Merge branch 'main' into feature/service-stack

csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsinks/Email.qll

@@ -0,0 +1,32 @@
+/** Provides data flow sinks for sending email. */
+
+import csharp
+private import Remote
+private import semmle.code.csharp.frameworks.system.net.Mail
+
+/** Provides sinks for emails. */
+module Email {
+  /** A data flow sink for sending email. */
+  abstract class Sink extends DataFlow::ExprNode, RemoteFlowSink { }
+
+  /** A data flow sink for sending email via `System.Net.Mail.MailMessage`. */
+  class MailMessageSink extends Sink {
+    MailMessageSink() {
+      exists(SystemNetMailMailMessageClass message |
+        // Constructor to the MailMessage
+        exists(ObjectCreation creation | creation.getTarget() = message.getAConstructor() |
+          this.getExpr() = creation.getArgumentForName("subject") or
+          this.getExpr() = creation.getArgumentForName("body")
+        )
+        or
+        // Assigns to a sensitive property of a MailMessage
+        exists(Property p |
+          p = message.getBodyProperty() or
+          p = message.getSubjectProperty()
+        |
+          this.getExpr() = p.getAnAssignedValue()
+        )
+      )
+    }
+  }
+}

csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsinks/ExternalLocationSink.qll

@@ -0,0 +1,70 @@
+/**
+ * Provides classes representing external location sinks.
+ */
+
+import csharp
+private import Remote
+private import semmle.code.csharp.commons.Loggers
+private import semmle.code.csharp.frameworks.system.Web
+private import semmle.code.csharp.dataflow.ExternalFlow
+
+/**
+ * An external location sink.
+ *
+ * These sinks are used to write data to locations that are external to the application, and over
+ * which the application may have no access control. For example, files on a local or remote
+ * filesystem (including log files and cookies).
+ */
+abstract class ExternalLocationSink extends DataFlow::ExprNode { }
+
+private class ExternalModelSink extends ExternalLocationSink {
+  ExternalModelSink() { sinkNode(this, "remote") }
+}
+
+/**
+ * An argument to a call to a method on a logger class.
+ */
+class LogMessageSink extends ExternalLocationSink {
+  LogMessageSink() { this.getExpr() = any(LoggerType i).getAMethod().getACall().getAnArgument() }
+}
+
+/**
+ * An argument to a call to a method on a `Trace` or `TraceSource` class.
+ */
+class TraceMessageSink extends ExternalLocationSink {
+  TraceMessageSink() {
+    exists(Class trace, string parameterName |
+      trace.hasQualifiedName("System.Diagnostics", "Trace") or
+      trace.hasQualifiedName("System.Diagnostics", "TraceSource")
+    |
+      this.getExpr() = trace.getAMethod().getACall().getArgumentForName(parameterName) and
+      (
+        parameterName = "format" or
+        parameterName = "args" or
+        parameterName = "message" or
+        parameterName = "category"
+      )
+    )
+  }
+}
+
+/**
+ * An expression set as a value on a cookie instance.
+ */
+class CookieStorageSink extends ExternalLocationSink, RemoteFlowSink {
+  CookieStorageSink() {
+    exists(Expr e | e = this.getExpr() |
+      e = any(SystemWebHttpCookie cookie).getAConstructor().getACall().getArgumentForName("value")
+      or
+      // Anything set on the Value property
+      e =
+        any(SystemWebHttpCookie cookie).getProperty("Value").getSetter().getACall().getAnArgument()
+      or
+      // Anything set on any index of the `Values` property
+      e = any(SystemWebHttpCookie cookie).getValuesProperty().getAnIndexerCall().getArgument(1)
+      or
+      // Anything set on any index of the cookie itself
+      e = any(SystemWebHttpCookie cookie).getAnIndexer().getSetter().getACall().getArgument(1)
+    )
+  }
+}

csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsinks/Html.qll

@@ -0,0 +1,216 @@
+/**
+ * Provides classes representing HTML data flow sinks.
+ */
+
+import csharp
+private import Remote
+private import semmle.code.csharp.frameworks.microsoft.AspNetCore
+private import semmle.code.csharp.frameworks.system.Net
+private import semmle.code.csharp.frameworks.system.Web
+private import semmle.code.csharp.frameworks.system.web.Mvc
+private import semmle.code.csharp.frameworks.system.web.WebPages
+private import semmle.code.csharp.frameworks.system.web.UI
+private import semmle.code.csharp.frameworks.system.web.ui.WebControls
+private import semmle.code.csharp.frameworks.system.windows.Forms
+private import semmle.code.csharp.security.dataflow.flowsources.Remote
+private import semmle.code.csharp.dataflow.ExternalFlow
+private import semmle.code.asp.AspNet
+
+/**
+ * A sink where the value of the expression may be rendered as HTML,
+ * without implicit HTML encoding.
+ */
+abstract class HtmlSink extends DataFlow::ExprNode, RemoteFlowSink { }
+
+private class ExternalHtmlSink extends HtmlSink {
+  ExternalHtmlSink() { sinkNode(this, "html") }
+}
+
+/**
+ * An expression that is used as an argument to an HTML sink method on
+ * `HttpResponse`.
+ */
+private class HttpResponseSinkModelCsv extends SinkModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "System.Web;HttpResponse;false;Write;;;Argument[0];html",
+        "System.Web;HttpResponse;false;WriteFile;;;Argument[0];html",
+        "System.Web;HttpResponse;false;TransmitFile;;;Argument[0];html",
+        "System.Web;HttpResponse;false;BinaryWrite;;;Argument[0];html"
+      ]
+  }
+}
+
+/**
+ * An expression that is used as an argument to an HTML sink method on
+ * `HtmlTextWriter`.
+ */
+class HtmlTextWriterSink extends HtmlSink {
+  HtmlTextWriterSink() {
+    exists(SystemWebUIHtmlTextWriterClass writeClass, Method m, Call c, int paramPos |
+      paramPos = 0 and
+      (
+        m = writeClass.getAWriteMethod() or
+        m = writeClass.getAWriteLineMethod() or
+        m = writeClass.getAWriteLineNoTabsMethod() or
+        m = writeClass.getAWriteBeginTagMethod() or
+        m = writeClass.getAWriteAttributeMethod()
+      )
+      or
+      // The second parameter to the `WriteAttribute` method is the attribute value, which we
+      // should only consider as tainted if the call does not ask for the attribute value to be
+      // encoded using the final parameter.
+      m = writeClass.getAWriteAttributeMethod() and
+      paramPos = 1 and
+      not c.getArgumentForParameter(m.getParameter(2)).(BoolLiteral).getBoolValue() = true
+    |
+      c = m.getACall() and
+      this.getExpr() = c.getArgumentForParameter(m.getParameter(paramPos))
+    )
+  }
+}
+
+/**
+ * An expression that is used as an argument to an HTML sink method on
+ * `AttributeCollection`.
+ */
+class AttributeCollectionSink extends HtmlSink {
+  AttributeCollectionSink() {
+    exists(SystemWebUIAttributeCollectionClass ac, Parameter p |
+      p = ac.getAddMethod().getParameter(1) or
+      p = ac.getItemProperty().getSetter().getParameter(0)
+    |
+      this.getExpr() = p.getAnAssignedArgument()
+    )
+  }
+}
+
+/**
+ * An expression that is used as the second argument `HtmlElement.SetAttribute`.
+ */
+class SetAttributeSink extends HtmlSink {
+  SetAttributeSink() {
+    this.getExpr() =
+      any(SystemWindowsFormsHtmlElement c).getSetAttributeMethod().getACall().getArgument(1)
+  }
+}
+
+/**
+ * An expression that is used as an argument to an HTML sink setter, on
+ * a class within the `System.Web.UI` namespace.
+ */
+class SystemWebSetterHtmlSink extends HtmlSink {
+  SystemWebSetterHtmlSink() {
+    exists(Property p, string name, ValueOrRefType declaringType |
+      declaringType = p.getDeclaringType() and
+      any(SystemWebUINamespace n).getAChildNamespace*() = declaringType.getNamespace() and
+      this.getExpr() = p.getAnAssignedValue() and
+      p.hasName(name)
+    |
+      name = "Caption" and
+      (declaringType.hasName("Calendar") or declaringType.hasName("Table"))
+      or
+      name = "InnerHtml"
+    )
+    or
+    exists(SystemWebUIWebControlsLabelClass c |
