@@ -13,6 +13,7 @@ private import semmle.code.csharp.frameworks.system.web.UI
1313private import semmle.code.csharp.frameworks.system.web.ui.WebControls
1414private import semmle.code.csharp.frameworks.system.windows.Forms
1515private import semmle.code.csharp.security.dataflow.flowsources.Remote
16+ private import semmle.code.csharp.dataflow.ExternalFlow
1617private import semmle.code.asp.AspNet
1718
1819/**
@@ -21,21 +22,23 @@ private import semmle.code.asp.AspNet
2122 */
2223abstract class HtmlSink extends DataFlow:: ExprNode , RemoteFlowSink { }
2324
25+ private class ExternalHtmlSink extends HtmlSink {
26+ ExternalHtmlSink ( ) { sinkNode ( this , "html" ) }
27+ }
28+
2429/**
2530 * An expression that is used as an argument to an HTML sink method on
2631 * `HttpResponse`.
2732 */
28- class HttpResponseSink extends HtmlSink {
29- HttpResponseSink ( ) {
30- exists ( Method m , SystemWebHttpResponseClass responseClass |
31- m = responseClass .getAWriteMethod ( ) or
32- m = responseClass .getAWriteFileMethod ( ) or
33- m = responseClass .getATransmitFileMethod ( ) or
34- m = responseClass .getABinaryWriteMethod ( )
35- |
36- // Calls to these methods, or overrides of them
37- this .getExpr ( ) = m .getAnOverrider * ( ) .getParameter ( 0 ) .getAnAssignedArgument ( )
38- )
33+ private class HttpResponseSinkModelCsv extends SinkModelCsv {
34+ override predicate row ( string row ) {
35+ row =
36+ [
37+ "System.Web;HttpResponse;false;Write;;;Argument[0];html" ,
38+ "System.Web;HttpResponse;false;WriteFile;;;Argument[0];html" ,
39+ "System.Web;HttpResponse;false;TransmitFile;;;Argument[0];html" ,
40+ "System.Web;HttpResponse;false;BinaryWrite;;;Argument[0];html"
41+ ]
3942 }
4043}
4144
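Review bot: Deleting the public `HttpResponseSink` class and replacing it with the private `HttpResponseSinkModelCsv` drops a name that queries or libraries outside this file may still reference. No other use is visible here, so either keep `HttpResponseSink` as a deprecated class or record the removal in a change note. The doc comment left above the new class still describes "an expression that is used as an argument to an HTML sink method", but the class is now a set of model rows; `/** Sink models for the HTML-writing methods of System.Web.HttpResponse. */` would match it. The removed predicate also matched arguments to overrides through `getAnOverrider*()`, while the new rows set the subtypes column to `false`. That is equivalent only if `HttpResponse` cannot be subclassed, so running the XSS query tests before and after would confirm no sink is lost.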