Merge pull request github#6196 from tamasvajk/feature/sql-sinks

C#: Migrate SQL sinks to CSV format

Author: tamasvajk

csharp/ql/lib/semmle/code/csharp/dataflow/ExternalFlow.qll

@@ -89,6 +89,8 @@ private module Frameworks {
   private import semmle.code.csharp.frameworks.System
   private import semmle.code.csharp.security.dataflow.XSSSinks
   private import semmle.code.csharp.frameworks.ServiceStack
+  private import semmle.code.csharp.frameworks.Sql
+  private import semmle.code.csharp.frameworks.EntityFramework
 }
 
 /**

csharp/ql/lib/semmle/code/csharp/frameworks/EntityFramework.qll

@@ -9,6 +9,7 @@ private import semmle.code.csharp.frameworks.system.data.Entity
 private import semmle.code.csharp.frameworks.system.collections.Generic
 private import semmle.code.csharp.frameworks.Sql
 private import semmle.code.csharp.dataflow.FlowSummary
+private import semmle.code.csharp.dataflow.ExternalFlow
 private import semmle.code.csharp.dataflow.internal.DataFlowPrivate as DataFlowPrivate
 
 /**
@@ -234,26 +235,29 @@ module EntityFramework {
     override Expr getSql() { result = this.getArgumentForParameter(sqlParam) }
   }
 
-  /** A call to `System.Data.Entity.DbSet.SqlQuery`. */
-  class SystemDataEntityDbSetSqlExpr extends SqlExpr, MethodCall {
-    SystemDataEntityDbSetSqlExpr() {
-      this.getTarget() = any(SystemDataEntity::DbSet dbSet).getSqlQueryMethod()
+  /** The sink method `System.Data.Entity.DbSet.SqlQuery`. */
+  private class SystemDataEntityDbSetSqlQuerySinkModelCsv extends SinkModelCsv {
+    override predicate row(string row) {
+      row =
+        ["System.Data.Entity;DbSet;false;SqlQuery;(System.String,System.Object[]);;Argument[0];sql"]
     }
-
-    override Expr getSql() { result = this.getArgumentForName("sql") }
   }
 
-  /** A call to a method in `System.Data.Entity.Database` that executes SQL. */
-  class SystemDataEntityDatabaseSqlExpr extends SqlExpr, MethodCall {
-    SystemDataEntityDatabaseSqlExpr() {
-      exists(SystemDataEntity::Database db |
-        this.getTarget() = db.getSqlQueryMethod() or
-        this.getTarget() = db.getExecuteSqlCommandMethod() or
-        this.getTarget() = db.getExecuteSqlCommandAsyncMethod()
-      )
+  /** A sink method in `System.Data.Entity.Database` that executes SQL. */
+  private class SystemDataEntityDatabaseSinkModelCsv extends SinkModelCsv {
+    override predicate row(string row) {
+      row =
+        [
+          "System.Data.Entity;Database;false;SqlQuery;(System.Type,System.String,System.Object[]);;Argument[1];sql",
+          "System.Data.Entity;Database;false;SqlQuery<>;(System.String,System.Object[]);;Argument[0];sql",
+          "System.Data.Entity;Database;false;ExecuteSqlCommand;(System.String,System.Object[]);;Argument[0];sql",
+          "System.Data.Entity;Database;false;ExecuteSqlCommand;(System.Data.Entity.TransactionalBehavior,System.String,System.Object[]);;Argument[1];sql",
+          "System.Data.Entity;Database;false;ExecuteSqlCommandAsync;(System.Data.Entity.TransactionalBehavior,System.String,System.Threading.CancellationToken,System.Object[]);;Argument[1];sql",
+          "System.Data.Entity;Database;false;ExecuteSqlCommandAsync;(System.String,System.Threading.CancellationToken,System.Object[]);;Argument[0];sql",
+          "System.Data.Entity;Database;false;ExecuteSqlCommandAsync;(System.String,System.Object[]);;Argument[0];sql",
+          "System.Data.Entity;Database;false;ExecuteSqlCommandAsync;(System.Data.Entity.TransactionalBehavior,System.String,System.Object[]);;Argument[1];sql"
+        ]
     }
-
-    override Expr getSql() { result = this.getArgumentForName("sql") }
   }
 
