From 4dc605354cb59a4ab8e9b1de331d6a3e6590a3d3 Mon Sep 17 00:00:00 2001
From: Ed Minnix <egregius313@github.com>
Date: Tue, 20 Feb 2024 22:19:38 -0500
Subject: [PATCH] Second-order SQL injection

---
 .../CWE-089/SecondOrderSqlInjection.qhelp     |  6 --
 .../CWE-089/SecondOrderSqlInjection.ql        | 32 -----------
 ...2024-03-11-remove-stored-query-variants.md |  2 +-
 .../CWE-089/SecondOrderSqlInjection.expected  | 56 -------------------
 .../CWE-089/SecondOrderSqlInjection.qlref     |  1 -
 .../CWE-089/SqlInjection.ext.yml              |  7 +++
 6 files changed, 8 insertions(+), 96 deletions(-)
 delete mode 100644 csharp/ql/src/Security Features/CWE-089/SecondOrderSqlInjection.qhelp
 delete mode 100644 csharp/ql/src/Security Features/CWE-089/SecondOrderSqlInjection.ql
 delete mode 100644 csharp/ql/test/query-tests/Security Features/CWE-089/SecondOrderSqlInjection.expected
 delete mode 100644 csharp/ql/test/query-tests/Security Features/CWE-089/SecondOrderSqlInjection.qlref
 create mode 100644 csharp/ql/test/query-tests/Security Features/CWE-089/SqlInjection.ext.yml

diff --git a/csharp/ql/src/Security Features/CWE-089/SecondOrderSqlInjection.qhelp b/csharp/ql/src/Security Features/CWE-089/SecondOrderSqlInjection.qhelp
deleted file mode 100644
index 83ec163ed78..00000000000
--- a/csharp/ql/src/Security Features/CWE-089/SecondOrderSqlInjection.qhelp	
+++ /dev/null
@@ -1,6 +0,0 @@
-<!DOCTYPE qhelp PUBLIC
-  "-//Semmle//qhelp//EN"
-  "qhelp.dtd">
-<qhelp>
-<include src="SqlInjection.qhelp" />
-</qhelp>
diff --git a/csharp/ql/src/Security Features/CWE-089/SecondOrderSqlInjection.ql b/csharp/ql/src/Security Features/CWE-089/SecondOrderSqlInjection.ql
deleted file mode 100644
index 33c2479147d..00000000000
--- a/csharp/ql/src/Security Features/CWE-089/SecondOrderSqlInjection.ql	
+++ /dev/null
@@ -1,32 +0,0 @@
-/**
- * @name SQL query built from stored user-controlled sources
- * @description Building a SQL query from stored user-controlled sources is vulnerable to insertion
- *              of malicious SQL code by the user.
- * @kind path-problem
- * @problem.severity error
- * @security-severity 8.8
- * @precision medium
- * @id cs/second-order-sql-injection
- * @tags security
- *       external/cwe/cwe-089
- */
-
-import csharp
-import semmle.code.csharp.security.dataflow.SqlInjectionQuery
-import semmle.code.csharp.security.dataflow.flowsources.Stored
-import StoredSqlInjection::PathGraph
-
-module StoredSqlInjectionConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof StoredFlowSource }
-
-  predicate isSink = SqlInjectionConfig::isSink/1;
-
-  predicate isBarrier = SqlInjectionConfig::isBarrier/1;
-}
-
-module StoredSqlInjection = TaintTracking::Global<StoredSqlInjectionConfig>;
-
-from StoredSqlInjection::PathNode source, StoredSqlInjection::PathNode sink
-where StoredSqlInjection::flowPath(source, sink)
-select sink.getNode(), source, sink, "This SQL query depends on a $@.", source.getNode(),
-  "stored user-provided value"
diff --git a/csharp/ql/src/change-notes/2024-03-11-remove-stored-query-variants.md b/csharp/ql/src/change-notes/2024-03-11-remove-stored-query-variants.md
index 6b580be7e65..f86836b1219 100644
--- a/csharp/ql/src/change-notes/2024-03-11-remove-stored-query-variants.md
+++ b/csharp/ql/src/change-notes/2024-03-11-remove-stored-query-variants.md
@@ -1,5 +1,5 @@
 ---
 category: majorAnalysis
 ---
-* The `Stored` variants of some queries (`cs/stored-command-line-injection`, `cs/web/stored-xss`, `cs/stored-ldap-injection`, `cs/xml/stored-xpath-injection`) have been removed. If you were using these queries, their results can be restored by enabling the `file` and `database` threat models in your threat model configuration.
