Merge pull request #117 from microsoft/SqlConnFP_fix

Fixing a false positive in cs/insecure-sql-connection

Author: raulgarciamsft

csharp/ql/src/Security Features/CWE-327/InsecureSQLConnection.ql

@@ -12,6 +12,7 @@
 
 import csharp
 import InsecureSqlConnection::PathGraph
+import InsecureSQLConnection
 
 class Source extends DataFlow::Node {
   string sourcestring;
@@ -48,6 +49,11 @@ class Sink extends DataFlow::Node {
 predicate isEncryptTrue(Source source, Sink sink) {
   sink.isEncryptedByDefault() and
   not source.setsEncryptFalse()
+  or
+  exists(ObjectCreation oc, Expr e | oc.getRuntimeArgument(0) = sink.asExpr() |
+    getInfoForInitializedConnEncryption(oc, e) and
+    e.getValue().toLowerCase() = "true"
+  )
 }
 
 /**

csharp/ql/src/Security Features/CWE-327/InsecureSQLConnection.qll

@@ -0,0 +1,11 @@
+import csharp
+
+/**
+ * Holds if `ObjectCreation` has an initializer for a member named `Encrypt`, set to `e`
+ */
+predicate getInfoForInitializedConnEncryption(ObjectCreation oc, Expr e) {
+  exists(MemberInitializer mi | mi.getInitializedMember().hasName("Encrypt") |
+    e = mi.getRValue() and
+    oc.getInitializer().(ObjectInitializer).getAMemberInitializer() = mi
+  )
+}

csharp/ql/src/Security Features/CWE-327/InsecureSQLConnectionInitializer.qhelp

@@ -0,0 +1,45 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+
+  <p>
+    SQL Server connections where the client is not enforcing the encryption in transit are susceptible to multiple attacks, including a man-in-the-middle, that would potentially compromise the user credentials and/or the TDS session.
+  </p>
+
+</overview>
+<recommendation>
+
+<p>Ensure that the client code enforces the <code>Encrypt</code> option by setting it to <code>true</code> in the connection string or as a property.</p>
+<p>Explicitly setting the property <code>Encrypt</code> to <code>false</code> will result in unprotected connections.</p>
+
+</recommendation>
+<example>
+
+<p>The following example shows a SQL connection string that is explicitly disabling the <code>Encrypt</code> setting.</p>
+
+<sample src="InsecureSQLConnectionInitializerBad.cs" />
+
+  <p>
+    The following example shows a SQL connection string that is explicitly enabling the <code>Encrypt</code> setting to force encryption in transit.
+  </p>
+
+  <sample src="InsecureSQLConnectionInitializerGood.cs" />
+
+</example>
+<references>
+  <li>Microsoft, SQL Protocols blog: 
+    <a href="https://blogs.msdn.microsoft.com/sql_protocols/2009/10/19/selectively-using-secure-connection-to-sql-server/">Selectively using secure connection to SQL Server</a>.
+  </li>
+  <li>Microsoft:
+    <a href="https://msdn.microsoft.com/en-us/library/system.data.sqlclient.sqlconnection.connectionstring(v=vs.110).aspx">SqlConnection.ConnectionString Property</a>.
+  </li>
+  <li>Microsoft: 
+    <a href="https://msdn.microsoft.com/en-us/library/ms130822.aspx">Using Connection String Keywords with SQL Server Native Client</a>.
+  </li>
+  <li>Microsoft: 
+    <a href="https://msdn.microsoft.com/en-us/library/ms378988(v=sql.110).aspx">Setting the connection properties</a>.
+  </li>
+</references>
+</qhelp>

csharp/ql/src/Security Features/CWE-327/InsecureSQLConnectionInitializer.ql

@@ -0,0 +1,48 @@
+/**
+ * @name Insecure SQL connection in Initializer
+ * @description Using an SQL Server connection without enforcing encryption is a security vulnerability.
+ *              This rule variant will flag when the `encrypt` property is explicitly set to `false` during the object initializer
+ * @kind path-problem
+ * @id cs/insecure-sql-connection-initializer
+ * @problem.severity error
+ * @security-severity 7.5
+ * @precision medium
+ * @tags security
+ *       external/cwe/cwe-327
+ */
+
+import csharp
+import InsecureSqlConnectionInitialize::PathGraph
+import InsecureSQLConnection
+
+class Source extends DataFlow::Node {
+  Source() { this.asExpr().(BoolLiteral).getBoolValue() = false }
+}
+
+class Sink extends DataFlow::Node {
+  Sink() { getInfoForInitializedConnEncryption(_, this.asExpr()) }
+}
+
+/**
+ * A data flow configuration for tracking strings passed to `SqlConnection[StringBuilder]` instances.
+ */
+module InsecureSqlConnectionInitializeConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+}
+
+/**
+ * A data flow configuration for tracking strings passed to `SqlConnection[StringBuilder]` instances.
+ */
+module InsecureSqlConnectionInitialize = DataFlow::Global<InsecureSqlConnectionInitializeConfig>;
+
+from
+  ObjectCreation oc, InsecureSqlConnectionInitialize::PathNode source,
+  InsecureSqlConnectionInitialize::PathNode sink
+where
+  InsecureSqlConnectionInitialize::flowPath(source, sink) and
+  getInfoForInitializedConnEncryption(oc, sink.getNode().asExpr())
+select sink.getNode(), source, sink,
+  "A value evaluating to $@ flows to $@ and sets the `encrypt` property.", source.getNode(),
+  "`false`", oc, "this SQL connection initializer"

