Queries to help on the detection based on misuse of DataSet and DataTable serialization that could lead to security problems.

https://go.microsoft.com/fwlink/?linkid=2132227

Author: raulgarciamsft

csharp/ql/src/Security Features/Serialization/DataSetSerialization.qhelp

@@ -0,0 +1,20 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>The <code>DataSet</code> and <code>DataTable</code> types are legacy .NET components that allow representing data sets as managed objects.<p>
+
+
+</overview>
+<recommendation>
+
+<p>Please review the <a href="https://go.microsoft.com/fwlink/?linkid=2132227">DataSet and DataTable security guidance</a> before makign use of these types for serialization.</p>
+
+</recommendation>
+<references>
+
+<li>Microsoft Docs<a href="https://go.microsoft.com/fwlink/?linkid=2132227">DataSet and DataTable security guidance</a>.</li>
+
+</references>
+</qhelp>

csharp/ql/src/Security Features/Serialization/DataSetSerialization.qll

@@ -0,0 +1,110 @@
+import csharp
+
+/**
+ * Abstract class thats depnds or inherits from DataSet and DataTable types.
+ **/
+abstract class DataSetOrTableRelatedClass extends Class {
+}
+
+/**
+ * Gets the DataSet and DataTable types, or types derived from them.
+ **/
+class DataSetOrTable extends DataSetOrTableRelatedClass {
+  DataSetOrTable() {
+    this.getABaseType*().getQualifiedName().matches("System.Data.DataTable") or
+    this.getABaseType*().getQualifiedName().matches("System.Data.DataSet") or
+    this.getQualifiedName().matches("System.Data.DataTable") or
+    this.getQualifiedName().matches("System.Data.DataSet")
+  }
+}
+
+/**
+ * Gets a class that include a property or generic of type DataSet and DataTable
+ */
+class ClassWithDataSetOrTableMember extends DataSetOrTableRelatedClass {
+  ClassWithDataSetOrTableMember() {
+    exists( Property p |
+      p = this.getAProperty() |
+      p.getType() instanceof DataSetOrTable
+    ) or exists ( AssignableMember am |
+      am = this.getAField() or
+      am = this.getAMember() |
+      am.getType() instanceof DataSetOrTable
+    ) or exists( Property p |
+      p = this.getAProperty() |
+      p.getType() instanceof DataSetOrTable or
+      p.getType().(ConstructedGeneric).getATypeArgument() instanceof DataSetOrTable 
+    )
+  }
+}
+
+/**
+ * Serializable types
+ */
+class SerializableClass extends Class {
+  SerializableClass() {
+    (
+      this.getABaseType*().getQualifiedName().matches("System.Xml.Serialization.XmlSerializer") or
+      this.getABaseInterface*().getQualifiedName().matches("System.Runtime.Serialization.ISerializable") or
+      this.getABaseType*().getQualifiedName().matches("System.Runtime.Serialization.XmlObjectSerializer") or
+      this.getABaseInterface*().getQualifiedName().matches("System.Runtime.Serialization.ISerializationSurrogateProvider") or
+      this.getABaseType*().getQualifiedName().matches("System.Runtime.Serialization.XmlSerializableServices") or
+      this.getABaseInterface*().getQualifiedName().matches("System.Xml.Serialization.IXmlSerializable")
+    ) or exists( Attribute a |
+      a = this.getAnAttribute() |
+      a.getType().getQualifiedName().toString() = "System.SerializableAttribute"
+    )
+  }
+}
+
+predicate isClassUnsafeXmlSerializerImplementation( SerializableClass c, Member m) {
+  exists( Property p |
+    m = p |
+    p = c.getAProperty() and
+    p.getType() instanceof DataSetOrTableRelatedClass
+  ) or exists ( AssignableMember am |
+    am = m |
+    ( am = c.getAField() or am = c.getAMember() ) and
+    am.getType() instanceof DataSetOrTableRelatedClass
+  )
+}
+
+/**
+ * It is unsafe to serilize DataSet and DataTable related types
+ */
+class UnsafeXmlSerializerImplementation extends SerializableClass {
+  UnsafeXmlSerializerImplementation() {
+    isClassUnsafeXmlSerializerImplementation( this, _ )
+  }
+}
+
+/**
+ * Method that may be unsafe when used to serialize DataSet and DataTable related types
+ */
+class UnsafeXmlReadMethod extends Method {
+  UnsafeXmlReadMethod() {
+    this.getQualifiedName().toString() = "System.Data.DataTable.ReadXml" or
+    this.getQualifiedName().toString() = "System.Data.DataTable.ReadXmlSchema" or
+    this.getQualifiedName().toString() = "System.Data.DataSet.ReadXml" or
+    this.getQualifiedName().toString() = "System.Data.DataSet.ReadXmlSchema" or
+    ( 
+      this.getName().matches("ReadXml%") and
+      exists( Class c |
+        c.getAMethod() = this |
+        c.getABaseType*() instanceof DataSetOrTableRelatedClass or
+        c.getABaseType*() instanceof DataSetOrTableRelatedClass
+      )
+    )
+  }
+}
+
+/**
+ * MethodCal that may be unsafe when used to serialize DataSet and DataTable related types
+ */
+class UnsafeXmlReadMethodCall extends MethodCall {
+  UnsafeXmlReadMethodCall() {
+    exists( UnsafeXmlReadMethod uxrm |
+      uxrm.getACall() = this 
+    )
+  }
+}

csharp/ql/src/Security Features/Serialization/DefiningDatasetRelatedType.qhelp

@@ -0,0 +1,5 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<include src="DataSetSerialization.qhelp" /></qhelp>

