C#: Add a string.Format sanitizer to url redirect and update expected test output.

michaelnebel · michaelnebel · commit 5016113a0fa9 · 2024-01-22T11:21:35.000+01:00
diff --git a/csharp/ql/lib/semmle/code/csharp/frameworks/Format.qll b/csharp/ql/lib/semmle/code/csharp/frameworks/Format.qll
@@ -134,7 +134,7 @@ class ValidFormatString extends StringLiteral {
     result = this.getValue().regexpFind(getValidFormatTokenRegex(), _, outPosition)
   }
 
-  /**Gets the insert number at the given position in the string. */
+  /** Gets the insert number at the given position in the string. */
   int getInsert(int position) {
     result = this.getToken(position).regexpCapture(getFormatInsertRegex(), 1).toInt()
   }
diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/UrlRedirectQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/UrlRedirectQuery.qll
@@ -5,6 +5,7 @@
 import csharp
 private import semmle.code.csharp.security.dataflow.flowsources.Remote
 private import semmle.code.csharp.controlflow.Guards
+private import semmle.code.csharp.frameworks.Format
 private import semmle.code.csharp.frameworks.system.Web
 private import semmle.code.csharp.frameworks.system.web.Mvc
 private import semmle.code.csharp.security.Sanitizers
@@ -175,6 +176,20 @@ private class InterpolationSanitizer extends Sanitizer {
   }
 }
 
