mirror of
https://github.com/github/codeql.git
synced 2025-12-17 01:03:14 +01:00
Merge pull request #16356 from michaelnebel/csharp/aligntelemetryimplementation
C#: Base telemetry Api Source/Sink nodes on abstract classes.
This commit is contained in:
Michael Nebel
@@ -3,6 +3,7 @@
|
||||
*/
|
||||
|
||||
import csharp
|
||||
private import semmle.code.csharp.security.dataflow.flowsinks.FlowSinks
|
||||
private import semmle.code.csharp.security.dataflow.flowsources.FlowSources
|
||||
private import semmle.code.csharp.frameworks.system.codedom.Compiler
|
||||
private import semmle.code.csharp.security.Sanitizers
|
||||
@@ -16,7 +17,7 @@ abstract class Source extends DataFlow::Node { }
|
||||
/**
|
||||
* A data flow sink for user input treated as code vulnerabilities.
|
||||
*/
|
||||
abstract class Sink extends DataFlow::ExprNode { }
|
||||
abstract class Sink extends ApiSinkExprNode { }
|
||||
|
||||
/**
|
||||
* A sanitizer for user input treated as code vulnerabilities.
|
||||
|
||||
@@ -6,6 +6,7 @@
|
||||
import csharp
|
||||
private import semmle.code.csharp.controlflow.Guards
|
||||
private import semmle.code.csharp.controlflow.BasicBlocks
|
||||
private import semmle.code.csharp.security.dataflow.flowsinks.FlowSinks
|
||||
private import semmle.code.csharp.security.dataflow.flowsources.FlowSources
|
||||
private import semmle.code.csharp.frameworks.System
|
||||
private import semmle.code.csharp.frameworks.system.Net
|
||||
@@ -14,12 +15,12 @@ private import semmle.code.csharp.security.SensitiveActions
|
||||
/**
|
||||
* A data flow source for user-controlled bypass of sensitive method.
|
||||
*/
|
||||
abstract class Source extends DataFlow::Node { }
|
||||
abstract class Source extends ApiSourceNode { }
|
||||
|
||||
/**
|
||||
* A data flow sink for user-controlled bypass of sensitive method.
|
||||
*/
|
||||
abstract class Sink extends DataFlow::ExprNode {
|
||||
abstract class Sink extends ApiSinkExprNode {
|
||||
/** Gets the 'MethodCall' which is considered sensitive. */
|
||||
abstract MethodCall getSensitiveMethodCall();
|
||||
}
|
||||
|
||||
@@ -3,6 +3,7 @@
|
||||
*/
|
||||
|
||||
import csharp
|
||||
private import semmle.code.csharp.security.dataflow.flowsinks.FlowSinks
|
||||
private import semmle.code.csharp.security.dataflow.flowsources.FlowSources
|
||||
private import semmle.code.csharp.security.dataflow.flowsinks.ExternalLocationSink
|
||||
private import semmle.code.csharp.security.PrivateData
|
||||
@@ -15,7 +16,7 @@ abstract class Source extends DataFlow::ExprNode { }
|
||||
/**
|
||||
* A data flow sink for private information flowing unencrypted to an external location.
|
||||
*/
|
||||
abstract class Sink extends DataFlow::ExprNode { }
|
||||
abstract class Sink extends ApiSinkExprNode { }
|
||||
|
||||
/**
|
||||
* A sanitizer for private information flowing unencrypted to an external location.
|
||||
|
||||
@@ -9,6 +9,7 @@ private import semmle.code.csharp.frameworks.Moq
|
||||
private import semmle.code.csharp.frameworks.system.web.Security
|
||||
private import semmle.code.csharp.frameworks.system.security.cryptography.X509Certificates
|
||||
private import semmle.code.csharp.frameworks.Test
|
||||
private import semmle.code.csharp.security.dataflow.flowsinks.FlowSinks
|
||||
|
||||
/**
|
||||
* A data flow source for hard coded credentials.
|
||||
@@ -18,7 +19,7 @@ abstract class Source extends DataFlow::ExprNode { }
|
||||
/**
|
||||
* A data flow sink for hard coded credentials.
|
||||
*/
|
||||
abstract class Sink extends DataFlow::ExprNode {
|
||||
abstract class Sink extends ApiSinkExprNode {
|
||||
/**
|
||||
* Gets a description of this sink, including a placeholder for the sink and a placeholder for
|
||||
* the supplementary element.