+* The `Stored` variants of some queries (`cs/stored-command-line-injection`, `cs/web/stored-xss`, `cs/stored-ldap-injection`, `cs/xml/stored-xpath-injection`. `cs/second-order-sql-injection`) have been removed. If you were using these queries, their results can be restored by enabling the `file` and `database` threat models in your threat model configuration.
 
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-089/SecondOrderSqlInjection.expected b/csharp/ql/test/query-tests/Security Features/CWE-089/SecondOrderSqlInjection.expected
deleted file mode 100644
index fccccdb3c73..00000000000
--- a/csharp/ql/test/query-tests/Security Features/CWE-089/SecondOrderSqlInjection.expected	
+++ /dev/null
@@ -1,56 +0,0 @@
-edges
-| SecondOrderSqlInjection.cs:25:119:25:145 | call to method GetString : String | SecondOrderSqlInjection.cs:25:71:25:145 | ... + ... | provenance |  |
-| SecondOrderSqlInjection.cs:33:31:33:32 | access to local variable fs : FileStream | SecondOrderSqlInjection.cs:35:59:35:60 | access to local variable fs : FileStream | provenance |  |
-| SecondOrderSqlInjection.cs:33:36:33:78 | object creation of type FileStream : FileStream | SecondOrderSqlInjection.cs:33:31:33:32 | access to local variable fs : FileStream | provenance |  |
-| SecondOrderSqlInjection.cs:35:37:35:38 | access to local variable sr : StreamReader | SecondOrderSqlInjection.cs:38:35:38:36 | access to local variable sr : StreamReader | provenance |  |
-| SecondOrderSqlInjection.cs:35:42:35:76 | object creation of type StreamReader : StreamReader | SecondOrderSqlInjection.cs:35:37:35:38 | access to local variable sr : StreamReader | provenance |  |
-| SecondOrderSqlInjection.cs:35:59:35:60 | access to local variable fs : FileStream | SecondOrderSqlInjection.cs:35:42:35:76 | object creation of type StreamReader : StreamReader | provenance |  |
-| SecondOrderSqlInjection.cs:38:29:38:31 | access to local variable sql : String | SecondOrderSqlInjection.cs:40:31:40:33 | access to local variable sql : String | provenance |  |
-| SecondOrderSqlInjection.cs:38:35:38:36 | access to local variable sr : StreamReader | SecondOrderSqlInjection.cs:38:35:38:47 | call to method ReadLine : String | provenance |  |
-| SecondOrderSqlInjection.cs:38:35:38:47 | call to method ReadLine : String | SecondOrderSqlInjection.cs:38:29:38:31 | access to local variable sql : String | provenance |  |
-| SecondOrderSqlInjection.cs:40:25:40:27 | access to local variable sql : String | SecondOrderSqlInjection.cs:45:57:45:59 | access to local variable sql | provenance |  |
-| SecondOrderSqlInjection.cs:40:31:40:33 | access to local variable sql : String | SecondOrderSqlInjection.cs:40:31:40:40 | call to method Trim : String | provenance |  |
-| SecondOrderSqlInjection.cs:40:31:40:40 | call to method Trim : String | SecondOrderSqlInjection.cs:40:25:40:27 | access to local variable sql : String | provenance |  |
-| SqlInjectionSqlite.cs:49:31:49:32 | access to local variable fs : FileStream | SqlInjectionSqlite.cs:51:59:51:60 | access to local variable fs : FileStream | provenance |  |
-| SqlInjectionSqlite.cs:49:36:49:84 | object creation of type FileStream : FileStream | SqlInjectionSqlite.cs:49:31:49:32 | access to local variable fs : FileStream | provenance |  |
-| SqlInjectionSqlite.cs:51:37:51:38 | access to local variable sr : StreamReader | SqlInjectionSqlite.cs:54:35:54:36 | access to local variable sr : StreamReader | provenance |  |
