From c812d4e4e81b1e64146e242563a9f545ab2453de Mon Sep 17 00:00:00 2001 From: Tom Hvitved Date: Fri, 2 Jul 2021 10:47:41 +0200 Subject: [PATCH] C#: Add `Query` suffix to libraries that should only be imported by queries --- .../ExternalAPIsUsedWithUntrustedData.ql | 2 +- .../CWE-020/UntrustedDataToExternalAPI.ql | 2 +- .../Security Features/CWE-022/TaintedPath.ql | 2 +- .../src/Security Features/CWE-022/ZipSlip.ql | 2 +- .../CWE-078/CommandInjection.ql | 2 +- .../CWE-078/StoredCommandInjection.ql | 2 +- .../Security Features/CWE-079/StoredXSS.ql | 2 +- .../ql/src/Security Features/CWE-079/XSS.ql | 2 +- .../CWE-089/SecondOrderSqlInjection.ql | 2 +- .../Security Features/CWE-089/SqlInjection.ql | 2 +- .../CWE-090/LDAPInjection.ql | 2 +- .../CWE-090/StoredLDAPInjection.ql | 2 +- .../CWE-094/CodeInjection.ql | 2 +- .../CWE-099/ResourceInjection.ql | 2 +- .../CWE-112/MissingXMLValidation.ql | 2 +- .../Security Features/CWE-117/LogForging.ql | 2 +- .../CWE-312/CleartextStorage.ql | 2 +- .../CWE-321/HardcodedEncryptionKey.ql | 2 +- .../CWE-359/ExposureOfPrivateInformation.ql | 2 +- .../CWE-502/UnsafeDeserialization.ql | 2 +- .../UnsafeDeserializationUntrustedInput.ql | 2 +- .../Security Features/CWE-601/UrlRedirect.ql | 2 +- .../CWE-611/UntrustedDataInsecureXml.ql | 2 +- .../CWE-611/UseXmlSecureResolver.ql | 2 +- .../CWE-643/StoredXPathInjection.ql | 2 +- .../CWE-643/XPathInjection.ql | 2 +- .../ql/src/Security Features/CWE-730/ReDoS.ql | 2 +- .../CWE-730/RegexInjection.ql | 2 +- .../CWE-798/HardcodedConnectionString.ql | 2 +- .../CWE-798/HardcodedCredentials.ql | 2 +- .../CWE-807/ConditionalBypass.ql | 2 +- .../CWE-838/InappropriateEncoding.ql | 4 +- csharp/ql/src/Useless code/DefaultToString.ql | 2 +- ...tToString.qll => DefaultToStringQuery.qll} | 0 .../code/csharp/dataflow/ExternalFlow.qll | 2 +- ...low.qll => EncryptionKeyDataFlowQuery.qll} | 0 ...tStorage.qll => CleartextStorageQuery.qll} | 0 ...deInjection.qll => CodeInjectionQuery.qll} | 0 ...njection.qll => CommandInjectionQuery.qll} | 0 ...lBypass.qll => ConditionalBypassQuery.qll} | 0 ... => ExposureOfPrivateInformationQuery.qll} | 0 ...ExternalAPIs.qll => ExternalAPIsQuery.qll} | 0 ...ials.qll => HardcodedCredentialsQuery.qll} | 0 ...APInjection.qll => LDAPInjectionQuery.qll} | 0 .../{LogForging.qll => LogForgingQuery.qll} | 0 ...tion.qll => MissingXMLValidationQuery.qll} | 0 .../dataflow/{ReDoS.qll => ReDoSQuery.qll} | 0 ...xInjection.qll => RegexInjectionQuery.qll} | 0 ...jection.qll => ResourceInjectionQuery.qll} | 0 ...SqlInjection.qll => SqlInjectionQuery.qll} | 0 .../{TaintedPath.qll => TaintedPathQuery.qll} | 0 ...ion.qll => UnsafeDeserializationQuery.qll} | 0 .../{UrlRedirect.qll => UrlRedirectQuery.qll} | 0 ...ection.qll => XMLEntityInjectionQuery.qll} | 2 +- ...hInjection.qll => XPathInjectionQuery.qll} | 0 .../code/csharp/security/dataflow/XSS.qll | 425 ------------------ .../csharp/security/dataflow/XSSQuery.qll | 171 +++++++ .../csharp/security/dataflow/XSSSinks.qll | 259 +++++++++++ .../{ZipSlip.qll => ZipSlipQuery.qll} | 0 .../security/dataflow/flowsinks/Remote.qll | 2 +- .../{InsecureXML.qll => InsecureXMLQuery.qll} | 0 .../CWE-079/StoredXSS/AspInline.ql | 4 +- .../CWE-611/InsecureXMLSettings.ql | 2 +- .../CWE-730/ReDoS/ExponentialRegex.ql | 4 +- .../DefaultToString/DefaultToString.ql | 2 +- 65 files changed, 473 insertions(+), 468 deletions(-) rename csharp/ql/src/Useless code/{DefaultToString.qll => DefaultToStringQuery.qll} (100%) rename csharp/ql/src/semmle/code/csharp/security/cryptography/{EncryptionKeyDataFlow.qll => EncryptionKeyDataFlowQuery.qll} (100%) rename csharp/ql/src/semmle/code/csharp/security/dataflow/{CleartextStorage.qll => CleartextStorageQuery.qll} (100%) rename csharp/ql/src/semmle/code/csharp/security/dataflow/{CodeInjection.qll => CodeInjectionQuery.qll} (100%) rename csharp/ql/src/semmle/code/csharp/security/dataflow/{CommandInjection.qll => CommandInjectionQuery.qll} (100%) rename csharp/ql/src/semmle/code/csharp/security/dataflow/{ConditionalBypass.qll => ConditionalBypassQuery.qll} (100%) rename csharp/ql/src/semmle/code/csharp/security/dataflow/{ExposureOfPrivateInformation.qll => ExposureOfPrivateInformationQuery.qll} (100%) rename csharp/ql/src/semmle/code/csharp/security/dataflow/{ExternalAPIs.qll => ExternalAPIsQuery.qll} (100%) rename csharp/ql/src/semmle/code/csharp/security/dataflow/{HardcodedCredentials.qll => HardcodedCredentialsQuery.qll} (100%) rename csharp/ql/src/semmle/code/csharp/security/dataflow/{LDAPInjection.qll => LDAPInjectionQuery.qll} (100%) rename csharp/ql/src/semmle/code/csharp/security/dataflow/{LogForging.qll => LogForgingQuery.qll} (100%) rename csharp/ql/src/semmle/code/csharp/security/dataflow/{MissingXMLValidation.qll => MissingXMLValidationQuery.qll} (100%) rename csharp/ql/src/semmle/code/csharp/security/dataflow/{ReDoS.qll => ReDoSQuery.qll} (100%) rename csharp/ql/src/semmle/code/csharp/security/dataflow/{RegexInjection.qll => RegexInjectionQuery.qll} (100%) rename csharp/ql/src/semmle/code/csharp/security/dataflow/{ResourceInjection.qll => ResourceInjectionQuery.qll} (100%) rename csharp/ql/src/semmle/code/csharp/security/dataflow/{SqlInjection.qll => SqlInjectionQuery.qll} (100%) rename csharp/ql/src/semmle/code/csharp/security/dataflow/{TaintedPath.qll => TaintedPathQuery.qll} (100%) rename csharp/ql/src/semmle/code/csharp/security/dataflow/{UnsafeDeserialization.qll => UnsafeDeserializationQuery.qll} (100%) rename csharp/ql/src/semmle/code/csharp/security/dataflow/{UrlRedirect.qll => UrlRedirectQuery.qll} (100%) rename csharp/ql/src/semmle/code/csharp/security/dataflow/{XMLEntityInjection.qll => XMLEntityInjectionQuery.qll} (97%) rename csharp/ql/src/semmle/code/csharp/security/dataflow/{XPathInjection.qll => XPathInjectionQuery.qll} (100%) delete mode 100644 csharp/ql/src/semmle/code/csharp/security/dataflow/XSS.qll create mode 100644 csharp/ql/src/semmle/code/csharp/security/dataflow/XSSQuery.qll create mode 100644 csharp/ql/src/semmle/code/csharp/security/dataflow/XSSSinks.qll rename csharp/ql/src/semmle/code/csharp/security/dataflow/{ZipSlip.qll => ZipSlipQuery.qll} (100%) rename csharp/ql/src/semmle/code/csharp/security/xml/{InsecureXML.qll => InsecureXMLQuery.qll} (100%) diff --git a/csharp/ql/src/Security Features/CWE-020/ExternalAPIsUsedWithUntrustedData.ql b/csharp/ql/src/Security Features/CWE-020/ExternalAPIsUsedWithUntrustedData.ql index e7de9e936c8..d34c8037e8b 100644 --- a/csharp/ql/src/Security Features/CWE-020/ExternalAPIsUsedWithUntrustedData.ql +++ b/csharp/ql/src/Security Features/CWE-020/ExternalAPIsUsedWithUntrustedData.ql @@ -9,7 +9,7 @@ */ import csharp -import semmle.code.csharp.security.dataflow.ExternalAPIs +import semmle.code.csharp.security.dataflow.ExternalAPIsQuery from ExternalAPIUsedWithUntrustedData externalAPI select externalAPI, count(externalAPI.getUntrustedDataNode()) as numberOfUses, diff --git a/csharp/ql/src/Security Features/CWE-020/UntrustedDataToExternalAPI.ql b/csharp/ql/src/Security Features/CWE-020/UntrustedDataToExternalAPI.ql index ca21947ee9b..88709f2e0cc 100644 --- a/csharp/ql/src/Security Features/CWE-020/UntrustedDataToExternalAPI.ql +++ b/csharp/ql/src/Security Features/CWE-020/UntrustedDataToExternalAPI.ql @@ -11,7 +11,7 @@ import csharp import semmle.code.csharp.dataflow.TaintTracking -import semmle.code.csharp.security.dataflow.ExternalAPIs +import semmle.code.csharp.security.dataflow.ExternalAPIsQuery import DataFlow::PathGraph from UntrustedDataToExternalAPIConfig config, DataFlow::PathNode source, DataFlow::PathNode sink diff --git a/csharp/ql/src/Security Features/CWE-022/TaintedPath.ql b/csharp/ql/src/Security Features/CWE-022/TaintedPath.ql index b3659df1617..330ddc65754 100644 --- a/csharp/ql/src/Security Features/CWE-022/TaintedPath.ql +++ b/csharp/ql/src/Security Features/CWE-022/TaintedPath.ql @@ -15,7 +15,7 @@ */ import csharp -import semmle.code.csharp.security.dataflow.TaintedPath::TaintedPath +import semmle.code.csharp.security.dataflow.TaintedPathQuery::TaintedPath import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink diff --git a/csharp/ql/src/Security Features/CWE-022/ZipSlip.ql b/csharp/ql/src/Security Features/CWE-022/ZipSlip.ql index 4203f94cb33..faebcea22f8 100644 --- a/csharp/ql/src/Security Features/CWE-022/ZipSlip.ql +++ b/csharp/ql/src/Security Features/CWE-022/ZipSlip.ql @@ -13,7 +13,7 @@ */ import csharp -import semmle.code.csharp.security.dataflow.ZipSlip::ZipSlip +import semmle.code.csharp.security.dataflow.ZipSlipQuery::ZipSlip