Modify test cases

Author: egregius313

csharp/ql/test/query-tests/Security Features/CWE-078/CommandInjection.cs

@@ -1,4 +1,6 @@
 using System;
+using System.Data.SqlClient;
+using System.Diagnostics;
 
 namespace System.Web.UI.WebControls
 {
@@ -34,5 +36,22 @@ public void WebCommandInjection()
             startInfoProps.WorkingDirectory = userInput;
             Process.Start(startInfoProps);
         }
+
+        public void StoredCommandInjection()
+        {
+            using (SqlConnection connection = new SqlConnection(""))
+            {
+                connection.Open();
+                SqlCommand customerCommand = new SqlCommand("SELECT * FROM customers", connection);
+                SqlDataReader customerReader = customerCommand.ExecuteReader();
+
+                while (customerReader.Read())
+                {
+                    // BAD: Read from database, and use it to directly execute a command
+                    Process.Start("foo.exe", "/c " + customerReader.GetString(1));
+                }
+                customerReader.Close();
+            }
+        }
     }
 }

csharp/ql/test/query-tests/Security Features/CWE-078/CommandInjection.expected

@@ -1,4 +1,5 @@
 edges
+<<<<<<< HEAD
 | CommandInjection.cs:25:20:25:28 | access to local variable userInput : String | CommandInjection.cs:26:27:26:47 | ... + ... | provenance |  |
 | CommandInjection.cs:25:20:25:28 | access to local variable userInput : String | CommandInjection.cs:26:50:26:66 | ... + ... | provenance |  |
 | CommandInjection.cs:25:20:25:28 | access to local variable userInput : String | CommandInjection.cs:28:63:28:71 | access to local variable userInput | provenance |  |
@@ -42,18 +43,63 @@ nodes
 | CommandInjection.cs:33:13:33:26 | [post] access to local variable startInfoProps : ProcessStartInfo | semmle.label | [post] access to local variable startInfoProps : ProcessStartInfo |
 | CommandInjection.cs:33:40:33:48 | access to local variable userInput | semmle.label | access to local variable userInput |
 | CommandInjection.cs:33:40:33:48 | access to local variable userInput : String | semmle.label | access to local variable userInput : String |
+=======
+| CommandInjection.cs:27:32:27:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:27:32:27:51 | access to property Text : String | provenance |  |
+| CommandInjection.cs:27:32:27:51 | access to property Text : String | CommandInjection.cs:28:27:28:47 | ... + ... | provenance |  |
+| CommandInjection.cs:27:32:27:51 | access to property Text : String | CommandInjection.cs:28:50:28:66 | ... + ... | provenance |  |
+| CommandInjection.cs:27:32:27:51 | access to property Text : String | CommandInjection.cs:30:63:30:71 | access to local variable userInput | provenance |  |
+| CommandInjection.cs:27:32:27:51 | access to property Text : String | CommandInjection.cs:30:63:30:71 | access to local variable userInput : String | provenance |  |
+| CommandInjection.cs:27:32:27:51 | access to property Text : String | CommandInjection.cs:30:74:30:82 | access to local variable userInput | provenance |  |
+| CommandInjection.cs:27:32:27:51 | access to property Text : String | CommandInjection.cs:30:74:30:82 | access to local variable userInput : String | provenance |  |
+| CommandInjection.cs:27:32:27:51 | access to property Text : String | CommandInjection.cs:34:39:34:47 | access to local variable userInput | provenance |  |
+| CommandInjection.cs:27:32:27:51 | access to property Text : String | CommandInjection.cs:34:39:34:47 | access to local variable userInput : String | provenance |  |
+| CommandInjection.cs:27:32:27:51 | access to property Text : String | CommandInjection.cs:35:40:35:48 | access to local variable userInput | provenance |  |
+| CommandInjection.cs:27:32:27:51 | access to property Text : String | CommandInjection.cs:35:40:35:48 | access to local variable userInput : String | provenance |  |
+| CommandInjection.cs:27:32:27:51 | access to property Text : String | CommandInjection.cs:36:47:36:55 | access to local variable userInput | provenance |  |
+| CommandInjection.cs:27:32:27:51 | access to property Text : String | CommandInjection.cs:36:47:36:55 | access to local variable userInput : String | provenance |  |
+| CommandInjection.cs:30:42:30:83 | object creation of type ProcessStartInfo : ProcessStartInfo | CommandInjection.cs:31:27:31:35 | access to local variable startInfo | provenance |  |
+| CommandInjection.cs:30:63:30:71 | access to local variable userInput : String | CommandInjection.cs:30:42:30:83 | object creation of type ProcessStartInfo : ProcessStartInfo | provenance |  |
+| CommandInjection.cs:30:74:30:82 | access to local variable userInput : String | CommandInjection.cs:30:42:30:83 | object creation of type ProcessStartInfo : ProcessStartInfo | provenance |  |
+| CommandInjection.cs:34:13:34:26 | [post] access to local variable startInfoProps : ProcessStartInfo | CommandInjection.cs:37:27:37:40 | access to local variable startInfoProps | provenance |  |