csharp/ql/src/Security Features/Serialization/DefiningDatasetRelatedType.ql

@@ -0,0 +1,15 @@
+/**
+ * @name Defining a class that inherits or has a property derived from the obsolete DataSet or DataTable types
+ * @description Defining a class that inherits or has a property derived from the obsolete DataSet or DataTable types may lead to the usage of dangerous functionality. Please visit https://go.microsoft.com/fwlink/?linkid=2132227 for details.
+ * @kind problem
+ * @problem.severity warning
+ * @id cs/dataset-serialization/defining-dataset-related-type
+ * @tags security
+ */
+
+import csharp
+import DataSetSerialization
+
+from DataSetOrTableRelatedClass dstc
+where dstc.fromSource()
+select dstc, "Defining a class that inherits or has a property derived from the obsolete DataSet or DataTable types. Please visit https://go.microsoft.com/fwlink/?linkid=2132227 for details."

csharp/ql/src/Security Features/Serialization/DefiningPotentiallyUnsafeXmlSerialization.qhelp

@@ -0,0 +1,5 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<include src="DataSetSerialization.qhelp" /></qhelp>

csharp/ql/src/Security Features/Serialization/DefiningPotentiallyUnsafeXmlSerializer.ql

@@ -0,0 +1,19 @@
+/**
+ * @name Defining a potentially unsafe XML serializer 
+ * @description Defining an XML serializable class that includes members that derive from dataSet or DataTable type may lead to a security problem. Please visit https://go.microsoft.com/fwlink/?linkid=2132227 for details.
+ * @kind problem
+ * @problem.severity error
+ * @precision medium
+ * @id cs/dataset-serialization/defining-potentially-unsafe-xml-serializer
+ * @tags security
+ */
+
+import csharp
+import DataSetSerialization
+
+from UnsafeXmlSerializerImplementation c, Member m
+where c.fromSource() and 
+  isClassUnsafeXmlSerializerImplementation( c, m)
+select m, "Defining an serializable class $@ that has member $@ of a type that is derived from DataSet or DataTable types and may lead to a security problem. Please visit https://go.microsoft.com/fwlink/?linkid=2132227 for details.",
+  c, c.toString(),
+  m, m.toString()

csharp/ql/src/Security Features/Serialization/UnsafeTypeUsedDataContractSerializer.qhelp

@@ -0,0 +1,5 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<include src="DataSetSerialization.qhelp" /></qhelp>

csharp/ql/src/Security Features/Serialization/UnsafeTypeUsedDataContractSerializer.ql

@@ -0,0 +1,55 @@
+/**
+ * @name Unsafe type is used in data contract serializer
+ * @description Unsafe type is used in data contract serializer. Please visit https://go.microsoft.com/fwlink/?linkid=2132227 for details."
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @id cs/dataset-serialization/unsafe-type-used-data-contract-serializer
+ * @tags security
+ */
+
+import csharp
+import DataSetSerialization
+
+predicate isClassDependingOnDataSetOrTable( Class c ) {
+  c instanceof DataSetOrTableRelatedClass
+}
+
+predicate xmlSerializerConstructorTypeParameter (Expr e) {
+  exists (ObjectCreation oc, Constructor c |
+    e = oc.getArgument(0) |
+    c = oc.getTarget() and
+    ( 
+      c.getDeclaringType().hasQualifiedName("System.Xml.Serialization.XmlSerializer") or
+      c.getDeclaringType().getABaseType*().hasQualifiedName("System.Xml.Serialization.XmlSerializer")
+    )
+  )
+}
+
+predicate unsafeDataContractTypeCreation (Expr e) {
+  exists(MethodCall gt | 
+    gt.getTarget().getName() = "GetType" and
+    e = gt and
+    isClassDependingOnDataSetOrTable(gt.getQualifier().getType())
+  ) or
+  isClassDependingOnDataSetOrTable(e.(TypeofExpr).getTypeAccess().getTarget())
+}
+
+class Conf extends DataFlow::Configuration {
+  Conf() {
+    this = "FlowToDataSerializerConstructor" 
+  }
+  
+  override predicate isSource(DataFlow::Node node) {
+    unsafeDataContractTypeCreation(node.asExpr())
+    }
+  
+  override predicate isSink(DataFlow::Node node) {
+      xmlSerializerConstructorTypeParameter (node.asExpr())
+    }
+}
+
+
+from Conf conf, DataFlow::Node source, DataFlow::Node sink
+where conf.hasFlow(source, sink)
+select sink, "Unsafe type is used in data contract serializer. Make sure $@ comes from the trusted source.", source, source.toString()

csharp/ql/src/Security Features/Serialization/XmlDeserializationWithDataSet.qhelp

@@ -0,0 +1,5 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<include src="DataSetSerialization.qhelp" /></qhelp>

csharp/ql/src/Security Features/Serialization/XmlDeserializationWithDataSet.ql

@@ -0,0 +1,16 @@
+/**
+ * @name XML deserialization with a type type derived from DataSet or DataTable
+ * @description Making an XML deserialization call with a type derived from DataSet or DataTable types and may lead to a security problem. Please visit https://go.microsoft.com/fwlink/?linkid=2132227 for details."
+ * @kind problem
+ * @problem.severity error
+ * @precision medium
+ * @id cs/dataset-serialization/xml-deserialization-with-dataset
+ * @tags security
+ */
+
+import csharp
+import DataSetSerialization
+
+from UnsafeXmlReadMethodCall mc, Method m
+where m.getACall() = mc
+select mc, "Making an XML deserialization call with a type derived from DataSet or DataTable types and may lead to a security problem. Please visit https://go.microsoft.com/fwlink/?linkid=2132227 for details."