import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph from TaintTrackingConfiguration zipTaintTracking, DataFlow::PathNode source, DataFlow::PathNode sink diff --git a/csharp/ql/src/Security Features/CWE-078/CommandInjection.ql b/csharp/ql/src/Security Features/CWE-078/CommandInjection.ql index f66f86f290e..0ed341b8f4a 100644 --- a/csharp/ql/src/Security Features/CWE-078/CommandInjection.ql +++ b/csharp/ql/src/Security Features/CWE-078/CommandInjection.ql @@ -14,7 +14,7 @@ */ import csharp -import semmle.code.csharp.security.dataflow.CommandInjection::CommandInjection +import semmle.code.csharp.security.dataflow.CommandInjectionQuery::CommandInjection import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink diff --git a/csharp/ql/src/Security Features/CWE-078/StoredCommandInjection.ql b/csharp/ql/src/Security Features/CWE-078/StoredCommandInjection.ql index b15dd866e72..0da82aecbcd 100644 --- a/csharp/ql/src/Security Features/CWE-078/StoredCommandInjection.ql +++ b/csharp/ql/src/Security Features/CWE-078/StoredCommandInjection.ql @@ -15,7 +15,7 @@ import csharp import semmle.code.csharp.security.dataflow.flowsources.Stored -import semmle.code.csharp.security.dataflow.CommandInjection::CommandInjection +import semmle.code.csharp.security.dataflow.CommandInjectionQuery::CommandInjection import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph class StoredTaintTrackingConfiguration extends TaintTrackingConfiguration { diff --git a/csharp/ql/src/Security Features/CWE-079/StoredXSS.ql b/csharp/ql/src/Security Features/CWE-079/StoredXSS.ql index 548e72dbd56..947e9c1ab1b 100644 --- a/csharp/ql/src/Security Features/CWE-079/StoredXSS.ql +++ b/csharp/ql/src/Security Features/CWE-079/StoredXSS.ql @@ -14,7 +14,7 @@ import csharp import semmle.code.csharp.security.dataflow.flowsources.Stored -import semmle.code.csharp.security.dataflow.XSS::XSS +import semmle.code.csharp.security.dataflow.XSSQuery::XSS import semmle.code.csharp.dataflow.DataFlow2 import DataFlow2::PathGraph diff --git a/csharp/ql/src/Security Features/CWE-079/XSS.ql b/csharp/ql/src/Security Features/CWE-079/XSS.ql index 34a7ea87a72..eb916ada481 100644 --- a/csharp/ql/src/Security Features/CWE-079/XSS.ql +++ b/csharp/ql/src/Security Features/CWE-079/XSS.ql @@ -13,7 +13,7 @@ */ import csharp -import semmle.code.csharp.security.dataflow.XSS::XSS +import semmle.code.csharp.security.dataflow.XSSQuery::XSS import PathGraph from XssNode source, XssNode sink, string message diff --git a/csharp/ql/src/Security Features/CWE-089/SecondOrderSqlInjection.ql b/csharp/ql/src/Security Features/CWE-089/SecondOrderSqlInjection.ql index 7b9bfef0ef9..65382cf0375 100644 --- a/csharp/ql/src/Security Features/CWE-089/SecondOrderSqlInjection.ql +++ b/csharp/ql/src/Security Features/CWE-089/SecondOrderSqlInjection.ql @@ -12,7 +12,7 @@ */ import csharp -import semmle.code.csharp.security.dataflow.SqlInjection +import semmle.code.csharp.security.dataflow.SqlInjectionQuery import semmle.code.csharp.security.dataflow.flowsources.Stored import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph diff --git a/csharp/ql/src/Security Features/CWE-089/SqlInjection.ql b/csharp/ql/src/Security Features/CWE-089/SqlInjection.ql index e818eaeb0af..bb09de32cef 100644 --- a/csharp/ql/src/Security Features/CWE-089/SqlInjection.ql +++ b/csharp/ql/src/Security Features/CWE-089/SqlInjection.ql @@ -12,7 +12,7 @@ */ import csharp -import semmle.code.csharp.security.dataflow.SqlInjection::SqlInjection +import semmle.code.csharp.security.dataflow.SqlInjectionQuery::SqlInjection import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph string getSourceType(DataFlow::Node node) { diff --git a/csharp/ql/src/Security Features/CWE-090/LDAPInjection.ql b/csharp/ql/src/Security Features/CWE-090/LDAPInjection.ql index 4878b449eb8..9e45e2ef017 100644 --- a/csharp/ql/src/Security Features/CWE-090/LDAPInjection.ql +++ b/csharp/ql/src/Security Features/CWE-090/LDAPInjection.ql @@ -12,7 +12,7 @@ */ import csharp -import semmle.code.csharp.security.dataflow.LDAPInjection::LDAPInjection +import semmle.code.csharp.security.dataflow.LDAPInjectionQuery::LDAPInjection import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink diff --git a/csharp/ql/src/Security Features/CWE-090/StoredLDAPInjection.ql b/csharp/ql/src/Security Features/CWE-090/StoredLDAPInjection.ql index c2791b8f2b1..3f889198aec 100644 --- a/csharp/ql/src/Security Features/CWE-090/StoredLDAPInjection.ql +++ b/csharp/ql/src/Security Features/CWE-090/StoredLDAPInjection.ql @@ -12,7 +12,7 @@ */ import csharp -import semmle.code.csharp.security.dataflow.LDAPInjection::LDAPInjection +import semmle.code.csharp.security.dataflow.LDAPInjectionQuery::LDAPInjection import semmle.code.csharp.security.dataflow.flowsources.Stored import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph diff --git a/csharp/ql/src/Security Features/CWE-094/CodeInjection.ql b/csharp/ql/src/Security Features/CWE-094/CodeInjection.ql index 2d85c9aabbc..b9998784013 100644 --- a/csharp/ql/src/Security Features/CWE-094/CodeInjection.ql +++ b/csharp/ql/src/Security Features/CWE-094/CodeInjection.ql @@ -14,7 +14,7 @@ */ import csharp -import semmle.code.csharp.security.dataflow.CodeInjection::CodeInjection +import semmle.code.csharp.security.dataflow.CodeInjectionQuery::CodeInjection import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink diff --git a/csharp/ql/src/Security Features/CWE-099/ResourceInjection.ql b/csharp/ql/src/Security Features/CWE-099/ResourceInjection.ql index dee11139a58..76c3b19ae99 100644 --- a/csharp/ql/src/Security Features/CWE-099/ResourceInjection.ql +++ b/csharp/ql/src/Security Features/CWE-099/ResourceInjection.ql @@ -12,7 +12,7 @@ */ import csharp -import semmle.code.csharp.security.dataflow.ResourceInjection::ResourceInjection +import semmle.code.csharp.security.dataflow.ResourceInjectionQuery::ResourceInjection import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink diff --git a/csharp/ql/src/Security Features/CWE-112/MissingXMLValidation.ql b/csharp/ql/src/Security Features/CWE-112/MissingXMLValidation.ql index 24716639aa5..80624997f4b 100644 --- a/csharp/ql/src/Security Features/CWE-112/MissingXMLValidation.ql +++ b/csharp/ql/src/Security Features/CWE-112/MissingXMLValidation.ql @@ -12,7 +12,7 @@ */ import csharp -import semmle.code.csharp.security.dataflow.MissingXMLValidation::MissingXMLValidation +import semmle.code.csharp.security.dataflow.MissingXMLValidationQuery::MissingXMLValidation import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink diff --git a/csharp/ql/src/Security Features/CWE-117/LogForging.ql b/csharp/ql/src/Security Features/CWE-117/LogForging.ql index 4c31a02c86e..864c458bafd 100644 --- a/csharp/ql/src/Security Features/CWE-117/LogForging.ql +++ b/csharp/ql/src/Security Features/CWE-117/LogForging.ql @@ -12,7 +12,7 @@ */ import csharp -import semmle.code.csharp.security.dataflow.LogForging::LogForging +import semmle.code.csharp.security.dataflow.LogForgingQuery::LogForging import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink diff --git a/csharp/ql/src/Security Features/CWE-312/CleartextStorage.ql b/csharp/ql/src/Security Features/CWE-312/CleartextStorage.ql index 6e957788776..bd58936dcf0 100644 --- a/csharp/ql/src/Security Features/CWE-312/CleartextStorage.ql +++ b/csharp/ql/src/Security Features/CWE-312/CleartextStorage.ql @@ -14,7 +14,7 @@ */ import csharp -import semmle.code.csharp.security.dataflow.CleartextStorage::CleartextStorage +import semmle.code.csharp.security.dataflow.CleartextStorageQuery::CleartextStorage import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink diff --git a/csharp/ql/src/Security Features/CWE-321/HardcodedEncryptionKey.ql b/csharp/ql/src/Security Features/CWE-321/HardcodedEncryptionKey.ql index 20298cac6f7..2efd42233b2 100644 --- a/csharp/ql/src/Security Features/CWE-321/HardcodedEncryptionKey.ql +++ b/csharp/ql/src/Security Features/CWE-321/HardcodedEncryptionKey.ql @@ -14,7 +14,7 @@ */ import csharp -import semmle.code.csharp.security.cryptography.EncryptionKeyDataFlow::EncryptionKeyDataFlow +import semmle.code.csharp.security.cryptography.EncryptionKeyDataFlowQuery::EncryptionKeyDataFlow /** * The creation of a literal byte array. diff --git a/csharp/ql/src/Security Features/CWE-359/ExposureOfPrivateInformation.ql b/csharp/ql/src/Security Features/CWE-359/ExposureOfPrivateInformation.ql index de509e38a3c..f0768205edc 100644 --- a/csharp/ql/src/Security