Merge pull request #3951 from raulgarciamsft/users/raulgarciamsft/dataset_serialization

C#: DataSet serialization
2026-04-28 02:05:14 +02:00 · 2020-08-07 12:54:10 +02:00
parent 77db87efb7 3682a902de
commit c20d763490
19 changed files with 350 additions and 0 deletions
--- a/Features/Serialization/DefiningDatasetRelatedType.expected
+++ b/Features/Serialization/DefiningDatasetRelatedType.expected
@@ -0,0 +1,2 @@
+| test0.cs:13:18:13:43 | DerivesFromDeprecatedType1 | Defining a class that inherits or has a property derived from the obsolete DataSet or DataTable types. Please visit https://go.microsoft.com/fwlink/?linkid=2132227 for details. |
+| test0.cs:59:18:59:38 | AttributeSerializer01 | Defining a class that inherits or has a property derived from the obsolete DataSet or DataTable types. Please visit https://go.microsoft.com/fwlink/?linkid=2132227 for details. |
--- a/Features/Serialization/DefiningDatasetRelatedType.qlref
+++ b/Features/Serialization/DefiningDatasetRelatedType.qlref
@@ -0,0 +1 @@
+experimental/Security Features/Serialization/DefiningDatasetRelatedType.ql
--- a/Features/Serialization/DefiningPotentiallyUnsafeXmlSerializer.expected
+++ b/Features/Serialization/DefiningPotentiallyUnsafeXmlSerializer.expected
@@ -0,0 +1,2 @@
+| test0.cs:15:24:15:32 | MyDataSet | Defining an serializable class $@ that has member $@ of a type that is derived from DataSet or DataTable types and may lead to a security problem. Please visit https://go.microsoft.com/fwlink/?linkid=2132227 for details. | test0.cs:13:18:13:43 | DerivesFromDeprecatedType1 | DerivesFromDeprecatedType1 | test0.cs:15:24:15:32 | MyDataSet | MyDataSet |
+| test0.cs:61:25:61:33 | MyDataSet | Defining an serializable class $@ that has member $@ of a type that is derived from DataSet or DataTable types and may lead to a security problem. Please visit https://go.microsoft.com/fwlink/?linkid=2132227 for details. | test0.cs:59:18:59:38 | AttributeSerializer01 | AttributeSerializer01 | test0.cs:61:25:61:33 | MyDataSet | MyDataSet |
--- a/Features/Serialization/DefiningPotentiallyUnsafeXmlSerializer.qlref
+++ b/Features/Serialization/DefiningPotentiallyUnsafeXmlSerializer.qlref
@@ -0,0 +1 @@
+experimental/Security Features/Serialization/DefiningPotentiallyUnsafeXmlSerializer.ql
--- a/Features/Serialization/UnsafeTypeUsedDataContractSerializer.expected
+++ b/Features/Serialization/UnsafeTypeUsedDataContractSerializer.expected
@@ -0,0 +1,2 @@
+| test0.cs:95:49:95:63 | typeof(...) | Unsafe type is used in data contract serializer. Make sure $@ comes from the trusted source. | test0.cs:95:49:95:63 | typeof(...) | typeof(...) |
+| test0.cs:96:49:96:77 | typeof(...) | Unsafe type is used in data contract serializer. Make sure $@ comes from the trusted source. | test0.cs:96:49:96:77 | typeof(...) | typeof(...) |
--- a/Features/Serialization/UnsafeTypeUsedDataContractSerializer.qlref
+++ b/Features/Serialization/UnsafeTypeUsedDataContractSerializer.qlref
@@ -0,0 +1 @@
+experimental/Security Features/Serialization/UnsafeTypeUsedDataContractSerializer.ql
--- a/Features/Serialization/XmlDeserializationWithDataSet.expected
+++ b/Features/Serialization/XmlDeserializationWithDataSet.expected
@@ -0,0 +1 @@
+| test0.cs:88:17:88:46 | call to method ReadXmlSchema | Making an XML deserialization call with a type derived from DataSet or DataTable types and may lead to a security problem. Please visit https://go.microsoft.com/fwlink/?linkid=2132227 for details. |
--- a/Features/Serialization/XmlDeserializationWithDataSet.qlref
+++ b/Features/Serialization/XmlDeserializationWithDataSet.qlref
@@ -0,0 +1 @@
+experimental/Security Features/Serialization/XmlDeserializationWithDataSet.ql
--- a/csharp/ql/test/experimental/Security
+++ b/csharp/ql/test/experimental/Security
@@ -0,0 +1,101 @@
+// semmle-extractor-options: /r:System.Data.Common.dll /r:System.Runtime.WindowsRuntime.dll /r:System.Xml.XmlSerializer.dll /r:System.Runtime.Serialization.Xml.dll /r:System.Runtime.Serialization.Xml.dll /r:System.Collections.dll /r:System.Private.Xml.dll /r:System.Private.DataContractSerialization.dll /r:System.Runtime.Extensions.dll /r:System.ComponentModel.TypeConverter.dll /r:System.Xml.ReaderWriter.dll /r:System.IO.FileSystem.dll
