C#: Add cs/sql-injection tests for APIs in Microsoft.Data.SqlClient.

michaelnebel · michaelnebel · commit ed7f68279f71 · 2025-06-26T08:44:50.000+02:00
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-089-2/SqlInjection.cs b/csharp/ql/test/query-tests/Security Features/CWE-089-2/SqlInjection.cs
@@ -0,0 +1,33 @@
+using System;
+using Microsoft.Data;
+using Microsoft.Data.SqlClient;
+
+namespace Test
+{
+    class SqlInjection
+    {
+        string connectionString;
+        System.Windows.Forms.TextBox box1;
+
+        public void MakeSqlCommand()
+        {
+            // BAD: Text from a local textbox
+            using (var connection = new SqlConnection(connectionString))
+            {
+                var queryString = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='"
+                  + box1.Text + "' ORDER BY PRICE"; // $ Source[cs/sql-injection]
+                var cmd = new SqlCommand(queryString); // $ Alert[cs/sql-injection]
+                var adapter = new SqlDataAdapter(cmd); // $ Alert[cs/sql-injection]
+            }
+
+            // BAD: Input from the command line.
+            using (var connection = new SqlConnection(connectionString))
+            {
+                var queryString = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='"
+                  + Console.ReadLine() + "' ORDER BY PRICE"; // $ Source[cs/sql-injection]
+                var cmd = new SqlCommand(queryString); // $ Alert[cs/sql-injection]
+                var adapter = new SqlDataAdapter(cmd); // $ Alert[cs/sql-injection]
+            }
+        }
+    }
+}
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-089-2/SqlInjection.expected b/csharp/ql/test/query-tests/Security Features/CWE-089-2/SqlInjection.expected
@@ -0,0 +1,21 @@
+#select
+| SqlInjection.cs:19:42:19:52 | access to local variable queryString | SqlInjection.cs:18:21:18:29 | access to property Text : String | SqlInjection.cs:19:42:19:52 | access to local variable queryString | This query depends on $@. | SqlInjection.cs:18:21:18:29 | access to property Text : String | this TextBox text |
+| SqlInjection.cs:28:42:28:52 | access to local variable queryString | SqlInjection.cs:27:21:27:38 | call to method ReadLine : String | SqlInjection.cs:28:42:28:52 | access to local variable queryString | This query depends on $@. | SqlInjection.cs:27:21:27:38 | call to method ReadLine : String | this read from stdin |
+edges
+| SqlInjection.cs:17:21:17:31 | access to local variable queryString : String | SqlInjection.cs:19:42:19:52 | access to local variable queryString | provenance |  |
+| SqlInjection.cs:18:21:18:29 | access to property Text : String | SqlInjection.cs:17:21:17:31 | access to local variable queryString : String | provenance |  |
+| SqlInjection.cs:26:21:26:31 | access to local variable queryString : String | SqlInjection.cs:28:42:28:52 | access to local variable queryString | provenance |  |
+| SqlInjection.cs:27:21:27:38 | call to method ReadLine : String | SqlInjection.cs:26:21:26:31 | access to local variable queryString : String | provenance | Src:MaD:1  |
+models
+| 1 | Source: System; Console; false; ReadLine; ; ; ReturnValue; stdin; manual |
+nodes
+| SqlInjection.cs:17:21:17:31 | access to local variable queryString : String | semmle.label | access to local variable queryString : String |
+| SqlInjection.cs:18:21:18:29 | access to property Text : String | semmle.label | access to property Text : String |
+| SqlInjection.cs:19:42:19:52 | access to local variable queryString | semmle.label | access to local variable queryString |
+| SqlInjection.cs:26:21:26:31 | access to local variable queryString : String | semmle.label | access to local variable queryString : String |
+| SqlInjection.cs:27:21:27:38 | call to method ReadLine : String | semmle.label | call to method ReadLine : String |
+| SqlInjection.cs:28:42:28:52 | access to local variable queryString | semmle.label | access to local variable queryString |
+subpaths
+testFailures
+| SqlInjection.cs:20:56:20:83 | // ... | Missing result: Alert[cs/sql-injection] |
+| SqlInjection.cs:29:56:29:83 | // ... | Missing result: Alert[cs/sql-injection] |
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-089-2/SqlInjection.ext.yml b/csharp/ql/test/query-tests/Security Features/CWE-089-2/SqlInjection.ext.yml
@@ -0,0 +1,7 @@
+extensions:
+
+  - addsTo:
+      pack: codeql/threat-models
+      extensible: threatModelConfiguration
+    data:
+      - ["local", true, 0]
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-089-2/SqlInjection.qlref b/csharp/ql/test/query-tests/Security Features/CWE-089-2/SqlInjection.qlref
@@ -0,0 +1,4 @@
+query: Security Features/CWE-089/SqlInjection.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-089-2/options b/csharp/ql/test/query-tests/Security Features/CWE-089-2/options
@@ -0,0 +1,4 @@
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/Microsoft.Data.SqlClient/6.0.2/Microsoft.Data.SqlClient.csproj
+semmle-extractor-options: ${testdir}/../../../resources/stubs/System.Windows.cs
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/_frameworks/Microsoft.AspNetCore.App/Microsoft.AspNetCore.App.csproj
