hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-03 12:45:27 +02:00
Code Issues Packages Projects Releases Wiki Activity

Improving documentation

Browse Source
This commit is contained in:
Raul Garcia (MSFT)
2020-07-20 13:54:23 -07:00
parent 9d7d6b39cb
commit 55473c65f1
2 changed files with 21 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
csharp/ql/src/experimental/Security Features/Serialization/DataSetSerialization.qhelp
View File

@@ -3,9 +3,12 @@
"qhelp.dtd">
<qhelp>
<overview>
<p>The <code>DataSet</code> and <code>DataTable</code> types are legacy .NET components that allow representing data sets as managed objects.<p>
<p>The <code>DataSet</code> and <code>DataTable</code> types are legacy .NET components that allow representing data sets as managed objects.</p>
<p>While <code>DataSet</code> and <code>DataTable</code> do impose default limitations on the types that are allowed to be present while deserializing XML payloads, <code>DataSet</code> and <code>DataTable</code> are in general not safe when populated with untrusted input.</p>
<p>Please visit <a href="https://go.microsoft.com/fwlink/?linkid=2132227">DataSet and DataTable security guidance</a> for more details.</p>
</overview>
<recommendation>

25
csharp/ql/src/experimental/Security Features/Serialization/DataSetSerialization.qll
View File

@@ -1,14 +1,20 @@
import csharp
/**
* Provides classes for `DataSet` or `DataTable` deserialization queries.
*
* Please visit https://go.microsoft.com/fwlink/?linkid=2132227 for details.
*/
import csharp
/**
* Abstract class thats depnds or inherits from DataSet and DataTable types.
**/
* Abstract class that depends or inherits from `DataSet` or `DataTable` types.
*/
abstract class DataSetOrTableRelatedClass extends Class {
}
/**
* Gets the DataSet and DataTable types, or types derived from them.
**/
* `DataSet`, `DataTable` types, or any types derived from them.
*/
class DataSetOrTable extends DataSetOrTableRelatedClass {
DataSetOrTable() {
this.getABaseType*().getQualifiedName().matches("System.Data.DataTable") or
@@ -19,7 +25,7 @@ class DataSetOrTable extends DataSetOrTableRelatedClass {
}
/**
* Gets a class that include a property or generic of type DataSet and DataTable
* A Class that include a property or generic collection of type `DataSet` and `DataTable`
*/
class ClassWithDataSetOrTableMember extends DataSetOrTableRelatedClass {
ClassWithDataSetOrTableMember() {
@@ -57,6 +63,9 @@ class SerializableClass extends Class {
}
}
/**
* Holds if the serializable class `c` has a property or field `m` that is of `DataSet` or `DataTable` related type
*/
predicate isClassUnsafeXmlSerializerImplementation( SerializableClass c, Member m) {
exists( Property p |
m = p |
@@ -70,7 +79,7 @@ predicate isClassUnsafeXmlSerializerImplementation( SerializableClass c, Member
}
/**
* It is unsafe to serilize DataSet and DataTable related types
* Serializable class that has a property or field that is of `DataSet` or `DataTable` related type
*/
class UnsafeXmlSerializerImplementation extends SerializableClass {
UnsafeXmlSerializerImplementation() {
@@ -98,7 +107,7 @@ class UnsafeXmlReadMethod extends Method {
}
/**
* MethodCal that may be unsafe when used to serialize DataSet and DataTable related types
* MethodCall that may be unsafe when used to serialize DataSet and DataTable related types
*/
class UnsafeXmlReadMethodCall extends MethodCall {
UnsafeXmlReadMethodCall() {