SharpSerializer

edvraa · edvraa · commit 1e4409f9edf1 · 2021-07-12T13:22:20.000+03:00
diff --git a/csharp/ql/src/semmle/code/csharp/security/dataflow/UnsafeDeserialization.qll b/csharp/ql/src/semmle/code/csharp/security/dataflow/UnsafeDeserialization.qll
@@ -798,4 +798,18 @@ module UnsafeDeserialization {
       )
     }
   }
+
+  /** SharpSerializer */
+  private class SharpSerializerDeserializeMethodSink extends InstanceMethodSink {
+    SharpSerializerDeserializeMethodSink() {
+      exists(MethodCall mc, Method m |
+        m = mc.getTarget() and
+        (
+          not mc.getArgument(0).hasValue() and
+          m instanceof SharpSerializerClassDeserializeMethod
+        ) and
+        this.asExpr() = mc.getArgument(0)
+      )
+    }
+  }
 }
diff --git a/csharp/ql/src/semmle/code/csharp/serialization/Deserializers.qll b/csharp/ql/src/semmle/code/csharp/serialization/Deserializers.qll
@@ -63,6 +63,8 @@ class WeakTypeDeserializer extends Class {
     this instanceof ServiceStackTextCsvSerializerClass
     or
     this instanceof ServiceStackTextXmlSerializerClass
+    or
+    this instanceof SharpSerializerClass
   }
 }
 
@@ -624,3 +626,16 @@ class CsPicklerSerializerClassUnPickleOfStringMethod extends Method, UnsafeDeser
     this.hasName("UnPickleOfString")
   }
 }
+
+/** Polenter.Serialization.SharpSerializer */
+private class SharpSerializerClass extends Class {
+  SharpSerializerClass() { this.hasQualifiedName("Polenter.Serialization.SharpSerializer") }
+}
+
+/** `Polenter.Serialization.SharpSerializer.Deserialize` method */
+class SharpSerializerClassDeserializeMethod extends Method, UnsafeDeserializer {
+  SharpSerializerClassDeserializeMethod() {
+    this.getDeclaringType().getBaseClass*() instanceof SharpSerializerClass and
+    this.hasName("Deserialize")
+  }
+}

Original file line number	Diff line number	Diff line change
`@@ -798,4 +798,18 @@ module UnsafeDeserialization {`
`798`	`798`	`)`
`799`	`799`	`}`
`800`	`800`	`}`
	`801`	`+`
	`802`	`+ /** SharpSerializer */`
	`803`	`+ private class SharpSerializerDeserializeMethodSink extends InstanceMethodSink {`
	`804`	`+ SharpSerializerDeserializeMethodSink() {`
	`805`	`+ exists(MethodCall mc, Method m \|`
	`806`	`+ m = mc.getTarget() and`
	`807`	`+ (`
	`808`	`+ not mc.getArgument(0).hasValue() and`
	`809`	`+ m instanceof SharpSerializerClassDeserializeMethod`
	`810`	`+ ) and`
	`811`	`+ this.asExpr() = mc.getArgument(0)`
	`812`	`+ )`
	`813`	`+ }`
	`814`	`+ }`
`801`	`815`	`}`
Original file line number	Diff line number	Diff line change
`@@ -63,6 +63,8 @@ class WeakTypeDeserializer extends Class {`
`63`	`63`	`this instanceof ServiceStackTextCsvSerializerClass`
`64`	`64`	`or`
`65`	`65`	`this instanceof ServiceStackTextXmlSerializerClass`
	`66`	`+ or`
	`67`	`+ this instanceof SharpSerializerClass`
`66`	`68`	`}`
`67`	`69`	`}`
`68`	`70`
`@@ -624,3 +626,16 @@ class CsPicklerSerializerClassUnPickleOfStringMethod extends Method, UnsafeDeser`
`624`	`626`	`this.hasName("UnPickleOfString")`
`625`	`627`	`}`
`626`	`628`	`}`
	`629`	`+`
	`630`	`+/** Polenter.Serialization.SharpSerializer */`
	`631`	`+private class SharpSerializerClass extends Class {`
	`632`	`+ SharpSerializerClass() { this.hasQualifiedName("Polenter.Serialization.SharpSerializer") }`
	`633`	`+}`
	`634`	`+`
	`635`	+/** `Polenter.Serialization.SharpSerializer.Deserialize` method */
	`636`	`+class SharpSerializerClassDeserializeMethod extends Method, UnsafeDeserializer {`
	`637`	`+ SharpSerializerClassDeserializeMethod() {`
	`638`	`+ this.getDeclaringType().getBaseClass*() instanceof SharpSerializerClass and`
	`639`	`+ this.hasName("Deserialize")`
	`640`	`+ }`
	`641`	`+}`