Features/CWE-359/ExposureOfPrivateInformation.ql +++ b/csharp/ql/src/Security Features/CWE-359/ExposureOfPrivateInformation.ql @@ -12,7 +12,7 @@ */ import csharp -import semmle.code.csharp.security.dataflow.ExposureOfPrivateInformation::ExposureOfPrivateInformation +import semmle.code.csharp.security.dataflow.ExposureOfPrivateInformationQuery::ExposureOfPrivateInformation import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink diff --git a/csharp/ql/src/Security Features/CWE-502/UnsafeDeserialization.ql b/csharp/ql/src/Security Features/CWE-502/UnsafeDeserialization.ql index 68c4822544d..c450f5ef680 100644 --- a/csharp/ql/src/Security Features/CWE-502/UnsafeDeserialization.ql +++ b/csharp/ql/src/Security Features/CWE-502/UnsafeDeserialization.ql @@ -12,7 +12,7 @@ */ import csharp -import semmle.code.csharp.security.dataflow.UnsafeDeserialization::UnsafeDeserialization +import semmle.code.csharp.security.dataflow.UnsafeDeserializationQuery::UnsafeDeserialization from Call deserializeCall, Sink sink where deserializeCall.getAnArgument() = sink.asExpr() diff --git a/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql b/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql index 949daa4986c..7899db5b70f 100644 --- a/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql +++ b/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql @@ -12,7 +12,7 @@ */ import csharp -import semmle.code.csharp.security.dataflow.UnsafeDeserialization::UnsafeDeserialization +import semmle.code.csharp.security.dataflow.UnsafeDeserializationQuery::UnsafeDeserialization import DataFlow::PathGraph from TaintTrackingConfig config, DataFlow::PathNode source, DataFlow::PathNode sink diff --git a/csharp/ql/src/Security Features/CWE-601/UrlRedirect.ql b/csharp/ql/src/Security Features/CWE-601/UrlRedirect.ql index 18aaed307b5..6d046e1453b 100644 --- a/csharp/ql/src/Security Features/CWE-601/UrlRedirect.ql +++ b/csharp/ql/src/Security Features/CWE-601/UrlRedirect.ql @@ -12,7 +12,7 @@ */ import csharp -import semmle.code.csharp.security.dataflow.UrlRedirect::UrlRedirect +import semmle.code.csharp.security.dataflow.UrlRedirectQuery::UrlRedirect import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink diff --git a/csharp/ql/src/Security Features/CWE-611/UntrustedDataInsecureXml.ql b/csharp/ql/src/Security Features/CWE-611/UntrustedDataInsecureXml.ql index 29bd2386316..a13502e5857 100644 --- a/csharp/ql/src/Security Features/CWE-611/UntrustedDataInsecureXml.ql +++ b/csharp/ql/src/Security Features/CWE-611/UntrustedDataInsecureXml.ql @@ -13,7 +13,7 @@ */ import csharp -import semmle.code.csharp.security.dataflow.XMLEntityInjection::XMLEntityInjection +import semmle.code.csharp.security.dataflow.XMLEntityInjectionQuery::XMLEntityInjection import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink diff --git a/csharp/ql/src/Security Features/CWE-611/UseXmlSecureResolver.ql b/csharp/ql/src/Security Features/CWE-611/UseXmlSecureResolver.ql index afda204d115..95c1a124b7a 100644 --- a/csharp/ql/src/Security Features/CWE-611/UseXmlSecureResolver.ql +++ b/csharp/ql/src/Security Features/CWE-611/UseXmlSecureResolver.ql @@ -14,7 +14,7 @@ */ import csharp -import semmle.code.csharp.security.xml.InsecureXML::InsecureXML +import semmle.code.csharp.security.xml.InsecureXMLQuery::InsecureXML from InsecureXmlProcessing xmlProcessing, string reason where xmlProcessing.isUnsafe(reason) diff --git a/csharp/ql/src/Security Features/CWE-643/StoredXPathInjection.ql b/csharp/ql/src/Security Features/CWE-643/StoredXPathInjection.ql index c63ed490d09..0dae603be58 100644 --- a/csharp/ql/src/Security Features/CWE-643/StoredXPathInjection.ql +++ b/csharp/ql/src/Security Features/CWE-643/StoredXPathInjection.ql @@ -13,7 +13,7 @@ import csharp import semmle.code.csharp.security.dataflow.flowsources.Stored -import semmle.code.csharp.security.dataflow.XPathInjection +import semmle.code.csharp.security.dataflow.XPathInjectionQuery import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph class StoredTaintTrackingConfiguration extends XPathInjection::TaintTrackingConfiguration { diff --git a/csharp/ql/src/Security Features/CWE-643/XPathInjection.ql b/csharp/ql/src/Security Features/CWE-643/XPathInjection.ql index 15a5cf11be9..d493baf2152 100644 --- a/csharp/ql/src/Security Features/CWE-643/XPathInjection.ql +++ b/csharp/ql/src/Security Features/CWE-643/XPathInjection.ql @@ -12,7 +12,7 @@ */ import csharp -import semmle.code.csharp.security.dataflow.XPathInjection::XPathInjection +import semmle.code.csharp.security.dataflow.XPathInjectionQuery::XPathInjection import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink diff --git a/csharp/ql/src/Security Features/CWE-730/ReDoS.ql b/csharp/ql/src/Security Features/CWE-730/ReDoS.ql index 7a933dc18bd..8f98af60734 100644 --- a/csharp/ql/src/Security Features/CWE-730/ReDoS.ql +++ b/csharp/ql/src/Security Features/CWE-730/ReDoS.ql @@ -13,7 +13,7 @@ */ import csharp -import semmle.code.csharp.security.dataflow.ReDoS::ReDoS +import semmle.code.csharp.security.dataflow.ReDoSQuery::ReDoS import semmle.code.csharp.frameworks.system.text.RegularExpressions import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph diff --git a/csharp/ql/src/Security Features/CWE-730/RegexInjection.ql b/csharp/ql/src/Security Features/CWE-730/RegexInjection.ql index e358e59b612..32e5aa41976 100644 --- a/csharp/ql/src/Security Features/CWE-730/RegexInjection.ql +++ b/csharp/ql/src/Security Features/CWE-730/RegexInjection.ql @@ -14,7 +14,7 @@ */ import csharp -import semmle.code.csharp.security.dataflow.RegexInjection::RegexInjection +import semmle.code.csharp.security.dataflow.RegexInjectionQuery::RegexInjection import semmle.code.csharp.frameworks.system.text.RegularExpressions import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph diff --git a/csharp/ql/src/Security Features/CWE-798/HardcodedConnectionString.ql b/csharp/ql/src/Security Features/CWE-798/HardcodedConnectionString.ql index 697ce99d127..2a57af46aeb 100644 --- a/csharp/ql/src/Security Features/CWE-798/HardcodedConnectionString.ql +++ b/csharp/ql/src/Security Features/CWE-798/HardcodedConnectionString.ql @@ -14,7 +14,7 @@ import csharp import semmle.code.csharp.frameworks.system.Data -import semmle.code.csharp.security.dataflow.HardcodedCredentials +import semmle.code.csharp.security.dataflow.HardcodedCredentialsQuery import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph /** diff --git a/csharp/ql/src/Security Features/CWE-798/HardcodedCredentials.ql b/csharp/ql/src/Security Features/CWE-798/HardcodedCredentials.ql index 34961ac0953..7aea7951129 100644 --- a/csharp/ql/src/Security Features/CWE-798/HardcodedCredentials.ql +++ b/csharp/ql/src/Security Features/CWE-798/HardcodedCredentials.ql @@ -13,7 +13,7 @@ */ import csharp -import semmle.code.csharp.security.dataflow.HardcodedCredentials::HardcodedCredentials +import semmle.code.csharp.security.dataflow.HardcodedCredentialsQuery::HardcodedCredentials import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph from diff --git a/csharp/ql/src/Security Features/CWE-807/ConditionalBypass.ql b/csharp/ql/src/Security Features/CWE-807/ConditionalBypass.ql index 9069c77b603..beaeba7a25d 100644 --- a/csharp/ql/src/Security Features/CWE-807/ConditionalBypass.ql +++ b/csharp/ql/src/Security Features/CWE-807/ConditionalBypass.ql @@ -14,7 +14,7 @@ */ import csharp -import semmle.code.csharp.security.dataflow.ConditionalBypass::UserControlledBypassOfSensitiveMethod +import semmle.code.csharp.security.dataflow.ConditionalBypassQuery::UserControlledBypassOfSensitiveMethod import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink diff --git a/csharp/ql/src/Security Features/CWE-838/InappropriateEncoding.ql b/csharp/ql/src/Security Features/CWE-838/InappropriateEncoding.ql index 75982a02943..d7fe68e7a30 100644 --- a/csharp/ql/src/Security Features/CWE-838/InappropriateEncoding.ql +++ b/csharp/ql/src/Security Features/CWE-838/InappropriateEncoding.ql @@ -16,9 +16,9 @@ import semmle.code.csharp.frameworks.System import semmle.code.csharp.frameworks.system.Net import semmle.code.csharp.frameworks.system.Web import semmle.code.csharp.frameworks.system.web.UI -import semmle.code.csharp.security.dataflow.SqlInjection +import semmle.code.csharp.security.dataflow.SqlInjectionQuery import semmle.code.csharp.security.dataflow.flowsinks.Html -import semmle.code.csharp.security.dataflow.UrlRedirect +import semmle.code.csharp.security.dataflow.UrlRedirectQuery