C#: Move all predefined sources and sinks into security/dataflow/flow{sinks,sources}

2026-04-27 01:35:13 +02:00 · 2020-03-25 13:24:48 +01:00
parent 7ac25d2439
commit fddbce0b7b
31 changed files with 257 additions and 271 deletions
--- a/Features/CWE-091/XMLInjection.ql
+++ b/Features/CWE-091/XMLInjection.ql
@@ -11,7 +11,7 @@
 */

 import csharp
-import semmle.code.csharp.dataflow.flowsources.Remote
+import semmle.code.csharp.security.dataflow.flowsources.Remote
 import semmle.code.csharp.frameworks.system.Xml

 /**
--- a/Features/CWE-114/AssemblyPathInjection.ql
+++ b/Features/CWE-114/AssemblyPathInjection.ql
@@ -12,7 +12,7 @@
 */

 import csharp
-import semmle.code.csharp.dataflow.flowsources.Remote
+import semmle.code.csharp.security.dataflow.flowsources.Remote
 import semmle.code.csharp.commons.Util

 /**
--- a/Features/CWE-134/UncontrolledFormatString.ql
+++ b/Features/CWE-134/UncontrolledFormatString.ql
@@ -11,8 +11,8 @@
 */

 import csharp
-import semmle.code.csharp.dataflow.flowsources.Remote
-import semmle.code.csharp.dataflow.flowsources.Local
+import semmle.code.csharp.security.dataflow.flowsources.Remote
+import semmle.code.csharp.security.dataflow.flowsources.Local
 import semmle.code.csharp.dataflow.TaintTracking
 import semmle.code.csharp.frameworks.Format
 import DataFlow::PathGraph
--- a/Features/InsecureRandomness.ql
+++ b/Features/InsecureRandomness.ql
@@ -16,7 +16,7 @@ import semmle.code.csharp.frameworks.Test
 import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph

 module Random {
-  import semmle.code.csharp.dataflow.flowsources.Remote
+  import semmle.code.csharp.security.dataflow.flowsources.Remote
  import semmle.code.csharp.security.SensitiveActions

  /**
--- a/csharp/ql/src/semmle/code/csharp/dataflow/flowsources/PublicCallableParameter.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/flowsources/PublicCallableParameter.qll
@@ -1,11 +1,14 @@
 /**
+ * DEPRECATED.
+ *
 * Provides classes representing data flow sources for parameters of public callables.
 */

 import csharp
-private import semmle.code.csharp.frameworks.WCF

 /**
+ * DEPRECATED.
+ *
 * A parameter of a public callable, for example `p` in
 *
 * ```
@@ -14,7 +17,7 @@ private import semmle.code.csharp.frameworks.WCF
 * }
 * ```
 */
-class PublicCallableParameterFlowSource extends DataFlow::ParameterNode {
+deprecated class PublicCallableParameterFlowSource extends DataFlow::ParameterNode {
  PublicCallableParameterFlowSource() {
    exists(Callable c, Parameter p |
      p = this.getParameter() and
--- a/csharp/ql/src/semmle/code/csharp/dataflow/flowsources/Remote.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/flowsources/Remote.qll
@@ -1,218 +1,7 @@
 /**
- * Provides classes representing data flow sources for remote user input.
+ * DEPRECATED.
+ *
+ * Use `semmle.code.csharp.security.dataflow.flowsources.Remote` instead.
 */

