Merge pull request #15629 from egregius313/egregius313/csharp/dataflow/threat-modeling/remove-stored-query-variants

C#: Remove `Stored` variants of queries

csharp/ql/src/Security Features/CWE-078/StoredCommandInjection.qhelp

@@ -1,6 +0,0 @@
-<!DOCTYPE qhelp PUBLIC
-  "-//Semmle//qhelp//EN"
-  "qhelp.dtd">
-<qhelp>
-<include src="CommandInjection.qhelp" />
-</qhelp>

csharp/ql/src/Security Features/CWE-078/StoredCommandInjection.ql

@@ -1,34 +0,0 @@
-/**
- * @name Uncontrolled command line from stored user input
- * @description Using externally controlled strings in a command line may allow a malicious
- *              user to change the meaning of the command.
- * @kind path-problem
- * @problem.severity error
- * @security-severity 9.8
- * @precision medium
- * @id cs/stored-command-line-injection
- * @tags correctness
- *       security
- *       external/cwe/cwe-078
- *       external/cwe/cwe-088
- */
-
-import csharp
-import semmle.code.csharp.security.dataflow.flowsources.Stored
-import semmle.code.csharp.security.dataflow.CommandInjectionQuery
-import StoredCommandInjection::PathGraph
-
-module StoredCommandInjectionConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof StoredFlowSource }
-
-  predicate isSink = CommandInjectionConfig::isSink/1;
-
-  predicate isBarrier = CommandInjectionConfig::isBarrier/1;
-}
-
-module StoredCommandInjection = TaintTracking::Global<StoredCommandInjectionConfig>;
-
-from StoredCommandInjection::PathNode source, StoredCommandInjection::PathNode sink
-where StoredCommandInjection::flowPath(source, sink)
-select sink.getNode(), source, sink, "This command line depends on a $@.", source.getNode(),
-  "stored (potentially user-provided) value"

csharp/ql/src/Security Features/CWE-079/StoredXSS.qhelp

@@ -1,6 +0,0 @@
-<!DOCTYPE qhelp PUBLIC
-  "-//Semmle//qhelp//EN"
-  "qhelp.dtd">
-<qhelp>
-<include src="XSS.qhelp" />
-</qhelp>

csharp/ql/src/Security Features/CWE-079/StoredXSS.ql

@@ -1,39 +0,0 @@
-/**
- * @name Stored cross-site scripting
- * @description Writing input from the database directly to a web page indicates a cross-site
- *              scripting vulnerability if the data was originally user-provided.
- * @kind path-problem
- * @problem.severity error
- * @security-severity 6.1
- * @precision medium
- * @id cs/web/stored-xss
- * @tags security
- *       external/cwe/cwe-079
- *       external/cwe/cwe-116
- */
-
-import csharp
-import semmle.code.csharp.security.dataflow.flowsources.Stored
-import semmle.code.csharp.security.dataflow.XSSQuery
-import semmle.code.csharp.security.dataflow.XSSSinks
-import StoredXss::PathGraph
-
-module StoredXssTrackingConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof StoredFlowSource }
-
-  predicate isSink = XssTrackingConfig::isSink/1;
-
-  predicate isBarrier = XssTrackingConfig::isBarrier/1;
-}
-
-module StoredXss = TaintTracking::Global<StoredXssTrackingConfig>;
-
-from StoredXss::PathNode source, StoredXss::PathNode sink, string explanation
-where
-  StoredXss::flowPath(source, sink) and
-  if exists(sink.getNode().(Sink).explanation())
-  then explanation = " (" + sink.getNode().(Sink).explanation() + ")"
-  else explanation = ""
-select sink.getNode(), source, sink,
-  "This HTML or JavaScript write" + explanation + " depends on a $@.", source.getNode(),
-  "stored (potentially user-provided) value"

csharp/ql/src/Security Features/CWE-089/SecondOrderSqlInjection.qhelp

@@ -1,6 +0,0 @@
-<!DOCTYPE qhelp PUBLIC
-  "-//Semmle//qhelp//EN"
-  "qhelp.dtd">
-<qhelp>
-<include src="SqlInjection.qhelp" />
-</qhelp>

csharp/ql/src/Security Features/CWE-089/SecondOrderSqlInjection.ql

@@ -1,32 +0,0 @@
-/**
- * @name SQL query built from stored user-controlled sources
- * @description Building a SQL query from stored user-controlled sources is vulnerable to insertion
- *              of malicious SQL code by the user.
- * @kind path-problem
- * @problem.severity error
- * @security-severity 8.8
- * @precision medium
- * @id cs/second-order-sql-injection
- * @tags security
- *       external/cwe/cwe-089
- */
-
-import csharp
-import semmle.code.csharp.security.dataflow.SqlInjectionQuery
-import semmle.code.csharp.security.dataflow.flowsources.Stored
-import StoredSqlInjection::PathGraph
-
-module StoredSqlInjectionConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof StoredFlowSource }
-
-  predicate isSink = SqlInjectionConfig::isSink/1;
-
-  predicate isBarrier = SqlInjectionConfig::isBarrier/1;
-}
-
-module StoredSqlInjection = TaintTracking::Global<StoredSqlInjectionConfig>;
-
-from StoredSqlInjection::PathNode source, StoredSqlInjection::PathNode sink
-where StoredSqlInjection::flowPath(source, sink)
-select sink.getNode(), source, sink, "This SQL query depends on a $@.", source.getNode(),
-  "stored user-provided value"

csharp/ql/src/Security Features/CWE-090/StoredLDAPInjection.qhelp

@@ -1,6 +0,0 @@
-<!DOCTYPE qhelp PUBLIC
-  "-//Semmle//qhelp//EN"
-  "qhelp.dtd">
-<qhelp>
-<include src="LDAPInjection.qhelp" />
-</qhelp>

csharp/ql/src/Security Features/CWE-090/StoredLDAPInjection.ql

@@ -1,32 +0,0 @@
-/**
- * @name LDAP query built from stored user-controlled sources
- * @description Building an LDAP query from stored user-controlled sources is vulnerable to
- *              insertion of malicious LDAP code by the user.
- * @kind path-problem
- * @problem.severity error
- * @security-severity 9.8
- * @precision medium
- * @id cs/stored-ldap-injection
- * @tags security
- *       external/cwe/cwe-090
- */
-
-import csharp
-import semmle.code.csharp.security.dataflow.LDAPInjectionQuery
-import semmle.code.csharp.security.dataflow.flowsources.Stored
-import StoredLdapInjection::PathGraph
-
-module StoredLdapInjectionConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof StoredFlowSource }
-
-  predicate isSink = LdapInjectionConfig::isSink/1;
-
-  predicate isBarrier = LdapInjectionConfig::isBarrier/1;
-}
-
-module StoredLdapInjection = TaintTracking::Global<StoredLdapInjectionConfig>;
-
-from StoredLdapInjection::PathNode source, StoredLdapInjection::PathNode sink
-where StoredLdapInjection::flowPath(source, sink)
-select sink.getNode(), source, sink, "This LDAP query depends on a $@.", source.getNode(),
-  "stored (potentially user-provided) value"

csharp/ql/src/Security Features/CWE-643/StoredXPathInjection.qhelp

@@ -1,6 +0,0 @@
-<!DOCTYPE qhelp PUBLIC
-  "-//Semmle//qhelp//EN"
-  "qhelp.dtd">
-<qhelp>
-<include src="XPathInjection.qhelp" />
-</qhelp>

csharp/ql/src/Security Features/CWE-643/StoredXPathInjection.ql

@@ -1,32 +0,0 @@
-/**
- * @name Stored XPath injection
- * @description Building an XPath expression from stored data which may have been provided by the
- *              user is vulnerable to insertion of malicious code by the user.
- * @kind path-problem
- * @problem.severity error
- * @security-severity 9.8
- * @precision medium
- * @id cs/xml/stored-xpath-injection
- * @tags security
- *       external/cwe/cwe-643
- */
-
-import csharp
-import semmle.code.csharp.security.dataflow.flowsources.Stored
-import semmle.code.csharp.security.dataflow.XPathInjectionQuery
-import StoredXpathInjection::PathGraph
-
-module StoredXpathInjectionConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof StoredFlowSource }
-
-  predicate isSink = XpathInjectionConfig::isSink/1;
-
-  predicate isBarrier = XpathInjectionConfig::isBarrier/1;
-}
-
-module StoredXpathInjection = TaintTracking::Global<StoredXpathInjectionConfig>;
-
-from StoredXpathInjection::PathNode source, StoredXpathInjection::PathNode sink
-where StoredXpathInjection::flowPath(source, sink)
-select sink.getNode(), source, sink, "This XPath expression depends on a $@.", source.getNode(),
-  "stored (potentially user-provided) value"

csharp/ql/src/change-notes/2024-03-11-remove-stored-query-variants.md

@@ -0,0 +1,5 @@
+---
+category: majorAnalysis
+---
+* The `Stored` variants of some queries (`cs/stored-command-line-injection`, `cs/web/stored-xss`, `cs/stored-ldap-injection`, `cs/xml/stored-xpath-injection`. `cs/second-order-sql-injection`) have been removed. If you were using these queries, their results can be restored by enabling the `file` and `database` threat models in your threat model configuration.
+

csharp/ql/test/query-tests/Security Features/CWE-078/CommandInjection.cs

@@ -1,4 +1,6 @@
 using System;
+using System.Data.SqlClient;
+using System.Diagnostics;
 
 namespace System.Web.UI.WebControls
 {
@@ -34,5 +36,22 @@ namespace Test
             startInfoProps.WorkingDirectory = userInput;
             Process.Start(startInfoProps);
         }
+
+        public void StoredCommandInjection()
+        {
+            using (SqlConnection connection = new SqlConnection(""))
+            {
+                connection.Open();
+                SqlCommand customerCommand = new SqlCommand("SELECT * FROM customers", connection);
+                SqlDataReader customerReader = customerCommand.ExecuteReader();
+
+                while (customerReader.Read())
+                {
+                    // BAD: Read from database, and use it to directly execute a command
+                    Process.Start("foo.exe", "/c " + customerReader.GetString(1));
+                }
+                customerReader.Close();
+            }
+        }
     }
 }