|
||||
|
||||
@@ -4,6 +4,7 @@
|
||||
*/
|
||||
|
||||
import csharp
|
||||
private import semmle.code.csharp.security.dataflow.flowsinks.FlowSinks
|
||||
private import semmle.code.csharp.security.dataflow.flowsources.FlowSources
|
||||
private import semmle.code.csharp.frameworks.system.DirectoryServices
|
||||
private import semmle.code.csharp.frameworks.system.directoryservices.Protocols
|
||||
@@ -18,7 +19,7 @@ abstract class Source extends DataFlow::Node { }
|
||||
/**
|
||||
* A data flow sink for unvalidated user input that is used to construct LDAP queries.
|
||||
*/
|
||||
abstract class Sink extends DataFlow::ExprNode { }
|
||||
abstract class Sink extends ApiSinkExprNode { }
|
||||
|
||||
/**
|
||||
* A sanitizer for unvalidated user input that is used to construct LDAP queries.
|
||||
|
||||
@@ -3,6 +3,7 @@
|
||||
*/
|
||||
|
||||
import csharp
|
||||
private import semmle.code.csharp.security.dataflow.flowsinks.FlowSinks
|
||||
private import semmle.code.csharp.security.dataflow.flowsources.FlowSources
|
||||
private import semmle.code.csharp.frameworks.System
|
||||
private import semmle.code.csharp.frameworks.system.text.RegularExpressions
|
||||
@@ -18,7 +19,7 @@ abstract class Source extends DataFlow::Node { }
|
||||
/**
|
||||
* A data flow sink for untrusted user input used in log entries.
|
||||
*/
|
||||
abstract class Sink extends DataFlow::ExprNode { }
|
||||
abstract class Sink extends ApiSinkExprNode { }
|
||||
|
||||
/**
|
||||
* A sanitizer for untrusted user input used in log entries.
|
||||
|
||||
@@ -4,6 +4,7 @@
|
||||
*/
|
||||
|
||||
import csharp
|
||||
private import semmle.code.csharp.security.dataflow.flowsinks.FlowSinks
|
||||
private import semmle.code.csharp.security.dataflow.flowsources.FlowSources
|
||||
private import semmle.code.csharp.frameworks.system.Xml
|
||||
private import semmle.code.csharp.security.Sanitizers
|
||||
@@ -18,7 +19,7 @@ abstract class Source extends DataFlow::Node { }
|
||||
* A data flow sink for untrusted user input processed as XML without validation against a known
|
||||
* schema.
|
||||
*/
|
||||
abstract class Sink extends DataFlow::ExprNode {
|
||||
abstract class Sink extends ApiSinkExprNode {
|
||||
/** Gets a string describing the reason why this is a sink. */
|
||||
abstract string getReason();
|
||||
}
|
||||
|
||||
@@ -5,6 +5,7 @@
|
||||
|
||||
import csharp
|
||||
private import semmle.code.csharp.dataflow.DataFlow2
|
||||
private import semmle.code.csharp.security.dataflow.flowsinks.FlowSinks
|
||||
private import semmle.code.csharp.security.dataflow.flowsources.FlowSources
|
||||
private import semmle.code.csharp.frameworks.system.text.RegularExpressions
|
||||
private import semmle.code.csharp.security.Sanitizers
|
||||
@@ -17,7 +18,7 @@ abstract class Source extends DataFlow::Node { }
|
||||
/**
|
||||
* A data flow sink for untrusted user input used in dangerous regular expression operations.
|
||||
*/
|
||||
abstract class Sink extends DataFlow::ExprNode { }
|
||||
abstract class Sink extends ApiSinkExprNode { }
|
||||
|
||||
/**
|
||||
* A sanitizer for untrusted user input used in dangerous regular expression operations.
|
||||
|
||||
@@ -4,6 +4,7 @@
|
||||
*/
|
||||
|
||||
import csharp
|
||||
private import semmle.code.csharp.security.dataflow.flowsinks.FlowSinks
|
||||
private import semmle.code.csharp.security.dataflow.flowsources.FlowSources
|
||||
private import semmle.code.csharp.frameworks.system.text.RegularExpressions
|
||||
private import semmle.code.csharp.security.Sanitizers
|
||||
@@ -16,7 +17,7 @@ abstract class Source extends DataFlow::Node { }
|
||||
/**
|
||||
* A data flow sink for untrusted user input used to construct regular expressions.
|
||||
*/
|
||||
abstract class Sink extends DataFlow::ExprNode { }
|
||||
abstract class Sink extends ApiSinkExprNode { }
|
||||
|
||||
/**
|
||||
* A sanitizer for untrusted user input used to construct regular expressions.
