Using CodeQL AutoFormat

Author: raulgarciamsft

csharp/ql/src/experimental/Security Features/Serialization/DataSetSerialization.qll

@@ -3,14 +3,13 @@
  *
  * Please visit https://go.microsoft.com/fwlink/?linkid=2132227 for details.
  */
- 
- import csharp
+
+import csharp
 
 /**
  * Abstract class that depends or inherits from `DataSet` or `DataTable` types.
  */
-abstract class DataSetOrTableRelatedClass extends Class {
-}
+abstract class DataSetOrTableRelatedClass extends Class { }
 
 /**
  * `DataSet`, `DataTable` types, or any types derived from them.
@@ -27,14 +26,13 @@ class DataSetOrTable extends DataSetOrTableRelatedClass {
  */
 class ClassWithDataSetOrTableMember extends DataSetOrTableRelatedClass {
   ClassWithDataSetOrTableMember() {
-    exists( Property p |
-      p = this.getAProperty() |
-      p.getType() instanceof DataSetOrTable
-    ) or this.getAMember().(AssignableMember).getType() instanceof DataSetOrTable
-    or exists( Property p |
-      p = this.getAProperty() |
+    exists(Property p | p = this.getAProperty() | p.getType() instanceof DataSetOrTable)
+    or
+    this.getAMember().(AssignableMember).getType() instanceof DataSetOrTable
+    or
+    exists(Property p | p = this.getAProperty() |
       p.getType() instanceof DataSetOrTable or
-      p.getType().(ConstructedGeneric).getATypeArgument() instanceof DataSetOrTable 
+      p.getType().(ConstructedGeneric).getATypeArgument() instanceof DataSetOrTable
     )
   }
 }
@@ -48,11 +46,14 @@ class SerializableClass extends Class {
       this.getABaseType*().getQualifiedName() = "System.Xml.Serialization.XmlSerializer" or
       this.getABaseInterface*().getQualifiedName() = "System.Runtime.Serialization.ISerializable" or
       this.getABaseType*().getQualifiedName() = "System.Runtime.Serialization.XmlObjectSerializer" or
-      this.getABaseInterface*().getQualifiedName() = "System.Runtime.Serialization.ISerializationSurrogateProvider" or
-      this.getABaseType*().getQualifiedName() = "System.Runtime.Serialization.XmlSerializableServices" or
+      this.getABaseInterface*().getQualifiedName() =
+        "System.Runtime.Serialization.ISerializationSurrogateProvider" or
+      this.getABaseType*().getQualifiedName() =
+        "System.Runtime.Serialization.XmlSerializableServices" or
       this.getABaseInterface*().getQualifiedName() = "System.Xml.Serialization.IXmlSerializable"
-    ) or exists( Attribute a |
-      a = this.getAnAttribute() |
+    )
+    or
+    exists(Attribute a | a = this.getAnAttribute() |
       a.getType().getQualifiedName().toString() = "System.SerializableAttribute"
     )
   }
@@ -61,14 +62,14 @@ class SerializableClass extends Class {
 /**
  * Holds if the serializable class `c` has a property or field `m` that is of `DataSet` or `DataTable` related type
  */
-predicate isClassUnsafeXmlSerializerImplementation( SerializableClass c, Member m) {
-  exists( Property p |
-    m = p |
+predicate isClassUnsafeXmlSerializerImplementation(SerializableClass c, Member m) {
+  exists(Property p | m = p |
     p = c.getAProperty() and
     p.getType() instanceof DataSetOrTableRelatedClass
-  ) or exists ( AssignableMember am |
-    am = m |
-    ( am = c.getAField() or am = c.getAMember() ) and
+  )
+  or
+  exists(AssignableMember am | am = m |
+    (am = c.getAField() or am = c.getAMember()) and
     am.getType() instanceof DataSetOrTableRelatedClass
   )
 }
@@ -77,26 +78,25 @@ predicate isClassUnsafeXmlSerializerImplementation( SerializableClass c, Member
  * Serializable class that has a property or field that is of `DataSet` or `DataTable` related type
  */
 class UnsafeXmlSerializerImplementation extends SerializableClass {
-  UnsafeXmlSerializerImplementation() {
-    isClassUnsafeXmlSerializerImplementation( this, _ )
-  }
+  UnsafeXmlSerializerImplementation() { isClassUnsafeXmlSerializerImplementation(this, _) }
 }
 
 /**
  * Method that may be unsafe when used to deserialize DataSet and DataTable related types
  */
 class UnsafeXmlReadMethod extends Method {
   UnsafeXmlReadMethod() {
-    this.getQualifiedName().toString() = "System.Data.DataTable.ReadXml" or
-    this.getQualifiedName().toString() = "System.Data.DataTable.ReadXmlSchema" or
-    this.getQualifiedName().toString() = "System.Data.DataSet.ReadXml" or
-    this.getQualifiedName().toString() = "System.Data.DataSet.ReadXmlSchema" or
-    ( 
-      this.getName().matches("ReadXml%") and
-      exists( Class c |
-        c.getAMethod() = this |
-        c.getABaseType*() instanceof DataSetOrTableRelatedClass 
-      )
+    this.getQualifiedName().toString() = "System.Data.DataTable.ReadXml"
+    or
+    this.getQualifiedName().toString() = "System.Data.DataTable.ReadXmlSchema"
+    or
+    this.getQualifiedName().toString() = "System.Data.DataSet.ReadXml"
+    or
+    this.getQualifiedName().toString() = "System.Data.DataSet.ReadXmlSchema"
+    or
+    this.getName().matches("ReadXml%") and
+    exists(Class c | c.getAMethod() = this |
+      c.getABaseType*() instanceof DataSetOrTableRelatedClass
     )
   }
 }
@@ -105,9 +105,5 @@ class UnsafeXmlReadMethod extends Method {
  * MethodCall that may be unsafe when used to deserialize DataSet and DataTable related types
  */
 class UnsafeXmlReadMethodCall extends MethodCall {
-  UnsafeXmlReadMethodCall() {
-    exists( UnsafeXmlReadMethod uxrm |
-      uxrm.getACall() = this 
-    )
-  }
+  UnsafeXmlReadMethodCall() { exists(UnsafeXmlReadMethod uxrm | uxrm.getACall() = this) }
 }

csharp/ql/src/experimental/Security Features/Serialization/DefiningDatasetRelatedType.ql

