1212 */
1313
1414import csharp
15- import DataFlow:: PathGraph
1615import semmle.code.csharp.security.dataflow.flowsources.Remote
1716import semmle.code.csharp.frameworks.system.Xml
17+ import XmlInjection:: PathGraph
1818
1919/**
2020 * A taint-tracking configuration for untrusted user input used in XML.
2121 */
22- class TaintTrackingConfiguration extends TaintTracking :: Configuration {
23- TaintTrackingConfiguration ( ) { this = "XMLInjection" }
22+ module XmlInjectionConfig implements DataFlow :: ConfigSig {
23+ predicate isSource ( DataFlow :: Node source ) { source instanceof RemoteFlowSource }
2424
25- override predicate isSource ( DataFlow:: Node source ) { source instanceof RemoteFlowSource }
26-
27- override predicate isSink ( DataFlow:: Node sink ) {
25+ predicate isSink ( DataFlow:: Node sink ) {
2826 exists ( MethodCall mc |
2927 mc .getTarget ( ) .hasName ( "WriteRaw" ) and
3028 mc .getTarget ( ) .getDeclaringType ( ) .getABaseType * ( ) .hasQualifiedName ( "System.Xml" , "XmlWriter" )
@@ -33,7 +31,7 @@ class TaintTrackingConfiguration extends TaintTracking::Configuration {
3331 )
3432 }
3533
36- override predicate isSanitizer ( DataFlow:: Node node ) {
34+ predicate isBarrier ( DataFlow:: Node node ) {
3735 exists ( MethodCall mc |
3836 mc .getTarget ( ) .hasName ( "Escape" ) and
3937 mc .getTarget ( )
@@ -46,7 +44,12 @@ class TaintTrackingConfiguration extends TaintTracking::Configuration {
4644 }
4745}
4846
49- from TaintTrackingConfiguration c , DataFlow:: PathNode source , DataFlow:: PathNode sink
50- where c .hasFlowPath ( source , sink )
47+ /**
48+ * A taint-tracking module for untrusted user input used in XML.
49+ */
50+ module XmlInjection = TaintTracking:: Global< XmlInjectionConfig > ;
51+
52+ from XmlInjection:: PathNode source , XmlInjection:: PathNode sink
53+ where XmlInjection:: flowPath ( source , sink )
5154select sink .getNode ( ) , source , sink , "This XML element depends on a $@." , source .getNode ( ) ,
5255 "user-provided value"