|
||||
|
||||
@@ -3,6 +3,7 @@
|
||||
*/
|
||||
|
||||
import csharp
|
||||
private import semmle.code.csharp.security.dataflow.flowsinks.FlowSinks
|
||||
private import semmle.code.csharp.security.dataflow.flowsources.FlowSources
|
||||
private import semmle.code.csharp.frameworks.system.Data
|
||||
private import semmle.code.csharp.security.Sanitizers
|
||||
@@ -15,7 +16,7 @@ abstract class Source extends DataFlow::Node { }
|
||||
/**
|
||||
* A data flow sink for untrusted user input used in resource descriptors.
|
||||
*/
|
||||
abstract class Sink extends DataFlow::ExprNode { }
|
||||
abstract class Sink extends ApiSinkExprNode { }
|
||||
|
||||
/**
|
||||
* A sanitizer for untrusted user input used in resource descriptors.
|
||||
|
||||
@@ -3,6 +3,7 @@
|
||||
*/
|
||||
|
||||
import csharp
|
||||
private import semmle.code.csharp.security.dataflow.flowsinks.FlowSinks
|
||||
private import semmle.code.csharp.security.dataflow.flowsources.FlowSources
|
||||
private import semmle.code.csharp.frameworks.Sql
|
||||
private import semmle.code.csharp.security.Sanitizers
|
||||
@@ -16,7 +17,7 @@ abstract class Source extends DataFlow::Node { }
|
||||
/**
|
||||
* A sink for SQL injection vulnerabilities.
|
||||
*/
|
||||
abstract class Sink extends DataFlow::ExprNode { }
|
||||
abstract class Sink extends ApiSinkExprNode { }
|
||||
|
||||
/**
|
||||
* A sanitizer for SQL injection vulnerabilities.
|
||||
|
||||
@@ -5,6 +5,7 @@
|
||||
|
||||
import csharp
|
||||
private import semmle.code.csharp.controlflow.Guards
|
||||
private import semmle.code.csharp.security.dataflow.flowsinks.FlowSinks
|
||||
private import semmle.code.csharp.security.dataflow.flowsources.FlowSources
|
||||
private import semmle.code.csharp.frameworks.system.IO
|
||||
private import semmle.code.csharp.frameworks.system.Web
|
||||
@@ -18,7 +19,7 @@ abstract class Source extends DataFlow::Node { }
|
||||
/**
|
||||
* A data flow sink for uncontrolled data in path expression vulnerabilities.
|
||||
*/
|
||||
abstract class Sink extends DataFlow::ExprNode { }
|
||||
abstract class Sink extends ApiSinkExprNode { }
|
||||
|
||||
/**
|
||||
* A sanitizer for uncontrolled data in path expression vulnerabilities.
|
||||
|
||||
@@ -6,6 +6,7 @@
|
||||
import csharp
|
||||
private import semmle.code.csharp.serialization.Deserializers
|
||||
private import semmle.code.csharp.dataflow.TaintTracking2
|
||||
private import semmle.code.csharp.security.dataflow.flowsinks.FlowSinks
|
||||
private import semmle.code.csharp.security.dataflow.flowsources.FlowSources
|
||||
|
||||
/**
|
||||
@@ -16,7 +17,7 @@ abstract class Source extends DataFlow::Node { }
|
||||
/**
|
||||
* A data flow sink for unsafe deserialization vulnerabilities.
|
||||
*/
|
||||
abstract class Sink extends DataFlow::Node { }
|
||||
abstract class Sink extends ApiSinkNode { }
|
||||
|
||||
/**
|
||||
* A data flow sink for unsafe deserialization vulnerabilities to an instance method.
|
||||
|
||||
@@ -3,6 +3,7 @@
|
||||
*/
|
||||
|
||||
import csharp
|
||||
private import semmle.code.csharp.security.dataflow.flowsinks.FlowSinks
|
||||
private import semmle.code.csharp.security.dataflow.flowsources.FlowSources
|
||||
private import semmle.code.csharp.controlflow.Guards
|
||||
private import semmle.code.csharp.frameworks.Format
|
||||
@@ -20,7 +21,7 @@ abstract class Source extends DataFlow::Node { }
|
||||
/**
|
||||
* A data flow sink for unvalidated URL redirect vulnerabilities.
|
||||
*/
|
||||
abstract class Sink extends DataFlow::ExprNode { }
|
||||
abstract class Sink extends ApiSinkExprNode { }
|
||||
|
||||
/**
|
||||
* A sanitizer for unvalidated URL redirect vulnerabilities.
