move logic to qlls

Author: chanel-y

powershell/ql/lib/semmle/code/powershell/security/UnsafeDeserializationCustomizations.qll

@@ -0,0 +1,53 @@
+/**
+ * Provides default sources, sinks and sanitizers for reasoning about
+ * unsafe deserialization vulnerabilities, as well as extension points for
+ * adding your own.
+ */
+
+private import semmle.code.powershell.dataflow.DataFlow
+import semmle.code.powershell.ApiGraphs
+private import semmle.code.powershell.dataflow.flowsources.FlowSources
+private import semmle.code.powershell.Cfg
+
+module UnsafeDeserialization {
+  /**
+   * A data flow source for SQL-injection vulnerabilities.
+   */
+  abstract class Source extends DataFlow::Node {
+    /** Gets a string that describes the type of this flow source. */
+    abstract string getSourceType();
+  }
+
+  /**
+   * A data flow sink for SQL-injection vulnerabilities.
+   */
+  abstract class Sink extends DataFlow::Node {
+    /** Gets a description of this sink. */
+    abstract string getSinkType();
+
+  }
+
+  /**
+   * A sanitizer for Unsafe Deserialization vulnerabilities.
+   */
+  abstract class Sanitizer extends DataFlow::Node { }
+
+  /** A source of user input, considered as a flow source for unsafe deserialization. */
+  class FlowSourceAsSource extends Source instanceof SourceNode {
+    override string getSourceType() { result = SourceNode.super.getSourceType() }
+  }
+
+  class BinaryFormatterDeserializeSink extends Sink {
+    BinaryFormatterDeserializeSink() {
+      exists(DataFlow::ObjectCreationNode ocn, DataFlow::CallNode cn | 
+        cn.getQualifier().getALocalSource() = ocn and 
+        ocn.getExprNode().getExpr().(CallExpr).getAnArgument().getValue().asString() = "System.Runtime.Serialization.Formatters.Binary.BinaryFormatter" and
+        cn.getLowerCaseName() = "deserialize" and
+        cn.getAnArgument() = this
+    )
+    }
+
+    override string getSinkType() { result = "call to BinaryFormatter.Deserialize" }
+
+  }
+}

powershell/ql/lib/semmle/code/powershell/security/UnsafeDeserializationQuery.qll

@@ -0,0 +1,28 @@
+/**
+ * Provides a taint tracking configuration for reasoning about
+ * deserialization vulnerabilities (CWE-502).
+ *
+ * Note, for performance reasons: only import this file if
+ * `UnsafeDeserializationFlow` is needed, otherwise
+ * `UnsafeDeserializationCustomizations` should be imported instead.
+ */
+
+import powershell
+import semmle.code.powershell.dataflow.flowsources.FlowSources
+import semmle.code.powershell.dataflow.DataFlow
+import semmle.code.powershell.dataflow.TaintTracking
+import UnsafeDeserializationCustomizations::UnsafeDeserialization
+
+module Config implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+  predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo){
+    exists(InvokeMemberExpr ime | 
+        nodeTo.asExpr().getExpr() = ime and 
+        nodeFrom.asExpr().getExpr() = ime.getAnArgument()
+    )
+  }
+}
+
+module UnsafeDeserializationFlow = TaintTracking::Global<Config>; 

powershell/ql/src/queries/security/cwe-502/BinaryFormatterDeserialization.ql

@@ -12,12 +12,7 @@
  */
 
 import powershell
-import semmle.code.powershell.dataflow.DataFlow
-import semmle.code.powershell.dataflow.TaintTracking
+import semmle.code.powershell.security.UnsafeDeserializationCustomizations::UnsafeDeserialization
 
-from DataFlow::ObjectCreationNode source, DataFlow::CallNode cn 
-where
-source.getExprNode().getExpr().(CallExpr).getAnArgument().getValue().asString() = "System.Runtime.Serialization.Formatters.Binary.BinaryFormatter" and
-cn.getQualifier().getALocalSource() = source and 
-cn.getLowerCaseName() = "deserialize" 
-select cn, "Call to BinaryFormatter.Deserialize"
+from BinaryFormatterDeserializeSink sink
+select sink, "Call to BinaryFormatter.Deserialize"

powershell/ql/src/queries/security/cwe-502/UnsafeDeserialization.ql

@@ -2,7 +2,7 @@
  * @name Unsafe deserializer
  * @description Calling an unsafe deserializer with data controlled by an attacker
  *              can lead to denial of service and other security problems.
- * @kind problem
+ * @kind path-problem
  * @problem.severity error
  * @security-severity 8.8
  * @precision high
@@ -13,31 +13,14 @@
  */
 
 import powershell
-import semmle.code.powershell.dataflow.flowsources.FlowSources
-import semmle.code.powershell.dataflow.DataFlow
-import semmle.code.powershell.dataflow.TaintTracking
+import semmle.code.powershell.security.UnsafeDeserializationQuery
+import UnsafeDeserializationFlow::PathGraph
 
-module DeserializationConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof SourceNode }
-
-  predicate isSink(DataFlow::Node sink) { 
-    exists(DataFlow::ObjectCreationNode ocn, DataFlow::CallNode cn | 
-        cn.getQualifier().getALocalSource() = ocn and 
-        ocn.getExprNode().getExpr().(CallExpr).getAnArgument().getValue().asString() = "System.Runtime.Serialization.Formatters.Binary.BinaryFormatter" and
-        cn.getLowerCaseName() = "deserialize" and
-        cn.getAnArgument() = sink
-    )
-  }
-  predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo){
-    exists(InvokeMemberExpr ime | 
-        nodeTo.asExpr().getExpr() = ime and 
-        nodeFrom.asExpr().getExpr() = ime.getAnArgument()
-    )
-  }
-}
-
-module DeserializationFlow = TaintTracking::Global<DeserializationConfig>; 
-
-from DataFlow::Node source, DataFlow::Node sink
-where DeserializationFlow::flow(source, sink)
-select sink, "Unsafe deserializer is used. Make sure the value being deserialized comes from a trusted source."
+from
+  UnsafeDeserializationFlow::PathNode source, UnsafeDeserializationFlow::PathNode sink,
+  Source sourceNode
+where
+  UnsafeDeserializationFlow::flowPath(source, sink) and
+  sourceNode = source.getNode()
+select sink.getNode(), source, sink, "This unsafe deserializer deserializes  on a $@.", sourceNode,
+  sourceNode.getSourceType()