C#: CSV-based flow summaries

Author: hvitved

csharp/ql/src/semmle/code/csharp/dataflow/ExternalFlow.qll

@@ -10,6 +10,7 @@ private import DataFlowPublic
 private import FlowSummaryImpl::Private
 private import FlowSummaryImpl::Public
 private import semmle.code.csharp.Unification
+private import semmle.code.csharp.dataflow.ExternalFlow
 
 /** Holds is `i` is a valid parameter position. */
 predicate parameterPosition(int i) { i in [-1 .. any(Parameter p).getPosition()] }
@@ -82,7 +83,40 @@ DataFlowType getCallbackReturnType(DataFlowType t, ReturnKind rk) {
  * Holds if an external flow summary exists for `c` with input specification
  * `input`, output specification `output`, and kind `kind`.
  */
-predicate summaryElement(DataFlowCallable c, string input, string output, string kind) { none() }
+predicate summaryElement(DataFlowCallable c, string input, string output, string kind) {
+  exists(
+    string namespace, string type, boolean subtypes, string name, string signature, string ext
+  |
+    summaryModel(namespace, type, subtypes, name, signature, ext, input, output, kind) and
+    c = interpretElement(namespace, type, subtypes, name, signature, ext)
+  )
+}
+
+/**
+ * Holds if an external source specification exists for `e` with output specification
+ * `output` and kind `kind`.
+ */
+predicate sourceElement(Element e, string output, string kind) {
+  exists(
+    string namespace, string type, boolean subtypes, string name, string signature, string ext
+  |
+    sourceModel(namespace, type, subtypes, name, signature, ext, output, kind) and
+    e = interpretElement(namespace, type, subtypes, name, signature, ext)
+  )
+}
+
+/**
+ * Holds if an external sink specification exists for `n` with input specification
+ * `input` and kind `kind`.
+ */
+predicate sinkElement(Element e, string input, string kind) {
+  exists(
+    string namespace, string type, boolean subtypes, string name, string signature, string ext
+  |
+    sinkModel(namespace, type, subtypes, name, signature, ext, input, kind) and
+    e = interpretElement(namespace, type, subtypes, name, signature, ext)
+  )
+}
 
 /** Gets the summary component for specification component `c`, if any. */
 bindingset[c]
@@ -102,18 +136,6 @@ SummaryComponent interpretComponentSpecific(string c) {
 
 class SourceOrSinkElement = Element;
 
-/**
- * Holds if an external source specification exists for `e` with output specification
- * `output` and kind `kind`.
- */
-predicate sourceElement(Element e, string output, string kind) { none() }
-
-/**
- * Holds if an external sink specification exists for `n` with input specification
- * `input` and kind `kind`.
- */
-predicate sinkElement(Element e, string input, string kind) { none() }
-
 /** Gets the return kind corresponding to specification `"ReturnValue"`. */
 NormalReturnKind getReturnValueKind() { any() }
 

csharp/ql/src/semmle/code/csharp/dataflow/internal/FlowSummaryImplSpecific.qll

@@ -0,0 +1,40 @@
+namespace My.Qltest
+{
+    public class B
+    {
+        void Foo()
+        {
+            object arg1 = new object();
+            Sink1(arg1);
+
+            object argToTagged = new object();
+            TaggedSinkMethod(argToTagged);
+
+            object fieldWrite = new object();
+            TaggedField = fieldWrite;
+        }
+
+        object SinkMethod()
+        {
+            object res = new object();
+            return res;
+        }
+
+        [SinkAttribute]
+        object TaggedSinkMethod()
+        {
+            object resTag = new object();
+            return resTag;
+        }
+
+        void Sink1(object x) { }
+
+        [SinkAttribute]
+        void TaggedSinkMethod(object x) { }
+
+        [SinkAttribute]
+        object TaggedField;
+    }
+
+    class SinkAttribute : System.Attribute { }
+}