|
||||
|
||||
@@ -3,6 +3,7 @@
|
||||
*/
|
||||
|
||||
import csharp
|
||||
private import semmle.code.csharp.security.dataflow.flowsinks.FlowSinks
|
||||
private import semmle.code.csharp.security.dataflow.flowsources.FlowSources
|
||||
private import semmle.code.csharp.frameworks.System
|
||||
private import semmle.code.csharp.frameworks.system.text.RegularExpressions
|
||||
@@ -19,7 +20,7 @@ private class ThreatModelSource extends Source instanceof ThreatModelFlowSource
|
||||
/**
|
||||
* A data flow sink for untrusted user input used in XML processing.
|
||||
*/
|
||||
abstract class Sink extends DataFlow::ExprNode {
|
||||
abstract class Sink extends ApiSinkExprNode {
|
||||
/**
|
||||
* Gets the reason for the insecurity of this sink.
|
||||
*/
|
||||
|
||||
@@ -3,6 +3,7 @@
|
||||
*/
|
||||
|
||||
import csharp
|
||||
private import semmle.code.csharp.security.dataflow.flowsinks.FlowSinks
|
||||
private import semmle.code.csharp.security.dataflow.flowsources.FlowSources
|
||||
private import semmle.code.csharp.frameworks.system.xml.XPath
|
||||
private import semmle.code.csharp.frameworks.system.Xml
|
||||
@@ -16,7 +17,7 @@ abstract class Source extends DataFlow::Node { }
|
||||
/**
|
||||
* A data flow sink for untrusted user input used in XPath expression.
|
||||
*/
|
||||
abstract class Sink extends DataFlow::ExprNode { }
|
||||
abstract class Sink extends ApiSinkExprNode { }
|
||||
|
||||
/**
|
||||
* A sanitizer for untrusted user input used in XPath expression.
|
||||
|
||||
@@ -4,6 +4,7 @@
|
||||
|
||||
import csharp
|
||||
private import semmle.code.csharp.controlflow.Guards
|
||||
private import semmle.code.csharp.security.dataflow.flowsinks.FlowSinks
|
||||
|
||||
/**
|
||||
* A data flow source for unsafe zip extraction.
|
||||
@@ -13,7 +14,7 @@ abstract class Source extends DataFlow::Node { }
|
||||
/**
|
||||
* A data flow sink for unsafe zip extraction.
|
||||
*/
|
||||
abstract class Sink extends DataFlow::ExprNode { }
|
||||
abstract class Sink extends ApiSinkExprNode { }
|
||||
|
||||
/**
|
||||
* A sanitizer for unsafe zip extraction.
|
||||
|
||||
@@ -1,84 +0,0 @@
|
||||
/** Provides classes representing various flow sinks for data flow / taint tracking. */
|
||||
|
||||
private import semmle.code.csharp.dataflow.internal.ExternalFlow
|
||||
|
||||
/**
|
||||
* A data flow sink node.
|
||||
*/
|
||||
abstract class SinkNode extends DataFlow::Node { }
|
||||
|
||||
/**
|
||||
* Module that adds all sinks to `SinkNode`, excluding sinks for cryptography based
|
||||
* queries, and queries where sinks are not succifiently explicit.
