Merge pull request github#8600 from michaelnebel/csharp/dotnetruntimemodels

C#: Dotnet Runtime models.

Author: michaelnebel

csharp/ql/lib/semmle/code/csharp/dataflow/ExternalFlow.qll

@@ -86,6 +86,7 @@ private import internal.FlowSummaryImplSpecific
  */
 private module Frameworks {
   private import semmle.code.csharp.frameworks.EntityFramework
+  private import semmle.code.csharp.frameworks.Generated
   private import semmle.code.csharp.frameworks.JsonNET
   private import semmle.code.csharp.frameworks.microsoft.extensions.Primitives
   private import semmle.code.csharp.frameworks.microsoft.VisualBasic

csharp/ql/lib/semmle/code/csharp/frameworks/Generated.qll

@@ -0,0 +1,9 @@
+/**
+ * A module importing all generated Models as Data models.
+ */
+
+import csharp
+
+private module GeneratedFrameworks {
+  private import generated.dotnet.Runtime
+}

csharp/ql/lib/semmle/code/csharp/frameworks/generated/dotnet/Runtime.qll

@@ -28,13 +28,6 @@ class TaintTrackingConfiguration extends TaintTracking::Configuration {
     exists(Expr exceptionExpr |
       // Writing an exception directly is bad
       source.asExpr() = exceptionExpr
-      or
-      // Writing an exception property is bad
-      source.asExpr().(PropertyAccess).getQualifier() = exceptionExpr
-      or
-      // Writing the result of ToString is bad
-      source.asExpr() =
-        any(MethodCall mc | mc.getQualifier() = exceptionExpr and mc.getTarget().hasName("ToString"))
     |
       // Expr has type `System.Exception`.
       exceptionExpr.getType().(RefType).getABaseType*() instanceof SystemExceptionClass and
@@ -47,12 +40,26 @@ class TaintTrackingConfiguration extends TaintTracking::Configuration {
     )
   }
 
+  override predicate isAdditionalTaintStep(DataFlow::Node source, DataFlow::Node sink) {
+    sink.asExpr() =
+      any(MethodCall mc |
+        source.asExpr() = mc.getQualifier() and
+        mc.getTarget().hasName("ToString") and
+        mc.getQualifier().getType().(RefType).getABaseType*() instanceof SystemExceptionClass
+      )
+  }
+
   override predicate isSink(DataFlow::Node sink) { sink instanceof RemoteFlowSink }
 
   override predicate isSanitizer(DataFlow::Node sanitizer) {
     // Do not flow through Message
     sanitizer.asExpr() = any(SystemExceptionClass se).getProperty("Message").getAnAccess()
   }
+
+  override predicate isSanitizerIn(DataFlow::Node sanitizer) {
+    // Do not flow through Message
+    sanitizer.asExpr().getType().(RefType).getABaseType*() instanceof SystemExceptionClass
+  }
 }
 
 from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink

csharp/ql/src/Security Features/CWE-209/ExceptionInformationExposure.ql

@@ -206,7 +206,9 @@
 | CSharp7.cs:283:13:283:62 | SSA def(list) | CSharp7.cs:285:39:285:42 | access to local variable list |
 | CSharp7.cs:283:20:283:62 | call to method Select<KeyValuePair<Int32,String>,(Int32,String)> | CSharp7.cs:283:13:283:62 | SSA def(list) |
 | CSharp7.cs:283:32:283:35 | item | CSharp7.cs:283:41:283:44 | access to parameter item |
+| CSharp7.cs:283:41:283:44 | access to parameter item | CSharp7.cs:283:41:283:48 | access to property Key |
 | CSharp7.cs:283:41:283:44 | access to parameter item | CSharp7.cs:283:51:283:54 | access to parameter item |
+| CSharp7.cs:283:51:283:54 | access to parameter item | CSharp7.cs:283:51:283:60 | access to property Value |
 | CSharp7.cs:285:39:285:42 | access to local variable list | CSharp7.cs:287:36:287:39 | access to local variable list |
 | CSharp7.cs:287:36:287:39 | access to local variable list | CSharp7.cs:289:32:289:35 | access to local variable list |
 | CSharp7.cs:297:18:297:22 | SSA def(x) | CSharp7.cs:297:25:297:25 | SSA phi(x) |

csharp/ql/test/library-tests/csharp7/LocalTaintFlow.expected

@@ -1,3 +1,2 @@
-| System.Collections.Specialized.NameValueCollection.get_Item(string) [qualifier] | 1 | 1 |
 | System.Web.HttpRequest.get_QueryString() [qualifier] | 1 | 1 |
 | System.Web.HttpResponse.Write(string) [param 0] | 1 | 1 |