csharp/ql/src/Security Features/CWE-327/InsecureSQLConnectionInitializerBad.cs

@@ -0,0 +1,7 @@
+using System.Data.SqlClient;
+
+// BAD, Encrypt not specified
+string connectString =
+    "Server=1.2.3.4;Database=Anything;Integrated Security=true;";
+var builder = new SqlConnectionStringBuilder(connectString) { Encrypt = false }
+var conn = new SqlConnection(builder.ConnectionString);

csharp/ql/src/Security Features/CWE-327/InsecureSQLConnectionInitializerGood.cs

@@ -0,0 +1,7 @@
+using System.Data.SqlClient;
+
+// BAD, Encrypt not specified
+string connectString =
+    "Server=1.2.3.4;Database=Anything;Integrated Security=true;";
+var builder = new SqlConnectionStringBuilder(connectString) { Encrypt = true }
+var conn = new SqlConnection(builder.ConnectionString);

csharp/ql/test/query-tests/Security Features/CWE-327/InsecureSQLConnection/InsecureSQLConnection.cs

@@ -34,9 +34,9 @@ public void StringInBuilderProperty()
         public void StringInInitializer()
         {
             string connectString = "Server=1.2.3.4;Database=Anything;UID=ab;Pwd=cd;Encrypt=false";
-            SqlConnectionStringBuilder conBuilder = new SqlConnectionStringBuilder(connectString) { Encrypt = true};
+            SqlConnectionStringBuilder conBuilder = new SqlConnectionStringBuilder(connectString) { Encrypt = true };
         }
-        
+
 
         public void TriggerThis()
         {

csharp/ql/test/query-tests/Security Features/CWE-327/InsecureSQLConnection/InsecureSQLConnection.expected

@@ -1,9 +1,14 @@
 edges
+| InsecureSQLConnection.cs:36:20:36:32 | access to local variable connectString : String | InsecureSQLConnection.cs:37:84:37:96 | access to local variable connectString | provenance |  |
+| InsecureSQLConnection.cs:36:36:36:97 | "Server=1.2.3.4;Database=Anything;UID=ab;Pwd=cd;Encrypt=false" : String | InsecureSQLConnection.cs:36:20:36:32 | access to local variable connectString : String | provenance |  |
 | InsecureSQLConnection.cs:49:20:49:32 | access to local variable connectString : String | InsecureSQLConnection.cs:52:81:52:93 | access to local variable connectString | provenance |  |
 | InsecureSQLConnection.cs:50:17:50:64 | "Server=1.2.3.4;Database=Anything;UID=ab;Pwd=cd" : String | InsecureSQLConnection.cs:49:20:49:32 | access to local variable connectString : String | provenance |  |
 | InsecureSQLConnection.cs:58:20:58:32 | access to local variable connectString : String | InsecureSQLConnection.cs:61:81:61:93 | access to local variable connectString | provenance |  |
 | InsecureSQLConnection.cs:59:17:59:78 | "Server=1.2.3.4;Database=Anything;UID=ab;Pwd=cd;Encrypt=false" : String | InsecureSQLConnection.cs:58:20:58:32 | access to local variable connectString : String | provenance |  |
 nodes
+| InsecureSQLConnection.cs:36:20:36:32 | access to local variable connectString : String | semmle.label | access to local variable connectString : String |
+| InsecureSQLConnection.cs:36:36:36:97 | "Server=1.2.3.4;Database=Anything;UID=ab;Pwd=cd;Encrypt=false" : String | semmle.label | "Server=1.2.3.4;Database=Anything;UID=ab;Pwd=cd;Encrypt=false" : String |
+| InsecureSQLConnection.cs:37:84:37:96 | access to local variable connectString | semmle.label | access to local variable connectString |
 | InsecureSQLConnection.cs:44:52:44:128 | "Server=myServerName\\myInstanceName;Database=myDataBase;User Id=myUsername;" | semmle.label | "Server=myServerName\\myInstanceName;Database=myDataBase;User Id=myUsername;" |
 | InsecureSQLConnection.cs:49:20:49:32 | access to local variable connectString : String | semmle.label | access to local variable connectString : String |
 | InsecureSQLConnection.cs:50:17:50:64 | "Server=1.2.3.4;Database=Anything;UID=ab;Pwd=cd" : String | semmle.label | "Server=1.2.3.4;Database=Anything;UID=ab;Pwd=cd" : String |