-import csharp
-private import semmle.code.csharp.frameworks.system.Net
-private import semmle.code.csharp.frameworks.system.Web
-private import semmle.code.csharp.frameworks.system.web.Http
-private import semmle.code.csharp.frameworks.system.web.Mvc
-private import semmle.code.csharp.frameworks.system.web.Services
-private import semmle.code.csharp.frameworks.system.web.ui.WebControls
-private import semmle.code.csharp.frameworks.WCF
-private import semmle.code.csharp.frameworks.microsoft.Owin
-private import semmle.code.csharp.frameworks.microsoft.AspNetCore
-
-/** A data flow source of remote user input. */
-abstract class RemoteFlowSource extends DataFlow::Node {
-  /** Gets a string that describes the type of this remote flow source. */
-  abstract string getSourceType();
-}
-
-/** A data flow source of remote user input (ASP.NET). */
-abstract class AspNetRemoteFlowSource extends RemoteFlowSource { }
-
-/** A member containing an ASP.NET query string. */
-class AspNetQueryStringMember extends Member {
-  AspNetQueryStringMember() {
-    exists(RefType t |
-      t instanceof SystemWebHttpRequestClass or
-      t instanceof SystemNetHttpListenerRequestClass or
-      t instanceof SystemWebHttpRequestBaseClass
-    |
-      this = t.getProperty(getHttpRequestFlowPropertyNames()) or
-      this.(Field).getType() = t or
-      this.(Property).getType() = t or
-      this.(Callable).getReturnType() = t
-    )
-  }
-}
-
-/**
- * Gets the names of the properties in `HttpRequest` classes that should propagate taint out of the
- * request.
- */
-private string getHttpRequestFlowPropertyNames() {
-  result = "QueryString" or
-  result = "Headers" or
-  result = "RawUrl" or
-  result = "Url" or
-  result = "Cookies" or
-  result = "Form" or
-  result = "Params" or
-  result = "Path" or
-  result = "PathInfo"
-}
-
-/** A data flow source of remote user input (ASP.NET query string). */
-class AspNetQueryStringRemoteFlowSource extends AspNetRemoteFlowSource, DataFlow::ExprNode {
-  AspNetQueryStringRemoteFlowSource() {
-    exists(RefType t |
-      t instanceof SystemWebHttpRequestClass or
-      t instanceof SystemNetHttpListenerRequestClass or
-      t instanceof SystemWebHttpRequestBaseClass
-    |
-      // A request object can be indexed, so taint the object as well
-      this.getExpr().getType() = t
-    )
-    or
-    this.getExpr() = any(AspNetQueryStringMember m).getAnAccess()
-  }
-
-  override string getSourceType() { result = "ASP.NET query string" }
-}
-
-/** A data flow source of remote user input (ASP.NET unvalidated request data). */
-class AspNetUnvalidatedQueryStringRemoteFlowSource extends AspNetRemoteFlowSource,
-  DataFlow::ExprNode {
-  AspNetUnvalidatedQueryStringRemoteFlowSource() {
-    this.getExpr() = any(SystemWebUnvalidatedRequestValues c).getAProperty().getGetter().getACall() or
-    this.getExpr() =
-      any(SystemWebUnvalidatedRequestValuesBase c).getAProperty().getGetter().getACall()
-  }
-
-  override string getSourceType() { result = "ASP.NET unvalidated request data" }
-}
-
-/** A data flow source of remote user input (ASP.NET user input). */
-class AspNetUserInputRemoteFlowSource extends AspNetRemoteFlowSource, DataFlow::ExprNode {
-  AspNetUserInputRemoteFlowSource() { getType() instanceof SystemWebUIWebControlsTextBoxClass }
-
-  override string getSourceType() { result = "ASP.NET user input" }
-}
-
-/** A data flow source of remote user input (WCF based web service). */
-class WcfRemoteFlowSource extends RemoteFlowSource, DataFlow::ParameterNode {
-  WcfRemoteFlowSource() { exists(OperationMethod om | om.getAParameter() = this.getParameter()) }
-
-  override string getSourceType() { result = "web service input" }
-}
-
-/** A data flow source of remote user input (ASP.NET web service). */
-class AspNetServiceRemoteFlowSource extends RemoteFlowSource, DataFlow::ParameterNode {
-  AspNetServiceRemoteFlowSource() {
-    exists(Method m |
-      m.getAParameter() = this.getParameter() and
-      m.getAnAttribute().getType() instanceof SystemWebServicesWebMethodAttributeClass
-    )
-  }
-
-  override string getSourceType() { result = "ASP.NET web service input" }
-}
-
-/** A data flow source of remote user input (ASP.NET request message). */