csharp/ql/test/library-tests/dataflow/library/FlowSummaries.expected

@@ -1,12 +1,13 @@
 edges
+| UntrustedData.cs:9:20:9:42 | access to property QueryString : NameValueCollection | UntrustedData.cs:9:20:9:50 | access to indexer : String |
 | UntrustedData.cs:9:20:9:42 | access to property QueryString : NameValueCollection | UntrustedData.cs:13:28:13:31 | access to local variable name |
+| UntrustedData.cs:9:20:9:50 | access to indexer : String | UntrustedData.cs:13:28:13:31 | access to local variable name |
 nodes
 | UntrustedData.cs:9:20:9:30 | access to property Request | semmle.label | access to property Request |
-| UntrustedData.cs:9:20:9:42 | access to property QueryString | semmle.label | access to property QueryString |
 | UntrustedData.cs:9:20:9:42 | access to property QueryString : NameValueCollection | semmle.label | access to property QueryString : NameValueCollection |
+| UntrustedData.cs:9:20:9:50 | access to indexer : String | semmle.label | access to indexer : String |
 | UntrustedData.cs:13:28:13:31 | access to local variable name | semmle.label | access to local variable name |
 subpaths
 #select
 | UntrustedData.cs:9:20:9:30 | access to property Request | UntrustedData.cs:9:20:9:30 | access to property Request | UntrustedData.cs:9:20:9:30 | access to property Request | Call to System.Web.HttpRequest.get_QueryString with untrusted data from $@. | UntrustedData.cs:9:20:9:30 | access to property Request | access to property Request |
-| UntrustedData.cs:9:20:9:42 | access to property QueryString | UntrustedData.cs:9:20:9:42 | access to property QueryString | UntrustedData.cs:9:20:9:42 | access to property QueryString | Call to System.Collections.Specialized.NameValueCollection.get_Item with untrusted data from $@. | UntrustedData.cs:9:20:9:42 | access to property QueryString | access to property QueryString |
 | UntrustedData.cs:13:28:13:31 | access to local variable name | UntrustedData.cs:9:20:9:42 | access to property QueryString : NameValueCollection | UntrustedData.cs:13:28:13:31 | access to local variable name | Call to System.Web.HttpResponse.Write with untrusted data from $@. | UntrustedData.cs:9:20:9:42 | access to property QueryString : NameValueCollection | access to property QueryString : NameValueCollection |

csharp/ql/test/library-tests/dataflow/library/FlowSummariesFiltered.expected

@@ -1,13 +1,22 @@
 edges
+| TaintedPath.cs:10:23:10:45 | access to property QueryString : NameValueCollection | TaintedPath.cs:10:23:10:53 | access to indexer : String |
 | TaintedPath.cs:10:23:10:45 | access to property QueryString : NameValueCollection | TaintedPath.cs:12:50:12:53 | access to local variable path |
 | TaintedPath.cs:10:23:10:45 | access to property QueryString : NameValueCollection | TaintedPath.cs:17:51:17:54 | access to local variable path |
 | TaintedPath.cs:10:23:10:45 | access to property QueryString : NameValueCollection | TaintedPath.cs:25:30:25:33 | access to local variable path |
 | TaintedPath.cs:10:23:10:45 | access to property QueryString : NameValueCollection | TaintedPath.cs:31:30:31:33 | access to local variable path |
 | TaintedPath.cs:10:23:10:45 | access to property QueryString : NameValueCollection | TaintedPath.cs:36:25:36:31 | access to local variable badPath |
 | TaintedPath.cs:10:23:10:45 | access to property QueryString : NameValueCollection | TaintedPath.cs:38:49:38:55 | access to local variable badPath |
 | TaintedPath.cs:10:23:10:45 | access to property QueryString : NameValueCollection | TaintedPath.cs:51:26:51:29 | access to local variable path |
+| TaintedPath.cs:10:23:10:53 | access to indexer : String | TaintedPath.cs:12:50:12:53 | access to local variable path |
+| TaintedPath.cs:10:23:10:53 | access to indexer : String | TaintedPath.cs:17:51:17:54 | access to local variable path |
+| TaintedPath.cs:10:23:10:53 | access to indexer : String | TaintedPath.cs:25:30:25:33 | access to local variable path |
+| TaintedPath.cs:10:23:10:53 | access to indexer : String | TaintedPath.cs:31:30:31:33 | access to local variable path |
+| TaintedPath.cs:10:23:10:53 | access to indexer : String | TaintedPath.cs:36:25:36:31 | access to local variable badPath |
+| TaintedPath.cs:10:23:10:53 | access to indexer : String | TaintedPath.cs:38:49:38:55 | access to local variable badPath |
+| TaintedPath.cs:10:23:10:53 | access to indexer : String | TaintedPath.cs:51:26:51:29 | access to local variable path |
 nodes
 | TaintedPath.cs:10:23:10:45 | access to property QueryString : NameValueCollection | semmle.label | access to property QueryString : NameValueCollection |
+| TaintedPath.cs:10:23:10:53 | access to indexer : String | semmle.label | access to indexer : String |
 | TaintedPath.cs:12:50:12:53 | access to local variable path | semmle.label | access to local variable path |
 | TaintedPath.cs:17:51:17:54 | access to local variable path | semmle.label | access to local variable path |
 | TaintedPath.cs:25:30:25:33 | access to local variable path | semmle.label | access to local variable path |