added queries, tests, docs

Author: chanel-y

powershell/ql/src/queries/security/cwe-502/BinaryFormatterDeserialization.qhelp

@@ -0,0 +1,37 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+
+<p>Using BinaryFormatter to deserialize an object from untrusted input may result in security problems, such
+as denial of service or remote code execution.</p>
+
+</overview>
+<recommendation>
+
+<p>Avoid using BinaryFormatter.</p>
+
+</recommendation>
+<example>
+
+<p>In this example, a string is deserialized using a
+<code>BinaryFormatter</code>. BinaryFormatter is an easily exploited deserializer.</p>
+
+<sample src="examples/BinaryFormatterDeserialization.ps1" />
+
+</example>
+<references>
+
+<li>
+Mu&ntilde;oz, Alvaro and Mirosh, Oleksandr:
+<a href="https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-Json-Attacks.pdf">JSON Attacks</a>.
+</li>
+
+<li>
+Microsoft:
+<a href="https://learn.microsoft.com/en-us/dotnet/standard/serialization/binaryformatter-security-guide">Deserialization risks in use of BinaryFormatter and related types</a>.
+</li>
+
+</references>
+</qhelp>

powershell/ql/src/queries/security/cwe-502/BinaryFormatterDeserialization.ql

@@ -0,0 +1,23 @@
+/**
+ * @name Use of Binary Formatter deserialization
+ * @description Use of Binary Formatter is unsafe
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 8.8
+ * @precision high
+ * @id powershell/microsoft/public/binary-formatter-deserialization
+ * @tags correctness
+ *       security
+ *       external/cwe/cwe-502
+ */
+
+import powershell
+import semmle.code.powershell.dataflow.DataFlow
+import semmle.code.powershell.dataflow.TaintTracking
+
+from DataFlow::ObjectCreationNode source, DataFlow::CallNode cn 
+where
+source.getExprNode().getExpr().(CallExpr).getAnArgument().getValue().asString() = "System.Runtime.Serialization.Formatters.Binary.BinaryFormatter" and
+cn.getQualifier().getALocalSource() = source and 
+cn.getLowerCaseName() = "deserialize" 
+select cn, "Call to BinaryFormatter.Deserialize"

powershell/ql/src/queries/security/cwe-502/UnsafeDeserialization.qhelp

@@ -0,0 +1,37 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+
+<p>Deserializing an object from untrusted input may result in security problems, such
+as denial of service or remote code execution.</p>
+
+</overview>
+<recommendation>
+
+<p>Avoid using an unsafe deserialization framework.</p>
+
+</recommendation>
+<example>
+
+<p>In this example, a string is deserialized using a
+<code>BinaryFormatter</code>. BinaryFormatter is an easily exploited deserializer.</p>
+
+<sample src="examples/BinaryFormatterDeserialization.ps1" />
+
+</example>
+<references>
+
+<li>
+Mu&ntilde;oz, Alvaro and Mirosh, Oleksandr:
+<a href="https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-Json-Attacks.pdf">JSON Attacks</a>.
+</li>
+
+<li>
+Microsoft:
+<a href="https://learn.microsoft.com/en-us/dotnet/standard/serialization/binaryformatter-security-guide">Deserialization risks in use of BinaryFormatter and related types</a>.
+</li>
+
+</references>
+</qhelp>

powershell/ql/src/queries/security/cwe-502/UnsafeDeserialization.ql

@@ -0,0 +1,43 @@
+/**
+ * @name Unsafe deserializer
+ * @description Calling an unsafe deserializer with data controlled by an attacker
+ *              can lead to denial of service and other security problems.
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 8.8
+ * @precision high
+ * @id powershell/microsoft/public/unsafe-deserialization
+ * @tags correctness
+ *       security
+ *       external/cwe/cwe-502
+ */
+
+import powershell
+import semmle.code.powershell.dataflow.flowsources.FlowSources
+import semmle.code.powershell.dataflow.DataFlow
+import semmle.code.powershell.dataflow.TaintTracking
+
+module DeserializationConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof SourceNode }
+
+  predicate isSink(DataFlow::Node sink) { 
+    exists(DataFlow::ObjectCreationNode ocn, DataFlow::CallNode cn | 
+        cn.getQualifier().getALocalSource() = ocn and 
+        ocn.getExprNode().getExpr().(CallExpr).getAnArgument().getValue().asString() = "System.Runtime.Serialization.Formatters.Binary.BinaryFormatter" and
+        cn.getLowerCaseName() = "deserialize" and
+        cn.getAnArgument() = sink
+    )
+  }
+  predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo){
+    exists(InvokeMemberExpr ime | 
+        nodeTo.asExpr().getExpr() = ime and 
+        nodeFrom.asExpr().getExpr() = ime.getAnArgument()
+    )
+  }
+}
+
+module DeserializationFlow = TaintTracking::Global<DeserializationConfig>; 
+
+from DataFlow::Node source, DataFlow::Node sink
+where DeserializationFlow::flow(source, sink)
+select sink, "Unsafe deserializer is used. Make sure the value being deserialized comes from a trusted source."

powershell/ql/src/queries/security/cwe-502/examples/BinaryFormatterDeserialization.ps1

@@ -0,0 +1,6 @@
+$untrustedBase64 = Read-Host "Enter user input"
+
+$formatter = New-Object System.Runtime.Serialization.Formatters.Binary.BinaryFormatter
+$stream = [System.IO.MemoryStream]::new([Convert]::FromBase64String($untrustedBase64))
+
+$obj = $formatter.Deserialize($stream)

powershell/ql/test/query-tests/security/cwe-502/UnsafeDeserialization.expected

@@ -0,0 +1 @@
+| test.ps1:4:31:4:37 | stream | Unsafe deserializer is used. Make sure the value being deserialized comes from a trusted source. |

powershell/ql/test/query-tests/security/cwe-502/UnsafeDeserialization.qlref

@@ -0,0 +1 @@
+queries/security/cwe-502/UnsafeDeserialization.ql

powershell/ql/test/query-tests/security/cwe-502/test.ps1

@@ -0,0 +1,4 @@
+$untrustedBase64 = Read-Host "Enter user input"
+$formatter = New-Object System.Runtime.Serialization.Formatters.Binary.BinaryFormatter
+$stream = [System.IO.MemoryStream]::new([Convert]::FromBase64String($untrustedBase64))
+$obj = $formatter.Deserialize($stream)