Merge pull request github#18123 from egregius313/egregius313/csharp/ijsruntime-models

egregius313 · web-flow · commit 418ab4b22a60 · 2024-11-28T08:58:23.000-05:00
C#: Add `js-interop` sinks for `Microsoft.JSInterop.IJSRuntime`
diff --git a/csharp/ql/lib/change-notes/2024-11-26-model-microsoft.jsinterop.ijsruntime.md b/csharp/ql/lib/change-notes/2024-11-26-model-microsoft.jsinterop.ijsruntime.md
@@ -0,0 +1,5 @@
+---
+category: minorAnalysis
+---
+* Added `js-interop` sinks for the `InvokeAsync` and `InvokeVoidAsync` methods of `Microsoft.JSInterop.IJSRuntime`, which can run arbitrary JavaScript. 
+
diff --git a/csharp/ql/lib/ext/Microsoft.JSInterop.model.yml b/csharp/ql/lib/ext/Microsoft.JSInterop.model.yml
@@ -0,0 +1,7 @@
+extensions:
+  - addsTo:
+      pack: codeql/csharp-all
+      extensible: sinkModel
+    data:
+      - ["Microsoft.JSInterop", "JSRuntimeExtensions", True, "InvokeAsync<TValue>", "", "", "Argument[1]", "js-injection", "manual"]
+      - ["Microsoft.JSInterop", "JSRuntimeExtensions", True, "InvokeVoidAsync", "", "", "Argument[1]", "js-injection", "manual"]
diff --git a/csharp/ql/test/library-tests/dataflow/library/FlowSummaries.expected b/csharp/ql/test/library-tests/dataflow/library/FlowSummaries.expected
@@ -256,6 +256,12 @@ sink
 | Microsoft.EntityFrameworkCore;RelationalDatabaseFacadeExtensions;ExecuteSqlRawAsync;(Microsoft.EntityFrameworkCore.Infrastructure.DatabaseFacade,System.String,System.Object[]);Argument[1];sql-injection;manual |
 | Microsoft.EntityFrameworkCore;RelationalDatabaseFacadeExtensions;ExecuteSqlRawAsync;(Microsoft.EntityFrameworkCore.Infrastructure.DatabaseFacade,System.String,System.Threading.CancellationToken);Argument[1];sql-injection;manual |
 | Microsoft.EntityFrameworkCore;RelationalQueryableExtensions;FromSqlRaw<TEntity>;(Microsoft.EntityFrameworkCore.DbSet<TEntity>,System.String,System.Object[]);Argument[1];sql-injection;manual |
+| Microsoft.JSInterop;JSRuntimeExtensions;InvokeAsync<TValue>;(Microsoft.JSInterop.IJSRuntime,System.String,System.Object[]);Argument[1];js-injection;manual |
+| Microsoft.JSInterop;JSRuntimeExtensions;InvokeAsync<TValue>;(Microsoft.JSInterop.IJSRuntime,System.String,System.Threading.CancellationToken,System.Object[]);Argument[1];js-injection;manual |
+| Microsoft.JSInterop;JSRuntimeExtensions;InvokeAsync<TValue>;(Microsoft.JSInterop.IJSRuntime,System.String,System.TimeSpan,System.Object[]);Argument[1];js-injection;manual |
+| Microsoft.JSInterop;JSRuntimeExtensions;InvokeVoidAsync;(Microsoft.JSInterop.IJSRuntime,System.String,System.Object[]);Argument[1];js-injection;manual |
+| Microsoft.JSInterop;JSRuntimeExtensions;InvokeVoidAsync;(Microsoft.JSInterop.IJSRuntime,System.String,System.Threading.CancellationToken,System.Object[]);Argument[1];js-injection;manual |
+| Microsoft.JSInterop;JSRuntimeExtensions;InvokeVoidAsync;(Microsoft.JSInterop.IJSRuntime,System.String,System.TimeSpan,System.Object[]);Argument[1];js-injection;manual |
 | ServiceStack.Messaging;BackgroundMqClient;SendAllOneWay;(System.Collections.Generic.IEnumerable<System.Object>);Argument[1].Element;file-content-store;manual |
 | ServiceStack.Messaging;BackgroundMqClient;SendOneWay;(System.Object);Argument[0];file-content-store;manual |
 | ServiceStack.Messaging;BackgroundMqClient;SendOneWay;(System.String,System.Object);Argument[1];file-content-store;manual |

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +category: minorAnalysis
 +---
 +* Added `js-interop` sinks for the `InvokeAsync` and `InvokeVoidAsync` methods of `Microsoft.JSInterop.IJSRuntime`, which can run arbitrary JavaScript.
++