From 73cd7519a2dd628888522fb281e034bdc158df36 Mon Sep 17 00:00:00 2001
From: Michael Nebel
Date: Fri, 31 Mar 2023 10:46:33 +0200
Subject: [PATCH] C#: Re-factor LdapInjection to use the new API.

---
 .../security/dataflow/LDAPInjectionQuery.qll | 20 ++++++++++++++++++-
 .../CWE-090/LDAPInjection.ql | 6 +++---
 .../CWE-090/StoredLDAPInjection.ql | 16 ++++++++++-----
 3 files changed, 33 insertions(+), 9 deletions(-)

diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/LDAPInjectionQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/LDAPInjectionQuery.qll
index fb94273ccd7..1b0170d4e82 100644
--- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/LDAPInjectionQuery.qll
+++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/LDAPInjectionQuery.qll
@@ -25,9 +25,11 @@ abstract class Sink extends DataFlow::ExprNode { }
 abstract class Sanitizer extends DataFlow::ExprNode { }
 
 /**
+ * DEPRECATED: Use `LdapInjection` instead.
+ *
 * A taint-tracking configuration for unvalidated user input that is used to construct LDAP queries.
 */
-class TaintTrackingConfiguration extends TaintTracking::Configuration {
+deprecated class TaintTrackingConfiguration extends TaintTracking::Configuration {
 TaintTrackingConfiguration() { this = "LDAPInjection" }
 
 override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -37,6 +39,22 @@ class TaintTrackingConfiguration extends TaintTracking::Configuration {
 override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
 }
 
+/**
+ * A taint-tracking configuration for unvalidated user input that is used to construct LDAP queries.
+ */
+module LdapInjectionConfig implements DataFlow::ConfigSig {
+ predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+ predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+ predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+}
+
+/**
+ * A taint-tracking configuration for unvalidated user input that is used to construct LDAP queries.
+ */
+module LdapInjection = TaintTracking::Global;
+
 /** A source of remote user input. */
 class RemoteSource extends Source instanceof RemoteFlowSource { }
 
diff --git a/csharp/ql/src/Security Features/CWE-090/LDAPInjection.ql b/csharp/ql/src/Security Features/CWE-090/LDAPInjection.ql
index f4413eeb17a..7c38f83d34e 100644
--- a/csharp/ql/src/Security Features/CWE-090/LDAPInjection.ql
+++ b/csharp/ql/src/Security Features/CWE-090/LDAPInjection.ql
@@ -13,9 +13,9 @@
 
 import csharp
 import semmle.code.csharp.security.dataflow.LDAPInjectionQuery
-import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph
+import LdapInjection::PathGraph
 
-from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
-where c.hasFlowPath(source, sink)
+from LdapInjection::PathNode source, LdapInjection::PathNode sink
+where LdapInjection::flowPath(source, sink)
 select sink.getNode(), source, sink, "This LDAP query depends on a $@.", source.getNode(),
 "user-provided value"
diff --git a/csharp/ql/src/Security Features/CWE-090/StoredLDAPInjection.ql b/csharp/ql/src/Security Features/CWE-090/StoredLDAPInjection.ql
index 26a0711037d..e5015892fc4 100644
--- a/csharp/ql/src/Security Features/CWE-090/StoredLDAPInjection.ql
+++ b/csharp/ql/src/Security Features/CWE-090/StoredLDAPInjection.ql
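Review bot: In LDAPInjectionQuery.qll the QLDoc on the new `LdapInjection` module is a verbatim copy of the one on `LdapInjectionConfig`, although the first is the configuration module and the second is the instantiated taint-tracking module that the queries call `flowPath` on. I would reword the second to `A taint-tracking module for unvalidated user input that is used to construct LDAP queries.` and add a line above `isBarrier` such as `// Nodes in Sanitizer stop taint; this replaces isSanitizer from the deprecated class.` so the mapping from the old predicate is visible to anyone extending `Sanitizer`. As rendered on this page the alias reads `TaintTracking::Global;` with no argument; presumably the `<LdapInjectionConfig>` parameter was lost in rendering, and the same applies to `StoredLdapInjection` in StoredLDAPInjection.ql.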
@@ -14,13 +14,19 @@
 import csharp
 import semmle.code.csharp.security.dataflow.LDAPInjectionQuery
 import semmle.code.csharp.security.dataflow.flowsources.Stored
-import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph
+import StoredLdapInjection::PathGraph
 
-class StoredTaintTrackingConfiguration extends TaintTrackingConfiguration {
- override predicate isSource(DataFlow::Node source) { source instanceof StoredFlowSource }
+module StoredLdapInjectionConfig implements DataFlow::ConfigSig {
+ predicate isSource(DataFlow::Node source) { source instanceof StoredFlowSource }
+
+ predicate isSink = LdapInjectionConfig::isSink/1;
+
+ predicate isBarrier = LdapInjectionConfig::isBarrier/1;
 }
 
-from StoredTaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
-where c.hasFlowPath(source, sink)
+module StoredLdapInjection = TaintTracking::Global;
+
+from StoredLdapInjection::PathNode source, StoredLdapInjection::PathNode sink
+where StoredLdapInjection::flowPath(source, sink)
 select sink.getNode(), source, sink, "This LDAP query depends on a $@.", source.getNode(),
 "stored (potentially user-provided) value"
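Review bot: `StoredLdapInjectionConfig` carries no QLDoc, so nothing records that it differs from `LdapInjectionConfig` only in its source and deliberately shares sinks and barriers through the `isSink/1` and `isBarrier/1` aliases. A comment above the module such as `/** A taint-tracking configuration for stored user input that is used to construct LDAP queries; sinks and barriers are those of LdapInjectionConfig. */` would state that. The sharing means any node added to `Sanitizer` for the remote-input query also stops flow from `StoredFlowSource`, which matters when a sanitizer is only valid for request data. As far as this hunk shows, the removed subclass inherited its sanitizers the same way, so this is a documentation point rather than a behaviour change.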