Merge pull request github#3951 from raulgarciamsft/users/raulgarciamsft/dataset_serialization

hvitved · web-flow · commit c20d763490cc · 2020-08-07T12:54:10.000+02:00
C#: DataSet serialization
diff --git a/csharp/ql/src/experimental/Security Features/Serialization/DataSetSerialization.qhelp b/csharp/ql/src/experimental/Security Features/Serialization/DataSetSerialization.qhelp
@@ -0,0 +1,23 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>The <code>DataSet</code> and <code>DataTable</code> types are legacy .NET components that you can use to represent data sets as managed objects.</p>
+
+<p>While <code>DataSet</code> and <code>DataTable</code> do impose default limitations on the types that are allowed to be present while deserializing XML payloads, <code>DataSet</code> and <code>DataTable</code> are in general not safe when populated with untrusted input.</p>
+
+<p>Please visit <a href="https://go.microsoft.com/fwlink/?linkid=2132227">DataSet and DataTable security guidance</a> for more details.</p>
+    
+</overview>
+<recommendation>
+
+<p>Please review the <a href="https://go.microsoft.com/fwlink/?linkid=2132227">DataSet and DataTable security guidance</a> before making use of these types for serialization.</p>
+
+</recommendation>
+<references>
+
+<li>Microsoft Docs<a href="https://go.microsoft.com/fwlink/?linkid=2132227">DataSet and DataTable security guidance</a>.</li>
+
+</references>
+</qhelp>
diff --git a/csharp/ql/src/experimental/Security Features/Serialization/DataSetSerialization.qll b/csharp/ql/src/experimental/Security Features/Serialization/DataSetSerialization.qll
@@ -0,0 +1,100 @@
+/**
+ * Provides classes for `DataSet` or `DataTable` deserialization queries.
+ *
+ * Please visit https://go.microsoft.com/fwlink/?linkid=2132227 for details.
+ */
+
+import csharp
+
+/**
+ * Abstract class that depends or inherits from `DataSet` or `DataTable` types.
+ */
+abstract class DataSetOrTableRelatedClass extends Class { }
+
+/**
+ * `DataSet`, `DataTable` types, or any types derived from them.
+ */
+class DataSetOrTable extends DataSetOrTableRelatedClass {
+  DataSetOrTable() {
+    this.getABaseType*().getQualifiedName() = "System.Data.DataTable" or
+    this.getABaseType*().getQualifiedName() = "System.Data.DataSet"
+  }
+}
+
+/**
+ * A Class that include a property or generic collection of type `DataSet` and `DataTable`
+ */
+class ClassWithDataSetOrTableMember extends DataSetOrTableRelatedClass {
+  ClassWithDataSetOrTableMember() {
+    this.getAMember().(AssignableMember).getType() instanceof DataSetOrTable
+    or
+    exists(Property p | p = this.getAProperty() |
+      p.getType() instanceof DataSetOrTable or
+      p.getType().(ConstructedGeneric).getATypeArgument() instanceof DataSetOrTable
+    )
+  }
+}
+
+/**
+ * Serializable types
+ */
+class SerializableClass extends Class {
+  SerializableClass() {
+    (
+      this.getABaseType*().getQualifiedName() = "System.Xml.Serialization.XmlSerializer" or
+      this.getABaseType*().getQualifiedName() = "System.Runtime.Serialization.ISerializable" or
+      this.getABaseType*().getQualifiedName() = "System.Runtime.Serialization.XmlObjectSerializer" or
+      this.getABaseType*().getQualifiedName() =
+        "System.Runtime.Serialization.ISerializationSurrogateProvider" or
+      this.getABaseType*().getQualifiedName() =
+        "System.Runtime.Serialization.XmlSerializableServices" or
+      this.getABaseType*().getQualifiedName() = "System.Xml.Serialization.IXmlSerializable"
+    )
+    or
+    exists(Attribute a | a = this.getAnAttribute() |
+      a.getType().getQualifiedName() = "System.SerializableAttribute"
+    )
+  }
+}
