C#: Autoformat.
@@ -8,23 +8,25 @@
|
||||
* @tags security
|
||||
* external/cwe/cwe-20
|
||||
*/
|
||||
|
||||
import semmle.code.csharp.security.serialization.Serialization
|
||||
|
||||
/** The result is a write to the field `f`, assigning it the value
|
||||
/**
|
||||
* The result is a write to the field `f`, assigning it the value
|
||||
* of variable `v` which was checked by the condition `check`.
|
||||
*/
|
||||
Expr checkedWrite(Field f, Variable v, IfStmt check) {
|
||||
result = v.getAnAccess() and
|
||||
result = f.getAnAssignedValue() and
|
||||
check.getCondition() = v.getAnAccess().getParent*() and
|
||||
result.getAControlFlowNode() = check.getAControlFlowNode().getASuccessor*()
|
||||
result = v.getAnAccess() and
|
||||
result = f.getAnAssignedValue() and
|
||||
check.getCondition() = v.getAnAccess().getParent*() and
|
||||
result.getAControlFlowNode() = check.getAControlFlowNode().getASuccessor*()
|
||||
}
|
||||
|
||||
from BinarySerializableType t, Field f, IfStmt check, Expr write, Expr unsafeWrite
|
||||
where f = t.getASerializedField()
|
||||
and write = checkedWrite(f, t.getAConstructor().getAParameter(), check)
|
||||
and unsafeWrite = f.getAnAssignedValue()
|
||||
and t.getADeserializationCallback() = unsafeWrite.getEnclosingCallable()
|
||||
and not t.getADeserializationCallback().calls*(checkedWrite(f, _, _).getEnclosingCallable())
|
||||
select unsafeWrite, "This write to $@ may be circumventing a $@.",
|
||||
f, f.toString(),
|
||||
check, "check"
|
||||
where
|
||||
f = t.getASerializedField() and
|
||||
write = checkedWrite(f, t.getAConstructor().getAParameter(), check) and
|
||||
unsafeWrite = f.getAnAssignedValue() and
|
||||
t.getADeserializationCallback() = unsafeWrite.getEnclosingCallable() and
|
||||
not t.getADeserializationCallback().calls*(checkedWrite(f, _, _).getEnclosingCallable())
|
||||
select unsafeWrite, "This write to $@ may be circumventing a $@.", f, f.toString(), check, "check"
|
||||
|
||||
@@ -9,6 +9,7 @@
|
||||
* @tags security
|
||||
* external/cwe/cwe-091
|
||||
*/
|
||||
|
||||
import csharp
|
||||
import semmle.code.csharp.dataflow.flowsources.Remote
|
||||
import semmle.code.csharp.frameworks.system.Xml
|
||||
@@ -17,29 +18,28 @@ import semmle.code.csharp.frameworks.system.Xml
|
||||
* A taint-tracking configuration for untrusted user input used in XML.
|
||||
*/
|
||||
class TaintTrackingConfiguration extends TaintTracking::Configuration {
|
||||
TaintTrackingConfiguration() {
|
||||
this = "XMLInjection"
|
||||
}
|
||||
TaintTrackingConfiguration() { this = "XMLInjection" }
|
||||
|
||||
override
|
||||
predicate isSource(DataFlow::Node source) {
|
||||
source instanceof RemoteFlowSource
|
||||
}
|
||||
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
|
||||
|
||||
override
|
||||
predicate isSink(DataFlow::Node sink) {
|
||||
override predicate isSink(DataFlow::Node sink) {
|
||||
exists(MethodCall mc |
|
||||
mc.getTarget().hasName("WriteRaw") and
|
||||
mc.getTarget().getDeclaringType().getABaseType*().hasQualifiedName("System.Xml.XmlWriter") |
|
||||
mc.getTarget().getDeclaringType().getABaseType*().hasQualifiedName("System.Xml.XmlWriter")
|
||||
|
|
||||
mc.getArgument(0) = sink.asExpr()
|
||||
)
|
||||
}
|
||||
|
||||
override
|
||||
predicate isSanitizer(DataFlow::Node node) {
|
||||
override predicate isSanitizer(DataFlow::Node node) {
|
||||
exists(MethodCall mc |
|
||||
mc.getTarget().hasName("Escape") and
|
||||
mc.getTarget().getDeclaringType().getABaseType*().hasQualifiedName("System.Security.SecurityElement") |
|
||||
mc
|
||||
.getTarget()
|
||||
.getDeclaringType()
|
||||