|
||||
*/
|
||||
private module AllSinks {
|
||||
private import ParallelSink as ParallelSink
|
||||
private import Remote as Remote
|
||||
private import semmle.code.csharp.security.dataflow.CodeInjectionQuery as CodeInjectionQuery
|
||||
private import semmle.code.csharp.security.dataflow.ConditionalBypassQuery as ConditionalBypassQuery
|
||||
private import semmle.code.csharp.security.dataflow.ExposureOfPrivateInformationQuery as ExposureOfPrivateInformationQuery
|
||||
private import semmle.code.csharp.security.dataflow.HardcodedCredentialsQuery as HardcodedCredentialsQuery
|
||||
private import semmle.code.csharp.security.dataflow.LDAPInjectionQuery as LdapInjectionQuery
|
||||
private import semmle.code.csharp.security.dataflow.LogForgingQuery as LogForgingQuery
|
||||
private import semmle.code.csharp.security.dataflow.MissingXMLValidationQuery as MissingXmlValidationQuery
|
||||
private import semmle.code.csharp.security.dataflow.ReDoSQuery as ReDosQuery
|
||||
private import semmle.code.csharp.security.dataflow.RegexInjectionQuery as RegexInjectionQuery
|
||||
private import semmle.code.csharp.security.dataflow.ResourceInjectionQuery as ResourceInjectionQuery
|
||||
private import semmle.code.csharp.security.dataflow.SqlInjectionQuery as SqlInjectionQuery
|
||||
private import semmle.code.csharp.security.dataflow.TaintedPathQuery as TaintedPathQuery
|
||||
private import semmle.code.csharp.security.dataflow.UnsafeDeserializationQuery as UnsafeDeserializationQuery
|
||||
private import semmle.code.csharp.security.dataflow.UrlRedirectQuery as UrlRedirectQuery
|
||||
private import semmle.code.csharp.security.dataflow.XMLEntityInjectionQuery as XmlEntityInjectionQuery
|
||||
private import semmle.code.csharp.security.dataflow.XPathInjectionQuery as XpathInjectionQuery
|
||||
private import semmle.code.csharp.security.dataflow.XSSSinks as XssSinks
|
||||
private import semmle.code.csharp.security.dataflow.ZipSlipQuery as ZipSlipQuery
|
||||
|
||||
private class ParallelSink extends SinkNode instanceof ParallelSink::ParallelSink { }
|
||||
|
||||
private class RemoteSinkFlowSinks extends SinkNode instanceof Remote::RemoteFlowSink { }
|
||||
|
||||
private class CodeInjectionSink extends SinkNode instanceof CodeInjectionQuery::Sink { }
|
||||
|
||||
private class ConditionalBypassSink extends SinkNode instanceof ConditionalBypassQuery::Sink { }
|
||||
|
||||
private class ExposureOfPrivateInformationSink extends SinkNode instanceof ExposureOfPrivateInformationQuery::Sink
|
||||
{ }
|
||||
|
||||
private class HardcodedCredentialsSink extends SinkNode instanceof HardcodedCredentialsQuery::Sink
|
||||
{ }
|
||||
|
||||
private class LdapInjectionSink extends SinkNode instanceof LdapInjectionQuery::Sink { }
|
||||
|
||||
private class LogForgingSink extends SinkNode instanceof LogForgingQuery::Sink { }
|
||||
|
||||
private class MissingXmlValidationSink extends SinkNode instanceof MissingXmlValidationQuery::Sink
|
||||
{ }
|
||||
|
||||
private class ReDosSink extends SinkNode instanceof ReDosQuery::Sink { }
|
||||
|
||||
private class RegexInjectionSink extends SinkNode instanceof RegexInjectionQuery::Sink { }
|
||||
|
||||
private class ResourceInjectionSink extends SinkNode instanceof ResourceInjectionQuery::Sink { }
|
||||
|
||||
private class SqlInjectionSink extends SinkNode instanceof SqlInjectionQuery::Sink { }
|
||||
|
||||
private class TaintedPathSink extends SinkNode instanceof TaintedPathQuery::Sink { }
|
||||
|
||||
private class UnsafeDeserializationSink extends SinkNode instanceof UnsafeDeserializationQuery::Sink
|
||||
{ }
|
||||
|
||||
private class UrlRedirectSink extends SinkNode instanceof UrlRedirectQuery::Sink { }
|
||||
|
||||
private class XmlEntityInjectionSink extends SinkNode instanceof XmlEntityInjectionQuery::Sink { }
|
||||
|
||||
private class XpathInjectionSink extends SinkNode instanceof XpathInjectionQuery::Sink { }
|
||||
|
||||
private class XssSink extends SinkNode instanceof XssSinks::Sink { }
|
||||
|
||||
/**
|
||||
* Add all models as data sinks.
|
||||
*/
|
||||
private class SinkNodeExternal extends SinkNode {
|
||||
SinkNodeExternal() { sinkNode(this, _) }
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,35 @@
|
||||
/** Provides classes representing various flow sinks for data flow / taint tracking. */
|
||||
|
||||
private import semmle.code.csharp.dataflow.internal.ExternalFlow
|
||||
private import semmle.code.csharp.security.dataflow.flowsinks.FlowSinks
|
||||
|
||||
/**
|
||||
* A data flow sink node.
|
||||
*/
|
||||
final class SinkNode = ApiSinkNode;
|
||||
|
||||
/**
|
||||
* Module that adds all API like sinks to `SinkNode`, excluding sinks for cryptography based
|
||||
* queries, and queries where sinks are not sufficiently defined (eg. using broad method name matching).
