C#: Add Dapper stub and new SqlInjection test cases

tamasvajk · tamasvajk · commit 98001c494f26 · 2021-04-06T13:30:31.000+02:00
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-089/SqlInjection.cs b/csharp/ql/test/query-tests/Security Features/CWE-089/SqlInjection.cs
@@ -1,4 +1,4 @@
-// semmle-extractor-options: /r:System.ComponentModel.Primitives.dll /r:System.ComponentModel.TypeConverter.dll /r:System.Data.Common.dll ${testdir}/../../../resources/stubs/EntityFramework.cs ${testdir}/../../../resources/stubs/System.Data.cs ${testdir}/../../../resources/stubs/System.Windows.cs
+// semmle-extractor-options: /r:System.ComponentModel.Primitives.dll /r:System.ComponentModel.TypeConverter.dll /r:System.Data.Common.dll ${testdir}/../../../resources/stubs/EntityFramework.cs ${testdir}/../../../resources/stubs/System.Data.cs ${testdir}/../../../resources/stubs/System.Windows.cs ${testdir}/../../../resources/stubs/Dapper.cs /r:System.Linq.Expressions.dll
 
 using System;
 
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-089/SqlInjectionDapper.cs b/csharp/ql/test/query-tests/Security Features/CWE-089/SqlInjectionDapper.cs
@@ -0,0 +1,84 @@
+using System;
+
+namespace Test
+{
+    using System.Data;
+    using System.Data.Entity;
+    using System.Data.SqlClient;
+    using System.Web.UI.WebControls;
+    using System.Threading.Tasks;
+    using Dapper;
+
+    class SqlInjectionDapper
+    {
+        string connectionString;
+
+        public void Bad01()
+        {
+            using (var connection = new SqlConnection(connectionString))
+            {
+                var query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + box1.Text + "' ORDER BY PRICE";
+                var result = connection.Query<object>(query);
+            }
+        }
+
+        public async Task Bad02()
+        {
+            using (var connection = new SqlConnection(connectionString))
+            {
+                var query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + box1.Text + "' ORDER BY PRICE";
+                var result = await connection.QueryAsync<object>(query);
+            }
+        }
+
+        public async Task Bad03()
+        {
+            using (var connection = new SqlConnection(connectionString))
+            {
+                var query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + box1.Text + "' ORDER BY PRICE";
+                var result = await connection.QueryFirstAsync(query);
+            }
+        }
+
+        public async Task Bad04()
+        {
+            using (var connection = new SqlConnection(connectionString))
+            {
+                var query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + box1.Text + "' ORDER BY PRICE";
+
+                await connection.ExecuteAsync(query);
+            }
+        }
+
+        public void Bad05()
+        {
+            using (var connection = new SqlConnection(connectionString))
+            {
+                var query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + box1.Text + "' ORDER BY PRICE";
+                connection.ExecuteScalar(query);
+            }
+        }
+
+        public void Bad06()
+        {
+            using (var connection = new SqlConnection(connectionString))
+            {
+                var query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + box1.Text + "' ORDER BY PRICE";
+                connection.ExecuteReader(query);
+            }
+        }
+
+        public async Task Bad07()
+        {
+            using (var connection = new SqlConnection(connectionString))
+            {
+                var query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + box1.Text + "' ORDER BY PRICE";
+
+                var comDef = new CommandDefinition(query);
+                var result = await connection.QueryFirstAsync(comDef);
+            }
+        }
+
+        System.Windows.Forms.TextBox box1;
+    }
+}
diff --git a/csharp/ql/test/resources/stubs/Dapper.cs b/csharp/ql/test/resources/stubs/Dapper.cs
@@ -0,0 +1,34 @@
+// This file contains auto-generated code.
+// original-extractor-options: /r:Dapper.dll /r:System.Data.SqlClient.dll ...
+
+namespace Dapper
+{
+    // Generated from `Dapper.CommandDefinition` in `Dapper, Version=2.0.0.0, Culture=neutral, PublicKeyToken=null`
+    public struct CommandDefinition
+    {
+        public CommandDefinition(string commandText, object parameters = null, System.Data.IDbTransaction transaction = null, int? commandTimeout = null, System.Data.CommandType? commandType = null, Dapper.CommandFlags flags = CommandFlags.Buffered, System.Threading.CancellationToken cancellationToken = default) => throw null;
+    }
+
+    // Generated from `Dapper.CommandFlags` in `Dapper, Version=2.0.0.0, Culture=neutral, PublicKeyToken=null`
+    [System.Flags]
+    public enum CommandFlags
+    {
+        None = 0x0,
+        Buffered = 0x1,
+        Pipelined = 0x2,
+        NoCache = 0x4
+    }
+
+    // Generated from `Dapper.SqlMapper` in `Dapper, Version=2.0.0.0, Culture=neutral, PublicKeyToken=null`
+    static public class SqlMapper
+    {
+        public static System.Collections.Generic.IEnumerable<T> Query<T>(this System.Data.IDbConnection cnn, string sql, object param = null, System.Data.IDbTransaction transaction = null, bool buffered = true, int? commandTimeout = null, System.Data.CommandType? commandType = null) => throw null;
+        public static System.Data.IDataReader ExecuteReader(this System.Data.IDbConnection cnn, string sql, object param = null, System.Data.IDbTransaction transaction = null, int? commandTimeout = null, System.Data.CommandType? commandType = null) => throw null;
+        public static System.Threading.Tasks.Task<System.Collections.Generic.IEnumerable<T>> QueryAsync<T>(this System.Data.IDbConnection cnn, string sql, object param = null, System.Data.IDbTransaction transaction = null, int? commandTimeout = null, System.Data.CommandType? commandType = null) => throw null;
+        public static System.Threading.Tasks.Task<dynamic> QueryFirstAsync(this System.Data.IDbConnection cnn, Dapper.CommandDefinition command) => throw null;
+        public static System.Threading.Tasks.Task<dynamic> QueryFirstAsync(this System.Data.IDbConnection cnn, string sql, object param = null, System.Data.IDbTransaction transaction = null, int? commandTimeout = null, System.Data.CommandType? commandType = null) => throw null;
+        public static System.Threading.Tasks.Task<int> ExecuteAsync(this System.Data.IDbConnection cnn, string sql, object param = null, System.Data.IDbTransaction transaction = null, int? commandTimeout = null, System.Data.CommandType? commandType = null) => throw null;
+        public static object ExecuteScalar(this System.Data.IDbConnection cnn, string sql, object param = null, System.Data.IDbTransaction transaction = null, int? commandTimeout = null, System.Data.CommandType? commandType = null) => throw null;
+    }
+}
+

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-// semmle-extractor-options: /r:System.ComponentModel.Primitives.dll /r:System.ComponentModel.TypeConverter.dll /r:System.Data.Common.dll ${testdir}/../../../resources/stubs/EntityFramework.cs ${testdir}/../../../resources/stubs/System.Data.cs ${testdir}/../../../resources/stubs/System.Windows.cs`
	`1`	`+// semmle-extractor-options: /r:System.ComponentModel.Primitives.dll /r:System.ComponentModel.TypeConverter.dll /r:System.Data.Common.dll ${testdir}/../../../resources/stubs/EntityFramework.cs ${testdir}/../../../resources/stubs/System.Data.cs ${testdir}/../../../resources/stubs/System.Windows.cs ${testdir}/../../../resources/stubs/Dapper.cs /r:System.Linq.Expressions.dll`
`2`	`2`
`3`	`3`	`using System;`
`4`	`4`