Merge pull request github#9180 from hvitved/csharp/entity-framework-sql-sinks

C#: Add missing EntityFramework SQL sinks

Author: hvitved

csharp/ql/lib/semmle/code/csharp/frameworks/EntityFramework.qll

@@ -258,6 +258,30 @@ module EntityFramework {
     }
   }
 
+  /** A sink method in `Microsoft.EntityFrameworkCore.RelationalQueryableExtensions` that executes SQL. */
+  private class MicrosoftEntityFrameworkCoreRelationalQueryableExtensionsSinkModelCsv extends SinkModelCsv {
+    override predicate row(string row) {
+      row =
+        [
+          "Microsoft.EntityFrameworkCore;RelationalQueryableExtensions;false;FromSqlRaw<>;(Microsoft.EntityFrameworkCore.DbSet<TEntity>,System.String,System.Object[]);;Argument[1];sql",
+        ]
+    }
+  }
+
+  /** A sink method in `Microsoft.EntityFrameworkCore.RelationalDatabaseFacadeExtensions` that executes SQL. */
+  private class MicrosoftEntityFrameworkCoreRelationalDatabaseFacadeExtensionsSinkModelCsv extends SinkModelCsv {
+    override predicate row(string row) {
+      row =
+        [
+          "Microsoft.EntityFrameworkCore;RelationalDatabaseFacadeExtensions;false;ExecuteSqlRaw;(Microsoft.EntityFrameworkCore.Infrastructure.DatabaseFacade,System.String,System.Collections.Generic.IEnumerable<System.Object>);;Argument[1];sql",
+          "Microsoft.EntityFrameworkCore;RelationalDatabaseFacadeExtensions;false;ExecuteSqlRaw;(Microsoft.EntityFrameworkCore.Infrastructure.DatabaseFacade,System.String,System.Object[]);;Argument[1];sql",
+          "Microsoft.EntityFrameworkCore;RelationalDatabaseFacadeExtensions;false;ExecuteSqlRawAsync;(Microsoft.EntityFrameworkCore.Infrastructure.DatabaseFacade,System.String,System.Threading.CancellationToken);;Argument[1];sql",
+          "Microsoft.EntityFrameworkCore;RelationalDatabaseFacadeExtensions;false;ExecuteSqlRawAsync;(Microsoft.EntityFrameworkCore.Infrastructure.DatabaseFacade,System.String,System.Object[]);;Argument[1];sql",
+          "Microsoft.EntityFrameworkCore;RelationalDatabaseFacadeExtensions;false;ExecuteSqlRawAsync;(Microsoft.EntityFrameworkCore.Infrastructure.DatabaseFacade,System.String,System.Collections.Generic.IEnumerable<System.Object>,System.Threading.CancellationToken);;Argument[1];sql",
+        ]
+    }
+  }
+
   /** Holds if `t` is compatible with a DB column type. */
   private predicate isColumnType(Type t) {
     t instanceof SimpleType

csharp/ql/test/library-tests/frameworks/EntityFramework/Dataflow.expected

@@ -56,7 +56,7 @@ void FlowSources()
 
         Microsoft.EntityFrameworkCore.Storage.IRawSqlCommandBuilder builder;
 
-        async void SqlExprs(MyContext ctx)
+        async void SqlExprs(MyContext ctx, System.Threading.CancellationToken token)
         {
             // Microsoft.EntityFrameworkCore.RelationalDatabaseFacadeExtensions.ExecuteSqlCommand
             ctx.Database.ExecuteSqlCommand("");  // SqlExpr
@@ -68,6 +68,13 @@ async void SqlExprs(MyContext ctx)
             // Microsoft.EntityFrameworkCore.RawSqlString
             new RawSqlString("");  // SqlExpr
             RawSqlString str = "";  // SqlExpr
+
+            ctx.Persons.FromSqlRaw("sql");
+            ctx.Database.ExecuteSqlRaw("sql", (IEnumerable<object>)null);
+            ctx.Database.ExecuteSqlRaw("sql");
+            await ctx.Database.ExecuteSqlRawAsync("sql", token);
+            await ctx.Database.ExecuteSqlRawAsync("sql");
+            await ctx.Database.ExecuteSqlRawAsync("sql", (IEnumerable<object>)null, token);
         }
 
