C#: Add CaptureSummaryModels query.

2026-04-30 03:05:15 +02:00 · 2022-03-18 13:44:10 +01:00
parent fb2a7dfb48
commit db21a6a0f3
4 changed files with 58 additions and 1 deletions
--- a/csharp/ql/src/utils/model-generator/CaptureSinkModels.ql
+++ b/csharp/ql/src/utils/model-generator/CaptureSinkModels.ql
@@ -0,0 +1,12 @@
+/**
+ * @name Capture sink models.
+ * @description Finds public methods that act as sinks as they flow into a a known sink.
+ * @id csharp/utils/model-generator/sink-models
+ */
+
+private import ModelGeneratorUtils
+private import CaptureSinkModels
+
+from TargetApi api, string sink
+where sink = captureSink(api)
+select sink order by sink
--- a/csharp/ql/src/utils/model-generator/CaptureSinkModels.qll
+++ b/csharp/ql/src/utils/model-generator/CaptureSinkModels.qll
@@ -0,0 +1,21 @@
+private import CaptureSinkModelsSpecific
+
+class PropagateToSinkConfiguration extends PropagateToSinkConfigurationSpecific {
+  PropagateToSinkConfiguration() { this = "parameters or fields flowing into sinks" }
+
+  override predicate isSink(DataFlow::Node sink) { sinkNode(sink, _) }
+
+  override DataFlow::FlowFeature getAFeature() {
+    result instanceof DataFlow::FeatureHasSourceCallContext
+  }
+}
+
+string captureSink(TargetApi api) {
+  exists(DataFlow::Node src, DataFlow::Node sink, PropagateToSinkConfiguration config, string kind |
+    config.hasFlow(src, sink) and
+    sinkNode(sink, kind) and
+    api = src.getEnclosingCallable() and
+    not kind = "logging" and
+    result = asSinkModel(api, asInputArgument(src), kind)
+  )
+}
--- a/csharp/ql/src/utils/model-generator/CaptureSinkModelsSpecific.qll
+++ b/csharp/ql/src/utils/model-generator/CaptureSinkModelsSpecific.qll
@@ -0,0 +1,24 @@
+import csharp
+import semmle.code.csharp.dataflow.TaintTracking
+import semmle.code.csharp.dataflow.ExternalFlow
+import ModelGeneratorUtils
+
+class PropagateToSinkConfigurationSpecific extends TaintTracking::Configuration {
+  PropagateToSinkConfigurationSpecific() { this = "parameters or fields flowing into sinks" }
+
+  override predicate isSource(DataFlow::Node source) {
+    (source.asExpr() instanceof FieldAccess or source instanceof DataFlow::ParameterNode) and
+    source.getEnclosingCallable().(Modifiable).isEffectivelyPublic() and
+    isRelevantForModels(source.getEnclosingCallable())
+  }
+}
+
+string asInputArgument(DataFlow::Node source) {
+  exists(int pos |
+    pos = source.(DataFlow::ParameterNode).getParameter().getPosition() and
+    result = "Argument[" + pos + "]"
+  )
+  or
+  source.asExpr() instanceof FieldAccess and
+  result = "Argument[Qualifier]"
+}
--- a/csharp/ql/src/utils/model-generator/ModelGeneratorUtilsSpecific.qll
+++ b/csharp/ql/src/utils/model-generator/ModelGeneratorUtilsSpecific.qll
@@ -5,7 +5,7 @@ private import semmle.code.csharp.commons.Collections
 private import semmle.code.csharp.dataflow.internal.DataFlowImplCommon
 private import semmle.code.csharp.dataflow.internal.DataFlowDispatch

-private predicate isRelevantForModels(Callable api) { not api instanceof MainMethod }
+predicate isRelevantForModels(Callable api) { not api instanceof MainMethod }

 /**
 * A class of callables that are relevant generating summary, source and sinks models for.