csharp/ql/test/library-tests/dataflow/external-models/Sinks.cs

@@ -0,0 +1,62 @@
+namespace My.Qltest
+{
+    public class A
+    {
+        void Foo()
+        {
+            object x;
+            x = Src1();
+            x = Src1("");
+
+            Sub sub = new Sub();
+            x = sub.Src2();
+            x = sub.Src3();
+
+            SrcArg(x);
+
+            x = TaggedSrcMethod();
+            x = TaggedSrcField;
+
+            x = SrcTwoArg("", "");
+        }
+
+        [SourceAttribute()]
+        void Tagged1(object taggedMethodParam)
+        {
+        }
+
+        void Tagged2([SourceAttribute()] object taggedSrcParam)
+        {
+        }
+
+        object Src1() { return null; }
+
+        object Src1(string s) { return null; }
+
+        object Src2() { return null; }
+
+        public virtual object Src3() { return null; }
+
+        public virtual void SrcParam(object p) { }
+
+        class Sub : A
+        {
+            // inherit src2
+            public override object Src3() { return null; }
+
+            public override void SrcParam(object p) { }
+        }
+
+        void SrcArg(object src) { }
+
+        [SourceAttribute()]
+        object TaggedSrcMethod() { return null; }
+
+        [SourceAttribute()]
+        object TaggedSrcField;
+
+        object SrcTwoArg(string s1, string s2) { return null; }
+    }
+
+    class SourceAttribute : System.Attribute { }
+}

csharp/ql/test/library-tests/dataflow/external-models/Sources.cs

@@ -0,0 +1,78 @@
+namespace My.Qltest
+{
+    public class C
+    {
+        void Foo()
+        {
+            object arg1 = new object();
+            StepArgRes(arg1);
+
+            object argIn1 = new object();
+            object argOut1 = new object();
+            StepArgArg(argIn1, argOut1);
+            object argIn2 = new object();
+            object argOut2 = new object();
+            StepArgArg(argIn2, argOut2);
+
+            object arg2 = new object();
+            StepArgQual(arg2);
+            object arg3 = new object();
+            this.StepArgQual(arg3);
+
+            this.StepQualRes();
+            StepQualRes();
+
+            object argOut = new object();
+            StepQualArg(argOut);
+
+            this.StepFieldGetter();
+
+            this.StepFieldSetter(0);
+
+            this.StepPropertyGetter();
+
+            this.StepPropertySetter(0);
+
+            this.StepElementGetter();
+
+            this.StepElementSetter(0);
+
+            var gen = new Generic<int>();
+            gen.StepGeneric(0);
+            gen.StepGeneric2(false);
+        }
+
+        object StepArgRes(object x) { return null; }
+
+        void StepArgArg(object @in, object @out) { }
+
+        void StepArgQual(object x) { }
+
+        object StepQualRes() { return null; }
+
+        void StepQualArg(object @out) { }
+
+        int Field;
+
+        int StepFieldGetter() => throw null;
+
+        void StepFieldSetter(int value) => throw null;
+
+        int Property { get; set; }
+
+        int StepPropertyGetter() => throw null;
+
+        void StepPropertySetter(int value) => throw null;
+
+        int StepElementGetter() => throw null;
+
+        void StepElementSetter(int value) => throw null;
+
+        class Generic<T>
+        {
+            public T StepGeneric(T t) => throw null;
+
+            public T StepGeneric2<S>(S s) => throw null;
+        }
+    }
+}

csharp/ql/test/library-tests/dataflow/external-models/Steps.cs

@@ -0,0 +1,8 @@
+invalidModelRow
+#select
+| Sinks.cs:8:19:8:22 | access to local variable arg1 | qltest |
+| Sinks.cs:11:13:11:41 | this access | qltest-arg |
+| Sinks.cs:11:30:11:40 | access to local variable argToTagged | qltest-arg |
+| Sinks.cs:14:27:14:36 | access to local variable fieldWrite | qltest-nospec |
+| Sinks.cs:20:20:20:22 | access to local variable res | qltest |
+| Sinks.cs:27:20:27:25 | access to local variable resTag | qltest-retval |

