
Commit c3deb48

author
edvraa
committed
Charpred for InstanceMethodSink
1 parent a412581 commit c3deb48


3 files changed

+41
-63
lines changed


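--- a/csharp/ql/src/Security Features/CWE-502/UnsafeDeserialization.ql
+++ b/csharp/ql/src/Security Features/CWE-502/UnsafeDeserialization.ql
@@ -16,16 +16,6 @@ import semmle.code.csharp.security.dataflow.UnsafeDeserialization::UnsafeDeseria
 from Call deserializeCall, DataFlow::Node sink
 where
 deserializeCall.getAnArgument() = sink.asExpr() and
-(
-sink instanceof InstanceMethodSink and
-not exists(
-SafeConstructorTrackingConfig safeConstructorTracking, DataFlow::Node safeTypeUsage
-|
-safeConstructorTracking.hasFlow(_, safeTypeUsage) and
-safeTypeUsage.asExpr().getParent() = deserializeCall
-)
-or
-sink instanceof ConstructorOrStaticMethodSink
-)
+sink instanceof Sink
 select deserializeCall,
 "Unsafe deserializer is used. Make sure the value being deserialized comes from a trusted source."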

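--- a/csharp/ql/src/semmle/code/csharp/security/dataflow/UnsafeDeserialization.qll
+++ b/csharp/ql/src/semmle/code/csharp/security/dataflow/UnsafeDeserialization.qll
@@ -14,15 +14,29 @@ module UnsafeDeserialization {
 */
 abstract class Source extends DataFlow::Node { }
 
+/**
+* A data flow sink for unsafe deserialization vulnerabilities.
+*/
+abstract class Sink extends DataFlow::Node { }
+
 /**
 * A data flow sink for unsafe deserialization vulnerabilities to an instance method.
 */
-abstract class InstanceMethodSink extends DataFlow::Node { }
+abstract private class InstanceMethodSink extends Sink {
+InstanceMethodSink() {
+not exists(
+SafeConstructorTrackingConfig safeConstructorTracking, DataFlow::Node safeTypeUsage
+|
+safeConstructorTracking.hasFlow(_, safeTypeUsage) and
+safeTypeUsage.asExpr().getParent() = this.asExpr().getParent()
+)
+}
+}
 
 /**
 * A data flow sink for unsafe deserialization vulnerabilities to a static method or constructor call.
 */
-abstract class ConstructorOrStaticMethodSink extends DataFlow::Node { }
+abstract private class ConstructorOrStaticMethodSink extends Sink { }
 
 /**
 * A sanitizer for unsafe deserialization vulnerabilities.
@@ -132,7 +146,7 @@ module UnsafeDeserialization {
 )
 }
 
-private abstract class BinaryFormatterSink extends InstanceMethodSink { }
+abstract private class BinaryFormatterSink extends InstanceMethodSink { }
 
 private class BinaryFormatterDeserializeMethodSink extends BinaryFormatterSink {
 BinaryFormatterDeserializeMethodSink() {
@@ -150,7 +164,7 @@ module UnsafeDeserialization {
 not mc.getArgument(0).hasValue()
 }
 
-private abstract class SoapFormatterSink extends InstanceMethodSink { }
+abstract private class SoapFormatterSink extends InstanceMethodSink { }
 
 private class SoapFormatterDeserializeMethodSink extends SoapFormatterSink {
 SoapFormatterDeserializeMethodSink() {
@@ -168,7 +182,7 @@ module UnsafeDeserialization {
 not mc.getArgument(0).hasValue()
 }
 
-private abstract class ObjectStateFormatterSink extends InstanceMethodSink { }
+abstract private class ObjectStateFormatterSink extends InstanceMethodSink { }
 
 private class ObjectStateFormatterDeserializeMethodSink extends ObjectStateFormatterSink {
 ObjectStateFormatterDeserializeMethodSink() {
@@ -191,7 +205,7 @@ module UnsafeDeserialization {
 )
 }
 
-private abstract class NetDataContractSerializerSink extends InstanceMethodSink { }
+abstract private class NetDataContractSerializerSink extends InstanceMethodSink { }
 
 private class NetDataContractSerializerDeserializeMethodSink extends NetDataContractSerializerSink {
 NetDataContractSerializerDeserializeMethodSink() {
@@ -209,7 +223,7 @@ module UnsafeDeserialization {
 not mc.getArgument(0).hasValue()
 }
 
-private abstract class DataContractJsonSerializerSink extends InstanceMethodSink { }
+abstract private class DataContractJsonSerializerSink extends InstanceMethodSink { }
 
 private class DataContractJsonSerializerDeserializeMethodSink extends DataContractJsonSerializerSink {
 DataContractJsonSerializerDeserializeMethodSink() {
@@ -252,7 +266,7 @@ module UnsafeDeserialization {
 )
 }
 
-private abstract class JavaScriptSerializerSink extends InstanceMethodSink { }
+abstract private class JavaScriptSerializerSink extends InstanceMethodSink { }
 
 private class JavaScriptSerializerDeserializeMethodSink extends JavaScriptSerializerSink {
 JavaScriptSerializerDeserializeMethodSink() {
@@ -290,7 +304,7 @@ module UnsafeDeserialization {
 not mc.targetIsLocalInstance()
 }
 
-private abstract class XmlObjectSerializerSink extends InstanceMethodSink { }
+abstract private class XmlObjectSerializerSink extends InstanceMethodSink { }
 
 private class XmlObjectSerializerDeserializeMethodSink extends XmlObjectSerializerSink {
 XmlObjectSerializerDeserializeMethodSink() {
@@ -332,7 +346,7 @@ module UnsafeDeserialization {
 not mc.getArgument(0).hasValue()
 }
 
-private abstract class XmlSerializerSink extends InstanceMethodSink { }
+abstract private class XmlSerializerSink extends InstanceMethodSink { }
 
 private class XmlSerializerDeserializeMethodSink extends XmlSerializerSink {
 XmlSerializerDeserializeMethodSink() {
@@ -373,7 +387,7 @@ module UnsafeDeserialization {
 not mc.getArgument(0).hasValue()
 }
 
-private abstract class DataContractSerializerSink extends InstanceMethodSink { }
+abstract private class DataContractSerializerSink extends InstanceMethodSink { }
 
 private class DataContractSerializerDeserializeMethodSink extends DataContractSerializerSink {
 DataContractSerializerDeserializeMethodSink() {
@@ -411,7 +425,7 @@ module UnsafeDeserialization {
 not mc.getArgument(0).hasValue()
 }
 
-private abstract class XmlMessageFormatterSink extends InstanceMethodSink { }
+abstract private class XmlMessageFormatterSink extends InstanceMethodSink { }
 
 private class XmlMessageFormatterDeserializeMethodSink extends XmlMessageFormatterSink {
 XmlMessageFormatterDeserializeMethodSink() {
@@ -449,7 +463,7 @@ module UnsafeDeserialization {
 not mc.getArgument(0).hasValue()
 }
 
-private abstract class LosFormatterSink extends InstanceMethodSink { }
+abstract private class LosFormatterSink extends InstanceMethodSink { }
 
 private class LosFormatterDeserializeMethodSink extends LosFormatterSink {
 LosFormatterDeserializeMethodSink() {
@@ -467,7 +481,7 @@ module UnsafeDeserialization {
 not mc.getArgument(0).hasValue()
 }
 
-private abstract class FastJsonSink extends ConstructorOrStaticMethodSink { }
+abstract private class FastJsonSink extends ConstructorOrStaticMethodSink { }
 
 private class FastJsonDeserializeMethodSink extends FastJsonSink {
 FastJsonDeserializeMethodSink() {
@@ -485,7 +499,7 @@ module UnsafeDeserialization {
 not mc.getArgument(0).hasValue()
 }
 
-private abstract class ActivitySink extends InstanceMethodSink { }
+abstract private class ActivitySink extends InstanceMethodSink { }
 
 private class ActivityDeserializeMethodSink extends ActivitySink {
 ActivityDeserializeMethodSink() {
@@ -503,7 +517,7 @@ module UnsafeDeserialization {
 not mc.getArgument(0).hasValue()
 }
 
-private abstract class ResourceReaderSink extends ConstructorOrStaticMethodSink { }
+abstract private class ResourceReaderSink extends ConstructorOrStaticMethodSink { }
 
 private class ResourceReaderDeserializeMethodSink extends ResourceReaderSink {
 ResourceReaderDeserializeMethodSink() {
@@ -521,7 +535,7 @@ module UnsafeDeserialization {
 not mc.getArgument(0).hasValue()
 }
 
-private abstract class BinaryMessageFormatterSink extends InstanceMethodSink { }
+abstract private class BinaryMessageFormatterSink extends InstanceMethodSink { }
 
 private class BinaryMessageFormatterDeserializeMethodSink extends BinaryMessageFormatterSink {
 BinaryMessageFormatterDeserializeMethodSink() {
@@ -545,7 +559,7 @@ module UnsafeDeserialization {
 not mc.getArgument(0).hasValue()
 }
 
-private abstract class XamlReaderSink extends ConstructorOrStaticMethodSink { }
+abstract private class XamlReaderSink extends ConstructorOrStaticMethodSink { }
 
 private class XamlReaderDeserializeMethodSink extends XamlReaderSink {
 XamlReaderDeserializeMethodSink() {
@@ -567,7 +581,7 @@ module UnsafeDeserialization {
 not mc.getArgument(0).hasValue()
 }
 
-private abstract class ProxyObjectSink extends InstanceMethodSink { }
+abstract private class ProxyObjectSink extends InstanceMethodSink { }
 
 private class ProxyObjectDeserializeMethodSink extends ProxyObjectSink {
 ProxyObjectDeserializeMethodSink() {
@@ -585,7 +599,7 @@ module UnsafeDeserialization {
 not mc.getArgument(0).hasValue()
 }
 
-private abstract class SweetJaysonSink extends ConstructorOrStaticMethodSink { }
+abstract private class SweetJaysonSink extends ConstructorOrStaticMethodSink { }
 
 private class SweetJaysonDeserializeMethodSink extends SweetJaysonSink {
 SweetJaysonDeserializeMethodSink() {
@@ -597,7 +611,8 @@ module UnsafeDeserialization {
 }
 
 /** ServiceStack.Text.JsonSerializer */
-private abstract class ServiceStackTextJsonSerializerSink extends ConstructorOrStaticMethodSink { }
+abstract private class ServiceStackTextJsonSerializerSink extends ConstructorOrStaticMethodSink {
+}
 
 private class ServiceStackTextJsonSerializerDeserializeMethodSink extends ServiceStackTextJsonSerializerSink {
 ServiceStackTextJsonSerializerDeserializeMethodSink() {
@@ -618,7 +633,8 @@ module UnsafeDeserialization {
 }
 
 /** ServiceStack.Text.TypeSerializer */
-private abstract class ServiceStackTextTypeSerializerSink extends ConstructorOrStaticMethodSink { }
+abstract private class ServiceStackTextTypeSerializerSink extends ConstructorOrStaticMethodSink {
+}
 
 private class ServiceStackTextTypeSerializerDeserializeMethodSink extends ServiceStackTextTypeSerializerSink {
 ServiceStackTextTypeSerializerDeserializeMethodSink() {
@@ -639,7 +655,7 @@ module UnsafeDeserialization {
 }
 
 /** ServiceStack.Text.CsvSerializer */
-private abstract class ServiceStackTextCsvSerializerSink extends ConstructorOrStaticMethodSink { }
+abstract private class ServiceStackTextCsvSerializerSink extends ConstructorOrStaticMethodSink { }
 
 private class ServiceStackTextCsvSerializerDeserializeMethodSink extends ServiceStackTextCsvSerializerSink {
 ServiceStackTextCsvSerializerDeserializeMethodSink() {
@@ -660,7 +676,7 @@ module UnsafeDeserialization {
 }
 
 /** ServiceStack.Text.XmlSerializer */
-private abstract class ServiceStackTextXmlSerializerSink extends ConstructorOrStaticMethodSink { }
+abstract private class ServiceStackTextXmlSerializerSink extends ConstructorOrStaticMethodSink { }
 
 private class ServiceStackTextXmlSerializerDeserializeMethodSink extends ServiceStackTextXmlSerializerSink {
 ServiceStackTextXmlSerializerDeserializeMethodSink() {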
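Review bot: The safe-constructor exemption that now lives in the `InstanceMethodSink` characteristic predicate (first hunk, new lines 25–34) carries no comment saying what it suppresses, and since both `InstanceMethodSink` and `ConstructorOrStaticMethodSink` become `abstract private`, any sink added outside this module must extend `Sink` directly and will never receive that exemption, while existing queries written against `instanceof InstanceMethodSink` stop compiling. I would document both: above the `not exists(` add `// Exclude instance-method sinks whose enclosing call also receives a value tracked by SafeConstructorTrackingConfig (presumably a deserializer constructed with a non-polymorphic, safe type); such calls are not reported.`, and extend the `Sink` doc comment with a sentence that the safe-constructor suppression applies only to the built-in instance-method sinks. The new comparison `safeTypeUsage.asExpr().getParent() = this.asExpr().getParent()` matches the removed query-level check only when the sink expression is a direct argument of the deserializing call; if a sink node has no `asExpr()` or sits deeper than one parent, the exemption silently never applies, which is worth confirming against `SafeConstructorTrackingConfig`, which is outside this diff. The class at the end of the last hunk continues past the diff.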
