C#: Query and qltest for VulnerablePackage.

2026-04-30 19:26:02 +02:00 · 2018-10-15 12:20:10 +01:00
parent 0ddb7027ee
commit 3de1f3b101
8 changed files with 437 additions and 0 deletions
--- a/Features/CWE-937/Vulnerabilities.qll
+++ b/Features/CWE-937/Vulnerabilities.qll
@@ -0,0 +1,291 @@
+/**
+ * A list of NuGet packages with known vulnerabilities.
+ * 
+ * To add a new vulnerability follow the existing pattern.
+ * Create a new class that extends the abstract class `Vulnerability`,
+ * supplying the name and the URL, and override one (or both) of
+ * `matchesRange` and `matchesVersion`.
+ */
+
+import csharp
+import Vulnerability
+
+class MicrosoftAdvisory4021279 extends Vulnerability {
+
+  MicrosoftAdvisory4021279() { this = "Microsoft Security Advisory 4021279" }
+
+  override string getUrl() { result = "https://github.com/dotnet/corefx/issues/19535" }
+
+  override predicate matchesRange(string name, Version affected, Version fixed) {
+    name = "System.Text.Encodings.Web" and (
+      affected = "4.0.0" and fixed = "4.0.1"
+      or
+      affected = "4.3.0" and fixed = "4.3.1"
+    ) or
+    name = "System.Net.Http" and (
+      affected = "4.1.1" and fixed = "4.1.2"
+      or
+      affected = "4.3.1" and fixed = "4.3.2"
+    ) or
+    name = "System.Net.Http.WinHttpHandler" and (
+      affected = "4.0.1" and fixed = "4.0.2"
+      or
+      affected = "4.3.0" and fixed = "4.3.1"
+    ) or
+    name = "System.Net.Security" and (
+      affected = "4.0.0" and fixed = "4.0.1"
+      or
+      affected = "4.3.0" and fixed = "4.3.1"
+    ) or (
+      name = "Microsoft.AspNetCore.Mvc"
+      or
+      name = "Microsoft.AspNetCore.Mvc.Core"
+      or
+      name = "Microsoft.AspNetCore.Mvc.Abstractions"
+      or
+      name = "Microsoft.AspNetCore.Mvc.ApiExplorer"
+      or
+      name = "Microsoft.AspNetCore.Mvc.Cors"
+      or
+      name = "Microsoft.AspNetCore.Mvc.DataAnnotations"
+      or
+      name = "Microsoft.AspNetCore.Mvc.Formatters.Json"
+      or
+      name = "Microsoft.AspNetCore.Mvc.Formatters.Xml"
+      or
+      name = "Microsoft.AspNetCore.Mvc.Localization"
+      or
+      name = "Microsoft.AspNetCore.Mvc.Razor.Host"
+      or
+      name = "Microsoft.AspNetCore.Mvc.Razor"
+      or
+      name = "Microsoft.AspNetCore.Mvc.TagHelpers"
+      or
+      name = "Microsoft.AspNetCore.Mvc.ViewFeatures"
+      or
+      name = "Microsoft.AspNetCore.Mvc.WebApiCompatShim"
+    ) and (
+      affected = "1.0.0" and fixed = "1.0.4"
+      or
+      affected = "1.1.0" and fixed = "1.1.3"
+    )
+  }
+}
+
+class CVE_2017_8700 extends Vulnerability {
+  CVE_2017_8700() { this = "CVE-2017-8700" }
+  
+  override string getUrl() { result = "https://github.com/aspnet/Announcements/issues/279" }
+  
+  override predicate matchesRange(string name, Version affected, Version fixed) {
+    (
+      name = "Microsoft.AspNetCore.Mvc.Core"
+      or
+      name = "Microsoft.AspNetCore.Mvc.Cors"
+    ) and (
+      affected = "1.0.0" and fixed = "1.0.6"
+      or
+      affected = "1.1.0" and fixed = "1.1.6"
+    )
+  }
+}
+
+class CVE_2018_0765 extends Vulnerability {
+  CVE_2018_0765() { this = "CVE-2018-0765" }
+  
+  override string getUrl() { result = "https://github.com/dotnet/announcements/issues/67" }
+  
+  override predicate matchesRange(string name, Version affected, Version fixed) {
+    name = "System.Security.Cryptography.Xml" and
+    affected = "0.0.0" and
+    fixed = "4.4.2"
+  }
+}
+
+class AspNetCore_Mar18 extends Vulnerability {
+  AspNetCore_Mar18() { this = "ASPNETCore-Mar18" }
+  
+  override string getUrl() { result = "https://github.com/aspnet/Announcements/issues/300" }
+
+  override predicate matchesRange(string name, Version affected, Version fixed) {
+    (
+      name = "Microsoft.AspNetCore.Server.Kestrel.Core"
+      or
+      name = "Microsoft.AspNetCore.Server.Kestrel.Transport.Abstractions"
+      or
+      name = "Microsoft.AspNetCore.Server.Kestrel.Transport.Libuv"