csharp/ql/test/query-tests/Security Features/CWE-078/CommandInjection.expected

@@ -1,59 +1,63 @@
 edges
-| CommandInjection.cs:25:20:25:28 | access to local variable userInput : String | CommandInjection.cs:26:27:26:47 | ... + ... | provenance |  |
-| CommandInjection.cs:25:20:25:28 | access to local variable userInput : String | CommandInjection.cs:26:50:26:66 | ... + ... | provenance |  |
-| CommandInjection.cs:25:20:25:28 | access to local variable userInput : String | CommandInjection.cs:28:63:28:71 | access to local variable userInput | provenance |  |
-| CommandInjection.cs:25:20:25:28 | access to local variable userInput : String | CommandInjection.cs:28:63:28:71 | access to local variable userInput : String | provenance |  |
-| CommandInjection.cs:25:20:25:28 | access to local variable userInput : String | CommandInjection.cs:28:74:28:82 | access to local variable userInput | provenance |  |
-| CommandInjection.cs:25:20:25:28 | access to local variable userInput : String | CommandInjection.cs:28:74:28:82 | access to local variable userInput : String | provenance |  |
-| CommandInjection.cs:25:20:25:28 | access to local variable userInput : String | CommandInjection.cs:32:39:32:47 | access to local variable userInput | provenance |  |
-| CommandInjection.cs:25:20:25:28 | access to local variable userInput : String | CommandInjection.cs:32:39:32:47 | access to local variable userInput : String | provenance |  |
-| CommandInjection.cs:25:20:25:28 | access to local variable userInput : String | CommandInjection.cs:33:40:33:48 | access to local variable userInput | provenance |  |
-| CommandInjection.cs:25:20:25:28 | access to local variable userInput : String | CommandInjection.cs:33:40:33:48 | access to local variable userInput : String | provenance |  |
-| CommandInjection.cs:25:20:25:28 | access to local variable userInput : String | CommandInjection.cs:34:47:34:55 | access to local variable userInput | provenance |  |
-| CommandInjection.cs:25:20:25:28 | access to local variable userInput : String | CommandInjection.cs:34:47:34:55 | access to local variable userInput : String | provenance |  |
-| CommandInjection.cs:25:32:25:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:25:32:25:51 | access to property Text : String | provenance |  |
-| CommandInjection.cs:25:32:25:51 | access to property Text : String | CommandInjection.cs:25:20:25:28 | access to local variable userInput : String | provenance |  |
-| CommandInjection.cs:28:30:28:38 | access to local variable startInfo : ProcessStartInfo | CommandInjection.cs:29:27:29:35 | access to local variable startInfo | provenance |  |
-| CommandInjection.cs:28:42:28:83 | object creation of type ProcessStartInfo : ProcessStartInfo | CommandInjection.cs:28:30:28:38 | access to local variable startInfo : ProcessStartInfo | provenance |  |
-| CommandInjection.cs:28:63:28:71 | access to local variable userInput : String | CommandInjection.cs:28:42:28:83 | object creation of type ProcessStartInfo : ProcessStartInfo | provenance |  |
-| CommandInjection.cs:28:74:28:82 | access to local variable userInput : String | CommandInjection.cs:28:42:28:83 | object creation of type ProcessStartInfo : ProcessStartInfo | provenance |  |
-| CommandInjection.cs:32:13:32:26 | [post] access to local variable startInfoProps : ProcessStartInfo | CommandInjection.cs:35:27:35:40 | access to local variable startInfoProps | provenance |  |
-| CommandInjection.cs:32:39:32:47 | access to local variable userInput : String | CommandInjection.cs:32:13:32:26 | [post] access to local variable startInfoProps : ProcessStartInfo | provenance |  |
-| CommandInjection.cs:33:13:33:26 | [post] access to local variable startInfoProps : ProcessStartInfo | CommandInjection.cs:35:27:35:40 | access to local variable startInfoProps | provenance |  |
-| CommandInjection.cs:33:40:33:48 | access to local variable userInput : String | CommandInjection.cs:33:13:33:26 | [post] access to local variable startInfoProps : ProcessStartInfo | provenance |  |
-| CommandInjection.cs:34:13:34:26 | [post] access to local variable startInfoProps : ProcessStartInfo | CommandInjection.cs:35:27:35:40 | access to local variable startInfoProps | provenance |  |
-| CommandInjection.cs:34:47:34:55 | access to local variable userInput : String | CommandInjection.cs:34:13:34:26 | [post] access to local variable startInfoProps : ProcessStartInfo | provenance |  |
+| CommandInjection.cs:27:20:27:28 | access to local variable userInput : String | CommandInjection.cs:28:27:28:47 | ... + ... | provenance |  |
+| CommandInjection.cs:27:20:27:28 | access to local variable userInput : String | CommandInjection.cs:28:50:28:66 | ... + ... | provenance |  |
+| CommandInjection.cs:27:20:27:28 | access to local variable userInput : String | CommandInjection.cs:30:63:30:71 | access to local variable userInput | provenance |  |
+| CommandInjection.cs:27:20:27:28 | access to local variable userInput : String | CommandInjection.cs:30:63:30:71 | access to local variable userInput : String | provenance |  |
+| CommandInjection.cs:27:20:27:28 | access to local variable userInput : String | CommandInjection.cs:30:74:30:82 | access to local variable userInput | provenance |  |
+| CommandInjection.cs:27:20:27:28 | access to local variable userInput : String | CommandInjection.cs:30:74:30:82 | access to local variable userInput : String | provenance |  |
+| CommandInjection.cs:27:20:27:28 | access to local variable userInput : String | CommandInjection.cs:34:39:34:47 | access to local variable userInput | provenance |  |
+| CommandInjection.cs:27:20:27:28 | access to local variable userInput : String | CommandInjection.cs:34:39:34:47 | access to local variable userInput : String | provenance |  |
+| CommandInjection.cs:27:20:27:28 | access to local variable userInput : String | CommandInjection.cs:35:40:35:48 | access to local variable userInput | provenance |  |
+| CommandInjection.cs:27:20:27:28 | access to local variable userInput : String | CommandInjection.cs:35:40:35:48 | access to local variable userInput : String | provenance |  |
+| CommandInjection.cs:27:20:27:28 | access to local variable userInput : String | CommandInjection.cs:36:47:36:55 | access to local variable userInput | provenance |  |
+| CommandInjection.cs:27:20:27:28 | access to local variable userInput : String | CommandInjection.cs:36:47:36:55 | access to local variable userInput : String | provenance |  |
+| CommandInjection.cs:27:32:27:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:27:32:27:51 | access to property Text : String | provenance |  |
+| CommandInjection.cs:27:32:27:51 | access to property Text : String | CommandInjection.cs:27:20:27:28 | access to local variable userInput : String | provenance |  |
+| CommandInjection.cs:30:30:30:38 | access to local variable startInfo : ProcessStartInfo | CommandInjection.cs:31:27:31:35 | access to local variable startInfo | provenance |  |
+| CommandInjection.cs:30:42:30:83 | object creation of type ProcessStartInfo : ProcessStartInfo | CommandInjection.cs:30:30:30:38 | access to local variable startInfo : ProcessStartInfo | provenance |  |
+| CommandInjection.cs:30:63:30:71 | access to local variable userInput : String | CommandInjection.cs:30:42:30:83 | object creation of type ProcessStartInfo : ProcessStartInfo | provenance |  |
+| CommandInjection.cs:30:74:30:82 | access to local variable userInput : String | CommandInjection.cs:30:42:30:83 | object creation of type ProcessStartInfo : ProcessStartInfo | provenance |  |
+| CommandInjection.cs:34:13:34:26 | [post] access to local variable startInfoProps : ProcessStartInfo | CommandInjection.cs:37:27:37:40 | access to local variable startInfoProps | provenance |  |
+| CommandInjection.cs:34:39:34:47 | access to local variable userInput : String | CommandInjection.cs:34:13:34:26 | [post] access to local variable startInfoProps : ProcessStartInfo | provenance |  |
+| CommandInjection.cs:35:13:35:26 | [post] access to local variable startInfoProps : ProcessStartInfo | CommandInjection.cs:37:27:37:40 | access to local variable startInfoProps | provenance |  |
+| CommandInjection.cs:35:40:35:48 | access to local variable userInput : String | CommandInjection.cs:35:13:35:26 | [post] access to local variable startInfoProps : ProcessStartInfo | provenance |  |
+| CommandInjection.cs:36:13:36:26 | [post] access to local variable startInfoProps : ProcessStartInfo | CommandInjection.cs:37:27:37:40 | access to local variable startInfoProps | provenance |  |
+| CommandInjection.cs:36:47:36:55 | access to local variable userInput : String | CommandInjection.cs:36:13:36:26 | [post] access to local variable startInfoProps : ProcessStartInfo | provenance |  |
+| CommandInjection.cs:51:54:51:80 | call to method GetString : String | CommandInjection.cs:51:46:51:80 | ... + ... | provenance |  |
 nodes
-| CommandInjection.cs:25:20:25:28 | access to local variable userInput : String | semmle.label | access to local variable userInput : String |
-| CommandInjection.cs:25:32:25:46 | access to field categoryTextBox : TextBox | semmle.label | access to field categoryTextBox : TextBox |
-| CommandInjection.cs:25:32:25:51 | access to property Text : String | semmle.label | access to property Text : String |
-| CommandInjection.cs:26:27:26:47 | ... + ... | semmle.label | ... + ... |
-| CommandInjection.cs:26:50:26:66 | ... + ... | semmle.label | ... + ... |
-| CommandInjection.cs:28:30:28:38 | access to local variable startInfo : ProcessStartInfo | semmle.label | access to local variable startInfo : ProcessStartInfo |
-| CommandInjection.cs:28:42:28:83 | object creation of type ProcessStartInfo : ProcessStartInfo | semmle.label | object creation of type ProcessStartInfo : ProcessStartInfo |
-| CommandInjection.cs:28:63:28:71 | access to local variable userInput | semmle.label | access to local variable userInput |
-| CommandInjection.cs:28:63:28:71 | access to local variable userInput : String | semmle.label | access to local variable userInput : String |
-| CommandInjection.cs:28:74:28:82 | access to local variable userInput | semmle.label | access to local variable userInput |
-| CommandInjection.cs:28:74:28:82 | access to local variable userInput : String | semmle.label | access to local variable userInput : String |
-| CommandInjection.cs:29:27:29:35 | access to local variable startInfo | semmle.label | access to local variable startInfo |
-| CommandInjection.cs:32:13:32:26 | [post] access to local variable startInfoProps : ProcessStartInfo | semmle.label | [post] access to local variable startInfoProps : ProcessStartInfo |
-| CommandInjection.cs:32:39:32:47 | access to local variable userInput | semmle.label | access to local variable userInput |
-| CommandInjection.cs:32:39:32:47 | access to local variable userInput : String | semmle.label | access to local variable userInput : String |
-| CommandInjection.cs:33:13:33:26 | [post] access to local variable startInfoProps : ProcessStartInfo | semmle.label | [post] access to local variable startInfoProps : ProcessStartInfo |
-| CommandInjection.cs:33:40:33:48 | access to local variable userInput | semmle.label | access to local variable userInput |
-| CommandInjection.cs:33:40:33:48 | access to local variable userInput : String | semmle.label | access to local variable userInput : String |
+| CommandInjection.cs:27:20:27:28 | access to local variable userInput : String | semmle.label | access to local variable userInput : String |
+| CommandInjection.cs:27:32:27:46 | access to field categoryTextBox : TextBox | semmle.label | access to field categoryTextBox : TextBox |
+| CommandInjection.cs:27:32:27:51 | access to property Text : String | semmle.label | access to property Text : String |
+| CommandInjection.cs:28:27:28:47 | ... + ... | semmle.label | ... + ... |
+| CommandInjection.cs:28:50:28:66 | ... + ... | semmle.label | ... + ... |
+| CommandInjection.cs:30:30:30:38 | access to local variable startInfo : ProcessStartInfo | semmle.label | access to local variable startInfo : ProcessStartInfo |
+| CommandInjection.cs:30:42:30:83 | object creation of type ProcessStartInfo : ProcessStartInfo | semmle.label | object creation of type ProcessStartInfo : ProcessStartInfo |
+| CommandInjection.cs:30:63:30:71 | access to local variable userInput | semmle.label | access to local variable userInput |
+| CommandInjection.cs:30:63:30:71 | access to local variable userInput : String | semmle.label | access to local variable userInput : String |
+| CommandInjection.cs:30:74:30:82 | access to local variable userInput | semmle.label | access to local variable userInput |
+| CommandInjection.cs:30:74:30:82 | access to local variable userInput : String | semmle.label | access to local variable userInput : String |
+| CommandInjection.cs:31:27:31:35 | access to local variable startInfo | semmle.label | access to local variable startInfo |
 | CommandInjection.cs:34:13:34:26 | [post] access to local variable startInfoProps : ProcessStartInfo | semmle.label | [post] access to local variable startInfoProps : ProcessStartInfo |
-| CommandInjection.cs:34:47:34:55 | access to local variable userInput | semmle.label | access to local variable userInput |
-| CommandInjection.cs:34:47:34:55 | access to local variable userInput : String | semmle.label | access to local variable userInput : String |
-| CommandInjection.cs:35:27:35:40 | access to local variable startInfoProps | semmle.label | access to local variable startInfoProps |
+| CommandInjection.cs:34:39:34:47 | access to local variable userInput | semmle.label | access to local variable userInput |
+| CommandInjection.cs:34:39:34:47 | access to local variable userInput : String | semmle.label | access to local variable userInput : String |
+| CommandInjection.cs:35:13:35:26 | [post] access to local variable startInfoProps : ProcessStartInfo | semmle.label | [post] access to local variable startInfoProps : ProcessStartInfo |
+| CommandInjection.cs:35:40:35:48 | access to local variable userInput | semmle.label | access to local variable userInput |
+| CommandInjection.cs:35:40:35:48 | access to local variable userInput : String | semmle.label | access to local variable userInput : String |
+| CommandInjection.cs:36:13:36:26 | [post] access to local variable startInfoProps : ProcessStartInfo | semmle.label | [post] access to local variable startInfoProps : ProcessStartInfo |
+| CommandInjection.cs:36:47:36:55 | access to local variable userInput | semmle.label | access to local variable userInput |
+| CommandInjection.cs:36:47:36:55 | access to local variable userInput : String | semmle.label | access to local variable userInput : String |
+| CommandInjection.cs:37:27:37:40 | access to local variable startInfoProps | semmle.label | access to local variable startInfoProps |
+| CommandInjection.cs:51:46:51:80 | ... + ... | semmle.label | ... + ... |
+| CommandInjection.cs:51:54:51:80 | call to method GetString : String | semmle.label | call to method GetString : String |
 subpaths
 #select
-| CommandInjection.cs:26:27:26:47 | ... + ... | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:26:27:26:47 | ... + ... | This command line depends on a $@. | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | user-provided value |
-| CommandInjection.cs:26:50:26:66 | ... + ... | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:26:50:26:66 | ... + ... | This command line depends on a $@. | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | user-provided value |
-| CommandInjection.cs:28:63:28:71 | access to local variable userInput | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:28:63:28:71 | access to local variable userInput | This command line depends on a $@. | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | user-provided value |
-| CommandInjection.cs:28:74:28:82 | access to local variable userInput | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:28:74:28:82 | access to local variable userInput | This command line depends on a $@. | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | user-provided value |
-| CommandInjection.cs:29:27:29:35 | access to local variable startInfo | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:29:27:29:35 | access to local variable startInfo | This command line depends on a $@. | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | user-provided value |
-| CommandInjection.cs:32:39:32:47 | access to local variable userInput | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:32:39:32:47 | access to local variable userInput | This command line depends on a $@. | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | user-provided value |
-| CommandInjection.cs:33:40:33:48 | access to local variable userInput | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:33:40:33:48 | access to local variable userInput | This command line depends on a $@. | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | user-provided value |
-| CommandInjection.cs:34:47:34:55 | access to local variable userInput | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:34:47:34:55 | access to local variable userInput | This command line depends on a $@. | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | user-provided value |
-| CommandInjection.cs:35:27:35:40 | access to local variable startInfoProps | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:35:27:35:40 | access to local variable startInfoProps | This command line depends on a $@. | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | user-provided value |
+| CommandInjection.cs:28:27:28:47 | ... + ... | CommandInjection.cs:27:32:27:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:28:27:28:47 | ... + ... | This command line depends on a $@. | CommandInjection.cs:27:32:27:46 | access to field categoryTextBox | user-provided value |
+| CommandInjection.cs:28:50:28:66 | ... + ... | CommandInjection.cs:27:32:27:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:28:50:28:66 | ... + ... | This command line depends on a $@. | CommandInjection.cs:27:32:27:46 | access to field categoryTextBox | user-provided value |
+| CommandInjection.cs:30:63:30:71 | access to local variable userInput | CommandInjection.cs:27:32:27:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:30:63:30:71 | access to local variable userInput | This command line depends on a $@. | CommandInjection.cs:27:32:27:46 | access to field categoryTextBox | user-provided value |
+| CommandInjection.cs:30:74:30:82 | access to local variable userInput | CommandInjection.cs:27:32:27:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:30:74:30:82 | access to local variable userInput | This command line depends on a $@. | CommandInjection.cs:27:32:27:46 | access to field categoryTextBox | user-provided value |
+| CommandInjection.cs:31:27:31:35 | access to local variable startInfo | CommandInjection.cs:27:32:27:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:31:27:31:35 | access to local variable startInfo | This command line depends on a $@. | CommandInjection.cs:27:32:27:46 | access to field categoryTextBox | user-provided value |
+| CommandInjection.cs:34:39:34:47 | access to local variable userInput | CommandInjection.cs:27:32:27:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:34:39:34:47 | access to local variable userInput | This command line depends on a $@. | CommandInjection.cs:27:32:27:46 | access to field categoryTextBox | user-provided value |
+| CommandInjection.cs:35:40:35:48 | access to local variable userInput | CommandInjection.cs:27:32:27:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:35:40:35:48 | access to local variable userInput | This command line depends on a $@. | CommandInjection.cs:27:32:27:46 | access to field categoryTextBox | user-provided value |
+| CommandInjection.cs:36:47:36:55 | access to local variable userInput | CommandInjection.cs:27:32:27:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:36:47:36:55 | access to local variable userInput | This command line depends on a $@. | CommandInjection.cs:27:32:27:46 | access to field categoryTextBox | user-provided value |
+| CommandInjection.cs:37:27:37:40 | access to local variable startInfoProps | CommandInjection.cs:27:32:27:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:37:27:37:40 | access to local variable startInfoProps | This command line depends on a $@. | CommandInjection.cs:27:32:27:46 | access to field categoryTextBox | user-provided value |
+| CommandInjection.cs:51:46:51:80 | ... + ... | CommandInjection.cs:51:54:51:80 | call to method GetString : String | CommandInjection.cs:51:46:51:80 | ... + ... | This command line depends on a $@. | CommandInjection.cs:51:54:51:80 | call to method GetString | user-provided value |