import semmle.code.csharp.security.Sanitizers import semmle.code.csharp.dataflow.DataFlow2::DataFlow2 import semmle.code.csharp.dataflow.DataFlow2::DataFlow2::PathGraph diff --git a/csharp/ql/src/Useless code/DefaultToString.ql b/csharp/ql/src/Useless code/DefaultToString.ql index 0c724ab1741..544347576fe 100644 --- a/csharp/ql/src/Useless code/DefaultToString.ql +++ b/csharp/ql/src/Useless code/DefaultToString.ql @@ -10,4 +10,4 @@ * maintainability */ -import DefaultToString +import DefaultToStringQuery diff --git a/csharp/ql/src/Useless code/DefaultToString.qll b/csharp/ql/src/Useless code/DefaultToStringQuery.qll similarity index 100% rename from csharp/ql/src/Useless code/DefaultToString.qll rename to csharp/ql/src/Useless code/DefaultToStringQuery.qll diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/ExternalFlow.qll b/csharp/ql/src/semmle/code/csharp/dataflow/ExternalFlow.qll index facc74a9f8b..bec5d5a4162 100644 --- a/csharp/ql/src/semmle/code/csharp/dataflow/ExternalFlow.qll +++ b/csharp/ql/src/semmle/code/csharp/dataflow/ExternalFlow.qll @@ -87,7 +87,7 @@ private module Frameworks { private import semmle.code.csharp.security.dataflow.flowsources.Local private import semmle.code.csharp.security.dataflow.flowsinks.Html private import semmle.code.csharp.frameworks.System - private import semmle.code.csharp.security.dataflow.XSS + private import semmle.code.csharp.security.dataflow.XSSSinks } /** diff --git a/csharp/ql/src/semmle/code/csharp/security/cryptography/EncryptionKeyDataFlow.qll b/csharp/ql/src/semmle/code/csharp/security/cryptography/EncryptionKeyDataFlowQuery.qll similarity index 100% rename from csharp/ql/src/semmle/code/csharp/security/cryptography/EncryptionKeyDataFlow.qll rename to csharp/ql/src/semmle/code/csharp/security/cryptography/EncryptionKeyDataFlowQuery.qll diff --git a/csharp/ql/src/semmle/code/csharp/security/dataflow/CleartextStorage.qll b/csharp/ql/src/semmle/code/csharp/security/dataflow/CleartextStorageQuery.qll similarity index 100% rename from csharp/ql/src/semmle/code/csharp/security/dataflow/CleartextStorage.qll rename to csharp/ql/src/semmle/code/csharp/security/dataflow/CleartextStorageQuery.qll diff --git a/csharp/ql/src/semmle/code/csharp/security/dataflow/CodeInjection.qll b/csharp/ql/src/semmle/code/csharp/security/dataflow/CodeInjectionQuery.qll similarity index 100% rename from csharp/ql/src/semmle/code/csharp/security/dataflow/CodeInjection.qll rename to csharp/ql/src/semmle/code/csharp/security/dataflow/CodeInjectionQuery.qll diff --git a/csharp/ql/src/semmle/code/csharp/security/dataflow/CommandInjection.qll b/csharp/ql/src/semmle/code/csharp/security/dataflow/CommandInjectionQuery.qll similarity index 100% rename from csharp/ql/src/semmle/code/csharp/security/dataflow/CommandInjection.qll rename to csharp/ql/src/semmle/code/csharp/security/dataflow/CommandInjectionQuery.qll diff --git a/csharp/ql/src/semmle/code/csharp/security/dataflow/ConditionalBypass.qll b/csharp/ql/src/semmle/code/csharp/security/dataflow/ConditionalBypassQuery.qll similarity index 100% rename from csharp/ql/src/semmle/code/csharp/security/dataflow/ConditionalBypass.qll rename to csharp/ql/src/semmle/code/csharp/security/dataflow/ConditionalBypassQuery.qll diff --git a/csharp/ql/src/semmle/code/csharp/security/dataflow/ExposureOfPrivateInformation.qll b/csharp/ql/src/semmle/code/csharp/security/dataflow/ExposureOfPrivateInformationQuery.qll similarity index 100% rename from csharp/ql/src/semmle/code/csharp/security/dataflow/ExposureOfPrivateInformation.qll rename to csharp/ql/src/semmle/code/csharp/security/dataflow/ExposureOfPrivateInformationQuery.qll diff --git a/csharp/ql/src/semmle/code/csharp/security/dataflow/ExternalAPIs.qll b/csharp/ql/src/semmle/code/csharp/security/dataflow/ExternalAPIsQuery.qll similarity index 100% rename from csharp/ql/src/semmle/code/csharp/security/dataflow/ExternalAPIs.qll rename to csharp/ql/src/semmle/code/csharp/security/dataflow/ExternalAPIsQuery.qll diff --git a/csharp/ql/src/semmle/code/csharp/security/dataflow/HardcodedCredentials.qll b/csharp/ql/src/semmle/code/csharp/security/dataflow/HardcodedCredentialsQuery.qll similarity index 100% rename from csharp/ql/src/semmle/code/csharp/security/dataflow/HardcodedCredentials.qll rename to csharp/ql/src/semmle/code/csharp/security/dataflow/HardcodedCredentialsQuery.qll diff --git a/csharp/ql/src/semmle/code/csharp/security/dataflow/LDAPInjection.qll b/csharp/ql/src/semmle/code/csharp/security/dataflow/LDAPInjectionQuery.qll similarity index 100% rename from csharp/ql/src/semmle/code/csharp/security/dataflow/LDAPInjection.qll rename to csharp/ql/src/semmle/code/csharp/security/dataflow/LDAPInjectionQuery.qll diff --git a/csharp/ql/src/semmle/code/csharp/security/dataflow/LogForging.qll b/csharp/ql/src/semmle/code/csharp/security/dataflow/LogForgingQuery.qll similarity index 100% rename from csharp/ql/src/semmle/code/csharp/security/dataflow/LogForging.qll rename to csharp/ql/src/semmle/code/csharp/security/dataflow/LogForgingQuery.qll diff --git a/csharp/ql/src/semmle/code/csharp/security/dataflow/MissingXMLValidation.qll b/csharp/ql/src/semmle/code/csharp/security/dataflow/MissingXMLValidationQuery.qll similarity index 100% rename from csharp/ql/src/semmle/code/csharp/security/dataflow/MissingXMLValidation.qll rename to csharp/ql/src/semmle/code/csharp/security/dataflow/MissingXMLValidationQuery.qll diff --git a/csharp/ql/src/semmle/code/csharp/security/dataflow/ReDoS.qll b/csharp/ql/src/semmle/code/csharp/security/dataflow/ReDoSQuery.qll similarity index 100% rename from csharp/ql/src/semmle/code/csharp/security/dataflow/ReDoS.qll rename to csharp/ql/src/semmle/code/csharp/security/dataflow/ReDoSQuery.qll diff --git a/csharp/ql/src/semmle/code/csharp/security/dataflow/RegexInjection.qll b/csharp/ql/src/semmle/code/csharp/security/dataflow/RegexInjectionQuery.qll similarity index 100% rename from csharp/ql/src/semmle/code/csharp/security/dataflow/RegexInjection.qll rename to csharp/ql/src/semmle/code/csharp/security/dataflow/RegexInjectionQuery.qll diff --git a/csharp/ql/src/semmle/code/csharp/security/dataflow/ResourceInjection.qll b/csharp/ql/src/semmle/code/csharp/security/dataflow/ResourceInjectionQuery.qll similarity index 100% rename from csharp/ql/src/semmle/code/csharp/security/dataflow/ResourceInjection.qll rename to csharp/ql/src/semmle/code/csharp/security/dataflow/ResourceInjectionQuery.qll diff --git a/csharp/ql/src/semmle/code/csharp/security/dataflow/SqlInjection.qll b/csharp/ql/src/semmle/code/csharp/security/dataflow/SqlInjectionQuery.qll similarity index 100% rename from csharp/ql/src/semmle/code/csharp/security/dataflow/SqlInjection.qll rename to csharp/ql/src/semmle/code/csharp/security/dataflow/SqlInjectionQuery.qll diff --git a/csharp/ql/src/semmle/code/csharp/security/dataflow/TaintedPath.qll b/csharp/ql/src/semmle/code/csharp/security/dataflow/TaintedPathQuery.qll similarity index 100% rename from csharp/ql/src/semmle/code/csharp/security/dataflow/TaintedPath.qll rename to csharp/ql/src/semmle/code/csharp/security/dataflow/TaintedPathQuery.qll diff --git a/csharp/ql/src/semmle/code/csharp/security/dataflow/UnsafeDeserialization.qll b/csharp/ql/src/semmle/code/csharp/security/dataflow/UnsafeDeserializationQuery.qll similarity index 100% rename from csharp/ql/src/semmle/code/csharp/security/dataflow/UnsafeDeserialization.qll rename to csharp/ql/src/semmle/code/csharp/security/dataflow/UnsafeDeserializationQuery.qll diff --git a/csharp/ql/src/semmle/code/csharp/security/dataflow/UrlRedirect.qll b/csharp/ql/src/semmle/code/csharp/security/dataflow/UrlRedirectQuery.qll similarity index 100% rename from csharp/ql/src/semmle/code/csharp/security/dataflow/UrlRedirect.qll rename to csharp/ql/src/semmle/code/csharp/security/dataflow/UrlRedirectQuery.qll diff --git a/csharp/ql/src/semmle/code/csharp/security/dataflow/XMLEntityInjection.qll b/csharp/ql/src/semmle/code/csharp/security/dataflow/XMLEntityInjectionQuery.qll similarity index 97% rename from csharp/ql/src/semmle/code/csharp/security/dataflow/XMLEntityInjection.qll rename to csharp/ql/src/semmle/code/csharp/security/dataflow/XMLEntityInjectionQuery.qll index 425fd6b4019..2e8f60a0e91 100644 --- a/csharp/ql/src/semmle/code/csharp/security/dataflow/XMLEntityInjection.qll +++ b/csharp/ql/src/semmle/code/csharp/security/dataflow/XMLEntityInjectionQuery.qll @@ -8,7 +8,7 @@ module XMLEntityInjection { import