+
+/**
+ * Holds if the serializable class `c` has a property or field `m` that is of `DataSet` or `DataTable` related type
+ */
+predicate isClassUnsafeXmlSerializerImplementation(SerializableClass c, AssignableMember am) {
+  am = c.getAMember() and
+  am.getType() instanceof DataSetOrTableRelatedClass
+}
+
+/**
+ * Serializable class that has a property or field that is of `DataSet` or `DataTable` related type
+ */
+class UnsafeXmlSerializerImplementation extends SerializableClass {
+  UnsafeXmlSerializerImplementation() { isClassUnsafeXmlSerializerImplementation(this, _) }
+}
+
+/**
+ * Method that may be unsafe when used to deserialize DataSet and DataTable related types
+ */
+class UnsafeXmlReadMethod extends Method {
+  UnsafeXmlReadMethod() {
+    this.getQualifiedName() = "System.Data.DataTable.ReadXml"
+    or
+    this.getQualifiedName() = "System.Data.DataTable.ReadXmlSchema"
+    or
+    this.getQualifiedName() = "System.Data.DataSet.ReadXml"
+    or
+    this.getQualifiedName() = "System.Data.DataSet.ReadXmlSchema"
+    or
+    this.getName().matches("ReadXml%") and
+    exists(Class c | c.getAMethod() = this |
+      c.getABaseType*() instanceof DataSetOrTableRelatedClass
+    )
+  }
+}
+
+/**
+ * MethodCall that may be unsafe when used to deserialize DataSet and DataTable related types
+ */
+class UnsafeXmlReadMethodCall extends MethodCall {
+  UnsafeXmlReadMethodCall() { exists(UnsafeXmlReadMethod uxrm | uxrm.getACall() = this) }
+}
diff --git a/csharp/ql/src/experimental/Security Features/Serialization/DefiningDatasetRelatedType.qhelp b/csharp/ql/src/experimental/Security Features/Serialization/DefiningDatasetRelatedType.qhelp
@@ -0,0 +1,5 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<include src="DataSetSerialization.qhelp" /></qhelp>
diff --git a/csharp/ql/src/experimental/Security Features/Serialization/DefiningDatasetRelatedType.ql b/csharp/ql/src/experimental/Security Features/Serialization/DefiningDatasetRelatedType.ql
@@ -0,0 +1,16 @@
+/**
+ * @name Defining a class that inherits or has a property derived from the obsolete DataSet or DataTable types
+ * @description Defining a class that inherits or has a property derived from the obsolete DataSet or DataTable types may lead to the usage of dangerous functionality. Please visit https://go.microsoft.com/fwlink/?linkid=2132227 for details.
+ * @kind problem
+ * @problem.severity warning
+ * @id cs/dataset-serialization/defining-dataset-related-type
+ * @tags security
+ */
+
+import csharp
+import DataSetSerialization
+
+from DataSetOrTableRelatedClass dstc
+where dstc.fromSource()
+select dstc,
+  "Defining a class that inherits or has a property derived from the obsolete DataSet or DataTable types. Please visit https://go.microsoft.com/fwlink/?linkid=2132227 for details."
diff --git a/csharp/ql/src/experimental/Security Features/Serialization/DefiningPotentiallyUnsafeXmlSerialization.qhelp b/csharp/ql/src/experimental/Security Features/Serialization/DefiningPotentiallyUnsafeXmlSerialization.qhelp
@@ -0,0 +1,5 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<include src="DataSetSerialization.qhelp" /></qhelp>
diff --git a/csharp/ql/src/experimental/Security Features/Serialization/DefiningPotentiallyUnsafeXmlSerializer.ql b/csharp/ql/src/experimental/Security Features/Serialization/DefiningPotentiallyUnsafeXmlSerializer.ql
@@ -0,0 +1,20 @@
+/**
+ * @name Defining a potentially unsafe XML serializer
+ * @description Defining an XML serializable class that includes members that derive from DataSet or DataTable type may lead to a security problem. Please visit https://go.microsoft.com/fwlink/?linkid=2132227 for details.
