C#: More XPath injection sinks

hvitved · hvitved · commit fc74a482a48e · 2020-03-19T14:13:35.000+01:00
diff --git a/change-notes/1.24/analysis-csharp.md b/change-notes/1.24/analysis-csharp.md
@@ -21,7 +21,7 @@ The following changes in version 1.24 affect C# analysis in all applications.
 | Potentially dangerous use of non-short-circuit logic (`cs/non-short-circuit`) | Fewer false positive results | Results have been removed when the expression contains an `out` parameter. |
 | Dereferenced variable may be null (`cs/dereferenced-value-may-be-null`) | More results | Results are reported from parameters with a default value of `null`. |
 | Useless assignment to local variable (`cs/useless-assignment-to-local`) | Fewer false positive results | Results have been removed when the value assigned is an (implicitly or explicitly) cast default-like value. For example, `var s = (string)null` and `string s = default`. |
-| XPath injection (`cs/xml/xpath-injection`) | More results | The query now recognizes calls to selection methods on `System.Xml.XPath.XPathNavigator` objects. |
+| XPath injection (`cs/xml/xpath-injection`) | More results | The query now recognizes calls to methods on `System.Xml.XPath.XPathNavigator` objects. |
 
 ## Removal of old queries
 
diff --git a/csharp/ql/src/semmle/code/csharp/frameworks/system/xml/XPath.qll b/csharp/ql/src/semmle/code/csharp/frameworks/system/xml/XPath.qll
@@ -30,5 +30,20 @@ module SystemXmlXPath {
     csharp::Method getASelectMethod() {
       result = this.getAMethod() and result.getName().matches("Select%")
     }
+
+    /** Gets the `Compile` method. */
+    csharp::Method getCompileMethod() {
+      result = this.getAMethod("Compile")
+    }
+
+    /** Gets an `Evaluate` method. */
+    csharp::Method getAnEvaluateMethod() {
+      result = this.getAMethod("Evaluate")
+    }
+
+    /** Gets a `Matches` method. */
+    csharp::Method getAMatchesMethod() {
+      result = this.getAMethod("Matches")
+    }
   }
 }
diff --git a/csharp/ql/src/semmle/code/csharp/security/dataflow/XPathInjection.qll b/csharp/ql/src/semmle/code/csharp/security/dataflow/XPathInjection.qll
@@ -65,14 +65,17 @@ module XPathInjection {
     }
   }
 
-  /** The `xpath` argument to an `XPathNavigator.Select*(..)` call. */
+  /** The `xpath` argument to an `XPathNavigator` call. */
   class XmlNavigatorSink extends Sink {
     XmlNavigatorSink() {
-      this.getExpr() =
-        any(SystemXmlXPath::XPathNavigator xmlNav)
-            .getASelectMethod()
-            .getACall()
-            .getArgumentForName("xpath")
+      exists(SystemXmlXPath::XPathNavigator xmlNav, Method m |
+        this.getExpr() = m.getACall().getArgumentForName("xpath")
+      |
+        m = xmlNav.getASelectMethod() or
+        m = xmlNav.getCompileMethod() or
+        m = xmlNav.getAnEvaluateMethod() or
+        m = xmlNav.getAMatchesMethod()
+      )
     }
   }
 
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-643/XPathInjection.cs b/csharp/ql/test/query-tests/Security Features/CWE-643/XPathInjection.cs
@@ -12,11 +12,13 @@ public void ProcessRequest(HttpContext ctx)
         string userName = ctx.Request.QueryString["userName"];
         string password = ctx.Request.QueryString["password"];
 
+        var s = "//users/user[login/text()='" + userName + "' and password/text() = '" + password + "']/home_dir/text()";
+
         // BAD: User input used directly in an XPath expression
-        XPathExpression.Compile("//users/user[login/text()='" + userName + "' and password/text() = '" + password + "']/home_dir/text()");
+        XPathExpression.Compile(s);
         XmlNode xmlNode = null;
         // BAD: User input used directly in an XPath expression to SelectNodes
-        xmlNode.SelectNodes("//users/user[login/text()='" + userName + "' and password/text() = '" + password + "']/home_dir/text()");
+        xmlNode.SelectNodes(s);
 