semmle.code.csharp.security.dataflow.flowsources.Remote import semmle.code.csharp.frameworks.System import semmle.code.csharp.frameworks.system.text.RegularExpressions - import semmle.code.csharp.security.xml.InsecureXML + import semmle.code.csharp.security.xml.InsecureXMLQuery import semmle.code.csharp.security.Sanitizers /** diff --git a/csharp/ql/src/semmle/code/csharp/security/dataflow/XPathInjection.qll b/csharp/ql/src/semmle/code/csharp/security/dataflow/XPathInjectionQuery.qll similarity index 100% rename from csharp/ql/src/semmle/code/csharp/security/dataflow/XPathInjection.qll rename to csharp/ql/src/semmle/code/csharp/security/dataflow/XPathInjectionQuery.qll diff --git a/csharp/ql/src/semmle/code/csharp/security/dataflow/XSS.qll b/csharp/ql/src/semmle/code/csharp/security/dataflow/XSS.qll deleted file mode 100644 index f66496e4ae4..00000000000 --- a/csharp/ql/src/semmle/code/csharp/security/dataflow/XSS.qll +++ /dev/null @@ -1,425 +0,0 @@ -/** - * Provides a taint-tracking configuration for reasoning about cross-site scripting - * (XSS) vulnerabilities. - */ - -import csharp - -module XSS { - import semmle.code.asp.AspNet - import semmle.code.csharp.frameworks.system.Net - import semmle.code.csharp.frameworks.system.Web - import semmle.code.csharp.frameworks.system.web.UI - import semmle.code.csharp.security.Sanitizers - import semmle.code.csharp.security.dataflow.flowsinks.Html - import semmle.code.csharp.security.dataflow.flowsinks.Remote - import semmle.code.csharp.security.dataflow.flowsources.Remote - private import semmle.code.csharp.dataflow.DataFlow2 - private import semmle.code.csharp.dataflow.TaintTracking2 - private import semmle.code.csharp.dataflow.ExternalFlow - - /** - * Holds if there is tainted flow from `source` to `sink` that may lead to a - * cross-site scripting (XSS) vulnerability, with `message` - * providing a description of the source. - * This is the main predicate to use in XSS queries. - */ - predicate xssFlow(XssNode source, XssNode sink, string message) { - // standard taint-tracking - exists( - TaintTrackingConfiguration c, DataFlow2::PathNode sourceNode, DataFlow2::PathNode sinkNode - | - sourceNode = source.asDataFlowNode() and - sinkNode = sink.asDataFlowNode() and - c.hasFlowPath(sourceNode, sinkNode) and - message = - "is written to HTML or JavaScript" + - any(string explanation | - if exists(sinkNode.getNode().(Sink).explanation()) - then explanation = ": " + sinkNode.getNode().(Sink).explanation() + "." - else explanation = "." - ) - ) - or - // flow entirely within ASP inline code - source = sink and - source.asAspInlineMember().getMember() instanceof AspNetQueryStringMember and - message = "is a remote source accessed inline in an ASPX page." - } - - module PathGraph { - query predicate edges(XssNode pred, XssNode succ) { - exists(DataFlow2::PathNode a, DataFlow2::PathNode b | DataFlow2::PathGraph::edges(a, b) | - pred.asDataFlowNode() = a and - succ.asDataFlowNode() = b - ) - or - xssFlow(pred, succ, _) and - pred instanceof XssAspNode - } - } - - private newtype TXssNode = - TXssDataFlowNode(DataFlow2::PathNode node) or - TXssAspNode(AspInlineMember m) - - /** - * A flow node for tracking cross-site scripting (XSS) vulnerabilities. - * Can be a standard data flow node (`XssDataFlowNode`) - * or an ASP inline code element (`XssAspNode`). - */ - class XssNode extends TXssNode { - /** Gets a textual representation of this node. */ - string toString() { none() } - - /** Gets the location of this node. */ - Location getLocation() { none() } - - /** Gets the data flow node corresponding to this node, if any. */ - DataFlow2::PathNode asDataFlowNode() { result = this.(XssDataFlowNode).getDataFlowNode() } - - /** Gets the ASP inline code element corresponding to this node, if any. */ - AspInlineMember asAspInlineMember() { result = this.(XssAspNode).getAspInlineMember() } - } - - /** A data flow node, viewed as an XSS flow node. */ - class XssDataFlowNode extends TXssDataFlowNode, XssNode { - DataFlow2::PathNode node; - - XssDataFlowNode() { this = TXssDataFlowNode(node) } - - /** Gets the data flow node corresponding to this node. */ - DataFlow2::PathNode getDataFlowNode() { result = node } - - override string toString() { result = node.toString() } - - override Location getLocation() { result = node.getNode().getLocation() } - } - - /** An ASP inline code element, viewed as an XSS flow node. */ - class XssAspNode extends TXssAspNode, XssNode { - AspInlineMember member; - - XssAspNode() { this = TXssAspNode(member) } - - /** Gets the ASP inline code element corresponding to this node. */ - AspInlineMember getAspInlineMember() { result = member } - - override string toString() { result = member.toString() } - - override Location getLocation() { result = member.getLocation() } - } - - /** - * A data flow sink for cross-site scripting (XSS) vulnerabilities. - * - * Any XSS sink is also a remote flow sink, so this class contributes - * to the abstract class `RemoteFlowSink`. - */ - abstract class Sink extends DataFlow::ExprNode, RemoteFlowSink { - string explanation() { none() } - } - - private class ExternalXssSink extends Sink { - ExternalXssSink() { sinkNode(this, "xss") } - } - - /** - * A data flow source for cross-site scripting (XSS) vulnerabilities. - */ - abstract class Source extends DataFlow::Node { } - - /** - * A sanitizer for cross-site scripting (XSS) vulnerabilities. - */ - abstract class Sanitizer extends DataFlow::ExprNode { } - - /** - * A taint-tracking configuration for cross-site scripting (XSS) vulnerabilities. - */ - class TaintTrackingConfiguration extends TaintTracking2::Configuration { - TaintTrackingConfiguration() { this = "XSSDataFlowConfiguration" } - - override predicate isSource(DataFlow::Node source) { source instanceof Source } - - override predicate isSink(DataFlow::Node sink) { sink instanceof Sink } - - override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer } - } - - /** A source of remote user input. */ - class RemoteSource extends Source { - RemoteSource() { this instanceof RemoteFlowSource } - } - - private class SimpleTypeSanitizer extends Sanitizer, SimpleTypeSanitizedExpr { } - - private class GuidSanitizer extends Sanitizer, GuidSanitizedExpr { } - - /** A call to an HTML encoder. */ - private class HtmlEncodeSanitizer extends Sanitizer { - HtmlEncodeSanitizer() { this.getExpr() instanceof HtmlSanitizedExpr } - } - - /** - * A call to a URL encoder. - * - * Url encoding is sufficient to sanitize for XSS because it ensures <, >, " and ' are escaped. - * Furthermore, URL encoding is the only valid way to sanitize URLs that get inserted into HTML - * attributes. Other uses of URL encoding may or may not produce the desired visual result, but - * should be safe from XSS. - */ - private class UrlEncodeSanitizer extends Sanitizer { - UrlEncodeSanitizer() { this.getExpr() instanceof UrlSanitizedExpr } - } - - private class HtmlSinkSink extends Sink { - HtmlSinkSink() { this instanceof HtmlSink } - - override string explanation() { - this instanceof WebPageWriteLiteralSink and - result = "System.Web.WebPages.WebPage.WriteLiteral() method" - or - this instanceof WebPageWriteLiteralToSink and - result = "System.Web.WebPages.WebPage.WriteLiteralTo() method" - or - this instanceof MicrosoftAspNetCoreMvcHtmlHelperRawSink and - result = "Microsoft.AspNetCore.Mvc.ViewFeatures.HtmlHelper.Raw() method" - or - this instanceof MicrosoftAspNetRazorPageWriteLiteralSink and - result = "Microsoft.AspNetCore.Mvc.Razor.RazorPageBase.WriteLiteral() method" - } - } - - /** - * An expression that is used as an argument to an XSS sink method on - * `System.Web.UI.Page`. - */ - private class PageSink extends Sink { - PageSink() { - exists(Property p, SystemWebUIPageClass page | - p = page.getIDProperty() or - p = page.getMetaDescriptionProperty() or - p = page.getMetaKeywordsProperty() or - p = page.getTitleProperty() - | - this.getExpr() = p.getSetter().getParameter(0).getAnAssignedArgument() - ) - or - exists(Method m, SystemWebUIPageClass page | - m = page.getRegisterStartupScriptMethod() or - m = page.getRegisterClientScriptBlockMethod() - | - this.getExpr() = m.getAParameter().getAnAssignedArgument() - ) - } - } - - /** - * An expression that is used as an argument to an XSS sink method on - * `ClientScriptManager`. - */ - private class ClientScriptManagerSink extends Sink { - ClientScriptManagerSink() { - exists(Method m, SystemWebUIClientScriptManagerClass clientScriptManager, int paramNumber | - this.getExpr() = m.getParameter(paramNumber).getAnAssignedArgument() and - ( - paramNumber = 2 and m.getNumberOfParameters() in [3 .. 