Using CodeQL AutoFormat

Raul Garcia (MSFT)
2020-07-29 18:01:46 -07:00
parent 7923c480af
commit 6f845b0044
5 changed files with 62 additions and 70 deletions


@@ -3,14 +3,13 @@
*
* Please visit https://go.microsoft.com/fwlink/?linkid=2132227 for details.
*/
import csharp
import csharp
/**
* Abstract class that depends or inherits from `DataSet` or `DataTable` types.
*/
abstract class DataSetOrTableRelatedClass extends Class {
}
abstract class DataSetOrTableRelatedClass extends Class { }
/**
* `DataSet`, `DataTable` types, or any types derived from them.
@@ -27,14 +26,13 @@ class DataSetOrTable extends DataSetOrTableRelatedClass {
*/
class ClassWithDataSetOrTableMember extends DataSetOrTableRelatedClass {
ClassWithDataSetOrTableMember() {
exists( Property p |
p = this.getAProperty() |
p.getType() instanceof DataSetOrTable
) or this.getAMember().(AssignableMember).getType() instanceof DataSetOrTable
or exists( Property p |
p = this.getAProperty() |
exists(Property p | p = this.getAProperty() | p.getType() instanceof DataSetOrTable)
or
this.getAMember().(AssignableMember).getType() instanceof DataSetOrTable
or
exists(Property p | p = this.getAProperty() |
p.getType() instanceof DataSetOrTable or
p.getType().(ConstructedGeneric).getATypeArgument() instanceof DataSetOrTable
p.getType().(ConstructedGeneric).getATypeArgument() instanceof DataSetOrTable
)
}
}
@@ -48,11 +46,14 @@ class SerializableClass extends Class {
this.getABaseType*().getQualifiedName() = "System.Xml.Serialization.XmlSerializer" or
this.getABaseInterface*().getQualifiedName() = "System.Runtime.Serialization.ISerializable" or
this.getABaseType*().getQualifiedName() = "System.Runtime.Serialization.XmlObjectSerializer" or
this.getABaseInterface*().getQualifiedName() = "System.Runtime.Serialization.ISerializationSurrogateProvider" or
this.getABaseType*().getQualifiedName() = "System.Runtime.Serialization.XmlSerializableServices" or
this.getABaseInterface*().getQualifiedName() =
"System.Runtime.Serialization.ISerializationSurrogateProvider" or
this.getABaseType*().getQualifiedName() =
"System.Runtime.Serialization.XmlSerializableServices" or
this.getABaseInterface*().getQualifiedName() = "System.Xml.Serialization.IXmlSerializable"
) or exists( Attribute a |
a = this.getAnAttribute() |
)
or
exists(Attribute a | a = this.getAnAttribute() |
a.getType().getQualifiedName().toString() = "System.SerializableAttribute"
)
}
@@ -61,14 +62,14 @@ class SerializableClass extends Class {
/**
* Holds if the serializable class `c` has a property or field `m` that is of `DataSet` or `DataTable` related type
*/
predicate isClassUnsafeXmlSerializerImplementation( SerializableClass c, Member m) {
exists( Property p |
m = p |
predicate isClassUnsafeXmlSerializerImplementation(SerializableClass c, Member m) {
exists(Property p | m = p |
p = c.getAProperty() and
p.getType() instanceof DataSetOrTableRelatedClass
) or exists ( AssignableMember am |
am = m |
( am = c.getAField() or am = c.getAMember() ) and
)
or
exists(AssignableMember am | am = m |
(am = c.getAField() or am = c.getAMember()) and
am.getType() instanceof DataSetOrTableRelatedClass
)
}
@@ -77,9 +78,7 @@ predicate isClassUnsafeXmlSerializerImplementation( SerializableClass c, Member
* Serializable class that has a property or field that is of `DataSet` or `DataTable` related type
*/
class UnsafeXmlSerializerImplementation extends SerializableClass {
UnsafeXmlSerializerImplementation() {
isClassUnsafeXmlSerializerImplementation( this, _ )
}
UnsafeXmlSerializerImplementation() { isClassUnsafeXmlSerializerImplementation(this, _) }
}
/**
@@ -87,16 +86,17 @@ class UnsafeXmlSerializerImplementation extends SerializableClass {
*/
class UnsafeXmlReadMethod extends Method {
UnsafeXmlReadMethod() {
this.getQualifiedName().toString() = "System.Data.DataTable.ReadXml" or
this.getQualifiedName().toString() = "System.Data.DataTable.ReadXmlSchema" or
this.getQualifiedName().toString() = "System.Data.DataSet.ReadXml" or
this.getQualifiedName().toString() = "System.Data.DataSet.ReadXmlSchema" or
(
this.getName().matches("ReadXml%") and
exists( Class c |
c.getAMethod() = this |
c.getABaseType*() instanceof DataSetOrTableRelatedClass
)
this.getQualifiedName().toString() = "System.Data.DataTable.ReadXml"
or
this.getQualifiedName().toString() = "System.Data.DataTable.ReadXmlSchema"
or
this.getQualifiedName().toString() = "System.Data.DataSet.ReadXml"
or
this.getQualifiedName().toString() = "System.Data.DataSet.ReadXmlSchema"
or
this.getName().matches("ReadXml%") and
exists(Class c | c.getAMethod() = this |
c.getABaseType*() instanceof DataSetOrTableRelatedClass
)
}
}
@@ -105,9 +105,5 @@ class UnsafeXmlReadMethod extends Method {
* MethodCall that may be unsafe when used to deserialize DataSet and DataTable related types
*/
class UnsafeXmlReadMethodCall extends MethodCall {
UnsafeXmlReadMethodCall() {
exists( UnsafeXmlReadMethod uxrm |
uxrm.getACall() = this
)
}
UnsafeXmlReadMethodCall() { exists(UnsafeXmlReadMethod uxrm | uxrm.getACall() = this) }
}


