Merge pull request #19877 from michaelnebel/csharp/microsoftdatasqlclient

C#: Models for Microsoft.Data.SqlClient.

Author: michaelnebel

csharp/ql/lib/ext/Microsoft.Data.SqlClient.model.yml

@@ -0,0 +1,20 @@
+extensions:
+  - addsTo:
+      pack: codeql/csharp-all
+      extensible: sinkModel
+    data:
+      - ["Microsoft.Data.SqlClient", "SqlCommand", False, "SqlCommand", "(System.String)", "", "Argument[0]", "sql-injection", "manual"]
+      - ["Microsoft.Data.SqlClient", "SqlCommand", False, "SqlCommand", "(System.String,Microsoft.Data.SqlClient.SqlConnection)", "", "Argument[0]", "sql-injection", "manual"]
+      - ["Microsoft.Data.SqlClient", "SqlCommand", False, "SqlCommand", "(System.String,Microsoft.Data.SqlClient.SqlConnection,Microsoft.Data.SqlClient.SqlTransaction)", "", "Argument[0]", "sql-injection", "manual"]
+      - ["Microsoft.Data.SqlClient", "SqlCommand", False, "SqlCommand", "(System.String,Microsoft.Data.SqlClient.SqlConnection,Microsoft.Data.SqlClient.SqlTransaction,Microsoft.Data.SqlClient.SqlCommandColumnEncryptionSetting)", "", "Argument[0]", "sql-injection", "manual"]
+      - ["Microsoft.Data.SqlClient", "SqlDataAdapter", False, "SqlDataAdapter", "(Microsoft.Data.SqlClient.SqlCommand)", "", "Argument[0]", "sql-injection", "manual"]
+      - ["Microsoft.Data.SqlClient", "SqlDataAdapter", False, "SqlDataAdapter", "(System.String,Microsoft.Data.SqlClient.SqlConnection)", "", "Argument[0]", "sql-injection", "manual"]
+      - ["Microsoft.Data.SqlClient", "SqlDataAdapter", False, "SqlDataAdapter", "(System.String,System.String)", "", "Argument[0]", "sql-injection", "manual"]
+  - addsTo:
+      pack: codeql/csharp-all
+      extensible: summaryModel
+    data:
+      - ["Microsoft.Data.SqlClient", "SqlCommand", False, "SqlCommand", "(System.String)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
+      - ["Microsoft.Data.SqlClient", "SqlCommand", False, "SqlCommand", "(System.String,Microsoft.Data.SqlClient.SqlConnection)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
+      - ["Microsoft.Data.SqlClient", "SqlCommand", False, "SqlCommand", "(System.String,Microsoft.Data.SqlClient.SqlConnection,Microsoft.Data.SqlClient.SqlTransaction)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
+      - ["Microsoft.Data.SqlClient", "SqlCommand", False, "SqlCommand", "(System.String,Microsoft.Data.SqlClient.SqlConnection,Microsoft.Data.SqlClient.SqlTransaction,Microsoft.Data.SqlClient.SqlCommandColumnEncryptionSetting)", "", "Argument[0]", "Argument[this]", "taint", "manual"]

csharp/ql/lib/semmle/code/csharp/frameworks/Sql.qll

@@ -35,6 +35,7 @@ class IDbCommandConstructionSqlExpr extends SqlExpr, ObjectCreation {
       ic.getParameter(0).getType() instanceof StringType and
       not exists(Type t | t = ic.getDeclaringType() |
         // Known sealed classes:
+        t.hasFullyQualifiedName("Microsoft.Data.SqlClient", "SqlCommand") or
         t.hasFullyQualifiedName("System.Data.SqlClient", "SqlCommand") or
         t.hasFullyQualifiedName("System.Data.Odbc", "OdbcCommand") or
         t.hasFullyQualifiedName("System.Data.OleDb", "OleDbCommand") or

csharp/ql/src/change-notes/2025-06-25-sqlcommand-models.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added explicit SQL injection Models as Data models for `Microsoft.Data.SqlClient.SqlCommand` and `Microsoft.Data.SqlClient.SqlDataAdapter`. This reduces false negatives for the query `cs/sql-injection`.

