feat: Additional models as data extensions

- `logging`, `ldap`, and `url-redirect` sinks
2026-04-27 09:45:15 +02:00 · 2023-05-09 17:31:51 +01:00
parent 3d5c8153ca
commit 8f39f028e6
4 changed files with 22 additions and 0 deletions
--- a/csharp/ql/lib/change-notes/2023-05-09-models-as-data.md
+++ b/csharp/ql/lib/change-notes/2023-05-09-models-as-data.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Additional support for `logging`, `ldap`, and `url-redirect` sink kinds for Models as Data.
--- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/LDAPInjectionQuery.qll
+++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/LDAPInjectionQuery.qll
@@ -8,6 +8,7 @@ private import semmle.code.csharp.security.dataflow.flowsources.Remote
 private import semmle.code.csharp.frameworks.system.DirectoryServices
 private import semmle.code.csharp.frameworks.system.directoryservices.Protocols
 private import semmle.code.csharp.security.Sanitizers
+private import semmle.code.csharp.dataflow.ExternalFlow

 /**
 * A data flow source for unvalidated user input that is used to construct LDAP queries.
@@ -68,6 +69,11 @@ module LdapInjection = TaintTracking::Global<LdapInjectionConfig>;
 /** A source of remote user input. */
 class RemoteSource extends Source instanceof RemoteFlowSource { }

+/** LDAP sinks defined through Models as Data. */
+private class ExternalLDAPExprSink extends Sink {
+  ExternalLDAPExprSink() { sinkNode(this, "ldap") }
+}
+
 /**
 * An argument that sets the `Path` property of a `DirectoryEntry` object that is a sink for LDAP
 * injection.
--- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/LogForgingQuery.qll
+++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/LogForgingQuery.qll
@@ -8,6 +8,7 @@ private import semmle.code.csharp.frameworks.System
 private import semmle.code.csharp.frameworks.system.text.RegularExpressions
 private import semmle.code.csharp.security.Sanitizers
 private import semmle.code.csharp.security.dataflow.flowsinks.ExternalLocationSink
+private import semmle.code.csharp.dataflow.ExternalFlow

 /**
 * A data flow source for untrusted user input used in log entries.
@@ -72,6 +73,11 @@ private class LogForgingLogMessageSink extends Sink, LogMessageSink { }
 */
 private class LogForgingTraceMessageSink extends Sink, TraceMessageSink { }

+/** Log Forging sinks defined through Models as Data. */
+private class ExternalLDAPExprSink extends Sink {
+  ExternalLDAPExprSink() { sinkNode(this, "logging") }
+}
+
 /**
 * A call to String replace or remove that is considered to sanitize replaced string.
 */
--- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/UrlRedirectQuery.qll
+++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/UrlRedirectQuery.qll
@@ -9,6 +9,7 @@ private import semmle.code.csharp.frameworks.system.Web
 private import semmle.code.csharp.frameworks.system.web.Mvc
 private import semmle.code.csharp.security.Sanitizers
 private import semmle.code.csharp.frameworks.microsoft.AspNetCore
+private import semmle.code.csharp.dataflow.ExternalFlow

 /**
 * A data flow source for unvalidated URL redirect vulnerabilities.
@@ -70,6 +71,11 @@ module UrlRedirect = TaintTracking::Global<UrlRedirectConfig>;
 /** A source of remote user input. */
 class RemoteSource extends Source instanceof RemoteFlowSource { }

+/** URL Redirection sinks defined through Models as Data. */
+private class ExternalLDAPExprSink extends Sink {
+  ExternalLDAPExprSink() { sinkNode(this, "url-redirect") }
+}
+
 /**
 * A URL argument to a call to `HttpResponse.Redirect()` or `Controller.Redirect()`, that is a
 * sink for URL redirects.