Merge branch 'main' into shared-bb-dominates

csharp/ql/lib/semmle/code/csharp/controlflow/internal/PreSsa.qll

@@ -90,7 +90,7 @@ module PreSsa {
 
     BasicBlock getABasicBlockSuccessor(BasicBlock bb) { result = bb.getASuccessor() }
 
-    class ExitBasicBlock extends BasicBlock {
+    private class ExitBasicBlock extends BasicBlock {
       ExitBasicBlock() { scopeLast(_, this.getLastElement(), _) }
     }
 

csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll

@@ -345,7 +345,7 @@ module Ssa {
      * - The read of `this.Field` on line 11 is a last read of the phi node
      *   between lines 9 and 10.
      */
-    final AssignableRead getALastRead() { result = this.getALastReadAtNode(_) }
+    deprecated final AssignableRead getALastRead() { result = this.getALastReadAtNode(_) }
 
     /**
      * Gets a last read of the source variable underlying this SSA definition at
@@ -375,7 +375,7 @@ module Ssa {
      * - The read of `this.Field` on line 11 is a last read of the phi node
      *   between lines 9 and 10.
      */
-    final AssignableRead getALastReadAtNode(ControlFlow::Node cfn) {
+    deprecated final AssignableRead getALastReadAtNode(ControlFlow::Node cfn) {
       SsaImpl::lastReadSameVar(this, cfn) and
       result.getAControlFlowNode() = cfn
     }

csharp/ql/lib/semmle/code/csharp/dataflow/internal/BaseSSA.qll

@@ -55,8 +55,6 @@ module BaseSsa {
 
     BasicBlock getABasicBlockSuccessor(BasicBlock bb) { result = bb.getASuccessor() }
 
-    class ExitBasicBlock extends BasicBlock, ControlFlow::BasicBlocks::ExitBlock { }
-
     class SourceVariable = PreSsa::SimpleLocalScopeVariable;
 
     predicate variableWrite(BasicBlock bb, int i, SourceVariable v, boolean certain) {

csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll

@@ -17,8 +17,6 @@ private module SsaInput implements SsaImplCommon::InputSig<Location> {
 
   BasicBlock getABasicBlockSuccessor(BasicBlock bb) { result = bb.getASuccessor() }
 
-  class ExitBasicBlock extends BasicBlock, ControlFlow::BasicBlocks::ExitBlock { }
-
   class SourceVariable = Ssa::SourceVariable;
 
   /**
@@ -784,7 +782,9 @@ private predicate adjacentDefReachesUncertainRead(
 
 /** Same as `lastRefRedef`, but skips uncertain reads. */
 pragma[nomagic]
-private predicate lastRefSkipUncertainReads(Definition def, SsaInput::BasicBlock bb, int i) {
+deprecated private predicate lastRefSkipUncertainReads(
+  Definition def, SsaInput::BasicBlock bb, int i
+) {
   Impl::lastRef(def, bb, i) and
   not SsaInput::variableRead(bb, i, def.getSourceVariable(), false)
   or
@@ -794,6 +794,15 @@ private predicate lastRefSkipUncertainReads(Definition def, SsaInput::BasicBlock
   )
 }
 
+pragma[nomagic]
+deprecated predicate lastReadSameVar(Definition def, ControlFlow::Node cfn) {
+  exists(ControlFlow::BasicBlock bb, int i |
+    lastRefSkipUncertainReads(def, bb, i) and
+    variableReadActual(bb, i, _) and
+    cfn = bb.getNode(i)
+  )
+}
+
 cached
 private module Cached {
   cached
@@ -957,15 +966,6 @@ private module Cached {
     )
   }
 
-  cached
-  predicate lastReadSameVar(Definition def, ControlFlow::Node cfn) {
-    exists(ControlFlow::BasicBlock bb, int i |
-      lastRefSkipUncertainReads(def, bb, i) and
-      variableReadActual(bb, i, _) and
-      cfn = bb.getNode(i)
-    )
-  }
-
   cached
   Definition uncertainWriteDefinitionInput(UncertainWriteDefinition def) {
     Impl::uncertainWriteDefinitionInput(def, result)