         void TestRawSqlStringDataFlow()

csharp/ql/test/library-tests/frameworks/EntityFramework/EntityFrameworkCore.cs

@@ -1,3 +1,4 @@
+summary
 | Microsoft.EntityFrameworkCore;DbContext;false;SaveChanges;();;Argument[Qualifier].Property[EFCoreTests.MyContext.Addresses].Element.Property[EFCoreTests.Address.Id];ReturnValue[jump to get_Addresses].Element.Property[EFCoreTests.Address.Id];value |
 | Microsoft.EntityFrameworkCore;DbContext;false;SaveChanges;();;Argument[Qualifier].Property[EFCoreTests.MyContext.Addresses].Element.Property[EFCoreTests.Address.Id];ReturnValue[jump to get_PersonAddresses].Element.Property[EFCoreTests.PersonAddressMap.Address].Property[EFCoreTests.Address.Id];value |
 | Microsoft.EntityFrameworkCore;DbContext;false;SaveChanges;();;Argument[Qualifier].Property[EFCoreTests.MyContext.Addresses].Element.Property[EFCoreTests.Address.Id];ReturnValue[jump to get_Persons].Element.Property[EFCoreTests.Person.Addresses].Element.Property[EFCoreTests.Address.Id];value |
@@ -130,3 +131,11 @@
 | System.Data.Entity;DbSet<>;false;AttachRange;(System.Collections.Generic.IEnumerable<T>);;Argument[0].Element;Argument[Qualifier].Element;value |
 | System.Data.Entity;DbSet<>;false;Update;(T);;Argument[0];Argument[Qualifier].Element;value |
 | System.Data.Entity;DbSet<>;false;UpdateRange;(System.Collections.Generic.IEnumerable<T>);;Argument[0].Element;Argument[Qualifier].Element;value |
+sourceNode
+sinkNode
+| EntityFrameworkCore.cs:72:36:72:40 | "sql" | sql |
+| EntityFrameworkCore.cs:73:40:73:44 | "sql" | sql |
+| EntityFrameworkCore.cs:74:40:74:44 | "sql" | sql |
+| EntityFrameworkCore.cs:75:51:75:55 | "sql" | sql |
+| EntityFrameworkCore.cs:76:51:76:55 | "sql" | sql |
+| EntityFrameworkCore.cs:77:51:77:55 | "sql" | sql |

csharp/ql/test/library-tests/frameworks/EntityFramework/FlowSummaries.expected

@@ -1,6 +1,13 @@
 import semmle.code.csharp.frameworks.EntityFramework::EntityFramework
 import shared.FlowSummaries
+import semmle.code.csharp.dataflow.ExternalFlow as ExternalFlow
 
 private class IncludeEFSummarizedCallable extends IncludeSummarizedCallable {
   IncludeEFSummarizedCallable() { this instanceof EFSummarizedCallable }
 }
+
+query predicate sourceNode(DataFlow::Node node, string kind) {
+  ExternalFlow::sourceNode(node, kind)
+}
+
+query predicate sinkNode(DataFlow::Node node, string kind) { ExternalFlow::sinkNode(node, kind) }

csharp/ql/test/library-tests/frameworks/EntityFramework/FlowSummaries.ql

@@ -3,5 +3,11 @@
 | EntityFrameworkCore.cs:66:13:66:29 | call to method Build |
 | EntityFrameworkCore.cs:69:13:69:32 | object creation of type RawSqlString |
 | EntityFrameworkCore.cs:70:32:70:33 | call to operator implicit conversion |
-| EntityFrameworkCore.cs:77:18:77:46 | object creation of type RawSqlString |
-| EntityFrameworkCore.cs:78:18:78:42 | call to operator implicit conversion |
+| EntityFrameworkCore.cs:72:13:72:41 | call to method FromSqlRaw<Person> |
+| EntityFrameworkCore.cs:73:13:73:72 | call to method ExecuteSqlRaw |
+| EntityFrameworkCore.cs:74:13:74:45 | call to method ExecuteSqlRaw |
+| EntityFrameworkCore.cs:75:19:75:63 | call to method ExecuteSqlRawAsync |
+| EntityFrameworkCore.cs:76:19:76:56 | call to method ExecuteSqlRawAsync |
+| EntityFrameworkCore.cs:77:19:77:90 | call to method ExecuteSqlRawAsync |
+| EntityFrameworkCore.cs:84:18:84:46 | object creation of type RawSqlString |
+| EntityFrameworkCore.cs:85:18:85:42 | call to operator implicit conversion |

