Skip to content

Commit 9b855c3

Browse files
michaelnebelmichaelnebel
authored
Merge pull request github#9043 from michaelnebel/csharp/xml-injection-path
C#: Convert xml injection query to a path problem.
2 parents 176e40f + 3c347ca commit 9b855c3

File tree

2 files changed

+13
-5
lines changed

2 files changed

+13
-5
lines changed

csharp/ql/src/Security Features/CWE-091/XMLInjection.ql

Lines changed: 5 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -2,7 +2,7 @@
22
* @name XML injection
33
* @description Building an XML document from user-controlled sources is vulnerable to insertion of
44
* malicious code by the user.
5-
* @kind problem
5+
* @kind path-problem
66
* @id cs/xml-injection
77
* @problem.severity error
88
* @security-severity 8.8
@@ -12,6 +12,7 @@
1212
*/
1313

1414
import csharp
15+
import DataFlow::PathGraph
1516
import semmle.code.csharp.security.dataflow.flowsources.Remote
1617
import semmle.code.csharp.frameworks.system.Xml
1718

@@ -45,6 +46,6 @@ class TaintTrackingConfiguration extends TaintTracking::Configuration {
4546
}
4647
}
4748

48-
from TaintTrackingConfiguration c, DataFlow::Node source, DataFlow::Node sink
49-
where c.hasFlow(source, sink)
50-
select sink, "$@ flows to here and is inserted as XML.", source, "User-provided value"
49+
from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
50+
where c.hasFlowPath(source, sink)
51+
select sink, source, sink, "$@ flows to here and is inserted as XML.", source, "User-provided value"

csharp/ql/test/query-tests/Security Features/CWE-091/XMLInjection/XMLInjection.expected

Lines changed: 8 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1 +1,8 @@
1-
| Test.cs:15:25:15:80 | ... + ... | $@ flows to here and is inserted as XML. | Test.cs:8:27:8:49 | access to property QueryString | User-provided value |
1+
edges
2+
| Test.cs:8:27:8:49 | access to property QueryString : NameValueCollection | Test.cs:15:25:15:80 | ... + ... |
3+
nodes
4+
| Test.cs:8:27:8:49 | access to property QueryString : NameValueCollection | semmle.label | access to property QueryString : NameValueCollection |
5+
| Test.cs:15:25:15:80 | ... + ... | semmle.label | ... + ... |
6+
subpaths
7+
#select
8+
| Test.cs:15:25:15:80 | ... + ... | Test.cs:8:27:8:49 | access to property QueryString : NameValueCollection | Test.cs:15:25:15:80 | ... + ... | $@ flows to here and is inserted as XML. | Test.cs:8:27:8:49 | access to property QueryString : NameValueCollection | User-provided value |

0 commit comments

Comments
 (0)