         // GOOD: Uses parameters to avoid including user input directly in XPath expression
         var expr = XPathExpression.Compile("//users/user[login/text()=$username]/home_dir/text()");
@@ -25,16 +27,34 @@ public void ProcessRequest(HttpContext ctx)
         var nav = doc.CreateNavigator();
 
         // BAD
-        nav.Select("//users/user[login/text()='" + userName + "' and password/text() = '" + password + "']/home_dir/text()");
-
-        // BAD
-        nav.SelectSingleNode("//users/user[login/text()='" + userName + "' and password/text() = '" + password + "']/home_dir/text()");
+        nav.Select(s);
 
         // GOOD
         nav.Select(expr);
 
+        // BAD
+        nav.SelectSingleNode(s);
+
         // GOOD
         nav.SelectSingleNode(expr);
+
+        // BAD
+        nav.Compile(s);
+
+        // GOOD
+        nav.Compile("//users/user[login/text()=$username]/home_dir/text()");
+
+        // BAD
+        nav.Evaluate(s);
+
+        // Good
+        nav.Evaluate(expr);
+
+        // BAD
+        nav.Matches(s);
+
+        // GOOD
+        nav.Matches(expr);
     }
 
     public bool IsReusable
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-643/XPathInjection.expected b/csharp/ql/test/query-tests/Security Features/CWE-643/XPathInjection.expected
@@ -1,25 +1,40 @@
 edges
-| XPathInjection.cs:12:27:12:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:16:33:16:136 | ... + ... |
-| XPathInjection.cs:12:27:12:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:19:29:19:132 | ... + ... |
-| XPathInjection.cs:12:27:12:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:28:20:28:123 | ... + ... |
-| XPathInjection.cs:12:27:12:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:31:30:31:133 | ... + ... |
-| XPathInjection.cs:13:27:13:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:16:33:16:136 | ... + ... |
-| XPathInjection.cs:13:27:13:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:19:29:19:132 | ... + ... |
-| XPathInjection.cs:13:27:13:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:28:20:28:123 | ... + ... |
-| XPathInjection.cs:13:27:13:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:31:30:31:133 | ... + ... |
+| XPathInjection.cs:12:27:12:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:18:33:18:33 | access to local variable s |
+| XPathInjection.cs:12:27:12:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:21:29:21:29 | access to local variable s |
+| XPathInjection.cs:12:27:12:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:30:20:30:20 | access to local variable s |
+| XPathInjection.cs:12:27:12:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:36:30:36:30 | access to local variable s |
+| XPathInjection.cs:12:27:12:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:42:21:42:21 | access to local variable s |
+| XPathInjection.cs:12:27:12:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:48:22:48:22 | access to local variable s |
+| XPathInjection.cs:12:27:12:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:54:21:54:21 | access to local variable s |
+| XPathInjection.cs:13:27:13:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:18:33:18:33 | access to local variable s |
+| XPathInjection.cs:13:27:13:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:21:29:21:29 | access to local variable s |
+| XPathInjection.cs:13:27:13:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:30:20:30:20 | access to local variable s |
+| XPathInjection.cs:13:27:13:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:36:30:36:30 | access to local variable s |
+| XPathInjection.cs:13:27:13:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:42:21:42:21 | access to local variable s |
+| XPathInjection.cs:13:27:13:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:48:22:48:22 | access to local variable s |
+| XPathInjection.cs:13:27:13:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:54:21:54:21 | access to local variable s |
 nodes
 | XPathInjection.cs:12:27:12:49 | access to property QueryString : NameValueCollection | semmle.label | access to property QueryString : NameValueCollection |
 | XPathInjection.cs:13:27:13:49 | access to property QueryString : NameValueCollection | semmle.label | access to property QueryString : NameValueCollection |
-| XPathInjection.cs:16:33:16:136 | ... + ... | semmle.label | ... + ... |
-| XPathInjection.cs:19:29:19:132 | ... + ... | semmle.label | ... + ... |
-| XPathInjection.cs:28:20:28:123 | ... + ... | semmle.label | ... + ... |
-| XPathInjection.cs:31:30:31:133 | ... + ... | semmle.label | ... + ... |
+| XPathInjection.cs:18:33:18:33 | access to local variable s | semmle.label | access to local variable s |
+| XPathInjection.cs:21:29:21:29 | access to local variable s | semmle.label | access to local variable s |
+| XPathInjection.cs:30:20:30:20 | access to local variable s | semmle.label | access to local variable s |
+| XPathInjection.cs:36:30:36:30 | access to local variable s | semmle.label | access to local variable s |
+| XPathInjection.cs:42:21:42:21 | access to local variable s | semmle.label | access to local variable s |
+| XPathInjection.cs:48:22:48:22 | access to local variable s | semmle.label | access to local variable s |
+| XPathInjection.cs:54:21:54:21 | access to local variable s | semmle.label | access to local variable s |
 #select
-| XPathInjection.cs:16:33:16:136 | ... + ... | XPathInjection.cs:12:27:12:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:16:33:16:136 | ... + ... | $@ flows to here and is used in an XPath expression. | XPathInjection.cs:12:27:12:49 | access to property QueryString | User-provided value |
-| XPathInjection.cs:16:33:16:136 | ... + ... | XPathInjection.cs:13:27:13:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:16:33:16:136 | ... + ... | $@ flows to here and is used in an XPath expression. | XPathInjection.cs:13:27:13:49 | access to property QueryString | User-provided value |
-| XPathInjection.cs:19:29:19:132 | ... + ... | XPathInjection.cs:12:27:12:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:19:29:19:132 | ... + ... | $@ flows to here and is used in an XPath expression. | XPathInjection.cs:12:27:12:49 | access to property QueryString | User-provided value |