csharp/ql/test/library-tests/dataflow/external-models/sinks.expected

@@ -0,0 +1,23 @@
+import csharp
+import DataFlow
+import semmle.code.csharp.dataflow.ExternalFlow
+import semmle.code.csharp.dataflow.internal.FlowSummaryImpl as FlowSummaryImpl
+import CsvValidation
+
+class SinkModelTest extends SinkModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        //"namespace;type;overrides;name;signature;ext;spec;kind",
+        "My.Qltest;B;false;Sink1;(object);;Argument[0];qltest",
+        "My.Qltest;B;false;SinkMethod;();;ReturnValue;qltest",
+        "My.Qltest;SinkAttribute;false;;;Attribute;ReturnValue;qltest-retval",
+        "My.Qltest;SinkAttribute;false;;;Attribute;Argument;qltest-arg",
+        "My.Qltest;SinkAttribute;false;;;Attribute;;qltest-nospec"
+      ]
+  }
+}
+
+from DataFlow::Node node, string kind
+where sinkNode(node, kind)
+select node, kind

csharp/ql/test/library-tests/dataflow/external-models/sinks.ql

@@ -0,0 +1,24 @@
+invalidModelRow
+#select
+| Sources.cs:8:17:8:22 | call to method Src1 | qltest |
+| Sources.cs:8:17:8:22 | call to method Src1 | qltest-all-overloads |
+| Sources.cs:9:17:9:24 | call to method Src1 | qltest |
+| Sources.cs:9:17:9:24 | call to method Src1 | qltest-all-overloads |
+| Sources.cs:9:17:9:24 | call to method Src1 | qltest-alt |
+| Sources.cs:12:17:12:26 | call to method Src2 | qltest |
+| Sources.cs:12:17:12:26 | call to method Src2 | qltest-w-subtypes |
+| Sources.cs:13:17:13:26 | call to method Src3 | qltest-w-subtypes |
+| Sources.cs:15:13:15:21 | [post] this access | qltest-argany |
+| Sources.cs:15:20:15:20 | [post] access to local variable x | qltest-argany |
+| Sources.cs:15:20:15:20 | [post] access to local variable x | qltest-argnum |
+| Sources.cs:17:17:17:33 | call to method TaggedSrcMethod | qltest-retval |
+| Sources.cs:18:17:18:30 | access to field TaggedSrcField | qltest-nospec |
+| Sources.cs:20:17:20:33 | call to method SrcTwoArg | qltest-longsig |
+| Sources.cs:20:17:20:33 | call to method SrcTwoArg | qltest-shortsig |
+| Sources.cs:24:14:24:20 | this | qltest-param |
+| Sources.cs:24:29:24:45 | taggedMethodParam | qltest-param |
+| Sources.cs:28:49:28:62 | taggedSrcParam | qltest-nospec |
+| Sources.cs:28:49:28:62 | taggedSrcParam | qltest-param |
+| Sources.cs:40:45:40:45 | p | qltest-param-override |
+| Sources.cs:47:50:47:50 | p | qltest-param-override |
+| Sources.cs:53:16:53:30 | this | qltest-param |