csharp/ql/test/query-tests/Security Features/CWE-078/CommandInjection.ext.yml

@@ -0,0 +1,7 @@
+extensions:
+
+  - addsTo:
+      pack: codeql/threat-models
+      extensible: threatModelConfiguration
+    data:
+      - ["local", true, 0]

csharp/ql/test/query-tests/Security Features/CWE-078/StoredCommandInjection.cs

@@ -1,28 +0,0 @@
-using System;
-using System.Data.SqlClient;
-using System.Diagnostics;
-
-namespace Test
-{
-
-    class StoredCommandInjection
-    {
-
-        public void Test()
-        {
-            using (SqlConnection connection = new SqlConnection(""))
-            {
-                connection.Open();
-                SqlCommand customerCommand = new SqlCommand("SELECT * FROM customers", connection);
-                SqlDataReader customerReader = customerCommand.ExecuteReader();
-
-                while (customerReader.Read())
-                {
-                    // BAD: Read from database, and use it to directly execute a command
-                    Process.Start("foo.exe", "/c " + customerReader.GetString(1));
-                }
-                customerReader.Close();
-            }
-        }
-    }
-}

csharp/ql/test/query-tests/Security Features/CWE-078/StoredCommandInjection.expected

@@ -1,8 +0,0 @@
-edges
-| StoredCommandInjection.cs:22:54:22:80 | call to method GetString : String | StoredCommandInjection.cs:22:46:22:80 | ... + ... | provenance |  |
-nodes
-| StoredCommandInjection.cs:22:46:22:80 | ... + ... | semmle.label | ... + ... |
-| StoredCommandInjection.cs:22:54:22:80 | call to method GetString : String | semmle.label | call to method GetString : String |
-subpaths
-#select
-| StoredCommandInjection.cs:22:46:22:80 | ... + ... | StoredCommandInjection.cs:22:54:22:80 | call to method GetString : String | StoredCommandInjection.cs:22:46:22:80 | ... + ... | This command line depends on a $@. | StoredCommandInjection.cs:22:54:22:80 | call to method GetString | stored (potentially user-provided) value |

csharp/ql/test/query-tests/Security Features/CWE-078/StoredCommandInjection.qlref

@@ -1 +0,0 @@
-Security Features/CWE-078/StoredCommandInjection.ql

csharp/ql/test/query-tests/Security Features/CWE-079/StoredXSS/StoredXSS.expected

@@ -5,4 +5,4 @@ nodes
 | StoredXSS.cs:22:60:22:86 | call to method GetString : String | semmle.label | call to method GetString : String |
 subpaths
 #select
-| StoredXSS.cs:22:44:22:86 | ... + ... | StoredXSS.cs:22:60:22:86 | call to method GetString : String | StoredXSS.cs:22:44:22:86 | ... + ... | This HTML or JavaScript write depends on a $@. | StoredXSS.cs:22:60:22:86 | call to method GetString | stored (potentially user-provided) value |
+| StoredXSS.cs:22:44:22:86 | ... + ... | StoredXSS.cs:22:60:22:86 | call to method GetString : String | StoredXSS.cs:22:44:22:86 | ... + ... | $@ flows to here and is written to HTML or JavaScript. | StoredXSS.cs:22:60:22:86 | call to method GetString : String | User-provided value |

csharp/ql/test/query-tests/Security Features/CWE-079/StoredXSS/StoredXSS.ext.yml

@@ -0,0 +1,7 @@
+extensions:
+
+  - addsTo:
+      pack: codeql/threat-models
+      extensible: threatModelConfiguration
+    data:
+      - ["local", true, 0]

csharp/ql/test/query-tests/Security Features/CWE-079/StoredXSS/StoredXSS.qlref

@@ -1 +1 @@
-Security Features/CWE-079/StoredXSS.ql
+Security Features/CWE-079/XSS.ql

csharp/ql/test/query-tests/Security Features/CWE-089/SecondOrderSqlInjection.expected

