111 | ... + ... |
+| Test.cs:43:29:43:50 | call to method ReadEnv : String | Test.cs:46:42:46:96 | ... + ... |
+| Test.cs:62:29:62:48 | call to method GetCliArg : String | Test.cs:65:42:65:96 | ... + ... |
--- a/csharp/ql/test/library-tests/dataflow/threat-models/threat-models-flowtest5.ext.yml
+++ b/csharp/ql/test/library-tests/dataflow/threat-models/threat-models-flowtest5.ext.yml
@@ -0,0 +1,18 @@
+extensions:
+
+  - addsTo:
+      pack: codeql/threat-models
+      extensible: threatModelConfiguration
+    data:
+      - ["environment", true, 0]
+      - ["commandargs", true, 0]
+
+  - addsTo:
+      pack: codeql/csharp-all
+      extensible: sourceModel
+    data:
+      - ["My.Qltest", "TestSources", False, "ExecuteQuery", "(System.String)", "", "ReturnValue", "database", "manual"]
+      - ["My.Qltest", "TestSources", False, "ReadEnv", "(System.String)", "", "ReturnValue", "environment", "manual"]
+      - ["My.Qltest", "TestSources", False, "GetCustom", "(System.String)", "", "ReturnValue", "custom", "manual"]
+      - ["My.Qltest", "TestSources", False, "GetCliArg", "(System.Int32)", "", "ReturnValue", "commandargs", "manual"]
+
--- a/csharp/ql/test/library-tests/dataflow/threat-models/threat-models-flowtest5.ql
+++ b/csharp/ql/test/library-tests/dataflow/threat-models/threat-models-flowtest5.ql
@@ -0,0 +1,11 @@
+/**
+ * This is a dataflow test using the "default" threat model with the
+ * addition of "environment" and "commandargs".
+ */
+
+import Test
+import ThreatModel::PathGraph
+
+from ThreatModel::PathNode source, ThreatModel::PathNode sink
+where ThreatModel::flowPath(source, sink)
+select source, sink
--- a/csharp/ql/test/library-tests/dataflow/threat-models/threat-models-flowtest6.expected
+++ b/csharp/ql/test/library-tests/dataflow/threat-models/threat-models-flowtest6.expected
@@ -0,0 +1,31 @@
+edges
+| Test.cs:12:45:12:49 | bytes : Byte[] [element] : Object | Test.cs:15:56:15:60 | access to parameter bytes : Byte[] [element] : Object |
+| Test.cs:15:56:15:60 | access to parameter bytes : Byte[] [element] : Object | Test.cs:15:20:15:61 | call to method GetString : String |
+| Test.cs:23:42:23:59 | call to method GetStream : NetworkStream | Test.cs:25:29:25:34 | access to local variable stream : NetworkStream |
+| Test.cs:25:29:25:34 | access to local variable stream : NetworkStream | Test.cs:25:41:25:46 | [post] access to local variable buffer : Byte[] [element] : Object |
+| Test.cs:25:41:25:46 | [post] access to local variable buffer : Byte[] [element] : Object | Test.cs:28:99:28:104 | access to local variable buffer : Byte[] [element] : Object |
+| Test.cs:28:85:28:105 | call to method BytesToString : String | Test.cs:28:42:28:111 | ... + ... |
+| Test.cs:28:99:28:104 | access to local variable buffer : Byte[] [element] : Object | Test.cs:12:45:12:49 | bytes : Byte[] [element] : Object |
+| Test.cs:28:99:28:104 | access to local variable buffer : Byte[] [element] : Object | Test.cs:28:85:28:105 | call to method BytesToString : String |
+| Test.cs:34:29:34:69 | call to method ExecuteQuery : String | Test.cs:37:42:37:96 | ... + ... |
+| Test.cs:62:29:62:48 | call to method GetCliArg : String | Test.cs:65:42:65:96 | ... + ... |
+nodes
+| Test.cs:12:45:12:49 | bytes : Byte[] [element] : Object | semmle.label | bytes : Byte[] [element] : Object |
+| Test.cs:15:20:15:61 | call to method GetString : String | semmle.label | call to method GetString : String |