csharp/ql/test/query-tests/Security Features/CWE-089-2/SqlInjection.cs

@@ -0,0 +1,33 @@
+using System;
+using Microsoft.Data;
+using Microsoft.Data.SqlClient;
+
+namespace Test
+{
+    class SqlInjection
+    {
+        string connectionString;
+        System.Windows.Forms.TextBox box1;
+
+        public void MakeSqlCommand()
+        {
+            // BAD: Text from a local textbox
+            using (var connection = new SqlConnection(connectionString))
+            {
+                var queryString = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='"
+                  + box1.Text + "' ORDER BY PRICE"; // $ Source[cs/sql-injection]
+                var cmd = new SqlCommand(queryString); // $ Alert[cs/sql-injection]
+                var adapter = new SqlDataAdapter(cmd); // $ Alert[cs/sql-injection]
+            }
+
+            // BAD: Input from the command line.
+            using (var connection = new SqlConnection(connectionString))
+            {
+                var queryString = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='"
+                  + Console.ReadLine() + "' ORDER BY PRICE"; // $ Source[cs/sql-injection]
+                var cmd = new SqlCommand(queryString); // $ Alert[cs/sql-injection]
+                var adapter = new SqlDataAdapter(cmd); // $ Alert[cs/sql-injection]
+            }
+        }
+    }
+}

csharp/ql/test/query-tests/Security Features/CWE-089-2/SqlInjection.expected

@@ -0,0 +1,39 @@
+#select
+| SqlInjection.cs:19:42:19:52 | access to local variable queryString | SqlInjection.cs:18:21:18:29 | access to property Text : String | SqlInjection.cs:19:42:19:52 | access to local variable queryString | This query depends on $@. | SqlInjection.cs:18:21:18:29 | access to property Text : String | this TextBox text |
+| SqlInjection.cs:20:50:20:52 | access to local variable cmd | SqlInjection.cs:18:21:18:29 | access to property Text : String | SqlInjection.cs:20:50:20:52 | access to local variable cmd | This query depends on $@. | SqlInjection.cs:18:21:18:29 | access to property Text : String | this TextBox text |
+| SqlInjection.cs:28:42:28:52 | access to local variable queryString | SqlInjection.cs:27:21:27:38 | call to method ReadLine : String | SqlInjection.cs:28:42:28:52 | access to local variable queryString | This query depends on $@. | SqlInjection.cs:27:21:27:38 | call to method ReadLine : String | this read from stdin |
+| SqlInjection.cs:29:50:29:52 | access to local variable cmd | SqlInjection.cs:27:21:27:38 | call to method ReadLine : String | SqlInjection.cs:29:50:29:52 | access to local variable cmd | This query depends on $@. | SqlInjection.cs:27:21:27:38 | call to method ReadLine : String | this read from stdin |
+edges
+| SqlInjection.cs:17:21:17:31 | access to local variable queryString : String | SqlInjection.cs:19:42:19:52 | access to local variable queryString | provenance | Sink:MaD:1 |
+| SqlInjection.cs:17:21:17:31 | access to local variable queryString : String | SqlInjection.cs:19:42:19:52 | access to local variable queryString : String | provenance |  |
+| SqlInjection.cs:18:21:18:29 | access to property Text : String | SqlInjection.cs:17:21:17:31 | access to local variable queryString : String | provenance |  |
+| SqlInjection.cs:19:21:19:23 | access to local variable cmd : SqlCommand | SqlInjection.cs:20:50:20:52 | access to local variable cmd | provenance | Sink:MaD:2 |
+| SqlInjection.cs:19:27:19:53 | object creation of type SqlCommand : SqlCommand | SqlInjection.cs:19:21:19:23 | access to local variable cmd : SqlCommand | provenance |  |
+| SqlInjection.cs:19:42:19:52 | access to local variable queryString : String | SqlInjection.cs:19:27:19:53 | object creation of type SqlCommand : SqlCommand | provenance | MaD:4 |
+| SqlInjection.cs:26:21:26:31 | access to local variable queryString : String | SqlInjection.cs:28:42:28:52 | access to local variable queryString | provenance | Sink:MaD:1 |
+| SqlInjection.cs:26:21:26:31 | access to local variable queryString : String | SqlInjection.cs:28:42:28:52 | access to local variable queryString : String | provenance |  |
+| SqlInjection.cs:27:21:27:38 | call to method ReadLine : String | SqlInjection.cs:26:21:26:31 | access to local variable queryString : String | provenance | Src:MaD:3  |
+| SqlInjection.cs:28:21:28:23 | access to local variable cmd : SqlCommand | SqlInjection.cs:29:50:29:52 | access to local variable cmd | provenance | Sink:MaD:2 |
+| SqlInjection.cs:28:27:28:53 | object creation of type SqlCommand : SqlCommand | SqlInjection.cs:28:21:28:23 | access to local variable cmd : SqlCommand | provenance |  |
+| SqlInjection.cs:28:42:28:52 | access to local variable queryString : String | SqlInjection.cs:28:27:28:53 | object creation of type SqlCommand : SqlCommand | provenance | MaD:4 |
+models
+| 1 | Sink: Microsoft.Data.SqlClient; SqlCommand; false; SqlCommand; (System.String); ; Argument[0]; sql-injection; manual |
+| 2 | Sink: Microsoft.Data.SqlClient; SqlDataAdapter; false; SqlDataAdapter; (Microsoft.Data.SqlClient.SqlCommand); ; Argument[0]; sql-injection; manual |
+| 3 | Source: System; Console; false; ReadLine; ; ; ReturnValue; stdin; manual |
+| 4 | Summary: Microsoft.Data.SqlClient; SqlCommand; false; SqlCommand; (System.String); ; Argument[0]; Argument[this]; taint; manual |
+nodes
+| SqlInjection.cs:17:21:17:31 | access to local variable queryString : String | semmle.label | access to local variable queryString : String |
+| SqlInjection.cs:18:21:18:29 | access to property Text : String | semmle.label | access to property Text : String |
+| SqlInjection.cs:19:21:19:23 | access to local variable cmd : SqlCommand | semmle.label | access to local variable cmd : SqlCommand |
+| SqlInjection.cs:19:27:19:53 | object creation of type SqlCommand : SqlCommand | semmle.label | object creation of type SqlCommand : SqlCommand |
+| SqlInjection.cs:19:42:19:52 | access to local variable queryString | semmle.label | access to local variable queryString |
+| SqlInjection.cs:19:42:19:52 | access to local variable queryString : String | semmle.label | access to local variable queryString : String |
+| SqlInjection.cs:20:50:20:52 | access to local variable cmd | semmle.label | access to local variable cmd |
+| SqlInjection.cs:26:21:26:31 | access to local variable queryString : String | semmle.label | access to local variable queryString : String |
+| SqlInjection.cs:27:21:27:38 | call to method ReadLine : String | semmle.label | call to method ReadLine : String |
+| SqlInjection.cs:28:21:28:23 | access to local variable cmd : SqlCommand | semmle.label | access to local variable cmd : SqlCommand |
+| SqlInjection.cs:28:27:28:53 | object creation of type SqlCommand : SqlCommand | semmle.label | object creation of type SqlCommand : SqlCommand |
+| SqlInjection.cs:28:42:28:52 | access to local variable queryString | semmle.label | access to local variable queryString |
+| SqlInjection.cs:28:42:28:52 | access to local variable queryString : String | semmle.label | access to local variable queryString : String |
+| SqlInjection.cs:29:50:29:52 | access to local variable cmd | semmle.label | access to local variable cmd |
+subpaths