-class SystemNetHttpRequestMessageRemoteFlowSource extends RemoteFlowSource, DataFlow::ExprNode {
-  SystemNetHttpRequestMessageRemoteFlowSource() {
-    getType() instanceof SystemWebHttpRequestMessageClass
-  }
-
-  override string getSourceType() { result = "ASP.NET request message" }
-}
-
-/**
- * A data flow source of remote user input (Microsoft Owin, a query, request,
- * or path string).
- */
-class MicrosoftOwinStringFlowSource extends RemoteFlowSource, DataFlow::ExprNode {
-  MicrosoftOwinStringFlowSource() {
-    this.getExpr() = any(MicrosoftOwinString owinString).getValueProperty().getGetter().getACall()
-  }
-
-  override string getSourceType() { result = "Microsoft Owin request or query string" }
-}
-
-/** A data flow source of remote user input (`Microsoft Owin IOwinRequest`). */
-class MicrosoftOwinRequestRemoteFlowSource extends RemoteFlowSource, DataFlow::ExprNode {
-  MicrosoftOwinRequestRemoteFlowSource() {
-    exists(Property p, MicrosoftOwinIOwinRequestClass owinRequest |
-      this.getExpr() = p.getGetter().getACall()
-    |
-      p = owinRequest.getAcceptProperty() or
-      p = owinRequest.getBodyProperty() or
-      p = owinRequest.getCacheControlProperty() or
-      p = owinRequest.getContentTypeProperty() or
-      p = owinRequest.getContextProperty() or
-      p = owinRequest.getCookiesProperty() or
-      p = owinRequest.getHeadersProperty() or
-      p = owinRequest.getHostProperty() or
-      p = owinRequest.getMediaTypeProperty() or
-      p = owinRequest.getMethodProperty() or
-      p = owinRequest.getPathProperty() or
-      p = owinRequest.getPathBaseProperty() or
-      p = owinRequest.getQueryProperty() or
-      p = owinRequest.getQueryStringProperty() or
-      p = owinRequest.getRemoteIpAddressProperty() or
-      p = owinRequest.getSchemeProperty() or
-      p = owinRequest.getURIProperty()
-    )
-  }
-
-  override string getSourceType() { result = "Microsoft Owin request" }
-}
-
-/** A parameter to an Mvc controller action method, viewed as a source of remote user input. */
-class ActionMethodParameter extends RemoteFlowSource, DataFlow::ParameterNode {
-  ActionMethodParameter() {
-    exists(Parameter p |
-      p = this.getParameter() and
-      p.fromSource()
-    |
-      p = any(Controller c).getAnActionMethod().getAParameter() or
-      p = any(ApiController c).getAnActionMethod().getAParameter()
-    )
-  }
-
-  override string getSourceType() { result = "ASP.NET MVC action method parameter" }
-}
-
-/** A data flow source of remote user input (ASP.NET Core). */
-abstract class AspNetCoreRemoteFlowSource extends RemoteFlowSource { }
-
-/** A data flow source of remote user input (ASP.NET query collection). */
-class AspNetCoreQueryRemoteFlowSource extends AspNetCoreRemoteFlowSource, DataFlow::ExprNode {
-  AspNetCoreQueryRemoteFlowSource() {
-    exists(ValueOrRefType t |
-      t instanceof MicrosoftAspNetCoreHttpHttpRequest or
-      t instanceof MicrosoftAspNetCoreHttpQueryCollection or
-      t instanceof MicrosoftAspNetCoreHttpQueryString
-    |
-      this.getExpr().(Call).getTarget().getDeclaringType() = t or
-      this.asExpr().(Access).getTarget().getDeclaringType() = t
-    )
-    or
-    exists(Call c |
-      c
-          .getTarget()
-          .getDeclaringType()
-          .hasQualifiedName("Microsoft.AspNetCore.Http", "IQueryCollection") and
-      c.getTarget().getName() = "TryGetValue" and
-      this.asExpr() = c.getArgumentForName("value")
-    )
-  }
-
-  override string getSourceType() { result = "ASP.NET Core query string" }
-}
-
-/** A parameter to a `Mvc` controller action method, viewed as a source of remote user input. */
-class AspNetCoreActionMethodParameter extends RemoteFlowSource, DataFlow::ParameterNode {
-  AspNetCoreActionMethodParameter() {
-    exists(Parameter p |
-      p = this.getParameter() and
-      p.fromSource()
-    |
-      p = any(MicrosoftAspNetCoreMvcController c).getAnActionMethod().getAParameter()
-    )
-  }
-
-  override string getSourceType() { result = "ASP.NET Core MVC action method parameter" }
-}
+import semmle.code.csharp.security.dataflow.flowsources.Remote
--- a/csharp/ql/src/semmle/code/csharp/security/dataflow/CleartextStorage.qll
+++ b/csharp/ql/src/semmle/code/csharp/security/dataflow/CleartextStorage.qll
@@ -5,10 +5,10 @@
 import csharp