+      or
+      name = "Microsoft.AspNetCore.All"
+    ) and
+    affected = "2.0.0" and
+    fixed = "2.0.3"
+  }
+}
+
+class CVE_2018_8409 extends Vulnerability {
+  CVE_2018_8409() { this = "CVE-2018-8409" }
+  
+  override string getUrl() { result = "https://github.com/aspnet/Announcements/issues/316" }
+  
+  override predicate matchesRange(string name, Version affected, Version fixed) {
+    name = "System.IO.Pipelines" and affected = "4.5.0" and fixed = "4.5.1"
+    or
+    (name = "Microsoft.AspNetCore.All" or name = "Microsoft.AspNetCore.App") and
+    affected = "2.1.0" and fixed = "2.1.4"
+  }
+}
+
+class CVE_2018_8171 extends Vulnerability {
+  CVE_2018_8171() { this = "CVE-2018-8171" }
+  
+  override string getUrl() { result = "https://github.com/aspnet/Announcements/issues/310" }
+  
+  override predicate matchesRange(string name, Version affected, Version fixed) {
+    name = "Microsoft.AspNetCore.Identity" and (
+      affected = "1.0.0" and fixed = "1.0.6"
+      or
+      affected = "1.1.0" and fixed = "1.1.6"
+      or
+      affected = "2.0.0" and fixed = "2.0.4"
+      or
+      affected = "2.1.0" and fixed = "2.1.2"
+    )
+  }
+}
+
+class CVE_2018_8356 extends Vulnerability {
+  CVE_2018_8356() { this = "CVE-2018-8356" }
+
+  override string getUrl() { result = "https://github.com/dotnet/announcements/issues/73" }
+
+  override predicate matchesRange(string name, Version affected, Version fixed) {
+    (
+      name = "System.Private.ServiceModel"
+      or
+      name = "System.ServiceModel.Http"
+      or
+      name = "System.ServiceModel.NetTcp"
+    ) and (
+      affected = "4.0.0" and fixed = "4.1.3"
+      or
+      affected = "4.3.0" and fixed = "4.3.3"
+      or
+      affected = "4.4.0" and fixed = "4.4.4"
+      or
+      affected = "4.5.0" and fixed = "4.5.3"
+    )
+    or
+    (
+      name = "System.ServiceModel.Duplex"
+      or
+      name = "System.ServiceModel.Security"
+    ) and (
+      affected = "4.0.0" and fixed = "4.0.4"
+      or
+      affected = "4.3.0" and fixed = "4.3.3"
+      or
+      affected = "4.4.0" and fixed = "4.4.4"
+      or
+      affected = "4.5.0" and fixed = "4.5.3"
+    )
+    or
+    name = "System.ServiceModel.NetTcp" and (
+      affected = "4.0.0" and fixed = "4.1.3"
+      or
+      affected = "4.3.0" and fixed = "4.3.3"
+      or
+      affected = "4.4.0" and fixed = "4.4.4"
+      or
+      affected = "4.5.0" and fixed = "4.5.1"
+    )
+  }
+}
+
+class ASPNETCore_Jul18 extends Vulnerability {
+  ASPNETCore_Jul18() { this = "ASPNETCore-July18" }
+  
+  override string getUrl() { result = "https://github.com/aspnet/Announcements/issues/311" }
+
+  override predicate matchesRange(string name, Version affected, Version fixed) {
+    name = "Microsoft.AspNetCore.Server.Kestrel.Core" and (
+      affected = "2.0.0" and fixed = "2.0.4"
+      or
+      affected = "2.1.0" and fixed = "2.1.2"
+    )
+    or
+    name = "Microsoft.AspNetCore.All" and (
+      affected = "2.0.0" and fixed = "2.0.9"
+      or
+      affected = "2.1.0" and fixed = "2.1.2"
+    )
+    or
+    name = "Microsoft.AspNetCore.App" and
+    affected = "2.1.0" and
+    fixed = "2.1.2"
+  }
+}
+
+class CVE_2018_8292 extends Vulnerability {
+  CVE_2018_8292() { this = "CVE-2018-8292" }
+
+  override string getUrl() { result = "https://github.com/dotnet/announcements/issues/88" }
+
+  override predicate matchesVersion(string name, Version affected, Version fixed) {
+    name = "System.Net.Http" and (
+      affected = "2.0" or
+      affected = "4.0.0" or
+      affected = "4.1.0" or
+      affected = "1.1.1" or
+      affected = "4.1.2" or
+      affected = "4.3.0" or
+      affected = "4.3.1" or
+      affected = "4.3.2" or
+      affected = "4.3.3"
+    ) and
+    fixed = "4.3.4"
+  }
+}
+
+class CVE_2018_0786 extends Vulnerability {
+  CVE_2018_0786() { this = "CVE-2018-0786" }
+
+  override string getUrl() { result = "https://github.com/dotnet/announcements/issues/51" }
