feat: Add AWS Lambda logging

GeekMasher · michaelnebel · commit 2e0ac264e786 · 2023-12-13T13:07:28.000+01:00
diff --git a/csharp/ql/lib/ext/Amazon.Lambda.model.yml b/csharp/ql/lib/ext/Amazon.Lambda.model.yml
@@ -13,7 +13,17 @@ extensions:
   - addsTo:
       pack: codeql/csharp-all
       extensible: sinkModel
-    data: []
+    data:
+      - ["Amazon.Lambda.Core","ILambdaLogger",true,"Log","(System.String)","","Argument[0]","log-injection","manual"]
+      - ["Amazon.Lambda.Core","ILambdaLogger",true,"LogLine","(System.String)","","Argument[0]","log-injection","manual"]
+      - ["Amazon.Lambda.Core","ILambdaLogger",true,"LogTrace","(System.String)","","Argument[0]","log-injection","manual"]
+      - ["Amazon.Lambda.Core","ILambdaLogger",true,"LogDebug","(System.String)","","Argument[0]","log-injection","manual"]
+      - ["Amazon.Lambda.Core","ILambdaLogger",true,"LogInformation","(System.String)","","Argument[0]","log-injection","manual"]
+      - ["Amazon.Lambda.Core","ILambdaLogger",true,"LogWarning","(System.String)","","Argument[0]","log-injection","manual"]
+      - ["Amazon.Lambda.Core","ILambdaLogger",true,"LogError","(System.String)","","Argument[0]","log-injection","manual"]
+      - ["Amazon.Lambda.Core","ILambdaLogger",true,"LogCritical","(System.String)","","Argument[0]","log-injection","manual"]
+      - ["Amazon.Lambda.Core","ILambdaLogger",true,"Log","(System.String,System.String)","","Argument[1]","log-injection","manual"]
+      - ["Amazon.Lambda.Core","ILambdaLogger",true,"Log","(Amazon.Lambda.Core.LogLevel,System.String)","","Argument[1]","log-injection","manual"]
 
   - addsTo:
       pack: codeql/csharp-all
diff --git a/csharp/ql/test/library-tests/frameworks/Aws/lambda.cs b/csharp/ql/test/library-tests/frameworks/Aws/lambda.cs
@@ -23,5 +23,20 @@ public APIGatewayProxyResponse Get(APIGatewayHttpApiV2ProxyRequest request, ILam
                 StatusCode = 200
             };
         }
+
+        public void Logging(ILambdaContext context, string data)
+        {
+            // logging
+            context.Logger.Log($"Log Data :: {data}");
+            context.Logger.LogLine($"Log Data :: {data}");
+            context.Logger.Log("Information", $"Log Data :: {data}");
+            context.Logger.Log(LogLevel.Information, $"Log Data :: {data}");
+            context.Logger.LogTrace($"Log Data :: {data}");
+            context.Logger.LogDebug($"Log Data :: {data}");
+            context.Logger.LogInformation($"Log Data :: {data}");
+            context.Logger.LogWarning($"Log Data :: {data}");
+            context.Logger.LogError($"Log Data :: {data}");
+            context.Logger.LogCritical($"Log Data :: {data}");
+        }
     }
 }
diff --git a/csharp/ql/test/library-tests/frameworks/Aws/lambda.expected b/csharp/ql/test/library-tests/frameworks/Aws/lambda.expected
@@ -1,7 +1,19 @@
+awsRemoteSources
 | lambda.cs:11:27:11:38 | access to property Body |
 | lambda.cs:12:29:12:43 | access to property Cookies |
 | lambda.cs:14:30:14:44 | access to property RawPath |
 | lambda.cs:15:31:15:52 | access to property RawQueryString |
 | lambda.cs:16:13:16:34 | access to property PathParameters |
 | lambda.cs:18:29:18:43 | access to property Headers |
 | lambda.cs:19:13:19:27 | access to property Headers |
+awsLoggingSinks
+| lambda.cs:30:32:30:52 | $"..." |
+| lambda.cs:31:36:31:56 | $"..." |
+| lambda.cs:32:47:32:67 | $"..." |
+| lambda.cs:33:54:33:74 | $"..." |
+| lambda.cs:34:37:34:57 | $"..." |
+| lambda.cs:35:37:35:57 | $"..." |
+| lambda.cs:36:43:36:63 | $"..." |
+| lambda.cs:37:39:37:59 | $"..." |
+| lambda.cs:38:37:38:57 | $"..." |
+| lambda.cs:39:40:39:60 | $"..." |
diff --git a/csharp/ql/test/library-tests/frameworks/Aws/lambda.ql b/csharp/ql/test/library-tests/frameworks/Aws/lambda.ql
@@ -2,3 +2,5 @@ import csharp
 import semmle.code.csharp.dataflow.ExternalFlow
 
 query predicate awsRemoteSources(DataFlow::ExprNode node) { sourceNode(node, "remote") }
+
+query predicate awsLoggingSinks(DataFlow::ExprNode node) { sinkNode(node, "log-injection") }