|
||||
*/
|
||||
private module AllApiSinks {
|
||||
private import ParallelSink
|
||||
private import Remote
|
||||
private import semmle.code.csharp.security.dataflow.CodeInjectionQuery as CodeInjectionQuery
|
||||
private import semmle.code.csharp.security.dataflow.ConditionalBypassQuery as ConditionalBypassQuery
|
||||
private import semmle.code.csharp.security.dataflow.ExposureOfPrivateInformationQuery as ExposureOfPrivateInformationQuery
|
||||
private import semmle.code.csharp.security.dataflow.HardcodedCredentialsQuery as HardcodedCredentialsQuery
|
||||
private import semmle.code.csharp.security.dataflow.LDAPInjectionQuery as LdapInjectionQuery
|
||||
private import semmle.code.csharp.security.dataflow.LogForgingQuery as LogForgingQuery
|
||||
private import semmle.code.csharp.security.dataflow.MissingXMLValidationQuery as MissingXmlValidationQuery
|
||||
private import semmle.code.csharp.security.dataflow.ReDoSQuery as ReDosQuery
|
||||
private import semmle.code.csharp.security.dataflow.RegexInjectionQuery as RegexInjectionQuery
|
||||
private import semmle.code.csharp.security.dataflow.ResourceInjectionQuery as ResourceInjectionQuery
|
||||
private import semmle.code.csharp.security.dataflow.SqlInjectionQuery as SqlInjectionQuery
|
||||
private import semmle.code.csharp.security.dataflow.TaintedPathQuery as TaintedPathQuery
|
||||
private import semmle.code.csharp.security.dataflow.UnsafeDeserializationQuery as UnsafeDeserializationQuery
|
||||
private import semmle.code.csharp.security.dataflow.UrlRedirectQuery as UrlRedirectQuery
|
||||
private import semmle.code.csharp.security.dataflow.XMLEntityInjectionQuery as XmlEntityInjectionQuery
|
||||
private import semmle.code.csharp.security.dataflow.XPathInjectionQuery as XpathInjectionQuery
|
||||
private import semmle.code.csharp.security.dataflow.ZipSlipQuery as ZipSlipQuery
|
||||
}
|
||||
@@ -3,6 +3,7 @@
|
||||
*/
|
||||
|
||||
import csharp
|
||||
private import FlowSinks
|
||||
private import Remote
|
||||
private import semmle.code.csharp.commons.Loggers
|
||||
private import semmle.code.csharp.frameworks.system.Web
|
||||
@@ -16,7 +17,7 @@ private import semmle.code.csharp.dataflow.internal.ExternalFlow
|
||||
* which the application may have no access control. For example, files on a local or remote
|
||||
* filesystem (including log files and cookies).
|
||||
*/
|
||||
abstract class ExternalLocationSink extends DataFlow::ExprNode { }
|
||||
abstract class ExternalLocationSink extends ApiSinkExprNode { }
|
||||
|
||||
private class ExternalModelSink extends ExternalLocationSink {
|
||||
ExternalModelSink() { sinkNode(this, "file-content-store") }
|
||||
|
||||
@@ -0,0 +1,23 @@
|
||||
/** Provides classes representing various flow sinks for data flow / taint tracking. */
|
||||
|
||||
private import csharp
|
||||
private import semmle.code.csharp.dataflow.internal.ExternalFlow
|
||||
|
||||
/**
|
||||
* A data flow sink node for an API, which should be considered
|
||||
* supported from a modeling perspective.
|
||||
*/
|
||||
abstract class ApiSinkNode extends DataFlow::Node { }
|
||||
|
||||
/**
|
||||
* A data flow sink expression node for an API, which should be considered
|
||||
* supported from a modeling perspective.
|
||||
*/
|
||||
abstract class ApiSinkExprNode extends ApiSinkNode, DataFlow::ExprNode { }
|
||||
|
||||
/**
|
||||
* Add all sink models as data sinks.
|
||||
*/
|
||||
private class ApiSinkNodeExternal extends ApiSinkNode {
|
||||
ApiSinkNodeExternal() { sinkNode(this, _) }
|
||||
}
|
||||
@@ -3,11 +3,12 @@
|
||||
*/
|
||||
|
||||
import csharp
|
||||
private import FlowSinks
|
||||
|
||||
/**
|
||||
* A data flow sink node for parallel execution.
|
||||
*/
|
||||
abstract class ParallelSink extends DataFlow::Node { }
|
||||
abstract class ParallelSink extends ApiSinkNode { }
|
||||
|
||||
/**
|
||||
* A data flow sink node for lambda parallel sink.
