Change ServiceStack redis sinks to code injection instead of SQL injection

Author: tamasvajk

csharp/ql/lib/semmle/code/csharp/frameworks/ServiceStack.qll

@@ -241,36 +241,44 @@ private class ServiceStackSqlSinkModelCsv extends SinkModelCsv {
         "ServiceStack.OrmLite;OrmLiteWriteApi;false;ExecuteSql;(System.Data.IDbConnection,System.String,System.Object);;Argument[1];sql",
         "ServiceStack.OrmLite;OrmLiteWriteApi;false;ExecuteSql;(System.Data.IDbConnection,System.String,System.Collections.Generic.Dictionary<System.String,System.Object>);;Argument[1];sql",
         "ServiceStack.OrmLite;OrmLiteWriteApiAsync;false;ExecuteSqlAsync;(System.Data.IDbConnection,System.String,System.Threading.CancellationToken);;Argument[1];sql",
-        "ServiceStack.OrmLite;OrmLiteWriteApiAsync;false;ExecuteSqlAsync;(System.Data.IDbConnection,System.String,System.Object,System.Threading.CancellationToken);;Argument[1];sql",
+        "ServiceStack.OrmLite;OrmLiteWriteApiAsync;false;ExecuteSqlAsync;(System.Data.IDbConnection,System.String,System.Object,System.Threading.CancellationToken);;Argument[1];sql"
+      ]
+  }
+}
+
+private class ServiceStackCodeInjectionSinkModelCsv extends SinkModelCsv {
+  override predicate row(string row) {
+    row =
+      [
         // Redis API
-        "ServiceStack.Redis;IRedisClient;true;Custom;(System.Object[]);;Argument[0];sql",
-        "ServiceStack.Redis;IRedisClient;true;ExecCachedLua;(System.String,System.Func<System.String,T>);;Argument[0];sql",
-        "ServiceStack.Redis;IRedisClient;true;ExecLua;(System.String,System.String[],System.String[]);;Argument[0];sql",
-        "ServiceStack.Redis;IRedisClient;true;ExecLua;(System.String,System.String[]);;Argument[0];sql",
-        "ServiceStack.Redis;IRedisClient;true;ExecLuaAsInt;(System.String,System.String[],System.String[]);;Argument[0];sql",
-        "ServiceStack.Redis;IRedisClient;true;ExecLuaAsInt;(System.String,System.String[]);;Argument[0];sql",
-        "ServiceStack.Redis;IRedisClient;true;ExecLuaAsList;(System.String,System.String[],System.String[]);;Argument[0];sql",
-        "ServiceStack.Redis;IRedisClient;true;ExecLuaAsList;(System.String,System.String[]);;Argument[0];sql",
-        "ServiceStack.Redis;IRedisClient;true;ExecLuaAsString;(System.String,System.String[],System.String[]);;Argument[0];sql",
-        "ServiceStack.Redis;IRedisClient;true;ExecLuaAsString;(System.String,System.String[]);;Argument[0];sql",
-        "ServiceStack.Redis;IRedisClient;true;LoadLuaScript;(System.String);;Argument[0];sql",
+        "ServiceStack.Redis;IRedisClient;true;Custom;(System.Object[]);;Argument[0];code",
+        "ServiceStack.Redis;IRedisClient;true;ExecCachedLua;(System.String,System.Func<System.String,T>);;Argument[0];code",
+        "ServiceStack.Redis;IRedisClient;true;ExecLua;(System.String,System.String[],System.String[]);;Argument[0];code",
+        "ServiceStack.Redis;IRedisClient;true;ExecLua;(System.String,System.String[]);;Argument[0];code",
+        "ServiceStack.Redis;IRedisClient;true;ExecLuaAsInt;(System.String,System.String[],System.String[]);;Argument[0];code",
+        "ServiceStack.Redis;IRedisClient;true;ExecLuaAsInt;(System.String,System.String[]);;Argument[0];code",
+        "ServiceStack.Redis;IRedisClient;true;ExecLuaAsList;(System.String,System.String[],System.String[]);;Argument[0];code",
+        "ServiceStack.Redis;IRedisClient;true;ExecLuaAsList;(System.String,System.String[]);;Argument[0];code",
+        "ServiceStack.Redis;IRedisClient;true;ExecLuaAsString;(System.String,System.String[],System.String[]);;Argument[0];code",
+        "ServiceStack.Redis;IRedisClient;true;ExecLuaAsString;(System.String,System.String[]);;Argument[0];code",
+        "ServiceStack.Redis;IRedisClient;true;LoadLuaScript;(System.String);;Argument[0];code",
         // IRedisClientAsync
-        "ServiceStack.Redis;IRedisClientAsync;true;CustomAsync;(System.Object[]);;Argument[0];sql",
-        "ServiceStack.Redis;IRedisClientAsync;true;CustomAsync;(System.Object[],System.Threading.CancellationToken);;Element of Argument[0];sql",
-        "ServiceStack.Redis;IRedisClientAsync;true;ExecCachedLuaAsync;(System.String,System.Func<System.String,System.Threading.Tasks.ValueTask<T>>,System.Threading.CancellationToken);;Argument[0];sql",