csharp/ql/test/library-tests/dataflow/external-models/srcs.expected

@@ -0,0 +1,34 @@
+import csharp
+import DataFlow
+import semmle.code.csharp.dataflow.ExternalFlow
+import semmle.code.csharp.dataflow.internal.FlowSummaryImpl as FlowSummaryImpl
+import CsvValidation
+
+class SourceModelTest extends SourceModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        //"namespace;type;overrides;name;signature;ext;spec;kind",
+        "My.Qltest;A;false;Src1;();;ReturnValue;qltest",
+        "My.Qltest;A;false;Src1;(string);;ReturnValue;qltest",
+        "My.Qltest;A;false;Src1;(System.String);;ReturnValue;qltest-alt",
+        "My.Qltest;A;false;Src1;;;ReturnValue;qltest-all-overloads",
+        "My.Qltest;A;false;Src2;();;ReturnValue;qltest",
+        "My.Qltest;A;false;Src3;();;ReturnValue;qltest",
+        "My.Qltest;A;true;Src2;();;ReturnValue;qltest-w-subtypes",
+        "My.Qltest;A;true;Src3;();;ReturnValue;qltest-w-subtypes",
+        "My.Qltest;A;false;SrcArg;(object);;Argument[0];qltest-argnum",
+        "My.Qltest;A;false;SrcArg;(object);;Argument;qltest-argany",
+        "My.Qltest;A;true;SrcParam;(object);;Parameter[0];qltest-param-override",
+        "My.Qltest;SourceAttribute;false;;;Attribute;ReturnValue;qltest-retval",
+        "My.Qltest;SourceAttribute;false;;;Attribute;Parameter;qltest-param",
+        "My.Qltest;SourceAttribute;false;;;Attribute;;qltest-nospec",
+        "My.Qltest;A;false;SrcTwoArg;(string,string);;ReturnValue;qltest-shortsig",
+        "My.Qltest;A;false;SrcTwoArg;(System.String,System.String);;ReturnValue;qltest-longsig"
+      ]
+  }
+}
+
+from DataFlow::Node node, string kind
+where sourceNode(node, kind)
+select node, kind

csharp/ql/test/library-tests/dataflow/external-models/srcs.ql

@@ -0,0 +1,20 @@
+invalidModelRow
+summaryThroughStep
+| Steps.cs:8:24:8:27 | access to local variable arg1 | Steps.cs:8:13:8:28 | call to method StepArgRes | false |
+| Steps.cs:12:24:12:29 | access to local variable argIn1 | Steps.cs:12:32:12:38 | [post] access to local variable argOut1 | false |
+| Steps.cs:15:24:15:29 | access to local variable argIn2 | Steps.cs:15:32:15:38 | [post] access to local variable argOut2 | false |
+| Steps.cs:18:25:18:28 | access to local variable arg2 | Steps.cs:18:13:18:29 | [post] this access | false |
+| Steps.cs:20:30:20:33 | access to local variable arg3 | Steps.cs:20:13:20:16 | [post] this access | false |
+| Steps.cs:22:13:22:16 | this access | Steps.cs:22:13:22:30 | call to method StepQualRes | false |
+| Steps.cs:23:13:23:25 | this access | Steps.cs:23:13:23:25 | call to method StepQualRes | false |
+| Steps.cs:26:13:26:31 | this access | Steps.cs:26:25:26:30 | [post] access to local variable argOut | false |
+| Steps.cs:41:29:41:29 | 0 | Steps.cs:41:13:41:30 | call to method StepGeneric | true |
+| Steps.cs:42:30:42:34 | false | Steps.cs:42:13:42:35 | call to method StepGeneric2 | true |
+summaryGetterStep
+| Steps.cs:28:13:28:16 | this access | Steps.cs:28:13:28:34 | call to method StepFieldGetter | Steps.cs:55:13:55:17 | field Field |
+| Steps.cs:32:13:32:16 | this access | Steps.cs:32:13:32:37 | call to method StepPropertyGetter | Steps.cs:61:13:61:20 | property Property |
+| Steps.cs:36:13:36:16 | this access | Steps.cs:36:13:36:36 | call to method StepElementGetter | file://:0:0:0:0 | element |
+summarySetterStep
+| Steps.cs:30:34:30:34 | 0 | Steps.cs:30:13:30:16 | [post] this access | Steps.cs:55:13:55:17 | field Field |
+| Steps.cs:34:37:34:37 | 0 | Steps.cs:34:13:34:16 | [post] this access | Steps.cs:61:13:61:20 | property Property |
+| Steps.cs:38:36:38:36 | 0 | Steps.cs:38:13:38:16 | [post] this access | file://:0:0:0:0 | element |