@@ -1,56 +0,0 @@
-edges
-| SecondOrderSqlInjection.cs:25:119:25:145 | call to method GetString : String | SecondOrderSqlInjection.cs:25:71:25:145 | ... + ... | provenance |  |
-| SecondOrderSqlInjection.cs:33:31:33:32 | access to local variable fs : FileStream | SecondOrderSqlInjection.cs:35:59:35:60 | access to local variable fs : FileStream | provenance |  |
-| SecondOrderSqlInjection.cs:33:36:33:78 | object creation of type FileStream : FileStream | SecondOrderSqlInjection.cs:33:31:33:32 | access to local variable fs : FileStream | provenance |  |
-| SecondOrderSqlInjection.cs:35:37:35:38 | access to local variable sr : StreamReader | SecondOrderSqlInjection.cs:38:35:38:36 | access to local variable sr : StreamReader | provenance |  |
-| SecondOrderSqlInjection.cs:35:42:35:76 | object creation of type StreamReader : StreamReader | SecondOrderSqlInjection.cs:35:37:35:38 | access to local variable sr : StreamReader | provenance |  |
-| SecondOrderSqlInjection.cs:35:59:35:60 | access to local variable fs : FileStream | SecondOrderSqlInjection.cs:35:42:35:76 | object creation of type StreamReader : StreamReader | provenance |  |
-| SecondOrderSqlInjection.cs:38:29:38:31 | access to local variable sql : String | SecondOrderSqlInjection.cs:40:31:40:33 | access to local variable sql : String | provenance |  |
-| SecondOrderSqlInjection.cs:38:35:38:36 | access to local variable sr : StreamReader | SecondOrderSqlInjection.cs:38:35:38:47 | call to method ReadLine : String | provenance |  |
-| SecondOrderSqlInjection.cs:38:35:38:47 | call to method ReadLine : String | SecondOrderSqlInjection.cs:38:29:38:31 | access to local variable sql : String | provenance |  |
-| SecondOrderSqlInjection.cs:40:25:40:27 | access to local variable sql : String | SecondOrderSqlInjection.cs:45:57:45:59 | access to local variable sql | provenance |  |
-| SecondOrderSqlInjection.cs:40:31:40:33 | access to local variable sql : String | SecondOrderSqlInjection.cs:40:31:40:40 | call to method Trim : String | provenance |  |
-| SecondOrderSqlInjection.cs:40:31:40:40 | call to method Trim : String | SecondOrderSqlInjection.cs:40:25:40:27 | access to local variable sql : String | provenance |  |
-| SqlInjectionSqlite.cs:49:31:49:32 | access to local variable fs : FileStream | SqlInjectionSqlite.cs:51:59:51:60 | access to local variable fs : FileStream | provenance |  |
-| SqlInjectionSqlite.cs:49:36:49:84 | object creation of type FileStream : FileStream | SqlInjectionSqlite.cs:49:31:49:32 | access to local variable fs : FileStream | provenance |  |
-| SqlInjectionSqlite.cs:51:37:51:38 | access to local variable sr : StreamReader | SqlInjectionSqlite.cs:54:35:54:36 | access to local variable sr : StreamReader | provenance |  |
-| SqlInjectionSqlite.cs:51:42:51:76 | object creation of type StreamReader : StreamReader | SqlInjectionSqlite.cs:51:37:51:38 | access to local variable sr : StreamReader | provenance |  |
-| SqlInjectionSqlite.cs:51:59:51:60 | access to local variable fs : FileStream | SqlInjectionSqlite.cs:51:42:51:76 | object creation of type StreamReader : StreamReader | provenance |  |
-| SqlInjectionSqlite.cs:54:29:54:31 | access to local variable sql : String | SqlInjectionSqlite.cs:56:31:56:33 | access to local variable sql : String | provenance |  |
-| SqlInjectionSqlite.cs:54:35:54:36 | access to local variable sr : StreamReader | SqlInjectionSqlite.cs:54:35:54:47 | call to method ReadLine : String | provenance |  |
-| SqlInjectionSqlite.cs:54:35:54:47 | call to method ReadLine : String | SqlInjectionSqlite.cs:54:29:54:31 | access to local variable sql : String | provenance |  |
-| SqlInjectionSqlite.cs:56:25:56:27 | access to local variable sql : String | SqlInjectionSqlite.cs:61:53:61:55 | access to local variable sql | provenance |  |
-| SqlInjectionSqlite.cs:56:31:56:33 | access to local variable sql : String | SqlInjectionSqlite.cs:56:31:56:40 | call to method Trim : String | provenance |  |
-| SqlInjectionSqlite.cs:56:31:56:40 | call to method Trim : String | SqlInjectionSqlite.cs:56:25:56:27 | access to local variable sql : String | provenance |  |
-nodes
-| SecondOrderSqlInjection.cs:25:71:25:145 | ... + ... | semmle.label | ... + ... |
-| SecondOrderSqlInjection.cs:25:119:25:145 | call to method GetString : String | semmle.label | call to method GetString : String |
-| SecondOrderSqlInjection.cs:33:31:33:32 | access to local variable fs : FileStream | semmle.label | access to local variable fs : FileStream |
-| SecondOrderSqlInjection.cs:33:36:33:78 | object creation of type FileStream : FileStream | semmle.label | object creation of type FileStream : FileStream |
-| SecondOrderSqlInjection.cs:35:37:35:38 | access to local variable sr : StreamReader | semmle.label | access to local variable sr : StreamReader |
-| SecondOrderSqlInjection.cs:35:42:35:76 | object creation of type StreamReader : StreamReader | semmle.label | object creation of type StreamReader : StreamReader |
-| SecondOrderSqlInjection.cs:35:59:35:60 | access to local variable fs : FileStream | semmle.label | access to local variable fs : FileStream |
-| SecondOrderSqlInjection.cs:38:29:38:31 | access to local variable sql : String | semmle.label | access to local variable sql : String |
-| SecondOrderSqlInjection.cs:38:35:38:36 | access to local variable sr : StreamReader | semmle.label | access to local variable sr : StreamReader |
-| SecondOrderSqlInjection.cs:38:35:38:47 | call to method ReadLine : String | semmle.label | call to method ReadLine : String |
-| SecondOrderSqlInjection.cs:40:25:40:27 | access to local variable sql : String | semmle.label | access to local variable sql : String |
-| SecondOrderSqlInjection.cs:40:31:40:33 | access to local variable sql : String | semmle.label | access to local variable sql : String |
-| SecondOrderSqlInjection.cs:40:31:40:40 | call to method Trim : String | semmle.label | call to method Trim : String |
-| SecondOrderSqlInjection.cs:45:57:45:59 | access to local variable sql | semmle.label | access to local variable sql |
-| SqlInjectionSqlite.cs:49:31:49:32 | access to local variable fs : FileStream | semmle.label | access to local variable fs : FileStream |
-| SqlInjectionSqlite.cs:49:36:49:84 | object creation of type FileStream : FileStream | semmle.label | object creation of type FileStream : FileStream |
-| SqlInjectionSqlite.cs:51:37:51:38 | access to local variable sr : StreamReader | semmle.label | access to local variable sr : StreamReader |
-| SqlInjectionSqlite.cs:51:42:51:76 | object creation of type StreamReader : StreamReader | semmle.label | object creation of type StreamReader : StreamReader |
-| SqlInjectionSqlite.cs:51:59:51:60 | access to local variable fs : FileStream | semmle.label | access to local variable fs : FileStream |
-| SqlInjectionSqlite.cs:54:29:54:31 | access to local variable sql : String | semmle.label | access to local variable sql : String |
-| SqlInjectionSqlite.cs:54:35:54:36 | access to local variable sr : StreamReader | semmle.label | access to local variable sr : StreamReader |
-| SqlInjectionSqlite.cs:54:35:54:47 | call to method ReadLine : String | semmle.label | call to method ReadLine : String |
-| SqlInjectionSqlite.cs:56:25:56:27 | access to local variable sql : String | semmle.label | access to local variable sql : String |
-| SqlInjectionSqlite.cs:56:31:56:33 | access to local variable sql : String | semmle.label | access to local variable sql : String |
-| SqlInjectionSqlite.cs:56:31:56:40 | call to method Trim : String | semmle.label | call to method Trim : String |
-| SqlInjectionSqlite.cs:61:53:61:55 | access to local variable sql | semmle.label | access to local variable sql |
-subpaths
-#select
-| SecondOrderSqlInjection.cs:25:71:25:145 | ... + ... | SecondOrderSqlInjection.cs:25:119:25:145 | call to method GetString : String | SecondOrderSqlInjection.cs:25:71:25:145 | ... + ... | This SQL query depends on a $@. | SecondOrderSqlInjection.cs:25:119:25:145 | call to method GetString | stored user-provided value |
-| SecondOrderSqlInjection.cs:45:57:45:59 | access to local variable sql | SecondOrderSqlInjection.cs:33:36:33:78 | object creation of type FileStream : FileStream | SecondOrderSqlInjection.cs:45:57:45:59 | access to local variable sql | This SQL query depends on a $@. | SecondOrderSqlInjection.cs:33:36:33:78 | object creation of type FileStream | stored user-provided value |
-| SqlInjectionSqlite.cs:61:53:61:55 | access to local variable sql | SqlInjectionSqlite.cs:49:36:49:84 | object creation of type FileStream : FileStream | SqlInjectionSqlite.cs:61:53:61:55 | access to local variable sql | This SQL query depends on a $@. | SqlInjectionSqlite.cs:49:36:49:84 | object creation of type FileStream | stored user-provided value |

csharp/ql/test/query-tests/Security Features/CWE-089/SecondOrderSqlInjection.qlref

