Merge pull request github#13093 from GeekMasher/csharp-ext

jcogs33 · web-flow · commit 3fed2798c856 · 2023-06-22T10:22:32.000-04:00
[CSharp] Additional data extensions for sink models
diff --git a/csharp/ql/lib/change-notes/2023-05-09-models-as-data.md b/csharp/ql/lib/change-notes/2023-05-09-models-as-data.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Additional support for `command-injection`, `ldap-injection`, `log-injection`, and `url-redirection` sink kinds for Models as Data.
diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/CommandInjectionQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/CommandInjectionQuery.qll
@@ -6,6 +6,7 @@ import csharp
 private import semmle.code.csharp.security.dataflow.flowsources.Remote
 private import semmle.code.csharp.frameworks.system.Diagnostics
 private import semmle.code.csharp.security.Sanitizers
+private import semmle.code.csharp.dataflow.ExternalFlow
 
 /**
  * A source specific to command injection vulnerabilities.
@@ -66,6 +67,11 @@ module CommandInjection = TaintTracking::Global<CommandInjectionConfig>;
 /** A source of remote user input. */
 class RemoteSource extends Source instanceof RemoteFlowSource { }
 
+/** Command Injection sinks defined through Models as Data. */
+private class ExternalCommandInjectionExprSink extends Sink {
+  ExternalCommandInjectionExprSink() { sinkNode(this, "command-injection") }
+}
+
 /**
  * A sink in `System.Diagnostic.Process` or its related classes.
  */
diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/LDAPInjectionQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/LDAPInjectionQuery.qll
@@ -8,6 +8,7 @@ private import semmle.code.csharp.security.dataflow.flowsources.Remote
 private import semmle.code.csharp.frameworks.system.DirectoryServices
 private import semmle.code.csharp.frameworks.system.directoryservices.Protocols
 private import semmle.code.csharp.security.Sanitizers
+private import semmle.code.csharp.dataflow.ExternalFlow
 
 /**
  * A data flow source for unvalidated user input that is used to construct LDAP queries.
@@ -68,6 +69,11 @@ module LdapInjection = TaintTracking::Global<LdapInjectionConfig>;
 /** A source of remote user input. */
 class RemoteSource extends Source instanceof RemoteFlowSource { }
 
+/** LDAP sinks defined through Models as Data. */
+private class ExternalLdapExprSink extends Sink {
+  ExternalLdapExprSink() { sinkNode(this, "ldap-injection") }
+}
+
 /**
  * An argument that sets the `Path` property of a `DirectoryEntry` object that is a sink for LDAP
  * injection.
diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/LogForgingQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/LogForgingQuery.qll
@@ -8,6 +8,7 @@ private import semmle.code.csharp.frameworks.System
 private import semmle.code.csharp.frameworks.system.text.RegularExpressions
 private import semmle.code.csharp.security.Sanitizers
 private import semmle.code.csharp.security.dataflow.flowsinks.ExternalLocationSink
+private import semmle.code.csharp.dataflow.ExternalFlow
 
 /**
  * A data flow source for untrusted user input used in log entries.
@@ -72,6 +73,11 @@ private class LogForgingLogMessageSink extends Sink, LogMessageSink { }
  */
 private class LogForgingTraceMessageSink extends Sink, TraceMessageSink { }
 
+/** Log Forging sinks defined through Models as Data. */
+private class ExternalLoggingExprSink extends Sink {
+  ExternalLoggingExprSink() { sinkNode(this, "log-injection") }
+}
+
 /**
  * A call to String replace or remove that is considered to sanitize replaced string.
  */
diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/UrlRedirectQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/UrlRedirectQuery.qll
@@ -9,6 +9,7 @@ private import semmle.code.csharp.frameworks.system.Web
 private import semmle.code.csharp.frameworks.system.web.Mvc
 private import semmle.code.csharp.security.Sanitizers
 private import semmle.code.csharp.frameworks.microsoft.AspNetCore
+private import semmle.code.csharp.dataflow.ExternalFlow
 
 /**
  * A data flow source for unvalidated URL redirect vulnerabilities.
@@ -70,6 +71,11 @@ module UrlRedirect = TaintTracking::Global<UrlRedirectConfig>;
 /** A source of remote user input. */
 class RemoteSource extends Source instanceof RemoteFlowSource { }
 
+/** URL Redirection sinks defined through Models as Data. */
+private class ExternalUrlRedirectExprSink extends Sink {
+  ExternalUrlRedirectExprSink() { sinkNode(this, "url-redirection") }
+}
+
 /**
  * A URL argument to a call to `HttpResponse.Redirect()` or `Controller.Redirect()`, that is a
  * sink for URL redirects.

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: minorAnalysis
 +---
 +* Additional support for `command-injection`, `ldap-injection`, `log-injection`, and `url-redirection` sink kinds for Models as Data.