 module CleartextStorage {
-  import semmle.code.csharp.dataflow.flowsources.Remote
+  import semmle.code.csharp.security.dataflow.flowsources.Remote
  import semmle.code.csharp.frameworks.system.Web
  import semmle.code.csharp.security.SensitiveActions
-  import semmle.code.csharp.security.sinks.ExternalLocationSink
+  import semmle.code.csharp.security.dataflow.flowsinks.ExternalLocationSink

  /**
   * A data flow source for cleartext storage of sensitive information.
--- a/csharp/ql/src/semmle/code/csharp/security/dataflow/CodeInjection.qll
+++ b/csharp/ql/src/semmle/code/csharp/security/dataflow/CodeInjection.qll
@@ -5,8 +5,8 @@
 import csharp

 module CodeInjection {
-  import semmle.code.csharp.dataflow.flowsources.Remote
-  import semmle.code.csharp.dataflow.flowsources.Local
+  import semmle.code.csharp.security.dataflow.flowsources.Remote
+  import semmle.code.csharp.security.dataflow.flowsources.Local
  import semmle.code.csharp.frameworks.system.codedom.Compiler
  import semmle.code.csharp.security.Sanitizers

--- a/csharp/ql/src/semmle/code/csharp/security/dataflow/CommandInjection.qll
+++ b/csharp/ql/src/semmle/code/csharp/security/dataflow/CommandInjection.qll
@@ -5,7 +5,7 @@
 import csharp

 module CommandInjection {
-  import semmle.code.csharp.dataflow.flowsources.Remote
+  import semmle.code.csharp.security.dataflow.flowsources.Remote
  import semmle.code.csharp.frameworks.system.Diagnostics
  import semmle.code.csharp.security.Sanitizers

--- a/csharp/ql/src/semmle/code/csharp/security/dataflow/ConditionalBypass.qll
+++ b/csharp/ql/src/semmle/code/csharp/security/dataflow/ConditionalBypass.qll
@@ -8,7 +8,7 @@ import csharp
 module UserControlledBypassOfSensitiveMethod {
  import semmle.code.csharp.controlflow.Guards
  import semmle.code.csharp.controlflow.BasicBlocks
-  import semmle.code.csharp.dataflow.flowsources.Remote
+  import semmle.code.csharp.security.dataflow.flowsources.Remote
  import semmle.code.csharp.frameworks.System
  import semmle.code.csharp.frameworks.system.Net
  import semmle.code.csharp.security.SensitiveActions
--- a/csharp/ql/src/semmle/code/csharp/security/dataflow/ExposureOfPrivateInformation.qll
+++ b/csharp/ql/src/semmle/code/csharp/security/dataflow/ExposureOfPrivateInformation.qll
@@ -5,8 +5,8 @@
 import csharp

 module ExposureOfPrivateInformation {
-  import semmle.code.csharp.dataflow.flowsources.Remote
-  import semmle.code.csharp.security.sinks.ExternalLocationSink
+  import semmle.code.csharp.security.dataflow.flowsources.Remote
+  import semmle.code.csharp.security.dataflow.flowsinks.ExternalLocationSink
  import semmle.code.csharp.security.PrivateData

  /**
--- a/csharp/ql/src/semmle/code/csharp/security/dataflow/LDAPInjection.qll
+++ b/csharp/ql/src/semmle/code/csharp/security/dataflow/LDAPInjection.qll
@@ -6,7 +6,7 @@
 import csharp

 module LDAPInjection {
-  import semmle.code.csharp.dataflow.flowsources.Remote
+  import semmle.code.csharp.security.dataflow.flowsources.Remote
  import semmle.code.csharp.frameworks.system.DirectoryServices
  import semmle.code.csharp.frameworks.system.directoryservices.Protocols
  import semmle.code.csharp.security.Sanitizers
--- a/csharp/ql/src/semmle/code/csharp/security/dataflow/LogForging.qll
+++ b/csharp/ql/src/semmle/code/csharp/security/dataflow/LogForging.qll
@@ -5,11 +5,11 @@
 import csharp

 module LogForging {
-  import semmle.code.csharp.dataflow.flowsources.Remote
+  import semmle.code.csharp.security.dataflow.flowsources.Remote
  import semmle.code.csharp.frameworks.System
  import semmle.code.csharp.frameworks.system.text.RegularExpressions
  import semmle.code.csharp.security.Sanitizers
-  import semmle.code.csharp.security.sinks.ExternalLocationSink
+  import semmle.code.csharp.security.dataflow.flowsinks.ExternalLocationSink

  /**
   * A data flow source for untrusted user input used in log entries.
--- a/csharp/ql/src/semmle/code/csharp/security/dataflow/MissingXMLValidation.qll
+++ b/csharp/ql/src/semmle/code/csharp/security/dataflow/MissingXMLValidation.qll
@@ -6,7 +6,7 @@
 import csharp

 module MissingXMLValidation {
-  import semmle.code.csharp.dataflow.flowsources.Remote
+  import semmle.code.csharp.security.dataflow.flowsources.Remote
  import semmle.code.csharp.frameworks.system.Xml
  import semmle.code.csharp.security.Sanitizers

