C#: The CaptureSummaryModels query should only produce summary models that will not be discarded at run-time.

2026-04-28 02:05:14 +02:00 · 2022-04-05 08:51:38 +02:00
parent 784327c183
commit 3937714f9f
3 changed files with 91 additions and 81 deletions
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/ExternalFlow.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/ExternalFlow.qll
@@ -509,6 +509,13 @@ Element interpretElement(
  )
 }

+/**
+ * Holds if `c` has a `generated` summary.
+ */
+predicate hasSummary(DataFlowCallable c, boolean generated) {
+  summaryElement(c, _, _, _, generated)
+}
+
 cached
 private module Cached {
  /**
--- a/csharp/ql/src/utils/model-generator/CaptureSummaryModels.ql
+++ b/csharp/ql/src/utils/model-generator/CaptureSummaryModels.ql
@@ -4,88 +4,10 @@
 * @id cs/utils/model-generator/summary-models
 */

+private import semmle.code.csharp.dataflow.ExternalFlow
 private import internal.CaptureModels
-
-/**
- * Capture fluent APIs that return `this`.
- * Example of a fluent API:
- * ```csharp
- * public class BasicFlow {
- *   public BasicFlow ReturnThis(object input)
- *   {
- *     // some side effect
- *     return this;
- *   }
- * ```
- * Captured Model:
- * ```Summaries;BasicFlow;false;ReturnThis;(System.Object);Argument[Qualifier];ReturnValue;value```
- * Capture APIs that transfer taint from an input parameter to an output return
- * value or parameter.
- * Allows a sequence of read steps followed by a sequence of store steps.
- *
- * Examples:
- *
- * ```csharp
- * public class BasicFlow {
- *   private string tainted;
- *
- *   public String ReturnField()
- *   {
- *     return tainted;
- *   }
- *
- *   public void AssignFieldToArray(object[] target)
- *   {
- *     target[0] = tainted;
- *   }
- * }
- * ```
- * Captured Models:
- * ```
- * Summaries;BasicFlow;false;ReturnField;();Argument[Qualifier];ReturnValue;taint |
- * Summaries;BasicFlow;false;AssignFieldToArray;(System.Object[]);Argument[Qualifier];Argument[0].Element;taint
- * ```
- *
- * ```csharp
- * public class BasicFlow {
- *   private string tainted;
- *
- *   public void SetField(string s)
- *   {
- *     tainted = s;
- *   }
- * }
- * ```
- * Captured Model:
- * ```Summaries;BasicFlow;false;SetField;(System.String);Argument[0];Argument[Qualifier];taint```
- *
- * ```csharp
- * public class BasicFlow {
- *   public void ReturnSubstring(string s)
- *   {
- *     return s.Substring(0, 1);
- *   }
- * }
- * ```
- * Captured Model:
- * ```Summaries;BasicFlow;false;ReturnSubstring;(System.String);Argument[0];ReturnValue;taint```
- *
- * ```csharp
- * public class BasicFlow {
- *    public void AssignToArray(int data, int[] target)
- *    {
- *        target[0] = data;
- *    }
- * }
- * ```
- * Captured Model:
- * ```Summaries;BasicFlow;false;AssignToArray;(System.Int32,System.Int32[]);Argument[0];Argument[1].Element;taint```
- */
-private string captureFlow(TargetApi api) {
-  result = captureQualifierFlow(api) or
-  result = captureThroughFlow(api)
-}
+private import internal.CaptureFlow

 from TargetApi api, string flow
-where flow = captureFlow(api)
+where flow = captureFlow(api) and not hasSummary(api, false)
 select flow order by flow
--- a/csharp/ql/src/utils/model-generator/internal/CaptureFlow.qll
+++ b/csharp/ql/src/utils/model-generator/internal/CaptureFlow.qll
@@ -0,0 +1,81 @@
+private import CaptureModels
+
+/**
+ * Capture fluent APIs that return `this`.
+ * Example of a fluent API:
+ * ```csharp
+ * public class BasicFlow {
+ *   public BasicFlow ReturnThis(object input)
+ *   {
+ *     // some side effect
+ *     return this;
+ *   }
+ * ```
+ * Captured Model:
+ * ```Summaries;BasicFlow;false;ReturnThis;(System.Object);Argument[Qualifier];ReturnValue;value```
+ * Capture APIs that transfer taint from an input parameter to an output return
+ * value or parameter.
+ * Allows a sequence of read steps followed by a sequence of store steps.
+ *
+ * Examples:
+ *
+ * ```csharp
+ * public class BasicFlow {
+ *   private string tainted;
+ *
+ *   public String ReturnField()
+ *   {
+ *     return tainted;
+ *   }
+ *
+ *   public void AssignFieldToArray(object[] target)
+ *   {
+ *     target[0] = tainted;
+ *   }
+ * }
+ * ```
+ * Captured Models:
+ * ```
+ * Summaries;BasicFlow;false;ReturnField;();Argument[Qualifier];ReturnValue;taint |
+ * Summaries;BasicFlow;false;AssignFieldToArray;(System.Object[]);Argument[Qualifier];Argument[0].Element;taint
+ * ```
+ *
+ * ```csharp
+ * public class BasicFlow {
+ *   private string tainted;
+ *
+ *   public void SetField(string s)
+ *   {
+ *     tainted = s;
+ *   }
+ * }
+ * ```
+ * Captured Model:
+ * ```Summaries;BasicFlow;false;SetField;(System.String);Argument[0];Argument[Qualifier];taint```
+ *
+ * ```csharp
+ * public class BasicFlow {
+ *   public void ReturnSubstring(string s)
+ *   {
+ *     return s.Substring(0, 1);
+ *   }
+ * }
+ * ```
+ * Captured Model:
+ * ```Summaries;BasicFlow;false;ReturnSubstring;(System.String);Argument[0];ReturnValue;taint```
+ *
+ * ```csharp
+ * public class BasicFlow {
+ *    public void AssignToArray(int data, int[] target)
+ *    {
+ *        target[0] = data;
+ *    }
+ * }
+ * ```
+ * Captured Model:
+ * ```Summaries;BasicFlow;false;AssignToArray;(System.Int32,System.Int32[]);Argument[0];Argument[1].Element;taint```
+ */
+string captureFlow(TargetApi api) {
+  result = captureQualifierFlow(api) or
+  result = captureThroughFlow(api)
+}