+ * @kind problem
+ * @problem.severity error
+ * @precision medium
+ * @id cs/dataset-serialization/defining-potentially-unsafe-xml-serializer
+ * @tags security
+ */
+
+import csharp
+import DataSetSerialization
+
+from UnsafeXmlSerializerImplementation c, Member m
+where
+  c.fromSource() and
+  isClassUnsafeXmlSerializerImplementation(c, m)
+select m,
+  "Defining an serializable class $@ that has member $@ of a type that is derived from DataSet or DataTable types and may lead to a security problem. Please visit https://go.microsoft.com/fwlink/?linkid=2132227 for details.",
+  c, c.toString(), m, m.toString()
diff --git a/csharp/ql/src/experimental/Security Features/Serialization/UnsafeTypeUsedDataContractSerializer.qhelp b/csharp/ql/src/experimental/Security Features/Serialization/UnsafeTypeUsedDataContractSerializer.qhelp
@@ -0,0 +1,5 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<include src="DataSetSerialization.qhelp" /></qhelp>
diff --git a/csharp/ql/src/experimental/Security Features/Serialization/UnsafeTypeUsedDataContractSerializer.ql b/csharp/ql/src/experimental/Security Features/Serialization/UnsafeTypeUsedDataContractSerializer.ql
@@ -0,0 +1,43 @@
+/**
+ * @name Unsafe type is used in data contract serializer
+ * @description Unsafe type is used in data contract serializer. Please visit https://go.microsoft.com/fwlink/?linkid=2132227 for details."
+ * @kind problem
+ * @problem.severity error
+ * @precision medium
+ * @id cs/dataset-serialization/unsafe-type-used-data-contract-serializer
+ * @tags security
+ */
+
+import csharp
+import DataSetSerialization
+
+predicate xmlSerializerConstructorArgument(Expr e) {
+  exists(ObjectCreation oc, Constructor c | e = oc.getArgument(0) |
+    c = oc.getTarget() and
+    c.getDeclaringType().getABaseType*().hasQualifiedName("System.Xml.Serialization.XmlSerializer")
+  )
+}
+
+predicate unsafeDataContractTypeCreation(Expr e) {
+  exists(MethodCall gt |
+    gt.getTarget().getName() = "GetType" and
+    e = gt and
+    gt.getQualifier().getType() instanceof DataSetOrTableRelatedClass
+  )
+  or
+  e.(TypeofExpr).getTypeAccess().getTarget() instanceof DataSetOrTableRelatedClass
+}
+
+class Conf extends DataFlow::Configuration {
+  Conf() { this = "FlowToDataSerializerConstructor" }
+
+  override predicate isSource(DataFlow::Node node) { unsafeDataContractTypeCreation(node.asExpr()) }
+
+  override predicate isSink(DataFlow::Node node) { xmlSerializerConstructorArgument(node.asExpr()) }
+}
+
+from Conf conf, DataFlow::Node source, DataFlow::Node sink
+where conf.hasFlow(source, sink)
+select sink,
+  "Unsafe type is used in data contract serializer. Make sure $@ comes from the trusted source.",
+  source, source.toString()
diff --git a/csharp/ql/src/experimental/Security Features/Serialization/XmlDeserializationWithDataSet.qhelp b/csharp/ql/src/experimental/Security Features/Serialization/XmlDeserializationWithDataSet.qhelp
@@ -0,0 +1,5 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<include src="DataSetSerialization.qhelp" /></qhelp>
diff --git a/csharp/ql/src/experimental/Security Features/Serialization/XmlDeserializationWithDataSet.ql b/csharp/ql/src/experimental/Security Features/Serialization/XmlDeserializationWithDataSet.ql
@@ -0,0 +1,16 @@
+/**
+ * @name XML deserialization with a type type derived from DataSet or DataTable
+ * @description Making an XML deserialization call with a type derived from DataSet or DataTable types and may lead to a security problem. Please visit https://go.microsoft.com/fwlink/?linkid=2132227 for details."
+ * @kind problem
+ * @problem.severity error
+ * @precision medium
+ * @id cs/dataset-serialization/xml-deserialization-with-dataset
+ * @tags security
+ */
+
+import csharp
+import DataSetSerialization
+
+from UnsafeXmlReadMethodCall mc
+select mc,
+  "Making an XML deserialization call with a type derived from DataSet or DataTable types and may lead to a security problem. Please visit https://go.microsoft.com/fwlink/?linkid=2132227 for details."