csharp/ql/test/query-tests/Security Features/CWE-327/InsecureSQLConnectionInitializer/InsecureSQLConnectionInitializer.cs

@@ -0,0 +1,43 @@
+namespace System.Data.SqlClient
+{
+    public sealed class SqlConnectionStringBuilder
+    {
+        public bool Encrypt { get; set; }
+        public SqlConnectionStringBuilder(string connectionString) { }
+    }
+
+}
+
+namespace InsecureSQLConnection
+{
+    public class Class1
+    {
+        void Test6()
+        {
+            string connectString = "Server=1.2.3.4;Database=Anything;UID=ab;Pwd=cd;Encrypt=false";
+            var conn = new System.Data.SqlClient.SqlConnectionStringBuilder(connectString) { Encrypt = false };    // Bug - cs/insecure-sql-connection-initializer
+        }
+
+        void Test72ndPhase(bool encrypt)
+        {
+            string connectString = "Server=1.2.3.4;Database=Anything;UID=ab;Pwd=cd;Encrypt=false";
+            var conn = new System.Data.SqlClient.SqlConnectionStringBuilder(connectString) { Encrypt = encrypt };    // Bug - cs/insecure-sql-connection-initializer (sink)
+        }
+
+        void Test7()
+        {
+            Test72ndPhase(false);    // Bug - cs/insecure-sql-connection-initializer (source)
+        }
+
+        void Test7FP()
+        {
+            Test72ndPhase(true);    // Not a bug source
+        }
+
+        void Test8FP()
+        {
+            string connectString = "Server=1.2.3.4;Database=Anything;UID=ab;Pwd=cd;Encrypt=false";
+            var conn = new System.Data.SqlClient.SqlConnectionStringBuilder(connectString) { Encrypt = true };
+        }
+    }
+}

csharp/ql/test/query-tests/Security Features/CWE-327/InsecureSQLConnectionInitializer/InsecureSQLConnectionInitializer.expected

@@ -0,0 +1,12 @@
+edges
+| InsecureSQLConnectionInitializer.cs:21:33:21:39 | encrypt : Boolean | InsecureSQLConnectionInitializer.cs:24:104:24:110 | access to parameter encrypt | provenance |  |
+| InsecureSQLConnectionInitializer.cs:29:27:29:31 | false : Boolean | InsecureSQLConnectionInitializer.cs:21:33:21:39 | encrypt : Boolean | provenance |  |
+nodes
+| InsecureSQLConnectionInitializer.cs:18:104:18:108 | false | semmle.label | false |
+| InsecureSQLConnectionInitializer.cs:21:33:21:39 | encrypt : Boolean | semmle.label | encrypt : Boolean |
+| InsecureSQLConnectionInitializer.cs:24:104:24:110 | access to parameter encrypt | semmle.label | access to parameter encrypt |
+| InsecureSQLConnectionInitializer.cs:29:27:29:31 | false : Boolean | semmle.label | false : Boolean |
+subpaths
+#select
+| InsecureSQLConnectionInitializer.cs:18:104:18:108 | false | InsecureSQLConnectionInitializer.cs:18:104:18:108 | false | InsecureSQLConnectionInitializer.cs:18:104:18:108 | false | A value evaluating to $@ flows to $@ and sets the `encrypt` property. | InsecureSQLConnectionInitializer.cs:18:104:18:108 | false | `false` | InsecureSQLConnectionInitializer.cs:18:24:18:110 | object creation of type SqlConnectionStringBuilder | this SQL connection initializer |
+| InsecureSQLConnectionInitializer.cs:24:104:24:110 | access to parameter encrypt | InsecureSQLConnectionInitializer.cs:29:27:29:31 | false : Boolean | InsecureSQLConnectionInitializer.cs:24:104:24:110 | access to parameter encrypt | A value evaluating to $@ flows to $@ and sets the `encrypt` property. | InsecureSQLConnectionInitializer.cs:29:27:29:31 | false | `false` | InsecureSQLConnectionInitializer.cs:24:24:24:112 | object creation of type SqlConnectionStringBuilder | this SQL connection initializer |