4] - or - paramNumber = 3 and m.getNumberOfParameters() = 5 - ) - | - m = clientScriptManager.getRegisterClientScriptBlockMethod() or - m = clientScriptManager.getRegisterStartupScriptMethod() - ) - } - } - - /** - * An expression that is used as an argument to an XSS sink setter, on - * a class within the `System.Web.UI` namespace. - */ - private class SystemWebSetterNonHtmlSink extends Sink { - SystemWebSetterNonHtmlSink() { - exists(Property p, string name | - any(SystemWebUINamespace n).getAChildNamespace*() = p.getDeclaringType().getNamespace() and - this.getExpr() = p.getSetter().getParameter(0).getAnAssignedArgument() and - p.hasName(name) - | - name = "GroupingTest" or - name = "GroupName" or - name = "Style" or - name.matches("%URL") - ) - } - } - - /** - * A call to `Parse` for a numeric type, that causes the data to be considered - * sanitized. - */ - private class NumericTypeParse extends Sanitizer { - NumericTypeParse() { - exists(Method m | - m.getDeclaringType() instanceof IntegralType or - m.getDeclaringType() instanceof FloatingPointType - | - m.hasName("Parse") and - this.getExpr().(Call).getTarget() = m - ) - } - } - - /** - * Gets a member which is accessed by the given `AspInlineCode`. - * The code body must consist only of an access to the member, possibly with qualified - * field accesses or array indexing. - */ - private Member aspxInlineAccess(AspInlineCode code) { - result = max(int i, Member m | m = getMemberAccessByIndex(code, i) | m order by i) - } - - /** - * Gets the `i`th member accessed by `code`, where the string in `code` - * must be of the form `f1.f2...fn`, `f1.f2...fn[...]`, `f1.f2...fn()`, or - * `f1.f2...fn[...]()`. The `i`th member is `fi` in all cases. - */ - private Member getMemberAccessByIndex(AspInlineCode code, int i) { - exists(ValueOrRefType t | - result.getName() = getMemberAccessNameByIndex(code, i) and - t.hasMember(result) - | - // Base case: a member on the code-behind class - i = 0 and - t = code.getLocation().getFile().(CodeBehindFile).getInheritedType() - or - // Recursive case: a nested member - exists(Member mid | - mid = getMemberAccessByIndex(code, i - 1) and - t = getMemberType(mid) - ) - ) - } - - /** - * Gets the name of the `i`th member accessed by `code`, where the string in `code` - * must be of the form `f1.f2...fn`, `f1.f2...fn[...]`, `f1.f2...fn()`, or - * `f1.f2...fn[...]()`. The `i`th member is `fi` in all cases. - */ - private string getMemberAccessNameByIndex(AspInlineCode code, int i) { - // Strip: - // - leading and trailing whitespace, which apparently you're allowed to have - // - trailing parens, so we can recognize nullary method calls - // - trailing square brackets with some contents, to recognize indexing into arrays - result = code.getBody().splitAt(".", i).regexpCapture("\\s*(.*?)(\\[.*\\])?(\\(\\))?\\s*", 1) - } - - /** - * An `AspInlineCode` which is an access to a member inherited from the - * corresponding 'CodeBehind' class. This includes direct accesses as well as - * qualified accesses or array indexing on the member. - */ - class AspInlineMember extends AspInlineCode { - Member member; - - AspInlineMember() { member = aspxInlineAccess(this) } - - /** Gets the member that this inline code references. */ - Member getMember() { result = member } - - Type getType() { result = getMemberType(getMember()) } - } - - /** Gets a value that is written to the member accessed by the given `AspInlineMember`. */ - Expr aspWrittenValue(AspInlineMember m) { - exists(Property p | p = m.getMember() | - // a directly assigned property - result = p.getAnAssignedValue() - or - // one step of flow through a variable returned by the getter - // this is mainly to handle trivial forwarding properties - exists(VariableAccess access | - p.getGetter().canReturn(access) and - result = access.getTarget().getAnAssignedValue() - ) - ) - or - result = m.getMember().(Field).getAnAssignedValue() - or - m.getMember().(Callable).canReturn(result) - } - - private string makeUrl(Location l) { - exists(string path, int sl, int sc, int el, int ec | - l.hasLocationInfo(path, sl, sc, el, ec) and - result = "file://" + path + ":" + sl + ":" + sc + ":" + el + ":" + ec - ) - } - - /** - * A sink for writes to properties that are accessed in ASP pages. - * - * Currently we only support inline code tags that directly reference a member - * on the corresponding 'CodeBehind' class. - * This may include qualified accesses to fields or array indexing on the member. - * The sink is any assigned value of such a - * member, since we don't track the flow all the way to the ASP element. - */ - private class AspxCodeSink extends Sink { - /** The ASP inline code element that references a member of the backing class. */ - AspInlineMember inline; - - AspxCodeSink() { this.getExpr() = aspWrittenValue(inline) } - - override string explanation() { - result = - "member is [[\"accessed inline\"|\"" + makeUrl(inline.getLocation()) + - "\"]] in an ASPX page" - } - } - - /** A sink for the output stream associated with a `HttpListenerResponse`. */ - private class HttpListenerResponseSink extends Sink { - HttpListenerResponseSink() { - exists(PropertyAccess responseOutputStream | - responseOutputStream.getProperty() = - any(SystemNetHttpListenerResponseClass h).getOutputStreamProperty() - | - DataFlow::localFlow(DataFlow::exprNode(responseOutputStream), this) - ) - } - } - - /** - * An expression that is used as an argument to an XSS sink method on - * `HttpResponseBase`. - */ - private class HttpResponseBaseSink extends Sink { - HttpResponseBaseSink() { - exists(Method m, SystemWebHttpResponseBaseClass responseClass | - m = responseClass.getAWriteMethod() or - m = responseClass.getAWriteFileMethod() or - m = responseClass.getATransmitFileMethod() or - m = responseClass.getABinaryWriteMethod() - | - // Calls to these methods, or overrides of them - this.getExpr() = m.getAnOverrider*().getParameter(0).getAnAssignedArgument() - ) - } - } - - /** - * An expression passed as the `content` argument to the constructor of `StringContent`. - */ - private class StringContentSinkModelCsv extends SinkModelCsv { - override predicate row(string row) { - row = ["System.Net.Http;StringContent;false;StringContent;;;Argument[0];xss"] - } - } -} - -private Type getMemberType(Member m) { - result = m.(Property).getType() or - result = m.(Field).getType() or - result = m.(Callable).getReturnType() -} diff --git a/csharp/ql/src/semmle/code/csharp/security/dataflow/XSSQuery.qll b/csharp/ql/src/semmle/code/csharp/security/dataflow/XSSQuery.qll new file mode 100644 index 00000000000..b1b30da5680 --- /dev/null +++ b/csharp/ql/src/semmle/code/csharp/security/dataflow/XSSQuery.qll @@ -0,0 +1,171 @@ +/** + * Provides a taint-tracking configuration for reasoning about cross-site scripting + * (XSS) vulnerabilities. + */ + +import csharp + +module XSS { + import XSSSinks + import semmle.code.csharp.security.Sanitizers + import semmle.code.csharp.security.dataflow.flowsources.Remote + private import semmle.code.csharp.dataflow.DataFlow2 + private import semmle.code.csharp.dataflow.TaintTracking2 + + /** + * Holds if there is tainted flow from `source` to `sink` that may lead to a + * cross-site scripting (XSS) vulnerability, with `message` + * providing a description of the source. + * This is the main predicate to use in XSS queries. + */ + predicate xssFlow(XssNode source, XssNode sink, string message) { + // standard taint-tracking + exists( + TaintTrackingConfiguration c, DataFlow2::PathNode sourceNode, DataFlow2::PathNode sinkNode + | + sourceNode = source.asDataFlowNode() and + sinkNode = sink.asDataFlowNode() and + c.hasFlowPath(sourceNode, sinkNode) and + message = + "is written to HTML or JavaScript" + + any(string explanation | + if exists(sinkNode.getNode().(Sink).explanation()) + then explanation = ": " + sinkNode.getNode().