diff --git a/csharp/ql/test/experimental/Security Features/Serialization/DefiningDatasetRelatedType.expected b/csharp/ql/test/experimental/Security Features/Serialization/DefiningDatasetRelatedType.expected
@@ -0,0 +1,2 @@
+| test0.cs:13:18:13:43 | DerivesFromDeprecatedType1 | Defining a class that inherits or has a property derived from the obsolete DataSet or DataTable types. Please visit https://go.microsoft.com/fwlink/?linkid=2132227 for details. |
+| test0.cs:59:18:59:38 | AttributeSerializer01 | Defining a class that inherits or has a property derived from the obsolete DataSet or DataTable types. Please visit https://go.microsoft.com/fwlink/?linkid=2132227 for details. |
diff --git a/csharp/ql/test/experimental/Security Features/Serialization/DefiningDatasetRelatedType.qlref b/csharp/ql/test/experimental/Security Features/Serialization/DefiningDatasetRelatedType.qlref
@@ -0,0 +1 @@
+experimental/Security Features/Serialization/DefiningDatasetRelatedType.ql
diff --git a/csharp/ql/test/experimental/Security Features/Serialization/DefiningPotentiallyUnsafeXmlSerializer.expected b/csharp/ql/test/experimental/Security Features/Serialization/DefiningPotentiallyUnsafeXmlSerializer.expected
@@ -0,0 +1,2 @@
+| test0.cs:15:24:15:32 | MyDataSet | Defining an serializable class $@ that has member $@ of a type that is derived from DataSet or DataTable types and may lead to a security problem. Please visit https://go.microsoft.com/fwlink/?linkid=2132227 for details. | test0.cs:13:18:13:43 | DerivesFromDeprecatedType1 | DerivesFromDeprecatedType1 | test0.cs:15:24:15:32 | MyDataSet | MyDataSet |
+| test0.cs:61:25:61:33 | MyDataSet | Defining an serializable class $@ that has member $@ of a type that is derived from DataSet or DataTable types and may lead to a security problem. Please visit https://go.microsoft.com/fwlink/?linkid=2132227 for details. | test0.cs:59:18:59:38 | AttributeSerializer01 | AttributeSerializer01 | test0.cs:61:25:61:33 | MyDataSet | MyDataSet |
diff --git a/csharp/ql/test/experimental/Security Features/Serialization/DefiningPotentiallyUnsafeXmlSerializer.qlref b/csharp/ql/test/experimental/Security Features/Serialization/DefiningPotentiallyUnsafeXmlSerializer.qlref
@@ -0,0 +1 @@
+experimental/Security Features/Serialization/DefiningPotentiallyUnsafeXmlSerializer.ql
diff --git a/csharp/ql/test/experimental/Security Features/Serialization/UnsafeTypeUsedDataContractSerializer.expected b/csharp/ql/test/experimental/Security Features/Serialization/UnsafeTypeUsedDataContractSerializer.expected
@@ -0,0 +1,2 @@
+| test0.cs:95:49:95:63 | typeof(...) | Unsafe type is used in data contract serializer. Make sure $@ comes from the trusted source. | test0.cs:95:49:95:63 | typeof(...) | typeof(...) |
+| test0.cs:96:49:96:77 | typeof(...) | Unsafe type is used in data contract serializer. Make sure $@ comes from the trusted source. | test0.cs:96:49:96:77 | typeof(...) | typeof(...) |
diff --git a/csharp/ql/test/experimental/Security Features/Serialization/UnsafeTypeUsedDataContractSerializer.qlref b/csharp/ql/test/experimental/Security Features/Serialization/UnsafeTypeUsedDataContractSerializer.qlref
@@ -0,0 +1 @@
+experimental/Security Features/Serialization/UnsafeTypeUsedDataContractSerializer.ql
diff --git a/csharp/ql/test/experimental/Security Features/Serialization/XmlDeserializationWithDataSet.expected b/csharp/ql/test/experimental/Security Features/Serialization/XmlDeserializationWithDataSet.expected
@@ -0,0 +1 @@
+| test0.cs:88:17:88:46 | call to method ReadXmlSchema | Making an XML deserialization call with a type derived from DataSet or DataTable types and may lead to a security problem. Please visit https://go.microsoft.com/fwlink/?linkid=2132227 for details. |
diff --git a/csharp/ql/test/experimental/Security Features/Serialization/XmlDeserializationWithDataSet.qlref b/csharp/ql/test/experimental/Security Features/Serialization/XmlDeserializationWithDataSet.qlref
@@ -0,0 +1 @@
+experimental/Security Features/Serialization/XmlDeserializationWithDataSet.ql