--- a/csharp/ql/src/semmle/code/csharp/security/dataflow/ReDoS.qll
+++ b/csharp/ql/src/semmle/code/csharp/security/dataflow/ReDoS.qll
@@ -7,7 +7,7 @@ import csharp

 module ReDoS {
  private import semmle.code.csharp.dataflow.DataFlow2
-  import semmle.code.csharp.dataflow.flowsources.Remote
+  import semmle.code.csharp.security.dataflow.flowsources.Remote
  import semmle.code.csharp.frameworks.system.text.RegularExpressions
  import semmle.code.csharp.security.Sanitizers

--- a/csharp/ql/src/semmle/code/csharp/security/dataflow/RegexInjection.qll
+++ b/csharp/ql/src/semmle/code/csharp/security/dataflow/RegexInjection.qll
@@ -6,7 +6,7 @@
 import csharp

 module RegexInjection {
-  import semmle.code.csharp.dataflow.flowsources.Remote
+  import semmle.code.csharp.security.dataflow.flowsources.Remote
  import semmle.code.csharp.frameworks.system.text.RegularExpressions
  import semmle.code.csharp.security.Sanitizers

--- a/csharp/ql/src/semmle/code/csharp/security/dataflow/ResourceInjection.qll
+++ b/csharp/ql/src/semmle/code/csharp/security/dataflow/ResourceInjection.qll
@@ -5,8 +5,8 @@
 import csharp

 module ResourceInjection {
-  import semmle.code.csharp.dataflow.flowsources.Remote
-  import semmle.code.csharp.dataflow.flowsources.Local
+  import semmle.code.csharp.security.dataflow.flowsources.Remote
+  import semmle.code.csharp.security.dataflow.flowsources.Local
  import semmle.code.csharp.frameworks.system.Data
  import semmle.code.csharp.security.Sanitizers

--- a/csharp/ql/src/semmle/code/csharp/security/dataflow/SqlInjection.qll
+++ b/csharp/ql/src/semmle/code/csharp/security/dataflow/SqlInjection.qll
@@ -5,8 +5,8 @@
 import csharp

 module SqlInjection {
-  import semmle.code.csharp.dataflow.flowsources.Remote
-  import semmle.code.csharp.dataflow.flowsources.Local
+  import semmle.code.csharp.security.dataflow.flowsources.Remote
+  import semmle.code.csharp.security.dataflow.flowsources.Local
  import semmle.code.csharp.frameworks.Sql
  import semmle.code.csharp.security.Sanitizers

--- a/csharp/ql/src/semmle/code/csharp/security/dataflow/TaintedPath.qll
+++ b/csharp/ql/src/semmle/code/csharp/security/dataflow/TaintedPath.qll
@@ -7,7 +7,7 @@ import csharp

 module TaintedPath {
  import semmle.code.csharp.controlflow.Guards
-  import semmle.code.csharp.dataflow.flowsources.Remote
+  import semmle.code.csharp.security.dataflow.flowsources.Remote
  import semmle.code.csharp.frameworks.system.IO
  import semmle.code.csharp.frameworks.system.Web
  import semmle.code.csharp.security.Sanitizers
--- a/csharp/ql/src/semmle/code/csharp/security/dataflow/UnsafeDeserialization.qll
+++ b/csharp/ql/src/semmle/code/csharp/security/dataflow/UnsafeDeserialization.qll
@@ -6,7 +6,7 @@
 import csharp

 module UnsafeDeserialization {
-  private import semmle.code.csharp.dataflow.flowsources.Remote
+  private import semmle.code.csharp.security.dataflow.flowsources.Remote
  private import semmle.code.csharp.serialization.Deserializers

  /**
--- a/csharp/ql/src/semmle/code/csharp/security/dataflow/UrlRedirect.qll
+++ b/csharp/ql/src/semmle/code/csharp/security/dataflow/UrlRedirect.qll
@@ -5,7 +5,7 @@
 import csharp

 module UrlRedirect {
-  import semmle.code.csharp.dataflow.flowsources.Remote
+  import semmle.code.csharp.security.dataflow.flowsources.Remote
  import semmle.code.csharp.controlflow.Guards
  import semmle.code.csharp.frameworks.system.Web
  import semmle.code.csharp.frameworks.system.web.Mvc
--- a/csharp/ql/src/semmle/code/csharp/security/dataflow/XMLEntityInjection.qll
+++ b/csharp/ql/src/semmle/code/csharp/security/dataflow/XMLEntityInjection.qll
@@ -5,7 +5,7 @@
 import csharp