(Sink).explanation() + "." + else explanation = "." + ) + ) + or + // flow entirely within ASP inline code + source = sink and + source.asAspInlineMember().getMember() instanceof AspNetQueryStringMember and + message = "is a remote source accessed inline in an ASPX page." + } + + module PathGraph { + query predicate edges(XssNode pred, XssNode succ) { + exists(DataFlow2::PathNode a, DataFlow2::PathNode b | DataFlow2::PathGraph::edges(a, b) | + pred.asDataFlowNode() = a and + succ.asDataFlowNode() = b + ) + or + xssFlow(pred, succ, _) and + pred instanceof XssAspNode + } + } + + private newtype TXssNode = + TXssDataFlowNode(DataFlow2::PathNode node) or + TXssAspNode(AspInlineMember m) + + /** + * A flow node for tracking cross-site scripting (XSS) vulnerabilities. + * Can be a standard data flow node (`XssDataFlowNode`) + * or an ASP inline code element (`XssAspNode`). + */ + class XssNode extends TXssNode { + /** Gets a textual representation of this node. */ + string toString() { none() } + + /** Gets the location of this node. */ + Location getLocation() { none() } + + /** Gets the data flow node corresponding to this node, if any. */ + DataFlow2::PathNode asDataFlowNode() { result = this.(XssDataFlowNode).getDataFlowNode() } + + /** Gets the ASP inline code element corresponding to this node, if any. */ + AspInlineMember asAspInlineMember() { result = this.(XssAspNode).getAspInlineMember() } + } + + /** A data flow node, viewed as an XSS flow node. */ + class XssDataFlowNode extends TXssDataFlowNode, XssNode { + DataFlow2::PathNode node; + + XssDataFlowNode() { this = TXssDataFlowNode(node) } + + /** Gets the data flow node corresponding to this node. */ + DataFlow2::PathNode getDataFlowNode() { result = node } + + override string toString() { result = node.toString() } + + override Location getLocation() { result = node.getNode().getLocation() } + } + + /** An ASP inline code element, viewed as an XSS flow node. */ + class XssAspNode extends TXssAspNode, XssNode { + AspInlineMember member; + + XssAspNode() { this = TXssAspNode(member) } + + /** Gets the ASP inline code element corresponding to this node. */ + AspInlineMember getAspInlineMember() { result = member } + + override string toString() { result = member.toString() } + + override Location getLocation() { result = member.getLocation() } + } + + /** + * A data flow source for cross-site scripting (XSS) vulnerabilities. + */ + abstract class Source extends DataFlow::Node { } + + /** + * A sanitizer for cross-site scripting (XSS) vulnerabilities. + */ + abstract class Sanitizer extends DataFlow::ExprNode { } + + /** + * A taint-tracking configuration for cross-site scripting (XSS) vulnerabilities. + */ + class TaintTrackingConfiguration extends TaintTracking2::Configuration { + TaintTrackingConfiguration() { this = "XSSDataFlowConfiguration" } + + override predicate isSource(DataFlow::Node source) { source instanceof Source } + + override predicate isSink(DataFlow::Node sink) { sink instanceof Sink } + + override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer } + } + + /** A source of remote user input. */ + class RemoteSource extends Source { + RemoteSource() { this instanceof RemoteFlowSource } + } + + private class SimpleTypeSanitizer extends Sanitizer, SimpleTypeSanitizedExpr { } + + private class GuidSanitizer extends Sanitizer, GuidSanitizedExpr { } + + /** A call to an HTML encoder. */ + private class HtmlEncodeSanitizer extends Sanitizer { + HtmlEncodeSanitizer() { this.getExpr() instanceof HtmlSanitizedExpr } + } + + /** + * A call to a URL encoder. + * + * Url encoding is sufficient to sanitize for XSS because it ensures <, >, " and ' are escaped. + * Furthermore, URL encoding is the only valid way to sanitize URLs that get inserted into HTML + * attributes. Other uses of URL encoding may or may not produce the desired visual result, but + * should be safe from XSS. + */ + private class UrlEncodeSanitizer extends Sanitizer { + UrlEncodeSanitizer() { this.getExpr() instanceof UrlSanitizedExpr } + } + + /** + * A call to `Parse` for a numeric type, that causes the data to be considered + * sanitized. + */ + private class NumericTypeParse extends Sanitizer { + NumericTypeParse() { + exists(Method m | + m.getDeclaringType() instanceof IntegralType or + m.getDeclaringType() instanceof FloatingPointType + | + m.hasName("Parse") and + this.getExpr().(Call).getTarget() = m + ) + } + } +} diff --git a/csharp/ql/src/semmle/code/csharp/security/dataflow/XSSSinks.qll b/csharp/ql/src/semmle/code/csharp/security/dataflow/XSSSinks.qll new file mode 100644 index 00000000000..8063fa09cda --- /dev/null +++ b/csharp/ql/src/semmle/code/csharp/security/dataflow/XSSSinks.qll @@ -0,0 +1,259 @@ +/** + * Provides sink definitions for cross-site scripting (XSS) vulnerabilities. + */ + +import csharp +private import semmle.code.asp.AspNet +private import semmle.code.csharp.frameworks.system.Net +private import semmle.code.csharp.frameworks.system.Web +private import semmle.code.csharp.frameworks.system.web.UI +private import semmle.code.csharp.security.dataflow.flowsinks.Html +private import semmle.code.csharp.security.dataflow.flowsinks.Remote +private import semmle.code.csharp.dataflow.ExternalFlow + +/** + * A data flow sink for cross-site scripting (XSS) vulnerabilities. + * + * Any XSS sink is also a remote flow sink, so this class contributes + * to the abstract class `RemoteFlowSink`. + */ +abstract class Sink extends DataFlow::ExprNode, RemoteFlowSink { + string explanation() { none() } +} + +private class ExternalXssSink extends Sink { + ExternalXssSink() { sinkNode(this, "xss") } +} + +private class HtmlSinkSink extends Sink { + HtmlSinkSink() { this instanceof HtmlSink } + + override string explanation() { + this instanceof WebPageWriteLiteralSink and + result = "System.Web.WebPages.WebPage.WriteLiteral() method" + or + this instanceof WebPageWriteLiteralToSink and + result = "System.Web.WebPages.WebPage.WriteLiteralTo() method" + or + this instanceof MicrosoftAspNetCoreMvcHtmlHelperRawSink and + result = "Microsoft.AspNetCore.Mvc.ViewFeatures.HtmlHelper.Raw() method" + or + this instanceof MicrosoftAspNetRazorPageWriteLiteralSink and + result = "Microsoft.AspNetCore.Mvc.Razor.RazorPageBase.WriteLiteral() method" + } +} + +/** + * An expression that is used as an argument to an XSS sink method on + * `System.Web.UI.Page`. + */ +private class PageSink extends Sink { + PageSink() { + exists(Property p, SystemWebUIPageClass page | + p = page.getIDProperty() or + p = page.getMetaDescriptionProperty() or + p = page.getMetaKeywordsProperty() or + p = page.getTitleProperty() + | + this.getExpr() = p.getSetter().getParameter(0).getAnAssignedArgument() + ) + or + exists(Method m, SystemWebUIPageClass page | + m = page.getRegisterStartupScriptMethod() or + m = page.getRegisterClientScriptBlockMethod() + | + this.getExpr() = m.getAParameter().getAnAssignedArgument() + ) + } +} + +/** + * An expression that is used as an argument to an XSS sink method on + * `ClientScriptManager`. + */ +private class ClientScriptManagerSink extends Sink { + ClientScriptManagerSink() { + exists(Method m, SystemWebUIClientScriptManagerClass clientScriptManager, int paramNumber | + this.getExpr() = m.getParameter(paramNumber).getAnAssignedArgument() and + ( + paramNumber = 2 and m.getNumberOfParameters() in [3 .. 4] + or + paramNumber = 3 and m.getNumberOfParameters() = 5 + ) + | + m = clientScriptManager.getRegisterClientScriptBlockMethod() or + m = clientScriptManager.getRegisterStartupScriptMethod() + ) + } +} + +/** + * An expression that is used as an argument to an XSS sink setter, on + * a class within the `System.Web.UI` namespace. + */ +private class SystemWebSetterNonHtmlSink extends Sink { + SystemWebSetterNonHtmlSink() { + exists(Property p, string name | + any(SystemWebUINamespace n).getAChildNamespace*() = p.getDeclaringType().getNamespace() and + this.getExpr() = p.getSetter().getParameter(0).getAnAssignedArgument() and + p.hasName(name) + | + name = "GroupingTest" or + name = "GroupName" or + name = "Style" or + name.matches("%URL") + ) + } +} + +/** + * Gets a member which is accessed by the given `AspInlineCode`. + * The code body must consist only of an access to the member, possibly with qualified + * field accesses or array indexing. + */ +private Member aspxInlineAccess(AspInlineCode code) { + result = max(int i, Member m | m = getMemberAccessByIndex(code, i) | m order by i) +} + +/** + * Gets the `i`th member accessed by `code`, where the string in `code` + * must be of the form `f1.f2...fn`, `f1.f2...fn[...]`, `f1.f2...fn()`, or + * `f1.f2...fn[...]()`. The `i`th member is `fi` in all cases. + */ +private Member getMemberAccessByIndex(AspInlineCode code, int i) { + exists(ValueOrRefType t | + result.getName() = getMemberAccessNameByIndex(code, i) and + t.hasMember(result) + | + // Base case: a member on the code-behind class + i = 0 and + t = code.getLocation().getFile().