C#: Introduce RemoteFlowSink class

Tom Hvitved
2020-03-25 14:29:46 +01:00
parent 142737dc61
commit 54677189de
9 changed files with 56 additions and 17 deletions


@@ -11,8 +11,7 @@
import csharp
import semmle.code.csharp.security.SensitiveActions
import semmle.code.csharp.security.dataflow.XSS
import semmle.code.csharp.security.dataflow.Email
import semmle.code.csharp.security.dataflow.flowsinks.Remote
import semmle.code.csharp.frameworks.system.data.Common
import semmle.code.csharp.frameworks.System
import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph
@@ -42,11 +41,7 @@ class TaintTrackingConfiguration extends TaintTracking::Configuration {
)
}
override predicate isSink(DataFlow::Node sink) {
sink instanceof XSS::Sink
or
sink instanceof Email::Sink
}
override predicate isSink(DataFlow::Node sink) { sink instanceof RemoteFlowSink }
}
from TaintTrackingConfiguration configuration, DataFlow::PathNode source, DataFlow::PathNode sink
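Review bot: The new `isSink` on the `RemoteFlowSink` line accepts every subclass of that abstract class, so this query now also reports flows into `CookieStorageSink` and the new `SystemWebUIText` sink rather than only the XSS and email sinks it matched before, and nothing in the hunk records that widening. The same applies to the second query's `isSink` further down this page. If the widening is intended, a one-line qldoc on the override would make it explicit, e.g. `/** Holds if the node is any sink of remote user output, such as HTML, email, cookie and System.Web.UI text sinks. */`. `TaintTrackingConfiguration` starts outside the hunk.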


@@ -14,7 +14,7 @@
import csharp
import semmle.code.csharp.frameworks.System
import semmle.code.csharp.security.dataflow.XSS
import semmle.code.csharp.security.dataflow.flowsinks.Remote
import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph
/**
@@ -46,7 +46,7 @@ class TaintTrackingConfiguration extends TaintTracking::Configuration {
)
}
override predicate isSink(DataFlow::Node sink) { sink instanceof XSS::Sink }
override predicate isSink(DataFlow::Node sink) { sink instanceof RemoteFlowSink }
override predicate isSanitizer(DataFlow::Node sanitizer) {
// Do not flow through Message


@@ -12,6 +12,7 @@ module XSS {
import semmle.code.csharp.frameworks.system.web.UI
import semmle.code.csharp.security.Sanitizers
import semmle.code.csharp.security.dataflow.flowsinks.Html
import semmle.code.csharp.security.dataflow.flowsinks.Remote
import semmle.code.csharp.security.dataflow.flowsources.Remote
/**
@@ -108,8 +109,11 @@ module XSS {
/**
* A data flow sink for cross-site scripting (XSS) vulnerabilities.
*
* Any XSS sink is also a remote flow sink, so this class contributes
* to the abstract class `RemoteFlowSink`.
*/
abstract class Sink extends DataFlow::ExprNode {
abstract class Sink extends DataFlow::ExprNode, RemoteFlowSink {
string explanation() { none() }
}


@@ -1,11 +1,12 @@
/** Provides data flow sinks for sending email. */
import csharp
private import Remote
private import semmle.code.csharp.frameworks.system.net.Mail
module Email {
/** A data flow sink for sending email. */
abstract class Sink extends DataFlow::ExprNode { }
abstract class Sink extends DataFlow::ExprNode, RemoteFlowSink { }
/** A data flow sink for sending email via `System.Net.Mail.MailMessage`. */
class MailMessageSink extends Sink {


@@ -3,6 +3,7 @@
*/
import csharp
private import Remote
private import semmle.code.csharp.commons.Loggers
private import semmle.code.csharp.frameworks.system.Web
@@ -45,7 +46,7 @@ class TraceMessageSink extends ExternalLocationSink {
/**
* An expression set as a value on a cookie instance.
*/
class CookieStorageSink extends ExternalLocationSink {
class CookieStorageSink extends ExternalLocationSink, RemoteFlowSink {
CookieStorageSink() {
exists(Expr e | e = this.getExpr() |
e = any(SystemWebHttpCookie cookie).getAConstructor().getACall().getArgumentForName("value")
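Review bot: Only `CookieStorageSink` gains the `RemoteFlowSink` supertype on the changed line, while the other `ExternalLocationSink` subclasses in this file (the hunk header shows `TraceMessageSink`) stay local-only, and the hunk gives no hint whether that split is deliberate. A short why-comment above the class would record the reasoning, e.g. `// Cookie values are sent back to the client, so this sink is also remote user output.` The `CookieStorageSink` characteristic predicate continues outside the hunk.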


@@ -3,6 +3,7 @@
*/
import csharp
private import Remote
private import semmle.code.csharp.frameworks.microsoft.AspNetCore
private import semmle.code.csharp.frameworks.system.Net
private import semmle.code.csharp.frameworks.system.Web
@@ -18,7 +19,7 @@ private import semmle.code.asp.AspNet
* A sink where the value of the expression may be rendered as HTML,
* without implicit HTML encoding.
*/
abstract class HtmlSink extends DataFlow::ExprNode { }
abstract class HtmlSink extends DataFlow::ExprNode, RemoteFlowSink { }
/**
* An expression that is used as an argument to an HTML sink method on
@@ -101,7 +102,7 @@ class SystemWebSetterHtmlSink extends HtmlSink {
exists(Property p, string name, ValueOrRefType declaringType |
declaringType = p.getDeclaringType() and
any(SystemWebUINamespace n).getAChildNamespace*() = declaringType.getNamespace() and
this.getExpr() = p.getSetter().getParameter(0).getAnAssignedArgument() and
this.getExpr() = p.getAnAssignedValue() and
p.hasName(name)
|
name = "Caption" and
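Review bot: The replacement of `p.getSetter().getParameter(0).getAnAssignedArgument()` by `p.getAnAssignedValue()` in `SystemWebSetterHtmlSink` is a semantic change rather than the pure refactoring the commit title announces: it presumably also matches values that reach the property other than through a direct setter call, so the set of reported HTML sinks may grow, and no test in this commit exercises the HTML sinks. A comment such as `// Any value assigned to the property, not only direct setter calls, is a sink.` plus a sentence in the commit message would document the widening. The namespace check on the line above is also spelled differently from the equivalent check in the new `Remote.qll` (`getAChildNamespace*()` here versus `getParentNamespace*()` there); using one form in both places keeps them in step. The `SystemWebSetterHtmlSink` characteristic predicate extends beyond the hunk.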


@@ -0,0 +1,31 @@
/**
* Provides classes representing data flow sinks for remote user output.
*/
import csharp
private import Email
private import ExternalLocationSink
private import Html
private import semmle.code.csharp.security.dataflow.XSS
private import semmle.code.csharp.frameworks.system.web.UI
/** A data flow sink of remote user output. */
abstract class RemoteFlowSink extends DataFlow::Node { }
/**
* A value written to the `[Inner]Text` property of an object defined in the
* `System.Web.UI` namespace.
*/
class SystemWebUIText extends RemoteFlowSink {
SystemWebUIText() {
exists(Property p, string name |
p.getDeclaringType().getNamespace().getParentNamespace*() instanceof SystemWebUINamespace and
this.asExpr() = p.getAnAssignedValue() and
p.hasName(name)
|
name = "Text"
or
name = "InnerText"
)
}
}
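Review bot: The four `private import` lines for `Email`, `ExternalLocationSink`, `Html` and `XSS` are never referenced in this file, so a reader is likely to drop them as unused, yet as far as I can tell they are what brings the `Sink`, `HtmlSink` and `CookieStorageSink` subclasses into the extent of `RemoteFlowSink` whenever this module is imported. A comment above them, e.g. `// Imported only for their declarations: these modules define the subclasses that populate RemoteFlowSink.`, would protect them from cleanup. In `SystemWebUIText`, the `string name` variable and the `name = "Text" or name = "InnerText"` disjunction could collapse to `p.hasName("Text") or p.hasName("InnerText")`, and the namespace test is written differently from the equivalent one in `Html.qll`.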


@@ -38,9 +38,9 @@ public class StackTraceHandler : IHttpHandler
log("Exception occurred", ex);
ctx.Response.Write("Exception occurred");
textBox.Text = ex.InnerException.StackTrace; // BAD (false negative)
textBox.Text = ex.StackTrace; // BAD (false negative)
textBox.Text = ex.ToString(); // BAD (false negative)
textBox.Text = ex.InnerException.StackTrace; // BAD
textBox.Text = ex.StackTrace; // BAD
textBox.Text = ex.ToString(); // BAD
textBox.Text = ex.Message; // GOOD
return;
}


@@ -5,10 +5,16 @@ nodes
| ExceptionInformationExposure.cs:21:32:21:44 | call to method ToString | semmle.label | call to method ToString |
| ExceptionInformationExposure.cs:23:32:23:33 | access to local variable ex | semmle.label | access to local variable ex |
| ExceptionInformationExposure.cs:25:32:25:44 | access to property StackTrace | semmle.label | access to property StackTrace |
| ExceptionInformationExposure.cs:41:28:41:55 | access to property StackTrace | semmle.label | access to property StackTrace |
| ExceptionInformationExposure.cs:42:28:42:40 | access to property StackTrace | semmle.label | access to property StackTrace |
| ExceptionInformationExposure.cs:43:28:43:40 | call to method ToString | semmle.label | call to method ToString |
| ExceptionInformationExposure.cs:49:28:49:55 | call to method ToString | semmle.label | call to method ToString |
#select
| ExceptionInformationExposure.cs:21:32:21:44 | call to method ToString | ExceptionInformationExposure.cs:21:32:21:44 | call to method ToString | ExceptionInformationExposure.cs:21:32:21:44 | call to method ToString | Exception information from $@ flows to here, and is exposed to the user. | ExceptionInformationExposure.cs:21:32:21:44 | call to method ToString | call to method ToString |
| ExceptionInformationExposure.cs:23:32:23:33 | access to local variable ex | ExceptionInformationExposure.cs:21:32:21:33 | access to local variable ex : Exception | ExceptionInformationExposure.cs:23:32:23:33 | access to local variable ex | Exception information from $@ flows to here, and is exposed to the user. | ExceptionInformationExposure.cs:21:32:21:33 | access to local variable ex | access to local variable ex : Exception |
| ExceptionInformationExposure.cs:23:32:23:33 | access to local variable ex | ExceptionInformationExposure.cs:23:32:23:33 | access to local variable ex | ExceptionInformationExposure.cs:23:32:23:33 | access to local variable ex | Exception information from $@ flows to here, and is exposed to the user. | ExceptionInformationExposure.cs:23:32:23:33 | access to local variable ex | access to local variable ex |
| ExceptionInformationExposure.cs:25:32:25:44 | access to property StackTrace | ExceptionInformationExposure.cs:25:32:25:44 | access to property StackTrace | ExceptionInformationExposure.cs:25:32:25:44 | access to property StackTrace | Exception information from $@ flows to here, and is exposed to the user. | ExceptionInformationExposure.cs:25:32:25:44 | access to property StackTrace | access to property StackTrace |
| ExceptionInformationExposure.cs:41:28:41:55 | access to property StackTrace | ExceptionInformationExposure.cs:41:28:41:55 | access to property StackTrace | ExceptionInformationExposure.cs:41:28:41:55 | access to property StackTrace | Exception information from $@ flows to here, and is exposed to the user. | ExceptionInformationExposure.cs:41:28:41:55 | access to property StackTrace | access to property StackTrace |
| ExceptionInformationExposure.cs:42:28:42:40 | access to property StackTrace | ExceptionInformationExposure.cs:42:28:42:40 | access to property StackTrace | ExceptionInformationExposure.cs:42:28:42:40 | access to property StackTrace | Exception information from $@ flows to here, and is exposed to the user. | ExceptionInformationExposure.cs:42:28:42:40 | access to property StackTrace | access to property StackTrace |
| ExceptionInformationExposure.cs:43:28:43:40 | call to method ToString | ExceptionInformationExposure.cs:43:28:43:40 | call to method ToString | ExceptionInformationExposure.cs:43:28:43:40 | call to method ToString | Exception information from $@ flows to here, and is exposed to the user. | ExceptionInformationExposure.cs:43:28:43:40 | call to method ToString | call to method ToString |
| ExceptionInformationExposure.cs:49:28:49:55 | call to method ToString | ExceptionInformationExposure.cs:49:28:49:55 | call to method ToString | ExceptionInformationExposure.cs:49:28:49:55 | call to method ToString | Exception information from $@ flows to here, and is exposed to the user. | ExceptionInformationExposure.cs:49:28:49:55 | call to method ToString | call to method ToString |