+| Test.cs:15:56:15:60 | access to parameter bytes : Byte[] [element] : Object | semmle.label | access to parameter bytes : Byte[] [element] : Object |
+| Test.cs:23:42:23:59 | call to method GetStream : NetworkStream | semmle.label | call to method GetStream : NetworkStream |
+| Test.cs:25:29:25:34 | access to local variable stream : NetworkStream | semmle.label | access to local variable stream : NetworkStream |
+| Test.cs:25:41:25:46 | [post] access to local variable buffer : Byte[] [element] : Object | semmle.label | [post] access to local variable buffer : Byte[] [element] : Object |
+| Test.cs:28:42:28:111 | ... + ... | semmle.label | ... + ... |
+| Test.cs:28:85:28:105 | call to method BytesToString : String | semmle.label | call to method BytesToString : String |
+| Test.cs:28:99:28:104 | access to local variable buffer : Byte[] [element] : Object | semmle.label | access to local variable buffer : Byte[] [element] : Object |
+| Test.cs:34:29:34:69 | call to method ExecuteQuery : String | semmle.label | call to method ExecuteQuery : String |
+| Test.cs:37:42:37:96 | ... + ... | semmle.label | ... + ... |
+| Test.cs:62:29:62:48 | call to method GetCliArg : String | semmle.label | call to method GetCliArg : String |
+| Test.cs:65:42:65:96 | ... + ... | semmle.label | ... + ... |
+subpaths
+| Test.cs:28:99:28:104 | access to local variable buffer : Byte[] [element] : Object | Test.cs:12:45:12:49 | bytes : Byte[] [element] : Object | Test.cs:15:20:15:61 | call to method GetString : String | Test.cs:28:85:28:105 | call to method BytesToString : String |
+#select
+| Test.cs:23:42:23:59 | call to method GetStream : NetworkStream | Test.cs:28:42:28:111 | ... + ... |
+| Test.cs:34:29:34:69 | call to method ExecuteQuery : String | Test.cs:37:42:37:96 | ... + ... |
+| Test.cs:62:29:62:48 | call to method GetCliArg : String | Test.cs:65:42:65:96 | ... + ... |
--- a/csharp/ql/test/library-tests/dataflow/threat-models/threat-models-flowtest6.ext.yml
+++ b/csharp/ql/test/library-tests/dataflow/threat-models/threat-models-flowtest6.ext.yml
@@ -0,0 +1,17 @@
+extensions:
+
+  - addsTo:
+      pack: codeql/threat-models
+      extensible: threatModelConfiguration
+    data:
+      - ["local", true, 0]
+      - ["environment", false, 1]
+
+  - addsTo:
+      pack: codeql/csharp-all
+      extensible: sourceModel
+    data:
+      - ["My.Qltest", "TestSources", False, "ExecuteQuery", "(System.String)", "", "ReturnValue", "database", "manual"]
+      - ["My.Qltest", "TestSources", False, "ReadEnv", "(System.String)", "", "ReturnValue", "environment", "manual"]
+      - ["My.Qltest", "TestSources", False, "GetCustom", "(System.String)", "", "ReturnValue", "custom", "manual"]
+      - ["My.Qltest", "TestSources", False, "GetCliArg", "(System.Int32)", "", "ReturnValue", "commandargs", "manual"]
--- a/csharp/ql/test/library-tests/dataflow/threat-models/threat-models-flowtest6.ql
+++ b/csharp/ql/test/library-tests/dataflow/threat-models/threat-models-flowtest6.ql
@@ -0,0 +1,12 @@
+/**
+ * This is a dataflow test using the "default" threat model with the
+ * addition of the threat model group "local", but without the
+ * "environment" threat model.
+ */
+
+import Test
+import ThreatModel::PathGraph
+
+from ThreatModel::PathNode source, ThreatModel::PathNode sink
+where ThreatModel::flowPath(source, sink)
+select source, sink