+
+  override predicate matchesRange(string name, Version affected, Version fixed) {
+    (
+      name = "System.ServiceModel.Primitives"
+      or
+      name = "System.ServiceModel.Http"
+      or
+      name = "System.ServiceModel.NetTcp"
+      or
+      name = "System.ServiceModel.Duplex"
+      or
+      name = "System.ServiceModel.Security"
+      or
+      name = "System.Private.ServiceModel"
+    ) and (
+      affected = "4.4.0" and fixed = "4.4.1"
+      or
+      affected = "4.3.0" and fixed = "4.3.1"
+    )
+    or (
+      name = "System.ServiceModel.Primitives"
+      or
+      name = "System.ServiceModel.Http"
+      or
+      name = "System.ServiceModel.NetTcp"
+      or
+      name = "System.Private.ServiceModel"
+    ) and
+    affected = "4.1.0" and
+    fixed = "4.1.1"
+    or (
+      name = "System.ServiceModel.Duplex"
+      or
+      name = "System.ServiceModel.Security"
+    ) and
+    affected = "4.0.1" and
+    fixed = "4.0.2"
+  }
+}
--- a/Features/CWE-937/Vulnerability.qll
+++ b/Features/CWE-937/Vulnerability.qll
@@ -0,0 +1,94 @@
+import csharp
+
+/**
+ * A package reference in an XML file, for example in a
+ * .csproj file, a .props file or a packages.config file.
+ */
+class Package extends XMLElement {
+  string name;
+  Version version;
+
+  Package() {
+    (this.getName() = "PackageManagement" or this.getName() = "PackageReference") and
+    name = this.getAttributeValue("Include") and
+    version = this.getAttributeValue("Version")
+    or
+    this.getName() = "package" and
+    name = this.getAttributeValue("id") and
+    version = this.getAttributeValue("version")
+  }
+
+  /** Gets the name of the package, for example `System.IO.Pipelines`. */
+  string getPackageName() {
+    result = name
+  }
+
+  /** Gets the version of the package, for example `4.5.1`. */
+  Version getVersion() {
+    result = version
+  }
+
+  override string toString() {
+    result = name + " " + version
+  }
+}
+
+/**
+ * A vulnerability, where the name of the vulnerability is this string.
+ * One of `matchesRange` or `matchesVersion` must be overridden in order to
+ * specify which packages are vulnerable.
+ */
+abstract class Vulnerability extends string {
+  bindingset[this]
+  Vulnerability() { any() }
+  
+  /**
+   * A package with name `name` is vulnerable from version `affected`
+   * until version `fixed`.
+   */
+  predicate matchesRange(string name, Version affected, Version fixed) { none() }
+  
+  /**
+   * A package with name `name` is vulnerable in version `affected`, and
+   * is fixed by version `fixed`.
+   */
+  predicate matchesVersion(string name, Version affecter, Version fixed) { none() }
+  
+  /** Gets the URL describing the vulnerability. */
+  abstract string getUrl();
+  
+  /**
+   * Holds if a package with name `name` and version `version`
+   * has this vulnerability. The fixed version is given by `fixed`.
+   */
+  bindingset[name, version]
+  predicate isVulnerable(string name, Version version, Version fixed) {
+    exists(Version affected, string n |
+      name.toLowerCase() = n.toLowerCase() |
+      matchesRange(n, affected, fixed) and
+      version.compareTo(fixed) < 0 and
+      version.compareTo(affected) >= 0
+      or
+      matchesVersion(n, affected, fixed) and
+      version.compareTo(affected) = 0
+    )
+  }
+}
+
+/**
+ * A package with a vulnerability.
+ */
+class VulnerablePackage extends Package {
+  Vulnerability vuln;
+  Version fixed;
+  
+  VulnerablePackage() {
+    vuln.isVulnerable(this.getPackageName(), this.getVersion(), fixed)
+  }
+  
+  /** Gets the vulnerability of this package. */
+  Vulnerability getVulnerability() { result = vuln }
+  
+  /** Gets the version of this package where the vulnerability is fixed. */
+  Version getFixedVersion() { result = fixed }
+}
--- a/Features/CWE-937/VulnerablePackage.ql
+++ b/Features/CWE-937/VulnerablePackage.ql
@@ -0,0 +1,19 @@
+/**
+ * @name Using a package with a known vulnerability.
