Merge pull request github#6148 from tamasvajk/feature/try-csv-source-models

C#: Start using CSV based flow models

Author: tamasvajk

csharp/documentation/library-coverage/coverage.csv

@@ -0,0 +1,2 @@
+package,sink,source,summary,sink:html,sink:xss,source:local,summary:taint
+System,5,3,6,4,1,3,6

csharp/documentation/library-coverage/coverage.rst

@@ -0,0 +1,12 @@
+C# framework & library support
+================================
+
+.. csv-table::
+   :header-rows: 1
+   :class: fullWidthTable
+   :widths: auto
+
+   Framework / library,Package,Flow sources,Taint & value steps,Sinks (total),`CWE-079` :sub:`Cross-site scripting`
+   System,"``System.*``, ``System``",3,6,5,5
+   Totals,,3,6,5,5
+

csharp/documentation/library-coverage/cwe-sink.csv

@@ -0,0 +1,2 @@
+CWE,Sink identifier,Label
+CWE-079,html xss,Cross-site scripting

csharp/documentation/library-coverage/frameworks.csv

@@ -0,0 +1,2 @@
+Framework name,URL,Namespace prefixes
+System,,System.* System

csharp/ql/src/meta/frameworks/Coverage.ql

@@ -0,0 +1,14 @@
+/**
+ * @name Framework coverage
+ * @description The number of API endpoints covered by CSV models sorted by
+ *              package and source-, sink-, and summary-kind.
+ * @kind table
+ * @id cs/meta/framework-coverage
+ */
+
+import csharp
+import semmle.code.csharp.dataflow.ExternalFlow
+
+from string namespace, int pkgs, string kind, string part, int n
+where modelCoverage(namespace, pkgs, kind, part, n)
+select namespace, pkgs, kind, part, n

csharp/ql/src/semmle/code/csharp/dataflow/ExternalFlow.qll

@@ -84,7 +84,10 @@ private import internal.FlowSummaryImplSpecific
  * ensuring that they are visible to the taint tracking / data flow library.
  */
 private module Frameworks {
-  // TODO
+  private import semmle.code.csharp.security.dataflow.flowsources.Local
+  private import semmle.code.csharp.security.dataflow.flowsinks.Html
+  private import semmle.code.csharp.frameworks.System
+  private import semmle.code.csharp.security.dataflow.XSS
 }
 
 /**

csharp/ql/src/semmle/code/csharp/dataflow/LibraryTypeDataFlow.qll

@@ -499,33 +499,6 @@ private module FrameworkDataFlowAdaptor {
   }
 }
 
-/** Data flow for `System.Int32`. */
-class SystemInt32Flow extends LibraryTypeDataFlow, SystemInt32Struct {
-  override predicate callableFlow(
-    CallableFlowSource source, CallableFlowSink sink, SourceDeclarationCallable c,
-    boolean preservesValue
-  ) {
-    methodFlow(source, sink, c) and
-    preservesValue = false
-  }
-
-  private predicate methodFlow(
-    CallableFlowSource source, CallableFlowSink sink, SourceDeclarationMethod m
-  ) {
-    m = getParseMethod() and
-    source = TCallableFlowSourceArg(0) and
-    sink = TCallableFlowSinkReturn()
-    or
-    m = getTryParseMethod() and
-    source = TCallableFlowSourceArg(0) and
-    (
-      sink = TCallableFlowSinkReturn()
-      or
-      sink = TCallableFlowSinkArg(any(int i | m.getParameter(i).isOutOrRef()))
-    )
-  }
-}
-
 /** Data flow for `System.Boolean`. */
 class SystemBooleanFlow extends LibraryTypeDataFlow, SystemBooleanStruct {
   override predicate callableFlow(

csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowDispatch.qll

@@ -6,6 +6,7 @@ private import DataFlowPublic
 private import DataFlowPrivate
 private import FlowSummaryImpl as FlowSummaryImpl
 private import semmle.code.csharp.dataflow.FlowSummary
+private import semmle.code.csharp.dataflow.ExternalFlow
 private import semmle.code.csharp.dispatch.Dispatch
 private import semmle.code.csharp.frameworks.system.Collections
 private import semmle.code.csharp.frameworks.system.collections.Generic
@@ -14,6 +15,8 @@ private predicate summarizedCallable(DataFlowCallable c) {
   c instanceof SummarizedCallable
   or
   FlowSummaryImpl::Private::summaryReturnNode(_, TJumpReturnKind(c, _))
+  or
+  c = interpretElement(_, _, _, _, _, _)
 }
 