@@ -12,4 +12,5 @@ import DataSetSerialization
 
 from DataSetOrTableRelatedClass dstc
 where dstc.fromSource()
-select dstc, "Defining a class that inherits or has a property derived from the obsolete DataSet or DataTable types. Please visit https://go.microsoft.com/fwlink/?linkid=2132227 for details."
+select dstc,
+  "Defining a class that inherits or has a property derived from the obsolete DataSet or DataTable types. Please visit https://go.microsoft.com/fwlink/?linkid=2132227 for details."

csharp/ql/src/experimental/Security Features/Serialization/DefiningPotentiallyUnsafeXmlSerializer.ql

@@ -1,5 +1,5 @@
 /**
- * @name Defining a potentially unsafe XML serializer 
+ * @name Defining a potentially unsafe XML serializer
  * @description Defining an XML serializable class that includes members that derive from dataSet or DataTable type may lead to a security problem. Please visit https://go.microsoft.com/fwlink/?linkid=2132227 for details.
  * @kind problem
  * @problem.severity error
@@ -12,8 +12,9 @@ import csharp
 import DataSetSerialization
 
 from UnsafeXmlSerializerImplementation c, Member m
-where c.fromSource() and 
-  isClassUnsafeXmlSerializerImplementation( c, m)
-select m, "Defining an serializable class $@ that has member $@ of a type that is derived from DataSet or DataTable types and may lead to a security problem. Please visit https://go.microsoft.com/fwlink/?linkid=2132227 for details.",
-  c, c.toString(),
-  m, m.toString()
+where
+  c.fromSource() and
+  isClassUnsafeXmlSerializerImplementation(c, m)
+select m,
+  "Defining an serializable class $@ that has member $@ of a type that is derived from DataSet or DataTable types and may lead to a security problem. Please visit https://go.microsoft.com/fwlink/?linkid=2132227 for details.",
+  c, c.toString(), m, m.toString()

csharp/ql/src/experimental/Security Features/Serialization/UnsafeTypeUsedDataContractSerializer.ql

@@ -11,40 +11,33 @@
 import csharp
 import DataSetSerialization
 
-predicate xmlSerializerConstructorArgument (Expr e) {
-  exists (ObjectCreation oc, Constructor c |
-    e = oc.getArgument(0) |
+predicate xmlSerializerConstructorArgument(Expr e) {
+  exists(ObjectCreation oc, Constructor c | e = oc.getArgument(0) |
     c = oc.getTarget() and
-    ( 
-      c.getDeclaringType().getABaseType*().hasQualifiedName("System.Xml.Serialization.XmlSerializer")
-    )
+    c.getDeclaringType().getABaseType*().hasQualifiedName("System.Xml.Serialization.XmlSerializer")
   )
 }
 
-predicate unsafeDataContractTypeCreation (Expr e) {
-  exists(MethodCall gt | 
+predicate unsafeDataContractTypeCreation(Expr e) {
+  exists(MethodCall gt |
     gt.getTarget().getName() = "GetType" and
     e = gt and
     gt.getQualifier().getType() instanceof DataSetOrTableRelatedClass
-  ) or
+  )
+  or
   e.(TypeofExpr).getTypeAccess().getTarget() instanceof DataSetOrTableRelatedClass
 }
 
 class Conf extends DataFlow::Configuration {
-  Conf() {
-    this = "FlowToDataSerializerConstructor" 
-  }
-  
-  override predicate isSource(DataFlow::Node node) {
-    unsafeDataContractTypeCreation(node.asExpr())
-    }
-  
-  override predicate isSink(DataFlow::Node node) {
-      xmlSerializerConstructorArgument (node.asExpr())
-    }
-}
+  Conf() { this = "FlowToDataSerializerConstructor" }
 
+  override predicate isSource(DataFlow::Node node) { unsafeDataContractTypeCreation(node.asExpr()) }
+
+  override predicate isSink(DataFlow::Node node) { xmlSerializerConstructorArgument(node.asExpr()) }
+}
 
 from Conf conf, DataFlow::Node source, DataFlow::Node sink
 where conf.hasFlow(source, sink)
-select sink, "Unsafe type is used in data contract serializer. Make sure $@ comes from the trusted source.", source, source.toString()
+select sink,
+  "Unsafe type is used in data contract serializer. Make sure $@ comes from the trusted source.",
+  source, source.toString()

csharp/ql/src/experimental/Security Features/Serialization/XmlDeserializationWithDataSet.ql

@@ -12,5 +12,6 @@ import csharp
 import DataSetSerialization
 
 from UnsafeXmlReadMethodCall mc
-where exists( Method m | m.getACall() = mc )
-select mc, "Making an XML deserialization call with a type derived from DataSet or DataTable types and may lead to a security problem. Please visit https://go.microsoft.com/fwlink/?linkid=2132227 for details."
+where exists(Method m | m.getACall() = mc)
+select mc,
+  "Making an XML deserialization call with a type derived from DataSet or DataTable types and may lead to a security problem. Please visit https://go.microsoft.com/fwlink/?linkid=2132227 for details."