.getABaseType*()
|
||||
.hasQualifiedName("System.Security.SecurityElement")
|
||||
|
|
||||
mc = node.asExpr()
|
||||
)
|
||||
}
|
||||
@@ -47,4 +47,4 @@ class TaintTrackingConfiguration extends TaintTracking::Configuration {
|
||||
|
||||
from TaintTrackingConfiguration c, DataFlow::Node source, DataFlow::Node sink
|
||||
where c.hasFlow(source, sink)
|
||||
select sink, "$@ flows to here and is inserted as XML.", source, "User-provided value"
|
||||
select sink, "$@ flows to here and is inserted as XML.", source, "User-provided value"
|
||||
|
||||
@@ -10,6 +10,7 @@
|
||||
* @tags security
|
||||
* external/cwe/cwe-114
|
||||
*/
|
||||
|
||||
import csharp
|
||||
import semmle.code.csharp.dataflow.flowsources.Remote
|
||||
|
||||
@@ -18,10 +19,9 @@ class MainMethod extends Method {
|
||||
this.hasName("Main") and
|
||||
this.isStatic() and
|
||||
(this.getReturnType() instanceof VoidType or this.getReturnType() instanceof IntType) and
|
||||
if this.getNumberOfParameters() = 1 then
|
||||
this.getParameter(0).getType().(ArrayType).getElementType() instanceof StringType
|
||||
else
|
||||
this.getNumberOfParameters() = 0
|
||||
if this.getNumberOfParameters() = 1
|
||||
then this.getParameter(0).getType().(ArrayType).getElementType() instanceof StringType
|
||||
else this.getNumberOfParameters() = 0
|
||||
}
|
||||
}
|
||||
|
||||
@@ -29,25 +29,29 @@ class MainMethod extends Method {
|
||||
* A taint-tracking configuration for untrusted user input used to load a DLL.
|
||||
*/
|
||||
class TaintTrackingConfiguration extends TaintTracking::Configuration {
|
||||
TaintTrackingConfiguration() {
|
||||
this = "DLLInjection"
|
||||
}
|
||||
TaintTrackingConfiguration() { this = "DLLInjection" }
|
||||
|
||||
override
|
||||
predicate isSource(DataFlow::Node source) {
|
||||
override predicate isSource(DataFlow::Node source) {
|
||||
source instanceof RemoteFlowSource or
|
||||
source.asExpr() = any(MainMethod main).getParameter(0).getAnAccess()
|
||||
}
|
||||
|
||||
override
|
||||
predicate isSink(DataFlow::Node sink) {
|
||||
override predicate isSink(DataFlow::Node sink) {
|
||||
exists(MethodCall mc, string name, int arg |
|
||||
mc.getTarget().getName().matches(name) and
|
||||
mc.getTarget().getDeclaringType().getABaseType*().hasQualifiedName("System.Reflection.Assembly") and
|
||||
mc.getArgument(arg) = sink.asExpr() |
|
||||
name = "LoadFrom" and arg = 0 and mc.getNumberOfArguments() = [1..2] or
|
||||
name = "LoadFile" and arg = 0 or
|
||||
name = "LoadWithPartialName" and arg = 0 or
|
||||
mc
|
||||
.getTarget()
|
||||
.getDeclaringType()
|
||||
.getABaseType*()
|
||||
.hasQualifiedName("System.Reflection.Assembly") and
|
||||
mc.getArgument(arg) = sink.asExpr()
|
||||
|
|
||||
name = "LoadFrom" and arg = 0 and mc.getNumberOfArguments() = [1 .. 2]
|
||||
or
|
||||
name = "LoadFile" and arg = 0
|
||||
or
|
||||
name = "LoadWithPartialName" and arg = 0
|
||||
or
|
||||
name = "UnsafeLoadFrom" and arg = 0
|
||||
)
|
||||
}
|
||||
@@ -55,4 +59,5 @@ class TaintTrackingConfiguration extends TaintTracking::Configuration {
|
||||
|
||||
from TaintTrackingConfiguration c, DataFlow::Node source, DataFlow::Node sink
|
||||
where c.hasFlow(source, sink)
|
||||
select sink, "$@ flows to here and is used as the path to dynamically load an assembly.", source, "User-provided value"
|
||||
select sink, "$@ flows to here and is used as the path to dynamically load an assembly.", source,
|
||||
"User-provided value"
|
||||
|
||||
@@ -15,10 +15,11 @@ import semmle.code.csharp.security.cryptography.EncryptionKeyDataFlow::Encryptio
|
||||
* The creation of a literal byte array.
