C#: Convert xml injection query to a path problem.

michaelnebel · michaelnebel · commit 13f142f14347 · 2022-05-05T10:43:23.000+02:00
diff --git a/csharp/ql/src/Security Features/CWE-091/XMLInjection.ql b/csharp/ql/src/Security Features/CWE-091/XMLInjection.ql
@@ -2,7 +2,7 @@
  * @name XML injection
  * @description Building an XML document from user-controlled sources is vulnerable to insertion of
  *              malicious code by the user.
- * @kind problem
+ * @kind path-problem
  * @id cs/xml-injection
  * @problem.severity error
  * @security-severity 8.8
@@ -12,6 +12,7 @@
  */
 
 import csharp
+import DataFlow::PathGraph
 import semmle.code.csharp.security.dataflow.flowsources.Remote
 import semmle.code.csharp.frameworks.system.Xml
 
@@ -45,6 +46,6 @@ class TaintTrackingConfiguration extends TaintTracking::Configuration {
   }
 }
 
-from TaintTrackingConfiguration c, DataFlow::Node source, DataFlow::Node sink
-where c.hasFlow(source, sink)
-select sink, "$@ flows to here and is inserted as XML.", source, "User-provided value"
+from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
+where c.hasFlowPath(source, sink)
+select sink, source, sink, "$@ flows to here and is inserted as XML.", source, "User-provided value"