 module XMLEntityInjection {
-  import semmle.code.csharp.dataflow.flowsources.Remote
+  import semmle.code.csharp.security.dataflow.flowsources.Remote
  import semmle.code.csharp.frameworks.System
  import semmle.code.csharp.frameworks.system.text.RegularExpressions
  import semmle.code.csharp.security.xml.InsecureXML
--- a/csharp/ql/src/semmle/code/csharp/security/dataflow/XPathInjection.qll
+++ b/csharp/ql/src/semmle/code/csharp/security/dataflow/XPathInjection.qll
@@ -5,7 +5,7 @@
 import csharp

 module XPathInjection {
-  import semmle.code.csharp.dataflow.flowsources.Remote
+  import semmle.code.csharp.security.dataflow.flowsources.Remote
  import semmle.code.csharp.frameworks.system.xml.XPath
  import semmle.code.csharp.frameworks.system.Xml
  import semmle.code.csharp.security.Sanitizers
--- a/csharp/ql/src/semmle/code/csharp/security/dataflow/XSS.qll
+++ b/csharp/ql/src/semmle/code/csharp/security/dataflow/XSS.qll
@@ -6,7 +6,7 @@
 import csharp

 module XSS {
-  import semmle.code.csharp.dataflow.flowsources.Remote
+  import semmle.code.csharp.security.dataflow.flowsources.Remote
  import semmle.code.csharp.frameworks.microsoft.AspNetCore
  import semmle.code.csharp.frameworks.system.Net
  import semmle.code.csharp.frameworks.system.Web
--- a/csharp/ql/src/semmle/code/csharp/security/dataflow/flowsinks/ExternalLocationSink.qll
+++ b/csharp/ql/src/semmle/code/csharp/security/dataflow/flowsinks/ExternalLocationSink.qll
--- a/csharp/ql/src/semmle/code/csharp/security/dataflow/flowsources/Local.qll
+++ b/csharp/ql/src/semmle/code/csharp/security/dataflow/flowsources/Local.qll
--- a/csharp/ql/src/semmle/code/csharp/security/dataflow/flowsources/Remote.qll
+++ b/csharp/ql/src/semmle/code/csharp/security/dataflow/flowsources/Remote.qll
@@ -0,0 +1,218 @@
+/**
+ * Provides classes representing data flow sources for remote user input.
+ */
+
+import csharp
+private import semmle.code.csharp.frameworks.system.Net
+private import semmle.code.csharp.frameworks.system.Web
+private import semmle.code.csharp.frameworks.system.web.Http
+private import semmle.code.csharp.frameworks.system.web.Mvc
+private import semmle.code.csharp.frameworks.system.web.Services
+private import semmle.code.csharp.frameworks.system.web.ui.WebControls
+private import semmle.code.csharp.frameworks.WCF
+private import semmle.code.csharp.frameworks.microsoft.Owin
+private import semmle.code.csharp.frameworks.microsoft.AspNetCore
+
+/** A data flow source of remote user input. */
+abstract class RemoteFlowSource extends DataFlow::Node {
+  /** Gets a string that describes the type of this remote flow source. */
+  abstract string getSourceType();
+}
+
+/** A data flow source of remote user input (ASP.NET). */
+abstract class AspNetRemoteFlowSource extends RemoteFlowSource { }
+
+/** A member containing an ASP.NET query string. */
+class AspNetQueryStringMember extends Member {
+  AspNetQueryStringMember() {
+    exists(RefType t |
+      t instanceof SystemWebHttpRequestClass or
+      t instanceof SystemNetHttpListenerRequestClass or
+      t instanceof SystemWebHttpRequestBaseClass
+    |
+      this = t.getProperty(getHttpRequestFlowPropertyNames()) or
+      this.(Field).getType() = t or
+      this.(Property).getType() = t or
+      this.(Callable).getReturnType() = t
+    )
+  }
+}
+
+/**
+ * Gets the names of the properties in `HttpRequest` classes that should propagate taint out of the
+ * request.
+ */
+private string getHttpRequestFlowPropertyNames() {
+  result = "QueryString" or
+  result = "Headers" or
+  result = "RawUrl" or
+  result = "Url" or
+  result = "Cookies" or
+  result = "Form" or
+  result = "Params" or
+  result = "Path" or
+  result = "PathInfo"
+}
+
+/** A data flow source of remote user input (ASP.NET query string). */
+class AspNetQueryStringRemoteFlowSource extends AspNetRemoteFlowSource, DataFlow::ExprNode {
+  AspNetQueryStringRemoteFlowSource() {
+    exists(RefType t |
