
Commit 8a5ec1d

committed
Restructure library state
1 parent 72db91b commit 8a5ec1d

26 files changed

Lines changed: 488 additions & 807 deletions

csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll

Lines changed: 156 additions & 199 deletions
Large diffs are not rendered by default.

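--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/TaintTrackingPrivate.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/TaintTrackingPrivate.qll
@@ -121,9 +121,16 @@ private module Cached {
 or
 localTaintStepCommon(nodeFrom, nodeTo)
 or
+LibraryFlow::localStepLibrary(nodeFrom, nodeTo, false) and
+not nodeFrom instanceof LibraryCodeNode and
+not nodeFrom instanceof ImplicitDelegateOutNode and
+not nodeTo instanceof ImplicitDelegateArgumentNode and
+not nodeTo instanceof LibraryCodeNode
+or
 exists(DataFlow::Content c |
 readStep(nodeFrom, c, nodeTo) and
 not nodeFrom instanceof LibraryCodeNode and
+not nodeTo instanceof ImplicitDelegateArgumentNode and
 not nodeTo instanceof LibraryCodeNode
 |
 // Taint members
@@ -133,23 +140,12 @@ private module Cached {
 c = TElementContent()
 )
 or
-// Simple flow through library code is included in the exposed local
-// step relation, even though flow is technically interprocedural
-exists(LibraryCodeNode entry, LibraryCodeNode exit |
-not entry.preservesValue() and
-not entry.usesContents()
-or
+exists(DataFlow::Content c | getterLibrary(nodeFrom, c, nodeTo, false) |
 // Taint members (using library code)
-entry.isGetter(any(TaintedMember m).(FieldOrProperty).getContent())
+c = any(TaintedMember m).(FieldOrProperty).getContent()
 or
 // Read from a tainted collection (using library code)
-entry.isGetter(TElementContent())
-|
-localFlowStepLibraryEntry(nodeFrom, entry) and
-exit = entry.getNodeInOtherState(_) and
-localFlowStepLibraryExit(exit, nodeTo) and
-not nodeFrom instanceof ImplicitDelegateOutNode and
-not nodeTo instanceof ImplicitDelegateArgumentNode
+c = TElementContent()
 )
 }
 
@@ -169,9 +165,11 @@ private module Cached {
 // tracking configurations where the source is a collection
 readStep(nodeFrom, TElementContent(), nodeTo)
 or
-localFlowStepLibraryInternal(nodeFrom, nodeTo) and
-nodeFrom = any(LibraryCodeNode lcn | not lcn.preservesValue())
+LibraryFlow::localStepLibrary(nodeFrom, nodeTo, false)
 or
+// localFlowStepLibraryInternal(nodeFrom, nodeTo) and
+// nodeFrom = any(LibraryCodeNode lcn | not lcn.preservesValue())
+// or
 nodeTo = nodeFrom.(DataFlow::NonLocalJumpNode).getAJumpSuccessor(false)
 }
 }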
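Review bot: The third hunk leaves the replaced `localFlowStepLibraryInternal` disjunct behind as three commented-out lines (`// localFlowStepLibraryInternal(nodeFrom, nodeTo) and`, `// nodeFrom = any(LibraryCodeNode lcn | not lcn.preservesValue())`, `// or`) directly under the new `LibraryFlow::localStepLibrary(nodeFrom, nodeTo, false)`; dead code inside a cached predicate should be deleted outright, or, if it is a reminder, carry a `// TODO:` saying what still has to be ported. Separately, the bare `false` passed to `localStepLibrary` in the first and third hunks is now the only trace of the `not entry.preservesValue()` guard that the second hunk removes; if that flag is what restricts the step to non-value-preserving summaries, a comment such as `// false: taint-only (non-value-preserving) library summaries` would make the restriction reviewable, because passing `true` here would silently admit value-preserving library steps into the taint-step relation. Both the enclosing `private module Cached` and the predicates being edited begin outside these hunks, so the surrounding disjunction structure is inferred from the context lines only.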

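--- a/csharp/ql/test/library-tests/cil/dataflow/DataFlow.expected
+++ b/csharp/ql/test/library-tests/cil/dataflow/DataFlow.expected
@@ -1,7 +1,5 @@
 edges
-| dataflow.cs:18:18:18:26 | "tainted" : String | dataflow.cs:18:18:18:26 | [library code] input into ToString : String |
-| dataflow.cs:18:18:18:26 | [library code] input into ToString : String | dataflow.cs:18:18:18:37 | [library code] output from ToString : String |
-| dataflow.cs:18:18:18:37 | [library code] output from ToString : String | dataflow.cs:18:18:18:37 | call to method ToString |
+| dataflow.cs:18:18:18:26 | "tainted" : String | dataflow.cs:18:18:18:37 | call to method ToString |
 | dataflow.cs:20:27:20:27 | 2 : Int32 | dataflow.cs:20:18:20:31 | call to method Max |
 | dataflow.cs:20:30:20:30 | 3 : Int32 | dataflow.cs:20:18:20:31 | call to method Max |
 | dataflow.cs:21:29:21:31 | 0.5 : Double | dataflow.cs:21:18:21:32 | call to method Round |
@@ -27,8 +25,6 @@ edges
 | dataflow.cs:110:16:110:16 | access to local variable x : null | dataflow.cs:89:31:89:44 | call to method NullFunction : null |
 nodes
 | dataflow.cs:18:18:18:26 | "tainted" : String | semmle.label | "tainted" : String |
-| dataflow.cs:18:18:18:26 | [library code] input into ToString : String | semmle.label | [library code] input into ToString : String |
-| dataflow.cs:18:18:18:37 | [library code] output from ToString : String | semmle.label | [library code] output from ToString : String |
 | dataflow.cs:18:18:18:37 | call to method ToString | semmle.label | call to method ToString |
 | dataflow.cs:20:18:20:31 | call to method Max | semmle.label | call to method Max |
 | dataflow.cs:20:27:20:27 | 2 : Int32 | semmle.label | 2 : Int32 |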

csharp/ql/test/library-tests/dataflow/collections/CollectionFlow.expected

Lines changed: 111 additions & 155 deletions
Large diffs are not rendered by default.

csharp/ql/test/library-tests/dataflow/global/DataFlowPath.expected

Lines changed: 54 additions & 104 deletions
Large diffs are not rendered by default.

csharp/ql/test/library-tests/dataflow/global/TaintTrackingPath.expected

Lines changed: 59 additions & 141 deletions
Large diffs are not rendered by default.

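--- a/csharp/ql/test/query-tests/Security Features/CWE-022/ZipSlip/ZipSlip.expected
+++ b/csharp/ql/test/query-tests/Security Features/CWE-022/ZipSlip/ZipSlip.expected
@@ -1,53 +1,25 @@
 edges
-| ZipSlip.cs:16:35:16:66 | [library code] output from GetFullPath : String | ZipSlip.cs:31:71:31:78 | [library code] input into Combine : String |
-| ZipSlip.cs:16:35:16:66 | [library code] output from GetFullPath : String | ZipSlip.cs:39:81:39:88 | [library code] input into Combine : String |
-| ZipSlip.cs:16:52:16:65 | [library code] input into GetFullPath : String | ZipSlip.cs:16:35:16:66 | [library code] output from GetFullPath : String |
-| ZipSlip.cs:16:52:16:65 | access to property FullName : String | ZipSlip.cs:16:52:16:65 | [library code] input into GetFullPath : String |
-| ZipSlip.cs:19:31:19:44 | access to property FullName : String | ZipSlip.cs:23:71:23:74 | [library code] input into Combine : String |
-| ZipSlip.cs:23:43:23:75 | [library code] output from Combine : String | ZipSlip.cs:24:41:24:52 | access to local variable destFileName |
-| ZipSlip.cs:23:71:23:74 | [library code] input into Combine : String | ZipSlip.cs:23:43:23:75 | [library code] output from Combine : String |
-| ZipSlip.cs:31:43:31:79 | [library code] output from Combine : String | ZipSlip.cs:32:41:32:52 | access to local variable destFilePath |
-| ZipSlip.cs:31:43:31:79 | [library code] output from Combine : String | ZipSlip.cs:36:45:36:56 | access to local variable destFilePath |
-| ZipSlip.cs:31:71:31:78 | [library code] input into Combine : String | ZipSlip.cs:31:43:31:79 | [library code] output from Combine : String |
-| ZipSlip.cs:39:36:39:90 | [library code] output from GetFullPath : String | ZipSlip.cs:40:41:40:52 | access to local variable destFilePath |
-| ZipSlip.cs:39:53:39:89 | [library code] input into GetFullPath : String | ZipSlip.cs:39:36:39:90 | [library code] output from GetFullPath : String |
-| ZipSlip.cs:39:53:39:89 | [library code] output from Combine : String | ZipSlip.cs:39:53:39:89 | [library code] input into GetFullPath : String |
-| ZipSlip.cs:39:81:39:88 | [library code] input into Combine : String | ZipSlip.cs:39:53:39:89 | [library code] output from Combine : String |
-| ZipSlip.cs:62:47:62:86 | [library code] output from Combine : String | ZipSlip.cs:69:74:69:85 | access to local variable destFilePath |
-| ZipSlip.cs:62:47:62:86 | [library code] output from Combine : String | ZipSlip.cs:76:71:76:82 | access to local variable destFilePath |
-| ZipSlip.cs:62:47:62:86 | [library code] output from Combine : String | ZipSlip.cs:83:57:83:68 | access to local variable destFilePath |
-| ZipSlip.cs:62:47:62:86 | [library code] output from Combine : String | ZipSlip.cs:91:58:91:69 | access to local variable destFilePath |
-| ZipSlip.cs:62:72:62:85 | [library code] input into Combine : String | ZipSlip.cs:62:47:62:86 | [library code] output from Combine : String |
-| ZipSlip.cs:62:72:62:85 | access to property FullName : String | ZipSlip.cs:62:72:62:85 | [library code] input into Combine : String |
-| ZipSlipBad.cs:9:31:9:73 | [library code] output from Combine : String | ZipSlipBad.cs:10:29:10:40 | access to local variable destFileName |
-| ZipSlipBad.cs:9:59:9:72 | [library code] input into Combine : String | ZipSlipBad.cs:9:31:9:73 | [library code] output from Combine : String |
-| ZipSlipBad.cs:9:59:9:72 | access to property FullName : String | ZipSlipBad.cs:9:59:9:72 | [library code] input into Combine : String |
+| ZipSlip.cs:16:52:16:65 | access to property FullName : String | ZipSlip.cs:32:41:32:52 | access to local variable destFilePath |
+| ZipSlip.cs:16:52:16:65 | access to property FullName : String | ZipSlip.cs:36:45:36:56 | access to local variable destFilePath |
+| ZipSlip.cs:16:52:16:65 | access to property FullName : String | ZipSlip.cs:40:41:40:52 | access to local variable destFilePath |
+| ZipSlip.cs:19:31:19:44 | access to property FullName : String | ZipSlip.cs:24:41:24:52 | access to local variable destFileName |
+| ZipSlip.cs:62:72:62:85 | access to property FullName : String | ZipSlip.cs:69:74:69:85 | access to local variable destFilePath |
+| ZipSlip.cs:62:72:62:85 | access to property FullName : String | ZipSlip.cs:76:71:76:82 | access to local variable destFilePath |
+| ZipSlip.cs:62:72:62:85 | access to property FullName : String | ZipSlip.cs:83:57:83:68 | access to local variable destFilePath |
+| ZipSlip.cs:62:72:62:85 | access to property FullName : String | ZipSlip.cs:91:58:91:69 | access to local variable destFilePath |
+| ZipSlipBad.cs:9:59:9:72 | access to property FullName : String | ZipSlipBad.cs:10:29:10:40 | access to local variable destFileName |
 nodes
-| ZipSlip.cs:16:35:16:66 | [library code] output from GetFullPath : String | semmle.label | [library code] output from GetFullPath : String |
-| ZipSlip.cs:16:52:16:65 | [library code] input into GetFullPath : String | semmle.label | [library code] input into GetFullPath : String |
 | ZipSlip.cs:16:52:16:65 | access to property FullName : String | semmle.label | access to property FullName : String |
 | ZipSlip.cs:19:31:19:44 | access to property FullName : String | semmle.label | access to property FullName : String |
-| ZipSlip.cs:23:43:23:75 | [library code] output from Combine : String | semmle.label | [library code] output from Combine : String |
-| ZipSlip.cs:23:71:23:74 | [library code] input into Combine : String | semmle.label | [library code] input into Combine : String |
 | ZipSlip.cs:24:41:24:52 | access to local variable destFileName | semmle.label | access to local variable destFileName |
-| ZipSlip.cs:31:43:31:79 | [library code] output from Combine : String | semmle.label | [library code] output from Combine : String |
-| ZipSlip.cs:31:71:31:78 | [library code] input into Combine : String | semmle.label | [library code] input into Combine : String |
 | ZipSlip.cs:32:41:32:52 | access to local variable destFilePath | semmle.label | access to local variable destFilePath |
 | ZipSlip.cs:36:45:36:56 | access to local variable destFilePath | semmle.label | access to local variable destFilePath |
-| ZipSlip.cs:39:36:39:90 | [library code] output from GetFullPath : String | semmle.label | [library code] output from GetFullPath : String |
-| ZipSlip.cs:39:53:39:89 | [library code] input into GetFullPath : String | semmle.label | [library code] input into GetFullPath : String |
-| ZipSlip.cs:39:53:39:89 | [library code] output from Combine : String | semmle.label | [library code] output from Combine : String |
-| ZipSlip.cs:39:81:39:88 | [library code] input into Combine : String | semmle.label | [library code] input into Combine : String |
 | ZipSlip.cs:40:41:40:52 | access to local variable destFilePath | semmle.label | access to local variable destFilePath |
-| ZipSlip.cs:62:47:62:86 | [library code] output from Combine : String | semmle.label | [library code] output from Combine : String |
-| ZipSlip.cs:62:72:62:85 | [library code] input into Combine : String | semmle.label | [library code] input into Combine : String |
 | ZipSlip.cs:62:72:62:85 | access to property FullName : String | semmle.label | access to property FullName : String |
 | ZipSlip.cs:69:74:69:85 | access to local variable destFilePath | semmle.label | access to local variable destFilePath |
 | ZipSlip.cs:76:71:76:82 | access to local variable destFilePath | semmle.label | access to local variable destFilePath |
 | ZipSlip.cs:83:57:83:68 | access to local variable destFilePath | semmle.label | access to local variable destFilePath |
 | ZipSlip.cs:91:58:91:69 | access to local variable destFilePath | semmle.label | access to local variable destFilePath |
-| ZipSlipBad.cs:9:31:9:73 | [library code] output from Combine : String | semmle.label | [library code] output from Combine : String |
-| ZipSlipBad.cs:9:59:9:72 | [library code] input into Combine : String | semmle.label | [library code] input into Combine : String |
 | ZipSlipBad.cs:9:59:9:72 | access to property FullName : String | semmle.label | access to property FullName : String |
 | ZipSlipBad.cs:10:29:10:40 | access to local variable destFileName | semmle.label | access to local variable destFileName |
 #select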

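--- a/csharp/ql/test/query-tests/Security Features/CWE-078/CommandInjection.expected
+++ b/csharp/ql/test/query-tests/Security Features/CWE-078/CommandInjection.expected
@@ -1,24 +1,21 @@
 edges
-| CommandInjection.cs:25:32:25:46 | [library code] input into get_Text : TextBox | CommandInjection.cs:25:32:25:51 | [library code] output from get_Text : String |
-| CommandInjection.cs:25:32:25:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:25:32:25:46 | [library code] input into get_Text : TextBox |
-| CommandInjection.cs:25:32:25:51 | [library code] output from get_Text : String | CommandInjection.cs:26:27:26:47 | ... + ... |
-| CommandInjection.cs:25:32:25:51 | [library code] output from get_Text : String | CommandInjection.cs:26:50:26:66 | ... + ... |
-| CommandInjection.cs:25:32:25:51 | [library code] output from get_Text : String | CommandInjection.cs:28:63:28:71 | access to local variable userInput |
-| CommandInjection.cs:25:32:25:51 | [library code] output from get_Text : String | CommandInjection.cs:28:74:28:82 | access to local variable userInput |
-| CommandInjection.cs:25:32:25:51 | [library code] output from get_Text : String | CommandInjection.cs:32:39:32:47 | access to local variable userInput |
-| CommandInjection.cs:25:32:25:51 | [library code] output from get_Text : String | CommandInjection.cs:33:40:33:48 | access to local variable userInput |
-| CommandInjection.cs:25:32:25:51 | [library code] output from get_Text : String | CommandInjection.cs:34:47:34:55 | access to local variable userInput |
+| CommandInjection.cs:25:32:25:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:26:27:26:47 | ... + ... |
+| CommandInjection.cs:25:32:25:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:26:50:26:66 | ... + ... |
+| CommandInjection.cs:25:32:25:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:28:63:28:71 | access to local variable userInput |
+| CommandInjection.cs:25:32:25:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:28:74:28:82 | access to local variable userInput |
+| CommandInjection.cs:25:32:25:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:32:39:32:47 | access to local variable userInput |
+| CommandInjection.cs:25:32:25:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:33:40:33:48 | access to local variable userInput |
+| CommandInjection.cs:25:32:25:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:34:47:34:55 | access to local variable userInput |
 nodes
-| CommandInjection.cs:25:32:25:46 | [library code] input into get_Text : TextBox | semmle.label | [library code] input into get_Text : TextBox |
 | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox : TextBox | semmle.label | access to field categoryTextBox : TextBox |
-| CommandInjection.cs:25:32:25:51 | [library code] output from get_Text : String | semmle.label | [library code] output from get_Text : String |
 | CommandInjection.cs:26:27:26:47 | ... + ... | semmle.label | ... + ... |
 | CommandInjection.cs:26:50:26:66 | ... + ... | semmle.label | ... + ... |
 | CommandInjection.cs:28:63:28:71 | access to local variable userInput | semmle.label | access to local variable userInput |
 | CommandInjection.cs:28:74:28:82 | access to local variable userInput | semmle.label | access to local variable userInput |
 | CommandInjection.cs:32:39:32:47 | access to local variable userInput | semmle.label | access to local variable userInput |
 | CommandInjection.cs:33:40:33:48 | access to local variable userInput | semmle.label | access to local variable userInput |
 | CommandInjection.cs:34:47:34:55 | access to local variable userInput | semmle.label | access to local variable userInput |
+| StoredCommandInjection.cs:15:65:15:66 | "" | semmle.label | "" |
 #select
 | CommandInjection.cs:26:27:26:47 | ... + ... | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:26:27:26:47 | ... + ... | $@ flows to here and is used in a command. | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | User-provided value |
 | CommandInjection.cs:26:50:26:66 | ... + ... | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:26:50:26:66 | ... + ... | $@ flows to here and is used in a command. | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | User-provided value |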

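--- a/csharp/ql/test/query-tests/Security Features/CWE-078/StoredCommandInjection.expected
+++ b/csharp/ql/test/query-tests/Security Features/CWE-078/StoredCommandInjection.expected
@@ -1,6 +1,7 @@
 edges
 | StoredCommandInjection.cs:24:54:24:80 | call to method GetString : String | StoredCommandInjection.cs:24:46:24:80 | ... + ... |
 nodes
+| StoredCommandInjection.cs:15:65:15:66 | "" | semmle.label | "" |
 | StoredCommandInjection.cs:24:46:24:80 | ... + ... | semmle.label | ... + ... |
 | StoredCommandInjection.cs:24:54:24:80 | call to method GetString : String | semmle.label | call to method GetString : String |
 #select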

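--- a/csharp/ql/test/query-tests/Security Features/CWE-079/StoredXSS/XSS.expected
+++ b/csharp/ql/test/query-tests/Security Features/CWE-079/StoredXSS/XSS.expected
@@ -1,17 +1,11 @@
 edges
-| XSS.cs:25:13:25:21 | [library code] output from AppendFormat : StringBuilder | XSS.cs:26:32:26:40 | [library code] input into ToString : StringBuilder |
-| XSS.cs:25:13:25:21 | [library code] output from AppendFormat : StringBuilder | XSS.cs:27:29:27:37 | [library code] input into ToString : StringBuilder |
-| XSS.cs:25:13:25:21 | [library code] output from AppendFormat : StringBuilder | XSS.cs:28:26:28:34 | [library code] input into ToString : StringBuilder |
-| XSS.cs:25:48:25:62 | [library code] input into get_Text : TextBox | XSS.cs:25:48:25:67 | [library code] output from get_Text : String |
-| XSS.cs:25:48:25:62 | access to field categoryTextBox : TextBox | XSS.cs:25:48:25:62 | [library code] input into get_Text : TextBox |
-| XSS.cs:25:48:25:67 | [library code] input into AppendFormat : String | XSS.cs:25:13:25:21 | [library code] output from AppendFormat : StringBuilder |
-| XSS.cs:25:48:25:67 | [library code] output from get_Text : String | XSS.cs:25:48:25:67 | [library code] input into AppendFormat : String |
-| XSS.cs:26:32:26:40 | [library code] input into ToString : StringBuilder | XSS.cs:26:32:26:51 | [library code] output from ToString : String |
-| XSS.cs:26:32:26:51 | [library code] output from ToString : String | XSS.cs:26:32:26:51 | call to method ToString |
-| XSS.cs:27:29:27:37 | [library code] input into ToString : StringBuilder | XSS.cs:27:29:27:48 | [library code] output from ToString : String |
-| XSS.cs:27:29:27:48 | [library code] output from ToString : String | XSS.cs:27:29:27:48 | call to method ToString |
-| XSS.cs:28:26:28:34 | [library code] input into ToString : StringBuilder | XSS.cs:28:26:28:45 | [library code] output from ToString : String |
-| XSS.cs:28:26:28:45 | [library code] output from ToString : String | XSS.cs:28:26:28:45 | call to method ToString |
+| XSS.cs:25:13:25:21 | [post] access to local variable userInput [[]] : Object | XSS.cs:26:32:26:40 | access to local variable userInput [[]] : Object |
+| XSS.cs:25:13:25:21 | [post] access to local variable userInput [[]] : Object | XSS.cs:27:29:27:37 | access to local variable userInput [[]] : Object |
+| XSS.cs:25:13:25:21 | [post] access to local variable userInput [[]] : Object | XSS.cs:28:26:28:34 | access to local variable userInput [[]] : Object |
+| XSS.cs:25:48:25:62 | access to field categoryTextBox : TextBox | XSS.cs:25:13:25:21 | [post] access to local variable userInput [[]] : Object |
+| XSS.cs:26:32:26:40 | access to local variable userInput [[]] : Object | XSS.cs:26:32:26:51 | call to method ToString |
+| XSS.cs:27:29:27:37 | access to local variable userInput [[]] : Object | XSS.cs:27:29:27:48 | call to method ToString |
+| XSS.cs:28:26:28:34 | access to local variable userInput [[]] : Object | XSS.cs:28:26:28:45 | call to method ToString |
 | XSS.cs:37:27:37:53 | access to property QueryString : NameValueCollection | XSS.cs:38:36:38:39 | access to local variable name |
 | XSS.cs:57:27:57:65 | access to property QueryString : NameValueCollection | XSS.cs:59:22:59:25 | access to local variable name |
 | XSS.cs:75:27:75:53 | access to property QueryString : NameValueCollection | XSS.cs:76:36:76:39 | access to local variable name |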
