Merge pull request github#3124 from hvitved/csharp/dataflow/sources-and-sinks

C#: Introduce `RemoteFlowSink` class

Author: calumgrant

change-notes/1.24/analysis-csharp.md

@@ -22,6 +22,8 @@ The following changes in version 1.24 affect C# analysis in all applications.
 | Dereferenced variable may be null (`cs/dereferenced-value-may-be-null`) | More results | Results are reported from parameters with a default value of `null`. |
 | Useless assignment to local variable (`cs/useless-assignment-to-local`) | Fewer false positive results | Results have been removed when the value assigned is an (implicitly or explicitly) cast default-like value. For example, `var s = (string)null` and `string s = default`. |
 | XPath injection (`cs/xml/xpath-injection`) | More results | The query now recognizes calls to methods on `System.Xml.XPath.XPathNavigator` objects. |
+| Information exposure through transmitted data (`cs/sensitive-data-transmission`) | More results | The query now recognizes writes to cookies and writes to ASP.NET (`Inner`)`Text` properties as additional sinks. |
+| Information exposure through an exception (`cs/information-exposure-through-exception`) | More results | The query now recognizes writes to cookies, writes to ASP.NET (`Inner`)`Text` properties, and email contents as additional sinks. |
 
 ## Removal of old queries
 
@@ -42,5 +44,6 @@ The following changes in version 1.24 affect C# analysis in all applications.
 * [Code contracts](https://docs.microsoft.com/en-us/dotnet/framework/debug-trace-profile/code-contracts) are now recognized, and are treated like any other assertion methods.
 * Expression nullability flow state is given by the predicates `Expr.hasNotNullFlowState()` and `Expr.hasMaybeNullFlowState()`.
 * `stackalloc` array creations are now represented by the QL class `Stackalloc`. Previously they were represented by the class `ArrayCreation`.
+* A new class `RemoteFlowSink` has been added to model sinks where data might be exposed to external users. Examples include web page output, e-mails, and cookies.
 
 ## Changes to autobuilder

csharp/ql/src/Security Features/CWE-091/XMLInjection.ql

@@ -11,7 +11,7 @@
  */
 
 import csharp
-import semmle.code.csharp.dataflow.flowsources.Remote
+import semmle.code.csharp.security.dataflow.flowsources.Remote
 import semmle.code.csharp.frameworks.system.Xml
 
 /**

csharp/ql/src/Security Features/CWE-114/AssemblyPathInjection.ql

@@ -12,7 +12,7 @@
  */
 
 import csharp
-import semmle.code.csharp.dataflow.flowsources.Remote
+import semmle.code.csharp.security.dataflow.flowsources.Remote
 import semmle.code.csharp.commons.Util
 
 /**

csharp/ql/src/Security Features/CWE-134/UncontrolledFormatString.ql

@@ -11,8 +11,8 @@
  */
 
 import csharp
-import semmle.code.csharp.dataflow.flowsources.Remote
-import semmle.code.csharp.dataflow.flowsources.Local
+import semmle.code.csharp.security.dataflow.flowsources.Remote
+import semmle.code.csharp.security.dataflow.flowsources.Local
 import semmle.code.csharp.dataflow.TaintTracking
 import semmle.code.csharp.frameworks.Format
 import DataFlow::PathGraph

csharp/ql/src/Security Features/CWE-201/ExposureInTransmittedData.ql

@@ -11,8 +11,7 @@
 
 import csharp
 import semmle.code.csharp.security.SensitiveActions
-import semmle.code.csharp.security.dataflow.XSS
-import semmle.code.csharp.security.dataflow.Email
+import semmle.code.csharp.security.dataflow.flowsinks.Remote
 import semmle.code.csharp.frameworks.system.data.Common
 import semmle.code.csharp.frameworks.System
 import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph
@@ -42,11 +41,7 @@ class TaintTrackingConfiguration extends TaintTracking::Configuration {
     )
   }
 