-        "ServiceStack.Redis;IRedisClientAsync;true;ExecLuaAsync;(System.String,System.String[],System.String[],System.Threading.CancellationToken);;Argument[0];sql",
-        "ServiceStack.Redis;IRedisClientAsync;true;ExecLuaAsync;(System.String,System.String[],System.Threading.CancellationToken);;Argument[0];sql",
-        "ServiceStack.Redis;IRedisClientAsync;true;ExecLuaAsync;(System.String,System.String[]);;Argument[0];sql",
-        "ServiceStack.Redis;IRedisClientAsync;true;ExecLuaAsIntAsync;(System.String,System.String[],System.String[],System.Threading.CancellationToken);;Argument[0];sql",
-        "ServiceStack.Redis;IRedisClientAsync;true;ExecLuaAsIntAsync;(System.String,System.String[],System.Threading.CancellationToken);;Argument[0];sql",
-        "ServiceStack.Redis;IRedisClientAsync;true;ExecLuaAsIntAsync;(System.String,System.String[]);;Argument[0];sql",
-        "ServiceStack.Redis;IRedisClientAsync;true;ExecLuaAsStringAsync;(System.String,System.String[],System.String[],System.Threading.CancellationToken);;Argument[0];sql",
-        "ServiceStack.Redis;IRedisClientAsync;true;ExecLuaAsStringAsync;(System.String,System.String[],System.Threading.CancellationToken);;Argument[0];sql",
-        "ServiceStack.Redis;IRedisClientAsync;true;ExecLuaAsStringAsync;(System.String,System.String[]);;Argument[0];sql",
-        "ServiceStack.Redis;IRedisClientAsync;true;ExecLuaAsListAsync;(System.String,System.String[],System.String[],System.Threading.CancellationToken);;Argument[0];sql",
-        "ServiceStack.Redis;IRedisClientAsync;true;ExecLuaAsListAsync;(System.String,System.String[],System.Threading.CancellationToken);;Argument[0];sql",
-        "ServiceStack.Redis;IRedisClientAsync;true;ExecLuaAsListAsync;(System.String,System.String[]);;Argument[0];sql",
-        "ServiceStack.Redis;IRedisClientAsync;true;LoadLuaScriptAsync;(System.String,System.Threading.CancellationToken);;Argument[0];sql"
+        "ServiceStack.Redis;IRedisClientAsync;true;CustomAsync;(System.Object[]);;Argument[0];code",
+        "ServiceStack.Redis;IRedisClientAsync;true;CustomAsync;(System.Object[],System.Threading.CancellationToken);;Element of Argument[0];code",
+        "ServiceStack.Redis;IRedisClientAsync;true;ExecCachedLuaAsync;(System.String,System.Func<System.String,System.Threading.Tasks.ValueTask<T>>,System.Threading.CancellationToken);;Argument[0];code",
+        "ServiceStack.Redis;IRedisClientAsync;true;ExecLuaAsync;(System.String,System.String[],System.String[],System.Threading.CancellationToken);;Argument[0];code",
+        "ServiceStack.Redis;IRedisClientAsync;true;ExecLuaAsync;(System.String,System.String[],System.Threading.CancellationToken);;Argument[0];code",
+        "ServiceStack.Redis;IRedisClientAsync;true;ExecLuaAsync;(System.String,System.String[]);;Argument[0];code",
+        "ServiceStack.Redis;IRedisClientAsync;true;ExecLuaAsIntAsync;(System.String,System.String[],System.String[],System.Threading.CancellationToken);;Argument[0];code",
+        "ServiceStack.Redis;IRedisClientAsync;true;ExecLuaAsIntAsync;(System.String,System.String[],System.Threading.CancellationToken);;Argument[0];code",
+        "ServiceStack.Redis;IRedisClientAsync;true;ExecLuaAsIntAsync;(System.String,System.String[]);;Argument[0];code",
+        "ServiceStack.Redis;IRedisClientAsync;true;ExecLuaAsStringAsync;(System.String,System.String[],System.String[],System.Threading.CancellationToken);;Argument[0];code",
+        "ServiceStack.Redis;IRedisClientAsync;true;ExecLuaAsStringAsync;(System.String,System.String[],System.Threading.CancellationToken);;Argument[0];code",
+        "ServiceStack.Redis;IRedisClientAsync;true;ExecLuaAsStringAsync;(System.String,System.String[]);;Argument[0];code",
+        "ServiceStack.Redis;IRedisClientAsync;true;ExecLuaAsListAsync;(System.String,System.String[],System.String[],System.Threading.CancellationToken);;Argument[0];code",
+        "ServiceStack.Redis;IRedisClientAsync;true;ExecLuaAsListAsync;(System.String,System.String[],System.Threading.CancellationToken);;Argument[0];code",
+        "ServiceStack.Redis;IRedisClientAsync;true;ExecLuaAsListAsync;(System.String,System.String[]);;Argument[0];code",
+        "ServiceStack.Redis;IRedisClientAsync;true;LoadLuaScriptAsync;(System.String,System.Threading.CancellationToken);;Argument[0];code"
       ]
   }
 }