(CodeBehindFile).getInheritedType() + or + // Recursive case: a nested member + exists(Member mid | + mid = getMemberAccessByIndex(code, i - 1) and + t = getMemberType(mid) + ) + ) +} + +/** + * Gets the name of the `i`th member accessed by `code`, where the string in `code` + * must be of the form `f1.f2...fn`, `f1.f2...fn[...]`, `f1.f2...fn()`, or + * `f1.f2...fn[...]()`. The `i`th member is `fi` in all cases. + */ +private string getMemberAccessNameByIndex(AspInlineCode code, int i) { + // Strip: + // - leading and trailing whitespace, which apparently you're allowed to have + // - trailing parens, so we can recognize nullary method calls + // - trailing square brackets with some contents, to recognize indexing into arrays + result = code.getBody().splitAt(".", i).regexpCapture("\\s*(.*?)(\\[.*\\])?(\\(\\))?\\s*", 1) +} + +/** + * An `AspInlineCode` which is an access to a member inherited from the + * corresponding 'CodeBehind' class. This includes direct accesses as well as + * qualified accesses or array indexing on the member. + */ +class AspInlineMember extends AspInlineCode { + Member member; + + AspInlineMember() { member = aspxInlineAccess(this) } + + /** Gets the member that this inline code references. */ + Member getMember() { result = member } + + Type getType() { result = getMemberType(getMember()) } +} + +/** Gets a value that is written to the member accessed by the given `AspInlineMember`. */ +private Expr aspWrittenValue(AspInlineMember m) { + exists(Property p | p = m.getMember() | + // a directly assigned property + result = p.getAnAssignedValue() + or + // one step of flow through a variable returned by the getter + // this is mainly to handle trivial forwarding properties + exists(VariableAccess access | + p.getGetter().canReturn(access) and + result = access.getTarget().getAnAssignedValue() + ) + ) + or + result = m.getMember().(Field).getAnAssignedValue() + or + m.getMember().(Callable).canReturn(result) +} + +private string makeUrl(Location l) { + exists(string path, int sl, int sc, int el, int ec | + l.hasLocationInfo(path, sl, sc, el, ec) and + result = "file://" + path + ":" + sl + ":" + sc + ":" + el + ":" + ec + ) +} + +/** + * A sink for writes to properties that are accessed in ASP pages. + * + * Currently we only support inline code tags that directly reference a member + * on the corresponding 'CodeBehind' class. + * This may include qualified accesses to fields or array indexing on the member. + * The sink is any assigned value of such a + * member, since we don't track the flow all the way to the ASP element. + */ +private class AspxCodeSink extends Sink { + /** The ASP inline code element that references a member of the backing class. */ + AspInlineMember inline; + + AspxCodeSink() { this.getExpr() = aspWrittenValue(inline) } + + override string explanation() { + result = + "member is [[\"accessed inline\"|\"" + makeUrl(inline.getLocation()) + "\"]] in an ASPX page" + } +} + +/** A sink for the output stream associated with a `HttpListenerResponse`. */ +private class HttpListenerResponseSink extends Sink { + HttpListenerResponseSink() { + exists(PropertyAccess responseOutputStream | + responseOutputStream.getProperty() = + any(SystemNetHttpListenerResponseClass h).getOutputStreamProperty() + | + DataFlow::localFlow(DataFlow::exprNode(responseOutputStream), this) + ) + } +} + +/** + * An expression that is used as an argument to an XSS sink method on + * `HttpResponseBase`. + */ +private class HttpResponseBaseSink extends Sink { + HttpResponseBaseSink() { + exists(Method m, SystemWebHttpResponseBaseClass responseClass | + m = responseClass.getAWriteMethod() or + m = responseClass.getAWriteFileMethod() or + m = responseClass.getATransmitFileMethod() or + m = responseClass.getABinaryWriteMethod() + | + // Calls to these methods, or overrides of them + this.getExpr() = m.getAnOverrider*().getParameter(0).getAnAssignedArgument() + ) + } +} + +/** + * An expression passed as the `content` argument to the constructor of `StringContent`. + */ +private class StringContentSinkModelCsv extends SinkModelCsv { + override predicate row(string row) { + row = ["System.Net.Http;StringContent;false;StringContent;;;Argument[0];xss"] + } +} + +private Type getMemberType(Member m) { + result = m.(Property).getType() or + result = m.(Field).getType() or + result = m.(Callable).getReturnType() +} diff --git a/csharp/ql/src/semmle/code/csharp/security/dataflow/ZipSlip.qll b/csharp/ql/src/semmle/code/csharp/security/dataflow/ZipSlipQuery.qll similarity index 100% rename from csharp/ql/src/semmle/code/csharp/security/dataflow/ZipSlip.qll rename to csharp/ql/src/semmle/code/csharp/security/dataflow/ZipSlipQuery.qll diff --git a/csharp/ql/src/semmle/code/csharp/security/dataflow/flowsinks/Remote.qll b/csharp/ql/src/semmle/code/csharp/security/dataflow/flowsinks/Remote.qll index 10885d52a16..b194ad57d57 100644 --- a/csharp/ql/src/semmle/code/csharp/security/dataflow/flowsinks/Remote.qll +++ b/csharp/ql/src/semmle/code/csharp/security/dataflow/flowsinks/Remote.qll @@ -6,7 +6,7 @@ import csharp private import Email::Email private import ExternalLocationSink private import Html -private import semmle.code.csharp.security.dataflow.XSS +private import semmle.code.csharp.security.dataflow.XSSSinks as XSSSinks private import semmle.code.csharp.frameworks.system.web.UI /** A data flow sink of remote user output. */ diff --git a/csharp/ql/src/semmle/code/csharp/security/xml/InsecureXML.qll b/csharp/ql/src/semmle/code/csharp/security/xml/InsecureXMLQuery.qll similarity index 100% rename from csharp/ql/src/semmle/code/csharp/security/xml/InsecureXML.qll rename to csharp/ql/src/semmle/code/csharp/security/xml/InsecureXMLQuery.qll diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/StoredXSS/AspInline.ql b/csharp/ql/test/query-tests/Security Features/CWE-079/StoredXSS/AspInline.ql index f28295c8f5e..aa33644c6ea 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-079/StoredXSS/AspInline.ql +++ b/csharp/ql/test/query-tests/Security Features/CWE-079/StoredXSS/AspInline.ql @@ -1,5 +1,5 @@ import csharp -import semmle.code.csharp.security.dataflow.XSS +import semmle.code.csharp.security.dataflow.XSSSinks string tweakMemberLocation(Member member) { exists(Location loc | @@ -10,7 +10,7 @@ string tweakMemberLocation(Member member) { ) } -from XSS::AspInlineMember inline, Member member +from AspInlineMember inline, Member member where member = inline.getMember() // some members, such as ASP members inherited from DLLs, are outside the test directory, // so we select them specially using a modified location and the normal toString diff --git a/csharp/ql/test/query-tests/Security Features/CWE-611/InsecureXMLSettings.ql b/csharp/ql/test/query-tests/Security Features/CWE-611/InsecureXMLSettings.ql index dbea6e8f72c..36762996f58 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-611/InsecureXMLSettings.ql +++ b/csharp/ql/test/query-tests/Security Features/CWE-611/InsecureXMLSettings.ql @@ -1,5 +1,5 @@ import csharp -import semmle.code.csharp.security.xml.InsecureXML::InsecureXML +import semmle.code.csharp.security.xml.InsecureXMLQuery::InsecureXML from ObjectCreation creation, Expr evidence, string reason where diff --git a/csharp/ql/test/query-tests/Security Features/CWE-730/ReDoS/ExponentialRegex.ql b/csharp/ql/test/query-tests/Security Features/CWE-730/ReDoS/ExponentialRegex.ql index 75f50d1dadc..0a4dacdd3c8 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-730/ReDoS/ExponentialRegex.ql +++ b/csharp/ql/test/query-tests/Security Features/CWE-730/ReDoS/ExponentialRegex.ql @@ -1,4 +1,4 @@ import csharp -import semmle.code.csharp.security.dataflow.ReDoS +import semmle.code.csharp.security.dataflow.ReDoSQuery -select any(StringLiteral e | ReDoS::isExponentialRegex(e)) +select any(StringLiteral e | isExponentialRegex(e)) diff --git a/csharp/ql/test/query-tests/Useless Code/DefaultToString/DefaultToString.ql b/csharp/ql/test/query-tests/Useless Code/DefaultToString/DefaultToString.ql index 7bbe092e63a..2787d7e860d 100644 --- a/csharp/ql/test/query-tests/Useless Code/DefaultToString/DefaultToString.ql +++ b/csharp/ql/test/query-tests/Useless Code/DefaultToString/DefaultToString.ql @@ -1,5 +1,5 @@ import csharp -import Useless_code.DefaultToString +import Useless_code.DefaultToStringQuery class MyDefaultToStringType extends DefaultToStringType { // A workaround for generating empty URLs for non-source locations, because qltest