
Commit 392eac5

committed
Refactor source node classes to use SourceNode superclass
Refactor the existing flowsource classes to use the `SourceNode` class to specify which threat model they support.
1 parent d29df68 commit 392eac5


3 files changed

+23
-8
lines changed


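--- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/Local.qll
+++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/Local.qll
@@ -5,11 +5,14 @@
 import csharp
 private import semmle.code.csharp.frameworks.system.windows.Forms
 private import semmle.code.csharp.dataflow.internal.ExternalFlow
+private import semmle.code.csharp.security.dataflow.flowsources.SourceNode
 
 /** A data flow source of local data. */
-abstract class LocalFlowSource extends DataFlow::Node {
+abstract class LocalFlowSource extends SourceNode {
 /** Gets a string that describes the type of this local flow source. */
 abstract string getSourceType();
+
+override string getThreatModel() { result = "local" }
 }
 
 private class ExternalLocalFlowSource extends LocalFlowSource {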

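--- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/Remote.qll
+++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/Remote.qll
@@ -13,11 +13,14 @@ private import semmle.code.csharp.frameworks.WCF
 private import semmle.code.csharp.frameworks.microsoft.Owin
 private import semmle.code.csharp.frameworks.microsoft.AspNetCore
 private import semmle.code.csharp.dataflow.internal.ExternalFlow
+private import semmle.code.csharp.security.dataflow.flowsources.SourceNode
 
 /** A data flow source of remote user input. */
-abstract class RemoteFlowSource extends DataFlow::Node {
+abstract class RemoteFlowSource extends SourceNode {
 /** Gets a string that describes the type of this remote flow source. */
 abstract string getSourceType();
+
+override string getThreatModel() { result = "remote" }
 }
 
 /**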

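--- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/Stored.qll
+++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/Stored.qll
@@ -9,15 +9,22 @@ private import semmle.code.csharp.frameworks.system.data.Entity
 private import semmle.code.csharp.frameworks.EntityFramework
 private import semmle.code.csharp.frameworks.NHibernate
 private import semmle.code.csharp.frameworks.Sql
+private import semmle.code.csharp.security.dataflow.flowsources.SourceNode
 
 /** A data flow source of stored user input. */
-abstract class StoredFlowSource extends DataFlow::Node { }
+abstract class StoredFlowSource extends SourceNode {
+override string getThreatModel() { result = "local" }
+}
+
+abstract class DatabaseInputSource extends StoredFlowSource {
+override string getThreatModel() { result = "database" }
+}
 
 /**
 * An expression that has a type of `DbRawSqlQuery`, representing the result of an Entity Framework
 * SqlQuery.
 */
-class DbRawSqlStoredFlowSource extends StoredFlowSource {
+class DbRawSqlStoredFlowSource extends DatabaseInputSource {
 DbRawSqlStoredFlowSource() {
 this.asExpr().getType() instanceof SystemDataEntityInfrastructure::DbRawSqlQuery
 }
@@ -27,30 +34,30 @@ class DbRawSqlStoredFlowSource extends StoredFlowSource {
 * An expression that has a type of `DbDataReader` or a sub-class, representing the result of a
 * data command.
 */
-class DbDataReaderStoredFlowSource extends StoredFlowSource {
+class DbDataReaderStoredFlowSource extends DatabaseInputSource {
 DbDataReaderStoredFlowSource() {
 this.asExpr().getType() = any(SystemDataCommon::DbDataReader dataReader).getASubType*()
 }
 }
 
 /** An expression that accesses a method of `DbDataReader` or a sub-class. */
-class DbDataReaderMethodStoredFlowSource extends StoredFlowSource {
+class DbDataReaderMethodStoredFlowSource extends DatabaseInputSource {
 DbDataReaderMethodStoredFlowSource() {
 this.asExpr().(MethodCall).getTarget().getDeclaringType() =
 any(SystemDataCommon::DbDataReader dataReader).getASubType*()
 }
 }
 
 /** An expression that accesses a property of `DbDataReader` or a sub-class. */
-class DbDataReaderPropertyStoredFlowSource extends StoredFlowSource {
+class DbDataReaderPropertyStoredFlowSource extends DatabaseInputSource {
 DbDataReaderPropertyStoredFlowSource() {
 this.asExpr().(PropertyAccess).getTarget().getDeclaringType() =
 any(SystemDataCommon::DbDataReader dataReader).getASubType*()
 }
 }
 
 /** A read of a mapped property. */
-class ORMMappedProperty extends StoredFlowSource {
+class ORMMappedProperty extends DatabaseInputSource {
 ORMMappedProperty() {
 this instanceof EntityFramework::StoredFlowSource or
 this instanceof NHibernate::StoredFlowSource
@@ -60,4 +67,6 @@ class ORMMappedProperty extends StoredFlowSource {
 /** A file stream source is considered a stored flow source. */
 class FileStreamStoredFlowSource extends StoredFlowSource {
 FileStreamStoredFlowSource() { sourceNode(this, "file") }
+
+override string getThreatModel() { result = "file" }
 }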
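Review bot: The new public abstract class `DatabaseInputSource` in the first hunk is added without a QLDoc comment, unlike the other classes visible in this file; a line such as `/** A data flow source of stored user input that is read from a database. */` above it would document the intent. Separately, `StoredFlowSource` now reports `"local"` for every subclass that does not override `getThreatModel()`, so a stored source defined outside this file is classified as local without any visible signal. Stored data often originates from remote users (second-order injection, stored XSS), so it is worth confirming that queries relying on these sources keep their results when only the `"remote"` threat model is enabled; how consumers of `SourceNode` filter on the threat model is not visible in this commit. A short comment on the base override explaining why `"local"` is the default would help the next author of a subclass choose deliberately.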
