C#: Add Dapper support to SQL injection queries

Author: tamasvajk

csharp/ql/src/semmle/code/csharp/frameworks/Dapper.qll

@@ -0,0 +1,42 @@
+/**
+ * Classes for modelling Dapper.
+ */
+
+import csharp
+private import semmle.code.csharp.frameworks.system.Data
+
+/** Definitions relating to the `Dapper` package. */
+module Dapper {
+  /** The namespace `Dapper`. */
+  class DapperNamespace extends Namespace {
+    DapperNamespace() { this.hasQualifiedName("Dapper") }
+  }
+
+  /** A class in `Dapper`. */
+  class DapperClass extends Class {
+    DapperClass() { this.getParent() instanceof DapperNamespace }
+  }
+
+  /** A struct in `Dapper`. */
+  class DapperStruct extends Struct {
+    DapperStruct() { this.getParent() instanceof DapperNamespace }
+  }
+
+  /** The `Dapper.SqlMapper` class. */
+  class SqlMapperClass extends DapperClass {
+    SqlMapperClass() { this.hasName("SqlMapper") }
+
+    /** Gets a DB query method. */
+    ExtensionMethod getAQueryMethod() {
+      result = this.getAMethod() and
+      result.getName().regexpMatch("Query.*|Execute.*") and
+      result.getExtendedType() instanceof SystemDataIDbConnectionInterface and
+      result.isPublic()
+    }
+  }
+
+  /** The `Dapper.CommandDefinition` struct. */
+  class CommandDefinitionStruct extends DapperStruct {
+    CommandDefinitionStruct() { this.hasName("CommandDefinition") }
+  }
+}

csharp/ql/src/semmle/code/csharp/frameworks/Sql.qll

@@ -5,6 +5,8 @@ private import semmle.code.csharp.frameworks.system.Data
 private import semmle.code.csharp.frameworks.system.data.SqlClient
 private import semmle.code.csharp.frameworks.EntityFramework
 private import semmle.code.csharp.frameworks.NHibernate
+private import semmle.code.csharp.frameworks.Dapper
+private import semmle.code.csharp.dataflow.DataFlow3
 
 /** An expression containing a SQL command. */
 abstract class SqlExpr extends Expr {
@@ -83,3 +85,37 @@ class MicrosoftSqlHelperMethodCallSqlExpr extends SqlExpr, MethodCall {
     )
   }
 }
+
+/** A `Dapper.SqlMapper` method that is taking a SQL string argument. */
+class DapperSqlMethodCallSqlExpr extends SqlExpr, MethodCall {
+  DapperSqlMethodCallSqlExpr() {
+    this.getTarget() = any(Dapper::SqlMapperClass c).getAQueryMethod()
+  }
+
+  override Expr getSql() { result = this.getArgumentForName("sql") }
+}
+
+/** A `Dapper.CommandDefinition` creation that is taking a SQL string argument and is passed to a `Dapper.SqlMapper` method. */
+class DapperCommandDefinitionMethodCallSqlExpr extends SqlExpr, ObjectCreation {
+  DapperCommandDefinitionMethodCallSqlExpr() {
+    this.getObjectType() instanceof Dapper::CommandDefinitionStruct and
+    exists(Conf c | c.hasFlow(DataFlow::exprNode(this), _))
+  }
+
+  override Expr getSql() { result = this.getArgumentForName("commandText") }
+}
+
+private class Conf extends DataFlow3::Configuration {
+  Conf() { this = "DapperCommandDefinitionFlowConfig" }
+
+  override predicate isSource(DataFlow::Node node) {
+    node.asExpr().(ObjectCreation).getObjectType() instanceof Dapper::CommandDefinitionStruct
+  }
+
+  override predicate isSink(DataFlow::Node node) {
+    exists(MethodCall mc |
+      mc.getTarget() = any(Dapper::SqlMapperClass c).getAQueryMethod() and
+      node.asExpr() = mc.getArgumentForName("command")
+    )
+  }
+}