-  override predicate isSink(DataFlow::Node sink) {
-    sink instanceof XSS::Sink
-    or
-    sink instanceof Email::Sink
-  }
+  override predicate isSink(DataFlow::Node sink) { sink instanceof RemoteFlowSink }
 }
 
 from TaintTrackingConfiguration configuration, DataFlow::PathNode source, DataFlow::PathNode sink

csharp/ql/src/Security Features/CWE-209/ExceptionInformationExposure.ql

@@ -14,7 +14,7 @@
 
 import csharp
 import semmle.code.csharp.frameworks.System
-import semmle.code.csharp.security.dataflow.XSS
+import semmle.code.csharp.security.dataflow.flowsinks.Remote
 import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph
 
 /**
@@ -46,7 +46,7 @@ class TaintTrackingConfiguration extends TaintTracking::Configuration {
     )
   }
 
-  override predicate isSink(DataFlow::Node sink) { sink instanceof XSS::Sink }
+  override predicate isSink(DataFlow::Node sink) { sink instanceof RemoteFlowSink }
 
   override predicate isSanitizer(DataFlow::Node sanitizer) {
     // Do not flow through Message

csharp/ql/src/Security Features/CWE-838/InappropriateEncoding.ql

@@ -16,7 +16,7 @@ import semmle.code.csharp.frameworks.system.Net
 import semmle.code.csharp.frameworks.system.Web
 import semmle.code.csharp.frameworks.system.web.UI
 import semmle.code.csharp.security.dataflow.SqlInjection
-import semmle.code.csharp.security.dataflow.XSS
+import semmle.code.csharp.security.dataflow.flowsinks.Html
 import semmle.code.csharp.security.dataflow.UrlRedirect
 import semmle.code.csharp.security.Sanitizers
 import semmle.code.csharp.dataflow.DataFlow2::DataFlow2
@@ -114,7 +114,7 @@ module EncodingConfigurations {
 
     override string getKind() { result = "HTML expression" }
 
-    override predicate requiresEncoding(Node n) { n instanceof XSS::HtmlSink }
+    override predicate requiresEncoding(Node n) { n instanceof HtmlSink }
 
     override predicate isPossibleEncodedValue(Expr e) { e instanceof HtmlSanitizedExpr }
   }

csharp/ql/src/Security Features/InsecureRandomness.ql

@@ -16,7 +16,7 @@ import semmle.code.csharp.frameworks.Test
 import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph
 
 module Random {
-  import semmle.code.csharp.dataflow.flowsources.Remote
+  import semmle.code.csharp.security.dataflow.flowsources.Remote
   import semmle.code.csharp.security.SensitiveActions
 
   /**

csharp/ql/src/semmle/code/csharp/dataflow/flowsources/PublicCallableParameter.qll

@@ -1,9 +1,10 @@
 /**
+ * DEPRECATED.
+ *
  * Provides classes representing data flow sources for parameters of public callables.
  */
 
 import csharp
-private import semmle.code.csharp.frameworks.WCF
 
 /**
  * A parameter of a public callable, for example `p` in

csharp/ql/src/semmle/code/csharp/dataflow/flowsources/Remote.qll

@@ -1,218 +1,7 @@
 /**
- * Provides classes representing data flow sources for remote user input.
+ * DEPRECATED.
+ *
+ * Use `semmle.code.csharp.security.dataflow.flowsources.Remote` instead.
  */
 