csharp/ql/test/library-tests/frameworks/EntityFramework/SqlExprs.expected

@@ -10,11 +10,11 @@
 | EntityFramework.cs:219:18:219:61 | access to property Street |
 | EntityFrameworkCore.cs:52:22:52:25 | access to property Id |
 | EntityFrameworkCore.cs:53:24:53:29 | access to property Name |
-| EntityFrameworkCore.cs:229:18:229:39 | access to property Id |
-| EntityFrameworkCore.cs:230:18:230:41 | access to property Name |
-| EntityFrameworkCore.cs:237:18:237:41 | access to property Id |
-| EntityFrameworkCore.cs:238:18:238:45 | access to property Street |
-| EntityFrameworkCore.cs:244:18:244:46 | access to property Addresses |
-| EntityFrameworkCore.cs:244:18:244:57 | access to property Id |
-| EntityFrameworkCore.cs:245:18:245:46 | access to property Addresses |
-| EntityFrameworkCore.cs:245:18:245:61 | access to property Street |
+| EntityFrameworkCore.cs:236:18:236:39 | access to property Id |
+| EntityFrameworkCore.cs:237:18:237:41 | access to property Name |
+| EntityFrameworkCore.cs:244:18:244:41 | access to property Id |
+| EntityFrameworkCore.cs:245:18:245:45 | access to property Street |
+| EntityFrameworkCore.cs:251:18:251:46 | access to property Addresses |
+| EntityFrameworkCore.cs:251:18:251:57 | access to property Id |
+| EntityFrameworkCore.cs:252:18:252:46 | access to property Addresses |
+| EntityFrameworkCore.cs:252:18:252:61 | access to property Street |

csharp/ql/test/library-tests/frameworks/EntityFramework/StoredFlowSources.expected

@@ -88,10 +88,16 @@ public class DatabaseFacade
         }
     }
 
-    public static class RelationalDatabaseFacaseExtensions
+    public static class RelationalDatabaseFacadeExtensions
     {
         public static void ExecuteSqlCommand(this Infrastructure.DatabaseFacade db, string sql, params object[] parameters) { }
         public static Task ExecuteSqlCommandAsync(this Infrastructure.DatabaseFacade db, string sql, params object[] parameters) => throw null;
+
+        public static int ExecuteSqlRaw(this Infrastructure.DatabaseFacade db, string sql, IEnumerable<object> args) => throw null;
+        public static int ExecuteSqlRaw(this Infrastructure.DatabaseFacade db, string sql, params object[] args) => throw null;
+        public static Task<int> ExecuteSqlRawAsync(this Infrastructure.DatabaseFacade db, string sql, System.Threading.CancellationToken token) => throw null;
+        public static Task<int> ExecuteSqlRawAsync(this Infrastructure.DatabaseFacade db, string sql, params object[] args) => throw null;
+        public static Task<int> ExecuteSqlRawAsync(this Infrastructure.DatabaseFacade db, string sql, IEnumerable<object> args, System.Threading.CancellationToken token) => throw null;
     }
 
     struct RawSqlString
@@ -100,6 +106,11 @@ public RawSqlString(string str) { }
         public static implicit operator Microsoft.EntityFrameworkCore.RawSqlString(FormattableString fs) => throw null;
         public static implicit operator Microsoft.EntityFrameworkCore.RawSqlString(string s) => throw null;
     }
+
+    public static class RelationalQueryableExtensions
+    {
+        public static void FromSqlRaw<TEntity>(this DbSet<TEntity> set, string sql, params object[] args) => throw null;
+    }
 }
 
 namespace Microsoft.EntityFrameworkCore.Storage