csharp/ql/lib/semmle/code/csharp/security/dataflow/CodeInjectionQuery.qll

@@ -7,6 +7,7 @@ private import semmle.code.csharp.security.dataflow.flowsources.Remote
 private import semmle.code.csharp.security.dataflow.flowsources.Local
 private import semmle.code.csharp.frameworks.system.codedom.Compiler
 private import semmle.code.csharp.security.Sanitizers
+private import semmle.code.csharp.dataflow.ExternalFlow
 
 /**
  * A data flow source for user input treated as code vulnerabilities.
@@ -79,3 +80,8 @@ class RoslynCSharpScriptSink extends Sink {
     )
   }
 }
+
+/** Code injection sinks defined through CSV models. */
+private class ExternalCodeInjectionExprSink extends Sink {
+  ExternalCodeInjectionExprSink() { sinkNode(this, "code") }
+}

csharp/ql/test/library-tests/frameworks/ServiceStack/SinksSql.cs renamed to csharp/ql/test/library-tests/frameworks/ServiceStack/SinksInjection.cs

@@ -0,0 +1,4 @@
+| SinksInjection.cs:64:42:64:49 | "script" | SinksInjection.cs:64:42:64:49 | "script" |
+| SinksInjection.cs:65:28:65:35 | "script" | SinksInjection.cs:65:28:65:35 | "script" |
+| SinksInjection.cs:70:54:70:61 | "script" | SinksInjection.cs:70:54:70:61 | "script" |
+| SinksInjection.cs:71:38:71:45 | "script" | SinksInjection.cs:71:38:71:45 | "script" |

csharp/ql/test/library-tests/frameworks/ServiceStack/codeInjectionSinks.expected

@@ -0,0 +1,7 @@
+import semmle.code.csharp.security.dataflow.CodeInjectionQuery
+
+from Sink sink
+where
+  sink.getLocation().getFile().fromSource() and
+  not sink.getLocation().getFile().getAbsolutePath().matches("%/resources/stubs/%")
+select sink, sink.getExpr()