   /** Holds if `t` is compatible with a DB column type. */

csharp/ql/lib/semmle/code/csharp/frameworks/Sql.qll

@@ -1,8 +1,10 @@
-| sql.cs:66:46:66:65 | object creation of type SqlCommand | sql.cs:66:61:66:64 | access to parameter text |
-| sql.cs:67:23:67:44 | object creation of type MySqlCommand | sql.cs:67:40:67:43 | access to parameter text |
-| sql.cs:68:13:68:38 | ... = ... | sql.cs:68:35:68:38 | access to parameter text |
-| sql.cs:69:13:69:34 | object creation of type MySqlCommand | sql.cs:69:30:69:33 | access to parameter text |
-| sql.cs:69:13:69:53 | ... = ... | sql.cs:69:50:69:53 | access to parameter text |
-| sql.cs:70:13:70:36 | object creation of type SqlDataAdapter | sql.cs:70:32:70:35 | access to parameter text |
-| sql.cs:71:13:71:47 | call to method ExecuteScalar | sql.cs:71:43:71:46 | access to parameter text |
-| sql.cs:72:13:72:45 | call to method ExecuteScalar | sql.cs:72:41:72:44 | access to parameter text |
+sqlExpressions
+| sql.cs:44:23:44:44 | object creation of type MySqlCommand | sql.cs:44:40:44:43 | access to parameter text |
+| sql.cs:45:13:45:38 | ... = ... | sql.cs:45:35:45:38 | access to parameter text |
+| sql.cs:46:13:46:34 | object creation of type MySqlCommand | sql.cs:46:30:46:33 | access to parameter text |
+| sql.cs:46:13:46:53 | ... = ... | sql.cs:46:50:46:53 | access to parameter text |
+sqlCsvSinks
+| sql.cs:43:46:43:65 | object creation of type SqlCommand | sql.cs:43:61:43:64 | access to parameter text |
+| sql.cs:47:13:47:42 | object creation of type SqlDataAdapter | sql.cs:47:32:47:35 | access to parameter text |
+| sql.cs:48:13:48:47 | call to method ExecuteScalar | sql.cs:48:43:48:46 | access to parameter text |
+| sql.cs:49:13:49:75 | call to method ExecuteScalar | sql.cs:49:71:49:74 | access to parameter text |

csharp/ql/test/library-tests/frameworks/sql/Sql1.expected

@@ -1,4 +1,13 @@
 import semmle.code.csharp.frameworks.Sql
+import semmle.code.csharp.dataflow.ExternalFlow
+import semmle.code.csharp.dataflow.internal.DataFlowPublic
 
-from SqlExpr se
-select se, se.getSql()
+query predicate sqlExpressions(SqlExpr se, Expr e) { se.getSql() = e }
+
+query predicate sqlCsvSinks(Element p, Expr e) {
+  p = e.getParent() and
+  exists(Node n |
+    sinkNode(n, "sql") and
+    n.asExpr() = e
+  )
+}

csharp/ql/test/library-tests/frameworks/sql/Sql1.ql

@@ -0,0 +1,3 @@
+semmle-extractor-options: ${testdir}/../../../resources/stubs/System.Data.cs
+semmle-extractor-options: ${testdir}/../../../resources/stubs/_frameworks/Microsoft.NETCore.App/System.ComponentModel.cs
+semmle-extractor-options: /r:System.ComponentModel.TypeConverter.dll /r:System.Data.Common.dll

csharp/ql/test/library-tests/frameworks/sql/options

@@ -1,32 +1,5 @@
 using System;
 
-namespace System.Data
-{
-    public interface IDbCommand
-    {
-        string CommandText { get; set; }
-    }
-
-    public interface IDbDataAdapter { }
-}
-
-namespace System.Data.SqlClient
-{
-    public class SqlCommand : IDbCommand
-    {
-        public SqlCommand(string commandText) { }
-
-        string IDbCommand.CommandText { get; set; }
-    }
-
-    public class SqlDataAdapter : IDbDataAdapter
-    {
-        public SqlDataAdapter() { }
-
-        public SqlDataAdapter(string sql) { }
-    }
-}
-
 namespace MySql.Data.MySqlClient
 {
     using System.Data;
@@ -36,6 +9,10 @@ public class MySqlCommand : IDbCommand
         public MySqlCommand(string commandText) { }
 
         public string CommandText { get; set; }
+
+        public IDataReader ExecuteReader() => throw null;
+        public CommandType CommandType { get; set; }
+        public IDataParameterCollection Parameters { get; set; }
     }
 
     public class MySqlHelper
@@ -48,7 +25,7 @@ namespace Microsoft.ApplicationBlocks.Data
 {
     class SqlHelper
     {
-        public static object ExecuteScalar(string connectionString, string commandText) { return null; }
+        public static object ExecuteScalar(string connectionString, System.Data.CommandType ct, string commandText) { return null; }
     }
 }
 
@@ -67,9 +44,9 @@ public static void TestMethod(string text)
             command = new MySqlCommand(text);
             command.CommandText = text;
             new MySqlCommand(text).CommandText = text;
-            new SqlDataAdapter(text);
+            new SqlDataAdapter(text, null);
             MySqlHelper.ExecuteScalar("", text);
-            SqlHelper.ExecuteScalar("", text);
+            SqlHelper.ExecuteScalar("", System.Data.CommandType.Text, text);
         }
     }
 }