@@ -1 +0,0 @@
-Security Features/CWE-089/SecondOrderSqlInjection.ql

csharp/ql/test/query-tests/Security Features/CWE-089/SqlInjection.expected

@@ -1,4 +1,16 @@
 edges
+| SecondOrderSqlInjection.cs:25:119:25:145 | call to method GetString : String | SecondOrderSqlInjection.cs:25:71:25:145 | ... + ... | provenance |  |
+| SecondOrderSqlInjection.cs:33:31:33:32 | access to local variable fs : FileStream | SecondOrderSqlInjection.cs:35:59:35:60 | access to local variable fs : FileStream | provenance |  |
+| SecondOrderSqlInjection.cs:33:36:33:78 | object creation of type FileStream : FileStream | SecondOrderSqlInjection.cs:33:31:33:32 | access to local variable fs : FileStream | provenance |  |
+| SecondOrderSqlInjection.cs:35:37:35:38 | access to local variable sr : StreamReader | SecondOrderSqlInjection.cs:38:35:38:36 | access to local variable sr : StreamReader | provenance |  |
+| SecondOrderSqlInjection.cs:35:42:35:76 | object creation of type StreamReader : StreamReader | SecondOrderSqlInjection.cs:35:37:35:38 | access to local variable sr : StreamReader | provenance |  |
+| SecondOrderSqlInjection.cs:35:59:35:60 | access to local variable fs : FileStream | SecondOrderSqlInjection.cs:35:42:35:76 | object creation of type StreamReader : StreamReader | provenance |  |
+| SecondOrderSqlInjection.cs:38:29:38:31 | access to local variable sql : String | SecondOrderSqlInjection.cs:40:31:40:33 | access to local variable sql : String | provenance |  |
+| SecondOrderSqlInjection.cs:38:35:38:36 | access to local variable sr : StreamReader | SecondOrderSqlInjection.cs:38:35:38:47 | call to method ReadLine : String | provenance |  |
+| SecondOrderSqlInjection.cs:38:35:38:47 | call to method ReadLine : String | SecondOrderSqlInjection.cs:38:29:38:31 | access to local variable sql : String | provenance |  |
+| SecondOrderSqlInjection.cs:40:25:40:27 | access to local variable sql : String | SecondOrderSqlInjection.cs:45:57:45:59 | access to local variable sql | provenance |  |
+| SecondOrderSqlInjection.cs:40:31:40:33 | access to local variable sql : String | SecondOrderSqlInjection.cs:40:31:40:40 | call to method Trim : String | provenance |  |
+| SecondOrderSqlInjection.cs:40:31:40:40 | call to method Trim : String | SecondOrderSqlInjection.cs:40:25:40:27 | access to local variable sql : String | provenance |  |
 | SqlInjection.cs:32:21:32:26 | access to local variable query1 : String | SqlInjection.cs:34:50:34:55 | access to local variable query1 | provenance |  |
 | SqlInjection.cs:33:21:33:35 | access to field categoryTextBox : TextBox | SqlInjection.cs:33:21:33:40 | access to property Text : String | provenance |  |
 | SqlInjection.cs:33:21:33:40 | access to property Text : String | SqlInjection.cs:32:21:32:26 | access to local variable query1 : String | provenance |  |
@@ -50,6 +62,20 @@ edges
 | SqlInjectionSqlite.cs:56:31:56:33 | access to local variable sql : String | SqlInjectionSqlite.cs:56:31:56:40 | call to method Trim : String | provenance |  |
 | SqlInjectionSqlite.cs:56:31:56:40 | call to method Trim : String | SqlInjectionSqlite.cs:56:25:56:27 | access to local variable sql : String | provenance |  |
 nodes
+| SecondOrderSqlInjection.cs:25:71:25:145 | ... + ... | semmle.label | ... + ... |
+| SecondOrderSqlInjection.cs:25:119:25:145 | call to method GetString : String | semmle.label | call to method GetString : String |
+| SecondOrderSqlInjection.cs:33:31:33:32 | access to local variable fs : FileStream | semmle.label | access to local variable fs : FileStream |
+| SecondOrderSqlInjection.cs:33:36:33:78 | object creation of type FileStream : FileStream | semmle.label | object creation of type FileStream : FileStream |
+| SecondOrderSqlInjection.cs:35:37:35:38 | access to local variable sr : StreamReader | semmle.label | access to local variable sr : StreamReader |
+| SecondOrderSqlInjection.cs:35:42:35:76 | object creation of type StreamReader : StreamReader | semmle.label | object creation of type StreamReader : StreamReader |
+| SecondOrderSqlInjection.cs:35:59:35:60 | access to local variable fs : FileStream | semmle.label | access to local variable fs : FileStream |
+| SecondOrderSqlInjection.cs:38:29:38:31 | access to local variable sql : String | semmle.label | access to local variable sql : String |
+| SecondOrderSqlInjection.cs:38:35:38:36 | access to local variable sr : StreamReader | semmle.label | access to local variable sr : StreamReader |
+| SecondOrderSqlInjection.cs:38:35:38:47 | call to method ReadLine : String | semmle.label | call to method ReadLine : String |
+| SecondOrderSqlInjection.cs:40:25:40:27 | access to local variable sql : String | semmle.label | access to local variable sql : String |
+| SecondOrderSqlInjection.cs:40:31:40:33 | access to local variable sql : String | semmle.label | access to local variable sql : String |
+| SecondOrderSqlInjection.cs:40:31:40:40 | call to method Trim : String | semmle.label | call to method Trim : String |
+| SecondOrderSqlInjection.cs:45:57:45:59 | access to local variable sql | semmle.label | access to local variable sql |
 | SqlInjection.cs:32:21:32:26 | access to local variable query1 : String | semmle.label | access to local variable query1 : String |
 | SqlInjection.cs:33:21:33:35 | access to field categoryTextBox : TextBox | semmle.label | access to field categoryTextBox : TextBox |
 | SqlInjection.cs:33:21:33:40 | access to property Text : String | semmle.label | access to property Text : String |
@@ -118,6 +144,8 @@ nodes
 | SqlInjectionSqlite.cs:61:53:61:55 | access to local variable sql | semmle.label | access to local variable sql |
 subpaths
 #select
+| SecondOrderSqlInjection.cs:25:71:25:145 | ... + ... | SecondOrderSqlInjection.cs:25:119:25:145 | call to method GetString : String | SecondOrderSqlInjection.cs:25:71:25:145 | ... + ... | This query depends on $@. | SecondOrderSqlInjection.cs:25:119:25:145 | call to method GetString : String | this database input |
+| SecondOrderSqlInjection.cs:45:57:45:59 | access to local variable sql | SecondOrderSqlInjection.cs:33:36:33:78 | object creation of type FileStream : FileStream | SecondOrderSqlInjection.cs:45:57:45:59 | access to local variable sql | This query depends on $@. | SecondOrderSqlInjection.cs:33:36:33:78 | object creation of type FileStream : FileStream | this file stream |
 | SqlInjection.cs:34:50:34:55 | access to local variable query1 | SqlInjection.cs:33:21:33:35 | access to field categoryTextBox : TextBox | SqlInjection.cs:34:50:34:55 | access to local variable query1 | This query depends on $@. | SqlInjection.cs:33:21:33:35 | access to field categoryTextBox : TextBox | this ASP.NET user input |
 | SqlInjection.cs:69:56:69:61 | access to local variable query1 | SqlInjection.cs:68:33:68:47 | access to field categoryTextBox : TextBox | SqlInjection.cs:69:56:69:61 | access to local variable query1 | This query depends on $@. | SqlInjection.cs:68:33:68:47 | access to field categoryTextBox : TextBox | this ASP.NET user input |
 | SqlInjection.cs:70:55:70:60 | access to local variable query1 | SqlInjection.cs:68:33:68:47 | access to field categoryTextBox : TextBox | SqlInjection.cs:70:55:70:60 | access to local variable query1 | This query depends on $@. | SqlInjection.cs:68:33:68:47 | access to field categoryTextBox : TextBox | this ASP.NET user input |
@@ -136,4 +164,5 @@ subpaths
 | SqlInjectionSqlite.cs:33:49:33:66 | access to property Text | SqlInjectionSqlite.cs:33:49:33:61 | access to field untrustedData : TextBox | SqlInjectionSqlite.cs:33:49:33:66 | access to property Text | This query depends on $@. | SqlInjectionSqlite.cs:33:49:33:61 | access to field untrustedData : TextBox | this ASP.NET user input |
 | SqlInjectionSqlite.cs:39:45:39:62 | access to property Text | SqlInjectionSqlite.cs:39:45:39:57 | access to field untrustedData : TextBox | SqlInjectionSqlite.cs:39:45:39:62 | access to property Text | This query depends on $@. | SqlInjectionSqlite.cs:39:45:39:57 | access to field untrustedData : TextBox | this ASP.NET user input |
 | SqlInjectionSqlite.cs:44:45:44:47 | access to local variable cmd | SqlInjectionSqlite.cs:24:41:24:53 | access to field untrustedData : TextBox | SqlInjectionSqlite.cs:44:45:44:47 | access to local variable cmd | This query depends on $@. | SqlInjectionSqlite.cs:24:41:24:53 | access to field untrustedData : TextBox | this ASP.NET user input |
+| SqlInjectionSqlite.cs:61:53:61:55 | access to local variable sql | SqlInjectionSqlite.cs:49:36:49:84 | object creation of type FileStream : FileStream | SqlInjectionSqlite.cs:61:53:61:55 | access to local variable sql | This query depends on $@. | SqlInjectionSqlite.cs:49:36:49:84 | object creation of type FileStream : FileStream | this file stream |
 | SqlInjectionSqlite.cs:61:53:61:55 | access to local variable sql | SqlInjectionSqlite.cs:49:51:49:63 | access to field untrustedData : TextBox | SqlInjectionSqlite.cs:61:53:61:55 | access to local variable sql | This query depends on $@. | SqlInjectionSqlite.cs:49:51:49:63 | access to field untrustedData : TextBox | this ASP.NET user input |

csharp/ql/test/query-tests/Security Features/CWE-089/SqlInjection.ext.yml

@@ -0,0 +1,7 @@
+extensions:
+
+  - addsTo:
+      pack: codeql/threat-models
+      extensible: threatModelConfiguration
+    data:
+      - ["local", true, 0]

csharp/ql/test/query-tests/Security Features/CWE-090/LDAPInjection.cs

@@ -1,4 +1,5 @@
 using System;
+using System.Data.SqlClient;
 using System.DirectoryServices;
 using System.DirectoryServices.Protocols;
 using System.Web;
@@ -27,6 +28,20 @@ public class LDAPInjectionHandler : IHttpHandler
         DirectoryEntry de = new DirectoryEntry("LDAP://Cn=" + userName);
         DirectoryEntry de2 = new DirectoryEntry();
         de2.Path = "LDAP://Cn=" + userName;
+
+        using (SqlConnection connection = new SqlConnection(""))
+        {
+            connection.Open();
+            SqlCommand customerCommand = new SqlCommand("SELECT * FROM customers", connection);
+            SqlDataReader customerReader = customerCommand.ExecuteReader();
+
+            while (customerReader.Read())
+            {
+                // BAD: Read from database, write it straight to a response
+                DirectorySearcher ds4 = new DirectorySearcher("accountname=" + customerReader.GetString(1));
+            }
+            customerReader.Close();
+        }
     }
 
     public string LDAPEncode(string value)