-| XPathInjection.cs:19:29:19:132 | ... + ... | XPathInjection.cs:13:27:13:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:19:29:19:132 | ... + ... | $@ flows to here and is used in an XPath expression. | XPathInjection.cs:13:27:13:49 | access to property QueryString | User-provided value |
-| XPathInjection.cs:28:20:28:123 | ... + ... | XPathInjection.cs:12:27:12:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:28:20:28:123 | ... + ... | $@ flows to here and is used in an XPath expression. | XPathInjection.cs:12:27:12:49 | access to property QueryString | User-provided value |
-| XPathInjection.cs:28:20:28:123 | ... + ... | XPathInjection.cs:13:27:13:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:28:20:28:123 | ... + ... | $@ flows to here and is used in an XPath expression. | XPathInjection.cs:13:27:13:49 | access to property QueryString | User-provided value |
-| XPathInjection.cs:31:30:31:133 | ... + ... | XPathInjection.cs:12:27:12:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:31:30:31:133 | ... + ... | $@ flows to here and is used in an XPath expression. | XPathInjection.cs:12:27:12:49 | access to property QueryString | User-provided value |
-| XPathInjection.cs:31:30:31:133 | ... + ... | XPathInjection.cs:13:27:13:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:31:30:31:133 | ... + ... | $@ flows to here and is used in an XPath expression. | XPathInjection.cs:13:27:13:49 | access to property QueryString | User-provided value |
+| XPathInjection.cs:18:33:18:33 | access to local variable s | XPathInjection.cs:12:27:12:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:18:33:18:33 | access to local variable s | $@ flows to here and is used in an XPath expression. | XPathInjection.cs:12:27:12:49 | access to property QueryString | User-provided value |
+| XPathInjection.cs:18:33:18:33 | access to local variable s | XPathInjection.cs:13:27:13:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:18:33:18:33 | access to local variable s | $@ flows to here and is used in an XPath expression. | XPathInjection.cs:13:27:13:49 | access to property QueryString | User-provided value |
+| XPathInjection.cs:21:29:21:29 | access to local variable s | XPathInjection.cs:12:27:12:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:21:29:21:29 | access to local variable s | $@ flows to here and is used in an XPath expression. | XPathInjection.cs:12:27:12:49 | access to property QueryString | User-provided value |
+| XPathInjection.cs:21:29:21:29 | access to local variable s | XPathInjection.cs:13:27:13:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:21:29:21:29 | access to local variable s | $@ flows to here and is used in an XPath expression. | XPathInjection.cs:13:27:13:49 | access to property QueryString | User-provided value |
+| XPathInjection.cs:30:20:30:20 | access to local variable s | XPathInjection.cs:12:27:12:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:30:20:30:20 | access to local variable s | $@ flows to here and is used in an XPath expression. | XPathInjection.cs:12:27:12:49 | access to property QueryString | User-provided value |
+| XPathInjection.cs:30:20:30:20 | access to local variable s | XPathInjection.cs:13:27:13:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:30:20:30:20 | access to local variable s | $@ flows to here and is used in an XPath expression. | XPathInjection.cs:13:27:13:49 | access to property QueryString | User-provided value |
+| XPathInjection.cs:36:30:36:30 | access to local variable s | XPathInjection.cs:12:27:12:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:36:30:36:30 | access to local variable s | $@ flows to here and is used in an XPath expression. | XPathInjection.cs:12:27:12:49 | access to property QueryString | User-provided value |
+| XPathInjection.cs:36:30:36:30 | access to local variable s | XPathInjection.cs:13:27:13:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:36:30:36:30 | access to local variable s | $@ flows to here and is used in an XPath expression. | XPathInjection.cs:13:27:13:49 | access to property QueryString | User-provided value |
+| XPathInjection.cs:42:21:42:21 | access to local variable s | XPathInjection.cs:12:27:12:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:42:21:42:21 | access to local variable s | $@ flows to here and is used in an XPath expression. | XPathInjection.cs:12:27:12:49 | access to property QueryString | User-provided value |
+| XPathInjection.cs:42:21:42:21 | access to local variable s | XPathInjection.cs:13:27:13:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:42:21:42:21 | access to local variable s | $@ flows to here and is used in an XPath expression. | XPathInjection.cs:13:27:13:49 | access to property QueryString | User-provided value |
+| XPathInjection.cs:48:22:48:22 | access to local variable s | XPathInjection.cs:12:27:12:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:48:22:48:22 | access to local variable s | $@ flows to here and is used in an XPath expression. | XPathInjection.cs:12:27:12:49 | access to property QueryString | User-provided value |
+| XPathInjection.cs:48:22:48:22 | access to local variable s | XPathInjection.cs:13:27:13:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:48:22:48:22 | access to local variable s | $@ flows to here and is used in an XPath expression. | XPathInjection.cs:13:27:13:49 | access to property QueryString | User-provided value |
+| XPathInjection.cs:54:21:54:21 | access to local variable s | XPathInjection.cs:12:27:12:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:54:21:54:21 | access to local variable s | $@ flows to here and is used in an XPath expression. | XPathInjection.cs:12:27:12:49 | access to property QueryString | User-provided value |
+| XPathInjection.cs:54:21:54:21 | access to local variable s | XPathInjection.cs:13:27:13:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:54:21:54:21 | access to local variable s | $@ flows to here and is used in an XPath expression. | XPathInjection.cs:13:27:13:49 | access to property QueryString | User-provided value |

