Merge pull request #13093 from GeekMasher/csharp-ext

[CSharp] Additional data extensions for sink models

csharp/ql/lib/change-notes/2023-05-09-models-as-data.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Additional support for `command-injection`, `ldap-injection`, `log-injection`, and `url-redirection` sink kinds for Models as Data.

csharp/ql/lib/semmle/code/csharp/security/dataflow/CommandInjectionQuery.qll

@@ -6,6 +6,7 @@ import csharp
 private import semmle.code.csharp.security.dataflow.flowsources.Remote
 private import semmle.code.csharp.frameworks.system.Diagnostics
 private import semmle.code.csharp.security.Sanitizers
+private import semmle.code.csharp.dataflow.ExternalFlow
 
 /**
  * A source specific to command injection vulnerabilities.
@@ -66,6 +67,11 @@ module CommandInjection = TaintTracking::Global<CommandInjectionConfig>;
 /** A source of remote user input. */
 class RemoteSource extends Source instanceof RemoteFlowSource { }
 
+/** Command Injection sinks defined through Models as Data. */
+private class ExternalCommandInjectionExprSink extends Sink {
+  ExternalCommandInjectionExprSink() { sinkNode(this, "command-injection") }
+}
+
 /**
  * A sink in `System.Diagnostic.Process` or its related classes.
  */

csharp/ql/lib/semmle/code/csharp/security/dataflow/LDAPInjectionQuery.qll

@@ -8,6 +8,7 @@ private import semmle.code.csharp.security.dataflow.flowsources.Remote
 private import semmle.code.csharp.frameworks.system.DirectoryServices
 private import semmle.code.csharp.frameworks.system.directoryservices.Protocols
 private import semmle.code.csharp.security.Sanitizers
+private import semmle.code.csharp.dataflow.ExternalFlow
 
 /**
  * A data flow source for unvalidated user input that is used to construct LDAP queries.
@@ -68,6 +69,11 @@ module LdapInjection = TaintTracking::Global<LdapInjectionConfig>;
 /** A source of remote user input. */
 class RemoteSource extends Source instanceof RemoteFlowSource { }
 
+/** LDAP sinks defined through Models as Data. */
+private class ExternalLdapExprSink extends Sink {
+  ExternalLdapExprSink() { sinkNode(this, "ldap-injection") }
+}
+
 /**
  * An argument that sets the `Path` property of a `DirectoryEntry` object that is a sink for LDAP
  * injection.

csharp/ql/lib/semmle/code/csharp/security/dataflow/LogForgingQuery.qll

@@ -8,6 +8,7 @@ private import semmle.code.csharp.frameworks.System
 private import semmle.code.csharp.frameworks.system.text.RegularExpressions
 private import semmle.code.csharp.security.Sanitizers
 private import semmle.code.csharp.security.dataflow.flowsinks.ExternalLocationSink
+private import semmle.code.csharp.dataflow.ExternalFlow
 
 /**
  * A data flow source for untrusted user input used in log entries.
@@ -72,6 +73,11 @@ private class LogForgingLogMessageSink extends Sink, LogMessageSink { }
  */
 private class LogForgingTraceMessageSink extends Sink, TraceMessageSink { }
 
+/** Log Forging sinks defined through Models as Data. */
+private class ExternalLoggingExprSink extends Sink {
+  ExternalLoggingExprSink() { sinkNode(this, "log-injection") }
+}
+
 /**
  * A call to String replace or remove that is considered to sanitize replaced string.
  */

csharp/ql/lib/semmle/code/csharp/security/dataflow/UrlRedirectQuery.qll

@@ -9,6 +9,7 @@ private import semmle.code.csharp.frameworks.system.Web
 private import semmle.code.csharp.frameworks.system.web.Mvc
 private import semmle.code.csharp.security.Sanitizers
 private import semmle.code.csharp.frameworks.microsoft.AspNetCore
+private import semmle.code.csharp.dataflow.ExternalFlow
 
 /**
  * A data flow source for unvalidated URL redirect vulnerabilities.
@@ -70,6 +71,11 @@ module UrlRedirect = TaintTracking::Global<UrlRedirectConfig>;
 /** A source of remote user input. */
 class RemoteSource extends Source instanceof RemoteFlowSource { }
 
+/** URL Redirection sinks defined through Models as Data. */
+private class ExternalUrlRedirectExprSink extends Sink {
+  ExternalUrlRedirectExprSink() { sinkNode(this, "url-redirection") }
+}
+
 /**
  * A URL argument to a call to `HttpResponse.Redirect()` or `Controller.Redirect()`, that is a
  * sink for URL redirects.