C# Threat Modeling Tests

Author: egregius313

csharp/ql/test/library-tests/dataflow/threat-models/Test.cs

@@ -0,0 +1,69 @@
+using System.Net.Sockets;
+using System.Data.SqlClient;
+
+namespace My.Qltest
+{
+    public class Test
+    {
+        private TestSources Sources = new TestSources();
+
+        //private ILogger Logger => throw null;
+        private SqlConnection Connection => throw null;
+
+        private string BytesToString(byte[] bytes)
+        {
+            // Encode bytes to a UTF8 string.
+            return System.Text.Encoding.UTF8.GetString(bytes);
+        }
+
+        public void M1()
+        {
+            // Only a source if "remote" is a selected threat model.
+            // This is included in the "default" threat model.
+            using TcpClient client = new TcpClient("localhost", 1234);
+            using NetworkStream stream = client.GetStream();
+            byte[] buffer = new byte[1024];
+            int bytesRead = stream.Read(buffer, 0, buffer.Length);
+
+            // SQL sink
+            var command = new SqlCommand("SELECT * FROM Users WHERE Username = '" + BytesToString(buffer) + "'", Connection);
+        }
+
+        public void M2()
+        {
+            // Only a source if "database" is a selected threat model.
+            string result = Sources.ExecuteQuery("SELECT * FROM foo");
+
+            // SQL sink
+            var command = new SqlCommand("SELECT * FROM Users WHERE Username = '" + result + "'", Connection);
+        }
+
+        public void M3()
+        {
+            // Only a source if "environment" is a selected threat model.
+            string result = Sources.ReadEnv("foo");
+
+            // SQL sink
+            var command = new SqlCommand("SELECT * FROM Users WHERE Username = '" + result + "'", Connection);
+
+        }
+
+        public void M4()
+        {
+            // Only a source if "custom" is a selected threat model.
+            string result = Sources.GetCustom("foo");
+
+            // SQL sink
+            var command = new SqlCommand("SELECT * FROM Users WHERE Username = '" + result + "'", Connection);
+        }
+
+        public void M5()
+        {
+            // Only a source if "commandargs" is a selected threat model.
+            string result = Sources.GetCliArg(0);
+
+            // SQL sink
+            var command = new SqlCommand("SELECT * FROM Users WHERE Username = '" + result + "'", Connection);
+        }
+    }
+}

csharp/ql/test/library-tests/dataflow/threat-models/Test.qll

@@ -0,0 +1,12 @@
+private import csharp
+private import semmle.code.csharp.dataflow.DataFlow
+private import semmle.code.csharp.dataflow.internal.ExternalFlow
+private import semmle.code.csharp.security.dataflow.flowsources.FlowSources
+
+private module ThreatModelConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
+
+  predicate isSink(DataFlow::Node sink) { sinkNode(sink, _) }
+}
+
+module ThreatModel = TaintTracking::Global<ThreatModelConfig>;

csharp/ql/test/library-tests/dataflow/threat-models/TestSources.cs

@@ -0,0 +1,26 @@
+namespace My.Qltest
+{
+
+    public class TestSources
+    {
+        public string ExecuteQuery(string query)
+        {
+            return null;
+        }
+
+        public string ReadEnv(string env)
+        {
+            return null;
+        }
+
+        public string GetCustom(string s)
+        {
+            return null;
+        }
+
+        public string GetCliArg(int i)
+        {
+            return null;
+        }
+    }
+}

csharp/ql/test/library-tests/dataflow/threat-models/options

@@ -0,0 +1,2 @@
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/System.Data.SqlClient/4.8.5/System.Data.SqlClient.csproj

csharp/ql/test/library-tests/dataflow/threat-models/threat-models-flowtest1.expected