csharp/ql/lib/semmle/code/csharp/frameworks/microsoft/aspnetcore/Components.qll

@@ -0,0 +1,135 @@
+/** Provides classes for working with `Microsoft.AspNetCore.Components` */
+
+import csharp
+import semmle.code.csharp.frameworks.Microsoft
+import semmle.code.csharp.frameworks.microsoft.AspNetCore
+
+/** The `Microsoft.AspNetCore.Components` namespace */
+class MicrosoftAspNetCoreComponentsNamespace extends Namespace {
+  MicrosoftAspNetCoreComponentsNamespace() {
+    this.getParentNamespace() instanceof MicrosoftAspNetCoreNamespace and
+    this.hasName("Components")
+  }
+}
+
+/**
+ * A class in the `Microsoft.AspNetCore.Components` namespace.
+ */
+private class MicrosoftAspNetCoreComponentsClass extends Class {
+  MicrosoftAspNetCoreComponentsClass() {
+    this.getNamespace() instanceof MicrosoftAspNetCoreComponentsNamespace
+  }
+}
+
+/** The `Microsoft.AspNetCore.Components.CascadingParameterAttributeBase` class. */
+class MicrosoftAspNetCoreComponentsCascadingParameterAttributeBaseClass extends MicrosoftAspNetCoreComponentsClass
+{
+  MicrosoftAspNetCoreComponentsCascadingParameterAttributeBaseClass() {
+    this.hasName("CascadingParameterAttributeBase")
+  }
+}
+
+/** The `Microsoft.AspNetCore.Components.ComponentBase` class. */
+class MicrosoftAspNetCoreComponentsComponentBaseClass extends MicrosoftAspNetCoreComponentsClass {
+  MicrosoftAspNetCoreComponentsComponentBaseClass() { this.hasName("ComponentBase") }
+}
+
+/** The `Microsoft.AspNetCore.Components.IComponent` interface. */
+class MicrosoftAspNetCoreComponentsIComponentInterface extends Interface {
+  MicrosoftAspNetCoreComponentsIComponentInterface() {
+    this.getNamespace() instanceof MicrosoftAspNetCoreComponentsNamespace and
+    this.hasName("IComponent")
+  }
+}
+
+/** The `Microsoft.AspNetCore.Components.RouteAttribute` attribute. */
+private class MicrosoftAspNetCoreComponentsRouteAttribute extends Attribute {
+  MicrosoftAspNetCoreComponentsRouteAttribute() {
+    this.getType().getNamespace() instanceof MicrosoftAspNetCoreComponentsNamespace and
+    this.getType().hasName("RouteAttribute")
+  }
+}
+
+/** The `Microsoft.AspNetCore.Components.ParameterAttribute` attribute. */
+private class MicrosoftAspNetCoreComponentsParameterAttribute extends Attribute {
+  MicrosoftAspNetCoreComponentsParameterAttribute() {
+    this.getType().getNamespace() instanceof MicrosoftAspNetCoreComponentsNamespace and
+    this.getType().hasName("ParameterAttribute")
+  }
+}
+
+/** An ASP.NET Core (Blazor) component. */
+class MicrosoftAspNetCoreComponentsComponent extends Class {
+  MicrosoftAspNetCoreComponentsComponent() {
+    this.getABaseType+() instanceof MicrosoftAspNetCoreComponentsComponentBaseClass or
+    this.getABaseType+() instanceof MicrosoftAspNetCoreComponentsIComponentInterface
+  }
+
+  /** Gets a property whose value cascades down the component hierarchy. */
+  Property getACascadingParameterProperty() {
+    result = this.getAProperty() and
+    result.getAnAttribute().getType().getBaseClass() instanceof
+      MicrosoftAspNetCoreComponentsCascadingParameterAttributeBaseClass
+  }
+
+  /** Gets the url for the route from the `Microsoft.AspNetCore.Components.RouteAttribute` of the component. */
+  private string getRouteAttributeUrl() {
+    exists(MicrosoftAspNetCoreComponentsRouteAttribute a | a = this.getAnAttribute() |
+      result = a.getArgument(0).getValue()
+    )
+  }
+
+  /**
+   * Gets a route parameter from the `Microsoft.AspNetCore.Components.RouteAttribute` of the component.
+   *
+   * A route parameter is defined in the URL by wrapping its name in a pair of { braces } when adding a component's @page declaration.
+   * There are various extensions that can be added next to the parameter name, such as `:int` or `?` to make the parameter optional.
+   * Optionally, the parameter name can start with a `*` to make it a catch-all parameter.
+   *
+   * An example of a route parameter is `@page "/counter/{id:int}/{other?}/{*rest}"`, from this we're getting the `id`, `other` and `rest` parameters.
+   */
+  pragma[nomagic]
+  private string getARouteParameter() {
+    exists(string s |
+      s = this.getRouteAttributeUrl().splitAt("{").regexpCapture("\\*?([^:?}]+)[:?}](.*)", 1) and
+      result = s.toLowerCase()
+    )
+  }
+
+  /** Gets a property attributed with `[Parameter]` attribute. */
+  pragma[nomagic]
+  private Property getAParameterProperty(string name) {
+    result = this.getAProperty() and
+    result.getAnAttribute() instanceof MicrosoftAspNetCoreComponentsParameterAttribute and
+    name = result.getName().toLowerCase()
+  }
+
+  /** Gets a property whose value is populated from route parameters. */
+  Property getARouteParameterProperty() {
+    exists(string name | name = this.getARouteParameter() |
+      result = this.getAParameterProperty(name)
+    )
+  }
+}
+
+private module Sources {
+  private import semmle.code.csharp.security.dataflow.flowsources.Remote
+
+  /**
+   * A property with a `[Parameter]` attribute in an ASP.NET Core component which
+   * is populated from a route parameter.
+   */
+  private class AspNetCoreComponentRouteParameterFlowSource extends AspNetRemoteFlowSource,
+    DataFlow::ExprNode
+  {
+    AspNetCoreComponentRouteParameterFlowSource() {
+      exists(MicrosoftAspNetCoreComponentsComponent c, Property p |
+        p = c.getARouteParameterProperty()
+      |
+        this.asExpr() = p.getGetter().getACall()
+      )
+    }
+
+    override string getSourceType() { result = "ASP.NET Core component route parameter" }
+  }
+}

csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/Remote.qll

@@ -26,7 +26,8 @@ abstract class RemoteFlowSource extends SourceNode {
  * A module for importing frameworks that defines remote flow sources.
  */
 private module RemoteFlowSources {
-  private import semmle.code.csharp.frameworks.ServiceStack
+  private import semmle.code.csharp.frameworks.ServiceStack as ServiceStack
+  private import semmle.code.csharp.frameworks.microsoft.aspnetcore.Components as Blazor
 }
 
 /** A data flow source of remote user input (ASP.NET). */