+| CommandInjection.cs:34:39:34:47 | access to local variable userInput : String | CommandInjection.cs:34:13:34:26 | [post] access to local variable startInfoProps : ProcessStartInfo | provenance |  |
+| CommandInjection.cs:35:13:35:26 | [post] access to local variable startInfoProps : ProcessStartInfo | CommandInjection.cs:37:27:37:40 | access to local variable startInfoProps | provenance |  |
+| CommandInjection.cs:35:40:35:48 | access to local variable userInput : String | CommandInjection.cs:35:13:35:26 | [post] access to local variable startInfoProps : ProcessStartInfo | provenance |  |
+| CommandInjection.cs:36:13:36:26 | [post] access to local variable startInfoProps : ProcessStartInfo | CommandInjection.cs:37:27:37:40 | access to local variable startInfoProps | provenance |  |
+| CommandInjection.cs:36:47:36:55 | access to local variable userInput : String | CommandInjection.cs:36:13:36:26 | [post] access to local variable startInfoProps : ProcessStartInfo | provenance |  |
+| CommandInjection.cs:51:54:51:80 | call to method GetString : String | CommandInjection.cs:51:46:51:80 | ... + ... | provenance |  |
+nodes
+| CommandInjection.cs:27:32:27:46 | access to field categoryTextBox : TextBox | semmle.label | access to field categoryTextBox : TextBox |
+| CommandInjection.cs:27:32:27:51 | access to property Text : String | semmle.label | access to property Text : String |
+| CommandInjection.cs:28:27:28:47 | ... + ... | semmle.label | ... + ... |
+| CommandInjection.cs:28:50:28:66 | ... + ... | semmle.label | ... + ... |
+| CommandInjection.cs:30:42:30:83 | object creation of type ProcessStartInfo : ProcessStartInfo | semmle.label | object creation of type ProcessStartInfo : ProcessStartInfo |
+| CommandInjection.cs:30:63:30:71 | access to local variable userInput | semmle.label | access to local variable userInput |
+| CommandInjection.cs:30:63:30:71 | access to local variable userInput : String | semmle.label | access to local variable userInput : String |
+| CommandInjection.cs:30:74:30:82 | access to local variable userInput | semmle.label | access to local variable userInput |
+| CommandInjection.cs:30:74:30:82 | access to local variable userInput : String | semmle.label | access to local variable userInput : String |
+| CommandInjection.cs:31:27:31:35 | access to local variable startInfo | semmle.label | access to local variable startInfo |
+>>>>>>> 4fc83a3267 (Modify test cases)
 | CommandInjection.cs:34:13:34:26 | [post] access to local variable startInfoProps : ProcessStartInfo | semmle.label | [post] access to local variable startInfoProps : ProcessStartInfo |
-| CommandInjection.cs:34:47:34:55 | access to local variable userInput | semmle.label | access to local variable userInput |
-| CommandInjection.cs:34:47:34:55 | access to local variable userInput : String | semmle.label | access to local variable userInput : String |
-| CommandInjection.cs:35:27:35:40 | access to local variable startInfoProps | semmle.label | access to local variable startInfoProps |
+| CommandInjection.cs:34:39:34:47 | access to local variable userInput | semmle.label | access to local variable userInput |
+| CommandInjection.cs:34:39:34:47 | access to local variable userInput : String | semmle.label | access to local variable userInput : String |
+| CommandInjection.cs:35:13:35:26 | [post] access to local variable startInfoProps : ProcessStartInfo | semmle.label | [post] access to local variable startInfoProps : ProcessStartInfo |
+| CommandInjection.cs:35:40:35:48 | access to local variable userInput | semmle.label | access to local variable userInput |
+| CommandInjection.cs:35:40:35:48 | access to local variable userInput : String | semmle.label | access to local variable userInput : String |
+| CommandInjection.cs:36:13:36:26 | [post] access to local variable startInfoProps : ProcessStartInfo | semmle.label | [post] access to local variable startInfoProps : ProcessStartInfo |
+| CommandInjection.cs:36:47:36:55 | access to local variable userInput | semmle.label | access to local variable userInput |
+| CommandInjection.cs:36:47:36:55 | access to local variable userInput : String | semmle.label | access to local variable userInput : String |
+| CommandInjection.cs:37:27:37:40 | access to local variable startInfoProps | semmle.label | access to local variable startInfoProps |
+| CommandInjection.cs:51:46:51:80 | ... + ... | semmle.label | ... + ... |
+| CommandInjection.cs:51:54:51:80 | call to method GetString : String | semmle.label | call to method GetString : String |
 subpaths
 #select
-| CommandInjection.cs:26:27:26:47 | ... + ... | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:26:27:26:47 | ... + ... | This command line depends on a $@. | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | user-provided value |
-| CommandInjection.cs:26:50:26:66 | ... + ... | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:26:50:26:66 | ... + ... | This command line depends on a $@. | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | user-provided value |
-| CommandInjection.cs:28:63:28:71 | access to local variable userInput | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:28:63:28:71 | access to local variable userInput | This command line depends on a $@. | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | user-provided value |