+      t instanceof SystemWebHttpRequestClass or
+      t instanceof SystemNetHttpListenerRequestClass or
+      t instanceof SystemWebHttpRequestBaseClass
+    |
+      // A request object can be indexed, so taint the object as well
+      this.getExpr().getType() = t
+    )
+    or
+    this.getExpr() = any(AspNetQueryStringMember m).getAnAccess()
+  }
+
+  override string getSourceType() { result = "ASP.NET query string" }
+}
+
+/** A data flow source of remote user input (ASP.NET unvalidated request data). */
+class AspNetUnvalidatedQueryStringRemoteFlowSource extends AspNetRemoteFlowSource,
+  DataFlow::ExprNode {
+  AspNetUnvalidatedQueryStringRemoteFlowSource() {
+    this.getExpr() = any(SystemWebUnvalidatedRequestValues c).getAProperty().getGetter().getACall() or
+    this.getExpr() =
+      any(SystemWebUnvalidatedRequestValuesBase c).getAProperty().getGetter().getACall()
+  }
+
+  override string getSourceType() { result = "ASP.NET unvalidated request data" }
+}
+
+/** A data flow source of remote user input (ASP.NET user input). */
+class AspNetUserInputRemoteFlowSource extends AspNetRemoteFlowSource, DataFlow::ExprNode {
+  AspNetUserInputRemoteFlowSource() { getType() instanceof SystemWebUIWebControlsTextBoxClass }
+
+  override string getSourceType() { result = "ASP.NET user input" }
+}
+
+/** A data flow source of remote user input (WCF based web service). */
+class WcfRemoteFlowSource extends RemoteFlowSource, DataFlow::ParameterNode {
+  WcfRemoteFlowSource() { exists(OperationMethod om | om.getAParameter() = this.getParameter()) }
+
+  override string getSourceType() { result = "web service input" }
+}
+
+/** A data flow source of remote user input (ASP.NET web service). */
+class AspNetServiceRemoteFlowSource extends RemoteFlowSource, DataFlow::ParameterNode {
+  AspNetServiceRemoteFlowSource() {
+    exists(Method m |
+      m.getAParameter() = this.getParameter() and
+      m.getAnAttribute().getType() instanceof SystemWebServicesWebMethodAttributeClass
+    )
+  }
+
+  override string getSourceType() { result = "ASP.NET web service input" }
+}
+
+/** A data flow source of remote user input (ASP.NET request message). */
+class SystemNetHttpRequestMessageRemoteFlowSource extends RemoteFlowSource, DataFlow::ExprNode {
+  SystemNetHttpRequestMessageRemoteFlowSource() {
+    getType() instanceof SystemWebHttpRequestMessageClass
+  }
+
+  override string getSourceType() { result = "ASP.NET request message" }
+}
+
+/**
+ * A data flow source of remote user input (Microsoft Owin, a query, request,
+ * or path string).
+ */
+class MicrosoftOwinStringFlowSource extends RemoteFlowSource, DataFlow::ExprNode {
+  MicrosoftOwinStringFlowSource() {
+    this.getExpr() = any(MicrosoftOwinString owinString).getValueProperty().getGetter().getACall()
+  }
+
+  override string getSourceType() { result = "Microsoft Owin request or query string" }
+}
+
+/** A data flow source of remote user input (`Microsoft Owin IOwinRequest`). */
+class MicrosoftOwinRequestRemoteFlowSource extends RemoteFlowSource, DataFlow::ExprNode {
+  MicrosoftOwinRequestRemoteFlowSource() {
+    exists(Property p, MicrosoftOwinIOwinRequestClass owinRequest |
+      this.getExpr() = p.getGetter().getACall()
+    |
+      p = owinRequest.getAcceptProperty() or
+      p = owinRequest.getBodyProperty() or
+      p = owinRequest.getCacheControlProperty() or
+      p = owinRequest.getContentTypeProperty() or
+      p = owinRequest.getContextProperty() or
+      p = owinRequest.getCookiesProperty() or
+      p = owinRequest.getHeadersProperty() or
+      p = owinRequest.getHostProperty() or
+      p = owinRequest.getMediaTypeProperty() or
+      p = owinRequest.getMethodProperty() or
+      p = owinRequest.getPathProperty() or
+      p = owinRequest.getPathBaseProperty() or
+      p = owinRequest.getQueryProperty() or
+      p = owinRequest.getQueryStringProperty() or
+      p = owinRequest.getRemoteIpAddressProperty() or
