hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-28 10:15:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #6718 from hvitved/csharp/xss-subpath

Browse Source 
C#: Add `subpaths` predicate to XSS queries
This commit is contained in:
Tom Hvitved
2021-09-20 12:47:27 +02:00
committed by GitHub
parent 64507ab316 6d315a5d16
commit 82d463e86e
3 changed files with 12 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
csharp/ql/lib/semmle/code/csharp/security/dataflow/XSSQuery.qll
View File

@@ -62,6 +62,16 @@ module PathGraph {
key = "semmle.label" and
val = n.(XssAspNode).toString()
}
/**
* Holds if `(arg, par, ret, out)` forms a subpath-tuple, that is, flow through
* a subpath between `par` and `ret` with the connecting edges `arg -> par` and
* `ret -> out` is summarized as the edge `arg -> out`.
*/
query predicate subpaths(XssNode arg, XssNode par, XssNode ret, XssNode out) {
DataFlow2::PathGraph::subpaths(arg.asDataFlowNode(), par.asDataFlowNode(), ret.asDataFlowNode(),
out.asDataFlowNode())
}
}
private newtype TXssNode =

1
csharp/ql/test/query-tests/Security Features/CWE-079/StoredXSS/XSS.expected
View File

@@ -44,6 +44,7 @@ nodes
| script.aspx:12:1:12:14 | <%= ... %> | semmle.label | <%= ... %> |
| script.aspx:16:1:16:34 | <%= ... %> | semmle.label | <%= ... %> |
| script.aspx:20:1:20:41 | <%= ... %> | semmle.label | <%= ... %> |
subpaths
#select
| XSS.cs:26:32:26:51 | call to method ToString | XSS.cs:25:48:25:62 | access to field categoryTextBox : TextBox | XSS.cs:26:32:26:51 | call to method ToString | $@ flows to here and is written to HTML or JavaScript. | XSS.cs:25:48:25:62 | access to field categoryTextBox : TextBox | User-provided value |
| XSS.cs:27:29:27:48 | call to method ToString | XSS.cs:25:48:25:62 | access to field categoryTextBox : TextBox | XSS.cs:27:29:27:48 | call to method ToString | $@ flows to here and is written to HTML or JavaScript. | XSS.cs:25:48:25:62 | access to field categoryTextBox : TextBox | User-provided value |

1
csharp/ql/test/query-tests/Security Features/CWE-079/XSS/XSS.expected
View File

@@ -34,6 +34,7 @@ nodes
| XSSAspNetCore.cs:72:51:72:65 | access to property Headers : IHeaderDictionary | semmle.label | access to property Headers : IHeaderDictionary |
| XSSAspNetCore.cs:72:51:72:72 | access to indexer : StringValues | semmle.label | access to indexer : StringValues |
| XSSAspNetCore.cs:72:51:72:72 | call to operator implicit conversion | semmle.label | call to operator implicit conversion |
subpaths
#select
| XSSAspNet.cs:26:30:26:34 | access to local variable sayHi | XSSAspNet.cs:19:25:19:43 | access to property QueryString : NameValueCollection | XSSAspNet.cs:26:30:26:34 | access to local variable sayHi | $@ flows to here and is written to HTML or JavaScript: System.Web.WebPages.WebPage.WriteLiteral() method. | XSSAspNet.cs:19:25:19:43 | access to property QueryString : NameValueCollection | User-provided value |
| XSSAspNet.cs:36:40:36:44 | access to local variable sayHi | XSSAspNet.cs:19:25:19:43 | access to property QueryString : NameValueCollection | XSSAspNet.cs:36:40:36:44 | access to local variable sayHi | $@ flows to here and is written to HTML or JavaScript: System.Web.WebPages.WebPage.WriteLiteralTo() method. | XSSAspNet.cs:19:25:19:43 | access to property QueryString : NameValueCollection | User-provided value |