csharp/ql/test/query-tests/Security Features/CWE-090/LDAPInjection.expected

@@ -1,28 +1,32 @@
 edges
-| LDAPInjection.cs:11:16:11:23 | access to local variable userName : String | LDAPInjection.cs:14:54:14:78 | ... + ... | provenance |  |
-| LDAPInjection.cs:11:16:11:23 | access to local variable userName : String | LDAPInjection.cs:16:21:16:45 | ... + ... | provenance |  |
-| LDAPInjection.cs:11:16:11:23 | access to local variable userName : String | LDAPInjection.cs:23:21:23:45 | ... + ... | provenance |  |
-| LDAPInjection.cs:11:16:11:23 | access to local variable userName : String | LDAPInjection.cs:24:53:24:77 | ... + ... | provenance |  |
-| LDAPInjection.cs:11:16:11:23 | access to local variable userName : String | LDAPInjection.cs:27:48:27:70 | ... + ... | provenance |  |
-| LDAPInjection.cs:11:16:11:23 | access to local variable userName : String | LDAPInjection.cs:29:20:29:42 | ... + ... | provenance |  |
-| LDAPInjection.cs:11:27:11:49 | access to property QueryString : NameValueCollection | LDAPInjection.cs:11:16:11:23 | access to local variable userName : String | provenance |  |
-| LDAPInjection.cs:11:27:11:49 | access to property QueryString : NameValueCollection | LDAPInjection.cs:11:27:11:61 | access to indexer : String | provenance |  |
-| LDAPInjection.cs:11:27:11:61 | access to indexer : String | LDAPInjection.cs:11:16:11:23 | access to local variable userName : String | provenance |  |
+| LDAPInjection.cs:12:16:12:23 | access to local variable userName : String | LDAPInjection.cs:15:54:15:78 | ... + ... | provenance |  |
+| LDAPInjection.cs:12:16:12:23 | access to local variable userName : String | LDAPInjection.cs:17:21:17:45 | ... + ... | provenance |  |
+| LDAPInjection.cs:12:16:12:23 | access to local variable userName : String | LDAPInjection.cs:24:21:24:45 | ... + ... | provenance |  |
+| LDAPInjection.cs:12:16:12:23 | access to local variable userName : String | LDAPInjection.cs:25:53:25:77 | ... + ... | provenance |  |
+| LDAPInjection.cs:12:16:12:23 | access to local variable userName : String | LDAPInjection.cs:28:48:28:70 | ... + ... | provenance |  |
+| LDAPInjection.cs:12:16:12:23 | access to local variable userName : String | LDAPInjection.cs:30:20:30:42 | ... + ... | provenance |  |
+| LDAPInjection.cs:12:27:12:49 | access to property QueryString : NameValueCollection | LDAPInjection.cs:12:16:12:23 | access to local variable userName : String | provenance |  |
+| LDAPInjection.cs:12:27:12:49 | access to property QueryString : NameValueCollection | LDAPInjection.cs:12:27:12:61 | access to indexer : String | provenance |  |
+| LDAPInjection.cs:12:27:12:61 | access to indexer : String | LDAPInjection.cs:12:16:12:23 | access to local variable userName : String | provenance |  |
+| LDAPInjection.cs:41:80:41:106 | call to method GetString : String | LDAPInjection.cs:41:63:41:106 | ... + ... | provenance |  |
 nodes
-| LDAPInjection.cs:11:16:11:23 | access to local variable userName : String | semmle.label | access to local variable userName : String |
-| LDAPInjection.cs:11:27:11:49 | access to property QueryString : NameValueCollection | semmle.label | access to property QueryString : NameValueCollection |
-| LDAPInjection.cs:11:27:11:61 | access to indexer : String | semmle.label | access to indexer : String |
-| LDAPInjection.cs:14:54:14:78 | ... + ... | semmle.label | ... + ... |
-| LDAPInjection.cs:16:21:16:45 | ... + ... | semmle.label | ... + ... |
-| LDAPInjection.cs:23:21:23:45 | ... + ... | semmle.label | ... + ... |
-| LDAPInjection.cs:24:53:24:77 | ... + ... | semmle.label | ... + ... |
-| LDAPInjection.cs:27:48:27:70 | ... + ... | semmle.label | ... + ... |
-| LDAPInjection.cs:29:20:29:42 | ... + ... | semmle.label | ... + ... |
+| LDAPInjection.cs:12:16:12:23 | access to local variable userName : String | semmle.label | access to local variable userName : String |
+| LDAPInjection.cs:12:27:12:49 | access to property QueryString : NameValueCollection | semmle.label | access to property QueryString : NameValueCollection |
+| LDAPInjection.cs:12:27:12:61 | access to indexer : String | semmle.label | access to indexer : String |
+| LDAPInjection.cs:15:54:15:78 | ... + ... | semmle.label | ... + ... |
+| LDAPInjection.cs:17:21:17:45 | ... + ... | semmle.label | ... + ... |
+| LDAPInjection.cs:24:21:24:45 | ... + ... | semmle.label | ... + ... |
+| LDAPInjection.cs:25:53:25:77 | ... + ... | semmle.label | ... + ... |
+| LDAPInjection.cs:28:48:28:70 | ... + ... | semmle.label | ... + ... |
+| LDAPInjection.cs:30:20:30:42 | ... + ... | semmle.label | ... + ... |
+| LDAPInjection.cs:41:63:41:106 | ... + ... | semmle.label | ... + ... |
+| LDAPInjection.cs:41:80:41:106 | call to method GetString : String | semmle.label | call to method GetString : String |
 subpaths
 #select
-| LDAPInjection.cs:14:54:14:78 | ... + ... | LDAPInjection.cs:11:27:11:49 | access to property QueryString : NameValueCollection | LDAPInjection.cs:14:54:14:78 | ... + ... | This LDAP query depends on a $@. | LDAPInjection.cs:11:27:11:49 | access to property QueryString | user-provided value |
-| LDAPInjection.cs:16:21:16:45 | ... + ... | LDAPInjection.cs:11:27:11:49 | access to property QueryString : NameValueCollection | LDAPInjection.cs:16:21:16:45 | ... + ... | This LDAP query depends on a $@. | LDAPInjection.cs:11:27:11:49 | access to property QueryString | user-provided value |
-| LDAPInjection.cs:23:21:23:45 | ... + ... | LDAPInjection.cs:11:27:11:49 | access to property QueryString : NameValueCollection | LDAPInjection.cs:23:21:23:45 | ... + ... | This LDAP query depends on a $@. | LDAPInjection.cs:11:27:11:49 | access to property QueryString | user-provided value |
-| LDAPInjection.cs:24:53:24:77 | ... + ... | LDAPInjection.cs:11:27:11:49 | access to property QueryString : NameValueCollection | LDAPInjection.cs:24:53:24:77 | ... + ... | This LDAP query depends on a $@. | LDAPInjection.cs:11:27:11:49 | access to property QueryString | user-provided value |
-| LDAPInjection.cs:27:48:27:70 | ... + ... | LDAPInjection.cs:11:27:11:49 | access to property QueryString : NameValueCollection | LDAPInjection.cs:27:48:27:70 | ... + ... | This LDAP query depends on a $@. | LDAPInjection.cs:11:27:11:49 | access to property QueryString | user-provided value |
-| LDAPInjection.cs:29:20:29:42 | ... + ... | LDAPInjection.cs:11:27:11:49 | access to property QueryString : NameValueCollection | LDAPInjection.cs:29:20:29:42 | ... + ... | This LDAP query depends on a $@. | LDAPInjection.cs:11:27:11:49 | access to property QueryString | user-provided value |
+| LDAPInjection.cs:15:54:15:78 | ... + ... | LDAPInjection.cs:12:27:12:49 | access to property QueryString : NameValueCollection | LDAPInjection.cs:15:54:15:78 | ... + ... | This LDAP query depends on a $@. | LDAPInjection.cs:12:27:12:49 | access to property QueryString | user-provided value |
+| LDAPInjection.cs:17:21:17:45 | ... + ... | LDAPInjection.cs:12:27:12:49 | access to property QueryString : NameValueCollection | LDAPInjection.cs:17:21:17:45 | ... + ... | This LDAP query depends on a $@. | LDAPInjection.cs:12:27:12:49 | access to property QueryString | user-provided value |
+| LDAPInjection.cs:24:21:24:45 | ... + ... | LDAPInjection.cs:12:27:12:49 | access to property QueryString : NameValueCollection | LDAPInjection.cs:24:21:24:45 | ... + ... | This LDAP query depends on a $@. | LDAPInjection.cs:12:27:12:49 | access to property QueryString | user-provided value |
+| LDAPInjection.cs:25:53:25:77 | ... + ... | LDAPInjection.cs:12:27:12:49 | access to property QueryString : NameValueCollection | LDAPInjection.cs:25:53:25:77 | ... + ... | This LDAP query depends on a $@. | LDAPInjection.cs:12:27:12:49 | access to property QueryString | user-provided value |
+| LDAPInjection.cs:28:48:28:70 | ... + ... | LDAPInjection.cs:12:27:12:49 | access to property QueryString : NameValueCollection | LDAPInjection.cs:28:48:28:70 | ... + ... | This LDAP query depends on a $@. | LDAPInjection.cs:12:27:12:49 | access to property QueryString | user-provided value |
+| LDAPInjection.cs:30:20:30:42 | ... + ... | LDAPInjection.cs:12:27:12:49 | access to property QueryString : NameValueCollection | LDAPInjection.cs:30:20:30:42 | ... + ... | This LDAP query depends on a $@. | LDAPInjection.cs:12:27:12:49 | access to property QueryString | user-provided value |
+| LDAPInjection.cs:41:63:41:106 | ... + ... | LDAPInjection.cs:41:80:41:106 | call to method GetString : String | LDAPInjection.cs:41:63:41:106 | ... + ... | This LDAP query depends on a $@. | LDAPInjection.cs:41:80:41:106 | call to method GetString | user-provided value |

csharp/ql/test/query-tests/Security Features/CWE-090/LDAPInjection.ext.yml

@@ -0,0 +1,7 @@
+extensions:
+
+  - addsTo:
+      pack: codeql/threat-models
+      extensible: threatModelConfiguration
+    data:
+      - ["local", true, 0]

csharp/ql/test/query-tests/Security Features/CWE-090/StoredLDAPInjection.cs

@@ -1,28 +0,0 @@
-using System;
-using System.Data.SqlClient;
-using System.DirectoryServices;
-
-namespace Test
-{
-
-    class StoredLDAPInjection
-    {
-
-        public void processRequest()
-        {
-            using (SqlConnection connection = new SqlConnection(""))
-            {
-                connection.Open();
-                SqlCommand customerCommand = new SqlCommand("SELECT * FROM customers", connection);
-                SqlDataReader customerReader = customerCommand.ExecuteReader();
-
-                while (customerReader.Read())
-                {
-                    // BAD: Read from database, write it straight to a response
-                    DirectorySearcher ds = new DirectorySearcher("accountname=" + customerReader.GetString(1));
-                }
-                customerReader.Close();
-            }
-        }
-    }
-}

csharp/ql/test/query-tests/Security Features/CWE-090/StoredLDAPInjection.expected

@@ -1,8 +0,0 @@
-edges
-| StoredLDAPInjection.cs:22:83:22:109 | call to method GetString : String | StoredLDAPInjection.cs:22:66:22:109 | ... + ... | provenance |  |
-nodes
-| StoredLDAPInjection.cs:22:66:22:109 | ... + ... | semmle.label | ... + ... |
-| StoredLDAPInjection.cs:22:83:22:109 | call to method GetString : String | semmle.label | call to method GetString : String |
-subpaths
-#select
-| StoredLDAPInjection.cs:22:66:22:109 | ... + ... | StoredLDAPInjection.cs:22:83:22:109 | call to method GetString : String | StoredLDAPInjection.cs:22:66:22:109 | ... + ... | This LDAP query depends on a $@. | StoredLDAPInjection.cs:22:83:22:109 | call to method GetString | stored (potentially user-provided) value |

csharp/ql/test/query-tests/Security Features/CWE-090/StoredLDAPInjection.qlref

@@ -1 +0,0 @@
-Security Features/CWE-090/StoredLDAPInjection.ql

csharp/ql/test/query-tests/Security Features/CWE-643/StoredXPathInjection.cs

@@ -1,37 +0,0 @@
-using System;
-using System.Data.SqlClient;
-using System.Xml;
-using System.Xml.XPath;
-
-namespace Test
-{
-
-    class StoredXPathInjection
-    {
-
-        public void processRequest()
-        {
-            using (SqlConnection connection = new SqlConnection(""))
-            {
-                connection.Open();
-                SqlCommand customerCommand = new SqlCommand("SELECT * FROM customers", connection);
-                SqlDataReader customerReader = customerCommand.ExecuteReader();
-
-                while (customerReader.Read())
-                {
-                    string userName = customerReader.GetString(1);
-                    string password = customerReader.GetString(2);
-                    // BAD: User input used directly in an XPath expression
-                    XPathExpression.Compile("//users/user[login/text()='" + userName + "' and password/text() = '" + password + "']/home_dir/text()");
-                    XmlNode xmlNode = null;
-                    // BAD: User input used directly in an XPath expression to SelectNodes
-                    xmlNode.SelectNodes("//users/user[login/text()='" + userName + "' and password/text() = '" + password + "']/home_dir/text()");
-
-                    // GOOD: Uses parameters to avoid including user input directly in XPath expression
-                    XPathExpression.Compile("//users/user[login/text()=$username]/home_dir/text()");
-                }
-                customerReader.Close();
-            }
-        }
-    }
-}

csharp/ql/test/query-tests/Security Features/CWE-643/StoredXPathInjection.expected