-| SqlInjectionSqlite.cs:51:42:51:76 | object creation of type StreamReader : StreamReader | SqlInjectionSqlite.cs:51:37:51:38 | access to local variable sr : StreamReader | provenance |  |
-| SqlInjectionSqlite.cs:51:59:51:60 | access to local variable fs : FileStream | SqlInjectionSqlite.cs:51:42:51:76 | object creation of type StreamReader : StreamReader | provenance |  |
-| SqlInjectionSqlite.cs:54:29:54:31 | access to local variable sql : String | SqlInjectionSqlite.cs:56:31:56:33 | access to local variable sql : String | provenance |  |
-| SqlInjectionSqlite.cs:54:35:54:36 | access to local variable sr : StreamReader | SqlInjectionSqlite.cs:54:35:54:47 | call to method ReadLine : String | provenance |  |
-| SqlInjectionSqlite.cs:54:35:54:47 | call to method ReadLine : String | SqlInjectionSqlite.cs:54:29:54:31 | access to local variable sql : String | provenance |  |
-| SqlInjectionSqlite.cs:56:25:56:27 | access to local variable sql : String | SqlInjectionSqlite.cs:61:53:61:55 | access to local variable sql | provenance |  |
-| SqlInjectionSqlite.cs:56:31:56:33 | access to local variable sql : String | SqlInjectionSqlite.cs:56:31:56:40 | call to method Trim : String | provenance |  |
-| SqlInjectionSqlite.cs:56:31:56:40 | call to method Trim : String | SqlInjectionSqlite.cs:56:25:56:27 | access to local variable sql : String | provenance |  |
-nodes
-| SecondOrderSqlInjection.cs:25:71:25:145 | ... + ... | semmle.label | ... + ... |
-| SecondOrderSqlInjection.cs:25:119:25:145 | call to method GetString : String | semmle.label | call to method GetString : String |
-| SecondOrderSqlInjection.cs:33:31:33:32 | access to local variable fs : FileStream | semmle.label | access to local variable fs : FileStream |
-| SecondOrderSqlInjection.cs:33:36:33:78 | object creation of type FileStream : FileStream | semmle.label | object creation of type FileStream : FileStream |
-| SecondOrderSqlInjection.cs:35:37:35:38 | access to local variable sr : StreamReader | semmle.label | access to local variable sr : StreamReader |
-| SecondOrderSqlInjection.cs:35:42:35:76 | object creation of type StreamReader : StreamReader | semmle.label | object creation of type StreamReader : StreamReader |
-| SecondOrderSqlInjection.cs:35:59:35:60 | access to local variable fs : FileStream | semmle.label | access to local variable fs : FileStream |
-| SecondOrderSqlInjection.cs:38:29:38:31 | access to local variable sql : String | semmle.label | access to local variable sql : String |
-| SecondOrderSqlInjection.cs:38:35:38:36 | access to local variable sr : StreamReader | semmle.label | access to local variable sr : StreamReader |
-| SecondOrderSqlInjection.cs:38:35:38:47 | call to method ReadLine : String | semmle.label | call to method ReadLine : String |
-| SecondOrderSqlInjection.cs:40:25:40:27 | access to local variable sql : String | semmle.label | access to local variable sql : String |
-| SecondOrderSqlInjection.cs:40:31:40:33 | access to local variable sql : String | semmle.label | access to local variable sql : String |
-| SecondOrderSqlInjection.cs:40:31:40:40 | call to method Trim : String | semmle.label | call to method Trim : String |
-| SecondOrderSqlInjection.cs:45:57:45:59 | access to local variable sql | semmle.label | access to local variable sql |
-| SqlInjectionSqlite.cs:49:31:49:32 | access to local variable fs : FileStream | semmle.label | access to local variable fs : FileStream |