+/**
+ * A call to `string.Format`, where the format expression (before any inserts)
+ * contains the character "?".
+ *
+ * This is considered a sanitizer by the same reasoning as `ConcatenationSanitizer`.
+ */
+private class StringFormatSanitizer extends Sanitizer {
+  StringFormatSanitizer() {
+    exists(FormatCall c, Expr e | c = this.getExpr() and e = c.getFormatExpr() |
+      e.(StringLiteral).getValue().splitAt("{0}", 0).matches("%?%")
+    )
+  }
+}
+
 /** A call to an URL encoder. */
 class UrlEncodeSanitizer extends Sanitizer {
   UrlEncodeSanitizer() { this.getExpr() instanceof UrlSanitizedExpr }
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-601/UrlRedirect/UrlRedirect.expected b/csharp/ql/test/query-tests/Security Features/CWE-601/UrlRedirect/UrlRedirect.expected
@@ -3,15 +3,12 @@ edges
 | UrlRedirect.cs:23:22:23:44 | access to property QueryString : NameValueCollection | UrlRedirect.cs:23:22:23:52 | access to indexer : String |
 | UrlRedirect.cs:23:22:23:44 | access to property QueryString : NameValueCollection | UrlRedirect.cs:48:29:48:31 | access to local variable url |
 | UrlRedirect.cs:23:22:23:44 | access to property QueryString : NameValueCollection | UrlRedirect.cs:64:31:64:52 | $"..." |
-| UrlRedirect.cs:23:22:23:44 | access to property QueryString : NameValueCollection | UrlRedirect.cs:67:66:67:68 | access to local variable url : String |
 | UrlRedirect.cs:23:22:23:44 | access to property QueryString : NameValueCollection | UrlRedirect.cs:70:66:70:68 | access to local variable url : String |
 | UrlRedirect.cs:23:22:23:52 | access to indexer : String | UrlRedirect.cs:48:29:48:31 | access to local variable url |
 | UrlRedirect.cs:23:22:23:52 | access to indexer : String | UrlRedirect.cs:64:31:64:52 | $"..." |
-| UrlRedirect.cs:23:22:23:52 | access to indexer : String | UrlRedirect.cs:67:66:67:68 | access to local variable url : String |
 | UrlRedirect.cs:23:22:23:52 | access to indexer : String | UrlRedirect.cs:70:66:70:68 | access to local variable url : String |
 | UrlRedirect.cs:38:44:38:66 | access to property QueryString : NameValueCollection | UrlRedirect.cs:38:44:38:74 | access to indexer |
 | UrlRedirect.cs:39:47:39:69 | access to property QueryString : NameValueCollection | UrlRedirect.cs:39:47:39:77 | access to indexer |
-| UrlRedirect.cs:67:66:67:68 | access to local variable url : String | UrlRedirect.cs:67:31:67:69 | call to method Format |
 | UrlRedirect.cs:70:66:70:68 | access to local variable url : String | UrlRedirect.cs:70:31:70:69 | call to method Format |
 | UrlRedirectCore.cs:13:44:13:48 | value : String | UrlRedirectCore.cs:16:22:16:26 | access to parameter value |
 | UrlRedirectCore.cs:13:44:13:48 | value : String | UrlRedirectCore.cs:19:44:19:48 | call to operator implicit conversion |
@@ -35,8 +32,6 @@ nodes
 | UrlRedirect.cs:39:47:39:77 | access to indexer | semmle.label | access to indexer |
 | UrlRedirect.cs:48:29:48:31 | access to local variable url | semmle.label | access to local variable url |
 | UrlRedirect.cs:64:31:64:52 | $"..." | semmle.label | $"..." |
-| UrlRedirect.cs:67:31:67:69 | call to method Format | semmle.label | call to method Format |
-| UrlRedirect.cs:67:66:67:68 | access to local variable url : String | semmle.label | access to local variable url : String |
 | UrlRedirect.cs:70:31:70:69 | call to method Format | semmle.label | call to method Format |
 | UrlRedirect.cs:70:66:70:68 | access to local variable url : String | semmle.label | access to local variable url : String |
 | UrlRedirectCore.cs:13:44:13:48 | value : String | semmle.label | value : String |
@@ -59,7 +54,6 @@ subpaths
 | UrlRedirect.cs:39:47:39:77 | access to indexer | UrlRedirect.cs:39:47:39:69 | access to property QueryString : NameValueCollection | UrlRedirect.cs:39:47:39:77 | access to indexer | Untrusted URL redirection due to $@. | UrlRedirect.cs:39:47:39:69 | access to property QueryString | user-provided value |
 | UrlRedirect.cs:48:29:48:31 | access to local variable url | UrlRedirect.cs:23:22:23:44 | access to property QueryString : NameValueCollection | UrlRedirect.cs:48:29:48:31 | access to local variable url | Untrusted URL redirection due to $@. | UrlRedirect.cs:23:22:23:44 | access to property QueryString | user-provided value |
 | UrlRedirect.cs:64:31:64:52 | $"..." | UrlRedirect.cs:23:22:23:44 | access to property QueryString : NameValueCollection | UrlRedirect.cs:64:31:64:52 | $"..." | Untrusted URL redirection due to $@. | UrlRedirect.cs:23:22:23:44 | access to property QueryString | user-provided value |
-| UrlRedirect.cs:67:31:67:69 | call to method Format | UrlRedirect.cs:23:22:23:44 | access to property QueryString : NameValueCollection | UrlRedirect.cs:67:31:67:69 | call to method Format | Untrusted URL redirection due to $@. | UrlRedirect.cs:23:22:23:44 | access to property QueryString | user-provided value |
 | UrlRedirect.cs:70:31:70:69 | call to method Format | UrlRedirect.cs:23:22:23:44 | access to property QueryString : NameValueCollection | UrlRedirect.cs:70:31:70:69 | call to method Format | Untrusted URL redirection due to $@. | UrlRedirect.cs:23:22:23:44 | access to property QueryString | user-provided value |
 | UrlRedirectCore.cs:16:22:16:26 | access to parameter value | UrlRedirectCore.cs:13:44:13:48 | value : String | UrlRedirectCore.cs:16:22:16:26 | access to parameter value | Untrusted URL redirection due to $@. | UrlRedirectCore.cs:13:44:13:48 | value | user-provided value |
 | UrlRedirectCore.cs:19:44:19:48 | call to operator implicit conversion | UrlRedirectCore.cs:13:44:13:48 | value : String | UrlRedirectCore.cs:19:44:19:48 | call to operator implicit conversion | Untrusted URL redirection due to $@. | UrlRedirectCore.cs:13:44:13:48 | value | user-provided value |

Original file line number	Diff line number	Diff line change
`@@ -134,7 +134,7 @@ class ValidFormatString extends StringLiteral {`
`134`	`134`	`result = this.getValue().regexpFind(getValidFormatTokenRegex(), _, outPosition)`
`135`	`135`	`}`
`136`	`136`
`137`		`- /*Gets the insert number at the given position in the string. /`
	`137`	`+ /** Gets the insert number at the given position in the string. */`
`138`	`138`	`int getInsert(int position) {`
`139`	`139`	`result = this.getToken(position).regexpCapture(getFormatInsertRegex(), 1).toInt()`
`140`	`140`	`}`