C#: Teach XPath injection query about XPathNavigator

Author: hvitved

csharp/ql/src/semmle/code/csharp/frameworks/system/xml/XPath.qll

@@ -21,4 +21,14 @@ module SystemXmlXPath {
   class XPathExpression extends Class {
     XPathExpression() { this.hasName("XPathExpression") }
   }
+
+  /** The `System.Xml.XPath.XPathNavigator` class. */
+  class XPathNavigator extends Class {
+    XPathNavigator() { this.hasName("XPathNavigator") }
+
+    /** Gets a method that selects nodes. */
+    csharp::Method getASelectMethod() {
+      result = this.getAMethod() and result.getName().matches("Select%")
+    }
+  }
 }

csharp/ql/src/semmle/code/csharp/security/dataflow/XPathInjection.qll

@@ -65,6 +65,17 @@ module XPathInjection {
     }
   }
 
+  /** The `xpath` argument to an `XPathNavigator.Select*(..)` call. */
+  class XmlNavigatorSink extends Sink {
+    XmlNavigatorSink() {
+      this.getExpr() =
+        any(SystemXmlXPath::XPathNavigator xmlNav)
+            .getASelectMethod()
+            .getACall()
+            .getArgumentForName("xpath")
+    }
+  }
+
   private class SimpleTypeSanitizer extends Sanitizer, SimpleTypeSanitizedExpr { }
 
   private class GuidSanitizer extends Sanitizer, GuidSanitizedExpr { }

csharp/ql/test/query-tests/Security Features/CWE-643/XPathInjection.expected

@@ -1,15 +1,25 @@
 edges
 | XPathInjection.cs:12:27:12:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:16:33:16:136 | ... + ... |
 | XPathInjection.cs:12:27:12:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:19:29:19:132 | ... + ... |
+| XPathInjection.cs:12:27:12:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:28:20:28:123 | ... + ... |
+| XPathInjection.cs:12:27:12:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:31:30:31:133 | ... + ... |
 | XPathInjection.cs:13:27:13:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:16:33:16:136 | ... + ... |
 | XPathInjection.cs:13:27:13:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:19:29:19:132 | ... + ... |
+| XPathInjection.cs:13:27:13:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:28:20:28:123 | ... + ... |
+| XPathInjection.cs:13:27:13:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:31:30:31:133 | ... + ... |
 nodes
 | XPathInjection.cs:12:27:12:49 | access to property QueryString : NameValueCollection | semmle.label | access to property QueryString : NameValueCollection |
 | XPathInjection.cs:13:27:13:49 | access to property QueryString : NameValueCollection | semmle.label | access to property QueryString : NameValueCollection |
 | XPathInjection.cs:16:33:16:136 | ... + ... | semmle.label | ... + ... |
 | XPathInjection.cs:19:29:19:132 | ... + ... | semmle.label | ... + ... |
+| XPathInjection.cs:28:20:28:123 | ... + ... | semmle.label | ... + ... |
+| XPathInjection.cs:31:30:31:133 | ... + ... | semmle.label | ... + ... |
 #select
 | XPathInjection.cs:16:33:16:136 | ... + ... | XPathInjection.cs:12:27:12:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:16:33:16:136 | ... + ... | $@ flows to here and is used in an XPath expression. | XPathInjection.cs:12:27:12:49 | access to property QueryString | User-provided value |
 | XPathInjection.cs:16:33:16:136 | ... + ... | XPathInjection.cs:13:27:13:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:16:33:16:136 | ... + ... | $@ flows to here and is used in an XPath expression. | XPathInjection.cs:13:27:13:49 | access to property QueryString | User-provided value |
 | XPathInjection.cs:19:29:19:132 | ... + ... | XPathInjection.cs:12:27:12:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:19:29:19:132 | ... + ... | $@ flows to here and is used in an XPath expression. | XPathInjection.cs:12:27:12:49 | access to property QueryString | User-provided value |
 | XPathInjection.cs:19:29:19:132 | ... + ... | XPathInjection.cs:13:27:13:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:19:29:19:132 | ... + ... | $@ flows to here and is used in an XPath expression. | XPathInjection.cs:13:27:13:49 | access to property QueryString | User-provided value |
+| XPathInjection.cs:28:20:28:123 | ... + ... | XPathInjection.cs:12:27:12:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:28:20:28:123 | ... + ... | $@ flows to here and is used in an XPath expression. | XPathInjection.cs:12:27:12:49 | access to property QueryString | User-provided value |
+| XPathInjection.cs:28:20:28:123 | ... + ... | XPathInjection.cs:13:27:13:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:28:20:28:123 | ... + ... | $@ flows to here and is used in an XPath expression. | XPathInjection.cs:13:27:13:49 | access to property QueryString | User-provided value |
+| XPathInjection.cs:31:30:31:133 | ... + ... | XPathInjection.cs:12:27:12:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:31:30:31:133 | ... + ... | $@ flows to here and is used in an XPath expression. | XPathInjection.cs:12:27:12:49 | access to property QueryString | User-provided value |
+| XPathInjection.cs:31:30:31:133 | ... + ... | XPathInjection.cs:13:27:13:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:31:30:31:133 | ... + ... | $@ flows to here and is used in an XPath expression. | XPathInjection.cs:13:27:13:49 | access to property QueryString | User-provided value |