C#: update 'xss' sink kind to 'js-injection'

Jami Cogswell · Jami Cogswell · commit 74cd2407fbcd · 2023-05-16T14:07:20.000-04:00
diff --git a/csharp/ql/lib/ext/System.Net.Http.model.yml b/csharp/ql/lib/ext/System.Net.Http.model.yml
@@ -3,7 +3,7 @@ extensions:
       pack: codeql/csharp-all
       extensible: sinkModel
     data:
-      - ["System.Net.Http", "StringContent", False, "StringContent", "", "", "Argument[0]", "xss", "manual"]
+      - ["System.Net.Http", "StringContent", False, "StringContent", "", "", "Argument[0]", "js-injection", "manual"]
   - addsTo:
       pack: codeql/csharp-all
       extensible: summaryModel
diff --git a/csharp/ql/lib/ext/generated/dotnet_runtime.model.yml b/csharp/ql/lib/ext/generated/dotnet_runtime.model.yml
@@ -9,8 +9,8 @@ extensions:
     data:
       - ["System.Data.Odbc", "OdbcDataAdapter", false, "OdbcDataAdapter", "(System.String,System.Data.Odbc.OdbcConnection)", "", "Argument[0]", "sql-injection", "df-generated"]
       - ["System.Data.Odbc", "OdbcDataAdapter", false, "OdbcDataAdapter", "(System.String,System.String)", "", "Argument[0]", "sql-injection", "df-generated"]
-      - ["System.Net.Http", "StringContent", false, "StringContent", "(System.String)", "", "Argument[0]", "xss", "df-generated"]
-      - ["System.Net.Http", "StringContent", false, "StringContent", "(System.String,System.Text.Encoding)", "", "Argument[0]", "xss", "df-generated"]
+      - ["System.Net.Http", "StringContent", false, "StringContent", "(System.String)", "", "Argument[0]", "js-injection", "df-generated"]
+      - ["System.Net.Http", "StringContent", false, "StringContent", "(System.String,System.Text.Encoding)", "", "Argument[0]", "js-injection", "df-generated"]
       - ["System.Security.Cryptography", "AesCryptoServiceProvider", false, "CreateDecryptor", "(System.Byte[],System.Byte[])", "", "Argument[0]", "encryption-decryptor", "df-generated"]
       - ["System.Security.Cryptography", "AesCryptoServiceProvider", false, "CreateEncryptor", "(System.Byte[],System.Byte[])", "", "Argument[0]", "encryption-encryptor", "df-generated"]
       - ["System.Security.Cryptography", "AesCryptoServiceProvider", false, "set_Key", "(System.Byte[])", "", "Argument[0]", "encryption-keyprop", "df-generated"]
diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/ExternalFlow.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/ExternalFlow.qll
@@ -211,7 +211,7 @@ module ModelValidation {
     )
     or
     exists(string kind | sinkModel(_, _, _, _, _, _, _, kind, _) |
-      not kind = ["code-injection", "sql-injection", "xss", "remote", "html-injection"] and
+      not kind = ["code-injection", "sql-injection", "js-injection", "remote", "html-injection"] and
       not kind.matches("encryption-%") and
       result = "Invalid kind \"" + kind + "\" in sink model."
     )
diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/XSSSinks.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/XSSSinks.qll
@@ -24,7 +24,7 @@ abstract class Sink extends DataFlow::ExprNode, RemoteFlowSink {
 }
 
 private class ExternalXssSink extends Sink {
-  ExternalXssSink() { sinkNode(this, "xss") }
+  ExternalXssSink() { sinkNode(this, "js-injection") }
 }
 
 private class HtmlSinkSink extends Sink instanceof HtmlSink {
diff --git a/csharp/ql/test/library-tests/dataflow/external-models/sinks.expected b/csharp/ql/test/library-tests/dataflow/external-models/sinks.expected
@@ -4,5 +4,5 @@ invalidModelRow
 | Sinks.cs:11:13:11:41 | this access | remote |
 | Sinks.cs:11:30:11:40 | access to local variable argToTagged | remote |
 | Sinks.cs:14:27:14:36 | access to local variable fieldWrite | sql-injection |
-| Sinks.cs:20:20:20:22 | access to local variable res | xss |
+| Sinks.cs:20:20:20:22 | access to local variable res | js-injection |
 | Sinks.cs:27:20:27:25 | access to local variable resTag | html-injection |
diff --git a/csharp/ql/test/library-tests/dataflow/external-models/sinks.ext.yml b/csharp/ql/test/library-tests/dataflow/external-models/sinks.ext.yml
@@ -5,7 +5,7 @@ extensions:
     data:
     # "namespace", "type", "overrides", "name", "signature", "ext", "spec", "kind", "provenance"
       - ["My.Qltest", "B", false, "Sink1", "(System.Object)", "", "Argument[0]", "code-injection", "manual"]
-      - ["My.Qltest", "B", false, "SinkMethod", "()", "", "ReturnValue", "xss", "manual"]
+      - ["My.Qltest", "B", false, "SinkMethod", "()", "", "ReturnValue", "js-injection", "manual"]
       - ["My.Qltest", "SinkAttribute", false, "", "", "Attribute", "ReturnValue", "html-injection", "manual"]
       - ["My.Qltest", "SinkAttribute", false, "", "", "Attribute", "Argument", "remote", "manual"]
       - ["My.Qltest", "SinkAttribute", false, "", "", "Attribute", "", "sql-injection", "manual"]

Original file line number	Diff line number	Diff line change
`@@ -211,7 +211,7 @@ module ModelValidation {`
`211`	`211`	`)`
`212`	`212`	`or`
`213`	`213`	`exists(string kind \| sinkModel(_, _, _, _, _, _, _, kind, _) \|`
`214`		`- not kind = ["code-injection", "sql-injection", "xss", "remote", "html-injection"] and`
	`214`	`+ not kind = ["code-injection", "sql-injection", "js-injection", "remote", "html-injection"] and`
`215`	`215`	`not kind.matches("encryption-%") and`
`216`	`216`	`result = "Invalid kind \"" + kind + "\" in sink model."`
`217`	`217`	`)`
Original file line number	Diff line number	Diff line change
`@@ -24,7 +24,7 @@ abstract class Sink extends DataFlow::ExprNode, RemoteFlowSink {`
`24`	`24`	`}`
`25`	`25`
`26`	`26`	`private class ExternalXssSink extends Sink {`
`27`		`- ExternalXssSink() { sinkNode(this, "xss") }`
	`27`	`+ ExternalXssSink() { sinkNode(this, "js-injection") }`
`28`	`28`	`}`
`29`	`29`
`30`	`30`	`private class HtmlSinkSink extends Sink instanceof HtmlSink {`