@@ -12,4 +12,5 @@ import DataSetSerialization
from DataSetOrTableRelatedClass dstc
where dstc.fromSource()
select dstc, "Defining a class that inherits or has a property derived from the obsolete DataSet or DataTable types. Please visit https://go.microsoft.com/fwlink/?linkid=2132227 for details."
select dstc,
"Defining a class that inherits or has a property derived from the obsolete DataSet or DataTable types. Please visit https://go.microsoft.com/fwlink/?linkid=2132227 for details."


@@ -1,5 +1,5 @@
/**
* @name Defining a potentially unsafe XML serializer
* @name Defining a potentially unsafe XML serializer
* @description Defining an XML serializable class that includes members that derive from dataSet or DataTable type may lead to a security problem. Please visit https://go.microsoft.com/fwlink/?linkid=2132227 for details.
* @kind problem
* @problem.severity error
@@ -12,8 +12,9 @@ import csharp
import DataSetSerialization
from UnsafeXmlSerializerImplementation c, Member m
where c.fromSource() and
isClassUnsafeXmlSerializerImplementation( c, m)
select m, "Defining an serializable class $@ that has member $@ of a type that is derived from DataSet or DataTable types and may lead to a security problem. Please visit https://go.microsoft.com/fwlink/?linkid=2132227 for details.",
c, c.toString(),
m, m.toString()
where
c.fromSource() and
isClassUnsafeXmlSerializerImplementation(c, m)
select m,
"Defining an serializable class $@ that has member $@ of a type that is derived from DataSet or DataTable types and may lead to a security problem. Please visit https://go.microsoft.com/fwlink/?linkid=2132227 for details.",
c, c.toString(), m, m.toString()


@@ -11,40 +11,33 @@
import csharp
import DataSetSerialization
predicate xmlSerializerConstructorArgument (Expr e) {
exists (ObjectCreation oc, Constructor c |
e = oc.getArgument(0) |
predicate xmlSerializerConstructorArgument(Expr e) {
exists(ObjectCreation oc, Constructor c | e = oc.getArgument(0) |
c = oc.getTarget() and
(
c.getDeclaringType().getABaseType*().hasQualifiedName("System.Xml.Serialization.XmlSerializer")
)
c.getDeclaringType().getABaseType*().hasQualifiedName("System.Xml.Serialization.XmlSerializer")
)
}
predicate unsafeDataContractTypeCreation (Expr e) {
exists(MethodCall gt |
predicate unsafeDataContractTypeCreation(Expr e) {
exists(MethodCall gt |
gt.getTarget().getName() = "GetType" and
e = gt and
gt.getQualifier().getType() instanceof DataSetOrTableRelatedClass
) or
)
or
e.(TypeofExpr).getTypeAccess().getTarget() instanceof DataSetOrTableRelatedClass
}
class Conf extends DataFlow::Configuration {
Conf() {
this = "FlowToDataSerializerConstructor"
}
override predicate isSource(DataFlow::Node node) {
unsafeDataContractTypeCreation(node.asExpr())
}
override predicate isSink(DataFlow::Node node) {
xmlSerializerConstructorArgument (node.asExpr())
}
}
Conf() { this = "FlowToDataSerializerConstructor" }
override predicate isSource(DataFlow::Node node) { unsafeDataContractTypeCreation(node.asExpr()) }
override predicate isSink(DataFlow::Node node) { xmlSerializerConstructorArgument(node.asExpr()) }
}
from Conf conf, DataFlow::Node source, DataFlow::Node sink
where conf.hasFlow(source, sink)
select sink, "Unsafe type is used in data contract serializer. Make sure $@ comes from the trusted source.", source, source.toString()
select sink,
"Unsafe type is used in data contract serializer. Make sure $@ comes from the trusted source.",
source, source.toString()


@@ -12,5 +12,6 @@ import csharp
import DataSetSerialization
from UnsafeXmlReadMethodCall mc
where exists( Method m | m.getACall() = mc )
select mc, "Making an XML deserialization call with a type derived from DataSet or DataTable types and may lead to a security problem. Please visit https://go.microsoft.com/fwlink/?linkid=2132227 for details."
where exists(Method m | m.getACall() = mc)
select mc,
"Making an XML deserialization call with a type derived from DataSet or DataTable types and may lead to a security problem. Please visit https://go.microsoft.com/fwlink/?linkid=2132227 for details."