Original file line number	Diff line number	Diff line change
`@@ -65,14 +65,17 @@ module XPathInjection {`
`65`	`65`	`}`
`66`	`66`	`}`
`67`	`67`
`68`		- /** The `xpath` argument to an `XPathNavigator.Select(..)` call. /
	`68`	+ /** The `xpath` argument to an `XPathNavigator` call. */
`69`	`69`	`class XmlNavigatorSink extends Sink {`
`70`	`70`	`XmlNavigatorSink() {`
`71`		`- this.getExpr() =`
`72`		`- any(SystemXmlXPath::XPathNavigator xmlNav)`
`73`		`- .getASelectMethod()`
`74`		`- .getACall()`
`75`		`- .getArgumentForName("xpath")`
	`71`	`+ exists(SystemXmlXPath::XPathNavigator xmlNav, Method m \|`
	`72`	`+ this.getExpr() = m.getACall().getArgumentForName("xpath")`
	`73`	`+ \|`
	`74`	`+ m = xmlNav.getASelectMethod() or`
	`75`	`+ m = xmlNav.getCompileMethod() or`
	`76`	`+ m = xmlNav.getAnEvaluateMethod() or`
	`77`	`+ m = xmlNav.getAMatchesMethod()`
	`78`	`+ )`
`76`	`79`	`}`
`77`	`80`	`}`
`78`	`81`