-| SqlInjectionSqlite.cs:49:36:49:84 | object creation of type FileStream : FileStream | semmle.label | object creation of type FileStream : FileStream |
-| SqlInjectionSqlite.cs:51:37:51:38 | access to local variable sr : StreamReader | semmle.label | access to local variable sr : StreamReader |
-| SqlInjectionSqlite.cs:51:42:51:76 | object creation of type StreamReader : StreamReader | semmle.label | object creation of type StreamReader : StreamReader |
-| SqlInjectionSqlite.cs:51:59:51:60 | access to local variable fs : FileStream | semmle.label | access to local variable fs : FileStream |
-| SqlInjectionSqlite.cs:54:29:54:31 | access to local variable sql : String | semmle.label | access to local variable sql : String |
-| SqlInjectionSqlite.cs:54:35:54:36 | access to local variable sr : StreamReader | semmle.label | access to local variable sr : StreamReader |
-| SqlInjectionSqlite.cs:54:35:54:47 | call to method ReadLine : String | semmle.label | call to method ReadLine : String |
-| SqlInjectionSqlite.cs:56:25:56:27 | access to local variable sql : String | semmle.label | access to local variable sql : String |
-| SqlInjectionSqlite.cs:56:31:56:33 | access to local variable sql : String | semmle.label | access to local variable sql : String |
-| SqlInjectionSqlite.cs:56:31:56:40 | call to method Trim : String | semmle.label | call to method Trim : String |
-| SqlInjectionSqlite.cs:61:53:61:55 | access to local variable sql | semmle.label | access to local variable sql |
-subpaths
-#select
-| SecondOrderSqlInjection.cs:25:71:25:145 | ... + ... | SecondOrderSqlInjection.cs:25:119:25:145 | call to method GetString : String | SecondOrderSqlInjection.cs:25:71:25:145 | ... + ... | This SQL query depends on a $@. | SecondOrderSqlInjection.cs:25:119:25:145 | call to method GetString | stored user-provided value |
-| SecondOrderSqlInjection.cs:45:57:45:59 | access to local variable sql | SecondOrderSqlInjection.cs:33:36:33:78 | object creation of type FileStream : FileStream | SecondOrderSqlInjection.cs:45:57:45:59 | access to local variable sql | This SQL query depends on a $@. | SecondOrderSqlInjection.cs:33:36:33:78 | object creation of type FileStream | stored user-provided value |
-| SqlInjectionSqlite.cs:61:53:61:55 | access to local variable sql | SqlInjectionSqlite.cs:49:36:49:84 | object creation of type FileStream : FileStream | SqlInjectionSqlite.cs:61:53:61:55 | access to local variable sql | This SQL query depends on a $@. | SqlInjectionSqlite.cs:49:36:49:84 | object creation of type FileStream | stored user-provided value |
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-089/SecondOrderSqlInjection.qlref b/csharp/ql/test/query-tests/Security Features/CWE-089/SecondOrderSqlInjection.qlref
deleted file mode 100644
index 265e6995985..00000000000
--- a/csharp/ql/test/query-tests/Security Features/CWE-089/SecondOrderSqlInjection.qlref	
+++ /dev/null
@@ -1 +0,0 @@
-Security Features/CWE-089/SecondOrderSqlInjection.ql
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-089/SqlInjection.ext.yml b/csharp/ql/test/query-tests/Security Features/CWE-089/SqlInjection.ext.yml
new file mode 100644
index 00000000000..82f107ae1d7
--- /dev/null
+++ b/csharp/ql/test/query-tests/Security Features/CWE-089/SqlInjection.ext.yml	
@@ -0,0 +1,7 @@
+extensions:
+
+  - addsTo:
+      pack: codeql/threat-models
+      extensible: threatModelConfiguration
+    data:
+      - ["local", true, 0]
\ No newline at end of file