-import csharp
-private import semmle.code.csharp.frameworks.system.Net
-private import semmle.code.csharp.frameworks.system.Web
-private import semmle.code.csharp.frameworks.system.web.Http
-private import semmle.code.csharp.frameworks.system.web.Mvc
-private import semmle.code.csharp.frameworks.system.web.Services
-private import semmle.code.csharp.frameworks.system.web.ui.WebControls
-private import semmle.code.csharp.frameworks.WCF
-private import semmle.code.csharp.frameworks.microsoft.Owin
-private import semmle.code.csharp.frameworks.microsoft.AspNetCore
-
-/** A data flow source of remote user input. */
-abstract class RemoteFlowSource extends DataFlow::Node {
-  /** Gets a string that describes the type of this remote flow source. */
-  abstract string getSourceType();
-}
-
-/** A data flow source of remote user input (ASP.NET). */
-abstract class AspNetRemoteFlowSource extends RemoteFlowSource { }
-
-/** A member containing an ASP.NET query string. */
-class AspNetQueryStringMember extends Member {
-  AspNetQueryStringMember() {
-    exists(RefType t |
-      t instanceof SystemWebHttpRequestClass or
-      t instanceof SystemNetHttpListenerRequestClass or
-      t instanceof SystemWebHttpRequestBaseClass
-    |
-      this = t.getProperty(getHttpRequestFlowPropertyNames()) or
-      this.(Field).getType() = t or
-      this.(Property).getType() = t or
-      this.(Callable).getReturnType() = t
-    )
-  }
-}
-
-/**
- * Gets the names of the properties in `HttpRequest` classes that should propagate taint out of the
- * request.
- */
-private string getHttpRequestFlowPropertyNames() {
-  result = "QueryString" or
-  result = "Headers" or
-  result = "RawUrl" or
-  result = "Url" or
-  result = "Cookies" or
-  result = "Form" or
-  result = "Params" or
-  result = "Path" or
-  result = "PathInfo"
-}
-
-/** A data flow source of remote user input (ASP.NET query string). */
-class AspNetQueryStringRemoteFlowSource extends AspNetRemoteFlowSource, DataFlow::ExprNode {
-  AspNetQueryStringRemoteFlowSource() {
-    exists(RefType t |
-      t instanceof SystemWebHttpRequestClass or
-      t instanceof SystemNetHttpListenerRequestClass or
-      t instanceof SystemWebHttpRequestBaseClass
-    |
-      // A request object can be indexed, so taint the object as well
-      this.getExpr().getType() = t
-    )
-    or
-    this.getExpr() = any(AspNetQueryStringMember m).getAnAccess()
-  }
-
-  override string getSourceType() { result = "ASP.NET query string" }
-}
-
-/** A data flow source of remote user input (ASP.NET unvalidated request data). */
-class AspNetUnvalidatedQueryStringRemoteFlowSource extends AspNetRemoteFlowSource,
-  DataFlow::ExprNode {
-  AspNetUnvalidatedQueryStringRemoteFlowSource() {
-    this.getExpr() = any(SystemWebUnvalidatedRequestValues c).getAProperty().getGetter().getACall() or
-    this.getExpr() =
-      any(SystemWebUnvalidatedRequestValuesBase c).getAProperty().getGetter().getACall()
-  }
-
-  override string getSourceType() { result = "ASP.NET unvalidated request data" }
-}
-
-/** A data flow source of remote user input (ASP.NET user input). */
-class AspNetUserInputRemoteFlowSource extends AspNetRemoteFlowSource, DataFlow::ExprNode {
-  AspNetUserInputRemoteFlowSource() { getType() instanceof SystemWebUIWebControlsTextBoxClass }
-
-  override string getSourceType() { result = "ASP.NET user input" }
-}
-
-/** A data flow source of remote user input (WCF based web service). */
-class WcfRemoteFlowSource extends RemoteFlowSource, DataFlow::ParameterNode {
-  WcfRemoteFlowSource() { exists(OperationMethod om | om.getAParameter() = this.getParameter()) }
-
-  override string getSourceType() { result = "web service input" }
-}
-
-/** A data flow source of remote user input (ASP.NET web service). */
-class AspNetServiceRemoteFlowSource extends RemoteFlowSource, DataFlow::ParameterNode {
-  AspNetServiceRemoteFlowSource() {
-    exists(Method m |
-      m.getAParameter() = this.getParameter() and
-      m.getAnAttribute().getType() instanceof SystemWebServicesWebMethodAttributeClass
-    )
-  }
-
-  override string getSourceType() { result = "ASP.NET web service input" }
-}
-