|
||||
|
||||
@@ -5,12 +5,13 @@
|
||||
import csharp
|
||||
private import Email::Email
|
||||
private import ExternalLocationSink
|
||||
private import FlowSinks
|
||||
private import Html
|
||||
private import semmle.code.csharp.security.dataflow.XSSSinks as XssSinks
|
||||
private import semmle.code.csharp.frameworks.system.web.UI
|
||||
|
||||
/** A data flow sink of remote user output. */
|
||||
abstract class RemoteFlowSink extends DataFlow::Node { }
|
||||
abstract class RemoteFlowSink extends ApiSinkNode { }
|
||||
|
||||
/**
|
||||
* A value written to the `[Inner]Text` property of an object defined in the
|
||||
|
||||
@@ -1,77 +0,0 @@
|
||||
/** Provides classes representing various flow sources for data flow / taint tracking. */
|
||||
|
||||
private import semmle.code.csharp.dataflow.internal.ExternalFlow
|
||||
|
||||
/**
|
||||
* A data flow source node.
|
||||
*/
|
||||
abstract class SourceNode extends DataFlow::Node { }
|
||||
|
||||
/**
|
||||
* Module that adds all sources to `SourceNode`, excluding source for cryptography based
|
||||
* queries, and queries where sources are not succifiently explicit or mainly hardcoded constants.
|
||||
*/
|
||||
private module AllSources {
|
||||
private import FlowSources as FlowSources
|
||||
private import semmle.code.csharp.security.cryptography.HardcodedSymmetricEncryptionKey
|
||||
private import semmle.code.csharp.security.dataflow.CleartextStorageQuery as CleartextStorageQuery
|
||||
private import semmle.code.csharp.security.dataflow.CodeInjectionQuery as CodeInjectionQuery
|
||||
private import semmle.code.csharp.security.dataflow.ConditionalBypassQuery as ConditionalBypassQuery
|
||||
private import semmle.code.csharp.security.dataflow.ExposureOfPrivateInformationQuery as ExposureOfPrivateInformationQuery
|
||||
private import semmle.code.csharp.security.dataflow.HardcodedCredentialsQuery as HardcodedCredentialsQuery
|
||||
private import semmle.code.csharp.security.dataflow.LDAPInjectionQuery as LdapInjectionQuery
|
||||
private import semmle.code.csharp.security.dataflow.LogForgingQuery as LogForgingQuery
|
||||
private import semmle.code.csharp.security.dataflow.MissingXMLValidationQuery as MissingXmlValidationQuery
|
||||
private import semmle.code.csharp.security.dataflow.ReDoSQuery as ReDosQuery
|
||||
private import semmle.code.csharp.security.dataflow.RegexInjectionQuery as RegexInjectionQuery
|
||||
private import semmle.code.csharp.security.dataflow.ResourceInjectionQuery as ResourceInjectionQuery
|
||||
private import semmle.code.csharp.security.dataflow.SqlInjectionQuery as SqlInjectionQuery
|
||||
private import semmle.code.csharp.security.dataflow.TaintedPathQuery as TaintedPathQuery
|
||||
private import semmle.code.csharp.security.dataflow.UnsafeDeserializationQuery as UnsafeDeserializationQuery
|
||||
private import semmle.code.csharp.security.dataflow.UrlRedirectQuery as UrlRedirectQuery
|
||||
private import semmle.code.csharp.security.dataflow.XMLEntityInjectionQuery as XmlEntityInjectionQuery
|
||||
private import semmle.code.csharp.security.dataflow.XPathInjectionQuery as XpathInjectionQuery
|
||||
private import semmle.code.csharp.security.dataflow.ZipSlipQuery as ZipSlipQuery
|
||||
|
||||
private class FlowSourcesSources extends SourceNode instanceof FlowSources::SourceNode { }
|
||||
|
||||
private class CodeInjectionSource extends SourceNode instanceof CodeInjectionQuery::Source { }
|
||||
|
||||
private class ConditionalBypassSource extends SourceNode instanceof ConditionalBypassQuery::Source
|
||||
{ }
|
||||
|
||||
private class LdapInjectionSource extends SourceNode instanceof LdapInjectionQuery::Source { }
|
||||
|
||||
private class LogForgingSource extends SourceNode instanceof LogForgingQuery::Source { }
|
||||
|
||||
private class MissingXmlValidationSource extends SourceNode instanceof MissingXmlValidationQuery::Source
|
||||
{ }
|
||||
|
||||
private class ReDosSource extends SourceNode instanceof ReDosQuery::Source { }
|
||||
|
||||
private class RegexInjectionSource extends SourceNode instanceof RegexInjectionQuery::Source { }
|
||||
|
||||
private class ResourceInjectionSource extends SourceNode instanceof ResourceInjectionQuery::Source
|
||||
{ }
|
||||
|
||||
private class SqlInjectionSource extends SourceNode instanceof SqlInjectionQuery::Source { }
|
||||
|
||||
private class TaintedPathSource extends SourceNode instanceof TaintedPathQuery::Source { }
|
||||
|
||||
private class UnsafeDeserializationSource extends SourceNode instanceof UnsafeDeserializationQuery::Source
|
||||
{ }
|
||||
|
||||
private class UrlRedirectSource extends SourceNode instanceof UrlRedirectQuery::Source { }
|
||||
|
||||
private class XmlEntityInjectionSource extends SourceNode instanceof XmlEntityInjectionQuery::Source
|
||||
{ }
|
||||
|
||||
private class XpathInjectionSource extends SourceNode instanceof XpathInjectionQuery::Source { }
|
||||
|
||||
/**
|
||||
* Add all models as data sources.
