Merge pull request github#12648 from michaelnebel/csharp/cs-web-debug-binary

michaelnebel · web-flow · commit 730848cee88f · 2023-03-28T09:40:46.000+02:00
C#: Improve cs/web/debug-binary to repect the RemoveAttributes transformation.
diff --git a/csharp/ql/lib/semmle/code/asp/WebConfig.qll b/csharp/ql/lib/semmle/code/asp/WebConfig.qll
@@ -11,6 +11,13 @@ class WebConfigXml extends XmlFile {
   WebConfigXml() { this.getName().matches("%Web.config") }
 }
 
+/**
+ * A `Web.config` transformation file.
+ */
+class WebConfigReleaseTransformXml extends XmlFile {
+  WebConfigReleaseTransformXml() { this.getName().matches("%Web.Release.config") }
+}
+
 /** DEPRECATED: Alias for WebConfigXml */
 deprecated class WebConfigXML = WebConfigXml;
 
@@ -19,6 +26,11 @@ class ConfigurationXmlElement extends XmlElement {
   ConfigurationXmlElement() { this.getName().toLowerCase() = "configuration" }
 }
 
+/** A `<compilation>` tag in an ASP.NET configuration file. */
+class CompilationXmlElement extends XmlElement {
+  CompilationXmlElement() { this.getName().toLowerCase() = "compilation" }
+}
+
 /** DEPRECATED: Alias for ConfigurationXmlElement */
 deprecated class ConfigurationXMLElement = ConfigurationXmlElement;
 
@@ -149,3 +161,15 @@ class HttpCookiesElement extends XmlElement {
   /** DEPRECATED: Alias for isRequireSsl */
   deprecated predicate isRequireSSL() { this.isRequireSsl() }
 }
+
+/** A `Transform` attribute in a Web.config transformation file. */
+class TransformXmlAttribute extends XmlAttribute {
+  TransformXmlAttribute() { this.getName().toLowerCase() = "transform" }
+
+  /**
+   * Gets the list of attribute removals in `Transform=RemoveAttributes(list)`.
+   */
+  string getRemoveAttributes() {
+    result = this.getValue().regexpCapture("RemoveAttributes\\((.*)\\)", 1).splitAt(",")
+  }
+}
diff --git a/csharp/ql/src/Security Features/CWE-011/ASPNetDebug.ql b/csharp/ql/src/Security Features/CWE-011/ASPNetDebug.ql
@@ -19,6 +19,17 @@ import semmle.code.asp.WebConfig
 
 from SystemWebXmlElement web, XmlAttribute debugAttribute
 where
-  debugAttribute = web.getAChild("compilation").getAttribute("debug") and
-  not debugAttribute.getValue().toLowerCase() = "false"
+  exists(CompilationXmlElement compilation | compilation.getParent() = web |
+    debugAttribute = compilation.getAttribute("debug") and
+    not debugAttribute.getValue().toLowerCase() = "false"
+  ) and
+  not exists(
+    TransformXmlAttribute attribute, CompilationXmlElement compilation,
+    WebConfigReleaseTransformXml file
+  |
+    compilation = attribute.getElement() and
+    file = compilation.getFile() and
+    attribute.getRemoveAttributes() = "debug" and
+    file.getParentContainer() = web.getFile().getParentContainer()
+  )
 select debugAttribute, "The 'debug' flag is set for an ASP.NET configuration file."
diff --git a/csharp/ql/src/change-notes/2023-03-23-cs-web-debug-binary.md b/csharp/ql/src/change-notes/2023-03-23-cs-web-debug-binary.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The query `cs/web/debug-binary` now disregards the `debug` attribute in case there is a transformation that removes it.
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-011/ASPNetDebug.expected b/csharp/ql/test/query-tests/Security Features/CWE-011/ASPNetDebug.expected
@@ -1 +1,2 @@
-| bad/Web.config:4:5:7:7 | debug=true | The 'debug' flag is set for an ASP.NET configuration file. |
+| bad1/Web.config:4:5:7:7 | debug=true | The 'debug' flag is set for an ASP.NET configuration file. |
+| bad2/Web.config:4:5:7:7 | debug=true | The 'debug' flag is set for an ASP.NET configuration file. |
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-011/bad1/Web.config b/csharp/ql/test/query-tests/Security Features/CWE-011/bad1/Web.config
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-011/bad2/Web.Debug.config b/csharp/ql/test/query-tests/Security Features/CWE-011/bad2/Web.Debug.config
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
+  <system.web>
+    <compilation xdt:Transform="RemoveAttributes(debug)" />
+  </system.web>
+</configuration>
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-011/bad2/Web.config b/csharp/ql/test/query-tests/Security Features/CWE-011/bad2/Web.config
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<configuration>
+  <system.web>
+    <compilation
+      defaultLanguage="c#"
+      debug="true"
+    />
+  </system.web>
+</configuration>
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-011/good1/Web.config b/csharp/ql/test/query-tests/Security Features/CWE-011/good1/Web.config
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-011/good2/Web.Release.config b/csharp/ql/test/query-tests/Security Features/CWE-011/good2/Web.Release.config
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
+  <system.web>
+    <compilation xdt:Transform="RemoveAttributes(debug)" />
+  </system.web>
+</configuration>
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-011/good2/Web.config b/csharp/ql/test/query-tests/Security Features/CWE-011/good2/Web.config
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<configuration>
+  <system.web>
+    <compilation
+      defaultLanguage="c#"
+      debug="true"
+    />
+  </system.web>
+</configuration>

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: minorAnalysis
 +---
 +* The query `cs/web/debug-binary` now disregards the `debug` attribute in case there is a transformation that removes it.
Original file line number	Diff line number	Diff line change
`@@ -1 +1,2 @@`
`1`		`-\| bad/Web.config:4:5:7:7 \| debug=true \| The 'debug' flag is set for an ASP.NET configuration file. \|`
	`1`	`+\| bad1/Web.config:4:5:7:7 \| debug=true \| The 'debug' flag is set for an ASP.NET configuration file. \|`
	`2`	`+\| bad2/Web.config:4:5:7:7 \| debug=true \| The 'debug' flag is set for an ASP.NET configuration file. \|`