Environment variable sources

csharp/ql/lib/ext/System.model.yml

@@ -6,6 +6,9 @@ extensions:
       - ["System", "Console", False, "Read", "", "", "ReturnValue", "local", "manual"]
       - ["System", "Console", False, "ReadKey", "", "", "ReturnValue", "local", "manual"]
       - ["System", "Console", False, "ReadLine", "", "", "ReturnValue", "local", "manual"]
+      - ["System", "Environment", False, "ExpandEnvironmentVariables", "", "", "ReturnValue", "environment", "manual"]
+      - ["System", "Environment", False, "GetEnvironmentVariable", "", "", "ReturnValue", "environment", "manual"]
+      - ["System", "Environment", False, "GetEnvironmentVariables", "", "", "ReturnValue", "environment", "manual"]
   - addsTo:
       pack: codeql/csharp-all
       extensible: summaryModel

csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/Local.qll

@@ -29,3 +29,10 @@ class TextFieldSource extends LocalUserInputSource {
 
   override string getSourceType() { result = "TextBox text" }
 }
+
+abstract class EnvironmentVariableSource extends LocalFlowSource {
+  override string getThreatModel() { result = "environment" }
+
+  override string getSourceType() { result = "environment variable" }
+}
+

csharp/ql/test/library-tests/dataflow/flowsources/local/environment/EnvironmentVariables.cs

@@ -0,0 +1,27 @@
+using System;
+using System.Collections;
+
+namespace EnvironmentVariables
+{
+    class EnvironmentVariables
+    {
+        public static void GetEnvironmentVariable(string environmnetVariable)
+        {
+            string value = Environment.GetEnvironmentVariable(environmnetVariable);
+            string valueFromRegistry = Environment.GetEnvironmentVariable(environmnetVariable, EnvironmentVariableTarget.Machine);
+            string valueFromProcess = Environment.GetEnvironmentVariable(environmnetVariable, EnvironmentVariableTarget.Process);
+        }
+
+        public static void GetEnvironmentVariables()
+        {
+            IDictionary environmentVariables = Environment.GetEnvironmentVariables();
+            IDictionary environmentVariablesFromRegistry = Environment.GetEnvironmentVariables(EnvironmentVariableTarget.Machine);
+            IDictionary environmentVariablesFromProcess = Environment.GetEnvironmentVariables(EnvironmentVariableTarget.Process);
+        }
+
+        public static void ExpandEnvironmentVariables(string environmentVariable)
+        {
+            string expanded = Environment.ExpandEnvironmentVariables("%PATH%");
+        }
+    }
+}

csharp/ql/test/library-tests/dataflow/flowsources/local/environment/EnvironmentVariables.expected

@@ -0,0 +1,7 @@
+| EnvironmentVariables.cs:10:28:10:82 | call to method GetEnvironmentVariable |
+| EnvironmentVariables.cs:11:40:11:129 | call to method GetEnvironmentVariable |
+| EnvironmentVariables.cs:12:39:12:128 | call to method GetEnvironmentVariable |
+| EnvironmentVariables.cs:17:48:17:84 | call to method GetEnvironmentVariables |
+| EnvironmentVariables.cs:18:60:18:129 | call to method GetEnvironmentVariables |
+| EnvironmentVariables.cs:19:59:19:128 | call to method GetEnvironmentVariables |
+| EnvironmentVariables.cs:24:31:24:78 | call to method ExpandEnvironmentVariables |

csharp/ql/test/library-tests/dataflow/flowsources/local/environment/EnvironmentVariables.ql

@@ -0,0 +1,6 @@
+import csharp
+import semmle.code.csharp.dataflow.internal.ExternalFlow
+
+from DataFlow::Node source
+where sourceNode(source, "environment")
+select source