@@ -1,20 +0,0 @@
-edges
-| StoredXPathInjection.cs:22:28:22:35 | access to local variable userName : String | StoredXPathInjection.cs:25:45:25:148 | ... + ... | provenance |  |
-| StoredXPathInjection.cs:22:28:22:35 | access to local variable userName : String | StoredXPathInjection.cs:28:41:28:144 | ... + ... | provenance |  |
-| StoredXPathInjection.cs:22:39:22:65 | call to method GetString : String | StoredXPathInjection.cs:22:28:22:35 | access to local variable userName : String | provenance |  |
-| StoredXPathInjection.cs:23:28:23:35 | access to local variable password : String | StoredXPathInjection.cs:25:45:25:148 | ... + ... | provenance |  |
-| StoredXPathInjection.cs:23:28:23:35 | access to local variable password : String | StoredXPathInjection.cs:28:41:28:144 | ... + ... | provenance |  |
-| StoredXPathInjection.cs:23:39:23:65 | call to method GetString : String | StoredXPathInjection.cs:23:28:23:35 | access to local variable password : String | provenance |  |
-nodes
-| StoredXPathInjection.cs:22:28:22:35 | access to local variable userName : String | semmle.label | access to local variable userName : String |
-| StoredXPathInjection.cs:22:39:22:65 | call to method GetString : String | semmle.label | call to method GetString : String |
-| StoredXPathInjection.cs:23:28:23:35 | access to local variable password : String | semmle.label | access to local variable password : String |
-| StoredXPathInjection.cs:23:39:23:65 | call to method GetString : String | semmle.label | call to method GetString : String |
-| StoredXPathInjection.cs:25:45:25:148 | ... + ... | semmle.label | ... + ... |
-| StoredXPathInjection.cs:28:41:28:144 | ... + ... | semmle.label | ... + ... |
-subpaths
-#select
-| StoredXPathInjection.cs:25:45:25:148 | ... + ... | StoredXPathInjection.cs:22:39:22:65 | call to method GetString : String | StoredXPathInjection.cs:25:45:25:148 | ... + ... | This XPath expression depends on a $@. | StoredXPathInjection.cs:22:39:22:65 | call to method GetString | stored (potentially user-provided) value |
-| StoredXPathInjection.cs:25:45:25:148 | ... + ... | StoredXPathInjection.cs:23:39:23:65 | call to method GetString : String | StoredXPathInjection.cs:25:45:25:148 | ... + ... | This XPath expression depends on a $@. | StoredXPathInjection.cs:23:39:23:65 | call to method GetString | stored (potentially user-provided) value |
-| StoredXPathInjection.cs:28:41:28:144 | ... + ... | StoredXPathInjection.cs:22:39:22:65 | call to method GetString : String | StoredXPathInjection.cs:28:41:28:144 | ... + ... | This XPath expression depends on a $@. | StoredXPathInjection.cs:22:39:22:65 | call to method GetString | stored (potentially user-provided) value |
-| StoredXPathInjection.cs:28:41:28:144 | ... + ... | StoredXPathInjection.cs:23:39:23:65 | call to method GetString : String | StoredXPathInjection.cs:28:41:28:144 | ... + ... | This XPath expression depends on a $@. | StoredXPathInjection.cs:23:39:23:65 | call to method GetString | stored (potentially user-provided) value |

csharp/ql/test/query-tests/Security Features/CWE-643/StoredXPathInjection.qlref

@@ -1 +0,0 @@
-Security Features/CWE-643/StoredXPathInjection.ql

csharp/ql/test/query-tests/Security Features/CWE-643/XPathInjection.cs

@@ -1,4 +1,5 @@
 using System;
+using System.Data.SqlClient;
 using System.Web;
 using System.Xml;
 using System.Xml.XPath;
@@ -62,4 +63,30 @@ public class XPathInjectionHandler : IHttpHandler
             return true;
         }
     }
+
+    public void ProcessStoredRequest()
+    {
+
+        using (SqlConnection connection = new SqlConnection(""))
+        {
+            connection.Open();
+            SqlCommand customerCommand = new SqlCommand("SELECT * FROM customers", connection);
+            SqlDataReader customerReader = customerCommand.ExecuteReader();
+
+            while (customerReader.Read())
+            {
+                string userName = customerReader.GetString(1);
+                string password = customerReader.GetString(2);
+                // BAD: User input used directly in an XPath expression
+                XPathExpression.Compile("//users/user[login/text()='" + userName + "' and password/text() = '" + password + "']/home_dir/text()");
+                XmlNode xmlNode = null;
+                // BAD: User input used directly in an XPath expression to SelectNodes
+                xmlNode.SelectNodes("//users/user[login/text()='" + userName + "' and password/text() = '" + password + "']/home_dir/text()");
+
+                // GOOD: Uses parameters to avoid including user input directly in XPath expression
+                XPathExpression.Compile("//users/user[login/text()=$username]/home_dir/text()");
+            }
+            customerReader.Close();
+        }
+    }
 }