-| CommandInjection.cs:28:74:28:82 | access to local variable userInput | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:28:74:28:82 | access to local variable userInput | This command line depends on a $@. | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | user-provided value |
-| CommandInjection.cs:29:27:29:35 | access to local variable startInfo | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:29:27:29:35 | access to local variable startInfo | This command line depends on a $@. | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | user-provided value |
-| CommandInjection.cs:32:39:32:47 | access to local variable userInput | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:32:39:32:47 | access to local variable userInput | This command line depends on a $@. | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | user-provided value |
-| CommandInjection.cs:33:40:33:48 | access to local variable userInput | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:33:40:33:48 | access to local variable userInput | This command line depends on a $@. | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | user-provided value |
-| CommandInjection.cs:34:47:34:55 | access to local variable userInput | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:34:47:34:55 | access to local variable userInput | This command line depends on a $@. | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | user-provided value |
-| CommandInjection.cs:35:27:35:40 | access to local variable startInfoProps | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:35:27:35:40 | access to local variable startInfoProps | This command line depends on a $@. | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | user-provided value |
+| CommandInjection.cs:28:27:28:47 | ... + ... | CommandInjection.cs:27:32:27:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:28:27:28:47 | ... + ... | This command line depends on a $@. | CommandInjection.cs:27:32:27:46 | access to field categoryTextBox | user-provided value |
+| CommandInjection.cs:28:50:28:66 | ... + ... | CommandInjection.cs:27:32:27:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:28:50:28:66 | ... + ... | This command line depends on a $@. | CommandInjection.cs:27:32:27:46 | access to field categoryTextBox | user-provided value |
+| CommandInjection.cs:30:63:30:71 | access to local variable userInput | CommandInjection.cs:27:32:27:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:30:63:30:71 | access to local variable userInput | This command line depends on a $@. | CommandInjection.cs:27:32:27:46 | access to field categoryTextBox | user-provided value |
+| CommandInjection.cs:30:74:30:82 | access to local variable userInput | CommandInjection.cs:27:32:27:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:30:74:30:82 | access to local variable userInput | This command line depends on a $@. | CommandInjection.cs:27:32:27:46 | access to field categoryTextBox | user-provided value |
+| CommandInjection.cs:31:27:31:35 | access to local variable startInfo | CommandInjection.cs:27:32:27:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:31:27:31:35 | access to local variable startInfo | This command line depends on a $@. | CommandInjection.cs:27:32:27:46 | access to field categoryTextBox | user-provided value |
+| CommandInjection.cs:34:39:34:47 | access to local variable userInput | CommandInjection.cs:27:32:27:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:34:39:34:47 | access to local variable userInput | This command line depends on a $@. | CommandInjection.cs:27:32:27:46 | access to field categoryTextBox | user-provided value |
+| CommandInjection.cs:35:40:35:48 | access to local variable userInput | CommandInjection.cs:27:32:27:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:35:40:35:48 | access to local variable userInput | This command line depends on a $@. | CommandInjection.cs:27:32:27:46 | access to field categoryTextBox | user-provided value |
+| CommandInjection.cs:36:47:36:55 | access to local variable userInput | CommandInjection.cs:27:32:27:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:36:47:36:55 | access to local variable userInput | This command line depends on a $@. | CommandInjection.cs:27:32:27:46 | access to field categoryTextBox | user-provided value |
+| CommandInjection.cs:37:27:37:40 | access to local variable startInfoProps | CommandInjection.cs:27:32:27:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:37:27:37:40 | access to local variable startInfoProps | This command line depends on a $@. | CommandInjection.cs:27:32:27:46 | access to field categoryTextBox | user-provided value |
+| CommandInjection.cs:51:46:51:80 | ... + ... | CommandInjection.cs:51:54:51:80 | call to method GetString : String | CommandInjection.cs:51:46:51:80 | ... + ... | This command line depends on a $@. | CommandInjection.cs:51:54:51:80 | call to method GetString | user-provided value |