+      // Unlike `Text` properties of other web controls, `Label.Text` is not automatically HTML encoded
+      this.getExpr() = c.getTextProperty().getSetter().getParameter(0).getAnAssignedArgument()
+    )
+  }
+}
+
+/**
+ * An expression that is used as an argument to `HtmlHelper.Raw`, typically in
+ * a `.cshtml` file.
+ */
+class SystemWebMvcHtmlHelperRawSink extends HtmlSink {
+  SystemWebMvcHtmlHelperRawSink() {
+    this.getExpr() = any(SystemWebMvcHtmlHelperClass h).getRawMethod().getACall().getAnArgument()
+  }
+}
+
+/** An expression that is returned from a `ToHtmlString` method. */
+class ToHtmlString extends HtmlSink {
+  ToHtmlString() {
+    exists(Method toHtmlString |
+      toHtmlString = any(SystemWebIHtmlString i).getToHtmlStringMethod().getAnUltimateImplementor() and
+      toHtmlString.canReturn(this.getExpr())
+    )
+  }
+}
+
+/**
+ * An expression passed to the constructor of an `HtmlString` or a `MvcHtmlString`.
+ */
+class HtmlString extends HtmlSink {
+  HtmlString() {
+    exists(Class c |
+      c = any(SystemWebMvcMvcHtmlString m) or
+      c = any(SystemWebHtmlString m)
+    |
+      this.getExpr() = c.getAConstructor().getACall().getAnArgument()
+    )
+  }
+}
+
+/**
+ * An expression that is used as an argument to `Page.WriteLiteral`, typically in
+ * a `.cshtml` file.
+ */
+class WebPageWriteLiteralSink extends HtmlSink {
+  WebPageWriteLiteralSink() {
+    this.getExpr() = any(WebPageClass h).getWriteLiteralMethod().getACall().getAnArgument()
+  }
+}
+
+/**
+ * An expression that is used as an argument to `Page.WriteLiteralTo`, typically in
+ * a `.cshtml` file.
+ */
+class WebPageWriteLiteralToSink extends HtmlSink {
+  WebPageWriteLiteralToSink() {
+    this.getExpr() = any(WebPageClass h).getWriteLiteralToMethod().getACall().getAnArgument()
+  }
+}
+
+/** An ASP.NET Core HTML sink. */
+abstract class AspNetCoreHtmlSink extends HtmlSink { }
+
+/**
+ * An expression that is used as an argument to `IHtmlHelper.Raw`, typically in
+ * a `.cshtml` file.
+ */
+class MicrosoftAspNetCoreMvcHtmlHelperRawSink extends AspNetCoreHtmlSink {
+  MicrosoftAspNetCoreMvcHtmlHelperRawSink() {
+    exists(Call c, Callable target |
+      c.getTarget() = target and
+      target.hasName("Raw") and
+      target.getDeclaringType().getABaseType*() instanceof
+        MicrosoftAspNetCoreMvcRenderingIHtmlHelperInterface and
+      this.getExpr() = c.getAnArgument()
+    )
+  }
+}
+
+/**
+ * An expression that is used as an argument to `Page.WriteLiteral` in ASP.NET 6.0 razor page, typically in
+ * a `.cshtml` file.
+ */
+class MicrosoftAspNetRazorPageWriteLiteralSink extends AspNetCoreHtmlSink {
+  MicrosoftAspNetRazorPageWriteLiteralSink() {
+    this.getExpr() =
+      any(MicrosoftAspNetCoreMvcRazorPageBase h).getWriteLiteralMethod().getACall().getAnArgument()
+  }
+}
+
+/** `HtmlString` that may be rendered as is need to have sanitized value. */
+class MicrosoftAspNetHtmlStringSink extends AspNetCoreHtmlSink {
+  MicrosoftAspNetHtmlStringSink() {
+    exists(ObjectCreation c, MicrosoftAspNetCoreHttpHtmlString s |
+      c.getTarget() = s.getAConstructor() and
+      this.asExpr() = c.getAnArgument()
+    )
+  }
+}

csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsinks/Remote.qll

@@ -0,0 +1,31 @@
+/**
+ * Provides classes representing data flow sinks for remote user output.
+ */
+
+import csharp
+private import Email::Email
+private import ExternalLocationSink
+private import Html
+private import semmle.code.csharp.security.dataflow.XSSSinks as XSSSinks
+private import semmle.code.csharp.frameworks.system.web.UI
+
+/** A data flow sink of remote user output. */
+abstract class RemoteFlowSink extends DataFlow::Node { }
+
+/**
+ * A value written to the `[Inner]Text` property of an object defined in the
+ * `System.Web.UI` namespace.
+ */
+class SystemWebUIText extends RemoteFlowSink {
+  SystemWebUIText() {
+    exists(Property p, string name |
+      p.getDeclaringType().getNamespace().getParentNamespace*() instanceof SystemWebUINamespace and
+      this.asExpr() = p.getAnAssignedValue() and
+      p.hasName(name)
+    |
+      name = "Text"
+      or
+      name = "InnerText"
+    )
+  }
+}