C#: New query for cs/uncontrolled-string-format

csharp/ql/src/Security Features/CWE-134/UncontrolledFormatString.ql

@@ -0,0 +1,36 @@
+/**
+ * @name Uncontrolled format string
+ * @description
+ * @kind path-problem
+ * @problem.severity error
+ * @precision high
+ * @id cs/uncontrolled-format-string
+ * @tags security
+ *       external/cwe/cwe-134
+ */
+
+import csharp
+import semmle.code.csharp.dataflow.flowsources.Remote
+import semmle.code.csharp.dataflow.TaintTracking
+import semmle.code.csharp.frameworks.System
+import DataFlow::PathGraph
+
+class FormatStringConfiguration extends TaintTracking::Configuration
+{
+  FormatStringConfiguration() { this = "FormatStringConfiguration" }
+  
+  override predicate isSource(DataFlow::Node source) {
+    source instanceof RemoteFlowSource
+  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    exists(MethodCall call | sink.asExpr() = call.getArgumentForName("format") and
+      call.getTarget() = any(SystemStringClass s).getFormatMethod()
+    )
+  }
+}
+
+from FormatStringConfiguration config, DataFlow::PathNode source, DataFlow::PathNode sink
+where config.hasFlowPath(source, sink)
+select sink.getNode(), source, sink,
+  "$@ flows to here and is used to format 'String.Format'.", source.getNode(), source.getNode().toString()

csharp/ql/test/query-tests/Security Features/CWE-134/UncontrolledFormatString.cs

@@ -0,0 +1,25 @@
+// semmle-extractor-options: /r:System.Runtime.Extensions.dll /r:System.Collections.Specialized.dll ${testdir}/../../../resources/stubs/System.Web.cs
+
+using System;
+using System.IO;
+using System.Web;
+
+public class TaintedPathHandler : IHttpHandler
+{
+    public void ProcessRequest(HttpContext ctx)
+    {
+        String path = ctx.Request.QueryString["page"];
+        
+        // BAD: Uncontrolled format string.
+        String.Format(path, "Do not do this");
+        
+        // BAD: Using an IFormatProvider.
+        String.Format((IFormatProvider)null, path, "Do not do this");
+
+        // GOOD: Not the format string.
+        String.Format("Do not do this", path);
+        
+        // GOOD: Not the format string.
+        String.Format((IFormatProvider)null, "Do not do this", path);
+    }
+}

csharp/ql/test/query-tests/Security Features/CWE-134/UncontrolledFormatString.expected

@@ -0,0 +1,6 @@
+edges
+| UncontrolledFormatString.cs:11:23:11:45 | access to property QueryString | UncontrolledFormatString.cs:14:23:14:26 | access to local variable path |
+| UncontrolledFormatString.cs:11:23:11:45 | access to property QueryString | UncontrolledFormatString.cs:17:46:17:49 | access to local variable path |
+#select
+| UncontrolledFormatString.cs:14:23:14:26 | access to local variable path | UncontrolledFormatString.cs:11:23:11:45 | access to property QueryString | UncontrolledFormatString.cs:14:23:14:26 | access to local variable path | $@ flows to here and is used to format 'String.Format'. | UncontrolledFormatString.cs:11:23:11:45 | access to property QueryString | access to property QueryString |
+| UncontrolledFormatString.cs:17:46:17:49 | access to local variable path | UncontrolledFormatString.cs:11:23:11:45 | access to property QueryString | UncontrolledFormatString.cs:17:46:17:49 | access to local variable path | $@ flows to here and is used to format 'String.Format'. | UncontrolledFormatString.cs:11:23:11:45 | access to property QueryString | access to property QueryString |

csharp/ql/test/query-tests/Security Features/CWE-134/UncontrolledFormatString.qlref

@@ -0,0 +1 @@
+Security Features/CWE-134/UncontrolledFormatString.ql