@@ -0,0 +1,23 @@
+edges
+| Test.cs:13:45:13:49 | bytes : Byte[] [element] : Object | Test.cs:16:56:16:60 | access to parameter bytes : Byte[] [element] : Object |
+| Test.cs:16:56:16:60 | access to parameter bytes : Byte[] [element] : Object | Test.cs:16:20:16:61 | call to method GetString : String |
+| Test.cs:24:42:24:59 | call to method GetStream : NetworkStream | Test.cs:26:29:26:34 | access to local variable stream : NetworkStream |
+| Test.cs:26:29:26:34 | access to local variable stream : NetworkStream | Test.cs:26:41:26:46 | [post] access to local variable buffer : Byte[] [element] : Object |
+| Test.cs:26:41:26:46 | [post] access to local variable buffer : Byte[] [element] : Object | Test.cs:29:99:29:104 | access to local variable buffer : Byte[] [element] : Object |
+| Test.cs:29:85:29:105 | call to method BytesToString : String | Test.cs:29:42:29:111 | ... + ... |
+| Test.cs:29:99:29:104 | access to local variable buffer : Byte[] [element] : Object | Test.cs:13:45:13:49 | bytes : Byte[] [element] : Object |
+| Test.cs:29:99:29:104 | access to local variable buffer : Byte[] [element] : Object | Test.cs:29:85:29:105 | call to method BytesToString : String |
+nodes
+| Test.cs:13:45:13:49 | bytes : Byte[] [element] : Object | semmle.label | bytes : Byte[] [element] : Object |
+| Test.cs:16:20:16:61 | call to method GetString : String | semmle.label | call to method GetString : String |
+| Test.cs:16:56:16:60 | access to parameter bytes : Byte[] [element] : Object | semmle.label | access to parameter bytes : Byte[] [element] : Object |
+| Test.cs:24:42:24:59 | call to method GetStream : NetworkStream | semmle.label | call to method GetStream : NetworkStream |
+| Test.cs:26:29:26:34 | access to local variable stream : NetworkStream | semmle.label | access to local variable stream : NetworkStream |
+| Test.cs:26:41:26:46 | [post] access to local variable buffer : Byte[] [element] : Object | semmle.label | [post] access to local variable buffer : Byte[] [element] : Object |
+| Test.cs:29:42:29:111 | ... + ... | semmle.label | ... + ... |
+| Test.cs:29:85:29:105 | call to method BytesToString : String | semmle.label | call to method BytesToString : String |
+| Test.cs:29:99:29:104 | access to local variable buffer : Byte[] [element] : Object | semmle.label | access to local variable buffer : Byte[] [element] : Object |
+subpaths
+| Test.cs:29:99:29:104 | access to local variable buffer : Byte[] [element] : Object | Test.cs:13:45:13:49 | bytes : Byte[] [element] : Object | Test.cs:16:20:16:61 | call to method GetString : String | Test.cs:29:85:29:105 | call to method BytesToString : String |
+#select
+| Test.cs:24:42:24:59 | call to method GetStream : NetworkStream | Test.cs:29:42:29:111 | ... + ... |

csharp/ql/test/library-tests/dataflow/threat-models/threat-models-flowtest1.ext.yml

@@ -0,0 +1,15 @@
+extensions:
+
+  - addsTo:
+      pack: codeql/java-all
+      extensible: supportedThreatModels
+    data: []
+
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sourceModel
+    data:
+      - ["My.Qltest", "TestSources", False, "ExecuteQuery", "(System.String)", "", "ReturnValue", "database", "manual"]
+      - ["My.Qltest", "TestSources", False, "ReadEnv", "(System.String)", "", "ReturnValue", "environment", "manual"]
+      - ["My.Qltest", "TestSources", False, "GetCustom", "(System.String)", "", "ReturnValue", "custom", "manual"]
+      - ["My.Qltest", "TestSources", False, "GetCliArg", "(System.Int32)", "", "ReturnValue", "commandargs", "manual"]

csharp/ql/test/library-tests/dataflow/threat-models/threat-models-flowtest1.ql

@@ -0,0 +1,10 @@
+/**
+ * This is a dataflow test using the "default" threat model.
+ */
+
+import Test
+import ThreatModel::PathGraph
+
+from ThreatModel::PathNode source, ThreatModel::PathNode sink
+where ThreatModel::flowPath(source, sink)
+select source, sink

csharp/ql/test/library-tests/dataflow/threat-models/threat-models-flowtest2.expected