+
+using System;
+using System.Data;
+using System.IO;
+using System.Xml.Serialization;
+using System.Runtime.Serialization;
+using System.Xml;
+using System.Collections.Generic;
+
+namespace DataSetSerializationTest
+{
+    public class DerivesFromDeprecatedType1 : XmlSerializer // warning:DefiningDatasetRelatedType.ql
+    {
+        public DataSet MyDataSet { get; set; }  // bug:DefiningPotentiallyUnsafeXmlSerializer.ql
+
+        public DerivesFromDeprecatedType1()
+        {
+        }
+    }
+
+    /*  
+     *  TODO: I cannot use DataContract on a QL unit test
+     *  
+    [DataContract(Name = "Customer", Namespace = "http://www.contoso.com")]
+    public class PatternDataContractSerializer : XmlObjectSerializer
+    {
+        [DataMember()]
+        public DataSet MyDataSet { get; set; }
+        [DataMember()]
+        public DataTable MyDataTable { get; set; }
+
+        PatternDataContractSerializer() { }
+        private ExtensionDataObject extensionData_Value;
+        public ExtensionDataObject ExtensionData
+        {
+            get
+            {
+                return extensionData_Value;
+            }
+            set
+            {
+                extensionData_Value = value;
+            }
+        }
+
+        public override void WriteObject(System.IO.Stream stream, object graph) { }
+        public override void WriteObjectContent(System.Xml.XmlDictionaryWriter writer, object graph) { }
+        public override bool IsStartObject(System.Xml.XmlDictionaryReader reader) { return false; }
+        public override void WriteStartObject(System.Xml.XmlDictionaryWriter writer, object graph) { }
+        public override void WriteEndObject(System.Xml.XmlWriter writer) { }
+        public override void WriteEndObject(XmlDictionaryWriter writer) { }
+        public override object ReadObject(System.IO.Stream stream) { return null; }
+        public override object ReadObject(XmlDictionaryReader reader, bool b) { return null; }
+    }
+    */
+
+    [Serializable()]
+    public class AttributeSerializer01  // warning:DefiningDatasetRelatedType.ql
+    {
+        private DataSet MyDataSet;  // bug:DefiningPotentiallyUnsafeXmlSerializer.ql
+
+        AttributeSerializer01()
+        {
+        }
+    }
+
+    class Program
+    {
+        static string GetSerializedDataSet(DataSet dataSet)
+        {
+            DataTable dataTable = new DataTable("MyTable");
+            dataTable.Columns.Add("FirstName", typeof(string));
+            dataTable.Columns.Add("LastName", typeof(string));
+            dataTable.Columns.Add("Age", typeof(int));
+
+            StringWriter writer = new StringWriter();
+            dataSet.WriteXml(writer, XmlWriteMode.DiffGram);
+            return writer.ToString();
+        }
+
+        static void datatable_readxmlschema_01(string fileName)
+        {
+            using (FileStream fs = File.OpenRead(fileName))
+            {
+                DataTable newTable = new DataTable();
+                System.Xml.XmlTextReader reader = new System.Xml.XmlTextReader(fs);
+                newTable.ReadXmlSchema(reader); //bug:XmlDeserializationWithDataSet.ql
+            }
+        }
+
+        static void Main(string[] args)
+        {
+
+            XmlSerializer x = new XmlSerializer(typeof(DataSet));   // bug:UnsafeTypeUsedDataContractSerializer.ql
+            XmlSerializer y = new XmlSerializer(typeof(AttributeSerializer01)); //bug:UnsafeTypeUsedDataContractSerializer.ql
+
+            Console.WriteLine("Hello World!");
+        }
+    }
+}
				`@@ -0,0 +1 @@`
				`experimental/Security Features/Serialization/DefiningDatasetRelatedType.ql`
				`@@ -0,0 +1 @@`
				`\| test0.cs:88:17:88:46 \| call to method ReadXmlSchema \| Making an XML deserialization call with a type derived from DataSet or DataTable types and may lead to a security problem. Please visit https://go.microsoft.com/fwlink/?linkid=2132227 for details. \|`