
Commit 4ee5cc5

authored
Merge pull request github#6428 from hvitved/csharp/xss-nodes
C#: Add missing `nodes` predicate to XSS queries
2 parents 6471092 + 9eb3f28 commit 4ee5cc5


3 files changed

+58
-0
lines changed


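--- a/csharp/ql/src/semmle/code/csharp/security/dataflow/XSSQuery.qll
+++ b/csharp/ql/src/semmle/code/csharp/security/dataflow/XSSQuery.qll
@@ -53,6 +53,15 @@ module PathGraph {
 xssFlow(pred, succ, _) and
 pred instanceof XssAspNode
 }
+
+/** Holds if `n` is a node in the graph of data flow path explanations. */
+query predicate nodes(XssNode n, string key, string val) {
+DataFlow2::PathGraph::nodes(n.asDataFlowNode(), key, val)
+or
+xssFlow(n, n, _) and
+key = "semmle.label" and
+val = n.(XssAspNode).toString()
+}
 }
 
 private newtype TXssNode =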
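Review bot: The second disjunct of the added `nodes` predicate emits a `semmle.label` row for an ASP node only when `xssFlow(n, n, _)` relates the node to itself, and it narrows `n` through the inline cast `n.(XssAspNode)` instead of the explicit `pred instanceof XssAspNode` guard used in the context lines directly above, so the restriction is easy to overlook. If the predicate above (its head and the rest of `module PathGraph` lie outside the hunk) can ever relate an `XssAspNode` to a different successor, that node would appear in `edges` without a label and the XSS path explanation would render incompletely. The expected output only shows self-edges for `<%= ... %>`, so this is probably intentional, but it is not stated anywhere. I would extend the doc comment to say that `key`/`val` are the node's properties and that ASP nodes are labelled by this second branch, and write the guard as `n instanceof XssAspNode and` for symmetry with the predicate above.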

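--- a/csharp/ql/test/query-tests/Security Features/CWE-079/StoredXSS/XSS.expected
+++ b/csharp/ql/test/query-tests/Security Features/CWE-079/StoredXSS/XSS.expected
@@ -17,6 +17,33 @@ edges
 | script.aspx:12:1:12:14 | <%= ... %> | script.aspx:12:1:12:14 | <%= ... %> |
 | script.aspx:16:1:16:34 | <%= ... %> | script.aspx:16:1:16:34 | <%= ... %> |
 | script.aspx:20:1:20:41 | <%= ... %> | script.aspx:20:1:20:41 | <%= ... %> |
+nodes
+| XSS.cs:25:13:25:21 | [post] access to local variable userInput [element] : String | semmle.label | [post] access to local variable userInput [element] : String |
+| XSS.cs:25:48:25:62 | access to field categoryTextBox : TextBox | semmle.label | access to field categoryTextBox : TextBox |
+| XSS.cs:25:48:25:67 | access to property Text : String | semmle.label | access to property Text : String |
+| XSS.cs:26:32:26:40 | access to local variable userInput [element] : String | semmle.label | access to local variable userInput [element] : String |
+| XSS.cs:26:32:26:51 | call to method ToString | semmle.label | call to method ToString |
+| XSS.cs:27:29:27:37 | access to local variable userInput [element] : String | semmle.label | access to local variable userInput [element] : String |
+| XSS.cs:27:29:27:48 | call to method ToString | semmle.label | call to method ToString |
+| XSS.cs:28:26:28:34 | access to local variable userInput [element] : String | semmle.label | access to local variable userInput [element] : String |
+| XSS.cs:28:26:28:45 | call to method ToString | semmle.label | call to method ToString |
+| XSS.cs:37:27:37:53 | access to property QueryString : NameValueCollection | semmle.label | access to property QueryString : NameValueCollection |
+| XSS.cs:38:36:38:39 | access to local variable name | semmle.label | access to local variable name |
+| XSS.cs:57:27:57:65 | access to property QueryString : NameValueCollection | semmle.label | access to property QueryString : NameValueCollection |
+| XSS.cs:59:22:59:25 | access to local variable name | semmle.label | access to local variable name |
+| XSS.cs:75:27:75:53 | access to property QueryString : NameValueCollection | semmle.label | access to property QueryString : NameValueCollection |
+| XSS.cs:76:36:76:39 | access to local variable name | semmle.label | access to local variable name |
+| XSS.cs:78:28:78:42 | access to property Request : HttpRequestBase | semmle.label | access to property Request : HttpRequestBase |
+| XSS.cs:79:36:79:40 | access to local variable name2 | semmle.label | access to local variable name2 |
+| XSS.cs:85:27:85:53 | access to property QueryString : NameValueCollection | semmle.label | access to property QueryString : NameValueCollection |
+| XSS.cs:86:28:86:31 | access to local variable name | semmle.label | access to local variable name |
+| XSS.cs:87:31:87:34 | access to local variable name | semmle.label | access to local variable name |
+| XSS.cs:94:27:94:53 | access to property QueryString : NameValueCollection | semmle.label | access to property QueryString : NameValueCollection |
+| XSS.cs:95:31:95:34 | access to local variable name | semmle.label | access to local variable name |
+| XSS.cs:134:20:134:33 | access to property RawUrl | semmle.label | access to property RawUrl |
+| script.aspx:12:1:12:14 | <%= ... %> | semmle.label | <%= ... %> |
+| script.aspx:16:1:16:34 | <%= ... %> | semmle.label | <%= ... %> |
+| script.aspx:20:1:20:41 | <%= ... %> | semmle.label | <%= ... %> |
 #select
 | XSS.cs:26:32:26:51 | call to method ToString | XSS.cs:25:48:25:62 | access to field categoryTextBox : TextBox | XSS.cs:26:32:26:51 | call to method ToString | $@ flows to here and is written to HTML or JavaScript. | XSS.cs:25:48:25:62 | access to field categoryTextBox : TextBox | User-provided value |
 | XSS.cs:27:29:27:48 | call to method ToString | XSS.cs:25:48:25:62 | access to field categoryTextBox : TextBox | XSS.cs:27:29:27:48 | call to method ToString | $@ flows to here and is written to HTML or JavaScript. | XSS.cs:25:48:25:62 | access to field categoryTextBox : TextBox | User-provided value |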

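--- a/csharp/ql/test/query-tests/Security Features/CWE-079/XSS/XSS.expected
+++ b/csharp/ql/test/query-tests/Security Features/CWE-079/XSS/XSS.expected
@@ -12,6 +12,28 @@ edges
 | XSSAspNetCore.cs:61:44:61:63 | access to indexer : StringValues | XSSAspNetCore.cs:61:44:61:66 | access to indexer |
 | XSSAspNetCore.cs:72:51:72:65 | access to property Headers : IHeaderDictionary | XSSAspNetCore.cs:72:51:72:72 | access to indexer : StringValues |
 | XSSAspNetCore.cs:72:51:72:72 | access to indexer : StringValues | XSSAspNetCore.cs:72:51:72:72 | call to operator implicit conversion |
+nodes
+| XSSAspNet.cs:19:25:19:43 | access to property QueryString : NameValueCollection | semmle.label | access to property QueryString : NameValueCollection |
+| XSSAspNet.cs:26:30:26:34 | access to local variable sayHi | semmle.label | access to local variable sayHi |
+| XSSAspNet.cs:36:40:36:44 | access to local variable sayHi | semmle.label | access to local variable sayHi |
+| XSSAspNet.cs:43:28:43:46 | access to property QueryString : NameValueCollection | semmle.label | access to property QueryString : NameValueCollection |
+| XSSAspNet.cs:43:28:43:55 | access to indexer | semmle.label | access to indexer |
+| XSSAspNetCore.cs:21:52:21:64 | access to property Query : IQueryCollection | semmle.label | access to property Query : IQueryCollection |
+| XSSAspNetCore.cs:21:52:21:76 | access to indexer : StringValues | semmle.label | access to indexer : StringValues |
+| XSSAspNetCore.cs:21:52:21:76 | call to operator implicit conversion | semmle.label | call to operator implicit conversion |
+| XSSAspNetCore.cs:40:56:40:58 | foo : String | semmle.label | foo : String |
+| XSSAspNetCore.cs:44:51:44:53 | access to parameter foo | semmle.label | access to parameter foo |
+| XSSAspNetCore.cs:51:43:51:67 | access to property Value | semmle.label | access to property Value |
+| XSSAspNetCore.cs:58:43:58:55 | access to property Query : IQueryCollection | semmle.label | access to property Query : IQueryCollection |
+| XSSAspNetCore.cs:58:43:58:62 | access to indexer : StringValues | semmle.label | access to indexer : StringValues |
+| XSSAspNetCore.cs:58:43:58:73 | call to method ToString | semmle.label | call to method ToString |
+| XSSAspNetCore.cs:61:44:61:56 | access to property Query : IQueryCollection | semmle.label | access to property Query : IQueryCollection |
+| XSSAspNetCore.cs:61:44:61:63 | access to indexer : StringValues | semmle.label | access to indexer : StringValues |
+| XSSAspNetCore.cs:61:44:61:66 | access to indexer | semmle.label | access to indexer |
+| XSSAspNetCore.cs:69:43:69:61 | access to property ContentType | semmle.label | access to property ContentType |
+| XSSAspNetCore.cs:72:51:72:65 | access to property Headers : IHeaderDictionary | semmle.label | access to property Headers : IHeaderDictionary |
+| XSSAspNetCore.cs:72:51:72:72 | access to indexer : StringValues | semmle.label | access to indexer : StringValues |
+| XSSAspNetCore.cs:72:51:72:72 | call to operator implicit conversion | semmle.label | call to operator implicit conversion |
 #select
 | XSSAspNet.cs:26:30:26:34 | access to local variable sayHi | XSSAspNet.cs:19:25:19:43 | access to property QueryString : NameValueCollection | XSSAspNet.cs:26:30:26:34 | access to local variable sayHi | $@ flows to here and is written to HTML or JavaScript: System.Web.WebPages.WebPage.WriteLiteral() method. | XSSAspNet.cs:19:25:19:43 | access to property QueryString : NameValueCollection | User-provided value |
 | XSSAspNet.cs:36:40:36:44 | access to local variable sayHi | XSSAspNet.cs:19:25:19:43 | access to property QueryString : NameValueCollection | XSSAspNet.cs:36:40:36:44 | access to local variable sayHi | $@ flows to here and is written to HTML or JavaScript: System.Web.WebPages.WebPage.WriteLiteralTo() method. | XSSAspNet.cs:19:25:19:43 | access to property QueryString : NameValueCollection | User-provided value |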