csharp/ql/test/query-tests/Security Features/CWE-089/SqlInjection.expected

@@ -5,6 +5,13 @@ edges
 | SqlInjection.cs:73:33:73:52 | access to property Text : String | SqlInjection.cs:74:56:74:61 | access to local variable query1 |
 | SqlInjection.cs:73:33:73:52 | access to property Text : String | SqlInjection.cs:75:55:75:60 | access to local variable query1 |
 | SqlInjection.cs:87:21:87:29 | access to property Text : String | SqlInjection.cs:88:50:88:55 | access to local variable query1 |
+| SqlInjectionDapper.cs:20:86:20:94 | access to property Text : String | SqlInjectionDapper.cs:21:55:21:59 | access to local variable query |
+| SqlInjectionDapper.cs:29:86:29:94 | access to property Text : String | SqlInjectionDapper.cs:30:66:30:70 | access to local variable query |
+| SqlInjectionDapper.cs:38:86:38:94 | access to property Text : String | SqlInjectionDapper.cs:39:63:39:67 | access to local variable query |
+| SqlInjectionDapper.cs:47:86:47:94 | access to property Text : String | SqlInjectionDapper.cs:49:47:49:51 | access to local variable query |
+| SqlInjectionDapper.cs:57:86:57:94 | access to property Text : String | SqlInjectionDapper.cs:58:42:58:46 | access to local variable query |
+| SqlInjectionDapper.cs:66:86:66:94 | access to property Text : String | SqlInjectionDapper.cs:67:42:67:46 | access to local variable query |
+| SqlInjectionDapper.cs:75:86:75:94 | access to property Text : String | SqlInjectionDapper.cs:77:52:77:56 | access to local variable query |
 nodes
 | SqlInjection.cs:38:21:38:35 | access to field categoryTextBox : TextBox | semmle.label | access to field categoryTextBox : TextBox |
 | SqlInjection.cs:38:21:38:40 | access to property Text : String | semmle.label | access to property Text : String |
@@ -15,8 +22,29 @@ nodes
 | SqlInjection.cs:75:55:75:60 | access to local variable query1 | semmle.label | access to local variable query1 |
 | SqlInjection.cs:87:21:87:29 | access to property Text : String | semmle.label | access to property Text : String |
 | SqlInjection.cs:88:50:88:55 | access to local variable query1 | semmle.label | access to local variable query1 |
+| SqlInjectionDapper.cs:20:86:20:94 | access to property Text : String | semmle.label | access to property Text : String |
+| SqlInjectionDapper.cs:21:55:21:59 | access to local variable query | semmle.label | access to local variable query |
+| SqlInjectionDapper.cs:29:86:29:94 | access to property Text : String | semmle.label | access to property Text : String |
+| SqlInjectionDapper.cs:30:66:30:70 | access to local variable query | semmle.label | access to local variable query |
+| SqlInjectionDapper.cs:38:86:38:94 | access to property Text : String | semmle.label | access to property Text : String |
+| SqlInjectionDapper.cs:39:63:39:67 | access to local variable query | semmle.label | access to local variable query |
+| SqlInjectionDapper.cs:47:86:47:94 | access to property Text : String | semmle.label | access to property Text : String |
+| SqlInjectionDapper.cs:49:47:49:51 | access to local variable query | semmle.label | access to local variable query |
+| SqlInjectionDapper.cs:57:86:57:94 | access to property Text : String | semmle.label | access to property Text : String |
+| SqlInjectionDapper.cs:58:42:58:46 | access to local variable query | semmle.label | access to local variable query |
+| SqlInjectionDapper.cs:66:86:66:94 | access to property Text : String | semmle.label | access to property Text : String |
+| SqlInjectionDapper.cs:67:42:67:46 | access to local variable query | semmle.label | access to local variable query |
+| SqlInjectionDapper.cs:75:86:75:94 | access to property Text : String | semmle.label | access to property Text : String |
+| SqlInjectionDapper.cs:77:52:77:56 | access to local variable query | semmle.label | access to local variable query |
 #select
 | SqlInjection.cs:39:50:39:55 | access to local variable query1 | SqlInjection.cs:38:21:38:35 | access to field categoryTextBox : TextBox | SqlInjection.cs:39:50:39:55 | access to local variable query1 | Query might include code from $@. | SqlInjection.cs:38:21:38:35 | access to field categoryTextBox : TextBox | this ASP.NET user input |