csharp/ql/test/query-tests/Security Features/CWE-089-2/SqlInjection.ext.yml

@@ -0,0 +1,7 @@
+extensions:
+
+  - addsTo:
+      pack: codeql/threat-models
+      extensible: threatModelConfiguration
+    data:
+      - ["local", true, 0]

csharp/ql/test/query-tests/Security Features/CWE-089-2/SqlInjection.qlref

@@ -0,0 +1,4 @@
+query: Security Features/CWE-089/SqlInjection.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql

csharp/ql/test/query-tests/Security Features/CWE-089-2/options

@@ -0,0 +1,4 @@
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/Microsoft.Data.SqlClient/6.0.2/Microsoft.Data.SqlClient.csproj
+semmle-extractor-options: ${testdir}/../../../resources/stubs/System.Windows.cs
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/_frameworks/Microsoft.AspNetCore.App/Microsoft.AspNetCore.App.csproj

csharp/ql/test/query-tests/Security Features/CWE-089/SecondOrderSqlInjection.cs

@@ -17,20 +17,20 @@ public void ProcessRequest()
             {
                 connection.Open();
                 SqlCommand customerCommand = new SqlCommand("SELECT * FROM customers", connection);
-                SqlDataReader customerReader = customerCommand.ExecuteReader();
+                SqlDataReader customerReader = customerCommand.ExecuteReader(); // $ Source[cs/sql-injection]
 
                 while (customerReader.Read())
                 {
                     // BAD: Read from database, write it straight to another query
-                    SqlCommand secondCustomerCommand = new SqlCommand("SELECT * FROM customers WHERE customerName=" + customerReader.GetString(1), connection);
+                    SqlCommand secondCustomerCommand = new SqlCommand("SELECT * FROM customers WHERE customerName=" + customerReader.GetString(1), connection); // $ Alert[cs/sql-injection]
                 }
                 customerReader.Close();
             }
         }
 
         public void RunSQLFromFile()
         {
-            using (FileStream fs = new FileStream("myfile.txt", FileMode.Open))
+            using (FileStream fs = new FileStream("myfile.txt", FileMode.Open)) // $ Source[cs/sql-injection]
             {
                 using (StreamReader sr = new StreamReader(fs, Encoding.UTF8))
                 {
@@ -42,7 +42,7 @@ public void RunSQLFromFile()
                             continue;
                         using (var connection = new SQLiteConnection(""))
                         {
-                            var cmd = new SQLiteCommand(sql, connection);
+                            var cmd = new SQLiteCommand(sql, connection); // $ Alert[cs/sql-injection]
                             cmd.ExecuteScalar();
                         }
                     }