|
||||
*/
|
||||
class ByteArrayLiteralSource extends KeySource {
|
||||
ByteArrayLiteralSource() {
|
||||
ByteArrayLiteralSource() {
|
||||
this.asExpr() = any(ArrayCreation ac |
|
||||
ac.getArrayType().getElementType() instanceof ByteType and
|
||||
ac.hasInitializer())
|
||||
ac.getArrayType().getElementType() instanceof ByteType and
|
||||
ac.hasInitializer()
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
@@ -26,12 +27,10 @@ class ByteArrayLiteralSource extends KeySource {
|
||||
* Any string literal as a source
|
||||
*/
|
||||
class StringLiteralSource extends KeySource {
|
||||
StringLiteralSource() {
|
||||
this.asExpr() instanceof StringLiteral
|
||||
}
|
||||
StringLiteralSource() { this.asExpr() instanceof StringLiteral }
|
||||
}
|
||||
|
||||
from SymmetricKeyTaintTrackingConfiguration keyFlow, KeySource src, SymmetricEncryptionKeySink sink
|
||||
where keyFlow.hasFlow(src, sink)
|
||||
select sink, "Hard-coded symmetric $@ is used in symmetric algorithm in " + sink.getDescription(), src, "key"
|
||||
|
||||
select sink, "Hard-coded symmetric $@ is used in symmetric algorithm in " + sink.getDescription(),
|
||||
src, "key"
|
||||
|
||||
@@ -18,13 +18,13 @@ abstract class SerializableType extends ValueOrRefType {
|
||||
* deserialization mechanism.
|
||||
*/
|
||||
abstract Callable getADeserializationCallback();
|
||||
|
||||
|
||||
/**
|
||||
* A field whose value is restored during a deserialization, rendering it
|
||||
* potentially untrusted.
|
||||
*/
|
||||
abstract Field getASerializedField();
|
||||
|
||||
|
||||
/**
|
||||
* Get a callback that is automatically executed (without user code
|
||||
* interaction) when an object instance is deserialized. This includes
|
||||
@@ -33,12 +33,15 @@ abstract class SerializableType extends ValueOrRefType {
|
||||
Callable getAnAutomaticCallback() {
|
||||
result = this.getADeserializationCallback() or
|
||||
result.(Destructor).getDeclaringType() = this or
|
||||
result = any(Method m | m.getDeclaringType() = this and
|
||||
m.hasName("Dispose") and (
|
||||
m.getNumberOfParameters() = 0 or
|
||||
m.getNumberOfParameters() = 1 and m.getParameter(0).getType() instanceof BoolType
|
||||
result = any(Method m |
|
||||
m.getDeclaringType() = this and
|
||||
m.hasName("Dispose") and
|
||||
(
|
||||
m.getNumberOfParameters() = 0
|
||||
or
|
||||
m.getNumberOfParameters() = 1 and m.getParameter(0).getType() instanceof BoolType
|
||||
)
|
||||
)
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
@@ -47,24 +50,24 @@ abstract class SerializableType extends ValueOrRefType {
|
||||
* attribute.
|
||||
*/
|
||||
class BinarySerializableType extends SerializableType {
|
||||
BinarySerializableType() {
|
||||
this.getAnAttribute().getType().hasName("SerializableAttribute")
|
||||
}
|
||||
|
||||
BinarySerializableType() { this.getAnAttribute().getType().hasName("SerializableAttribute") }
|
||||
|
||||
/**
|
||||
* In addition to the defaults, a `BinarySerializer` will call any method annotated
|
||||
* with an `OnDeserialized` or `OnDeserializing` attribute, as well as an
|
||||
* `OnDeserialization` method.
|
||||
*/
|
||||
override Callable getADeserializationCallback() {
|
||||
result.(SerializationConstructor).getDeclaringType() = this or
|
||||
result = this.getAMethod() and (
|
||||
result.(SerializationConstructor).getDeclaringType() = this
|
||||
or
|
||||
result = this.getAMethod() and
|
||||
(
|
||||
result.(Attributable).getAnAttribute().getType().hasName("OnDeserializedAttribute") or
|
||||
result.(Attributable).getAnAttribute().getType().hasName("OnDeserializingAttribute") or
|
||||
result.hasName("OnDeserialization")
|
||||
)
|
||||
}
|
||||
|
||||
|
||||
override Field getASerializedField() {
|
||||
result.getDeclaringType() = this and
|
||||
not result.getAnAttribute().getType().hasName("NonSerializedAttribute") and
|
||||
@@ -77,10 +80,8 @@ class BinarySerializableType extends SerializableType {
|
||||
* then it is serialized and deserialized in a special way.
|
||||
*/
|
||||
class CustomBinarySerializableType extends BinarySerializableType {
|
||||
CustomBinarySerializableType() {
|
||||
this.getABaseType*().hasName("ISerializable")
|
||||
}
|
||||
|
||||
CustomBinarySerializableType() { this.getABaseType*().hasName("ISerializable") }
|
||||
|
||||
/**
|
||||
* For custom deserialization, the `BinarySerializer` will call the serialization constructor.
|
||||
*/
|
||||
@@ -101,4 +102,4 @@ class DangerousCallable extends Callable {
|
||||
//assembly
|
||||
this.(Method).getQualifiedName().matches("System.Reflection.Assembly.%Load%")
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||