+ * @description Using a package with a known vulnerability is a security risk.
+ *              Upgrade the package to a version that does not contain the vulnerability.
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @id cs/use-of-vulnerable-package
+ * @tags security
+ *       external/cwe/cwe-937
+ */
+
+import csharp
+import Vulnerabilities
+
+from Vulnerability vuln, VulnerablePackage package
+where vuln = package.getVulnerability()
+select package, "Package " + package + " has vulnerability $@, and should be upgraded to version " + package.getFixedVersion() + ".",
+  vuln.getUrl(), vuln.toString()
--- a/csharp/ql/test/query-tests/Security
+++ b/csharp/ql/test/query-tests/Security
--- a/Features/CWE-937/VulnerablePackage.expected
+++ b/Features/CWE-937/VulnerablePackage.expected
@@ -0,0 +1,6 @@
+| csproj.config:10:5:10:77 | System.Text.Encodings.Web 4.3.0 | Package System.Text.Encodings.Web 4.3.0 has vulnerability $@, and should be upgraded to version 4.3.1. | https://github.com/dotnet/corefx/issues/19535 | Microsoft Security Advisory 4021279 |
+| csproj.config:11:5:11:75 | system.text.encodings.web 4.3 | Package system.text.encodings.web 4.3 has vulnerability $@, and should be upgraded to version 4.3.1. | https://github.com/dotnet/corefx/issues/19535 | Microsoft Security Advisory 4021279 |
+| csproj.config:12:5:12:67 | System.Net.Http 4.1.1 | Package System.Net.Http 4.1.1 has vulnerability $@, and should be upgraded to version 4.1.2. | https://github.com/dotnet/corefx/issues/19535 | Microsoft Security Advisory 4021279 |
+| csproj.config:13:5:13:67 | System.Net.Http 4.1.2 | Package System.Net.Http 4.1.2 has vulnerability $@, and should be upgraded to version 4.3.4. | https://github.com/dotnet/announcements/issues/88 | CVE-2018-8292 |
+| packages.config:8:3:8:79 | System.IO.Pipelines 4.5.0 | Package System.IO.Pipelines 4.5.0 has vulnerability $@, and should be upgraded to version 4.5.1. | https://github.com/aspnet/Announcements/issues/316 | CVE-2018-8409 |
+| packages.config:9:3:9:81 | System.IO.Pipelines 4.5.0.0 | Package System.IO.Pipelines 4.5.0.0 has vulnerability $@, and should be upgraded to version 4.5.1. | https://github.com/aspnet/Announcements/issues/316 | CVE-2018-8409 |
--- a/Features/CWE-937/VulnerablePackage.qlref
+++ b/Features/CWE-937/VulnerablePackage.qlref
@@ -0,0 +1 @@
+Security Features/CWE-937/VulnerablePackage.ql
--- a/csharp/ql/test/query-tests/Security
+++ b/csharp/ql/test/query-tests/Security
@@ -0,0 +1,16 @@
+<Project>
+  <ItemGroup>
+    <!-- These are GOOD -->
+    <PackageManagement Include="Microsoft.AspNetCore.All" Version="2.1.5" />
+    <PackageReference Include="System.Net.Http" Version="4.3.4" />
+    <PackageReference Include="System.Text.Encodings.Web" Version="4.2.9" />
+    <PackageReference Include="System.Text.Encodings.Web" Version="4.3.1" />
+    
+    <!-- These are BAD -->
+    <PackageReference Include="System.Text.Encodings.Web" Version="4.3.0" />
+    <PackageReference Include="system.text.encodings.web" Version="4.3" />
+    <PackageReference Include="System.Net.Http" Version="4.1.1" />
+    <PackageReference Include="System.Net.Http" Version="4.1.2" />
+    
+  </ItemGroup>
+</Project>
--- a/csharp/ql/test/query-tests/Security
+++ b/csharp/ql/test/query-tests/Security
@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="utf-8"?>
+<packages>
+  <!-- These are GOOD -->
+  <package id="System.IO.Pipelines" version="4.5.1" targetFramework="net45" />
+  <package id="System.IO.Pipelines" version="4.5.1.0" targetFramework="net45" />
+
+  <!-- These are BAD -->
+  <package id="System.IO.Pipelines" version="4.5.0" targetFramework="net45" />
+  <package id="System.IO.Pipelines" version="4.5.0.0" targetFramework="net45" />
+</packages>
				`@@ -0,0 +1 @@`
				`Security Features/CWE-937/VulnerablePackage.ql`