 | SqlInjection.cs:74:56:74:61 | access to local variable query1 | SqlInjection.cs:73:33:73:47 | access to field categoryTextBox : TextBox | SqlInjection.cs:74:56:74:61 | access to local variable query1 | Query might include code from $@. | SqlInjection.cs:73:33:73:47 | access to field categoryTextBox : TextBox | this ASP.NET user input |
 | SqlInjection.cs:75:55:75:60 | access to local variable query1 | SqlInjection.cs:73:33:73:47 | access to field categoryTextBox : TextBox | SqlInjection.cs:75:55:75:60 | access to local variable query1 | Query might include code from $@. | SqlInjection.cs:73:33:73:47 | access to field categoryTextBox : TextBox | this ASP.NET user input |
 | SqlInjection.cs:88:50:88:55 | access to local variable query1 | SqlInjection.cs:87:21:87:29 | access to property Text : String | SqlInjection.cs:88:50:88:55 | access to local variable query1 | Query might include code from $@. | SqlInjection.cs:87:21:87:29 | access to property Text : String | this TextBox text |
+| SqlInjectionDapper.cs:21:55:21:59 | access to local variable query | SqlInjectionDapper.cs:20:86:20:94 | access to property Text : String | SqlInjectionDapper.cs:21:55:21:59 | access to local variable query | Query might include code from $@. | SqlInjectionDapper.cs:20:86:20:94 | access to property Text : String | this TextBox text |
+| SqlInjectionDapper.cs:30:66:30:70 | access to local variable query | SqlInjectionDapper.cs:29:86:29:94 | access to property Text : String | SqlInjectionDapper.cs:30:66:30:70 | access to local variable query | Query might include code from $@. | SqlInjectionDapper.cs:29:86:29:94 | access to property Text : String | this TextBox text |
+| SqlInjectionDapper.cs:39:63:39:67 | access to local variable query | SqlInjectionDapper.cs:38:86:38:94 | access to property Text : String | SqlInjectionDapper.cs:39:63:39:67 | access to local variable query | Query might include code from $@. | SqlInjectionDapper.cs:38:86:38:94 | access to property Text : String | this TextBox text |
+| SqlInjectionDapper.cs:49:47:49:51 | access to local variable query | SqlInjectionDapper.cs:47:86:47:94 | access to property Text : String | SqlInjectionDapper.cs:49:47:49:51 | access to local variable query | Query might include code from $@. | SqlInjectionDapper.cs:47:86:47:94 | access to property Text : String | this TextBox text |
+| SqlInjectionDapper.cs:58:42:58:46 | access to local variable query | SqlInjectionDapper.cs:57:86:57:94 | access to property Text : String | SqlInjectionDapper.cs:58:42:58:46 | access to local variable query | Query might include code from $@. | SqlInjectionDapper.cs:57:86:57:94 | access to property Text : String | this TextBox text |
+| SqlInjectionDapper.cs:67:42:67:46 | access to local variable query | SqlInjectionDapper.cs:66:86:66:94 | access to property Text : String | SqlInjectionDapper.cs:67:42:67:46 | access to local variable query | Query might include code from $@. | SqlInjectionDapper.cs:66:86:66:94 | access to property Text : String | this TextBox text |
+| SqlInjectionDapper.cs:77:52:77:56 | access to local variable query | SqlInjectionDapper.cs:75:86:75:94 | access to property Text : String | SqlInjectionDapper.cs:77:52:77:56 | access to local variable query | Query might include code from $@. | SqlInjectionDapper.cs:75:86:75:94 | access to property Text : String | this TextBox text |

csharp/ql/test/query-tests/Security Features/CWE-089/SqlInjectionDapper.cs

@@ -79,6 +79,17 @@ public async Task Bad07()
             }
         }
 
+        public async Task Ok07()
+        {
+            using (var connection = new SqlConnection(connectionString))
+            {
+                var query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + box1.Text + "' ORDER BY PRICE";
+
+                var comDef = new CommandDefinition(query);
+                // no call to any query method
+            }
+        }
+
         System.Windows.Forms.TextBox box1;
     }
 }