diff --git a/csharp/ql/test/experimental/Security Features/Serialization/test0.cs b/csharp/ql/test/experimental/Security Features/Serialization/test0.cs
@@ -0,0 +1,101 @@
+// semmle-extractor-options: /r:System.Data.Common.dll /r:System.Runtime.WindowsRuntime.dll /r:System.Xml.XmlSerializer.dll /r:System.Runtime.Serialization.Xml.dll /r:System.Runtime.Serialization.Xml.dll /r:System.Collections.dll /r:System.Private.Xml.dll /r:System.Private.DataContractSerialization.dll /r:System.Runtime.Extensions.dll /r:System.ComponentModel.TypeConverter.dll /r:System.Xml.ReaderWriter.dll /r:System.IO.FileSystem.dll
+
+using System;
+using System.Data;
+using System.IO;
+using System.Xml.Serialization;
+using System.Runtime.Serialization;
+using System.Xml;
+using System.Collections.Generic;
+
+namespace DataSetSerializationTest
+{
+    public class DerivesFromDeprecatedType1 : XmlSerializer // warning:DefiningDatasetRelatedType.ql
+    {
+        public DataSet MyDataSet { get; set; }  // bug:DefiningPotentiallyUnsafeXmlSerializer.ql
+
+        public DerivesFromDeprecatedType1()
+        {
+        }
+    }
+
+    /*  
+     *  TODO: I cannot use DataContract on a QL unit test
+     *  
+    [DataContract(Name = "Customer", Namespace = "http://www.contoso.com")]
+    public class PatternDataContractSerializer : XmlObjectSerializer
+    {
+        [DataMember()]
+        public DataSet MyDataSet { get; set; }
+        [DataMember()]
+        public DataTable MyDataTable { get; set; }
+
+        PatternDataContractSerializer() { }
+        private ExtensionDataObject extensionData_Value;
+        public ExtensionDataObject ExtensionData
+        {
+            get
+            {
+                return extensionData_Value;
+            }
+            set
+            {
+                extensionData_Value = value;
+            }
+        }
+
+        public override void WriteObject(System.IO.Stream stream, object graph) { }
+        public override void WriteObjectContent(System.Xml.XmlDictionaryWriter writer, object graph) { }
+        public override bool IsStartObject(System.Xml.XmlDictionaryReader reader) { return false; }
+        public override void WriteStartObject(System.Xml.XmlDictionaryWriter writer, object graph) { }
+        public override void WriteEndObject(System.Xml.XmlWriter writer) { }
+        public override void WriteEndObject(XmlDictionaryWriter writer) { }
+        public override object ReadObject(System.IO.Stream stream) { return null; }
+        public override object ReadObject(XmlDictionaryReader reader, bool b) { return null; }
+    }
+    */
+
+    [Serializable()]
+    public class AttributeSerializer01  // warning:DefiningDatasetRelatedType.ql
+    {
+        private DataSet MyDataSet;  // bug:DefiningPotentiallyUnsafeXmlSerializer.ql
+
+        AttributeSerializer01()
+        {
+        }
+    }
+
+    class Program
+    {
+        static string GetSerializedDataSet(DataSet dataSet)
+        {
+            DataTable dataTable = new DataTable("MyTable");
+            dataTable.Columns.Add("FirstName", typeof(string));
+            dataTable.Columns.Add("LastName", typeof(string));
+            dataTable.Columns.Add("Age", typeof(int));
+
+            StringWriter writer = new StringWriter();
+            dataSet.WriteXml(writer, XmlWriteMode.DiffGram);
+            return writer.ToString();
+        }
+
+        static void datatable_readxmlschema_01(string fileName)
+        {
+            using (FileStream fs = File.OpenRead(fileName))
+            {
+                DataTable newTable = new DataTable();
+                System.Xml.XmlTextReader reader = new System.Xml.XmlTextReader(fs);
+                newTable.ReadXmlSchema(reader); //bug:XmlDeserializationWithDataSet.ql
+            }
+        }
+
+        static void Main(string[] args)
+        {
+
+            XmlSerializer x = new XmlSerializer(typeof(DataSet));   // bug:UnsafeTypeUsedDataContractSerializer.ql
+            XmlSerializer y = new XmlSerializer(typeof(AttributeSerializer01)); //bug:UnsafeTypeUsedDataContractSerializer.ql
+
+            Console.WriteLine("Hello World!");
+        }
+    }
+}