-/** A data flow source of remote user input (ASP.NET request message). */
-class SystemNetHttpRequestMessageRemoteFlowSource extends RemoteFlowSource, DataFlow::ExprNode {
-  SystemNetHttpRequestMessageRemoteFlowSource() {
-    getType() instanceof SystemWebHttpRequestMessageClass
-  }
-
-  override string getSourceType() { result = "ASP.NET request message" }
-}
-
-/**
- * A data flow source of remote user input (Microsoft Owin, a query, request,
- * or path string).
- */
-class MicrosoftOwinStringFlowSource extends RemoteFlowSource, DataFlow::ExprNode {
-  MicrosoftOwinStringFlowSource() {
-    this.getExpr() = any(MicrosoftOwinString owinString).getValueProperty().getGetter().getACall()
-  }
-
-  override string getSourceType() { result = "Microsoft Owin request or query string" }
-}
-
-/** A data flow source of remote user input (`Microsoft Owin IOwinRequest`). */
-class MicrosoftOwinRequestRemoteFlowSource extends RemoteFlowSource, DataFlow::ExprNode {
-  MicrosoftOwinRequestRemoteFlowSource() {
-    exists(Property p, MicrosoftOwinIOwinRequestClass owinRequest |
-      this.getExpr() = p.getGetter().getACall()
-    |
-      p = owinRequest.getAcceptProperty() or
-      p = owinRequest.getBodyProperty() or
-      p = owinRequest.getCacheControlProperty() or
-      p = owinRequest.getContentTypeProperty() or
-      p = owinRequest.getContextProperty() or
-      p = owinRequest.getCookiesProperty() or
-      p = owinRequest.getHeadersProperty() or
-      p = owinRequest.getHostProperty() or
-      p = owinRequest.getMediaTypeProperty() or
-      p = owinRequest.getMethodProperty() or
-      p = owinRequest.getPathProperty() or
-      p = owinRequest.getPathBaseProperty() or
-      p = owinRequest.getQueryProperty() or
-      p = owinRequest.getQueryStringProperty() or
-      p = owinRequest.getRemoteIpAddressProperty() or
-      p = owinRequest.getSchemeProperty() or
-      p = owinRequest.getURIProperty()
-    )
-  }
-
-  override string getSourceType() { result = "Microsoft Owin request" }
-}
-
-/** A parameter to an Mvc controller action method, viewed as a source of remote user input. */
-class ActionMethodParameter extends RemoteFlowSource, DataFlow::ParameterNode {
-  ActionMethodParameter() {
-    exists(Parameter p |
-      p = this.getParameter() and
-      p.fromSource()
-    |
-      p = any(Controller c).getAnActionMethod().getAParameter() or
-      p = any(ApiController c).getAnActionMethod().getAParameter()
-    )
-  }
-
-  override string getSourceType() { result = "ASP.NET MVC action method parameter" }
-}
-
-/** A data flow source of remote user input (ASP.NET Core). */
-abstract class AspNetCoreRemoteFlowSource extends RemoteFlowSource { }
-
-/** A data flow source of remote user input (ASP.NET query collection). */
-class AspNetCoreQueryRemoteFlowSource extends AspNetCoreRemoteFlowSource, DataFlow::ExprNode {
-  AspNetCoreQueryRemoteFlowSource() {
-    exists(ValueOrRefType t |
-      t instanceof MicrosoftAspNetCoreHttpHttpRequest or
-      t instanceof MicrosoftAspNetCoreHttpQueryCollection or
-      t instanceof MicrosoftAspNetCoreHttpQueryString
-    |
-      this.getExpr().(Call).getTarget().getDeclaringType() = t or
-      this.asExpr().(Access).getTarget().getDeclaringType() = t
-    )
-    or
-    exists(Call c |
-      c
-          .getTarget()
-          .getDeclaringType()
-          .hasQualifiedName("Microsoft.AspNetCore.Http", "IQueryCollection") and
-      c.getTarget().getName() = "TryGetValue" and
-      this.asExpr() = c.getArgumentForName("value")
-    )
-  }
-
-  override string getSourceType() { result = "ASP.NET Core query string" }
-}
-
-/** A parameter to a `Mvc` controller action method, viewed as a source of remote user input. */
-class AspNetCoreActionMethodParameter extends RemoteFlowSource, DataFlow::ParameterNode {
-  AspNetCoreActionMethodParameter() {
-    exists(Parameter p |
-      p = this.getParameter() and
-      p.fromSource()
-    |
-      p = any(MicrosoftAspNetCoreMvcController c).getAnActionMethod().getAParameter()
-    )
-  }
-
-  override string getSourceType() { result = "ASP.NET Core MVC action method parameter" }
-}
+import semmle.code.csharp.security.dataflow.flowsources.Remote