|
||||
*/
|
||||
private class SourceNodeExternal extends SourceNode {
|
||||
SourceNodeExternal() { sourceNode(this, _) }
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,14 @@
|
||||
/** Provides classes representing various flow sources for data flow / taint tracking. */
|
||||
|
||||
private import FlowSources as FlowSources
|
||||
|
||||
final class SourceNode = FlowSources::SourceNode;
|
||||
|
||||
/**
|
||||
* Module that adds all API like sources to `SourceNode`, excluding some sources for cryptography based
|
||||
* queries, and queries where sources are not sufficiently defined (eg. using broad method name matching).
|
||||
*/
|
||||
private module AllApiSources {
|
||||
private import semmle.code.csharp.security.dataflow.ConditionalBypassQuery as ConditionalBypassQuery
|
||||
private import semmle.code.csharp.security.dataflow.ZipSlipQuery as ZipSlipQuery
|
||||
}
|
||||
@@ -32,3 +32,18 @@ class ThreatModelFlowSource extends DataFlow::Node {
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A data flow source node for an API, which should be considered
|
||||
* supported from a modeling perspective.
|
||||
*/
|
||||
abstract class ApiSourceNode extends DataFlow::Node { }
|
||||
|
||||
private class AddSourceNodes extends ApiSourceNode instanceof SourceNode { }
|
||||
|
||||
/**
|
||||
* Add all source models as data sources.
|
||||
*/
|
||||
private class ApiSourceNodeExternal extends ApiSourceNode {
|
||||
ApiSourceNodeExternal() { sourceNode(this, _) }
|
||||
}
|
||||
|
||||
@@ -8,8 +8,8 @@ private import semmle.code.csharp.dataflow.internal.DataFlowDispatch as DataFlow
|
||||
private import semmle.code.csharp.dataflow.internal.ExternalFlow
|
||||
private import semmle.code.csharp.dataflow.internal.FlowSummaryImpl as FlowSummaryImpl
|
||||
private import semmle.code.csharp.dataflow.internal.TaintTrackingPrivate
|
||||
private import semmle.code.csharp.security.dataflow.flowsources.AllSources
|
||||
private import semmle.code.csharp.security.dataflow.flowsinks.AllSinks
|
||||
private import semmle.code.csharp.security.dataflow.flowsources.ApiSources as ApiSources
|
||||
private import semmle.code.csharp.security.dataflow.flowsinks.ApiSinks as ApiSinks
|
||||
private import TestLibrary
|
||||
|
||||
/** Holds if the given callable is not worth supporting. */
|
||||
@@ -85,11 +85,11 @@ class ExternalApi extends Callable {
|
||||
|
||||
/** Holds if this API is a known source. */
|
||||
pragma[nomagic]
|
||||
predicate isSource() { this.getAnOutput() instanceof SourceNode }
|
||||
predicate isSource() { this.getAnOutput() instanceof ApiSources::SourceNode }
|
||||
|
||||
/** Holds if this API is a known sink. */
|
||||
pragma[nomagic]
|
||||
predicate isSink() { this.getAnInput() instanceof SinkNode }
|
||||
predicate isSink() { this.getAnInput() instanceof ApiSinks::SinkNode }
|
||||
|
||||
/** Holds if this API is a known neutral. */
|
||||
pragma[nomagic]
|
||||
|
||||
Reference in New Issue
Block a user