+      p = owinRequest.getSchemeProperty() or
+      p = owinRequest.getURIProperty()
+    )
+  }
+
+  override string getSourceType() { result = "Microsoft Owin request" }
+}
+
+/** A parameter to an Mvc controller action method, viewed as a source of remote user input. */
+class ActionMethodParameter extends RemoteFlowSource, DataFlow::ParameterNode {
+  ActionMethodParameter() {
+    exists(Parameter p |
+      p = this.getParameter() and
+      p.fromSource()
+    |
+      p = any(Controller c).getAnActionMethod().getAParameter() or
+      p = any(ApiController c).getAnActionMethod().getAParameter()
+    )
+  }
+
+  override string getSourceType() { result = "ASP.NET MVC action method parameter" }
+}
+
+/** A data flow source of remote user input (ASP.NET Core). */
+abstract class AspNetCoreRemoteFlowSource extends RemoteFlowSource { }
+
+/** A data flow source of remote user input (ASP.NET query collection). */
+class AspNetCoreQueryRemoteFlowSource extends AspNetCoreRemoteFlowSource, DataFlow::ExprNode {
+  AspNetCoreQueryRemoteFlowSource() {
+    exists(ValueOrRefType t |
+      t instanceof MicrosoftAspNetCoreHttpHttpRequest or
+      t instanceof MicrosoftAspNetCoreHttpQueryCollection or
+      t instanceof MicrosoftAspNetCoreHttpQueryString
+    |
+      this.getExpr().(Call).getTarget().getDeclaringType() = t or
+      this.asExpr().(Access).getTarget().getDeclaringType() = t
+    )
+    or
+    exists(Call c |
+      c
+          .getTarget()
+          .getDeclaringType()
+          .hasQualifiedName("Microsoft.AspNetCore.Http", "IQueryCollection") and
+      c.getTarget().getName() = "TryGetValue" and
+      this.asExpr() = c.getArgumentForName("value")
+    )
+  }
+
+  override string getSourceType() { result = "ASP.NET Core query string" }
+}
+
+/** A parameter to a `Mvc` controller action method, viewed as a source of remote user input. */
+class AspNetCoreActionMethodParameter extends RemoteFlowSource, DataFlow::ParameterNode {
+  AspNetCoreActionMethodParameter() {
+    exists(Parameter p |
+      p = this.getParameter() and
+      p.fromSource()
+    |
+      p = any(MicrosoftAspNetCoreMvcController c).getAnActionMethod().getAParameter()
+    )
+  }
+
+  override string getSourceType() { result = "ASP.NET Core MVC action method parameter" }
+}
--- a/csharp/ql/test/library-tests/dataflow/flowsources/publicparameter/PublicCallableParameterFlowSource.cs
+++ b/csharp/ql/test/library-tests/dataflow/flowsources/publicparameter/PublicCallableParameterFlowSource.cs
@@ -1,17 +0,0 @@
-using System;
-using System.Collections.Specialized;
-
-class PublicCallableParameterFlowSource
-{
-    public void M1(string x, out string y, ref string z)
-    {
-        y = x;
-        y = z;
-    }
-
-    void M2(string x, out string y, ref string z)
-    {
-        y = x;
-        y = z;
-    }
-}
--- a/csharp/ql/test/library-tests/dataflow/flowsources/publicparameter/publicCallableParameterFlowSource.expected
+++ b/csharp/ql/test/library-tests/dataflow/flowsources/publicparameter/publicCallableParameterFlowSource.expected
@@ -1,2 +0,0 @@
-| PublicCallableParameterFlowSource.cs:6:27:6:27 | x |
-| PublicCallableParameterFlowSource.cs:6:55:6:55 | z |
--- a/csharp/ql/test/library-tests/dataflow/flowsources/publicparameter/publicCallableParameterFlowSource.ql
+++ b/csharp/ql/test/library-tests/dataflow/flowsources/publicparameter/publicCallableParameterFlowSource.ql
@@ -1,5 +0,0 @@
-import semmle.code.csharp.dataflow.flowsources.PublicCallableParameter
-
-from PublicCallableParameterFlowSource source
-where source.getParameter().fromSource()
-select source
--- a/csharp/ql/test/library-tests/dataflow/flowsources/remote/remoteFlowSource.ql
+++ b/csharp/ql/test/library-tests/dataflow/flowsources/remote/remoteFlowSource.ql
@@ -1,4 +1,4 @@
-import semmle.code.csharp.dataflow.flowsources.Remote
+import semmle.code.csharp.security.dataflow.flowsources.Remote

 from RemoteFlowSource source
 select source, source.getSourceType()