csharp/ql/test/query-tests/Security Features/CWE-078/CommandInjection.ext.yml

@@ -0,0 +1,7 @@
+extensions:
+
+  - addsTo:
+      pack: codeql/threat-models
+      extensible: threatModelConfiguration
+    data:
+      - ["local", true, 0]

csharp/ql/test/query-tests/Security Features/CWE-078/StoredCommandInjection.cs

@@ -0,0 +1,7 @@
+extensions:
+
+  - addsTo:
+      pack: codeql/threat-models
+      extensible: threatModelConfiguration
+    data:
+      - ["local", true, 0]

csharp/ql/test/query-tests/Security Features/CWE-078/StoredCommandInjection.expected

@@ -1 +1 @@
-Security Features/CWE-079/StoredXSS.ql
+Security Features/CWE-079/XSS.ql

csharp/ql/test/query-tests/Security Features/CWE-078/StoredCommandInjection.qlref

@@ -1,4 +1,5 @@
 using System;
+using System.Data.SqlClient;
 using System.DirectoryServices;
 using System.DirectoryServices.Protocols;
 using System.Web;
@@ -27,6 +28,20 @@ public void ProcessRequest(HttpContext ctx)
         DirectoryEntry de = new DirectoryEntry("LDAP://Cn=" + userName);
         DirectoryEntry de2 = new DirectoryEntry();
         de2.Path = "LDAP://Cn=" + userName;
+
+        using (SqlConnection connection = new SqlConnection(""))
+        {
+            connection.Open();
+            SqlCommand customerCommand = new SqlCommand("SELECT * FROM customers", connection);
+            SqlDataReader customerReader = customerCommand.ExecuteReader();
+
+            while (customerReader.Read())
+            {
+                // BAD: Read from database, write it straight to a response
+                DirectorySearcher ds4 = new DirectorySearcher("accountname=" + customerReader.GetString(1));
+            }
+            customerReader.Close();
+        }
     }
 
     public string LDAPEncode(string value)