csharp/ql/test/library-tests/frameworks/ServiceStack/codeInjectionSinks.ql

@@ -1,23 +1,19 @@
-| SinksSql.cs:25:28:25:32 | "SQL" | SinksSql.cs:25:28:25:32 | "SQL" |
-| SinksSql.cs:26:29:26:33 | "SQL" | SinksSql.cs:26:29:26:33 | "SQL" |
-| SinksSql.cs:27:32:27:36 | "SQL" | SinksSql.cs:27:32:27:36 | "SQL" |
-| SinksSql.cs:28:31:28:35 | "SQL" | SinksSql.cs:28:31:28:35 | "SQL" |
-| SinksSql.cs:29:27:29:31 | "SQL" | SinksSql.cs:29:27:29:31 | "SQL" |
-| SinksSql.cs:30:32:30:36 | "SQL" | SinksSql.cs:30:32:30:36 | "SQL" |
-| SinksSql.cs:31:31:31:35 | "SQL" | SinksSql.cs:31:31:31:35 | "SQL" |
-| SinksSql.cs:32:30:32:34 | "SQL" | SinksSql.cs:32:30:32:34 | "SQL" |
-| SinksSql.cs:37:28:37:32 | "SQL" | SinksSql.cs:37:28:37:32 | "SQL" |
-| SinksSql.cs:38:29:38:33 | "SQL" | SinksSql.cs:38:29:38:33 | "SQL" |
-| SinksSql.cs:39:27:39:31 | "SQL" | SinksSql.cs:39:27:39:31 | "SQL" |
-| SinksSql.cs:40:31:40:35 | "SQL" | SinksSql.cs:40:31:40:35 | "SQL" |
-| SinksSql.cs:41:30:41:34 | "SQL" | SinksSql.cs:41:30:41:34 | "SQL" |
-| SinksSql.cs:48:58:48:62 | "SQL" | SinksSql.cs:48:58:48:62 | "SQL" |
-| SinksSql.cs:49:65:49:69 | "SQL" | SinksSql.cs:49:65:49:69 | "SQL" |
-| SinksSql.cs:51:39:51:43 | "SQL" | SinksSql.cs:51:39:51:43 | "SQL" |
-| SinksSql.cs:52:46:52:50 | "SQL" | SinksSql.cs:52:46:52:50 | "SQL" |
-| SinksSql.cs:54:29:54:33 | "SQL" | SinksSql.cs:54:29:54:33 | "SQL" |
-| SinksSql.cs:55:40:55:44 | "SQL" | SinksSql.cs:55:40:55:44 | "SQL" |
-| SinksSql.cs:64:42:64:49 | "script" | SinksSql.cs:64:42:64:49 | "script" |
-| SinksSql.cs:65:28:65:35 | "script" | SinksSql.cs:65:28:65:35 | "script" |
-| SinksSql.cs:70:54:70:61 | "script" | SinksSql.cs:70:54:70:61 | "script" |
-| SinksSql.cs:71:38:71:45 | "script" | SinksSql.cs:71:38:71:45 | "script" |
+| SinksInjection.cs:25:28:25:32 | "SQL" | SinksInjection.cs:25:28:25:32 | "SQL" |
+| SinksInjection.cs:26:29:26:33 | "SQL" | SinksInjection.cs:26:29:26:33 | "SQL" |
+| SinksInjection.cs:27:32:27:36 | "SQL" | SinksInjection.cs:27:32:27:36 | "SQL" |
+| SinksInjection.cs:28:31:28:35 | "SQL" | SinksInjection.cs:28:31:28:35 | "SQL" |
+| SinksInjection.cs:29:27:29:31 | "SQL" | SinksInjection.cs:29:27:29:31 | "SQL" |
+| SinksInjection.cs:30:32:30:36 | "SQL" | SinksInjection.cs:30:32:30:36 | "SQL" |
+| SinksInjection.cs:31:31:31:35 | "SQL" | SinksInjection.cs:31:31:31:35 | "SQL" |
+| SinksInjection.cs:32:30:32:34 | "SQL" | SinksInjection.cs:32:30:32:34 | "SQL" |
+| SinksInjection.cs:37:28:37:32 | "SQL" | SinksInjection.cs:37:28:37:32 | "SQL" |
+| SinksInjection.cs:38:29:38:33 | "SQL" | SinksInjection.cs:38:29:38:33 | "SQL" |
+| SinksInjection.cs:39:27:39:31 | "SQL" | SinksInjection.cs:39:27:39:31 | "SQL" |
+| SinksInjection.cs:40:31:40:35 | "SQL" | SinksInjection.cs:40:31:40:35 | "SQL" |
+| SinksInjection.cs:41:30:41:34 | "SQL" | SinksInjection.cs:41:30:41:34 | "SQL" |
+| SinksInjection.cs:48:58:48:62 | "SQL" | SinksInjection.cs:48:58:48:62 | "SQL" |
+| SinksInjection.cs:49:65:49:69 | "SQL" | SinksInjection.cs:49:65:49:69 | "SQL" |
+| SinksInjection.cs:51:39:51:43 | "SQL" | SinksInjection.cs:51:39:51:43 | "SQL" |
+| SinksInjection.cs:52:46:52:50 | "SQL" | SinksInjection.cs:52:46:52:50 | "SQL" |
+| SinksInjection.cs:54:29:54:33 | "SQL" | SinksInjection.cs:54:29:54:33 | "SQL" |
+| SinksInjection.cs:55:40:55:44 | "SQL" | SinksInjection.cs:55:40:55:44 | "SQL" |