@@ -0,0 +1,27 @@
+edges
+| Test.cs:13:45:13:49 | bytes : Byte[] [element] : Object | Test.cs:16:56:16:60 | access to parameter bytes : Byte[] [element] : Object |
+| Test.cs:16:56:16:60 | access to parameter bytes : Byte[] [element] : Object | Test.cs:16:20:16:61 | call to method GetString : String |
+| Test.cs:24:42:24:59 | call to method GetStream : NetworkStream | Test.cs:26:29:26:34 | access to local variable stream : NetworkStream |
+| Test.cs:26:29:26:34 | access to local variable stream : NetworkStream | Test.cs:26:41:26:46 | [post] access to local variable buffer : Byte[] [element] : Object |
+| Test.cs:26:41:26:46 | [post] access to local variable buffer : Byte[] [element] : Object | Test.cs:29:99:29:104 | access to local variable buffer : Byte[] [element] : Object |
+| Test.cs:29:85:29:105 | call to method BytesToString : String | Test.cs:29:42:29:111 | ... + ... |
+| Test.cs:29:99:29:104 | access to local variable buffer : Byte[] [element] : Object | Test.cs:13:45:13:49 | bytes : Byte[] [element] : Object |
+| Test.cs:29:99:29:104 | access to local variable buffer : Byte[] [element] : Object | Test.cs:29:85:29:105 | call to method BytesToString : String |
+| Test.cs:35:29:35:69 | call to method ExecuteQuery : String | Test.cs:38:42:38:96 | ... + ... |
+nodes
+| Test.cs:13:45:13:49 | bytes : Byte[] [element] : Object | semmle.label | bytes : Byte[] [element] : Object |
+| Test.cs:16:20:16:61 | call to method GetString : String | semmle.label | call to method GetString : String |
+| Test.cs:16:56:16:60 | access to parameter bytes : Byte[] [element] : Object | semmle.label | access to parameter bytes : Byte[] [element] : Object |
+| Test.cs:24:42:24:59 | call to method GetStream : NetworkStream | semmle.label | call to method GetStream : NetworkStream |
+| Test.cs:26:29:26:34 | access to local variable stream : NetworkStream | semmle.label | access to local variable stream : NetworkStream |
+| Test.cs:26:41:26:46 | [post] access to local variable buffer : Byte[] [element] : Object | semmle.label | [post] access to local variable buffer : Byte[] [element] : Object |
+| Test.cs:29:42:29:111 | ... + ... | semmle.label | ... + ... |
+| Test.cs:29:85:29:105 | call to method BytesToString : String | semmle.label | call to method BytesToString : String |
+| Test.cs:29:99:29:104 | access to local variable buffer : Byte[] [element] : Object | semmle.label | access to local variable buffer : Byte[] [element] : Object |
+| Test.cs:35:29:35:69 | call to method ExecuteQuery : String | semmle.label | call to method ExecuteQuery : String |
+| Test.cs:38:42:38:96 | ... + ... | semmle.label | ... + ... |
+subpaths
+| Test.cs:29:99:29:104 | access to local variable buffer : Byte[] [element] : Object | Test.cs:13:45:13:49 | bytes : Byte[] [element] : Object | Test.cs:16:20:16:61 | call to method GetString : String | Test.cs:29:85:29:105 | call to method BytesToString : String |
+#select
+| Test.cs:24:42:24:59 | call to method GetStream : NetworkStream | Test.cs:29:42:29:111 | ... + ... |
+| Test.cs:35:29:35:69 | call to method ExecuteQuery : String | Test.cs:38:42:38:96 | ... + ... |

csharp/ql/test/library-tests/dataflow/threat-models/threat-models-flowtest2.ext.yml

@@ -0,0 +1,16 @@
+extensions:
+
+  - addsTo:
+      pack: codeql/threat-models
+      extensible: threatModelConfiguration
+    data:
+      - ["database", true, 0]
+
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sourceModel
+    data:
+      - ["My.Qltest", "TestSources", False, "ExecuteQuery", "(System.String)", "", "ReturnValue", "database", "manual"]
+      - ["My.Qltest", "TestSources", False, "ReadEnv", "(System.String)", "", "ReturnValue", "environment", "manual"]
+      - ["My.Qltest", "TestSources", False, "GetCustom", "(System.String)", "", "ReturnValue", "custom", "manual"]
+      - ["My.Qltest", "TestSources", False, "GetCliArg", "(System.Int32)", "", "ReturnValue", "commandargs", "manual"]

csharp/ql/test/library-tests/dataflow/threat-models/threat-models-flowtest2.ql

@@ -0,0 +1,11 @@
+/**
+ * This is a dataflow test using the "default" threat model with the
+ * addition of "database".
+ */
+
+import Test
+import ThreatModel::PathGraph
+
+from ThreatModel::PathNode source, ThreatModel::PathNode sink
+where ThreatModel::flowPath(source, sink)
+select source, sink