 /**

csharp/ql/src/semmle/code/csharp/frameworks/System.qll

@@ -2,6 +2,7 @@
 
 import csharp
 private import system.Reflection
+private import semmle.code.csharp.dataflow.ExternalFlow
 
 /** The `System` namespace. */
 class SystemNamespace extends Namespace {
@@ -200,6 +201,28 @@ class SystemInt32Struct extends IntType {
   }
 }
 
+/** Data flow for `System.Int32`. */
+private class SystemInt32FlowModelCsv extends SummaryModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "System;Int32;false;Parse;(System.String);;Argument[0];ReturnValue;taint",
+        "System;Int32;false;Parse;(System.String,System.IFormatProvider);;Argument[0];ReturnValue;taint",
+        "System;Int32;false;Parse;(System.String,System.Globalization.NumberStyles);;Argument[0];ReturnValue;taint",
+        "System;Int32;false;Parse;(System.String,System.Globalization.NumberStyles,System.IFormatProvider);;Argument[0];ReturnValue;taint",
+        "System;Int32;false;Parse;(System.ReadOnlySpan<System.Char>,System.Globalization.NumberStyles,System.IFormatProvider);;Element of Argument[0];ReturnValue;taint",
+        "System;Int32;false;TryParse;(System.String,System.Int32);;Argument[0];ReturnValue;taint",
+        "System;Int32;false;TryParse;(System.String,System.Int32);;Argument[0];Argument[1];taint",
+        "System;Int32;false;TryParse;(System.ReadOnlySpan<System.Char>,System.Int32);;Element of Argument[0];ReturnValue;taint",
+        "System;Int32;false;TryParse;(System.ReadOnlySpan<System.Char>,System.Int32);;Element of Argument[0];Argument[1];taint",
+        "System;Int32;false;TryParse;(System.String,System.Globalization.NumberStyles,System.IFormatProvider,System.Int32);;Argument[0];ReturnValue;taint",
+        "System;Int32;false;TryParse;(System.String,System.Globalization.NumberStyles,System.IFormatProvider,System.Int32);;Argument[0];Argument[3];taint",
+        "System;Int32;false;TryParse;(System.ReadOnlySpan<System.Char>,System.Globalization.NumberStyles,System.IFormatProvider,System.Int32);;Element of Argument[0];ReturnValue;taint",
+        "System;Int32;false;TryParse;(System.ReadOnlySpan<System.Char>,System.Globalization.NumberStyles,System.IFormatProvider,System.Int32);;Element of Argument[0];Argument[3];taint"
+      ]
+  }
+}
+
 /** The `System.InvalidCastException` class. */
 class SystemInvalidCastExceptionClass extends SystemClass {
   SystemInvalidCastExceptionClass() { this.hasName("InvalidCastException") }

csharp/ql/src/semmle/code/csharp/security/dataflow/XSS.qll

@@ -16,6 +16,7 @@ module XSS {
   import semmle.code.csharp.security.dataflow.flowsources.Remote
   private import semmle.code.csharp.dataflow.DataFlow2
   private import semmle.code.csharp.dataflow.TaintTracking2
+  private import semmle.code.csharp.dataflow.ExternalFlow
 
   /**
    * Holds if there is tainted flow from `source` to `sink` that may lead to a
@@ -119,6 +120,10 @@ module XSS {
     string explanation() { none() }
   }
 
+  private class ExternalXssSink extends Sink {
+    ExternalXssSink() { sinkNode(this, "xss") }
+  }
+
   /**
    * A data flow source for cross-site scripting (XSS) vulnerabilities.
    */
@@ -406,12 +411,9 @@ module XSS {
   /**
    * An expression passed as the `content` argument to the constructor of `StringContent`.
    */
-  private class StringContent extends Sink {
-    StringContent() {
-      this.getExpr() =
-        any(ObjectCreation oc |
-          oc.getTarget().getDeclaringType().hasQualifiedName("System.Net.Http", "StringContent")
-        ).getArgumentForName("content")
+  private class StringContentSinkModelCsv extends SinkModelCsv {
+    override predicate row(string row) {
+      row = ["System.Net.Http;StringContent;false;StringContent;;;Argument[0];xss"]
     }
   }
 }