csharp/ql/test/query-tests/Security Features/CWE-643/XPathInjection.expected

@@ -1,47 +1,63 @@
 edges
-| XPathInjection.cs:10:16:10:23 | access to local variable userName : String | XPathInjection.cs:13:13:13:13 | access to local variable s : String | provenance |  |
-| XPathInjection.cs:10:27:10:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:10:16:10:23 | access to local variable userName : String | provenance |  |
-| XPathInjection.cs:10:27:10:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:10:27:10:61 | access to indexer : String | provenance |  |
-| XPathInjection.cs:10:27:10:61 | access to indexer : String | XPathInjection.cs:10:16:10:23 | access to local variable userName : String | provenance |  |
-| XPathInjection.cs:11:16:11:23 | access to local variable password : String | XPathInjection.cs:13:13:13:13 | access to local variable s : String | provenance |  |
-| XPathInjection.cs:11:27:11:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:11:16:11:23 | access to local variable password : String | provenance |  |
+| XPathInjection.cs:11:16:11:23 | access to local variable userName : String | XPathInjection.cs:14:13:14:13 | access to local variable s : String | provenance |  |
+| XPathInjection.cs:11:27:11:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:11:16:11:23 | access to local variable userName : String | provenance |  |
 | XPathInjection.cs:11:27:11:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:11:27:11:61 | access to indexer : String | provenance |  |
-| XPathInjection.cs:11:27:11:61 | access to indexer : String | XPathInjection.cs:11:16:11:23 | access to local variable password : String | provenance |  |
-| XPathInjection.cs:13:13:13:13 | access to local variable s : String | XPathInjection.cs:16:33:16:33 | access to local variable s | provenance |  |
-| XPathInjection.cs:13:13:13:13 | access to local variable s : String | XPathInjection.cs:19:29:19:29 | access to local variable s | provenance |  |
-| XPathInjection.cs:13:13:13:13 | access to local variable s : String | XPathInjection.cs:28:20:28:20 | access to local variable s | provenance |  |
-| XPathInjection.cs:13:13:13:13 | access to local variable s : String | XPathInjection.cs:34:30:34:30 | access to local variable s | provenance |  |
-| XPathInjection.cs:13:13:13:13 | access to local variable s : String | XPathInjection.cs:40:21:40:21 | access to local variable s | provenance |  |
-| XPathInjection.cs:13:13:13:13 | access to local variable s : String | XPathInjection.cs:46:22:46:22 | access to local variable s | provenance |  |
-| XPathInjection.cs:13:13:13:13 | access to local variable s : String | XPathInjection.cs:52:21:52:21 | access to local variable s | provenance |  |
+| XPathInjection.cs:11:27:11:61 | access to indexer : String | XPathInjection.cs:11:16:11:23 | access to local variable userName : String | provenance |  |
+| XPathInjection.cs:12:16:12:23 | access to local variable password : String | XPathInjection.cs:14:13:14:13 | access to local variable s : String | provenance |  |
+| XPathInjection.cs:12:27:12:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:12:16:12:23 | access to local variable password : String | provenance |  |
+| XPathInjection.cs:12:27:12:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:12:27:12:61 | access to indexer : String | provenance |  |
+| XPathInjection.cs:12:27:12:61 | access to indexer : String | XPathInjection.cs:12:16:12:23 | access to local variable password : String | provenance |  |
+| XPathInjection.cs:14:13:14:13 | access to local variable s : String | XPathInjection.cs:17:33:17:33 | access to local variable s | provenance |  |
+| XPathInjection.cs:14:13:14:13 | access to local variable s : String | XPathInjection.cs:20:29:20:29 | access to local variable s | provenance |  |
+| XPathInjection.cs:14:13:14:13 | access to local variable s : String | XPathInjection.cs:29:20:29:20 | access to local variable s | provenance |  |
+| XPathInjection.cs:14:13:14:13 | access to local variable s : String | XPathInjection.cs:35:30:35:30 | access to local variable s | provenance |  |
+| XPathInjection.cs:14:13:14:13 | access to local variable s : String | XPathInjection.cs:41:21:41:21 | access to local variable s | provenance |  |
+| XPathInjection.cs:14:13:14:13 | access to local variable s : String | XPathInjection.cs:47:22:47:22 | access to local variable s | provenance |  |
+| XPathInjection.cs:14:13:14:13 | access to local variable s : String | XPathInjection.cs:53:21:53:21 | access to local variable s | provenance |  |
+| XPathInjection.cs:78:24:78:31 | access to local variable userName : String | XPathInjection.cs:81:41:81:144 | ... + ... | provenance |  |
+| XPathInjection.cs:78:24:78:31 | access to local variable userName : String | XPathInjection.cs:84:37:84:140 | ... + ... | provenance |  |
+| XPathInjection.cs:78:35:78:61 | call to method GetString : String | XPathInjection.cs:78:24:78:31 | access to local variable userName : String | provenance |  |
+| XPathInjection.cs:79:24:79:31 | access to local variable password : String | XPathInjection.cs:81:41:81:144 | ... + ... | provenance |  |
+| XPathInjection.cs:79:24:79:31 | access to local variable password : String | XPathInjection.cs:84:37:84:140 | ... + ... | provenance |  |
+| XPathInjection.cs:79:35:79:61 | call to method GetString : String | XPathInjection.cs:79:24:79:31 | access to local variable password : String | provenance |  |
 nodes
-| XPathInjection.cs:10:16:10:23 | access to local variable userName : String | semmle.label | access to local variable userName : String |
-| XPathInjection.cs:10:27:10:49 | access to property QueryString : NameValueCollection | semmle.label | access to property QueryString : NameValueCollection |
-| XPathInjection.cs:10:27:10:61 | access to indexer : String | semmle.label | access to indexer : String |
-| XPathInjection.cs:11:16:11:23 | access to local variable password : String | semmle.label | access to local variable password : String |
+| XPathInjection.cs:11:16:11:23 | access to local variable userName : String | semmle.label | access to local variable userName : String |
 | XPathInjection.cs:11:27:11:49 | access to property QueryString : NameValueCollection | semmle.label | access to property QueryString : NameValueCollection |
 | XPathInjection.cs:11:27:11:61 | access to indexer : String | semmle.label | access to indexer : String |
-| XPathInjection.cs:13:13:13:13 | access to local variable s : String | semmle.label | access to local variable s : String |
-| XPathInjection.cs:16:33:16:33 | access to local variable s | semmle.label | access to local variable s |
-| XPathInjection.cs:19:29:19:29 | access to local variable s | semmle.label | access to local variable s |
-| XPathInjection.cs:28:20:28:20 | access to local variable s | semmle.label | access to local variable s |
-| XPathInjection.cs:34:30:34:30 | access to local variable s | semmle.label | access to local variable s |
-| XPathInjection.cs:40:21:40:21 | access to local variable s | semmle.label | access to local variable s |
-| XPathInjection.cs:46:22:46:22 | access to local variable s | semmle.label | access to local variable s |
-| XPathInjection.cs:52:21:52:21 | access to local variable s | semmle.label | access to local variable s |
+| XPathInjection.cs:12:16:12:23 | access to local variable password : String | semmle.label | access to local variable password : String |
+| XPathInjection.cs:12:27:12:49 | access to property QueryString : NameValueCollection | semmle.label | access to property QueryString : NameValueCollection |
+| XPathInjection.cs:12:27:12:61 | access to indexer : String | semmle.label | access to indexer : String |
+| XPathInjection.cs:14:13:14:13 | access to local variable s : String | semmle.label | access to local variable s : String |
+| XPathInjection.cs:17:33:17:33 | access to local variable s | semmle.label | access to local variable s |
+| XPathInjection.cs:20:29:20:29 | access to local variable s | semmle.label | access to local variable s |
+| XPathInjection.cs:29:20:29:20 | access to local variable s | semmle.label | access to local variable s |
+| XPathInjection.cs:35:30:35:30 | access to local variable s | semmle.label | access to local variable s |
+| XPathInjection.cs:41:21:41:21 | access to local variable s | semmle.label | access to local variable s |
+| XPathInjection.cs:47:22:47:22 | access to local variable s | semmle.label | access to local variable s |
+| XPathInjection.cs:53:21:53:21 | access to local variable s | semmle.label | access to local variable s |
+| XPathInjection.cs:78:24:78:31 | access to local variable userName : String | semmle.label | access to local variable userName : String |
+| XPathInjection.cs:78:35:78:61 | call to method GetString : String | semmle.label | call to method GetString : String |
+| XPathInjection.cs:79:24:79:31 | access to local variable password : String | semmle.label | access to local variable password : String |
+| XPathInjection.cs:79:35:79:61 | call to method GetString : String | semmle.label | call to method GetString : String |
+| XPathInjection.cs:81:41:81:144 | ... + ... | semmle.label | ... + ... |
+| XPathInjection.cs:84:37:84:140 | ... + ... | semmle.label | ... + ... |
 subpaths
 #select
-| XPathInjection.cs:16:33:16:33 | access to local variable s | XPathInjection.cs:10:27:10:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:16:33:16:33 | access to local variable s | This XPath expression depends on a $@. | XPathInjection.cs:10:27:10:49 | access to property QueryString | user-provided value |
-| XPathInjection.cs:16:33:16:33 | access to local variable s | XPathInjection.cs:11:27:11:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:16:33:16:33 | access to local variable s | This XPath expression depends on a $@. | XPathInjection.cs:11:27:11:49 | access to property QueryString | user-provided value |
-| XPathInjection.cs:19:29:19:29 | access to local variable s | XPathInjection.cs:10:27:10:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:19:29:19:29 | access to local variable s | This XPath expression depends on a $@. | XPathInjection.cs:10:27:10:49 | access to property QueryString | user-provided value |
-| XPathInjection.cs:19:29:19:29 | access to local variable s | XPathInjection.cs:11:27:11:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:19:29:19:29 | access to local variable s | This XPath expression depends on a $@. | XPathInjection.cs:11:27:11:49 | access to property QueryString | user-provided value |
-| XPathInjection.cs:28:20:28:20 | access to local variable s | XPathInjection.cs:10:27:10:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:28:20:28:20 | access to local variable s | This XPath expression depends on a $@. | XPathInjection.cs:10:27:10:49 | access to property QueryString | user-provided value |
-| XPathInjection.cs:28:20:28:20 | access to local variable s | XPathInjection.cs:11:27:11:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:28:20:28:20 | access to local variable s | This XPath expression depends on a $@. | XPathInjection.cs:11:27:11:49 | access to property QueryString | user-provided value |
-| XPathInjection.cs:34:30:34:30 | access to local variable s | XPathInjection.cs:10:27:10:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:34:30:34:30 | access to local variable s | This XPath expression depends on a $@. | XPathInjection.cs:10:27:10:49 | access to property QueryString | user-provided value |
-| XPathInjection.cs:34:30:34:30 | access to local variable s | XPathInjection.cs:11:27:11:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:34:30:34:30 | access to local variable s | This XPath expression depends on a $@. | XPathInjection.cs:11:27:11:49 | access to property QueryString | user-provided value |
-| XPathInjection.cs:40:21:40:21 | access to local variable s | XPathInjection.cs:10:27:10:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:40:21:40:21 | access to local variable s | This XPath expression depends on a $@. | XPathInjection.cs:10:27:10:49 | access to property QueryString | user-provided value |
-| XPathInjection.cs:40:21:40:21 | access to local variable s | XPathInjection.cs:11:27:11:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:40:21:40:21 | access to local variable s | This XPath expression depends on a $@. | XPathInjection.cs:11:27:11:49 | access to property QueryString | user-provided value |
-| XPathInjection.cs:46:22:46:22 | access to local variable s | XPathInjection.cs:10:27:10:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:46:22:46:22 | access to local variable s | This XPath expression depends on a $@. | XPathInjection.cs:10:27:10:49 | access to property QueryString | user-provided value |
-| XPathInjection.cs:46:22:46:22 | access to local variable s | XPathInjection.cs:11:27:11:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:46:22:46:22 | access to local variable s | This XPath expression depends on a $@. | XPathInjection.cs:11:27:11:49 | access to property QueryString | user-provided value |
-| XPathInjection.cs:52:21:52:21 | access to local variable s | XPathInjection.cs:10:27:10:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:52:21:52:21 | access to local variable s | This XPath expression depends on a $@. | XPathInjection.cs:10:27:10:49 | access to property QueryString | user-provided value |
-| XPathInjection.cs:52:21:52:21 | access to local variable s | XPathInjection.cs:11:27:11:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:52:21:52:21 | access to local variable s | This XPath expression depends on a $@. | XPathInjection.cs:11:27:11:49 | access to property QueryString | user-provided value |
+| XPathInjection.cs:17:33:17:33 | access to local variable s | XPathInjection.cs:11:27:11:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:17:33:17:33 | access to local variable s | This XPath expression depends on a $@. | XPathInjection.cs:11:27:11:49 | access to property QueryString | user-provided value |
+| XPathInjection.cs:17:33:17:33 | access to local variable s | XPathInjection.cs:12:27:12:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:17:33:17:33 | access to local variable s | This XPath expression depends on a $@. | XPathInjection.cs:12:27:12:49 | access to property QueryString | user-provided value |
+| XPathInjection.cs:20:29:20:29 | access to local variable s | XPathInjection.cs:11:27:11:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:20:29:20:29 | access to local variable s | This XPath expression depends on a $@. | XPathInjection.cs:11:27:11:49 | access to property QueryString | user-provided value |
+| XPathInjection.cs:20:29:20:29 | access to local variable s | XPathInjection.cs:12:27:12:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:20:29:20:29 | access to local variable s | This XPath expression depends on a $@. | XPathInjection.cs:12:27:12:49 | access to property QueryString | user-provided value |
+| XPathInjection.cs:29:20:29:20 | access to local variable s | XPathInjection.cs:11:27:11:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:29:20:29:20 | access to local variable s | This XPath expression depends on a $@. | XPathInjection.cs:11:27:11:49 | access to property QueryString | user-provided value |
+| XPathInjection.cs:29:20:29:20 | access to local variable s | XPathInjection.cs:12:27:12:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:29:20:29:20 | access to local variable s | This XPath expression depends on a $@. | XPathInjection.cs:12:27:12:49 | access to property QueryString | user-provided value |
+| XPathInjection.cs:35:30:35:30 | access to local variable s | XPathInjection.cs:11:27:11:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:35:30:35:30 | access to local variable s | This XPath expression depends on a $@. | XPathInjection.cs:11:27:11:49 | access to property QueryString | user-provided value |
+| XPathInjection.cs:35:30:35:30 | access to local variable s | XPathInjection.cs:12:27:12:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:35:30:35:30 | access to local variable s | This XPath expression depends on a $@. | XPathInjection.cs:12:27:12:49 | access to property QueryString | user-provided value |
+| XPathInjection.cs:41:21:41:21 | access to local variable s | XPathInjection.cs:11:27:11:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:41:21:41:21 | access to local variable s | This XPath expression depends on a $@. | XPathInjection.cs:11:27:11:49 | access to property QueryString | user-provided value |
+| XPathInjection.cs:41:21:41:21 | access to local variable s | XPathInjection.cs:12:27:12:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:41:21:41:21 | access to local variable s | This XPath expression depends on a $@. | XPathInjection.cs:12:27:12:49 | access to property QueryString | user-provided value |
+| XPathInjection.cs:47:22:47:22 | access to local variable s | XPathInjection.cs:11:27:11:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:47:22:47:22 | access to local variable s | This XPath expression depends on a $@. | XPathInjection.cs:11:27:11:49 | access to property QueryString | user-provided value |
+| XPathInjection.cs:47:22:47:22 | access to local variable s | XPathInjection.cs:12:27:12:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:47:22:47:22 | access to local variable s | This XPath expression depends on a $@. | XPathInjection.cs:12:27:12:49 | access to property QueryString | user-provided value |
+| XPathInjection.cs:53:21:53:21 | access to local variable s | XPathInjection.cs:11:27:11:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:53:21:53:21 | access to local variable s | This XPath expression depends on a $@. | XPathInjection.cs:11:27:11:49 | access to property QueryString | user-provided value |
+| XPathInjection.cs:53:21:53:21 | access to local variable s | XPathInjection.cs:12:27:12:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:53:21:53:21 | access to local variable s | This XPath expression depends on a $@. | XPathInjection.cs:12:27:12:49 | access to property QueryString | user-provided value |
+| XPathInjection.cs:81:41:81:144 | ... + ... | XPathInjection.cs:78:35:78:61 | call to method GetString : String | XPathInjection.cs:81:41:81:144 | ... + ... | This XPath expression depends on a $@. | XPathInjection.cs:78:35:78:61 | call to method GetString | user-provided value |
+| XPathInjection.cs:81:41:81:144 | ... + ... | XPathInjection.cs:79:35:79:61 | call to method GetString : String | XPathInjection.cs:81:41:81:144 | ... + ... | This XPath expression depends on a $@. | XPathInjection.cs:79:35:79:61 | call to method GetString | user-provided value |
+| XPathInjection.cs:84:37:84:140 | ... + ... | XPathInjection.cs:78:35:78:61 | call to method GetString : String | XPathInjection.cs:84:37:84:140 | ... + ... | This XPath expression depends on a $@. | XPathInjection.cs:78:35:78:61 | call to method GetString | user-provided value |
+| XPathInjection.cs:84:37:84:140 | ... + ... | XPathInjection.cs:79:35:79:61 | call to method GetString : String | XPathInjection.cs:84:37:84:140 | ... + ... | This XPath expression depends on a $@. | XPathInjection.cs:79:35:79:61 | call to method GetString | user-provided value |

csharp/ql/test/query-tests/Security Features/CWE-643/XPathInjection.ext.yml

@@ -0,0 +1,7 @@
+extensions:
+
+  - addsTo:
+      pack: codeql/threat-models
+      extensible: threatModelConfiguration
+    data:
+      - ["local", true, 0]