csharp/ql/test/query-tests/Security Features/CWE-089/SqlInjection.cs

@@ -35,8 +35,8 @@ public void GetDataSetByCategory()
             using (var connection = new SqlConnection(connectionString))
             {
                 var query1 = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='"
-                  + categoryTextBox.Text + "' ORDER BY PRICE";
-                var adapter = new SqlDataAdapter(query1, connection);
+                  + categoryTextBox.Text + "' ORDER BY PRICE"; // $ Source[cs/sql-injection]
+                var adapter = new SqlDataAdapter(query1, connection); // $ Alert[cs/sql-injection]
                 var result = new DataSet();
                 adapter.Fill(result);
             }
@@ -70,9 +70,9 @@ public void GetDataSetByCategory()
                 {
                     // BAD: Use EntityFramework direct Sql execution methods
                     var query1 = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='"
-                              + categoryTextBox.Text + "' ORDER BY PRICE";
-                    context.Database.ExecuteSqlCommand(query1);
-                    context.Database.SqlQuery<string>(query1);
+                              + categoryTextBox.Text + "' ORDER BY PRICE"; // $ Source[cs/sql-injection]
+                    context.Database.ExecuteSqlCommand(query1); // $ Alert[cs/sql-injection]
+                    context.Database.SqlQuery<string>(query1); // $ Alert[cs/sql-injection]
                     // GOOD: Use EntityFramework direct Sql execution methods with parameter
                     var query2 = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY="
                             + "@p0 ORDER BY PRICE";
@@ -84,8 +84,8 @@ public void GetDataSetByCategory()
             using (var connection = new SqlConnection(connectionString))
             {
                 var query1 = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='"
-                  + box1.Text + "' ORDER BY PRICE";
-                var adapter = new SqlDataAdapter(query1, connection);
+                  + box1.Text + "' ORDER BY PRICE"; // $ Source[cs/sql-injection]
+                var adapter = new SqlDataAdapter(query1, connection); // $ Alert[cs/sql-injection]
                 var result = new DataSet();
                 adapter.Fill(result);
             }
@@ -94,9 +94,9 @@ public void GetDataSetByCategory()
             using (var connection = new SqlConnection(connectionString))
             {
                 var queryString = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='"
-                  + box1.Text + "' ORDER BY PRICE";
-                var cmd = new SqlCommand(queryString);
-                var adapter = new SqlDataAdapter(cmd);
+                  + box1.Text + "' ORDER BY PRICE"; // $ Source[cs/sql-injection]
+                var cmd = new SqlCommand(queryString); // $ Alert[cs/sql-injection]
+                var adapter = new SqlDataAdapter(cmd); // $ Alert[cs/sql-injection]
                 var result = new DataSet();
                 adapter.Fill(result);
             }
@@ -105,9 +105,9 @@ public void GetDataSetByCategory()
             using (var connection = new SqlConnection(connectionString))
             {
                 var queryString = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='"
-                  + Console.ReadLine()! + "' ORDER BY PRICE";
-                var cmd = new SqlCommand(queryString);
-                var adapter = new SqlDataAdapter(cmd);
+                  + Console.ReadLine()! + "' ORDER BY PRICE"; // $ Source[cs/sql-injection]
+                var cmd = new SqlCommand(queryString); // $ Alert[cs/sql-injection]
+                var adapter = new SqlDataAdapter(cmd); // $ Alert[cs/sql-injection]
                 var result = new DataSet();
                 adapter.Fill(result);
             }
@@ -119,14 +119,14 @@ public void GetDataSetByCategory()
     public abstract class MyController : Controller
     {
         [HttpPost("{userId:string}")]
-        public async Task<IActionResult> GetUserById([FromRoute] string userId, CancellationToken cancellationToken)
+        public async Task<IActionResult> GetUserById([FromRoute] string userId, CancellationToken cancellationToken) // $ Source[cs/sql-injection]
         {
             // This is a vulnerable method due to SQL injection
             string query = "SELECT * FROM Users WHERE UserId = '" + userId + "'";
 
             using (SqlConnection connection = new SqlConnection("YourConnectionString"))
             {
-                SqlCommand command = new SqlCommand(query, connection);
+                SqlCommand command = new SqlCommand(query, connection); // $ Alert[cs/sql-injection]
                 connection.Open();
 
                 SqlDataReader reader = command.ExecuteReader();