From eddc52852d8fe9dd5640733d636243e48857990b Mon Sep 17 00:00:00 2001 
From: calum Date: Thu, 25 Oct 2018 15:36:34 +0100 Subject: [PATCH 1/6] C#: Convert security queries to path-problem and update qltest expected output. --- .../Security Features/CWE-022/TaintedPath.ql | 10 +++-- .../src/Security Features/CWE-022/ZipSlip.ql | 10 +++-- .../CWE-078/CommandInjection.ql | 10 +++-- .../CWE-078/StoredCommandInjection.ql | 10 +++-- .../Security Features/CWE-079/StoredXSS.ql | 6 ++- .../CWE-089/SecondOrderSqlInjection.ql | 10 +++-- .../Security Features/CWE-089/SqlInjection.ql | 6 ++- .../CWE-090/LDAPInjection.ql | 10 +++-- .../CWE-090/StoredLDAPInjection.ql | 10 +++-- .../CWE-094/CodeInjection.ql | 10 +++-- .../CWE-099/ResourceInjection.ql | 10 +++-- .../CWE-112/MissingXMLValidation.ql | 6 ++- .../Security Features/CWE-117/LogForging.ql | 10 +++-- .../CWE-201/ExposureInTransmittedData.ql | 10 +++-- .../CWE-209/ExceptionInformationExposure.ql | 10 +++-- .../CWE-312/CleartextStorage.ql | 10 +++-- .../CWE-327/DontInstallRootCert.ql | 10 +++-- .../CWE-359/ExposureOfPrivateInformation.ql | 10 +++-- .../Security Features/CWE-601/UrlRedirect.ql | 10 +++-- .../CWE-611/UntrustedDataInsecureXml.ql | 6 ++- .../CWE-643/StoredXPathInjection.ql | 10 +++-- .../CWE-643/XPathInjection.ql | 10 +++-- .../ql/src/Security Features/CWE-730/ReDoS.ql | 6 ++- .../CWE-730/RegexInjection.ql | 6 ++- .../CWE-798/HardcodedConnectionString.ql | 7 +++- .../CWE-798/HardcodedCredentials.ql | 15 ++++--- .../CWE-807/ConditionalBypass.ql | 6 ++- .../CWE-838/InappropriateEncoding.ql | 12 +++--- .../semmle/code/csharp/dataflow/DataFlow.qll | 6 +++ .../CWE-022/TaintedPath/TaintedPath.expected | 23 +++++++---- .../CWE-022/ZipSlip/ZipSlip.expected | 31 ++++++++++----- .../CWE-078/CommandInjection.expected | 23 +++++++---- .../CWE-078/StoredCommandInjection.expected | 5 ++- .../CWE-079/StoredXSS/StoredXSS.expected | 5 ++- .../CWE-089/SecondOrderSqlInjection.expected | 5 ++- .../CWE-089/SqlInjection.expected | 39 ++++++++++++++----- .../CWE-090/LDAPInjection.expected | 20 +++++++--- 
.../CWE-090/StoredLDAPInjection.expected | 5 ++- .../CWE-094/CodeInjection.expected | 8 +++- .../CWE-099/ResourceInjection.expected | 8 +++- .../CWE-112/MissingXMLValidation.expected | 21 +++++++--- .../CWE-117/LogForging.expected | 8 +++- .../ExposureInTransmittedData.expected | 25 +++++++----- .../ExceptionInformationExposure.expected | 13 ++++--- .../CWE-312/CleartextStorage.expected | 12 +++--- .../DontInstallRootCert.expected | 11 ++++-- .../ExposureOfPrivateInformation.expected | 8 ++-- .../CWE-611/UntrustedDataInsecureXml.expected | 6 ++- .../CWE-643/StoredXPathInjection.expected | 14 +++++-- .../CWE-643/XPathInjection.expected | 14 +++++-- .../CWE-730/ReDoS/ReDoS.expected | 27 ++++++++++--- .../CWE-730/ReDoSGlobalTimeout/ReDoS.expected | 3 ++ .../RegexInjection/RegexInjection.expected | 5 ++- .../HardcodedConnectionString.expected | 7 +++- .../CWE-798/HardcodedCredentials.expected | 19 +++++---- .../CWE-807/ConditionalBypass.expected | 25 ++++++++---- .../CWE-838/InappropriateEncoding.expected | 36 +++++++++++------ 57 files changed, 467 insertions(+), 221 deletions(-) diff --git a/csharp/ql/src/Security Features/CWE-022/TaintedPath.ql b/csharp/ql/src/Security Features/CWE-022/TaintedPath.ql index 76b940631a28..9d6e55e44c92 100644 --- a/csharp/ql/src/Security Features/CWE-022/TaintedPath.ql +++ b/csharp/ql/src/Security Features/CWE-022/TaintedPath.ql @@ -1,7 +1,7 @@ /** * @name Uncontrolled data used in path expression * @description Accessing paths influenced by users can allow an attacker to access unexpected resources. - * @kind problem + * @kind path-problem * @problem.severity error * @precision high * @id cs/path-injection 
@@ -14,7 +14,9 @@ */ import csharp import semmle.code.csharp.security.dataflow.TaintedPath::TaintedPath +import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph -from TaintTrackingConfiguration c, Source source, Sink sink -where c.hasFlow(source, sink) -select sink, "$@ flows to here and is used in a path.", source, "User-provided value" +from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink +where c.hasFlowPath(source, sink) +select sink, source, sink, + "$@ flows to here and is used in a path.", source, "User-provided value" diff --git a/csharp/ql/src/Security Features/CWE-022/ZipSlip.ql b/csharp/ql/src/Security Features/CWE-022/ZipSlip.ql index 37969f0b6ebc..1d93d480634d 100644 --- a/csharp/ql/src/Security Features/CWE-022/ZipSlip.ql +++ b/csharp/ql/src/Security Features/CWE-022/ZipSlip.ql @@ -3,7 +3,7 @@ * @description Extracting files from a malicious zip archive without validating that the * destination file path is within the destination directory can cause files outside * the destination directory to be overwritten. - * @kind problem + * @kind path-problem * @id cs/zipslip * @problem.severity error * @precision high @@ -13,7 +13,9 @@ import csharp import semmle.code.csharp.security.dataflow.ZipSlip::ZipSlip +import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph -from TaintTrackingConfiguration zipTaintTracking, DataFlow::Node source, DataFlow::Node sink -where zipTaintTracking.hasFlow(source, sink) -select sink, "Unsanitized zip archive $@, which may contain '..', is used in a file system operation.", source, "item path" +from TaintTrackingConfiguration zipTaintTracking, DataFlow::PathNode source, DataFlow::PathNode sink +where zipTaintTracking.hasFlowPath(source, sink) +select sink, source, sink, + "Unsanitized zip archive $@, which may contain '..', is used in a file system operation.", source, "item path" 
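Review bot: In the TaintedPath.ql select, the alert element and the `$@` link target are now `DataFlow::PathNode` values, although only the second and third columns need to be path nodes for a `path-problem` result. Selecting the underlying nodes for the other two, `select sink.getNode(), source, sink, "$@ flows to here and is used in a path.", source.getNode(), "User-provided value"`, would keep the alert location and the link independent of how a path node is rendered, assuming `PathNode.getNode()` is available in this version of the library. The same select shape recurs in the other queries this patch converts with `hasFlowPath`, starting with ZipSlip.ql further along this line.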
diff --git a/csharp/ql/src/Security Features/CWE-078/CommandInjection.ql b/csharp/ql/src/Security Features/CWE-078/CommandInjection.ql index 17dec56988f5..316c06761133 100644 --- a/csharp/ql/src/Security Features/CWE-078/CommandInjection.ql +++ b/csharp/ql/src/Security Features/CWE-078/CommandInjection.ql @@ -2,7 +2,7 @@ * @name Uncontrolled command line * @description Using externally controlled strings in a command line may allow a malicious * user to change the meaning of the command. - * @kind problem + * @kind path-problem * @problem.severity error * @precision high * @id cs/command-line-injection @@ -14,7 +14,9 @@ import csharp import semmle.code.csharp.security.dataflow.CommandInjection::CommandInjection +import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph -from TaintTrackingConfiguration c, Source source, Sink sink -where c.hasFlow(source, sink) -select sink, "$@ flows to here and is used in a command.", source, "User-provided value" +from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink +where c.hasFlowPath(source, sink) +select sink, source, sink, + "$@ flows to here and is used in a command.", source, "User-provided value" diff --git a/csharp/ql/src/Security Features/CWE-078/StoredCommandInjection.ql b/csharp/ql/src/Security Features/CWE-078/StoredCommandInjection.ql index acd883e106c7..a74cbb10ce62 100644 --- a/csharp/ql/src/Security Features/CWE-078/StoredCommandInjection.ql +++ b/csharp/ql/src/Security Features/CWE-078/StoredCommandInjection.ql @@ -2,7 +2,7 @@ * @name Uncontrolled command line from stored user input * @description Using externally controlled strings in a command line may allow a malicious * user to change the meaning of the command. - * @kind problem + * @kind path-problem * @problem.severity error * @precision medium * @id cs/stored-command-line-injection 
@@ -15,6 +15,7 @@ import csharp import semmle.code.csharp.security.dataflow.flowsources.Stored import semmle.code.csharp.security.dataflow.CommandInjection::CommandInjection +import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph class StoredTaintTrackingConfiguration extends TaintTrackingConfiguration { override predicate isSource(DataFlow::Node source) { @@ -22,6 +23,7 @@ class StoredTaintTrackingConfiguration extends TaintTrackingConfiguration { } } -from StoredTaintTrackingConfiguration c, StoredFlowSource source, Sink sink -where c.hasFlow(source, sink) -select sink, "$@ flows to here and is used in a command.", source, "Stored user-provided value" +from StoredTaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink +where c.hasFlowPath(source, sink) +select sink, source, sink, + "$@ flows to here and is used in a command.", source, "Stored user-provided value" diff --git a/csharp/ql/src/Security Features/CWE-079/StoredXSS.ql b/csharp/ql/src/Security Features/CWE-079/StoredXSS.ql index 91fe8b2616c2..2909269df2a0 100644 --- a/csharp/ql/src/Security Features/CWE-079/StoredXSS.ql +++ b/csharp/ql/src/Security Features/CWE-079/StoredXSS.ql @@ -2,7 +2,7 @@ * @name Stored cross-site scripting * @description Writing input from the database directly to a web page indicates a cross-site * scripting vulnerability if the data was originally user-provided. - * @kind problem + * @kind path-problem * @problem.severity error * @precision medium * @id cs/web/stored-xss @@ -13,6 +13,7 @@ import csharp import semmle.code.csharp.security.dataflow.flowsources.Stored import semmle.code.csharp.security.dataflow.XSS::XSS +import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph class StoredTaintTrackingConfiguration extends TaintTrackingConfiguration { override predicate isSource(DataFlow::Node source) { 
@@ -26,4 +27,5 @@ and if exists(sink.explanation()) then explanation = ": " + sink.explanation() + "." else explanation = "." -select sink, "$@ flows to here and is written to HTML or javascript" + explanation, source, "Stored user-provided value" +select sink, source.getPathNode(c), sink.getPathNode(c), + "$@ flows to here and is written to HTML or JavaScript" + explanation, source, "Stored user-provided value" diff --git a/csharp/ql/src/Security Features/CWE-089/SecondOrderSqlInjection.ql b/csharp/ql/src/Security Features/CWE-089/SecondOrderSqlInjection.ql index b7fb79ccf37b..d4d1c4192413 100644 --- a/csharp/ql/src/Security Features/CWE-089/SecondOrderSqlInjection.ql +++ b/csharp/ql/src/Security Features/CWE-089/SecondOrderSqlInjection.ql @@ -2,7 +2,7 @@ * @name SQL query built from stored user-controlled sources * @description Building a SQL query from stored user-controlled sources is vulnerable to insertion * of malicious SQL code by the user. - * @kind problem + * @kind path-problem * @problem.severity error * @precision medium * @id cs/second-order-sql-injection @@ -13,6 +13,7 @@ import csharp import semmle.code.csharp.security.dataflow.SqlInjection import semmle.code.csharp.security.dataflow.flowsources.Stored +import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph class StoredTaintTrackingConfiguration extends SqlInjection::TaintTrackingConfiguration { override predicate isSource(DataFlow::Node source) { 
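Review bot: The new StoredXSS.ql select obtains `source.getPathNode(c)` and `sink.getPathNode(c)` independently, and nothing in this hunk ties the two path nodes to the same flow path; the `from`/`where` clause lies outside the hunk and presumably still relates the plain nodes through `hasFlow`. `getPathNode` is defined in DataFlow.qll, which is not in view, but if one node can map to several path nodes the result may pair a source and a sink that no `edges` chain connects, leaving the alert without a usable path. The other queries in this patch bind `DataFlow::PathNode source, DataFlow::PathNode sink` with `c.hasFlowPath(source, sink)`. Doing the same here, and reading `explanation()` from the sink's underlying node, would keep the converted queries consistent. SqlInjection.ql, MissingXMLValidation.ql, UntrustedDataInsecureXml.ql and ReDoS.ql use the same `getPathNode` pattern.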
@@ -20,6 +21,7 @@ class StoredTaintTrackingConfiguration extends SqlInjection::TaintTrackingConfig } } -from StoredTaintTrackingConfiguration c, DataFlow::Node source, DataFlow::Node sink -where c.hasFlow(source, sink) -select sink, "$@ flows to here and is used in an SQL query.", source, "Stored user-provided value" +from StoredTaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink +where c.hasFlowPath(source, sink) +select sink, source, sink, + "$@ flows to here and is used in an SQL query.", source, "Stored user-provided value" diff --git a/csharp/ql/src/Security Features/CWE-089/SqlInjection.ql b/csharp/ql/src/Security Features/CWE-089/SqlInjection.ql index b39731328084..9bc70bd56b45 100644 --- a/csharp/ql/src/Security Features/CWE-089/SqlInjection.ql +++ b/csharp/ql/src/Security Features/CWE-089/SqlInjection.ql @@ -2,7 +2,7 @@ * @name SQL query built from user-controlled sources * @description Building a SQL query from user-controlled sources is vulnerable to insertion of * malicious SQL code by the user. -* @kind problem +* @kind path-problem * @problem.severity error * @precision high * @id cs/sql-injection @@ -12,7 +12,9 @@ import csharp import semmle.code.csharp.security.dataflow.SqlInjection::SqlInjection +import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph from TaintTrackingConfiguration c, RemoteFlowSource source, Sink sink where c.hasFlow(source, sink) -select sink, "Query might include code from $@.", source, ("this " + source.getSourceType()) +select sink, source.getPathNode(c), sink.getPathNode(c), + "Query might include code from $@.", source, ("this " + source.getSourceType()) diff --git a/csharp/ql/src/Security Features/CWE-090/LDAPInjection.ql b/csharp/ql/src/Security Features/CWE-090/LDAPInjection.ql index b5688b7ac41d..b2c1cfb7c933 100644 --- a/csharp/ql/src/Security Features/CWE-090/LDAPInjection.ql +++ b/csharp/ql/src/Security Features/CWE-090/LDAPInjection.ql 
@@ -2,7 +2,7 @@ * @name LDAP query built from user-controlled sources * @description Building an LDAP query from user-controlled sources is vulnerable to insertion of * malicious LDAP code by the user. - * @kind problem + * @kind path-problem * @problem.severity error * @precision high * @id cs/ldap-injection @@ -11,7 +11,9 @@ */ import csharp import semmle.code.csharp.security.dataflow.LDAPInjection::LDAPInjection +import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph -from TaintTrackingConfiguration c, Source source, Sink sink -where c.hasFlow(source, sink) -select sink, "$@ flows to here and is used in an LDAP query.", source, "User-provided value" +from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink +where c.hasFlowPath(source, sink) +select sink, source, sink, + "$@ flows to here and is used in an LDAP query.", source, "User-provided value" diff --git a/csharp/ql/src/Security Features/CWE-090/StoredLDAPInjection.ql b/csharp/ql/src/Security Features/CWE-090/StoredLDAPInjection.ql index 0cea7f631134..5d11e89e8386 100644 --- a/csharp/ql/src/Security Features/CWE-090/StoredLDAPInjection.ql +++ b/csharp/ql/src/Security Features/CWE-090/StoredLDAPInjection.ql @@ -2,7 +2,7 @@ * @name LDAP query built from stored user-controlled sources * @description Building an LDAP query from stored user-controlled sources is vulnerable to * insertion of malicious LDAP code by the user. - * @kind problem + * @kind path-problem * @problem.severity error * @precision medium * @id cs/stored-ldap-injection @@ -12,6 +12,7 @@ import csharp import semmle.code.csharp.security.dataflow.LDAPInjection::LDAPInjection import semmle.code.csharp.security.dataflow.flowsources.Stored +import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph class StoredTaintTrackingConfiguration extends TaintTrackingConfiguration { override predicate isSource(DataFlow::Node source) { 
@@ -19,6 +20,7 @@ class StoredTaintTrackingConfiguration extends TaintTrackingConfiguration { } } -from StoredTaintTrackingConfiguration c, StoredFlowSource source, Sink sink -where c.hasFlow(source, sink) -select sink, "$@ flows to here and is used in an LDAP query.", source, "Stored user-provided value" +from StoredTaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink +where c.hasFlowPath(source, sink) +select sink, source, sink, + "$@ flows to here and is used in an LDAP query.", source, "Stored user-provided value" diff --git a/csharp/ql/src/Security Features/CWE-094/CodeInjection.ql b/csharp/ql/src/Security Features/CWE-094/CodeInjection.ql index d97498f0f128..a4447309b7cd 100644 --- a/csharp/ql/src/Security Features/CWE-094/CodeInjection.ql +++ b/csharp/ql/src/Security Features/CWE-094/CodeInjection.ql @@ -2,7 +2,7 @@ * @name Improper control of generation of code * @description Treating externally controlled strings as code can allow an attacker to execute * malicious code. - * @kind problem + * @kind path-problem * @problem.severity error * @precision high * @id cs/code-injection @@ -13,7 +13,9 @@ */ import csharp import semmle.code.csharp.security.dataflow.CodeInjection::CodeInjection +import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph -from TaintTrackingConfiguration c, Source source, Sink sink -where c.hasFlow(source, sink) -select sink, "$@ flows to here and is compiled as code.", source, "User-provided value" +from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink +where c.hasFlowPath(source, sink) +select sink, source, sink, + "$@ flows to here and is compiled as code.", source, "User-provided value" diff --git a/csharp/ql/src/Security Features/CWE-099/ResourceInjection.ql b/csharp/ql/src/Security Features/CWE-099/ResourceInjection.ql index 9853f0c00984..3f842b1d4f4f 100644 --- a/csharp/ql/src/Security Features/CWE-099/ResourceInjection.ql 
+++ b/csharp/ql/src/Security Features/CWE-099/ResourceInjection.ql @@ -2,7 +2,7 @@ * @name Resource injection * @description Building a resource descriptor from untrusted user input is vulnerable to a * malicious user providing an unintended resource. - * @kind problem + * @kind path-problem * @problem.severity error * @precision high * @id cs/resource-injection @@ -11,7 +11,9 @@ */ import csharp import semmle.code.csharp.security.dataflow.ResourceInjection::ResourceInjection +import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph -from TaintTrackingConfiguration c, Source source, Sink sink -where c.hasFlow(source, sink) -select sink, "$@ flows to here and is used in a resource descriptor.", source, "User-provided value" +from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink +where c.hasFlowPath(source, sink) +select sink, source, sink, + "$@ flows to here and is used in a resource descriptor.", source, "User-provided value" diff --git a/csharp/ql/src/Security Features/CWE-112/MissingXMLValidation.ql b/csharp/ql/src/Security Features/CWE-112/MissingXMLValidation.ql index ae4228a5c3a1..67c8891fd7ab 100644 --- a/csharp/ql/src/Security Features/CWE-112/MissingXMLValidation.ql +++ b/csharp/ql/src/Security Features/CWE-112/MissingXMLValidation.ql @@ -2,7 +2,7 @@ * @name Missing XML validation * @description User input should not be processed as XML without validating it against a known * schema. - * @kind problem + * @kind path-problem * @problem.severity recommendation * @precision high * @id cs/xml/missing-validation 
@@ -11,7 +11,9 @@ */ import csharp import semmle.code.csharp.security.dataflow.MissingXMLValidation::MissingXMLValidation +import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph from TaintTrackingConfiguration c, Source source, Sink sink where c.hasFlow(source, sink) -select sink, "$@ flows to here and is processed as XML without validation because " + sink.getReason(), source, "User-provided value" +select sink, source.getPathNode(c), sink.getPathNode(c), + "$@ flows to here and is processed as XML without validation because " + sink.getReason(), source, "User-provided value" diff --git a/csharp/ql/src/Security Features/CWE-117/LogForging.ql b/csharp/ql/src/Security Features/CWE-117/LogForging.ql index 32068cf59e2c..01985c85c8c2 100644 --- a/csharp/ql/src/Security Features/CWE-117/LogForging.ql +++ b/csharp/ql/src/Security Features/CWE-117/LogForging.ql @@ -2,7 +2,7 @@ * @name Log entries created from user input * @description Building log entries from user-controlled sources is vulnerable to * insertion of forged log entries by a malicious user. - * @kind problem + * @kind path-problem * @problem.severity error * @precision high * @id cs/log-forging @@ -11,7 +11,9 @@ */ import csharp import semmle.code.csharp.security.dataflow.LogForging::LogForging +import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph -from TaintTrackingConfiguration c, Source source, Sink sink -where c.hasFlow(source, sink) -select sink, "$@ flows to log entry.", source, "User-provided value" +from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink +where c.hasFlowPath(source, sink) +select sink, source, sink, + "$@ flows to log entry.", source, "User-provided value" diff --git a/csharp/ql/src/Security Features/CWE-201/ExposureInTransmittedData.ql b/csharp/ql/src/Security Features/CWE-201/ExposureInTransmittedData.ql index 3c2e9350a2df..482c9de2eab4 100644 --- a/csharp/ql/src/Security Features/CWE-201/ExposureInTransmittedData.ql 
+++ b/csharp/ql/src/Security Features/CWE-201/ExposureInTransmittedData.ql @@ -1,7 +1,7 @@ /** * @name Information exposure through transmitted data * @description Transmitting sensitive information to the user is a potential security risk. - * @kind problem + * @kind path-problem * @problem.severity error * @precision high * @id cs/sensitive-data-transmission @@ -15,6 +15,7 @@ import semmle.code.csharp.security.dataflow.XSS import semmle.code.csharp.security.dataflow.Email import semmle.code.csharp.frameworks.system.data.Common import semmle.code.csharp.frameworks.System +import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph class TaintTrackingConfiguration extends TaintTracking::Configuration { TaintTrackingConfiguration() { @@ -49,6 +50,7 @@ class TaintTrackingConfiguration extends TaintTracking::Configuration { } } -from TaintTrackingConfiguration configuration, DataFlow::Node source, DataFlow::Node sink -where configuration.hasFlow(source, sink) -select sink, "Sensitive information from $@ flows to here, and is transmitted to the user.", source, source.toString() +from TaintTrackingConfiguration configuration, DataFlow::PathNode source, DataFlow::PathNode sink +where configuration.hasFlowPath(source, sink) +select sink, source, sink, + "Sensitive information from $@ flows to here, and is transmitted to the user.", source, source.toString() diff --git a/csharp/ql/src/Security Features/CWE-209/ExceptionInformationExposure.ql b/csharp/ql/src/Security Features/CWE-209/ExceptionInformationExposure.ql index b895b50321b9..935e1e155547 100644 --- a/csharp/ql/src/Security Features/CWE-209/ExceptionInformationExposure.ql +++ b/csharp/ql/src/Security Features/CWE-209/ExceptionInformationExposure.ql 
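Review bot: The link text in the ExposureInTransmittedData.ql select is still `source.toString()`, but `source` is now a `DataFlow::PathNode`, so the alert message depends on how a path node prints rather than on the text of the source node itself. If the two renderings ever differ, the alert messages change and the `.expected` files drift with them. Using `source.getNode().toString()` would keep the label tied to the underlying node. ExceptionInformationExposure.ql, CleartextStorage.ql and ExposureOfPrivateInformation.ql use the same label expression in their new selects.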
@@ -3,7 +3,7 @@ * @description Leaking information about an exception, such as messages and stack traces, to an * external user can expose implementation details that are useful to an attacker for * developing a subsequent exploit. - * @kind problem + * @kind path-problem * @problem.severity error * @precision high * @id cs/information-exposure-through-exception @@ -15,6 +15,7 @@ import csharp import semmle.code.csharp.frameworks.System import semmle.code.csharp.security.dataflow.XSS +import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph /** * A taint-tracking configuration for reasoning about stack traces that flow to web page outputs. @@ -56,6 +57,7 @@ class TaintTrackingConfiguration extends TaintTracking::Configuration { } } -from TaintTrackingConfiguration c, DataFlow::Node source, DataFlow::Node sink -where c.hasFlow(source, sink) -select sink, "Exception information from $@ flows to here, and is exposed to the user.", source, source.toString() +from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink +where c.hasFlowPath(source, sink) +select sink, source, sink, + "Exception information from $@ flows to here, and is exposed to the user.", source, source.toString() diff --git a/csharp/ql/src/Security Features/CWE-312/CleartextStorage.ql b/csharp/ql/src/Security Features/CWE-312/CleartextStorage.ql index e44ad1817270..17d09cb368d8 100644 --- a/csharp/ql/src/Security Features/CWE-312/CleartextStorage.ql +++ b/csharp/ql/src/Security Features/CWE-312/CleartextStorage.ql @@ -2,7 +2,7 @@ * @name Clear text storage of sensitive information * @description Sensitive information stored without encryption or hashing can expose it to an * attacker. - * @kind problem + * @kind path-problem * @problem.severity error * @precision high * @id cs/cleartext-storage-of-sensitive-information 
@@ -13,7 +13,9 @@ */ import csharp import semmle.code.csharp.security.dataflow.CleartextStorage::CleartextStorage +import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph -from TaintTrackingConfiguration c, Source source, Sink sink -where c.hasFlow(source, sink) -select sink, "Sensitive data returned by $@ is stored here.", source, source.toString() +from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink +where c.hasFlowPath(source, sink) +select sink, source, sink, + "Sensitive data returned by $@ is stored here.", source, source.toString() diff --git a/csharp/ql/src/Security Features/CWE-327/DontInstallRootCert.ql b/csharp/ql/src/Security Features/CWE-327/DontInstallRootCert.ql index 412af8e43f76..d9f1dd3ef882 100644 --- a/csharp/ql/src/Security Features/CWE-327/DontInstallRootCert.ql +++ b/csharp/ql/src/Security Features/CWE-327/DontInstallRootCert.ql @@ -2,7 +2,7 @@ * @name Do not add certificates to the system root store. * @description Application- or user-specific certificates placed in the system root store could * weaken security for other processing running on the same system. - * @kind problem + * @kind path-problem * @id cs/adding-cert-to-root-store * @problem.severity error * @tags security @@ -10,6 +10,7 @@ */ import csharp import semmle.code.csharp.dataflow.DataFlow::DataFlow +import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph class AddCertToRootStoreConfig extends DataFlow::Configuration { AddCertToRootStoreConfig() { this = "Adding Certificate To Root Store" } 
@@ -30,7 +31,8 @@ class AddCertToRootStoreConfig extends DataFlow::Configuration { } } -from Expr oc, Expr mc, AddCertToRootStoreConfig config -where config.hasFlow(DataFlow::exprNode(oc), DataFlow::exprNode(mc)) -select mc, "Certificate added to the root certificate store." +from DataFlow::PathNode oc, DataFlow::PathNode mc, AddCertToRootStoreConfig config +where config.hasFlowPath(oc, mc) +select mc, oc, mc, + "Certificate added to the root certificate store." diff --git a/csharp/ql/src/Security Features/CWE-359/ExposureOfPrivateInformation.ql b/csharp/ql/src/Security Features/CWE-359/ExposureOfPrivateInformation.ql index 5b8dad5f9314..d2d593f70258 100644 --- a/csharp/ql/src/Security Features/CWE-359/ExposureOfPrivateInformation.ql +++ b/csharp/ql/src/Security Features/CWE-359/ExposureOfPrivateInformation.ql @@ -2,7 +2,7 @@ * @name Exposure of private information * @description If private information is written to an external location, it may be accessible by * unauthorized persons. - * @kind problem + * @kind path-problem * @problem.severity error * @precision high * @id cs/exposure-of-sensitive-information @@ -11,7 +11,9 @@ */ import csharp import semmle.code.csharp.security.dataflow.ExposureOfPrivateInformation::ExposureOfPrivateInformation +import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph -from TaintTrackingConfiguration c, Source source, Sink sink -where c.hasFlow(source, sink) -select sink, "Private data returned by $@ is written to an external location.", source, source.toString() +from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink +where c.hasFlowPath(source, sink) +select sink, source, sink, + "Private data returned by $@ is written to an external location.", source, source.toString() diff --git a/csharp/ql/src/Security Features/CWE-601/UrlRedirect.ql b/csharp/ql/src/Security Features/CWE-601/UrlRedirect.ql index b2a148e10a63..c499c9860fbb 100644 
--- a/csharp/ql/src/Security Features/CWE-601/UrlRedirect.ql +++ b/csharp/ql/src/Security Features/CWE-601/UrlRedirect.ql @@ -2,7 +2,7 @@ * @name URL redirection from remote source * @description URL redirection based on unvalidated user input * may cause redirection to malicious web sites. - * @kind problem + * @kind path-problem * @problem.severity error * @precision high * @id cs/web/unvalidated-url-redirection @@ -11,7 +11,9 @@ */ import csharp import semmle.code.csharp.security.dataflow.UrlRedirect::UrlRedirect +import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph -from TaintTrackingConfiguration c, Source source, Sink sink -where c.hasFlow(source, sink) -select sink, "Untrusted URL redirection due to $@.", source, "user-provided value" +from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink +where c.hasFlowPath(source, sink) +select sink, source, sink, + "Untrusted URL redirection due to $@.", source, "user-provided value" diff --git a/csharp/ql/src/Security Features/CWE-611/UntrustedDataInsecureXml.ql b/csharp/ql/src/Security Features/CWE-611/UntrustedDataInsecureXml.ql index 09f8fa924be9..fa1c5a93e990 100644 --- a/csharp/ql/src/Security Features/CWE-611/UntrustedDataInsecureXml.ql +++ b/csharp/ql/src/Security Features/CWE-611/UntrustedDataInsecureXml.ql @@ -1,7 +1,7 @@ /** * @name Untrusted XML is read insecurely * @description Untrusted XML is read with an insecure resolver and DTD processing enabled. - * @kind problem + * @kind path-problem * @problem.severity error * @precision high * @id cs/xml/insecure-dtd-handling 
@@ -12,7 +12,9 @@ */ import csharp import semmle.code.csharp.security.dataflow.XMLEntityInjection::XMLEntityInjection +import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph from TaintTrackingConfiguration c, Source source, Sink sink where c.hasFlow(source, sink) -select sink, "$@ flows to here and is loaded insecurely as XML (" + sink.getReason() +").", source, "User-provided value" +select sink, source.getPathNode(c), sink.getPathNode(c), + "$@ flows to here and is loaded insecurely as XML (" + sink.getReason() +").", source, "User-provided value" diff --git a/csharp/ql/src/Security Features/CWE-643/StoredXPathInjection.ql b/csharp/ql/src/Security Features/CWE-643/StoredXPathInjection.ql index 2dd94bd1fb3b..adb34437b2b2 100644 --- a/csharp/ql/src/Security Features/CWE-643/StoredXPathInjection.ql +++ b/csharp/ql/src/Security Features/CWE-643/StoredXPathInjection.ql @@ -2,7 +2,7 @@ * @name Stored XPath injection * @description Building an XPath expression from stored data which may have been provided by the * user is vulnerable to insertion of malicious code by the user. - * @kind problem + * @kind path-problem * @problem.severity error * @precision medium * @id cs/xml/stored-xpath-injection @@ -12,6 +12,7 @@ import csharp import semmle.code.csharp.security.dataflow.flowsources.Stored import semmle.code.csharp.security.dataflow.XPathInjection +import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph class StoredTaintTrackingConfiguration extends XPathInjection::TaintTrackingConfiguration { override 
@@ -20,6 +21,7 @@ class StoredTaintTrackingConfiguration extends XPathInjection::TaintTrackingConf } } -from StoredTaintTrackingConfiguration c, DataFlow::Node source, DataFlow::Node sink -where c.hasFlow(source, sink) -select sink, "$@ flows to here and is used in an XPath expression.", source, "Stored user-provided value" +from StoredTaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink +where c.hasFlowPath(source, sink) +select sink, source, sink, + "$@ flows to here and is used in an XPath expression.", source, "Stored user-provided value" diff --git a/csharp/ql/src/Security Features/CWE-643/XPathInjection.ql b/csharp/ql/src/Security Features/CWE-643/XPathInjection.ql index 4206884d76c4..6cc18e5dac08 100644 --- a/csharp/ql/src/Security Features/CWE-643/XPathInjection.ql +++ b/csharp/ql/src/Security Features/CWE-643/XPathInjection.ql @@ -2,7 +2,7 @@ * @name XPath injection * @description Building an XPath expression from user-controlled sources is vulnerable to insertion of * malicious code by the user. - * @kind problem + * @kind path-problem * @problem.severity error * @precision high * @id cs/xml/xpath-injection @@ -11,7 +11,9 @@ */ import csharp import semmle.code.csharp.security.dataflow.XPathInjection::XPathInjection +import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph -from TaintTrackingConfiguration c, Source source, Sink sink -where c.hasFlow(source, sink) -select sink, "$@ flows to here and is used in an XPath expression.", source, "User-provided value" +from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink +where c.hasFlowPath(source, sink) +select sink, source, sink, + "$@ flows to here and is used in an XPath expression.", source, "User-provided value" diff --git a/csharp/ql/src/Security Features/CWE-730/ReDoS.ql b/csharp/ql/src/Security Features/CWE-730/ReDoS.ql index 9e75c1aa1bb8..d0675f8c06f8 100644 --- a/csharp/ql/src/Security Features/CWE-730/ReDoS.ql 
+++ b/csharp/ql/src/Security Features/CWE-730/ReDoS.ql @@ -2,7 +2,7 @@ * @name Denial of Service from comparison of user input against expensive regex * @description User input should not be matched against a regular expression that could require * exponential time on certain input. - * @kind problem + * @kind path-problem * @problem.severity error * @precision high * @id cs/redos @@ -13,9 +13,11 @@ import csharp import semmle.code.csharp.security.dataflow.ReDoS::ReDoS import semmle.code.csharp.frameworks.system.text.RegularExpressions +import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph from TaintTrackingConfiguration c, Source source, DataFlow::Node sink where c.hasFlow(source, sink) // No global timeout set and not exists(RegexGlobalTimeout r) -select sink, "$@ flows to regular expression operation with dangerous regex.", source, "User-provided value" +select sink, source.getPathNode(c), sink.getPathNode(c), + "$@ flows to regular expression operation with dangerous regex.", source, "User-provided value" diff --git a/csharp/ql/src/Security Features/CWE-730/RegexInjection.ql b/csharp/ql/src/Security Features/CWE-730/RegexInjection.ql index 4e3bacc8b600..458fb366bd23 100644 --- a/csharp/ql/src/Security Features/CWE-730/RegexInjection.ql +++ b/csharp/ql/src/Security Features/CWE-730/RegexInjection.ql @@ -3,7 +3,7 @@ * @description User input should not be used in regular expressions without first being escaped, * otherwise a malicious user may be able to provide a regex that could require * exponential time on certain inputs. - * @kind problem + * @kind path-problem * @problem.severity error * @precision high * @id cs/regex-injection 
@@ -14,9 +14,11 @@ import csharp import semmle.code.csharp.security.dataflow.RegexInjection::RegexInjection import semmle.code.csharp.frameworks.system.text.RegularExpressions +import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph from TaintTrackingConfiguration c, Source source, Sink sink where c.hasFlow(source, sink) // No global timeout set and not exists(RegexGlobalTimeout r) -select sink, "$@ flows to the construction of a regular expression.", source, "User-provided value" +select sink, source.getPathNode(c), sink.getPathNode(c), + "$@ flows to the construction of a regular expression.", source, "User-provided value" diff --git a/csharp/ql/src/Security Features/CWE-798/HardcodedConnectionString.ql b/csharp/ql/src/Security Features/CWE-798/HardcodedConnectionString.ql index a2376bdbd231..4585057055d3 100644 --- a/csharp/ql/src/Security Features/CWE-798/HardcodedConnectionString.ql +++ b/csharp/ql/src/Security Features/CWE-798/HardcodedConnectionString.ql @@ -1,7 +1,7 @@ /** * @name Hard-coded connection string with credentials * @description Credentials are hard-coded in a connection string in the source code of the application. - * @kind problem + * @kind path-problem * @problem.severity error * @precision high * @id cs/hardcoded-connection-string-credentials @@ -13,6 +13,7 @@ import csharp import semmle.code.csharp.frameworks.system.Data import semmle.code.csharp.security.dataflow.HardcodedCredentials +import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph /** * A string literal containing a username or password field. 
@@ -49,4 +50,6 @@ class ConnectionStringTaintTrackingConfiguration extends TaintTracking::Configur from ConnectionStringTaintTrackingConfiguration c, DataFlow::Node source, DataFlow::Node sink where c.hasFlow(source, sink) -select source, "'ConnectionString' property includes hard-coded credentials set in $@.", any(Call call | call.getAnArgument() = sink.asExpr()) as call, call.toString() +select source, source.getPathNode(c), sink.getPathNode(c), + "'ConnectionString' property includes hard-coded credentials set in $@.", + any(Call call | call.getAnArgument() = sink.asExpr()) as call, call.toString() diff --git a/csharp/ql/src/Security Features/CWE-798/HardcodedCredentials.ql b/csharp/ql/src/Security Features/CWE-798/HardcodedCredentials.ql index 05f24d0810ed..11ddc864418a 100644 --- a/csharp/ql/src/Security Features/CWE-798/HardcodedCredentials.ql +++ b/csharp/ql/src/Security Features/CWE-798/HardcodedCredentials.ql @@ -1,7 +1,7 @@ /** * @name Hard-coded credentials * @description Credentials are hard coded in the source code of the application. - * @kind problem + * @kind path-problem * @problem.severity error * @precision high * @id cs/hardcoded-credentials 
@@ -11,13 +11,18 @@ * external/cwe/cwe-798 */ import csharp -private import semmle.code.csharp.security.dataflow.HardcodedCredentials::HardcodedCredentials +import semmle.code.csharp.security.dataflow.HardcodedCredentials::HardcodedCredentials +import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph from TaintTrackingConfiguration c, Source source, Sink sink, string value -where c.hasFlow(source, sink) +where + c.hasFlow(source, sink) and // Print the source value if it's available - and if exists(source.asExpr().getValue()) then + if exists(source.asExpr().getValue()) then value = "The hard-coded value \"" + source.asExpr().getValue() + "\"" else value = "This hard-coded value" -select source, value + " flows to " + sink.getSinkDescription() + ".", sink, sink.getSinkName(), sink.getSupplementaryElement(), sink.getSupplementaryElement().toString() +select source, source.getPathNode(c), sink.getPathNode(c), + value + " flows to " + sink.getSinkDescription() + ".", + sink, sink.getSinkName(), sink.getSupplementaryElement(), + sink.getSupplementaryElement().toString() diff --git a/csharp/ql/src/Security Features/CWE-807/ConditionalBypass.ql b/csharp/ql/src/Security Features/CWE-807/ConditionalBypass.ql index e2399be992bf..013320f92521 100644 --- a/csharp/ql/src/Security Features/CWE-807/ConditionalBypass.ql +++ b/csharp/ql/src/Security Features/CWE-807/ConditionalBypass.ql @@ -2,7 +2,7 @@ * @name User-controlled bypass of sensitive method * @description User-controlled bypassing of sensitive methods may allow attackers to avoid * passing through authentication systems. - * @kind problem + * @kind path-problem * @problem.severity error * @precision high * @id cs/user-controlled-bypass 
@@ -13,8 +13,10 @@ */ import csharp import semmle.code.csharp.security.dataflow.ConditionalBypass::UserControlledBypassOfSensitiveMethod +import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph from Configuration config, Source source, Sink sink where config.hasFlow(source, sink) -select sink.getSensitiveMethodCall(), "Sensitive method may not be executed depending on $@, which flows from $@.", +select sink.getSensitiveMethodCall(), source.getPathNode(config), sink.getPathNode(config), + "Sensitive method may not be executed depending on $@, which flows from $@.", sink, "this condition", source, "user input" diff --git a/csharp/ql/src/Security Features/CWE-838/InappropriateEncoding.ql b/csharp/ql/src/Security Features/CWE-838/InappropriateEncoding.ql index d429bb0c0d28..9735cc52a637 100644 --- a/csharp/ql/src/Security Features/CWE-838/InappropriateEncoding.ql +++ b/csharp/ql/src/Security Features/CWE-838/InappropriateEncoding.ql @@ -2,7 +2,7 @@ * @name Inappropriate encoding * @description Using an inappropriate encoding may give unintended results and may * pose a security risk. -* @kind problem +* @kind path-problem * @problem.severity error * @precision low * @id cs/inappropriate-encoding @@ -20,6 +20,7 @@ import semmle.code.csharp.security.dataflow.SqlInjection import semmle.code.csharp.security.dataflow.XSS import semmle.code.csharp.security.dataflow.UrlRedirect import semmle.code.csharp.security.Sanitizers +import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph /** * A configuration for specifying expressions that must be 
@@ -43,8 +44,8 @@ abstract class RequiresEncodingConfiguration extends TaintTracking::Configuratio * `sink`, where `sink` is an expression of kind `kind` that is required * to be encoded. */ - predicate hasWrongEncoding(Expr encodedValue, Expr sink, string kind) { - hasFlow(exprNode(encodedValue), exprNode(sink)) and + predicate hasWrongEncoding(PathNode encodedValue, PathNode sink, string kind) { + hasFlowPath(encodedValue, sink) and kind = this.getKind() } @@ -153,6 +154,7 @@ module EncodingConfigurations { } } -from RequiresEncodingConfiguration c, Expr encodedValue, Expr sink, string kind +from RequiresEncodingConfiguration c, PathNode encodedValue, PathNode sink, string kind where c.hasWrongEncoding(encodedValue, sink, kind) -select sink, "This " + kind + " may include data from a $@.", encodedValue, "possibly inappropriately encoded value" +select sink, encodedValue, sink, + "This " + kind + " may include data from a $@.", encodedValue, "possibly inappropriately encoded value" diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/DataFlow.qll b/csharp/ql/src/semmle/code/csharp/dataflow/DataFlow.qll index 6843d67087b7..d05ce2a4d815 100755 --- a/csharp/ql/src/semmle/code/csharp/dataflow/DataFlow.qll +++ b/csharp/ql/src/semmle/code/csharp/dataflow/DataFlow.qll @@ -35,6 +35,12 @@ module DataFlow { /** Gets the location of this node. */ Location getLocation() { none() } + + /** Gets the path node for this node. */ + PathNode getPathNode(Configuration config) { + result.getNode() = this and + result.getConfiguration() = config + } } /** diff --git a/csharp/ql/test/query-tests/Security Features/CWE-022/TaintedPath/TaintedPath.expected b/csharp/ql/test/query-tests/Security Features/CWE-022/TaintedPath/TaintedPath.expected index fce17c42bd07..8586fc5266d2 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-022/TaintedPath/TaintedPath.expected +++ b/csharp/ql/test/query-tests/Security Features/CWE-022/TaintedPath/TaintedPath.expected 
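Review bot: The qldoc above `hasWrongEncoding` in InappropriateEncoding.ql still describes `sink` as an expression, but both parameters are now of type `PathNode` and the body calls `hasFlowPath`. The comment opens before this hunk, so only its tail is visible; in that tail I would reword the clause to `where sink is a path node for an expression of kind kind that is required to be encoded` and describe `encodedValue` as a path node in the same way. Left as it is, the comment tells the next maintainer to pass expressions to a predicate that no longer accepts them.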
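Review bot: The qldoc `Gets the path node for this node.` on the new `getPathNode` in DataFlow.qll reads as if the result were unique and always present, while the body only requires `result.getNode() = this` and `result.getConfiguration() = config`. I would document it as ``/** Gets a path node for this node in configuration `config`, if any. */`` so callers know the predicate can have no result, and possibly several depending on how `PathNode` is defined (not visible here). The enclosing class starts before this hunk.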
@@ -1,7 +1,16 @@ -| TaintedPath.cs:14:50:14:53 | access to local variable path | $@ flows to here and is used in a path. | TaintedPath.cs:12:23:12:45 | access to property QueryString | User-provided value | -| TaintedPath.cs:19:51:19:54 | access to local variable path | $@ flows to here and is used in a path. | TaintedPath.cs:12:23:12:45 | access to property QueryString | User-provided value | -| TaintedPath.cs:27:30:27:33 | access to local variable path | $@ flows to here and is used in a path. | TaintedPath.cs:12:23:12:45 | access to property QueryString | User-provided value | -| TaintedPath.cs:33:30:33:33 | access to local variable path | $@ flows to here and is used in a path. | TaintedPath.cs:12:23:12:45 | access to property QueryString | User-provided value | -| TaintedPath.cs:38:25:38:31 | access to local variable badPath | $@ flows to here and is used in a path. | TaintedPath.cs:12:23:12:45 | access to property QueryString | User-provided value | -| TaintedPath.cs:40:49:40:55 | access to local variable badPath | $@ flows to here and is used in a path. | TaintedPath.cs:12:23:12:45 | access to property QueryString | User-provided value | -| TaintedPath.cs:53:26:53:29 | access to local variable path | $@ flows to here and is used in a path. 
| TaintedPath.cs:12:23:12:45 | access to property QueryString | User-provided value | +edges +| TaintedPath.cs:12:23:12:45 | access to property QueryString | TaintedPath.cs:14:50:14:53 | access to local variable path | +| TaintedPath.cs:12:23:12:45 | access to property QueryString | TaintedPath.cs:19:51:19:54 | access to local variable path | +| TaintedPath.cs:12:23:12:45 | access to property QueryString | TaintedPath.cs:27:30:27:33 | access to local variable path | +| TaintedPath.cs:12:23:12:45 | access to property QueryString | TaintedPath.cs:33:30:33:33 | access to local variable path | +| TaintedPath.cs:12:23:12:45 | access to property QueryString | TaintedPath.cs:38:25:38:31 | access to local variable badPath | +| TaintedPath.cs:12:23:12:45 | access to property QueryString | TaintedPath.cs:40:49:40:55 | access to local variable badPath | +| TaintedPath.cs:12:23:12:45 | access to property QueryString | TaintedPath.cs:53:26:53:29 | access to local variable path | +#select +| TaintedPath.cs:14:50:14:53 | access to local variable path | TaintedPath.cs:12:23:12:45 | access to property QueryString | TaintedPath.cs:14:50:14:53 | access to local variable path | $@ flows to here and is used in a path. | TaintedPath.cs:12:23:12:45 | access to property QueryString | User-provided value | +| TaintedPath.cs:19:51:19:54 | access to local variable path | TaintedPath.cs:12:23:12:45 | access to property QueryString | TaintedPath.cs:19:51:19:54 | access to local variable path | $@ flows to here and is used in a path. | TaintedPath.cs:12:23:12:45 | access to property QueryString | User-provided value | +| TaintedPath.cs:27:30:27:33 | access to local variable path | TaintedPath.cs:12:23:12:45 | access to property QueryString | TaintedPath.cs:27:30:27:33 | access to local variable path | $@ flows to here and is used in a path. 
| TaintedPath.cs:12:23:12:45 | access to property QueryString | User-provided value | +| TaintedPath.cs:33:30:33:33 | access to local variable path | TaintedPath.cs:12:23:12:45 | access to property QueryString | TaintedPath.cs:33:30:33:33 | access to local variable path | $@ flows to here and is used in a path. | TaintedPath.cs:12:23:12:45 | access to property QueryString | User-provided value | +| TaintedPath.cs:38:25:38:31 | access to local variable badPath | TaintedPath.cs:12:23:12:45 | access to property QueryString | TaintedPath.cs:38:25:38:31 | access to local variable badPath | $@ flows to here and is used in a path. | TaintedPath.cs:12:23:12:45 | access to property QueryString | User-provided value | +| TaintedPath.cs:40:49:40:55 | access to local variable badPath | TaintedPath.cs:12:23:12:45 | access to property QueryString | TaintedPath.cs:40:49:40:55 | access to local variable badPath | $@ flows to here and is used in a path. | TaintedPath.cs:12:23:12:45 | access to property QueryString | User-provided value | +| TaintedPath.cs:53:26:53:29 | access to local variable path | TaintedPath.cs:12:23:12:45 | access to property QueryString | TaintedPath.cs:53:26:53:29 | access to local variable path | $@ flows to here and is used in a path. | TaintedPath.cs:12:23:12:45 | access to property QueryString | User-provided value | diff --git a/csharp/ql/test/query-tests/Security Features/CWE-022/ZipSlip/ZipSlip.expected b/csharp/ql/test/query-tests/Security Features/CWE-022/ZipSlip/ZipSlip.expected index f9da54b1b80d..2672f945a628 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-022/ZipSlip/ZipSlip.expected +++ b/csharp/ql/test/query-tests/Security Features/CWE-022/ZipSlip/ZipSlip.expected 
@@ -1,9 +1,22 @@ -| ZipSlip.cs:24:41:24:52 | access to local variable destFileName | Unsanitized zip archive $@, which may contain '..', is used in a file system operation. | ZipSlip.cs:19:31:19:44 | access to property FullName | item path | -| ZipSlip.cs:32:41:32:52 | access to local variable destFilePath | Unsanitized zip archive $@, which may contain '..', is used in a file system operation. | ZipSlip.cs:16:52:16:65 | access to property FullName | item path | -| ZipSlip.cs:36:45:36:56 | access to local variable destFilePath | Unsanitized zip archive $@, which may contain '..', is used in a file system operation. | ZipSlip.cs:16:52:16:65 | access to property FullName | item path | -| ZipSlip.cs:40:41:40:52 | access to local variable destFilePath | Unsanitized zip archive $@, which may contain '..', is used in a file system operation. | ZipSlip.cs:16:52:16:65 | access to property FullName | item path | -| ZipSlip.cs:69:74:69:85 | access to local variable destFilePath | Unsanitized zip archive $@, which may contain '..', is used in a file system operation. | ZipSlip.cs:62:72:62:85 | access to property FullName | item path | -| ZipSlip.cs:76:71:76:82 | access to local variable destFilePath | Unsanitized zip archive $@, which may contain '..', is used in a file system operation. | ZipSlip.cs:62:72:62:85 | access to property FullName | item path | -| ZipSlip.cs:83:57:83:68 | access to local variable destFilePath | Unsanitized zip archive $@, which may contain '..', is used in a file system operation. | ZipSlip.cs:62:72:62:85 | access to property FullName | item path | -| ZipSlip.cs:91:58:91:69 | access to local variable destFilePath | Unsanitized zip archive $@, which may contain '..', is used in a file system operation. | ZipSlip.cs:62:72:62:85 | access to property FullName | item path | -| ZipSlipBad.cs:10:29:10:40 | access to local variable destFileName | Unsanitized zip archive $@, which may contain '..', is used in a file system operation. 
| ZipSlipBad.cs:9:59:9:72 | access to property FullName | item path | +edges +| ZipSlip.cs:16:52:16:65 | access to property FullName | ZipSlip.cs:32:41:32:52 | access to local variable destFilePath | +| ZipSlip.cs:16:52:16:65 | access to property FullName | ZipSlip.cs:36:45:36:56 | access to local variable destFilePath | +| ZipSlip.cs:16:52:16:65 | access to property FullName | ZipSlip.cs:39:53:39:89 | call to method Combine | +| ZipSlip.cs:16:52:16:65 | access to property FullName | ZipSlip.cs:40:41:40:52 | access to local variable destFilePath | +| ZipSlip.cs:19:31:19:44 | access to property FullName | ZipSlip.cs:24:41:24:52 | access to local variable destFileName | +| ZipSlip.cs:39:53:39:89 | call to method Combine | ZipSlip.cs:40:41:40:52 | access to local variable destFilePath | +| ZipSlip.cs:62:72:62:85 | access to property FullName | ZipSlip.cs:69:74:69:85 | access to local variable destFilePath | +| ZipSlip.cs:62:72:62:85 | access to property FullName | ZipSlip.cs:76:71:76:82 | access to local variable destFilePath | +| ZipSlip.cs:62:72:62:85 | access to property FullName | ZipSlip.cs:83:57:83:68 | access to local variable destFilePath | +| ZipSlip.cs:62:72:62:85 | access to property FullName | ZipSlip.cs:91:58:91:69 | access to local variable destFilePath | +| ZipSlipBad.cs:9:59:9:72 | access to property FullName | ZipSlipBad.cs:10:29:10:40 | access to local variable destFileName | +#select +| ZipSlip.cs:24:41:24:52 | access to local variable destFileName | ZipSlip.cs:19:31:19:44 | access to property FullName | ZipSlip.cs:24:41:24:52 | access to local variable destFileName | Unsanitized zip archive $@, which may contain '..', is used in a file system operation. 
| ZipSlip.cs:19:31:19:44 | access to property FullName | item path | +| ZipSlip.cs:32:41:32:52 | access to local variable destFilePath | ZipSlip.cs:16:52:16:65 | access to property FullName | ZipSlip.cs:32:41:32:52 | access to local variable destFilePath | Unsanitized zip archive $@, which may contain '..', is used in a file system operation. | ZipSlip.cs:16:52:16:65 | access to property FullName | item path | +| ZipSlip.cs:36:45:36:56 | access to local variable destFilePath | ZipSlip.cs:16:52:16:65 | access to property FullName | ZipSlip.cs:36:45:36:56 | access to local variable destFilePath | Unsanitized zip archive $@, which may contain '..', is used in a file system operation. | ZipSlip.cs:16:52:16:65 | access to property FullName | item path | +| ZipSlip.cs:40:41:40:52 | access to local variable destFilePath | ZipSlip.cs:16:52:16:65 | access to property FullName | ZipSlip.cs:40:41:40:52 | access to local variable destFilePath | Unsanitized zip archive $@, which may contain '..', is used in a file system operation. | ZipSlip.cs:16:52:16:65 | access to property FullName | item path | +| ZipSlip.cs:69:74:69:85 | access to local variable destFilePath | ZipSlip.cs:62:72:62:85 | access to property FullName | ZipSlip.cs:69:74:69:85 | access to local variable destFilePath | Unsanitized zip archive $@, which may contain '..', is used in a file system operation. | ZipSlip.cs:62:72:62:85 | access to property FullName | item path | +| ZipSlip.cs:76:71:76:82 | access to local variable destFilePath | ZipSlip.cs:62:72:62:85 | access to property FullName | ZipSlip.cs:76:71:76:82 | access to local variable destFilePath | Unsanitized zip archive $@, which may contain '..', is used in a file system operation. 
| ZipSlip.cs:62:72:62:85 | access to property FullName | item path | +| ZipSlip.cs:83:57:83:68 | access to local variable destFilePath | ZipSlip.cs:62:72:62:85 | access to property FullName | ZipSlip.cs:83:57:83:68 | access to local variable destFilePath | Unsanitized zip archive $@, which may contain '..', is used in a file system operation. | ZipSlip.cs:62:72:62:85 | access to property FullName | item path | +| ZipSlip.cs:91:58:91:69 | access to local variable destFilePath | ZipSlip.cs:62:72:62:85 | access to property FullName | ZipSlip.cs:91:58:91:69 | access to local variable destFilePath | Unsanitized zip archive $@, which may contain '..', is used in a file system operation. | ZipSlip.cs:62:72:62:85 | access to property FullName | item path | +| ZipSlipBad.cs:10:29:10:40 | access to local variable destFileName | ZipSlipBad.cs:9:59:9:72 | access to property FullName | ZipSlipBad.cs:10:29:10:40 | access to local variable destFileName | Unsanitized zip archive $@, which may contain '..', is used in a file system operation. | ZipSlipBad.cs:9:59:9:72 | access to property FullName | item path | diff --git a/csharp/ql/test/query-tests/Security Features/CWE-078/CommandInjection.expected b/csharp/ql/test/query-tests/Security Features/CWE-078/CommandInjection.expected index 8870df306ea6..7c2a68cec355 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-078/CommandInjection.expected +++ b/csharp/ql/test/query-tests/Security Features/CWE-078/CommandInjection.expected 
@@ -1,7 +1,16 @@ -| CommandInjection.cs:26:27:26:47 | ... + ... | $@ flows to here and is used in a command. | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | User-provided value | -| CommandInjection.cs:26:50:26:66 | ... + ... | $@ flows to here and is used in a command. | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | User-provided value | -| CommandInjection.cs:28:63:28:71 | access to local variable userInput | $@ flows to here and is used in a command. | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | User-provided value | -| CommandInjection.cs:28:74:28:82 | access to local variable userInput | $@ flows to here and is used in a command. | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | User-provided value | -| CommandInjection.cs:32:39:32:47 | access to local variable userInput | $@ flows to here and is used in a command. | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | User-provided value | -| CommandInjection.cs:33:40:33:48 | access to local variable userInput | $@ flows to here and is used in a command. | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | User-provided value | -| CommandInjection.cs:34:47:34:55 | access to local variable userInput | $@ flows to here and is used in a command. | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | User-provided value | +edges +| CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | CommandInjection.cs:26:27:26:47 | ... + ... | +| CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | CommandInjection.cs:26:50:26:66 | ... + ... 
| +| CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | CommandInjection.cs:28:63:28:71 | access to local variable userInput | +| CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | CommandInjection.cs:28:74:28:82 | access to local variable userInput | +| CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | CommandInjection.cs:32:39:32:47 | access to local variable userInput | +| CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | CommandInjection.cs:33:40:33:48 | access to local variable userInput | +| CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | CommandInjection.cs:34:47:34:55 | access to local variable userInput | +#select +| CommandInjection.cs:26:27:26:47 | ... + ... | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | CommandInjection.cs:26:27:26:47 | ... + ... | $@ flows to here and is used in a command. | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | User-provided value | +| CommandInjection.cs:26:50:26:66 | ... + ... | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | CommandInjection.cs:26:50:26:66 | ... + ... | $@ flows to here and is used in a command. | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | User-provided value | +| CommandInjection.cs:28:63:28:71 | access to local variable userInput | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | CommandInjection.cs:28:63:28:71 | access to local variable userInput | $@ flows to here and is used in a command. | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | User-provided value | +| CommandInjection.cs:28:74:28:82 | access to local variable userInput | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | CommandInjection.cs:28:74:28:82 | access to local variable userInput | $@ flows to here and is used in a command. 
| CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | User-provided value | +| CommandInjection.cs:32:39:32:47 | access to local variable userInput | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | CommandInjection.cs:32:39:32:47 | access to local variable userInput | $@ flows to here and is used in a command. | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | User-provided value | +| CommandInjection.cs:33:40:33:48 | access to local variable userInput | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | CommandInjection.cs:33:40:33:48 | access to local variable userInput | $@ flows to here and is used in a command. | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | User-provided value | +| CommandInjection.cs:34:47:34:55 | access to local variable userInput | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | CommandInjection.cs:34:47:34:55 | access to local variable userInput | $@ flows to here and is used in a command. | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | User-provided value | diff --git a/csharp/ql/test/query-tests/Security Features/CWE-078/StoredCommandInjection.expected b/csharp/ql/test/query-tests/Security Features/CWE-078/StoredCommandInjection.expected index aaff4b464e43..8c41bafe5b51 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-078/StoredCommandInjection.expected +++ b/csharp/ql/test/query-tests/Security Features/CWE-078/StoredCommandInjection.expected 
@@ -1 +1,4 @@ -| StoredCommandInjection.cs:24:46:24:80 | ... + ... | $@ flows to here and is used in a command. | StoredCommandInjection.cs:24:54:24:80 | call to method GetString | Stored user-provided value | +edges +| StoredCommandInjection.cs:24:54:24:80 | call to method GetString | StoredCommandInjection.cs:24:46:24:80 | ... + ... | +#select +| StoredCommandInjection.cs:24:46:24:80 | ... + ... | StoredCommandInjection.cs:24:54:24:80 | call to method GetString | StoredCommandInjection.cs:24:46:24:80 | ... + ... | $@ flows to here and is used in a command. | StoredCommandInjection.cs:24:54:24:80 | call to method GetString | Stored user-provided value | diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/StoredXSS/StoredXSS.expected b/csharp/ql/test/query-tests/Security Features/CWE-079/StoredXSS/StoredXSS.expected index fef8586c1639..91263323cae3 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-079/StoredXSS/StoredXSS.expected +++ b/csharp/ql/test/query-tests/Security Features/CWE-079/StoredXSS/StoredXSS.expected @@ -1 +1,4 @@ -| StoredXSS.cs:24:44:24:86 | ... + ... | $@ flows to here and is written to HTML or javascript. | StoredXSS.cs:24:60:24:86 | call to method GetString | Stored user-provided value | +edges +| StoredXSS.cs:24:60:24:86 | call to method GetString | StoredXSS.cs:24:44:24:86 | ... + ... | +#select +| StoredXSS.cs:24:44:24:86 | ... + ... | StoredXSS.cs:24:60:24:86 | call to method GetString | StoredXSS.cs:24:44:24:86 | ... + ... | $@ flows to here and is written to HTML or JavaScript. | StoredXSS.cs:24:60:24:86 | call to method GetString | Stored user-provided value | diff --git a/csharp/ql/test/query-tests/Security Features/CWE-089/SecondOrderSqlInjection.expected b/csharp/ql/test/query-tests/Security Features/CWE-089/SecondOrderSqlInjection.expected index 272854d84a76..9789f8d2dd7c 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-089/SecondOrderSqlInjection.expected 
+++ b/csharp/ql/test/query-tests/Security Features/CWE-089/SecondOrderSqlInjection.expected @@ -1 +1,4 @@ -| SecondOrderSqlInjection.cs:21:71:21:145 | ... + ... | $@ flows to here and is used in an SQL query. | SecondOrderSqlInjection.cs:21:119:21:145 | call to method GetString | Stored user-provided value | +edges +| SecondOrderSqlInjection.cs:21:119:21:145 | call to method GetString | SecondOrderSqlInjection.cs:21:71:21:145 | ... + ... | +#select +| SecondOrderSqlInjection.cs:21:71:21:145 | ... + ... | SecondOrderSqlInjection.cs:21:119:21:145 | call to method GetString | SecondOrderSqlInjection.cs:21:71:21:145 | ... + ... | $@ flows to here and is used in an SQL query. | SecondOrderSqlInjection.cs:21:119:21:145 | call to method GetString | Stored user-provided value | diff --git a/csharp/ql/test/query-tests/Security Features/CWE-089/SqlInjection.expected b/csharp/ql/test/query-tests/Security Features/CWE-089/SqlInjection.expected index 979c31c8b4dd..cd94b55c6388 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-089/SqlInjection.expected +++ b/csharp/ql/test/query-tests/Security Features/CWE-089/SqlInjection.expected 
@@ -1,9 +1,30 @@
-| SqlInjection.cs:39:50:39:55 | access to local variable query1 | Query might include code from $@. | SqlInjection.cs:38:21:38:35 | access to field categoryTextBox | this ASP.NET user input |
-| SqlInjection.cs:74:56:74:61 | access to local variable query1 | Query might include code from $@. | SqlInjection.cs:38:21:38:35 | access to field categoryTextBox | this ASP.NET user input |
-| SqlInjection.cs:74:56:74:61 | access to local variable query1 | Query might include code from $@. | SqlInjection.cs:49:62:49:76 | access to field categoryTextBox | this ASP.NET user input |
-| SqlInjection.cs:74:56:74:61 | access to local variable query1 | Query might include code from $@. | SqlInjection.cs:61:62:61:76 | access to field categoryTextBox | this ASP.NET user input |
-| SqlInjection.cs:74:56:74:61 | access to local variable query1 | Query might include code from $@. | SqlInjection.cs:73:33:73:47 | access to field categoryTextBox | this ASP.NET user input |
-| SqlInjection.cs:75:55:75:60 | access to local variable query1 | Query might include code from $@. | SqlInjection.cs:38:21:38:35 | access to field categoryTextBox | this ASP.NET user input |
-| SqlInjection.cs:75:55:75:60 | access to local variable query1 | Query might include code from $@. | SqlInjection.cs:49:62:49:76 | access to field categoryTextBox | this ASP.NET user input |
-| SqlInjection.cs:75:55:75:60 | access to local variable query1 | Query might include code from $@. | SqlInjection.cs:61:62:61:76 | access to field categoryTextBox | this ASP.NET user input |
-| SqlInjection.cs:75:55:75:60 | access to local variable query1 | Query might include code from $@. | SqlInjection.cs:73:33:73:47 | access to field categoryTextBox | this ASP.NET user input |
+edges
+| SqlInjection.cs:38:21:38:35 | access to field categoryTextBox | SqlInjection.cs:39:50:39:55 | access to local variable query1 |
+| SqlInjection.cs:38:21:38:35 | access to field categoryTextBox | SqlInjection.cs:49:62:49:81 | access to property Text |
+| SqlInjection.cs:38:21:38:35 | access to field categoryTextBox | SqlInjection.cs:61:62:61:81 | access to property Text |
+| SqlInjection.cs:38:21:38:35 | access to field categoryTextBox | SqlInjection.cs:74:56:74:61 | access to local variable query1 |
+| SqlInjection.cs:38:21:38:35 | access to field categoryTextBox | SqlInjection.cs:75:55:75:60 | access to local variable query1 |
+| SqlInjection.cs:49:62:49:76 | access to field categoryTextBox | SqlInjection.cs:49:62:49:81 | access to property Text |
+| SqlInjection.cs:49:62:49:76 | access to field categoryTextBox | SqlInjection.cs:61:62:61:81 | access to property Text |
+| SqlInjection.cs:49:62:49:76 | access to field categoryTextBox | SqlInjection.cs:74:56:74:61 | access to local variable query1 |
+| SqlInjection.cs:49:62:49:76 | access to field categoryTextBox | SqlInjection.cs:75:55:75:60 | access to local variable query1 |
+| SqlInjection.cs:49:62:49:81 | access to property Text | SqlInjection.cs:61:62:61:81 | access to property Text |
+| SqlInjection.cs:49:62:49:81 | access to property Text | SqlInjection.cs:74:56:74:61 | access to local variable query1 |
+| SqlInjection.cs:49:62:49:81 | access to property Text | SqlInjection.cs:75:55:75:60 | access to local variable query1 |
+| SqlInjection.cs:61:62:61:76 | access to field categoryTextBox | SqlInjection.cs:61:62:61:81 | access to property Text |
+| SqlInjection.cs:61:62:61:76 | access to field categoryTextBox | SqlInjection.cs:74:56:74:61 | access to local variable query1 |
+| SqlInjection.cs:61:62:61:76 | access to field categoryTextBox | SqlInjection.cs:75:55:75:60 | access to local variable query1 |
+| SqlInjection.cs:61:62:61:81 | access to property Text | SqlInjection.cs:74:56:74:61 | access to local variable query1 |
+| SqlInjection.cs:61:62:61:81 | access to property Text | SqlInjection.cs:75:55:75:60 | access to local variable query1 |
+| SqlInjection.cs:73:33:73:47 | access to field categoryTextBox | SqlInjection.cs:74:56:74:61 | access to local variable query1 |
+| SqlInjection.cs:73:33:73:47 | access to field categoryTextBox | SqlInjection.cs:75:55:75:60 | access to local variable query1 |
+#select
+| SqlInjection.cs:39:50:39:55 | access to local variable query1 | SqlInjection.cs:38:21:38:35 | access to field categoryTextBox | SqlInjection.cs:39:50:39:55 | access to local variable query1 | Query might include code from $@. | SqlInjection.cs:38:21:38:35 | access to field categoryTextBox | this ASP.NET user input |
+| SqlInjection.cs:74:56:74:61 | access to local variable query1 | SqlInjection.cs:38:21:38:35 | access to field categoryTextBox | SqlInjection.cs:74:56:74:61 | access to local variable query1 | Query might include code from $@. | SqlInjection.cs:38:21:38:35 | access to field categoryTextBox | this ASP.NET user input |
+| SqlInjection.cs:74:56:74:61 | access to local variable query1 | SqlInjection.cs:49:62:49:76 | access to field categoryTextBox | SqlInjection.cs:74:56:74:61 | access to local variable query1 | Query might include code from $@. | SqlInjection.cs:49:62:49:76 | access to field categoryTextBox | this ASP.NET user input |
+| SqlInjection.cs:74:56:74:61 | access to local variable query1 | SqlInjection.cs:61:62:61:76 | access to field categoryTextBox | SqlInjection.cs:74:56:74:61 | access to local variable query1 | Query might include code from $@. | SqlInjection.cs:61:62:61:76 | access to field categoryTextBox | this ASP.NET user input |
+| SqlInjection.cs:74:56:74:61 | access to local variable query1 | SqlInjection.cs:73:33:73:47 | access to field categoryTextBox | SqlInjection.cs:74:56:74:61 | access to local variable query1 | Query might include code from $@. | SqlInjection.cs:73:33:73:47 | access to field categoryTextBox | this ASP.NET user input |
+| SqlInjection.cs:75:55:75:60 | access to local variable query1 | SqlInjection.cs:38:21:38:35 | access to field categoryTextBox | SqlInjection.cs:75:55:75:60 | access to local variable query1 | Query might include code from $@. | SqlInjection.cs:38:21:38:35 | access to field categoryTextBox | this ASP.NET user input |
+| SqlInjection.cs:75:55:75:60 | access to local variable query1 | SqlInjection.cs:49:62:49:76 | access to field categoryTextBox | SqlInjection.cs:75:55:75:60 | access to local variable query1 | Query might include code from $@. | SqlInjection.cs:49:62:49:76 | access to field categoryTextBox | this ASP.NET user input |
+| SqlInjection.cs:75:55:75:60 | access to local variable query1 | SqlInjection.cs:61:62:61:76 | access to field categoryTextBox | SqlInjection.cs:75:55:75:60 | access to local variable query1 | Query might include code from $@. | SqlInjection.cs:61:62:61:76 | access to field categoryTextBox | this ASP.NET user input |
+| SqlInjection.cs:75:55:75:60 | access to local variable query1 | SqlInjection.cs:73:33:73:47 | access to field categoryTextBox | SqlInjection.cs:75:55:75:60 | access to local variable query1 | Query might include code from $@. | SqlInjection.cs:73:33:73:47 | access to field categoryTextBox | this ASP.NET user input |
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-090/LDAPInjection.expected b/csharp/ql/test/query-tests/Security Features/CWE-090/LDAPInjection.expected
index 19247fa17e15..b41e03c73da7 100644
--- a/csharp/ql/test/query-tests/Security Features/CWE-090/LDAPInjection.expected
+++ b/csharp/ql/test/query-tests/Security Features/CWE-090/LDAPInjection.expected 
@@ -1,6 +1,14 @@
-| LDAPInjection.cs:16:54:16:78 | ... + ... | $@ flows to here and is used in an LDAP query. | LDAPInjection.cs:13:27:13:49 | access to property QueryString | User-provided value |
-| LDAPInjection.cs:18:21:18:45 | ... + ... | $@ flows to here and is used in an LDAP query. | LDAPInjection.cs:13:27:13:49 | access to property QueryString | User-provided value |
-| LDAPInjection.cs:25:21:25:45 | ... + ... | $@ flows to here and is used in an LDAP query. | LDAPInjection.cs:13:27:13:49 | access to property QueryString | User-provided value |
-| LDAPInjection.cs:26:53:26:77 | ... + ... | $@ flows to here and is used in an LDAP query. | LDAPInjection.cs:13:27:13:49 | access to property QueryString | User-provided value |
-| LDAPInjection.cs:29:48:29:70 | ... + ... | $@ flows to here and is used in an LDAP query. | LDAPInjection.cs:13:27:13:49 | access to property QueryString | User-provided value |
-| LDAPInjection.cs:31:20:31:42 | ... + ... | $@ flows to here and is used in an LDAP query. | LDAPInjection.cs:13:27:13:49 | access to property QueryString | User-provided value |
+edges
+| LDAPInjection.cs:13:27:13:49 | access to property QueryString | LDAPInjection.cs:16:54:16:78 | ... + ... |
+| LDAPInjection.cs:13:27:13:49 | access to property QueryString | LDAPInjection.cs:18:21:18:45 | ... + ... |
+| LDAPInjection.cs:13:27:13:49 | access to property QueryString | LDAPInjection.cs:25:21:25:45 | ... + ... |
+| LDAPInjection.cs:13:27:13:49 | access to property QueryString | LDAPInjection.cs:26:53:26:77 | ... + ... |
+| LDAPInjection.cs:13:27:13:49 | access to property QueryString | LDAPInjection.cs:29:48:29:70 | ... + ... |
+| LDAPInjection.cs:13:27:13:49 | access to property QueryString | LDAPInjection.cs:31:20:31:42 | ... + ... |
+#select
+| LDAPInjection.cs:16:54:16:78 | ... + ... | LDAPInjection.cs:13:27:13:49 | access to property QueryString | LDAPInjection.cs:16:54:16:78 | ... + ... | $@ flows to here and is used in an LDAP query. | LDAPInjection.cs:13:27:13:49 | access to property QueryString | User-provided value |
+| LDAPInjection.cs:18:21:18:45 | ... + ... | LDAPInjection.cs:13:27:13:49 | access to property QueryString | LDAPInjection.cs:18:21:18:45 | ... + ... | $@ flows to here and is used in an LDAP query. | LDAPInjection.cs:13:27:13:49 | access to property QueryString | User-provided value |
+| LDAPInjection.cs:25:21:25:45 | ... + ... | LDAPInjection.cs:13:27:13:49 | access to property QueryString | LDAPInjection.cs:25:21:25:45 | ... + ... | $@ flows to here and is used in an LDAP query. | LDAPInjection.cs:13:27:13:49 | access to property QueryString | User-provided value |
+| LDAPInjection.cs:26:53:26:77 | ... + ... | LDAPInjection.cs:13:27:13:49 | access to property QueryString | LDAPInjection.cs:26:53:26:77 | ... + ... | $@ flows to here and is used in an LDAP query. | LDAPInjection.cs:13:27:13:49 | access to property QueryString | User-provided value |
+| LDAPInjection.cs:29:48:29:70 | ... + ... | LDAPInjection.cs:13:27:13:49 | access to property QueryString | LDAPInjection.cs:29:48:29:70 | ... + ... | $@ flows to here and is used in an LDAP query. | LDAPInjection.cs:13:27:13:49 | access to property QueryString | User-provided value |
+| LDAPInjection.cs:31:20:31:42 | ... + ... | LDAPInjection.cs:13:27:13:49 | access to property QueryString | LDAPInjection.cs:31:20:31:42 | ... + ... | $@ flows to here and is used in an LDAP query. | LDAPInjection.cs:13:27:13:49 | access to property QueryString | User-provided value |
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-090/StoredLDAPInjection.expected b/csharp/ql/test/query-tests/Security Features/CWE-090/StoredLDAPInjection.expected
index eb80d16e9d42..8fd27bbc970a 100644
--- a/csharp/ql/test/query-tests/Security Features/CWE-090/StoredLDAPInjection.expected
+++ b/csharp/ql/test/query-tests/Security Features/CWE-090/StoredLDAPInjection.expected
@@ -1 +1,4 @@
-| StoredLDAPInjection.cs:24:66:24:109 | ... + ... | $@ flows to here and is used in an LDAP query. | StoredLDAPInjection.cs:24:83:24:109 | call to method GetString | Stored user-provided value |
+edges
+| StoredLDAPInjection.cs:24:83:24:109 | call to method GetString | StoredLDAPInjection.cs:24:66:24:109 | ... + ... |
+#select
+| StoredLDAPInjection.cs:24:66:24:109 | ... + ... | StoredLDAPInjection.cs:24:83:24:109 | call to method GetString | StoredLDAPInjection.cs:24:66:24:109 | ... + ... | $@ flows to here and is used in an LDAP query. | StoredLDAPInjection.cs:24:83:24:109 | call to method GetString | Stored user-provided value |
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-094/CodeInjection.expected b/csharp/ql/test/query-tests/Security Features/CWE-094/CodeInjection.expected
index 07d9890dd50f..aa41bff24941 100644
--- a/csharp/ql/test/query-tests/Security Features/CWE-094/CodeInjection.expected
+++ b/csharp/ql/test/query-tests/Security Features/CWE-094/CodeInjection.expected
@@ -1,2 +1,6 @@
-| CodeInjection.cs:31:64:31:67 | access to local variable code | $@ flows to here and is compiled as code. | CodeInjection.cs:25:23:25:45 | access to property QueryString | User-provided value |
-| CodeInjection.cs:42:36:42:39 | access to local variable code | $@ flows to here and is compiled as code. | CodeInjection.cs:25:23:25:45 | access to property QueryString | User-provided value |
+edges
+| CodeInjection.cs:25:23:25:45 | access to property QueryString | CodeInjection.cs:31:64:31:67 | access to local variable code |
+| CodeInjection.cs:25:23:25:45 | access to property QueryString | CodeInjection.cs:42:36:42:39 | access to local variable code |
+#select
+| CodeInjection.cs:31:64:31:67 | access to local variable code | CodeInjection.cs:25:23:25:45 | access to property QueryString | CodeInjection.cs:31:64:31:67 | access to local variable code | $@ flows to here and is compiled as code. | CodeInjection.cs:25:23:25:45 | access to property QueryString | User-provided value |
+| CodeInjection.cs:42:36:42:39 | access to local variable code | CodeInjection.cs:25:23:25:45 | access to property QueryString | CodeInjection.cs:42:36:42:39 | access to local variable code | $@ flows to here and is compiled as code. | CodeInjection.cs:25:23:25:45 | access to property QueryString | User-provided value |
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-099/ResourceInjection.expected b/csharp/ql/test/query-tests/Security Features/CWE-099/ResourceInjection.expected
index f5e7edfc70db..df1075794275 100644
--- a/csharp/ql/test/query-tests/Security Features/CWE-099/ResourceInjection.expected
+++ b/csharp/ql/test/query-tests/Security Features/CWE-099/ResourceInjection.expected
@@ -1,2 +1,6 @@
-| ResourceInjection.cs:13:57:13:72 | access to local variable connectionString | $@ flows to here and is used in a resource descriptor. | ResourceInjection.cs:10:27:10:49 | access to property QueryString | User-provided value |
-| ResourceInjection.cs:15:42:15:57 | access to local variable connectionString | $@ flows to here and is used in a resource descriptor. | ResourceInjection.cs:10:27:10:49 | access to property QueryString | User-provided value |
+edges
+| ResourceInjection.cs:10:27:10:49 | access to property QueryString | ResourceInjection.cs:13:57:13:72 | access to local variable connectionString |
+| ResourceInjection.cs:10:27:10:49 | access to property QueryString | ResourceInjection.cs:15:42:15:57 | access to local variable connectionString |
+#select
+| ResourceInjection.cs:13:57:13:72 | access to local variable connectionString | ResourceInjection.cs:10:27:10:49 | access to property QueryString | ResourceInjection.cs:13:57:13:72 | access to local variable connectionString | $@ flows to here and is used in a resource descriptor. | ResourceInjection.cs:10:27:10:49 | access to property QueryString | User-provided value |
+| ResourceInjection.cs:15:42:15:57 | access to local variable connectionString | ResourceInjection.cs:10:27:10:49 | access to property QueryString | ResourceInjection.cs:15:42:15:57 | access to local variable connectionString | $@ flows to here and is used in a resource descriptor. | ResourceInjection.cs:10:27:10:49 | access to property QueryString | User-provided value |
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-112/MissingXMLValidation.expected b/csharp/ql/test/query-tests/Security Features/CWE-112/MissingXMLValidation.expected
index 210636ea3704..b9732e9b44c6 100644
--- a/csharp/ql/test/query-tests/Security Features/CWE-112/MissingXMLValidation.expected
+++ b/csharp/ql/test/query-tests/Security Features/CWE-112/MissingXMLValidation.expected
@@ -1,5 +1,16 @@
-| MissingXMLValidation.cs:18:26:18:58 | object creation of type StringReader | $@ flows to here and is processed as XML without validation because there is no 'XmlReaderSettings' instance specifying schema validation. | MissingXMLValidation.cs:14:34:14:56 | access to property QueryString | User-provided value |
-| MissingXMLValidation.cs:23:26:23:58 | object creation of type StringReader | $@ flows to here and is processed as XML without validation because the 'XmlReaderSettings' instance does not specify the 'ValidationType' as 'Schema'. | MissingXMLValidation.cs:14:34:14:56 | access to property QueryString | User-provided value |
-| MissingXMLValidation.cs:29:26:29:58 | object creation of type StringReader | $@ flows to here and is processed as XML without validation because the 'XmlReaderSettings' instance does not specify the 'ValidationType' as 'Schema'. | MissingXMLValidation.cs:14:34:14:56 | access to property QueryString | User-provided value |
-| MissingXMLValidation.cs:47:26:47:58 | object creation of type StringReader | $@ flows to here and is processed as XML without validation because the 'XmlReaderSettings' instance specifies 'ProcessInlineSchema'. | MissingXMLValidation.cs:14:34:14:56 | access to property QueryString | User-provided value |
-| MissingXMLValidation.cs:47:26:47:58 | object creation of type StringReader | $@ flows to here and is processed as XML without validation because the 'XmlReaderSettings' instance specifies 'ProcessSchemaLocation'. | MissingXMLValidation.cs:14:34:14:56 | access to property QueryString | User-provided value |
+edges
+| MissingXMLValidation.cs:14:34:14:56 | access to property QueryString | MissingXMLValidation.cs:18:26:18:58 | object creation of type StringReader |
+| MissingXMLValidation.cs:14:34:14:56 | access to property QueryString | MissingXMLValidation.cs:23:26:23:58 | object creation of type StringReader |
+| MissingXMLValidation.cs:14:34:14:56 | access to property QueryString | MissingXMLValidation.cs:29:26:29:58 | object creation of type StringReader |
+| MissingXMLValidation.cs:14:34:14:56 | access to property QueryString | MissingXMLValidation.cs:37:26:37:58 | object creation of type StringReader |
+| MissingXMLValidation.cs:14:34:14:56 | access to property QueryString | MissingXMLValidation.cs:47:26:47:58 | object creation of type StringReader |
+| MissingXMLValidation.cs:22:42:22:64 | object creation of type XmlReaderSettings | MissingXMLValidation.cs:23:61:23:72 | access to local variable badSettings1 |
+| MissingXMLValidation.cs:27:42:27:64 | object creation of type XmlReaderSettings | MissingXMLValidation.cs:29:61:29:72 | access to local variable badSettings2 |
+| MissingXMLValidation.cs:32:42:32:64 | object creation of type XmlReaderSettings | MissingXMLValidation.cs:37:61:37:72 | access to local variable goodSettings |
+| MissingXMLValidation.cs:40:42:40:64 | object creation of type XmlReaderSettings | MissingXMLValidation.cs:47:61:47:72 | access to local variable badSettings3 |
+#select
+| MissingXMLValidation.cs:18:26:18:58 | object creation of type StringReader | MissingXMLValidation.cs:14:34:14:56 | access to property QueryString | MissingXMLValidation.cs:18:26:18:58 | object creation of type StringReader | $@ flows to here and is processed as XML without validation because there is no 'XmlReaderSettings' instance specifying schema validation. | MissingXMLValidation.cs:14:34:14:56 | access to property QueryString | User-provided value |
+| MissingXMLValidation.cs:23:26:23:58 | object creation of type StringReader | MissingXMLValidation.cs:14:34:14:56 | access to property QueryString | MissingXMLValidation.cs:23:26:23:58 | object creation of type StringReader | $@ flows to here and is processed as XML without validation because the 'XmlReaderSettings' instance does not specify the 'ValidationType' as 'Schema'. | MissingXMLValidation.cs:14:34:14:56 | access to property QueryString | User-provided value |
+| MissingXMLValidation.cs:29:26:29:58 | object creation of type StringReader | MissingXMLValidation.cs:14:34:14:56 | access to property QueryString | MissingXMLValidation.cs:29:26:29:58 | object creation of type StringReader | $@ flows to here and is processed as XML without validation because the 'XmlReaderSettings' instance does not specify the 'ValidationType' as 'Schema'. | MissingXMLValidation.cs:14:34:14:56 | access to property QueryString | User-provided value |
+| MissingXMLValidation.cs:47:26:47:58 | object creation of type StringReader | MissingXMLValidation.cs:14:34:14:56 | access to property QueryString | MissingXMLValidation.cs:47:26:47:58 | object creation of type StringReader | $@ flows to here and is processed as XML without validation because the 'XmlReaderSettings' instance specifies 'ProcessInlineSchema'. | MissingXMLValidation.cs:14:34:14:56 | access to property QueryString | User-provided value |
+| MissingXMLValidation.cs:47:26:47:58 | object creation of type StringReader | MissingXMLValidation.cs:14:34:14:56 | access to property QueryString | MissingXMLValidation.cs:47:26:47:58 | object creation of type StringReader | $@ flows to here and is processed as XML without validation because the 'XmlReaderSettings' instance specifies 'ProcessSchemaLocation'. | MissingXMLValidation.cs:14:34:14:56 | access to property QueryString | User-provided value |
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-117/LogForging.expected b/csharp/ql/test/query-tests/Security Features/CWE-117/LogForging.expected
index a17b4cbf24d1..fdda0a73e98a 100644
--- a/csharp/ql/test/query-tests/Security Features/CWE-117/LogForging.expected
+++ b/csharp/ql/test/query-tests/Security Features/CWE-117/LogForging.expected
@@ -1,2 +1,6 @@
-| LogForging.cs:22:21:22:43 | ... + ... | $@ flows to log entry. | LogForging.cs:19:27:19:49 | access to property QueryString | User-provided value |
-| LogForging.cs:28:50:28:72 | ... + ... | $@ flows to log entry. | LogForging.cs:19:27:19:49 | access to property QueryString | User-provided value |
+edges
+| LogForging.cs:19:27:19:49 | access to property QueryString | LogForging.cs:22:21:22:43 | ... + ... |
+| LogForging.cs:19:27:19:49 | access to property QueryString | LogForging.cs:28:50:28:72 | ... + ... |
+#select
+| LogForging.cs:22:21:22:43 | ... + ... | LogForging.cs:19:27:19:49 | access to property QueryString | LogForging.cs:22:21:22:43 | ... + ... | $@ flows to log entry. | LogForging.cs:19:27:19:49 | access to property QueryString | User-provided value |
+| LogForging.cs:28:50:28:72 | ... + ... | LogForging.cs:19:27:19:49 | access to property QueryString | LogForging.cs:28:50:28:72 | ... + ... | $@ flows to log entry. | LogForging.cs:19:27:19:49 | access to property QueryString | User-provided value |
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-201/ExposureInTransmittedData/ExposureInTransmittedData.expected b/csharp/ql/test/query-tests/Security Features/CWE-201/ExposureInTransmittedData/ExposureInTransmittedData.expected
index 39baca89ce89..7f512300244b 100644
--- a/csharp/ql/test/query-tests/Security Features/CWE-201/ExposureInTransmittedData/ExposureInTransmittedData.expected
+++ b/csharp/ql/test/query-tests/Security Features/CWE-201/ExposureInTransmittedData/ExposureInTransmittedData.expected
@@ -1,9 +1,16 @@
-| ExposureInTransmittedData.cs:16:32:16:39 | access to local variable password | Sensitive information from $@ flows to here, and is transmitted to the user. | ExposureInTransmittedData.cs:16:32:16:39 | access to local variable password | access to local variable password |
-| ExposureInTransmittedData.cs:20:32:20:44 | call to method ToString | Sensitive information from $@ flows to here, and is transmitted to the user. | ExposureInTransmittedData.cs:20:32:20:44 | call to method ToString | call to method ToString |
-| ExposureInTransmittedData.cs:24:32:24:41 | access to property Message | Sensitive information from $@ flows to here, and is transmitted to the user. | ExposureInTransmittedData.cs:24:32:24:41 | access to property Message | access to property Message |
-| ExposureInTransmittedData.cs:25:32:25:44 | call to method ToString | Sensitive information from $@ flows to here, and is transmitted to the user. | ExposureInTransmittedData.cs:25:32:25:44 | call to method ToString | call to method ToString |
-| ExposureInTransmittedData.cs:26:32:26:50 | access to indexer | Sensitive information from $@ flows to here, and is transmitted to the user. | ExposureInTransmittedData.cs:26:32:26:38 | access to property Data | access to property Data |
-| ExposureInTransmittedData.cs:33:53:33:53 | access to local variable p | Sensitive information from $@ flows to here, and is transmitted to the user. | ExposureInTransmittedData.cs:32:17:32:36 | call to method GetField | call to method GetField |
-| ExposureInTransmittedData.cs:33:56:33:56 | access to local variable p | Sensitive information from $@ flows to here, and is transmitted to the user. | ExposureInTransmittedData.cs:32:17:32:36 | call to method GetField | call to method GetField |
-| ExposureInTransmittedData.cs:34:24:34:52 | ... + ... | Sensitive information from $@ flows to here, and is transmitted to the user. | ExposureInTransmittedData.cs:32:17:32:36 | call to method GetField | call to method GetField |
-| ExposureInTransmittedData.cs:35:27:35:27 | access to local variable p | Sensitive information from $@ flows to here, and is transmitted to the user. | ExposureInTransmittedData.cs:32:17:32:36 | call to method GetField | call to method GetField |
+edges
+| ExposureInTransmittedData.cs:26:32:26:38 | access to property Data | ExposureInTransmittedData.cs:26:32:26:50 | access to indexer |
+| ExposureInTransmittedData.cs:32:17:32:36 | call to method GetField | ExposureInTransmittedData.cs:33:53:33:53 | access to local variable p |
+| ExposureInTransmittedData.cs:32:17:32:36 | call to method GetField | ExposureInTransmittedData.cs:33:56:33:56 | access to local variable p |
+| ExposureInTransmittedData.cs:32:17:32:36 | call to method GetField | ExposureInTransmittedData.cs:34:24:34:52 | ... + ... |
+| ExposureInTransmittedData.cs:32:17:32:36 | call to method GetField | ExposureInTransmittedData.cs:35:27:35:27 | access to local variable p |
+#select
+| ExposureInTransmittedData.cs:16:32:16:39 | access to local variable password | ExposureInTransmittedData.cs:16:32:16:39 | access to local variable password | ExposureInTransmittedData.cs:16:32:16:39 | access to local variable password | Sensitive information from $@ flows to here, and is transmitted to the user. | ExposureInTransmittedData.cs:16:32:16:39 | access to local variable password | access to local variable password |
+| ExposureInTransmittedData.cs:20:32:20:44 | call to method ToString | ExposureInTransmittedData.cs:20:32:20:44 | call to method ToString | ExposureInTransmittedData.cs:20:32:20:44 | call to method ToString | Sensitive information from $@ flows to here, and is transmitted to the user. | ExposureInTransmittedData.cs:20:32:20:44 | call to method ToString | call to method ToString |
+| ExposureInTransmittedData.cs:24:32:24:41 | access to property Message | ExposureInTransmittedData.cs:24:32:24:41 | access to property Message | ExposureInTransmittedData.cs:24:32:24:41 | access to property Message | Sensitive information from $@ flows to here, and is transmitted to the user. | ExposureInTransmittedData.cs:24:32:24:41 | access to property Message | access to property Message |
+| ExposureInTransmittedData.cs:25:32:25:44 | call to method ToString | ExposureInTransmittedData.cs:25:32:25:44 | call to method ToString | ExposureInTransmittedData.cs:25:32:25:44 | call to method ToString | Sensitive information from $@ flows to here, and is transmitted to the user. | ExposureInTransmittedData.cs:25:32:25:44 | call to method ToString | call to method ToString |
+| ExposureInTransmittedData.cs:26:32:26:50 | access to indexer | ExposureInTransmittedData.cs:26:32:26:38 | access to property Data | ExposureInTransmittedData.cs:26:32:26:50 | access to indexer | Sensitive information from $@ flows to here, and is transmitted to the user. | ExposureInTransmittedData.cs:26:32:26:38 | access to property Data | access to property Data |
+| ExposureInTransmittedData.cs:33:53:33:53 | access to local variable p | ExposureInTransmittedData.cs:32:17:32:36 | call to method GetField | ExposureInTransmittedData.cs:33:53:33:53 | access to local variable p | Sensitive information from $@ flows to here, and is transmitted to the user. | ExposureInTransmittedData.cs:32:17:32:36 | call to method GetField | call to method GetField |
+| ExposureInTransmittedData.cs:33:56:33:56 | access to local variable p | ExposureInTransmittedData.cs:32:17:32:36 | call to method GetField | ExposureInTransmittedData.cs:33:56:33:56 | access to local variable p | Sensitive information from $@ flows to here, and is transmitted to the user. | ExposureInTransmittedData.cs:32:17:32:36 | call to method GetField | call to method GetField |
+| ExposureInTransmittedData.cs:34:24:34:52 | ... + ... | ExposureInTransmittedData.cs:32:17:32:36 | call to method GetField | ExposureInTransmittedData.cs:34:24:34:52 | ... + ... | Sensitive information from $@ flows to here, and is transmitted to the user. | ExposureInTransmittedData.cs:32:17:32:36 | call to method GetField | call to method GetField |
+| ExposureInTransmittedData.cs:35:27:35:27 | access to local variable p | ExposureInTransmittedData.cs:32:17:32:36 | call to method GetField | ExposureInTransmittedData.cs:35:27:35:27 | access to local variable p | Sensitive information from $@ flows to here, and is transmitted to the user. | ExposureInTransmittedData.cs:32:17:32:36 | call to method GetField | call to method GetField |
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-209/ExceptionInformationExposure.expected b/csharp/ql/test/query-tests/Security Features/CWE-209/ExceptionInformationExposure.expected
index f4bfdef798b4..734ac5b026c8 100644
--- a/csharp/ql/test/query-tests/Security Features/CWE-209/ExceptionInformationExposure.expected
+++ b/csharp/ql/test/query-tests/Security Features/CWE-209/ExceptionInformationExposure.expected
@@ -1,5 +1,8 @@
-| ExceptionInformationExposure.cs:18:32:18:44 | call to method ToString | Exception information from $@ flows to here, and is exposed to the user. | ExceptionInformationExposure.cs:18:32:18:44 | call to method ToString | call to method ToString |
-| ExceptionInformationExposure.cs:20:32:20:33 | access to local variable ex | Exception information from $@ flows to here, and is exposed to the user. | ExceptionInformationExposure.cs:18:32:18:33 | access to local variable ex | access to local variable ex |
-| ExceptionInformationExposure.cs:20:32:20:33 | access to local variable ex | Exception information from $@ flows to here, and is exposed to the user. | ExceptionInformationExposure.cs:20:32:20:33 | access to local variable ex | access to local variable ex |
-| ExceptionInformationExposure.cs:22:32:22:44 | access to property StackTrace | Exception information from $@ flows to here, and is exposed to the user. | ExceptionInformationExposure.cs:22:32:22:44 | access to property StackTrace | access to property StackTrace |
-| ExceptionInformationExposure.cs:41:28:41:55 | call to method ToString | Exception information from $@ flows to here, and is exposed to the user. | ExceptionInformationExposure.cs:41:28:41:55 | call to method ToString | call to method ToString |
+edges
+| ExceptionInformationExposure.cs:18:32:18:33 | access to local variable ex | ExceptionInformationExposure.cs:20:32:20:33 | access to local variable ex |
+#select
+| ExceptionInformationExposure.cs:18:32:18:44 | call to method ToString | ExceptionInformationExposure.cs:18:32:18:44 | call to method ToString | ExceptionInformationExposure.cs:18:32:18:44 | call to method ToString | Exception information from $@ flows to here, and is exposed to the user. | ExceptionInformationExposure.cs:18:32:18:44 | call to method ToString | call to method ToString |
+| ExceptionInformationExposure.cs:20:32:20:33 | access to local variable ex | ExceptionInformationExposure.cs:18:32:18:33 | access to local variable ex | ExceptionInformationExposure.cs:20:32:20:33 | access to local variable ex | Exception information from $@ flows to here, and is exposed to the user. | ExceptionInformationExposure.cs:18:32:18:33 | access to local variable ex | access to local variable ex |
+| ExceptionInformationExposure.cs:20:32:20:33 | access to local variable ex | ExceptionInformationExposure.cs:20:32:20:33 | access to local variable ex | ExceptionInformationExposure.cs:20:32:20:33 | access to local variable ex | Exception information from $@ flows to here, and is exposed to the user. | ExceptionInformationExposure.cs:20:32:20:33 | access to local variable ex | access to local variable ex |
+| ExceptionInformationExposure.cs:22:32:22:44 | access to property StackTrace | ExceptionInformationExposure.cs:22:32:22:44 | access to property StackTrace | ExceptionInformationExposure.cs:22:32:22:44 | access to property StackTrace | Exception information from $@ flows to here, and is exposed to the user. | ExceptionInformationExposure.cs:22:32:22:44 | access to property StackTrace | access to property StackTrace |
+| ExceptionInformationExposure.cs:41:28:41:55 | call to method ToString | ExceptionInformationExposure.cs:41:28:41:55 | call to method ToString | ExceptionInformationExposure.cs:41:28:41:55 | call to method ToString | Exception information from $@ flows to here, and is exposed to the user. | ExceptionInformationExposure.cs:41:28:41:55 | call to method ToString | call to method ToString |
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-312/CleartextStorage.expected b/csharp/ql/test/query-tests/Security Features/CWE-312/CleartextStorage.expected
index a5a2ca8b2f9e..8bf93c08f857 100644
--- a/csharp/ql/test/query-tests/Security Features/CWE-312/CleartextStorage.expected
+++ b/csharp/ql/test/query-tests/Security Features/CWE-312/CleartextStorage.expected
@@ -1,5 +1,7 @@ -| CleartextStorage.cs:14:50:14:59 | access to field accountKey | Sensitive data returned by $@ is stored here. | CleartextStorage.cs:14:50:14:59 | access to field accountKey | access to field accountKey | -| CleartextStorage.cs:15:62:15:74 | call to method GetPassword | Sensitive data returned by $@ is stored here. | CleartextStorage.cs:15:62:15:74 | call to method GetPassword | call to method GetPassword | -| CleartextStorage.cs:16:69:16:81 | call to method GetPassword | Sensitive data returned by $@ is stored here. | CleartextStorage.cs:16:69:16:81 | call to method GetPassword | call to method GetPassword | -| CleartextStorage.cs:17:50:17:63 | call to method GetAccountID | Sensitive data returned by $@ is stored here. | CleartextStorage.cs:17:50:17:63 | call to method GetAccountID | call to method GetAccountID | -| CleartextStorage.cs:25:21:25:33 | call to method GetPassword | Sensitive data returned by $@ is stored here. | CleartextStorage.cs:25:21:25:33 | call to method GetPassword | call to method GetPassword | +edges +#select +| CleartextStorage.cs:14:50:14:59 | access to field accountKey | CleartextStorage.cs:14:50:14:59 | access to field accountKey | CleartextStorage.cs:14:50:14:59 | access to field accountKey | Sensitive data returned by $@ is stored here. | CleartextStorage.cs:14:50:14:59 | access to field accountKey | access to field accountKey | +| CleartextStorage.cs:15:62:15:74 | call to method GetPassword | CleartextStorage.cs:15:62:15:74 | call to method GetPassword | CleartextStorage.cs:15:62:15:74 | call to method GetPassword | Sensitive data returned by $@ is stored here. | CleartextStorage.cs:15:62:15:74 | call to method GetPassword | call to method GetPassword | +| CleartextStorage.cs:16:69:16:81 | call to method GetPassword | CleartextStorage.cs:16:69:16:81 | call to method GetPassword | CleartextStorage.cs:16:69:16:81 | call to method GetPassword | Sensitive data returned by $@ is stored here. 
| CleartextStorage.cs:16:69:16:81 | call to method GetPassword | call to method GetPassword | +| CleartextStorage.cs:17:50:17:63 | call to method GetAccountID | CleartextStorage.cs:17:50:17:63 | call to method GetAccountID | CleartextStorage.cs:17:50:17:63 | call to method GetAccountID | Sensitive data returned by $@ is stored here. | CleartextStorage.cs:17:50:17:63 | call to method GetAccountID | call to method GetAccountID | +| CleartextStorage.cs:25:21:25:33 | call to method GetPassword | CleartextStorage.cs:25:21:25:33 | call to method GetPassword | CleartextStorage.cs:25:21:25:33 | call to method GetPassword | Sensitive data returned by $@ is stored here. | CleartextStorage.cs:25:21:25:33 | call to method GetPassword | call to method GetPassword | diff --git a/csharp/ql/test/query-tests/Security Features/CWE-327/DontInstallRootCert/DontInstallRootCert.expected b/csharp/ql/test/query-tests/Security Features/CWE-327/DontInstallRootCert/DontInstallRootCert.expected index fb8bf1f0ea20..c766b3581ea8 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-327/DontInstallRootCert/DontInstallRootCert.expected +++ b/csharp/ql/test/query-tests/Security Features/CWE-327/DontInstallRootCert/DontInstallRootCert.expected 
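Review bot: In CleartextStorage.expected every `#select` row repeats one node as the alert, the path source and the path sink, and the `edges` section is empty, so this baseline never exercises a real path for the converted query. The same holds for ExposureOfPrivateInformation.expected and for the string-literal rows in HardcodedCredentials.expected. Consider adding a case to the test source where the sensitive value is first assigned to a local and then stored, so that the expected output contains at least one edge and a regression in path reporting for these leak queries would be caught. The .cs test inputs are not part of the visible hunks, so this is inferred from the expected output alone.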
@@ -1,3 +1,8 @@
-| Test.cs:20:13:20:17 | access to local variable store | Certificate added to the root certificate store. |
-| Test.cs:30:13:30:17 | access to local variable store | Certificate added to the root certificate store. |
-| Test.cs:75:13:75:17 | access to local variable store | Certificate added to the root certificate store. |
+edges
+| Test.cs:17:31:17:59 | object creation of type X509Store | Test.cs:20:13:20:17 | access to local variable store |
+| Test.cs:27:31:27:86 | object creation of type X509Store | Test.cs:30:13:30:17 | access to local variable store |
+| Test.cs:72:31:72:86 | object creation of type X509Store | Test.cs:75:13:75:17 | access to local variable store |
+#select
+| Test.cs:20:13:20:17 | access to local variable store | Test.cs:17:31:17:59 | object creation of type X509Store | Test.cs:20:13:20:17 | access to local variable store | Certificate added to the root certificate store. |
+| Test.cs:30:13:30:17 | access to local variable store | Test.cs:27:31:27:86 | object creation of type X509Store | Test.cs:30:13:30:17 | access to local variable store | Certificate added to the root certificate store. |
+| Test.cs:75:13:75:17 | access to local variable store | Test.cs:72:31:72:86 | object creation of type X509Store | Test.cs:75:13:75:17 | access to local variable store | Certificate added to the root certificate store. |
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-359/ExposureOfPrivateInformation.expected b/csharp/ql/test/query-tests/Security Features/CWE-359/ExposureOfPrivateInformation.expected
index 96397029155a..09d661ed9c72 100644
--- a/csharp/ql/test/query-tests/Security Features/CWE-359/ExposureOfPrivateInformation.expected
+++ b/csharp/ql/test/query-tests/Security Features/CWE-359/ExposureOfPrivateInformation.expected
@@ -1,3 +1,5 @@
-| ExposureOfPrivateInformation.cs:18:50:18:84 | access to indexer | Private data returned by $@ is written to an external location. | ExposureOfPrivateInformation.cs:18:50:18:84 | access to indexer | access to indexer |
-| ExposureOfPrivateInformation.cs:20:50:20:65 | call to method getTelephone | Private data returned by $@ is written to an external location. | ExposureOfPrivateInformation.cs:20:50:20:65 | call to method getTelephone | call to method getTelephone |
-| ExposureOfPrivateInformation.cs:24:21:24:36 | call to method getTelephone | Private data returned by $@ is written to an external location. | ExposureOfPrivateInformation.cs:24:21:24:36 | call to method getTelephone | call to method getTelephone |
+edges
+#select
+| ExposureOfPrivateInformation.cs:18:50:18:84 | access to indexer | ExposureOfPrivateInformation.cs:18:50:18:84 | access to indexer | ExposureOfPrivateInformation.cs:18:50:18:84 | access to indexer | Private data returned by $@ is written to an external location. | ExposureOfPrivateInformation.cs:18:50:18:84 | access to indexer | access to indexer |
+| ExposureOfPrivateInformation.cs:20:50:20:65 | call to method getTelephone | ExposureOfPrivateInformation.cs:20:50:20:65 | call to method getTelephone | ExposureOfPrivateInformation.cs:20:50:20:65 | call to method getTelephone | Private data returned by $@ is written to an external location. | ExposureOfPrivateInformation.cs:20:50:20:65 | call to method getTelephone | call to method getTelephone |
+| ExposureOfPrivateInformation.cs:24:21:24:36 | call to method getTelephone | ExposureOfPrivateInformation.cs:24:21:24:36 | call to method getTelephone | ExposureOfPrivateInformation.cs:24:21:24:36 | call to method getTelephone | Private data returned by $@ is written to an external location. | ExposureOfPrivateInformation.cs:24:21:24:36 | call to method getTelephone | call to method getTelephone |
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-611/UntrustedDataInsecureXml.expected b/csharp/ql/test/query-tests/Security Features/CWE-611/UntrustedDataInsecureXml.expected
index 59363eed855c..6dd51cf91ed4 100644
--- a/csharp/ql/test/query-tests/Security Features/CWE-611/UntrustedDataInsecureXml.expected
+++ b/csharp/ql/test/query-tests/Security Features/CWE-611/UntrustedDataInsecureXml.expected
@@ -1 +1,5 @@
-| Test.cs:13:50:13:84 | access to indexer | $@ flows to here and is loaded insecurely as XML (DTD processing is enabled with an insecure resolver). | Test.cs:13:50:13:72 | access to property QueryString | User-provided value |
+edges
+| Test.cs:13:50:13:72 | access to property QueryString | Test.cs:13:50:13:84 | access to indexer |
+| Test.cs:18:38:18:60 | object creation of type XmlReaderSettings | Test.cs:23:55:23:62 | access to local variable settings |
+#select
+| Test.cs:13:50:13:84 | access to indexer | Test.cs:13:50:13:72 | access to property QueryString | Test.cs:13:50:13:84 | access to indexer | $@ flows to here and is loaded insecurely as XML (DTD processing is enabled with an insecure resolver). | Test.cs:13:50:13:72 | access to property QueryString | User-provided value |
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-643/StoredXPathInjection.expected b/csharp/ql/test/query-tests/Security Features/CWE-643/StoredXPathInjection.expected
index 8054b637031b..0b2c001a1552 100644
--- a/csharp/ql/test/query-tests/Security Features/CWE-643/StoredXPathInjection.expected
+++ b/csharp/ql/test/query-tests/Security Features/CWE-643/StoredXPathInjection.expected
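Review bot: The `edges` section of UntrustedDataInsecureXml.expected contains an `XmlReaderSettings` to `settings` edge (Test.cs:18 to Test.cs:23) that is not on the single path reported under `#select`. The same pattern shows up in ReDoS.expected (edges from the regex literal to `JAVA_CLASS_REGEX` and to `userInput` accesses on lines 28 to 32 that are never selected), in ReDoSGlobalTimeout.expected (one edge with an empty `#select`) and in HardcodedConnectionString.expected (the `Byte[]` to `rawCertData` edge). This suggests that the edges predicate added in DataFlow.qll, which is outside this view, presumably reports successors for every configuration in scope rather than only for nodes that reach a selected sink. Restricting it to path nodes of the configuration each query selects from would keep these baselines stable when unrelated configurations change and keep unrelated flow out of the path view of a security alert.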
@@ -1,4 +1,10 @@
-| StoredXPathInjection.cs:27:45:27:148 | ... + ... | $@ flows to here and is used in an XPath expression. | StoredXPathInjection.cs:24:39:24:65 | call to method GetString | Stored user-provided value |
-| StoredXPathInjection.cs:27:45:27:148 | ... + ... | $@ flows to here and is used in an XPath expression. | StoredXPathInjection.cs:25:39:25:65 | call to method GetString | Stored user-provided value |
-| StoredXPathInjection.cs:30:41:30:144 | ... + ... | $@ flows to here and is used in an XPath expression. | StoredXPathInjection.cs:24:39:24:65 | call to method GetString | Stored user-provided value |
-| StoredXPathInjection.cs:30:41:30:144 | ... + ... | $@ flows to here and is used in an XPath expression. | StoredXPathInjection.cs:25:39:25:65 | call to method GetString | Stored user-provided value |
+edges
+| StoredXPathInjection.cs:24:39:24:65 | call to method GetString | StoredXPathInjection.cs:27:45:27:148 | ... + ... |
+| StoredXPathInjection.cs:24:39:24:65 | call to method GetString | StoredXPathInjection.cs:30:41:30:144 | ... + ... |
+| StoredXPathInjection.cs:25:39:25:65 | call to method GetString | StoredXPathInjection.cs:27:45:27:148 | ... + ... |
+| StoredXPathInjection.cs:25:39:25:65 | call to method GetString | StoredXPathInjection.cs:30:41:30:144 | ... + ... |
+#select
+| StoredXPathInjection.cs:27:45:27:148 | ... + ... | StoredXPathInjection.cs:24:39:24:65 | call to method GetString | StoredXPathInjection.cs:27:45:27:148 | ... + ... | $@ flows to here and is used in an XPath expression. | StoredXPathInjection.cs:24:39:24:65 | call to method GetString | Stored user-provided value |
+| StoredXPathInjection.cs:27:45:27:148 | ... + ... | StoredXPathInjection.cs:25:39:25:65 | call to method GetString | StoredXPathInjection.cs:27:45:27:148 | ... + ... | $@ flows to here and is used in an XPath expression. | StoredXPathInjection.cs:25:39:25:65 | call to method GetString | Stored user-provided value |
+| StoredXPathInjection.cs:30:41:30:144 | ... + ... | StoredXPathInjection.cs:24:39:24:65 | call to method GetString | StoredXPathInjection.cs:30:41:30:144 | ... + ... | $@ flows to here and is used in an XPath expression. | StoredXPathInjection.cs:24:39:24:65 | call to method GetString | Stored user-provided value |
+| StoredXPathInjection.cs:30:41:30:144 | ... + ... | StoredXPathInjection.cs:25:39:25:65 | call to method GetString | StoredXPathInjection.cs:30:41:30:144 | ... + ... | $@ flows to here and is used in an XPath expression. | StoredXPathInjection.cs:25:39:25:65 | call to method GetString | Stored user-provided value |
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-643/XPathInjection.expected b/csharp/ql/test/query-tests/Security Features/CWE-643/XPathInjection.expected
index 31f05d8da31f..7106a842df11 100644
--- a/csharp/ql/test/query-tests/Security Features/CWE-643/XPathInjection.expected
+++ b/csharp/ql/test/query-tests/Security Features/CWE-643/XPathInjection.expected
@@ -1,4 +1,10 @@
-| XPathInjection.cs:16:33:16:136 | ... + ... | $@ flows to here and is used in an XPath expression. | XPathInjection.cs:12:27:12:49 | access to property QueryString | User-provided value |
-| XPathInjection.cs:16:33:16:136 | ... + ... | $@ flows to here and is used in an XPath expression. | XPathInjection.cs:13:27:13:49 | access to property QueryString | User-provided value |
-| XPathInjection.cs:19:29:19:132 | ... + ... | $@ flows to here and is used in an XPath expression. | XPathInjection.cs:12:27:12:49 | access to property QueryString | User-provided value |
-| XPathInjection.cs:19:29:19:132 | ... + ... | $@ flows to here and is used in an XPath expression. | XPathInjection.cs:13:27:13:49 | access to property QueryString | User-provided value |
+edges
+| XPathInjection.cs:12:27:12:49 | access to property QueryString | XPathInjection.cs:16:33:16:136 | ... + ... |
+| XPathInjection.cs:12:27:12:49 | access to property QueryString | XPathInjection.cs:19:29:19:132 | ... + ... |
+| XPathInjection.cs:13:27:13:49 | access to property QueryString | XPathInjection.cs:16:33:16:136 | ... + ... |
+| XPathInjection.cs:13:27:13:49 | access to property QueryString | XPathInjection.cs:19:29:19:132 | ... + ... |
+#select
+| XPathInjection.cs:16:33:16:136 | ... + ... | XPathInjection.cs:12:27:12:49 | access to property QueryString | XPathInjection.cs:16:33:16:136 | ... + ... | $@ flows to here and is used in an XPath expression. | XPathInjection.cs:12:27:12:49 | access to property QueryString | User-provided value |
+| XPathInjection.cs:16:33:16:136 | ... + ... | XPathInjection.cs:13:27:13:49 | access to property QueryString | XPathInjection.cs:16:33:16:136 | ... + ... | $@ flows to here and is used in an XPath expression. | XPathInjection.cs:13:27:13:49 | access to property QueryString | User-provided value |
+| XPathInjection.cs:19:29:19:132 | ... + ... | XPathInjection.cs:12:27:12:49 | access to property QueryString | XPathInjection.cs:19:29:19:132 | ... + ... | $@ flows to here and is used in an XPath expression. | XPathInjection.cs:12:27:12:49 | access to property QueryString | User-provided value |
+| XPathInjection.cs:19:29:19:132 | ... + ... | XPathInjection.cs:13:27:13:49 | access to property QueryString | XPathInjection.cs:19:29:19:132 | ... + ... | $@ flows to here and is used in an XPath expression. | XPathInjection.cs:13:27:13:49 | access to property QueryString | User-provided value |
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-730/ReDoS/ReDoS.expected b/csharp/ql/test/query-tests/Security Features/CWE-730/ReDoS/ReDoS.expected
index 86e0282dddf8..69cd05915601 100644
--- a/csharp/ql/test/query-tests/Security Features/CWE-730/ReDoS/ReDoS.expected
+++ b/csharp/ql/test/query-tests/Security Features/CWE-730/ReDoS/ReDoS.expected
@@ -1,5 +1,22 @@
-| ExponentialRegex.cs:17:40:17:48 | access to local variable userInput | $@ flows to regular expression operation with dangerous regex. | ExponentialRegex.cs:13:28:13:50 | access to property QueryString | User-provided value |
-| ExponentialRegex.cs:18:42:18:50 | access to local variable userInput | $@ flows to regular expression operation with dangerous regex. | ExponentialRegex.cs:13:28:13:50 | access to property QueryString | User-provided value |
-| ExponentialRegex.cs:21:139:21:147 | access to local variable userInput | $@ flows to regular expression operation with dangerous regex. | ExponentialRegex.cs:13:28:13:50 | access to property QueryString | User-provided value |
-| ExponentialRegex.cs:24:43:24:51 | access to local variable userInput | $@ flows to regular expression operation with dangerous regex. | ExponentialRegex.cs:13:28:13:50 | access to property QueryString | User-provided value |
-| ExponentialRegex.cs:26:21:26:29 | access to local variable userInput | $@ flows to regular expression operation with dangerous regex. | ExponentialRegex.cs:13:28:13:50 | access to property QueryString | User-provided value |
+edges
+| ExponentialRegex.cs:9:55:9:83 | "^(([a-z])+.)+[A-Z]([a-z])+$" | ExponentialRegex.cs:24:19:24:34 | access to field JAVA_CLASS_REGEX |
+| ExponentialRegex.cs:9:55:9:83 | "^(([a-z])+.)+[A-Z]([a-z])+$" | ExponentialRegex.cs:26:32:26:47 | access to field JAVA_CLASS_REGEX |
+| ExponentialRegex.cs:9:55:9:83 | "^(([a-z])+.)+[A-Z]([a-z])+$" | ExponentialRegex.cs:30:32:30:47 | access to field JAVA_CLASS_REGEX |
+| ExponentialRegex.cs:13:28:13:50 | access to property QueryString | ExponentialRegex.cs:17:40:17:48 | access to local variable userInput |
+| ExponentialRegex.cs:13:28:13:50 | access to property QueryString | ExponentialRegex.cs:18:42:18:50 | access to local variable userInput |
+| ExponentialRegex.cs:13:28:13:50 | access to property QueryString | ExponentialRegex.cs:21:139:21:147 | access to local variable userInput |
+| ExponentialRegex.cs:13:28:13:50 | access to property QueryString | ExponentialRegex.cs:24:43:24:51 | access to local variable userInput |
+| ExponentialRegex.cs:13:28:13:50 | access to property QueryString | ExponentialRegex.cs:26:21:26:29 | access to local variable userInput |
+| ExponentialRegex.cs:13:28:13:50 | access to property QueryString | ExponentialRegex.cs:28:47:28:55 | access to local variable userInput |
+| ExponentialRegex.cs:13:28:13:50 | access to property QueryString | ExponentialRegex.cs:29:90:29:98 | access to local variable userInput |
+| ExponentialRegex.cs:13:28:13:50 | access to property QueryString | ExponentialRegex.cs:30:21:30:29 | access to local variable userInput |
+| ExponentialRegex.cs:13:28:13:50 | access to property QueryString | ExponentialRegex.cs:32:57:32:65 | access to local variable userInput |
+| ExponentialRegex.cs:24:19:24:34 | access to field JAVA_CLASS_REGEX | ExponentialRegex.cs:26:32:26:47 | access to field JAVA_CLASS_REGEX |
+| ExponentialRegex.cs:24:19:24:34 | access to field JAVA_CLASS_REGEX | ExponentialRegex.cs:30:32:30:47 | access to field JAVA_CLASS_REGEX |
+| ExponentialRegex.cs:26:32:26:47 | access to field JAVA_CLASS_REGEX | ExponentialRegex.cs:30:32:30:47 | access to field JAVA_CLASS_REGEX |
+#select
+| ExponentialRegex.cs:17:40:17:48 | access to local variable userInput | ExponentialRegex.cs:13:28:13:50 | access to property QueryString | ExponentialRegex.cs:17:40:17:48 | access to local variable userInput | $@ flows to regular expression operation with dangerous regex. | ExponentialRegex.cs:13:28:13:50 | access to property QueryString | User-provided value |
+| ExponentialRegex.cs:18:42:18:50 | access to local variable userInput | ExponentialRegex.cs:13:28:13:50 | access to property QueryString | ExponentialRegex.cs:18:42:18:50 | access to local variable userInput | $@ flows to regular expression operation with dangerous regex. | ExponentialRegex.cs:13:28:13:50 | access to property QueryString | User-provided value |
+| ExponentialRegex.cs:21:139:21:147 | access to local variable userInput | ExponentialRegex.cs:13:28:13:50 | access to property QueryString | ExponentialRegex.cs:21:139:21:147 | access to local variable userInput | $@ flows to regular expression operation with dangerous regex. | ExponentialRegex.cs:13:28:13:50 | access to property QueryString | User-provided value |
+| ExponentialRegex.cs:24:43:24:51 | access to local variable userInput | ExponentialRegex.cs:13:28:13:50 | access to property QueryString | ExponentialRegex.cs:24:43:24:51 | access to local variable userInput | $@ flows to regular expression operation with dangerous regex. | ExponentialRegex.cs:13:28:13:50 | access to property QueryString | User-provided value |
+| ExponentialRegex.cs:26:21:26:29 | access to local variable userInput | ExponentialRegex.cs:13:28:13:50 | access to property QueryString | ExponentialRegex.cs:26:21:26:29 | access to local variable userInput | $@ flows to regular expression operation with dangerous regex. | ExponentialRegex.cs:13:28:13:50 | access to property QueryString | User-provided value |
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-730/ReDoSGlobalTimeout/ReDoS.expected b/csharp/ql/test/query-tests/Security Features/CWE-730/ReDoSGlobalTimeout/ReDoS.expected
index e69de29bb2d1..3c7330c90356 100644
--- a/csharp/ql/test/query-tests/Security Features/CWE-730/ReDoSGlobalTimeout/ReDoS.expected
+++ b/csharp/ql/test/query-tests/Security Features/CWE-730/ReDoSGlobalTimeout/ReDoS.expected
@@ -0,0 +1,3 @@
+edges
+| ExponentialRegex.cs:15:28:15:50 | access to property QueryString | ExponentialRegex.cs:18:40:18:48 | access to local variable userInput |
+#select
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-730/RegexInjection/RegexInjection.expected b/csharp/ql/test/query-tests/Security Features/CWE-730/RegexInjection/RegexInjection.expected
index c3638ab26089..50b64034e091 100644
--- a/csharp/ql/test/query-tests/Security Features/CWE-730/RegexInjection/RegexInjection.expected
+++ b/csharp/ql/test/query-tests/Security Features/CWE-730/RegexInjection/RegexInjection.expected
@@ -1 +1,4 @@
-| RegexInjection.cs:16:19:16:23 | access to local variable regex | $@ flows to the construction of a regular expression. | RegexInjection.cs:12:24:12:46 | access to property QueryString | User-provided value |
+edges
+| RegexInjection.cs:12:24:12:46 | access to property QueryString | RegexInjection.cs:16:19:16:23 | access to local variable regex |
+#select
+| RegexInjection.cs:16:19:16:23 | access to local variable regex | RegexInjection.cs:12:24:12:46 | access to property QueryString | RegexInjection.cs:16:19:16:23 | access to local variable regex | $@ flows to the construction of a regular expression. | RegexInjection.cs:12:24:12:46 | access to property QueryString | User-provided value |
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-798/HardcodedConnectionString.expected b/csharp/ql/test/query-tests/Security Features/CWE-798/HardcodedConnectionString.expected
index 6854cbafe328..985c4d67e31f 100644
--- a/csharp/ql/test/query-tests/Security Features/CWE-798/HardcodedConnectionString.expected
+++ b/csharp/ql/test/query-tests/Security Features/CWE-798/HardcodedConnectionString.expected
@@ -1,2 +1,5 @@
-| HardcodedCredentials.cs:56:48:56:63 | "Password=12345" | 'ConnectionString' property includes hard-coded credentials set in $@. | HardcodedCredentials.cs:56:30:56:64 | object creation of type SqlConnection | object creation of type SqlConnection |
-| HardcodedCredentials.cs:58:49:58:63 | "User Id=12345" | 'ConnectionString' property includes hard-coded credentials set in $@. | HardcodedCredentials.cs:58:31:58:64 | object creation of type SqlConnection | object creation of type SqlConnection |
+edges
+| HardcodedCredentials.cs:49:30:49:60 | array creation of type Byte[] | HardcodedCredentials.cs:52:13:52:23 | access to local variable rawCertData |
+#select
+| HardcodedCredentials.cs:56:48:56:63 | "Password=12345" | HardcodedCredentials.cs:56:48:56:63 | "Password=12345" | HardcodedCredentials.cs:56:48:56:63 | "Password=12345" | 'ConnectionString' property includes hard-coded credentials set in $@. | HardcodedCredentials.cs:56:30:56:64 | object creation of type SqlConnection | object creation of type SqlConnection |
+| HardcodedCredentials.cs:58:49:58:63 | "User Id=12345" | HardcodedCredentials.cs:58:49:58:63 | "User Id=12345" | HardcodedCredentials.cs:58:49:58:63 | "User Id=12345" | 'ConnectionString' property includes hard-coded credentials set in $@. | HardcodedCredentials.cs:58:31:58:64 | object creation of type SqlConnection | object creation of type SqlConnection |
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-798/HardcodedCredentials.expected b/csharp/ql/test/query-tests/Security Features/CWE-798/HardcodedCredentials.expected
index 0aa0caa94f69..0276293a89a8 100644
--- a/csharp/ql/test/query-tests/Security Features/CWE-798/HardcodedCredentials.expected
+++ b/csharp/ql/test/query-tests/Security Features/CWE-798/HardcodedCredentials.expected
@@ -1,8 +1,11 @@
-| HardcodedCredentials.cs:17:25:17:36 | "myPa55word" | The hard-coded value "myPa55word" flows to $@ which is compared against $@. | HardcodedCredentials.cs:17:25:17:36 | "myPa55word" | "myPa55word" | HardcodedCredentials.cs:17:13:17:20 | access to local variable password | access to local variable password |
-| HardcodedCredentials.cs:33:19:33:28 | "username" | The hard-coded value "username" flows to the $@ parameter in $@. | HardcodedCredentials.cs:33:19:33:28 | "username" | name | HardcodedCredentials.cs:31:31:45:13 | object creation of type MembershipUser | object creation of type MembershipUser |
-| HardcodedCredentials.cs:47:39:47:53 | "myNewPa55word" | The hard-coded value "myNewPa55word" flows to the $@ parameter in $@. | HardcodedCredentials.cs:47:39:47:53 | "myNewPa55word" | newPassword | HardcodedCredentials.cs:47:9:47:54 | call to method ChangePassword | call to method ChangePassword |
-| HardcodedCredentials.cs:49:30:49:60 | array creation of type Byte[] | This hard-coded value flows to the $@ parameter in $@. | HardcodedCredentials.cs:52:13:52:23 | access to local variable rawCertData | rawData | HardcodedCredentials.cs:51:33:53:25 | object creation of type X509Certificate2 | object creation of type X509Certificate2 |
-| HardcodedCredentials.cs:53:13:53:24 | "myPa55word" | The hard-coded value "myPa55word" flows to the $@ parameter in $@. | HardcodedCredentials.cs:53:13:53:24 | "myPa55word" | password | HardcodedCredentials.cs:51:33:53:25 | object creation of type X509Certificate2 | object creation of type X509Certificate2 |
-| HardcodedCredentials.cs:76:31:76:42 | "myusername" | The hard-coded value "myusername" flows to the $@ parameter in $@. | HardcodedCredentials.cs:76:31:76:42 | "myusername" | username | HardcodedCredentials.cs:76:9:76:57 | call to method CreateUser | call to method CreateUser |
-| HardcodedCredentials.cs:76:45:76:56 | "mypassword" | The hard-coded value "mypassword" flows to the $@ parameter in $@. | HardcodedCredentials.cs:76:45:76:56 | "mypassword" | password | HardcodedCredentials.cs:76:9:76:57 | call to method CreateUser | call to method CreateUser |
-| TestHardcodedCredentials.cs:26:19:26:28 | "username" | The hard-coded value "username" flows to the $@ parameter in $@. | TestHardcodedCredentials.cs:26:19:26:28 | "username" | name | TestHardcodedCredentials.cs:24:31:38:13 | object creation of type MembershipUser | object creation of type MembershipUser |
+edges
+| HardcodedCredentials.cs:49:30:49:60 | array creation of type Byte[] | HardcodedCredentials.cs:52:13:52:23 | access to local variable rawCertData |
+#select
+| HardcodedCredentials.cs:17:25:17:36 | "myPa55word" | HardcodedCredentials.cs:17:25:17:36 | "myPa55word" | HardcodedCredentials.cs:17:25:17:36 | "myPa55word" | The hard-coded value "myPa55word" flows to $@ which is compared against $@. | HardcodedCredentials.cs:17:25:17:36 | "myPa55word" | "myPa55word" | HardcodedCredentials.cs:17:13:17:20 | access to local variable password | access to local variable password |
+| HardcodedCredentials.cs:33:19:33:28 | "username" | HardcodedCredentials.cs:33:19:33:28 | "username" | HardcodedCredentials.cs:33:19:33:28 | "username" | The hard-coded value "username" flows to the $@ parameter in $@. | HardcodedCredentials.cs:33:19:33:28 | "username" | name | HardcodedCredentials.cs:31:31:45:13 | object creation of type MembershipUser | object creation of type MembershipUser |
+| HardcodedCredentials.cs:47:39:47:53 | "myNewPa55word" | HardcodedCredentials.cs:47:39:47:53 | "myNewPa55word" | HardcodedCredentials.cs:47:39:47:53 | "myNewPa55word" | The hard-coded value "myNewPa55word" flows to the $@ parameter in $@. | HardcodedCredentials.cs:47:39:47:53 | "myNewPa55word" | newPassword | HardcodedCredentials.cs:47:9:47:54 | call to method ChangePassword | call to method ChangePassword |
+| HardcodedCredentials.cs:49:30:49:60 | array creation of type Byte[] | HardcodedCredentials.cs:49:30:49:60 | array creation of type Byte[] | HardcodedCredentials.cs:52:13:52:23 | access to local variable rawCertData | This hard-coded value flows to the $@ parameter in $@. | HardcodedCredentials.cs:52:13:52:23 | access to local variable rawCertData | rawData | HardcodedCredentials.cs:51:33:53:25 | object creation of type X509Certificate2 | object creation of type X509Certificate2 |
+| HardcodedCredentials.cs:53:13:53:24 | "myPa55word" | HardcodedCredentials.cs:53:13:53:24 | "myPa55word" | HardcodedCredentials.cs:53:13:53:24 | "myPa55word" | The hard-coded value "myPa55word" flows to the $@ parameter in $@. | HardcodedCredentials.cs:53:13:53:24 | "myPa55word" | password | HardcodedCredentials.cs:51:33:53:25 | object creation of type X509Certificate2 | object creation of type X509Certificate2 |
+| HardcodedCredentials.cs:76:31:76:42 | "myusername" | HardcodedCredentials.cs:76:31:76:42 | "myusername" | HardcodedCredentials.cs:76:31:76:42 | "myusername" | The hard-coded value "myusername" flows to the $@ parameter in $@. | HardcodedCredentials.cs:76:31:76:42 | "myusername" | username | HardcodedCredentials.cs:76:9:76:57 | call to method CreateUser | call to method CreateUser |
+| HardcodedCredentials.cs:76:45:76:56 | "mypassword" | HardcodedCredentials.cs:76:45:76:56 | "mypassword" | HardcodedCredentials.cs:76:45:76:56 | "mypassword" | The hard-coded value "mypassword" flows to the $@ parameter in $@. | HardcodedCredentials.cs:76:45:76:56 | "mypassword" | password | HardcodedCredentials.cs:76:9:76:57 | call to method CreateUser | call to method CreateUser |
+| TestHardcodedCredentials.cs:26:19:26:28 | "username" | TestHardcodedCredentials.cs:26:19:26:28 | "username" | TestHardcodedCredentials.cs:26:19:26:28 | "username" | The hard-coded value "username" flows to the $@ parameter in $@. | TestHardcodedCredentials.cs:26:19:26:28 | "username" | name | TestHardcodedCredentials.cs:24:31:38:13 | object creation of type MembershipUser | object creation of type MembershipUser |
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-807/ConditionalBypass.expected b/csharp/ql/test/query-tests/Security Features/CWE-807/ConditionalBypass.expected
index af5a1417fa57..f04e8969bfc6 100644
--- a/csharp/ql/test/query-tests/Security Features/CWE-807/ConditionalBypass.expected
+++ b/csharp/ql/test/query-tests/Security Features/CWE-807/ConditionalBypass.expected
@@ -1,8 +1,17 @@ -| ConditionalBypass.cs:19:13:19:33 | call to method login | Sensitive method may not be executed depending on $@, which flows from $@. | ConditionalBypass.cs:18:13:18:30 | ... == ... | this condition | ConditionalBypass.cs:14:26:14:48 | access to property QueryString | user input | -| ConditionalBypass.cs:25:13:25:33 | call to method login | Sensitive method may not be executed depending on $@, which flows from $@. | ConditionalBypass.cs:24:13:24:45 | call to method Equals | this condition | ConditionalBypass.cs:21:34:21:52 | access to property Cookies | user input | -| ConditionalBypass.cs:31:13:31:33 | call to method login | Sensitive method may not be executed depending on $@, which flows from $@. | ConditionalBypass.cs:29:13:29:40 | ... == ... | this condition | ConditionalBypass.cs:21:34:21:52 | access to property Cookies | user input | -| ConditionalBypass.cs:35:13:35:39 | call to method reCheckAuth | Sensitive method may not be executed depending on $@, which flows from $@. | ConditionalBypass.cs:29:13:29:40 | ... == ... | this condition | ConditionalBypass.cs:21:34:21:52 | access to property Cookies | user input | -| ConditionalBypass.cs:48:13:48:33 | call to method login | Sensitive method may not be executed depending on $@, which flows from $@. | ConditionalBypass.cs:46:13:46:46 | ... == ... | this condition | ConditionalBypass.cs:44:32:44:66 | call to method GetHostByAddress | user input | -| ConditionalBypass.cs:53:13:53:33 | call to method login | Sensitive method may not be executed depending on $@, which flows from $@. | ConditionalBypass.cs:51:13:51:29 | access to property HostName | this condition | ConditionalBypass.cs:44:32:44:66 | call to method GetHostByAddress | user input | -| ConditionalBypass.cs:75:13:75:33 | call to method login | Sensitive method may not be executed depending on $@, which flows from $@. | ConditionalBypass.cs:74:13:74:40 | ... == ... 
| this condition | ConditionalBypass.cs:72:34:72:52 | access to property Cookies | user input | -| ConditionalBypass.cs:87:13:87:33 | call to method login | Sensitive method may not be executed depending on $@, which flows from $@. | ConditionalBypass.cs:86:13:86:40 | ... == ... | this condition | ConditionalBypass.cs:85:34:85:52 | access to property Cookies | user input | +edges +| ConditionalBypass.cs:14:26:14:48 | access to property QueryString | ConditionalBypass.cs:18:13:18:30 | ... == ... | +| ConditionalBypass.cs:21:34:21:52 | access to property Cookies | ConditionalBypass.cs:24:13:24:45 | call to method Equals | +| ConditionalBypass.cs:21:34:21:52 | access to property Cookies | ConditionalBypass.cs:29:13:29:40 | ... == ... | +| ConditionalBypass.cs:44:32:44:66 | call to method GetHostByAddress | ConditionalBypass.cs:46:13:46:46 | ... == ... | +| ConditionalBypass.cs:44:32:44:66 | call to method GetHostByAddress | ConditionalBypass.cs:51:13:51:29 | access to property HostName | +| ConditionalBypass.cs:72:34:72:52 | access to property Cookies | ConditionalBypass.cs:74:13:74:40 | ... == ... | +| ConditionalBypass.cs:85:34:85:52 | access to property Cookies | ConditionalBypass.cs:86:13:86:40 | ... == ... | +#select +| ConditionalBypass.cs:19:13:19:33 | call to method login | ConditionalBypass.cs:14:26:14:48 | access to property QueryString | ConditionalBypass.cs:18:13:18:30 | ... == ... | Sensitive method may not be executed depending on $@, which flows from $@. | ConditionalBypass.cs:18:13:18:30 | ... == ... | this condition | ConditionalBypass.cs:14:26:14:48 | access to property QueryString | user input | +| ConditionalBypass.cs:25:13:25:33 | call to method login | ConditionalBypass.cs:21:34:21:52 | access to property Cookies | ConditionalBypass.cs:24:13:24:45 | call to method Equals | Sensitive method may not be executed depending on $@, which flows from $@. 
| ConditionalBypass.cs:24:13:24:45 | call to method Equals | this condition | ConditionalBypass.cs:21:34:21:52 | access to property Cookies | user input | +| ConditionalBypass.cs:31:13:31:33 | call to method login | ConditionalBypass.cs:21:34:21:52 | access to property Cookies | ConditionalBypass.cs:29:13:29:40 | ... == ... | Sensitive method may not be executed depending on $@, which flows from $@. | ConditionalBypass.cs:29:13:29:40 | ... == ... | this condition | ConditionalBypass.cs:21:34:21:52 | access to property Cookies | user input | +| ConditionalBypass.cs:35:13:35:39 | call to method reCheckAuth | ConditionalBypass.cs:21:34:21:52 | access to property Cookies | ConditionalBypass.cs:29:13:29:40 | ... == ... | Sensitive method may not be executed depending on $@, which flows from $@. | ConditionalBypass.cs:29:13:29:40 | ... == ... | this condition | ConditionalBypass.cs:21:34:21:52 | access to property Cookies | user input | +| ConditionalBypass.cs:48:13:48:33 | call to method login | ConditionalBypass.cs:44:32:44:66 | call to method GetHostByAddress | ConditionalBypass.cs:46:13:46:46 | ... == ... | Sensitive method may not be executed depending on $@, which flows from $@. | ConditionalBypass.cs:46:13:46:46 | ... == ... | this condition | ConditionalBypass.cs:44:32:44:66 | call to method GetHostByAddress | user input | +| ConditionalBypass.cs:53:13:53:33 | call to method login | ConditionalBypass.cs:44:32:44:66 | call to method GetHostByAddress | ConditionalBypass.cs:51:13:51:29 | access to property HostName | Sensitive method may not be executed depending on $@, which flows from $@. | ConditionalBypass.cs:51:13:51:29 | access to property HostName | this condition | ConditionalBypass.cs:44:32:44:66 | call to method GetHostByAddress | user input | +| ConditionalBypass.cs:75:13:75:33 | call to method login | ConditionalBypass.cs:72:34:72:52 | access to property Cookies | ConditionalBypass.cs:74:13:74:40 | ... == ... 
| Sensitive method may not be executed depending on $@, which flows from $@. | ConditionalBypass.cs:74:13:74:40 | ... == ... | this condition | ConditionalBypass.cs:72:34:72:52 | access to property Cookies | user input | +| ConditionalBypass.cs:87:13:87:33 | call to method login | ConditionalBypass.cs:85:34:85:52 | access to property Cookies | ConditionalBypass.cs:86:13:86:40 | ... == ... | Sensitive method may not be executed depending on $@, which flows from $@. | ConditionalBypass.cs:86:13:86:40 | ... == ... | this condition | ConditionalBypass.cs:85:34:85:52 | access to property Cookies | user input | diff --git a/csharp/ql/test/query-tests/Security Features/CWE-838/InappropriateEncoding.expected b/csharp/ql/test/query-tests/Security Features/CWE-838/InappropriateEncoding.expected index bd909a8d5cde..9fea9d5d65bf 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-838/InappropriateEncoding.expected +++ b/csharp/ql/test/query-tests/Security Features/CWE-838/InappropriateEncoding.expected 
@@ -1,12 +1,24 @@ -| HtmlEncode.cs:12:28:12:65 | ... + ... | This HTML expression may include data from a $@. | HtmlEncode.cs:12:40:12:65 | call to method UrlEncode | possibly inappropriately encoded value | -| InappropriateEncoding.cs:20:46:20:51 | access to local variable query1 | This SQL expression may include data from a $@. | InappropriateEncoding.cs:15:28:15:40 | call to method Encode | possibly inappropriately encoded value | -| InappropriateEncoding.cs:20:46:20:51 | access to local variable query1 | This SQL expression may include data from a $@. | InappropriateEncoding.cs:68:16:68:42 | call to method Replace | possibly inappropriately encoded value | -| InappropriateEncoding.cs:33:22:33:34 | call to method Encode | This HTML expression may include data from a $@. | InappropriateEncoding.cs:33:22:33:34 | call to method Encode | possibly inappropriately encoded value | -| InappropriateEncoding.cs:34:22:34:49 | call to method UrlEncode | This HTML expression may include data from a $@. | InappropriateEncoding.cs:34:22:34:49 | call to method UrlEncode | possibly inappropriately encoded value | -| InappropriateEncoding.cs:35:22:35:73 | call to method UrlEncode | This HTML expression may include data from a $@. | InappropriateEncoding.cs:35:22:35:73 | call to method UrlEncode | possibly inappropriately encoded value | -| InappropriateEncoding.cs:37:32:37:43 | access to local variable encodedValue | This HTML expression may include data from a $@. | InappropriateEncoding.cs:36:28:36:55 | call to method UrlEncode | possibly inappropriately encoded value | -| InappropriateEncoding.cs:38:22:38:59 | ... + ... | This HTML expression may include data from a $@. | InappropriateEncoding.cs:36:28:36:55 | call to method UrlEncode | possibly inappropriately encoded value | -| InappropriateEncoding.cs:39:22:39:71 | call to method Format | This HTML expression may include data from a $@. 
| InappropriateEncoding.cs:36:28:36:55 | call to method UrlEncode | possibly inappropriately encoded value | -| InappropriateEncoding.cs:58:31:58:42 | access to local variable encodedValue | This URL expression may include data from a $@. | InappropriateEncoding.cs:57:28:57:56 | call to method HtmlEncode | possibly inappropriately encoded value | -| SqlEncode.cs:17:46:17:50 | access to local variable query | This SQL expression may include data from a $@. | SqlEncode.cs:16:62:16:87 | call to method Replace | possibly inappropriately encoded value | -| UrlEncode.cs:12:31:12:69 | ... + ... | This URL expression may include data from a $@. | UrlEncode.cs:12:43:12:69 | call to method HtmlEncode | possibly inappropriately encoded value | +edges +| HtmlEncode.cs:12:40:12:65 | call to method UrlEncode | HtmlEncode.cs:12:28:12:65 | ... + ... | +| InappropriateEncoding.cs:15:28:15:40 | call to method Encode | InappropriateEncoding.cs:20:46:20:51 | access to local variable query1 | +| InappropriateEncoding.cs:15:28:15:40 | call to method Encode | InappropriateEncoding.cs:20:46:20:51 | access to local variable query1 | +| InappropriateEncoding.cs:36:28:36:55 | call to method UrlEncode | InappropriateEncoding.cs:37:32:37:43 | access to local variable encodedValue | +| InappropriateEncoding.cs:36:28:36:55 | call to method UrlEncode | InappropriateEncoding.cs:38:22:38:59 | ... + ... 
| +| InappropriateEncoding.cs:36:28:36:55 | call to method UrlEncode | InappropriateEncoding.cs:39:22:39:71 | call to method Format | +| InappropriateEncoding.cs:57:28:57:56 | call to method HtmlEncode | InappropriateEncoding.cs:58:31:58:42 | access to local variable encodedValue | +| InappropriateEncoding.cs:68:16:68:42 | call to method Replace | InappropriateEncoding.cs:15:28:15:40 | call to method Encode | +| SqlEncode.cs:16:62:16:87 | call to method Replace | SqlEncode.cs:17:46:17:50 | access to local variable query | +| UrlEncode.cs:12:43:12:69 | call to method HtmlEncode | UrlEncode.cs:12:31:12:69 | ... + ... | +#select +| HtmlEncode.cs:12:28:12:65 | ... + ... | HtmlEncode.cs:12:40:12:65 | call to method UrlEncode | HtmlEncode.cs:12:28:12:65 | ... + ... | This HTML expression may include data from a $@. | HtmlEncode.cs:12:40:12:65 | call to method UrlEncode | possibly inappropriately encoded value | +| InappropriateEncoding.cs:20:46:20:51 | access to local variable query1 | InappropriateEncoding.cs:15:28:15:40 | call to method Encode | InappropriateEncoding.cs:20:46:20:51 | access to local variable query1 | This SQL expression may include data from a $@. | InappropriateEncoding.cs:15:28:15:40 | call to method Encode | possibly inappropriately encoded value | +| InappropriateEncoding.cs:20:46:20:51 | access to local variable query1 | InappropriateEncoding.cs:68:16:68:42 | call to method Replace | InappropriateEncoding.cs:20:46:20:51 | access to local variable query1 | This SQL expression may include data from a $@. | InappropriateEncoding.cs:68:16:68:42 | call to method Replace | possibly inappropriately encoded value | +| InappropriateEncoding.cs:33:22:33:34 | call to method Encode | InappropriateEncoding.cs:33:22:33:34 | call to method Encode | InappropriateEncoding.cs:33:22:33:34 | call to method Encode | This HTML expression may include data from a $@. 
| InappropriateEncoding.cs:33:22:33:34 | call to method Encode | possibly inappropriately encoded value | +| InappropriateEncoding.cs:34:22:34:49 | call to method UrlEncode | InappropriateEncoding.cs:34:22:34:49 | call to method UrlEncode | InappropriateEncoding.cs:34:22:34:49 | call to method UrlEncode | This HTML expression may include data from a $@. | InappropriateEncoding.cs:34:22:34:49 | call to method UrlEncode | possibly inappropriately encoded value | +| InappropriateEncoding.cs:35:22:35:73 | call to method UrlEncode | InappropriateEncoding.cs:35:22:35:73 | call to method UrlEncode | InappropriateEncoding.cs:35:22:35:73 | call to method UrlEncode | This HTML expression may include data from a $@. | InappropriateEncoding.cs:35:22:35:73 | call to method UrlEncode | possibly inappropriately encoded value | +| InappropriateEncoding.cs:37:32:37:43 | access to local variable encodedValue | InappropriateEncoding.cs:36:28:36:55 | call to method UrlEncode | InappropriateEncoding.cs:37:32:37:43 | access to local variable encodedValue | This HTML expression may include data from a $@. | InappropriateEncoding.cs:36:28:36:55 | call to method UrlEncode | possibly inappropriately encoded value | +| InappropriateEncoding.cs:38:22:38:59 | ... + ... | InappropriateEncoding.cs:36:28:36:55 | call to method UrlEncode | InappropriateEncoding.cs:38:22:38:59 | ... + ... | This HTML expression may include data from a $@. | InappropriateEncoding.cs:36:28:36:55 | call to method UrlEncode | possibly inappropriately encoded value | +| InappropriateEncoding.cs:39:22:39:71 | call to method Format | InappropriateEncoding.cs:36:28:36:55 | call to method UrlEncode | InappropriateEncoding.cs:39:22:39:71 | call to method Format | This HTML expression may include data from a $@. 
| InappropriateEncoding.cs:36:28:36:55 | call to method UrlEncode | possibly inappropriately encoded value | +| InappropriateEncoding.cs:58:31:58:42 | access to local variable encodedValue | InappropriateEncoding.cs:57:28:57:56 | call to method HtmlEncode | InappropriateEncoding.cs:58:31:58:42 | access to local variable encodedValue | This URL expression may include data from a $@. | InappropriateEncoding.cs:57:28:57:56 | call to method HtmlEncode | possibly inappropriately encoded value | +| SqlEncode.cs:17:46:17:50 | access to local variable query | SqlEncode.cs:16:62:16:87 | call to method Replace | SqlEncode.cs:17:46:17:50 | access to local variable query | This SQL expression may include data from a $@. | SqlEncode.cs:16:62:16:87 | call to method Replace | possibly inappropriately encoded value | +| UrlEncode.cs:12:31:12:69 | ... + ... | UrlEncode.cs:12:43:12:69 | call to method HtmlEncode | UrlEncode.cs:12:31:12:69 | ... + ... | This URL expression may include data from a $@. | UrlEncode.cs:12:43:12:69 | call to method HtmlEncode | possibly inappropriately encoded value | From e908b090fdc9bf308d147b58a3771d10932dfc8b Mon Sep 17 00:00:00 2001 
From: calum Date: Mon, 29 Oct 2018 11:44:58 +0000 Subject: [PATCH 2/6] C#: Always use PathNode in a path-problem query. --- .../src/Security Features/CWE-022/TaintedPath.ql | 4 ++-- .../ql/src/Security Features/CWE-022/ZipSlip.ql | 4 ++-- .../CWE-078/CommandInjection.ql | 4 ++-- .../CWE-078/StoredCommandInjection.ql | 4 ++-- .../src/Security Features/CWE-079/StoredXSS.ql | 12 ++++++------ .../CWE-089/SecondOrderSqlInjection.ql | 4 ++-- .../Security Features/CWE-089/SqlInjection.ql | 8 ++++---- .../Security Features/CWE-090/LDAPInjection.ql | 4 ++-- .../CWE-090/StoredLDAPInjection.ql | 4 ++-- .../Security Features/CWE-094/CodeInjection.ql | 4 ++-- .../CWE-099/ResourceInjection.ql | 4 ++-- .../CWE-112/MissingXMLValidation.ql | 8 ++++---- .../src/Security Features/CWE-117/LogForging.ql | 4 ++-- .../CWE-201/ExposureInTransmittedData.ql | 4 ++-- .../CWE-209/ExceptionInformationExposure.ql | 4 ++-- .../CWE-312/CleartextStorage.ql | 4 ++-- .../CWE-359/ExposureOfPrivateInformation.ql | 4 ++-- .../src/Security Features/CWE-601/UrlRedirect.ql | 4 ++-- .../CWE-611/UntrustedDataInsecureXml.ql | 8 ++++---- .../CWE-643/StoredXPathInjection.ql | 4 ++-- .../Security Features/CWE-643/XPathInjection.ql | 4 ++-- csharp/ql/src/Security Features/CWE-730/ReDoS.ql | 8 ++++---- .../Security Features/CWE-730/RegexInjection.ql | 8 ++++---- .../CWE-798/HardcodedConnectionString.ql | 8 ++++---- .../CWE-798/HardcodedCredentials.ql | 7 +++++-- .../CWE-807/ConditionalBypass.ql | 6 +++--- .../src/Security Features/InsecureRandomness.ql | 10 ++++++---- .../src/semmle/code/csharp/dataflow/DataFlow.qll | 6 ------ .../CWE-338/InsecureRandomness.expected | 16 +++++++++++++--- 29 files changed, 91 insertions(+), 82 deletions(-) diff --git a/csharp/ql/src/Security Features/CWE-022/TaintedPath.ql b/csharp/ql/src/Security Features/CWE-022/TaintedPath.ql index 9d6e55e44c92..d08cc2ca5647 100644 --- a/csharp/ql/src/Security Features/CWE-022/TaintedPath.ql 
+++ b/csharp/ql/src/Security Features/CWE-022/TaintedPath.ql @@ -18,5 +18,5 @@ import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink where c.hasFlowPath(source, sink) -select sink, source, sink, - "$@ flows to here and is used in a path.", source, "User-provided value" +select sink.getNode(), source, sink, + "$@ flows to here and is used in a path.", source.getNode(), "User-provided value" diff --git a/csharp/ql/src/Security Features/CWE-022/ZipSlip.ql b/csharp/ql/src/Security Features/CWE-022/ZipSlip.ql index 1d93d480634d..fc687c1d6b2d 100644 --- a/csharp/ql/src/Security Features/CWE-022/ZipSlip.ql +++ b/csharp/ql/src/Security Features/CWE-022/ZipSlip.ql @@ -17,5 +17,5 @@ import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph from TaintTrackingConfiguration zipTaintTracking, DataFlow::PathNode source, DataFlow::PathNode sink where zipTaintTracking.hasFlowPath(source, sink) -select sink, source, sink, - "Unsanitized zip archive $@, which may contain '..', is used in a file system operation.", source, "item path" +select sink.getNode(), source, sink, + "Unsanitized zip archive $@, which may contain '..', is used in a file system operation.", source.getNode(), "item path" diff --git a/csharp/ql/src/Security Features/CWE-078/CommandInjection.ql b/csharp/ql/src/Security Features/CWE-078/CommandInjection.ql index 316c06761133..337d191eae1b 100644 --- a/csharp/ql/src/Security Features/CWE-078/CommandInjection.ql +++ b/csharp/ql/src/Security Features/CWE-078/CommandInjection.ql 
@@ -18,5 +18,5 @@ import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink where c.hasFlowPath(source, sink) -select sink, source, sink, - "$@ flows to here and is used in a command.", source, "User-provided value" +select sink.getNode(), source, sink, + "$@ flows to here and is used in a command.", source.getNode(), "User-provided value" diff --git a/csharp/ql/src/Security Features/CWE-078/StoredCommandInjection.ql b/csharp/ql/src/Security Features/CWE-078/StoredCommandInjection.ql index a74cbb10ce62..be51a9e347ec 100644 --- a/csharp/ql/src/Security Features/CWE-078/StoredCommandInjection.ql +++ b/csharp/ql/src/Security Features/CWE-078/StoredCommandInjection.ql @@ -25,5 +25,5 @@ class StoredTaintTrackingConfiguration extends TaintTrackingConfiguration { from StoredTaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink where c.hasFlowPath(source, sink) -select sink, source, sink, - "$@ flows to here and is used in a command.", source, "Stored user-provided value" +select sink.getNode(), source, sink, + "$@ flows to here and is used in a command.", source.getNode(), "Stored user-provided value" diff --git a/csharp/ql/src/Security Features/CWE-079/StoredXSS.ql b/csharp/ql/src/Security Features/CWE-079/StoredXSS.ql index 2909269df2a0..80f16f35d4a0 100644 --- a/csharp/ql/src/Security Features/CWE-079/StoredXSS.ql +++ b/csharp/ql/src/Security Features/CWE-079/StoredXSS.ql 
@@ -21,11 +21,11 @@ class StoredTaintTrackingConfiguration extends TaintTrackingConfiguration { } } -from StoredTaintTrackingConfiguration c, StoredFlowSource source, Sink sink, string explanation -where c.hasFlow(source, sink) +from StoredTaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink, string explanation +where c.hasFlowPath(source, sink) and - if exists(sink.explanation()) - then explanation = ": " + sink.explanation() + "." + if exists(sink.getNode().(Sink).explanation()) + then explanation = ": " + sink.getNode().(Sink).explanation() + "." else explanation = "." -select sink, source.getPathNode(c), sink.getPathNode(c), - "$@ flows to here and is written to HTML or JavaScript" + explanation, source, "Stored user-provided value" +select sink.getNode(), source, sink, + "$@ flows to here and is written to HTML or JavaScript" + explanation, source.getNode(), "Stored user-provided value" diff --git a/csharp/ql/src/Security Features/CWE-089/SecondOrderSqlInjection.ql b/csharp/ql/src/Security Features/CWE-089/SecondOrderSqlInjection.ql index d4d1c4192413..3e533dfd993c 100644 --- a/csharp/ql/src/Security Features/CWE-089/SecondOrderSqlInjection.ql +++ b/csharp/ql/src/Security Features/CWE-089/SecondOrderSqlInjection.ql @@ -23,5 +23,5 @@ class StoredTaintTrackingConfiguration extends SqlInjection::TaintTrackingConfig from StoredTaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink where c.hasFlowPath(source, sink) -select sink, source, sink, - "$@ flows to here and is used in an SQL query.", source, "Stored user-provided value" +select sink.getNode(), source, sink, + "$@ flows to here and is used in an SQL query.", source.getNode(), "Stored user-provided value" diff --git a/csharp/ql/src/Security Features/CWE-089/SqlInjection.ql b/csharp/ql/src/Security Features/CWE-089/SqlInjection.ql index 9bc70bd56b45..f06eab7ef378 100644 --- a/csharp/ql/src/Security Features/CWE-089/SqlInjection.ql 
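Review bot: In StoredXSS.ql the rewritten `from` clause no longer types the source as `StoredFlowSource`, so the "Stored user-provided value" label in the `select` is accurate only if `StoredTaintTrackingConfiguration.isSource` admits stored sources alone. The class body starts outside this hunk, so that cannot be confirmed from here. Previously the `from` clause made the restriction visible at the point where the alert text is built. A one-line comment above the `from` would record the assumption, for example `// source and sink kinds are enforced by StoredTaintTrackingConfiguration, not by this from clause`.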
+++ b/csharp/ql/src/Security Features/CWE-089/SqlInjection.ql @@ -14,7 +14,7 @@ import csharp import semmle.code.csharp.security.dataflow.SqlInjection::SqlInjection import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph -from TaintTrackingConfiguration c, RemoteFlowSource source, Sink sink -where c.hasFlow(source, sink) -select sink, source.getPathNode(c), sink.getPathNode(c), - "Query might include code from $@.", source, ("this " + source.getSourceType()) +from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink +where c.hasFlowPath(source, sink) +select sink.getNode(), source, sink, + "Query might include code from $@.", source, ("this " + source.getNode().(RemoteFlowSource).getSourceType()) diff --git a/csharp/ql/src/Security Features/CWE-090/LDAPInjection.ql b/csharp/ql/src/Security Features/CWE-090/LDAPInjection.ql index b2c1cfb7c933..669e82e1d7e5 100644 --- a/csharp/ql/src/Security Features/CWE-090/LDAPInjection.ql +++ b/csharp/ql/src/Security Features/CWE-090/LDAPInjection.ql @@ -15,5 +15,5 @@ import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink where c.hasFlowPath(source, sink) -select sink, source, sink, - "$@ flows to here and is used in an LDAP query.", source, "User-provided value" +select sink.getNode(), source, sink, + "$@ flows to here and is used in an LDAP query.", source.getNode(), "User-provided value" diff --git a/csharp/ql/src/Security Features/CWE-090/StoredLDAPInjection.ql b/csharp/ql/src/Security Features/CWE-090/StoredLDAPInjection.ql index 5d11e89e8386..846ad8735acc 100644 --- a/csharp/ql/src/Security Features/CWE-090/StoredLDAPInjection.ql +++ b/csharp/ql/src/Security Features/CWE-090/StoredLDAPInjection.ql 
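Review bot: The new `select` in SqlInjection.ql passes the `PathNode` itself as the `$@` link element (`"Query might include code from $@.", source, ...`), while every other query touched by this commit passes `source.getNode()` there. For consistency the second added line should read `"Query might include code from $@.", source.getNode(), ("this " + source.getNode().(RemoteFlowSource).getSourceType())`. Separately, the inline cast `.(RemoteFlowSource)` means a flow whose source is not a `RemoteFlowSource` yields no row at all. That matches the old typed `from` clause, but if the configuration ever gains other source kinds the alert would disappear silently, so a comment noting the dependency would help.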
@@ -22,5 +22,5 @@ class StoredTaintTrackingConfiguration extends TaintTrackingConfiguration { from StoredTaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink where c.hasFlowPath(source, sink) -select sink, source, sink, - "$@ flows to here and is used in an LDAP query.", source, "Stored user-provided value" +select sink.getNode(), source, sink, + "$@ flows to here and is used in an LDAP query.", source.getNode(), "Stored user-provided value" diff --git a/csharp/ql/src/Security Features/CWE-094/CodeInjection.ql b/csharp/ql/src/Security Features/CWE-094/CodeInjection.ql index a4447309b7cd..de26ec087e19 100644 --- a/csharp/ql/src/Security Features/CWE-094/CodeInjection.ql +++ b/csharp/ql/src/Security Features/CWE-094/CodeInjection.ql @@ -17,5 +17,5 @@ import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink where c.hasFlowPath(source, sink) -select sink, source, sink, - "$@ flows to here and is compiled as code.", source, "User-provided value" +select sink.getNode(), source, sink, + "$@ flows to here and is compiled as code.", source.getNode(), "User-provided value" diff --git a/csharp/ql/src/Security Features/CWE-099/ResourceInjection.ql b/csharp/ql/src/Security Features/CWE-099/ResourceInjection.ql index 3f842b1d4f4f..50b3bc2c45fb 100644 --- a/csharp/ql/src/Security Features/CWE-099/ResourceInjection.ql +++ b/csharp/ql/src/Security Features/CWE-099/ResourceInjection.ql @@ -15,5 +15,5 @@ import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink where c.hasFlowPath(source, sink) -select sink, source, sink, - "$@ flows to here and is used in a resource descriptor.", source, "User-provided value" +select sink.getNode(), source, sink, + "$@ flows to here and is used in a resource descriptor.", source.getNode(), "User-provided value" 
diff --git a/csharp/ql/src/Security Features/CWE-112/MissingXMLValidation.ql b/csharp/ql/src/Security Features/CWE-112/MissingXMLValidation.ql index 67c8891fd7ab..e2c051f260e3 100644 --- a/csharp/ql/src/Security Features/CWE-112/MissingXMLValidation.ql +++ b/csharp/ql/src/Security Features/CWE-112/MissingXMLValidation.ql @@ -13,7 +13,7 @@ import csharp import semmle.code.csharp.security.dataflow.MissingXMLValidation::MissingXMLValidation import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph -from TaintTrackingConfiguration c, Source source, Sink sink -where c.hasFlow(source, sink) -select sink, source.getPathNode(c), sink.getPathNode(c), - "$@ flows to here and is processed as XML without validation because " + sink.getReason(), source, "User-provided value" +from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink +where c.hasFlowPath(source, sink) +select sink.getNode(), source, sink, + "$@ flows to here and is processed as XML without validation because " + sink.getNode().(Sink).getReason(), source.getNode(), "User-provided value" diff --git a/csharp/ql/src/Security Features/CWE-117/LogForging.ql b/csharp/ql/src/Security Features/CWE-117/LogForging.ql index 01985c85c8c2..010a46f06507 100644 --- a/csharp/ql/src/Security Features/CWE-117/LogForging.ql +++ b/csharp/ql/src/Security Features/CWE-117/LogForging.ql @@ -15,5 +15,5 @@ import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink where c.hasFlowPath(source, sink) -select sink, source, sink, - "$@ flows to log entry.", source, "User-provided value" +select sink.getNode(), source, sink, + "$@ flows to log entry.", source.getNode(), "User-provided value" diff --git a/csharp/ql/src/Security Features/CWE-201/ExposureInTransmittedData.ql b/csharp/ql/src/Security Features/CWE-201/ExposureInTransmittedData.ql index 482c9de2eab4..13377c0e39d0 100644 
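Review bot: In MissingXMLValidation.ql the alert message is built with `sink.getNode().(Sink).getReason()` concatenated directly in the `select`, so a sink for which the cast or `getReason()` has no value produces no result row rather than an alert without a reason. Whether `getReason()` is always defined is not visible in this hunk. StoredXSS.ql in the same patch guards its optional text with `if exists(...) then ... else ...`, and the same pattern here would avoid a silent false negative. The UntrustedDataInsecureXml.ql hunk has the same construction (`"(" + sink.getNode().(Sink).getReason() + ")"`). At minimum a comment such as `// every Sink of this configuration must define getReason(), otherwise the alert is dropped` should state the requirement.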
--- a/csharp/ql/src/Security Features/CWE-201/ExposureInTransmittedData.ql +++ b/csharp/ql/src/Security Features/CWE-201/ExposureInTransmittedData.ql @@ -52,5 +52,5 @@ class TaintTrackingConfiguration extends TaintTracking::Configuration { from TaintTrackingConfiguration configuration, DataFlow::PathNode source, DataFlow::PathNode sink where configuration.hasFlowPath(source, sink) -select sink, source, sink, - "Sensitive information from $@ flows to here, and is transmitted to the user.", source, source.toString() +select sink.getNode(), source, sink, + "Sensitive information from $@ flows to here, and is transmitted to the user.", source.getNode(), source.toString() diff --git a/csharp/ql/src/Security Features/CWE-209/ExceptionInformationExposure.ql b/csharp/ql/src/Security Features/CWE-209/ExceptionInformationExposure.ql index 935e1e155547..92e0a2c29054 100644 --- a/csharp/ql/src/Security Features/CWE-209/ExceptionInformationExposure.ql +++ b/csharp/ql/src/Security Features/CWE-209/ExceptionInformationExposure.ql @@ -59,5 +59,5 @@ class TaintTrackingConfiguration extends TaintTracking::Configuration { from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink where c.hasFlowPath(source, sink) -select sink, source, sink, - "Exception information from $@ flows to here, and is exposed to the user.", source, source.toString() +select sink.getNode(), source, sink, + "Exception information from $@ flows to here, and is exposed to the user.", source.getNode(), source.toString() diff --git a/csharp/ql/src/Security Features/CWE-312/CleartextStorage.ql b/csharp/ql/src/Security Features/CWE-312/CleartextStorage.ql index 17d09cb368d8..86a40318b835 100644 --- a/csharp/ql/src/Security Features/CWE-312/CleartextStorage.ql +++ b/csharp/ql/src/Security Features/CWE-312/CleartextStorage.ql 
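Review bot: In ExposureInTransmittedData.ql the link element is now `source.getNode()` but the link text is still `source.toString()`, which is taken from the `PathNode` rather than from the node the link points at. If `PathNode.toString()` only delegates to the underlying node the output is unchanged, but that is not visible here, and the alert text would change if the path-node rendering ever differs. Using `source.getNode(), source.getNode().toString()` keeps the link target and its label tied to the same element. The same pairing appears in the ExceptionInformationExposure.ql, CleartextStorage.ql and ExposureOfPrivateInformation.ql hunks.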
@@ -17,5 +17,5 @@ import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink where c.hasFlowPath(source, sink) -select sink, source, sink, - "Sensitive data returned by $@ is stored here.", source, source.toString() +select sink.getNode(), source, sink, + "Sensitive data returned by $@ is stored here.", source.getNode(), source.toString() diff --git a/csharp/ql/src/Security Features/CWE-359/ExposureOfPrivateInformation.ql b/csharp/ql/src/Security Features/CWE-359/ExposureOfPrivateInformation.ql index d2d593f70258..430dcd0c5ceb 100644 --- a/csharp/ql/src/Security Features/CWE-359/ExposureOfPrivateInformation.ql +++ b/csharp/ql/src/Security Features/CWE-359/ExposureOfPrivateInformation.ql @@ -15,5 +15,5 @@ import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink where c.hasFlowPath(source, sink) -select sink, source, sink, - "Private data returned by $@ is written to an external location.", source, source.toString() +select sink.getNode(), source, sink, + "Private data returned by $@ is written to an external location.", source.getNode(), source.toString() diff --git a/csharp/ql/src/Security Features/CWE-601/UrlRedirect.ql b/csharp/ql/src/Security Features/CWE-601/UrlRedirect.ql index c499c9860fbb..e951bba312d7 100644 --- a/csharp/ql/src/Security Features/CWE-601/UrlRedirect.ql +++ b/csharp/ql/src/Security Features/CWE-601/UrlRedirect.ql @@ -15,5 +15,5 @@ import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink where c.hasFlowPath(source, sink) -select sink, source, sink, - "Untrusted URL redirection due to $@.", source, "user-provided value" +select sink.getNode(), source, sink, + "Untrusted URL redirection due to $@.", source.getNode(), "user-provided value" 
diff --git a/csharp/ql/src/Security Features/CWE-611/UntrustedDataInsecureXml.ql b/csharp/ql/src/Security Features/CWE-611/UntrustedDataInsecureXml.ql index fa1c5a93e990..6458534cbf40 100644 --- a/csharp/ql/src/Security Features/CWE-611/UntrustedDataInsecureXml.ql +++ b/csharp/ql/src/Security Features/CWE-611/UntrustedDataInsecureXml.ql @@ -14,7 +14,7 @@ import csharp import semmle.code.csharp.security.dataflow.XMLEntityInjection::XMLEntityInjection import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph -from TaintTrackingConfiguration c, Source source, Sink sink -where c.hasFlow(source, sink) -select sink, source.getPathNode(c), sink.getPathNode(c), - "$@ flows to here and is loaded insecurely as XML (" + sink.getReason() +").", source, "User-provided value" +from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink +where c.hasFlowPath(source, sink) +select sink.getNode(), source, sink, + "$@ flows to here and is loaded insecurely as XML (" + sink.getNode().(Sink).getReason() +").", source.getNode(), "User-provided value" diff --git a/csharp/ql/src/Security Features/CWE-643/StoredXPathInjection.ql b/csharp/ql/src/Security Features/CWE-643/StoredXPathInjection.ql index adb34437b2b2..3734533d9f0b 100644 --- a/csharp/ql/src/Security Features/CWE-643/StoredXPathInjection.ql +++ b/csharp/ql/src/Security Features/CWE-643/StoredXPathInjection.ql @@ -23,5 +23,5 @@ class StoredTaintTrackingConfiguration extends XPathInjection::TaintTrackingConf from StoredTaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink where c.hasFlowPath(source, sink) -select sink, source, sink, - "$@ flows to here and is used in an XPath expression.", source, "Stored user-provided value" +select sink.getNode(), source, sink, + "$@ flows to here and is used in an XPath expression.", source.getNode(), "Stored user-provided value" 
diff --git a/csharp/ql/src/Security Features/CWE-643/XPathInjection.ql b/csharp/ql/src/Security Features/CWE-643/XPathInjection.ql index 6cc18e5dac08..e5eba0b9db4b 100644 --- a/csharp/ql/src/Security Features/CWE-643/XPathInjection.ql +++ b/csharp/ql/src/Security Features/CWE-643/XPathInjection.ql @@ -15,5 +15,5 @@ import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink where c.hasFlowPath(source, sink) -select sink, source, sink, - "$@ flows to here and is used in an XPath expression.", source, "User-provided value" +select sink.getNode(), source, sink, + "$@ flows to here and is used in an XPath expression.", source.getNode(), "User-provided value" diff --git a/csharp/ql/src/Security Features/CWE-730/ReDoS.ql b/csharp/ql/src/Security Features/CWE-730/ReDoS.ql index d0675f8c06f8..bb159cc0c6aa 100644 --- a/csharp/ql/src/Security Features/CWE-730/ReDoS.ql +++ b/csharp/ql/src/Security Features/CWE-730/ReDoS.ql @@ -15,9 +15,9 @@ import semmle.code.csharp.security.dataflow.ReDoS::ReDoS import semmle.code.csharp.frameworks.system.text.RegularExpressions import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph -from TaintTrackingConfiguration c, Source source, DataFlow::Node sink -where c.hasFlow(source, sink) +from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink +where c.hasFlowPath(source, sink) // No global timeout set and not exists(RegexGlobalTimeout r) -select sink, source.getPathNode(c), sink.getPathNode(c), - "$@ flows to regular expression operation with dangerous regex.", source, "User-provided value" +select sink.getNode().(Sink), source, sink, + "$@ flows to regular expression operation with dangerous regex.", source.getNode(), "User-provided value" diff --git a/csharp/ql/src/Security Features/CWE-730/RegexInjection.ql b/csharp/ql/src/Security Features/CWE-730/RegexInjection.ql index 458fb366bd23..2582acc7ebef 100644 
--- a/csharp/ql/src/Security Features/CWE-730/RegexInjection.ql +++ b/csharp/ql/src/Security Features/CWE-730/RegexInjection.ql @@ -16,9 +16,9 @@ import semmle.code.csharp.security.dataflow.RegexInjection::RegexInjection import semmle.code.csharp.frameworks.system.text.RegularExpressions import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph -from TaintTrackingConfiguration c, Source source, Sink sink -where c.hasFlow(source, sink) +from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink +where c.hasFlowPath(source, sink) // No global timeout set and not exists(RegexGlobalTimeout r) -select sink, source.getPathNode(c), sink.getPathNode(c), - "$@ flows to the construction of a regular expression.", source, "User-provided value" +select sink.getNode(), source, sink, + "$@ flows to the construction of a regular expression.", source.getNode(), "User-provided value" diff --git a/csharp/ql/src/Security Features/CWE-798/HardcodedConnectionString.ql b/csharp/ql/src/Security Features/CWE-798/HardcodedConnectionString.ql index 4585057055d3..481268366cb2 100644 --- a/csharp/ql/src/Security Features/CWE-798/HardcodedConnectionString.ql +++ b/csharp/ql/src/Security Features/CWE-798/HardcodedConnectionString.ql @@ -48,8 +48,8 @@ class ConnectionStringTaintTrackingConfiguration extends TaintTracking::Configur } } -from ConnectionStringTaintTrackingConfiguration c, DataFlow::Node source, DataFlow::Node sink -where c.hasFlow(source, sink) -select source, source.getPathNode(c), sink.getPathNode(c), +from ConnectionStringTaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink +where c.hasFlowPath(source, sink) +select source.getNode(), source, sink, "'ConnectionString' property includes hard-coded credentials set in $@.", - any(Call call | call.getAnArgument() = sink.asExpr()) as call, call.toString() + any(Call call | call.getAnArgument() = sink.getNode().asExpr()) as call, call.toString() 
diff --git a/csharp/ql/src/Security Features/CWE-798/HardcodedCredentials.ql b/csharp/ql/src/Security Features/CWE-798/HardcodedCredentials.ql index 11ddc864418a..11d4307d05e0 100644 --- a/csharp/ql/src/Security Features/CWE-798/HardcodedCredentials.ql +++ b/csharp/ql/src/Security Features/CWE-798/HardcodedCredentials.ql @@ -14,15 +14,18 @@ import csharp import semmle.code.csharp.security.dataflow.HardcodedCredentials::HardcodedCredentials import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph -from TaintTrackingConfiguration c, Source source, Sink sink, string value +from TaintTrackingConfiguration c, Source source, Sink sink, DataFlow::PathNode sourcePath, DataFlow::PathNode sinkPath, + string value where + source = sourcePath.getNode() and + sink = sinkPath.getNode() and c.hasFlow(source, sink) and // Print the source value if it's available if exists(source.asExpr().getValue()) then value = "The hard-coded value \"" + source.asExpr().getValue() + "\"" else value = "This hard-coded value" -select source, source.getPathNode(c), sink.getPathNode(c), +select source, sourcePath, sinkPath, value + " flows to " + sink.getSinkDescription() + ".", sink, sink.getSinkName(), sink.getSupplementaryElement(), sink.getSupplementaryElement().toString() diff --git a/csharp/ql/src/Security Features/CWE-807/ConditionalBypass.ql b/csharp/ql/src/Security Features/CWE-807/ConditionalBypass.ql index 013320f92521..6b8dd7aee44e 100644 --- a/csharp/ql/src/Security Features/CWE-807/ConditionalBypass.ql +++ b/csharp/ql/src/Security Features/CWE-807/ConditionalBypass.ql 
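Review bot: In the HardcodedCredentials.ql hunk, the `where` clause keeps `c.hasFlow(source, sink)` and ties `sourcePath` and `sinkPath` to the endpoints only by `source = sourcePath.getNode()` and `sink = sinkPath.getNode()`. Nothing relates the two path nodes to configuration `c` or to each other, whereas the removed `getPathNode(c)` helper required `result.getConfiguration() = config`. If another configuration creates path nodes over the same data-flow nodes, the alert can be paired with a path explanation that does not belong to it. Replacing the flow condition with `c.hasFlowPath(sourcePath, sinkPath)` and keeping the two `getNode()` equalities would match every other query converted in this patch.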
@@ -15,8 +15,8 @@ import csharp import semmle.code.csharp.security.dataflow.ConditionalBypass::UserControlledBypassOfSensitiveMethod import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph -from Configuration config, Source source, Sink sink -where config.hasFlow(source, sink) -select sink.getSensitiveMethodCall(), source.getPathNode(config), sink.getPathNode(config), +from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink +where config.hasFlowPath(source, sink) +select sink.getNode().(Sink).getSensitiveMethodCall(), source, sink, "Sensitive method may not be executed depending on $@, which flows from $@.", sink, "this condition", source, "user input" diff --git a/csharp/ql/src/Security Features/InsecureRandomness.ql b/csharp/ql/src/Security Features/InsecureRandomness.ql index b03b49f22642..5b270a760137 100644 --- a/csharp/ql/src/Security Features/InsecureRandomness.ql +++ b/csharp/ql/src/Security Features/InsecureRandomness.ql @@ -3,7 +3,7 @@ * @description Using a cryptographically weak pseudo-random number generator to generate a * security sensitive value may allow an attacker to predict what sensitive value will * be generated. - * @kind problem + * @kind path-problem * @problem.severity warning * @precision high * @id cs/insecure-randomness @@ -12,6 +12,7 @@ */ import csharp import semmle.code.csharp.frameworks.Test +import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph module Random { import semmle.code.csharp.dataflow.flowsources.Remote 
@@ -103,6 +104,7 @@ module Random { } } -from Random::TaintTrackingConfiguration randomTracking, Random::Source source, Random::Sink sink -where randomTracking.hasFlow(source, sink) -select sink, "Cryptographically insecure random number is generated at $@ and used here in a security context.", source, source.toString() +from Random::TaintTrackingConfiguration randomTracking, DataFlow::PathNode source, DataFlow::PathNode sink +where randomTracking.hasFlowPath(source, sink) +select sink.getNode(), source, sink, + "Cryptographically insecure random number is generated at $@ and used here in a security context.", source.getNode(), source.toString() diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/DataFlow.qll b/csharp/ql/src/semmle/code/csharp/dataflow/DataFlow.qll index d05ce2a4d815..6843d67087b7 100755 --- a/csharp/ql/src/semmle/code/csharp/dataflow/DataFlow.qll +++ b/csharp/ql/src/semmle/code/csharp/dataflow/DataFlow.qll @@ -35,12 +35,6 @@ module DataFlow { /** Gets the location of this node. */ Location getLocation() { none() } - - /** Gets the path node for this node. */ - PathNode getPathNode(Configuration config) { - result.getNode() = this and - result.getConfiguration() = config - } } /** diff --git a/csharp/ql/test/query-tests/Security Features/CWE-338/InsecureRandomness.expected b/csharp/ql/test/query-tests/Security Features/CWE-338/InsecureRandomness.expected index 215587f57547..dd5727c7a463 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-338/InsecureRandomness.expected +++ b/csharp/ql/test/query-tests/Security Features/CWE-338/InsecureRandomness.expected 
@@ -1,3 +1,13 @@ -| InsecureRandomness.cs:12:27:12:50 | call to method InsecureRandomString | Cryptographically insecure random number is generated at $@ and used here in a security context. | InsecureRandomness.cs:28:29:28:43 | call to method Next | call to method Next | -| InsecureRandomness.cs:13:20:13:56 | call to method InsecureRandomStringFromSelection | Cryptographically insecure random number is generated at $@ and used here in a security context. | InsecureRandomness.cs:60:31:60:39 | call to method Next | call to method Next | -| InsecureRandomness.cs:14:20:14:54 | call to method InsecureRandomStringFromIndexer | Cryptographically insecure random number is generated at $@ and used here in a security context. | InsecureRandomness.cs:72:31:72:39 | call to method Next | call to method Next | +edges +| InsecureRandomness.cs:28:29:28:43 | call to method Next | InsecureRandomness.cs:29:27:29:61 | call to method GetString | +| InsecureRandomness.cs:28:29:28:43 | call to method Next | InsecureRandomness.cs:31:16:31:32 | call to method ToString | +| InsecureRandomness.cs:29:27:29:61 | call to method GetString | InsecureRandomness.cs:31:16:31:32 | call to method ToString | +| InsecureRandomness.cs:31:16:31:32 | call to method ToString | InsecureRandomness.cs:12:27:12:50 | call to method InsecureRandomString | +| InsecureRandomness.cs:60:31:60:39 | call to method Next | InsecureRandomness.cs:62:16:62:32 | call to method ToString | +| InsecureRandomness.cs:62:16:62:32 | call to method ToString | InsecureRandomness.cs:13:20:13:56 | call to method InsecureRandomStringFromSelection | +| InsecureRandomness.cs:72:31:72:39 | call to method Next | InsecureRandomness.cs:74:16:74:21 | access to local variable result | +| InsecureRandomness.cs:74:16:74:21 | access to local variable result | InsecureRandomness.cs:14:20:14:54 | call to method InsecureRandomStringFromIndexer | +#select +| InsecureRandomness.cs:12:27:12:50 | call to method InsecureRandomString | 
InsecureRandomness.cs:28:29:28:43 | call to method Next | InsecureRandomness.cs:12:27:12:50 | call to method InsecureRandomString | Cryptographically insecure random number is generated at $@ and used here in a security context. | InsecureRandomness.cs:28:29:28:43 | call to method Next | call to method Next | +| InsecureRandomness.cs:13:20:13:56 | call to method InsecureRandomStringFromSelection | InsecureRandomness.cs:60:31:60:39 | call to method Next | InsecureRandomness.cs:13:20:13:56 | call to method InsecureRandomStringFromSelection | Cryptographically insecure random number is generated at $@ and used here in a security context. | InsecureRandomness.cs:60:31:60:39 | call to method Next | call to method Next | +| InsecureRandomness.cs:14:20:14:54 | call to method InsecureRandomStringFromIndexer | InsecureRandomness.cs:72:31:72:39 | call to method Next | InsecureRandomness.cs:14:20:14:54 | call to method InsecureRandomStringFromIndexer | Cryptographically insecure random number is generated at $@ and used here in a security context. | InsecureRandomness.cs:72:31:72:39 | call to method Next | call to method Next | From cf4b04a3ee4feec1506964deed784267e50c553c Mon Sep 17 00:00:00 2001 From: calum Date: Fri, 16 Nov 2018 11:52:20 +0000 Subject: [PATCH 3/6] C#: Address review comments - adding .getNode() where appropriate. --- .../CWE-327/DontInstallRootCert.ql | 2 +- .../CWE-359/ExposureOfPrivateInformation.ql | 2 +- .../CWE-807/ConditionalBypass.ql | 2 +- .../CWE-838/InappropriateEncoding.ql | 4 +- .../Security Features/InsecureRandomness.ql | 2 +- .../CWE-601/UrlRedirect/UrlRedirect.expected | 44 +++++++++++++------ 6 files changed, 36 insertions(+), 20 deletions(-) diff --git a/csharp/ql/src/Security Features/CWE-327/DontInstallRootCert.ql b/csharp/ql/src/Security Features/CWE-327/DontInstallRootCert.ql index d9f1dd3ef882..3a4293fddaca 100644 --- a/csharp/ql/src/Security Features/CWE-327/DontInstallRootCert.ql 
+++ b/csharp/ql/src/Security Features/CWE-327/DontInstallRootCert.ql @@ -33,6 +33,6 @@ class AddCertToRootStoreConfig extends DataFlow::Configuration { from DataFlow::PathNode oc, DataFlow::PathNode mc, AddCertToRootStoreConfig config where config.hasFlowPath(oc, mc) -select mc, oc, mc, +select mc.getNode(), oc, mc, "Certificate added to the root certificate store." diff --git a/csharp/ql/src/Security Features/CWE-359/ExposureOfPrivateInformation.ql b/csharp/ql/src/Security Features/CWE-359/ExposureOfPrivateInformation.ql index 430dcd0c5ceb..9f952f4db504 100644 --- a/csharp/ql/src/Security Features/CWE-359/ExposureOfPrivateInformation.ql +++ b/csharp/ql/src/Security Features/CWE-359/ExposureOfPrivateInformation.ql @@ -16,4 +16,4 @@ import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink where c.hasFlowPath(source, sink) select sink.getNode(), source, sink, - "Private data returned by $@ is written to an external location.", source.getNode(), source.toString() + "Private data returned by $@ is written to an external location.", source.getNode(), source.getNode().toString() diff --git a/csharp/ql/src/Security Features/CWE-807/ConditionalBypass.ql b/csharp/ql/src/Security Features/CWE-807/ConditionalBypass.ql index 6b8dd7aee44e..cf16ee88306c 100644 --- a/csharp/ql/src/Security Features/CWE-807/ConditionalBypass.ql +++ b/csharp/ql/src/Security Features/CWE-807/ConditionalBypass.ql @@ -19,4 +19,4 @@ from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink where config.hasFlowPath(source, sink) select sink.getNode().(Sink).getSensitiveMethodCall(), source, sink, "Sensitive method may not be executed depending on $@, which flows from $@.", - sink, "this condition", source, "user input" + sink.getNode(), "this condition", source.getNode(), "user input" 
diff --git a/csharp/ql/src/Security Features/CWE-838/InappropriateEncoding.ql b/csharp/ql/src/Security Features/CWE-838/InappropriateEncoding.ql index 9735cc52a637..133f1f3b3b29 100644 --- a/csharp/ql/src/Security Features/CWE-838/InappropriateEncoding.ql +++ b/csharp/ql/src/Security Features/CWE-838/InappropriateEncoding.ql @@ -156,5 +156,5 @@ module EncodingConfigurations { from RequiresEncodingConfiguration c, PathNode encodedValue, PathNode sink, string kind where c.hasWrongEncoding(encodedValue, sink, kind) -select sink, encodedValue, sink, - "This " + kind + " may include data from a $@.", encodedValue, "possibly inappropriately encoded value" +select sink.getNode(), encodedValue, sink, + "This " + kind + " may include data from a $@.", encodedValue.getNode(), "possibly inappropriately encoded value" diff --git a/csharp/ql/src/Security Features/InsecureRandomness.ql b/csharp/ql/src/Security Features/InsecureRandomness.ql index 5b270a760137..37dd0f1d4812 100644 --- a/csharp/ql/src/Security Features/InsecureRandomness.ql +++ b/csharp/ql/src/Security Features/InsecureRandomness.ql @@ -107,4 +107,4 @@ module Random { from Random::TaintTrackingConfiguration randomTracking, DataFlow::PathNode source, DataFlow::PathNode sink where randomTracking.hasFlowPath(source, sink) select sink.getNode(), source, sink, - "Cryptographically insecure random number is generated at $@ and used here in a security context.", source.getNode(), source.toString() + "Cryptographically insecure random number is generated at $@ and used here in a security context.", source.getNode(), source.getNode().toString() diff --git a/csharp/ql/test/query-tests/Security Features/CWE-601/UrlRedirect/UrlRedirect.expected b/csharp/ql/test/query-tests/Security Features/CWE-601/UrlRedirect/UrlRedirect.expected index eec21ad90a13..97a7725ef1bd 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-601/UrlRedirect/UrlRedirect.expected 
+++ b/csharp/ql/test/query-tests/Security Features/CWE-601/UrlRedirect/UrlRedirect.expected 
@@ -1,14 +1,30 @@ -| UrlRedirect.cs:14:31:14:61 | access to indexer | Untrusted URL redirection due to $@. | UrlRedirect.cs:14:31:14:53 | access to property QueryString | user-provided value | -| UrlRedirect.cs:39:44:39:74 | access to indexer | Untrusted URL redirection due to $@. | UrlRedirect.cs:39:44:39:66 | access to property QueryString | user-provided value | -| UrlRedirect.cs:40:47:40:77 | access to indexer | Untrusted URL redirection due to $@. | UrlRedirect.cs:40:47:40:69 | access to property QueryString | user-provided value | -| UrlRedirect.cs:49:29:49:31 | access to local variable url | Untrusted URL redirection due to $@. | UrlRedirect.cs:24:22:24:44 | access to property QueryString | user-provided value | -| UrlRedirectCore.cs:18:22:18:26 | access to parameter value | Untrusted URL redirection due to $@. | UrlRedirectCore.cs:15:44:15:48 | value | user-provided value | -| UrlRedirectCore.cs:21:44:21:48 | call to operator implicit conversion | Untrusted URL redirection due to $@. | UrlRedirectCore.cs:15:44:15:48 | value | user-provided value | -| UrlRedirectCore.cs:27:46:27:50 | call to operator implicit conversion | Untrusted URL redirection due to $@. | UrlRedirectCore.cs:15:44:15:48 | value | user-provided value | -| UrlRedirectCore.cs:33:66:33:70 | access to parameter value | Untrusted URL redirection due to $@. | UrlRedirectCore.cs:15:44:15:48 | value | user-provided value | -| UrlRedirectCore.cs:36:49:36:53 | call to operator implicit conversion | Untrusted URL redirection due to $@. | UrlRedirectCore.cs:15:44:15:48 | value | user-provided value | -| UrlRedirectCore.cs:39:69:39:73 | access to parameter value | Untrusted URL redirection due to $@. | UrlRedirectCore.cs:15:44:15:48 | value | user-provided value | -| UrlRedirectCore.cs:42:39:42:53 | ... + ... | Untrusted URL redirection due to $@. 
| UrlRedirectCore.cs:15:44:15:48 | value | user-provided value | -| UrlRedirectCore.cs:50:28:50:32 | access to parameter value | Untrusted URL redirection due to $@. | UrlRedirectCore.cs:47:51:47:55 | value | user-provided value | -| UrlRedirectCore.cs:55:32:55:45 | object creation of type Uri | Untrusted URL redirection due to $@. | UrlRedirectCore.cs:47:51:47:55 | value | user-provided value | -| UrlRedirectCore.cs:58:31:58:35 | access to parameter value | Untrusted URL redirection due to $@. | UrlRedirectCore.cs:47:51:47:55 | value | user-provided value | +edges +| UrlRedirect.cs:14:31:14:53 | access to property QueryString | UrlRedirect.cs:14:31:14:61 | access to indexer | +| UrlRedirect.cs:24:22:24:44 | access to property QueryString | UrlRedirect.cs:49:29:49:31 | access to local variable url | +| UrlRedirect.cs:39:44:39:66 | access to property QueryString | UrlRedirect.cs:39:44:39:74 | access to indexer | +| UrlRedirect.cs:40:47:40:69 | access to property QueryString | UrlRedirect.cs:40:47:40:77 | access to indexer | +| UrlRedirectCore.cs:15:44:15:48 | value | UrlRedirectCore.cs:18:22:18:26 | access to parameter value | +| UrlRedirectCore.cs:15:44:15:48 | value | UrlRedirectCore.cs:21:44:21:48 | call to operator implicit conversion | +| UrlRedirectCore.cs:15:44:15:48 | value | UrlRedirectCore.cs:27:46:27:50 | call to operator implicit conversion | +| UrlRedirectCore.cs:15:44:15:48 | value | UrlRedirectCore.cs:33:66:33:70 | access to parameter value | +| UrlRedirectCore.cs:15:44:15:48 | value | UrlRedirectCore.cs:36:49:36:53 | call to operator implicit conversion | +| UrlRedirectCore.cs:15:44:15:48 | value | UrlRedirectCore.cs:39:69:39:73 | access to parameter value | +| UrlRedirectCore.cs:15:44:15:48 | value | UrlRedirectCore.cs:42:39:42:53 | ... + ... 
| +| UrlRedirectCore.cs:47:51:47:55 | value | UrlRedirectCore.cs:50:28:50:32 | access to parameter value | +| UrlRedirectCore.cs:47:51:47:55 | value | UrlRedirectCore.cs:55:32:55:45 | object creation of type Uri | +| UrlRedirectCore.cs:47:51:47:55 | value | UrlRedirectCore.cs:58:31:58:35 | access to parameter value | +#select +| UrlRedirect.cs:14:31:14:61 | access to indexer | UrlRedirect.cs:14:31:14:53 | access to property QueryString | UrlRedirect.cs:14:31:14:61 | access to indexer | Untrusted URL redirection due to $@. | UrlRedirect.cs:14:31:14:53 | access to property QueryString | user-provided value | +| UrlRedirect.cs:39:44:39:74 | access to indexer | UrlRedirect.cs:39:44:39:66 | access to property QueryString | UrlRedirect.cs:39:44:39:74 | access to indexer | Untrusted URL redirection due to $@. | UrlRedirect.cs:39:44:39:66 | access to property QueryString | user-provided value | +| UrlRedirect.cs:40:47:40:77 | access to indexer | UrlRedirect.cs:40:47:40:69 | access to property QueryString | UrlRedirect.cs:40:47:40:77 | access to indexer | Untrusted URL redirection due to $@. | UrlRedirect.cs:40:47:40:69 | access to property QueryString | user-provided value | +| UrlRedirect.cs:49:29:49:31 | access to local variable url | UrlRedirect.cs:24:22:24:44 | access to property QueryString | UrlRedirect.cs:49:29:49:31 | access to local variable url | Untrusted URL redirection due to $@. | UrlRedirect.cs:24:22:24:44 | access to property QueryString | user-provided value | +| UrlRedirectCore.cs:18:22:18:26 | access to parameter value | UrlRedirectCore.cs:15:44:15:48 | value | UrlRedirectCore.cs:18:22:18:26 | access to parameter value | Untrusted URL redirection due to $@. | UrlRedirectCore.cs:15:44:15:48 | value | user-provided value | +| UrlRedirectCore.cs:21:44:21:48 | call to operator implicit conversion | UrlRedirectCore.cs:15:44:15:48 | value | UrlRedirectCore.cs:21:44:21:48 | call to operator implicit conversion | Untrusted URL redirection due to $@. 
| UrlRedirectCore.cs:15:44:15:48 | value | user-provided value | +| UrlRedirectCore.cs:27:46:27:50 | call to operator implicit conversion | UrlRedirectCore.cs:15:44:15:48 | value | UrlRedirectCore.cs:27:46:27:50 | call to operator implicit conversion | Untrusted URL redirection due to $@. | UrlRedirectCore.cs:15:44:15:48 | value | user-provided value | +| UrlRedirectCore.cs:33:66:33:70 | access to parameter value | UrlRedirectCore.cs:15:44:15:48 | value | UrlRedirectCore.cs:33:66:33:70 | access to parameter value | Untrusted URL redirection due to $@. | UrlRedirectCore.cs:15:44:15:48 | value | user-provided value | +| UrlRedirectCore.cs:36:49:36:53 | call to operator implicit conversion | UrlRedirectCore.cs:15:44:15:48 | value | UrlRedirectCore.cs:36:49:36:53 | call to operator implicit conversion | Untrusted URL redirection due to $@. | UrlRedirectCore.cs:15:44:15:48 | value | user-provided value | +| UrlRedirectCore.cs:39:69:39:73 | access to parameter value | UrlRedirectCore.cs:15:44:15:48 | value | UrlRedirectCore.cs:39:69:39:73 | access to parameter value | Untrusted URL redirection due to $@. | UrlRedirectCore.cs:15:44:15:48 | value | user-provided value | +| UrlRedirectCore.cs:42:39:42:53 | ... + ... | UrlRedirectCore.cs:15:44:15:48 | value | UrlRedirectCore.cs:42:39:42:53 | ... + ... | Untrusted URL redirection due to $@. | UrlRedirectCore.cs:15:44:15:48 | value | user-provided value | +| UrlRedirectCore.cs:50:28:50:32 | access to parameter value | UrlRedirectCore.cs:47:51:47:55 | value | UrlRedirectCore.cs:50:28:50:32 | access to parameter value | Untrusted URL redirection due to $@. | UrlRedirectCore.cs:47:51:47:55 | value | user-provided value | +| UrlRedirectCore.cs:55:32:55:45 | object creation of type Uri | UrlRedirectCore.cs:47:51:47:55 | value | UrlRedirectCore.cs:55:32:55:45 | object creation of type Uri | Untrusted URL redirection due to $@. 
| UrlRedirectCore.cs:47:51:47:55 | value | user-provided value | +| UrlRedirectCore.cs:58:31:58:35 | access to parameter value | UrlRedirectCore.cs:47:51:47:55 | value | UrlRedirectCore.cs:58:31:58:35 | access to parameter value | Untrusted URL redirection due to $@. | UrlRedirectCore.cs:47:51:47:55 | value | user-provided value | From 8c753d7e94c8e3e596d23c85b51f317c616b4069 Mon Sep 17 00:00:00 2001 From: calum Date: Wed, 21 Nov 2018 11:15:55 +0000 Subject: [PATCH 4/6] C#: Fix ReDoS query. --- csharp/ql/src/Security Features/CWE-730/ReDoS.ql | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/csharp/ql/src/Security Features/CWE-730/ReDoS.ql b/csharp/ql/src/Security Features/CWE-730/ReDoS.ql index bb159cc0c6aa..f1dbe5a068ec 100644 --- a/csharp/ql/src/Security Features/CWE-730/ReDoS.ql +++ b/csharp/ql/src/Security Features/CWE-730/ReDoS.ql @@ -16,8 +16,14 @@ import semmle.code.csharp.frameworks.system.text.RegularExpressions import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink -where c.hasFlowPath(source, sink) +where + c.hasFlowPath(source, sink) and // No global timeout set - and not exists(RegexGlobalTimeout r) -select sink.getNode().(Sink), source, sink, + not exists(RegexGlobalTimeout r) and + ( + sink.getNode() instanceof Sink + or + sink.getNode() instanceof ExponentialRegexSink + ) +select sink.getNode(), source, sink, "$@ flows to regular expression operation with dangerous regex.", source.getNode(), "User-provided value" From 69ab1ed5bd1d577c3264f6399a7686a12db29a87 Mon Sep 17 00:00:00 2001 
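Review bot: The new disjunction `sink.getNode() instanceof Sink or sink.getNode() instanceof ExponentialRegexSink` in the ReDoS.ql `where` clause has no comment, so a reader cannot tell whether it narrows the configuration's sinks or only restates them. The commit message says "Fix ReDoS query", and the previous revision cast the selected node to `Sink`, which suggests results ending at an `ExponentialRegexSink` were being dropped; that is inferred, since the library is not shown. A line such as `// The end node may be either sink class; casting to Sink alone would discard ExponentialRegexSink results` above the parenthesised condition would record the reason and guard against the cast being reintroduced.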
From: calum Date: Wed, 21 Nov 2018 12:35:05 +0000 Subject: [PATCH 5/6] C#: Add `nodes` predicate to all path queries. --- .../semmle/code/csharp/dataflow/DataFlow.qll | 3 +++ .../CWE-022/TaintedPath/TaintedPath.expected | 9 ++++++++ .../CWE-022/ZipSlip/ZipSlip.expected | 15 +++++++++++++ .../CWE-078/CommandInjection.expected | 9 ++++++++ .../CWE-078/StoredCommandInjection.expected | 3 +++ .../CWE-079/StoredXSS/StoredXSS.expected | 3 +++ .../CWE-089/SecondOrderSqlInjection.expected | 3 +++ .../CWE-089/SqlInjection.expected | 10 +++++++++ .../CWE-090/LDAPInjection.expected | 8 +++++++ .../CWE-090/StoredLDAPInjection.expected | 3 +++ .../CWE-094/CodeInjection.expected | 4 ++++ .../CWE-099/ResourceInjection.expected | 4 ++++ .../CWE-112/MissingXMLValidation.expected | 15 +++++++++++++ .../CWE-117/LogForging.expected | 4 ++++ .../ExposureInTransmittedData.expected | 12 +++++++++++ .../ExceptionInformationExposure.expected | 6 ++++++ .../CWE-312/CleartextStorage.expected | 6 ++++++ .../DontInstallRootCert.expected | 7 +++++++ .../CWE-338/InsecureRandomness.expected | 11 ++++++++++ .../ExposureOfPrivateInformation.expected | 4 ++++ .../CWE-601/UrlRedirect/UrlRedirect.expected | 21 +++++++++++++++++++ .../CWE-611/UntrustedDataInsecureXml.expected | 5 +++++ .../CWE-643/StoredXPathInjection.expected | 5 +++++ .../CWE-643/XPathInjection.expected | 5 +++++ .../CWE-730/ReDoS/ReDoS.expected | 19 +++++++++++++++++ .../CWE-730/ReDoSGlobalTimeout/ReDoS.expected | 4 ++++ .../RegexInjection/RegexInjection.expected | 3 +++ .../HardcodedConnectionString.expected | 14 +++++++++++++ .../CWE-798/HardcodedCredentials.expected | 12 +++++++++++ .../CWE-807/ConditionalBypass.expected | 13 ++++++++++++ .../CWE-838/InappropriateEncoding.expected | 21 +++++++++++++++++++ 31 files changed, 261 insertions(+) diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/DataFlow.qll b/csharp/ql/src/semmle/code/csharp/dataflow/DataFlow.qll index 6843d67087b7..dfd7885899c5 100755 
--- a/csharp/ql/src/semmle/code/csharp/dataflow/DataFlow.qll +++ b/csharp/ql/src/semmle/code/csharp/dataflow/DataFlow.qll @@ -130,6 +130,9 @@ module DataFlow { module PathGraph { /** Holds if `(a,b)` is an edge in the graph of data flow path explanations. */ query predicate edges(PathNode a, PathNode b) { a.getASuccessor() = b } + + /** Holds if `node` is a node in the graph of data flow path explanations. */ + query predicate nodes(PathNode node) { any() } } /** diff --git a/csharp/ql/test/query-tests/Security Features/CWE-022/TaintedPath/TaintedPath.expected b/csharp/ql/test/query-tests/Security Features/CWE-022/TaintedPath/TaintedPath.expected index 8586fc5266d2..9207136a1c64 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-022/TaintedPath/TaintedPath.expected +++ b/csharp/ql/test/query-tests/Security Features/CWE-022/TaintedPath/TaintedPath.expected 
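Review bot: The body of `nodes` in the DataFlow.qll hunk is `any()`, so the predicate holds for every `PathNode` in scope, while its doc comment describes it as a node "in the graph of data flow path explanations". Whether those two sets coincide depends on how `PathNode` is defined, which is outside this hunk. The comment should state that dependency, for example `/** Holds if node is a node in the graph of data flow path explanations. Every PathNode qualifies; the set is limited only by the definition of PathNode. */`. If `PathNode` is not already restricted to nodes lying on a source-to-sink path, every path query importing `PathGraph` will return unrelated nodes in its `nodes` result, which the 31 updated `.expected` files would then pin in place.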
@@ -6,6 +6,15 @@ edges | TaintedPath.cs:12:23:12:45 | access to property QueryString | TaintedPath.cs:38:25:38:31 | access to local variable badPath | | TaintedPath.cs:12:23:12:45 | access to property QueryString | TaintedPath.cs:40:49:40:55 | access to local variable badPath | | TaintedPath.cs:12:23:12:45 | access to property QueryString | TaintedPath.cs:53:26:53:29 | access to local variable path | +nodes +| TaintedPath.cs:12:23:12:45 | access to property QueryString | +| TaintedPath.cs:14:50:14:53 | access to local variable path | +| TaintedPath.cs:19:51:19:54 | access to local variable path | +| TaintedPath.cs:27:30:27:33 | access to local variable path | +| TaintedPath.cs:33:30:33:33 | access to local variable path | +| TaintedPath.cs:38:25:38:31 | access to local variable badPath | +| TaintedPath.cs:40:49:40:55 | access to local variable badPath | +| TaintedPath.cs:53:26:53:29 | access to local variable path | #select | TaintedPath.cs:14:50:14:53 | access to local variable path | TaintedPath.cs:12:23:12:45 | access to property QueryString | TaintedPath.cs:14:50:14:53 | access to local variable path | $@ flows to here and is used in a path. | TaintedPath.cs:12:23:12:45 | access to property QueryString | User-provided value | | TaintedPath.cs:19:51:19:54 | access to local variable path | TaintedPath.cs:12:23:12:45 | access to property QueryString | TaintedPath.cs:19:51:19:54 | access to local variable path | $@ flows to here and is used in a path. | TaintedPath.cs:12:23:12:45 | access to property QueryString | User-provided value | diff --git a/csharp/ql/test/query-tests/Security Features/CWE-022/ZipSlip/ZipSlip.expected b/csharp/ql/test/query-tests/Security Features/CWE-022/ZipSlip/ZipSlip.expected index 2672f945a628..a95aff9ad550 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-022/ZipSlip/ZipSlip.expected +++ b/csharp/ql/test/query-tests/Security Features/CWE-022/ZipSlip/ZipSlip.expected 
@@ -10,6 +10,21 @@ edges | ZipSlip.cs:62:72:62:85 | access to property FullName | ZipSlip.cs:83:57:83:68 | access to local variable destFilePath | | ZipSlip.cs:62:72:62:85 | access to property FullName | ZipSlip.cs:91:58:91:69 | access to local variable destFilePath | | ZipSlipBad.cs:9:59:9:72 | access to property FullName | ZipSlipBad.cs:10:29:10:40 | access to local variable destFileName | +nodes +| ZipSlip.cs:16:52:16:65 | access to property FullName | +| ZipSlip.cs:19:31:19:44 | access to property FullName | +| ZipSlip.cs:24:41:24:52 | access to local variable destFileName | +| ZipSlip.cs:32:41:32:52 | access to local variable destFilePath | +| ZipSlip.cs:36:45:36:56 | access to local variable destFilePath | +| ZipSlip.cs:39:53:39:89 | call to method Combine | +| ZipSlip.cs:40:41:40:52 | access to local variable destFilePath | +| ZipSlip.cs:62:72:62:85 | access to property FullName | +| ZipSlip.cs:69:74:69:85 | access to local variable destFilePath | +| ZipSlip.cs:76:71:76:82 | access to local variable destFilePath | +| ZipSlip.cs:83:57:83:68 | access to local variable destFilePath | +| ZipSlip.cs:91:58:91:69 | access to local variable destFilePath | +| ZipSlipBad.cs:9:59:9:72 | access to property FullName | +| ZipSlipBad.cs:10:29:10:40 | access to local variable destFileName | #select | ZipSlip.cs:24:41:24:52 | access to local variable destFileName | ZipSlip.cs:19:31:19:44 | access to property FullName | ZipSlip.cs:24:41:24:52 | access to local variable destFileName | Unsanitized zip archive $@, which may contain '..', is used in a file system operation. | ZipSlip.cs:19:31:19:44 | access to property FullName | item path | | ZipSlip.cs:32:41:32:52 | access to local variable destFilePath | ZipSlip.cs:16:52:16:65 | access to property FullName | ZipSlip.cs:32:41:32:52 | access to local variable destFilePath | Unsanitized zip archive $@, which may contain '..', is used in a file system operation. | ZipSlip.cs:16:52:16:65 | access to property FullName | item path | 
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-078/CommandInjection.expected b/csharp/ql/test/query-tests/Security Features/CWE-078/CommandInjection.expected index 7c2a68cec355..433556e9edee 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-078/CommandInjection.expected +++ b/csharp/ql/test/query-tests/Security Features/CWE-078/CommandInjection.expected @@ -6,6 +6,15 @@ edges | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | CommandInjection.cs:32:39:32:47 | access to local variable userInput | | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | CommandInjection.cs:33:40:33:48 | access to local variable userInput | | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | CommandInjection.cs:34:47:34:55 | access to local variable userInput | +nodes +| CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | +| CommandInjection.cs:26:27:26:47 | ... + ... | +| CommandInjection.cs:26:50:26:66 | ... + ... | +| CommandInjection.cs:28:63:28:71 | access to local variable userInput | +| CommandInjection.cs:28:74:28:82 | access to local variable userInput | +| CommandInjection.cs:32:39:32:47 | access to local variable userInput | +| CommandInjection.cs:33:40:33:48 | access to local variable userInput | +| CommandInjection.cs:34:47:34:55 | access to local variable userInput | #select | CommandInjection.cs:26:27:26:47 | ... + ... | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | CommandInjection.cs:26:27:26:47 | ... + ... | $@ flows to here and is used in a command. | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | User-provided value | | CommandInjection.cs:26:50:26:66 | ... + ... | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | CommandInjection.cs:26:50:26:66 | ... + ... | $@ flows to here and is used in a command. | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | User-provided value | 
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-078/StoredCommandInjection.expected b/csharp/ql/test/query-tests/Security Features/CWE-078/StoredCommandInjection.expected index 8c41bafe5b51..a66196c3c151 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-078/StoredCommandInjection.expected +++ b/csharp/ql/test/query-tests/Security Features/CWE-078/StoredCommandInjection.expected @@ -1,4 +1,7 @@ edges | StoredCommandInjection.cs:24:54:24:80 | call to method GetString | StoredCommandInjection.cs:24:46:24:80 | ... + ... | +nodes +| StoredCommandInjection.cs:24:46:24:80 | ... + ... | +| StoredCommandInjection.cs:24:54:24:80 | call to method GetString | #select | StoredCommandInjection.cs:24:46:24:80 | ... + ... | StoredCommandInjection.cs:24:54:24:80 | call to method GetString | StoredCommandInjection.cs:24:46:24:80 | ... + ... | $@ flows to here and is used in a command. | StoredCommandInjection.cs:24:54:24:80 | call to method GetString | Stored user-provided value | diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/StoredXSS/StoredXSS.expected b/csharp/ql/test/query-tests/Security Features/CWE-079/StoredXSS/StoredXSS.expected index 91263323cae3..fb150f874110 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-079/StoredXSS/StoredXSS.expected +++ b/csharp/ql/test/query-tests/Security Features/CWE-079/StoredXSS/StoredXSS.expected @@ -1,4 +1,7 @@ edges | StoredXSS.cs:24:60:24:86 | call to method GetString | StoredXSS.cs:24:44:24:86 | ... + ... | +nodes +| StoredXSS.cs:24:44:24:86 | ... + ... | +| StoredXSS.cs:24:60:24:86 | call to method GetString | #select | StoredXSS.cs:24:44:24:86 | ... + ... | StoredXSS.cs:24:60:24:86 | call to method GetString | StoredXSS.cs:24:44:24:86 | ... + ... | $@ flows to here and is written to HTML or JavaScript. | StoredXSS.cs:24:60:24:86 | call to method GetString | Stored user-provided value | 
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-089/SecondOrderSqlInjection.expected b/csharp/ql/test/query-tests/Security Features/CWE-089/SecondOrderSqlInjection.expected index 9789f8d2dd7c..e51bc365ccb2 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-089/SecondOrderSqlInjection.expected +++ b/csharp/ql/test/query-tests/Security Features/CWE-089/SecondOrderSqlInjection.expected @@ -1,4 +1,7 @@ edges | SecondOrderSqlInjection.cs:21:119:21:145 | call to method GetString | SecondOrderSqlInjection.cs:21:71:21:145 | ... + ... | +nodes +| SecondOrderSqlInjection.cs:21:71:21:145 | ... + ... | +| SecondOrderSqlInjection.cs:21:119:21:145 | call to method GetString | #select | SecondOrderSqlInjection.cs:21:71:21:145 | ... + ... | SecondOrderSqlInjection.cs:21:119:21:145 | call to method GetString | SecondOrderSqlInjection.cs:21:71:21:145 | ... + ... | $@ flows to here and is used in an SQL query. | SecondOrderSqlInjection.cs:21:119:21:145 | call to method GetString | Stored user-provided value | diff --git a/csharp/ql/test/query-tests/Security Features/CWE-089/SqlInjection.expected b/csharp/ql/test/query-tests/Security Features/CWE-089/SqlInjection.expected index cd94b55c6388..1bc4ebc47642 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-089/SqlInjection.expected +++ b/csharp/ql/test/query-tests/Security Features/CWE-089/SqlInjection.expected 
@@ -18,6 +18,16 @@ edges | SqlInjection.cs:61:62:61:81 | access to property Text | SqlInjection.cs:75:55:75:60 | access to local variable query1 | | SqlInjection.cs:73:33:73:47 | access to field categoryTextBox | SqlInjection.cs:74:56:74:61 | access to local variable query1 | | SqlInjection.cs:73:33:73:47 | access to field categoryTextBox | SqlInjection.cs:75:55:75:60 | access to local variable query1 | +nodes +| SqlInjection.cs:38:21:38:35 | access to field categoryTextBox | +| SqlInjection.cs:39:50:39:55 | access to local variable query1 | +| SqlInjection.cs:49:62:49:76 | access to field categoryTextBox | +| SqlInjection.cs:49:62:49:81 | access to property Text | +| SqlInjection.cs:61:62:61:76 | access to field categoryTextBox | +| SqlInjection.cs:61:62:61:81 | access to property Text | +| SqlInjection.cs:73:33:73:47 | access to field categoryTextBox | +| SqlInjection.cs:74:56:74:61 | access to local variable query1 | +| SqlInjection.cs:75:55:75:60 | access to local variable query1 | #select | SqlInjection.cs:39:50:39:55 | access to local variable query1 | SqlInjection.cs:38:21:38:35 | access to field categoryTextBox | SqlInjection.cs:39:50:39:55 | access to local variable query1 | Query might include code from $@. | SqlInjection.cs:38:21:38:35 | access to field categoryTextBox | this ASP.NET user input | | SqlInjection.cs:74:56:74:61 | access to local variable query1 | SqlInjection.cs:38:21:38:35 | access to field categoryTextBox | SqlInjection.cs:74:56:74:61 | access to local variable query1 | Query might include code from $@. | SqlInjection.cs:38:21:38:35 | access to field categoryTextBox | this ASP.NET user input | diff --git a/csharp/ql/test/query-tests/Security Features/CWE-090/LDAPInjection.expected b/csharp/ql/test/query-tests/Security Features/CWE-090/LDAPInjection.expected index b41e03c73da7..4d78cbb644c9 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-090/LDAPInjection.expected 
+++ b/csharp/ql/test/query-tests/Security Features/CWE-090/LDAPInjection.expected @@ -5,6 +5,14 @@ edges | LDAPInjection.cs:13:27:13:49 | access to property QueryString | LDAPInjection.cs:26:53:26:77 | ... + ... | | LDAPInjection.cs:13:27:13:49 | access to property QueryString | LDAPInjection.cs:29:48:29:70 | ... + ... | | LDAPInjection.cs:13:27:13:49 | access to property QueryString | LDAPInjection.cs:31:20:31:42 | ... + ... | +nodes +| LDAPInjection.cs:13:27:13:49 | access to property QueryString | +| LDAPInjection.cs:16:54:16:78 | ... + ... | +| LDAPInjection.cs:18:21:18:45 | ... + ... | +| LDAPInjection.cs:25:21:25:45 | ... + ... | +| LDAPInjection.cs:26:53:26:77 | ... + ... | +| LDAPInjection.cs:29:48:29:70 | ... + ... | +| LDAPInjection.cs:31:20:31:42 | ... + ... | #select | LDAPInjection.cs:16:54:16:78 | ... + ... | LDAPInjection.cs:13:27:13:49 | access to property QueryString | LDAPInjection.cs:16:54:16:78 | ... + ... | $@ flows to here and is used in an LDAP query. | LDAPInjection.cs:13:27:13:49 | access to property QueryString | User-provided value | | LDAPInjection.cs:18:21:18:45 | ... + ... | LDAPInjection.cs:13:27:13:49 | access to property QueryString | LDAPInjection.cs:18:21:18:45 | ... + ... | $@ flows to here and is used in an LDAP query. | LDAPInjection.cs:13:27:13:49 | access to property QueryString | User-provided value | diff --git a/csharp/ql/test/query-tests/Security Features/CWE-090/StoredLDAPInjection.expected b/csharp/ql/test/query-tests/Security Features/CWE-090/StoredLDAPInjection.expected index 8fd27bbc970a..9b1065d2ea2d 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-090/StoredLDAPInjection.expected +++ b/csharp/ql/test/query-tests/Security Features/CWE-090/StoredLDAPInjection.expected 
@@ -1,4 +1,7 @@ edges | StoredLDAPInjection.cs:24:83:24:109 | call to method GetString | StoredLDAPInjection.cs:24:66:24:109 | ... + ... | +nodes +| StoredLDAPInjection.cs:24:66:24:109 | ... + ... | +| StoredLDAPInjection.cs:24:83:24:109 | call to method GetString | #select | StoredLDAPInjection.cs:24:66:24:109 | ... + ... | StoredLDAPInjection.cs:24:83:24:109 | call to method GetString | StoredLDAPInjection.cs:24:66:24:109 | ... + ... | $@ flows to here and is used in an LDAP query. | StoredLDAPInjection.cs:24:83:24:109 | call to method GetString | Stored user-provided value | diff --git a/csharp/ql/test/query-tests/Security Features/CWE-094/CodeInjection.expected b/csharp/ql/test/query-tests/Security Features/CWE-094/CodeInjection.expected index aa41bff24941..696a6e4841a9 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-094/CodeInjection.expected +++ b/csharp/ql/test/query-tests/Security Features/CWE-094/CodeInjection.expected 
@@ -1,6 +1,10 @@ edges | CodeInjection.cs:25:23:25:45 | access to property QueryString | CodeInjection.cs:31:64:31:67 | access to local variable code | | CodeInjection.cs:25:23:25:45 | access to property QueryString | CodeInjection.cs:42:36:42:39 | access to local variable code | +nodes +| CodeInjection.cs:25:23:25:45 | access to property QueryString | +| CodeInjection.cs:31:64:31:67 | access to local variable code | +| CodeInjection.cs:42:36:42:39 | access to local variable code | #select | CodeInjection.cs:31:64:31:67 | access to local variable code | CodeInjection.cs:25:23:25:45 | access to property QueryString | CodeInjection.cs:31:64:31:67 | access to local variable code | $@ flows to here and is compiled as code. | CodeInjection.cs:25:23:25:45 | access to property QueryString | User-provided value | | CodeInjection.cs:42:36:42:39 | access to local variable code | CodeInjection.cs:25:23:25:45 | access to property QueryString | CodeInjection.cs:42:36:42:39 | access to local variable code | $@ flows to here and is compiled as code. | CodeInjection.cs:25:23:25:45 | access to property QueryString | User-provided value | diff --git a/csharp/ql/test/query-tests/Security Features/CWE-099/ResourceInjection.expected b/csharp/ql/test/query-tests/Security Features/CWE-099/ResourceInjection.expected index df1075794275..a362b1d9ad55 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-099/ResourceInjection.expected +++ b/csharp/ql/test/query-tests/Security Features/CWE-099/ResourceInjection.expected 
@@ -1,6 +1,10 @@ edges | ResourceInjection.cs:10:27:10:49 | access to property QueryString | ResourceInjection.cs:13:57:13:72 | access to local variable connectionString | | ResourceInjection.cs:10:27:10:49 | access to property QueryString | ResourceInjection.cs:15:42:15:57 | access to local variable connectionString | +nodes +| ResourceInjection.cs:10:27:10:49 | access to property QueryString | +| ResourceInjection.cs:13:57:13:72 | access to local variable connectionString | +| ResourceInjection.cs:15:42:15:57 | access to local variable connectionString | #select | ResourceInjection.cs:13:57:13:72 | access to local variable connectionString | ResourceInjection.cs:10:27:10:49 | access to property QueryString | ResourceInjection.cs:13:57:13:72 | access to local variable connectionString | $@ flows to here and is used in a resource descriptor. | ResourceInjection.cs:10:27:10:49 | access to property QueryString | User-provided value | | ResourceInjection.cs:15:42:15:57 | access to local variable connectionString | ResourceInjection.cs:10:27:10:49 | access to property QueryString | ResourceInjection.cs:15:42:15:57 | access to local variable connectionString | $@ flows to here and is used in a resource descriptor. | ResourceInjection.cs:10:27:10:49 | access to property QueryString | User-provided value | diff --git a/csharp/ql/test/query-tests/Security Features/CWE-112/MissingXMLValidation.expected b/csharp/ql/test/query-tests/Security Features/CWE-112/MissingXMLValidation.expected index b9732e9b44c6..2345ce847550 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-112/MissingXMLValidation.expected +++ b/csharp/ql/test/query-tests/Security Features/CWE-112/MissingXMLValidation.expected 
@@ -8,6 +8,21 @@ edges | MissingXMLValidation.cs:27:42:27:64 | object creation of type XmlReaderSettings | MissingXMLValidation.cs:29:61:29:72 | access to local variable badSettings2 | | MissingXMLValidation.cs:32:42:32:64 | object creation of type XmlReaderSettings | MissingXMLValidation.cs:37:61:37:72 | access to local variable goodSettings | | MissingXMLValidation.cs:40:42:40:64 | object creation of type XmlReaderSettings | MissingXMLValidation.cs:47:61:47:72 | access to local variable badSettings3 | +nodes +| MissingXMLValidation.cs:14:34:14:56 | access to property QueryString | +| MissingXMLValidation.cs:18:26:18:58 | object creation of type StringReader | +| MissingXMLValidation.cs:22:42:22:64 | object creation of type XmlReaderSettings | +| MissingXMLValidation.cs:23:26:23:58 | object creation of type StringReader | +| MissingXMLValidation.cs:23:61:23:72 | access to local variable badSettings1 | +| MissingXMLValidation.cs:27:42:27:64 | object creation of type XmlReaderSettings | +| MissingXMLValidation.cs:29:26:29:58 | object creation of type StringReader | +| MissingXMLValidation.cs:29:61:29:72 | access to local variable badSettings2 | +| MissingXMLValidation.cs:32:42:32:64 | object creation of type XmlReaderSettings | +| MissingXMLValidation.cs:37:26:37:58 | object creation of type StringReader | +| MissingXMLValidation.cs:37:61:37:72 | access to local variable goodSettings | +| MissingXMLValidation.cs:40:42:40:64 | object creation of type XmlReaderSettings | +| MissingXMLValidation.cs:47:26:47:58 | object creation of type StringReader | +| MissingXMLValidation.cs:47:61:47:72 | access to local variable badSettings3 | #select | MissingXMLValidation.cs:18:26:18:58 | object creation of type StringReader | MissingXMLValidation.cs:14:34:14:56 | access to property QueryString | MissingXMLValidation.cs:18:26:18:58 | object creation of type StringReader | $@ flows to here and is processed as XML without validation because there is no 'XmlReaderSettings' instance 
specifying schema validation. | MissingXMLValidation.cs:14:34:14:56 | access to property QueryString | User-provided value | | MissingXMLValidation.cs:23:26:23:58 | object creation of type StringReader | MissingXMLValidation.cs:14:34:14:56 | access to property QueryString | MissingXMLValidation.cs:23:26:23:58 | object creation of type StringReader | $@ flows to here and is processed as XML without validation because the 'XmlReaderSettings' instance does not specify the 'ValidationType' as 'Schema'. | MissingXMLValidation.cs:14:34:14:56 | access to property QueryString | User-provided value | diff --git a/csharp/ql/test/query-tests/Security Features/CWE-117/LogForging.expected b/csharp/ql/test/query-tests/Security Features/CWE-117/LogForging.expected index fdda0a73e98a..5cba04b42c24 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-117/LogForging.expected +++ b/csharp/ql/test/query-tests/Security Features/CWE-117/LogForging.expected @@ -1,6 +1,10 @@ edges | LogForging.cs:19:27:19:49 | access to property QueryString | LogForging.cs:22:21:22:43 | ... + ... | | LogForging.cs:19:27:19:49 | access to property QueryString | LogForging.cs:28:50:28:72 | ... + ... | +nodes +| LogForging.cs:19:27:19:49 | access to property QueryString | +| LogForging.cs:22:21:22:43 | ... + ... | +| LogForging.cs:28:50:28:72 | ... + ... | #select | LogForging.cs:22:21:22:43 | ... + ... | LogForging.cs:19:27:19:49 | access to property QueryString | LogForging.cs:22:21:22:43 | ... + ... | $@ flows to log entry. | LogForging.cs:19:27:19:49 | access to property QueryString | User-provided value | | LogForging.cs:28:50:28:72 | ... + ... | LogForging.cs:19:27:19:49 | access to property QueryString | LogForging.cs:28:50:28:72 | ... + ... | $@ flows to log entry. | LogForging.cs:19:27:19:49 | access to property QueryString | User-provided value | 
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-201/ExposureInTransmittedData/ExposureInTransmittedData.expected b/csharp/ql/test/query-tests/Security Features/CWE-201/ExposureInTransmittedData/ExposureInTransmittedData.expected index 7f512300244b..78ef8bdf19e1 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-201/ExposureInTransmittedData/ExposureInTransmittedData.expected +++ b/csharp/ql/test/query-tests/Security Features/CWE-201/ExposureInTransmittedData/ExposureInTransmittedData.expected 
@@ -4,6 +4,18 @@ edges | ExposureInTransmittedData.cs:32:17:32:36 | call to method GetField | ExposureInTransmittedData.cs:33:56:33:56 | access to local variable p | | ExposureInTransmittedData.cs:32:17:32:36 | call to method GetField | ExposureInTransmittedData.cs:34:24:34:52 | ... + ... | | ExposureInTransmittedData.cs:32:17:32:36 | call to method GetField | ExposureInTransmittedData.cs:35:27:35:27 | access to local variable p | +nodes +| ExposureInTransmittedData.cs:16:32:16:39 | access to local variable password | +| ExposureInTransmittedData.cs:20:32:20:44 | call to method ToString | +| ExposureInTransmittedData.cs:24:32:24:41 | access to property Message | +| ExposureInTransmittedData.cs:25:32:25:44 | call to method ToString | +| ExposureInTransmittedData.cs:26:32:26:38 | access to property Data | +| ExposureInTransmittedData.cs:26:32:26:50 | access to indexer | +| ExposureInTransmittedData.cs:32:17:32:36 | call to method GetField | +| ExposureInTransmittedData.cs:33:53:33:53 | access to local variable p | +| ExposureInTransmittedData.cs:33:56:33:56 | access to local variable p | +| ExposureInTransmittedData.cs:34:24:34:52 | ... + ... | +| ExposureInTransmittedData.cs:35:27:35:27 | access to local variable p | #select | ExposureInTransmittedData.cs:16:32:16:39 | access to local variable password | ExposureInTransmittedData.cs:16:32:16:39 | access to local variable password | ExposureInTransmittedData.cs:16:32:16:39 | access to local variable password | Sensitive information from $@ flows to here, and is transmitted to the user. | ExposureInTransmittedData.cs:16:32:16:39 | access to local variable password | access to local variable password | | ExposureInTransmittedData.cs:20:32:20:44 | call to method ToString | ExposureInTransmittedData.cs:20:32:20:44 | call to method ToString | ExposureInTransmittedData.cs:20:32:20:44 | call to method ToString | Sensitive information from $@ flows to here, and is transmitted to the user. 
| ExposureInTransmittedData.cs:20:32:20:44 | call to method ToString | call to method ToString | diff --git a/csharp/ql/test/query-tests/Security Features/CWE-209/ExceptionInformationExposure.expected b/csharp/ql/test/query-tests/Security Features/CWE-209/ExceptionInformationExposure.expected index 734ac5b026c8..7d3578bc71e0 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-209/ExceptionInformationExposure.expected +++ b/csharp/ql/test/query-tests/Security Features/CWE-209/ExceptionInformationExposure.expected @@ -1,5 +1,11 @@ edges | ExceptionInformationExposure.cs:18:32:18:33 | access to local variable ex | ExceptionInformationExposure.cs:20:32:20:33 | access to local variable ex | +nodes +| ExceptionInformationExposure.cs:18:32:18:33 | access to local variable ex | +| ExceptionInformationExposure.cs:18:32:18:44 | call to method ToString | +| ExceptionInformationExposure.cs:20:32:20:33 | access to local variable ex | +| ExceptionInformationExposure.cs:22:32:22:44 | access to property StackTrace | +| ExceptionInformationExposure.cs:41:28:41:55 | call to method ToString | #select | ExceptionInformationExposure.cs:18:32:18:44 | call to method ToString | ExceptionInformationExposure.cs:18:32:18:44 | call to method ToString | ExceptionInformationExposure.cs:18:32:18:44 | call to method ToString | Exception information from $@ flows to here, and is exposed to the user. | ExceptionInformationExposure.cs:18:32:18:44 | call to method ToString | call to method ToString | | ExceptionInformationExposure.cs:20:32:20:33 | access to local variable ex | ExceptionInformationExposure.cs:18:32:18:33 | access to local variable ex | ExceptionInformationExposure.cs:20:32:20:33 | access to local variable ex | Exception information from $@ flows to here, and is exposed to the user. | ExceptionInformationExposure.cs:18:32:18:33 | access to local variable ex | access to local variable ex | 
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-312/CleartextStorage.expected b/csharp/ql/test/query-tests/Security Features/CWE-312/CleartextStorage.expected index 8bf93c08f857..7d564153bca1 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-312/CleartextStorage.expected +++ b/csharp/ql/test/query-tests/Security Features/CWE-312/CleartextStorage.expected @@ -1,4 +1,10 @@ edges +nodes +| CleartextStorage.cs:14:50:14:59 | access to field accountKey | +| CleartextStorage.cs:15:62:15:74 | call to method GetPassword | +| CleartextStorage.cs:16:69:16:81 | call to method GetPassword | +| CleartextStorage.cs:17:50:17:63 | call to method GetAccountID | +| CleartextStorage.cs:25:21:25:33 | call to method GetPassword | #select | CleartextStorage.cs:14:50:14:59 | access to field accountKey | CleartextStorage.cs:14:50:14:59 | access to field accountKey | CleartextStorage.cs:14:50:14:59 | access to field accountKey | Sensitive data returned by $@ is stored here. | CleartextStorage.cs:14:50:14:59 | access to field accountKey | access to field accountKey | | CleartextStorage.cs:15:62:15:74 | call to method GetPassword | CleartextStorage.cs:15:62:15:74 | call to method GetPassword | CleartextStorage.cs:15:62:15:74 | call to method GetPassword | Sensitive data returned by $@ is stored here. | CleartextStorage.cs:15:62:15:74 | call to method GetPassword | call to method GetPassword | diff --git a/csharp/ql/test/query-tests/Security Features/CWE-327/DontInstallRootCert/DontInstallRootCert.expected b/csharp/ql/test/query-tests/Security Features/CWE-327/DontInstallRootCert/DontInstallRootCert.expected index c766b3581ea8..5ef8bf776435 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-327/DontInstallRootCert/DontInstallRootCert.expected +++ b/csharp/ql/test/query-tests/Security Features/CWE-327/DontInstallRootCert/DontInstallRootCert.expected 
@@ -2,6 +2,13 @@ edges | Test.cs:17:31:17:59 | object creation of type X509Store | Test.cs:20:13:20:17 | access to local variable store | | Test.cs:27:31:27:86 | object creation of type X509Store | Test.cs:30:13:30:17 | access to local variable store | | Test.cs:72:31:72:86 | object creation of type X509Store | Test.cs:75:13:75:17 | access to local variable store | +nodes +| Test.cs:17:31:17:59 | object creation of type X509Store | +| Test.cs:20:13:20:17 | access to local variable store | +| Test.cs:27:31:27:86 | object creation of type X509Store | +| Test.cs:30:13:30:17 | access to local variable store | +| Test.cs:72:31:72:86 | object creation of type X509Store | +| Test.cs:75:13:75:17 | access to local variable store | #select | Test.cs:20:13:20:17 | access to local variable store | Test.cs:17:31:17:59 | object creation of type X509Store | Test.cs:20:13:20:17 | access to local variable store | Certificate added to the root certificate store. | | Test.cs:30:13:30:17 | access to local variable store | Test.cs:27:31:27:86 | object creation of type X509Store | Test.cs:30:13:30:17 | access to local variable store | Certificate added to the root certificate store. | diff --git a/csharp/ql/test/query-tests/Security Features/CWE-338/InsecureRandomness.expected b/csharp/ql/test/query-tests/Security Features/CWE-338/InsecureRandomness.expected index dd5727c7a463..a5fb3480409d 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-338/InsecureRandomness.expected +++ b/csharp/ql/test/query-tests/Security Features/CWE-338/InsecureRandomness.expected 
@@ -7,6 +7,17 @@ edges | InsecureRandomness.cs:62:16:62:32 | call to method ToString | InsecureRandomness.cs:13:20:13:56 | call to method InsecureRandomStringFromSelection | | InsecureRandomness.cs:72:31:72:39 | call to method Next | InsecureRandomness.cs:74:16:74:21 | access to local variable result | | InsecureRandomness.cs:74:16:74:21 | access to local variable result | InsecureRandomness.cs:14:20:14:54 | call to method InsecureRandomStringFromIndexer | +nodes +| InsecureRandomness.cs:12:27:12:50 | call to method InsecureRandomString | +| InsecureRandomness.cs:13:20:13:56 | call to method InsecureRandomStringFromSelection | +| InsecureRandomness.cs:14:20:14:54 | call to method InsecureRandomStringFromIndexer | +| InsecureRandomness.cs:28:29:28:43 | call to method Next | +| InsecureRandomness.cs:29:27:29:61 | call to method GetString | +| InsecureRandomness.cs:31:16:31:32 | call to method ToString | +| InsecureRandomness.cs:60:31:60:39 | call to method Next | +| InsecureRandomness.cs:62:16:62:32 | call to method ToString | +| InsecureRandomness.cs:72:31:72:39 | call to method Next | +| InsecureRandomness.cs:74:16:74:21 | access to local variable result | #select | InsecureRandomness.cs:12:27:12:50 | call to method InsecureRandomString | InsecureRandomness.cs:28:29:28:43 | call to method Next | InsecureRandomness.cs:12:27:12:50 | call to method InsecureRandomString | Cryptographically insecure random number is generated at $@ and used here in a security context. | InsecureRandomness.cs:28:29:28:43 | call to method Next | call to method Next | | InsecureRandomness.cs:13:20:13:56 | call to method InsecureRandomStringFromSelection | InsecureRandomness.cs:60:31:60:39 | call to method Next | InsecureRandomness.cs:13:20:13:56 | call to method InsecureRandomStringFromSelection | Cryptographically insecure random number is generated at $@ and used here in a security context. | InsecureRandomness.cs:60:31:60:39 | call to method Next | call to method Next | 
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-359/ExposureOfPrivateInformation.expected b/csharp/ql/test/query-tests/Security Features/CWE-359/ExposureOfPrivateInformation.expected index 09d661ed9c72..e0a0bcbe3fe6 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-359/ExposureOfPrivateInformation.expected +++ b/csharp/ql/test/query-tests/Security Features/CWE-359/ExposureOfPrivateInformation.expected @@ -1,4 +1,8 @@ edges +nodes +| ExposureOfPrivateInformation.cs:18:50:18:84 | access to indexer | +| ExposureOfPrivateInformation.cs:20:50:20:65 | call to method getTelephone | +| ExposureOfPrivateInformation.cs:24:21:24:36 | call to method getTelephone | #select | ExposureOfPrivateInformation.cs:18:50:18:84 | access to indexer | ExposureOfPrivateInformation.cs:18:50:18:84 | access to indexer | ExposureOfPrivateInformation.cs:18:50:18:84 | access to indexer | Private data returned by $@ is written to an external location. | ExposureOfPrivateInformation.cs:18:50:18:84 | access to indexer | access to indexer | | ExposureOfPrivateInformation.cs:20:50:20:65 | call to method getTelephone | ExposureOfPrivateInformation.cs:20:50:20:65 | call to method getTelephone | ExposureOfPrivateInformation.cs:20:50:20:65 | call to method getTelephone | Private data returned by $@ is written to an external location. | ExposureOfPrivateInformation.cs:20:50:20:65 | call to method getTelephone | call to method getTelephone | diff --git a/csharp/ql/test/query-tests/Security Features/CWE-601/UrlRedirect/UrlRedirect.expected b/csharp/ql/test/query-tests/Security Features/CWE-601/UrlRedirect/UrlRedirect.expected index 97a7725ef1bd..ea4b2b5a6054 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-601/UrlRedirect/UrlRedirect.expected +++ b/csharp/ql/test/query-tests/Security Features/CWE-601/UrlRedirect/UrlRedirect.expected 
@@ -13,6 +13,27 @@ edges | UrlRedirectCore.cs:47:51:47:55 | value | UrlRedirectCore.cs:50:28:50:32 | access to parameter value | | UrlRedirectCore.cs:47:51:47:55 | value | UrlRedirectCore.cs:55:32:55:45 | object creation of type Uri | | UrlRedirectCore.cs:47:51:47:55 | value | UrlRedirectCore.cs:58:31:58:35 | access to parameter value | +nodes +| UrlRedirect.cs:14:31:14:53 | access to property QueryString | +| UrlRedirect.cs:14:31:14:61 | access to indexer | +| UrlRedirect.cs:24:22:24:44 | access to property QueryString | +| UrlRedirect.cs:39:44:39:66 | access to property QueryString | +| UrlRedirect.cs:39:44:39:74 | access to indexer | +| UrlRedirect.cs:40:47:40:69 | access to property QueryString | +| UrlRedirect.cs:40:47:40:77 | access to indexer | +| UrlRedirect.cs:49:29:49:31 | access to local variable url | +| UrlRedirectCore.cs:15:44:15:48 | value | +| UrlRedirectCore.cs:18:22:18:26 | access to parameter value | +| UrlRedirectCore.cs:21:44:21:48 | call to operator implicit conversion | +| UrlRedirectCore.cs:27:46:27:50 | call to operator implicit conversion | +| UrlRedirectCore.cs:33:66:33:70 | access to parameter value | +| UrlRedirectCore.cs:36:49:36:53 | call to operator implicit conversion | +| UrlRedirectCore.cs:39:69:39:73 | access to parameter value | +| UrlRedirectCore.cs:42:39:42:53 | ... + ... | +| UrlRedirectCore.cs:47:51:47:55 | value | +| UrlRedirectCore.cs:50:28:50:32 | access to parameter value | +| UrlRedirectCore.cs:55:32:55:45 | object creation of type Uri | +| UrlRedirectCore.cs:58:31:58:35 | access to parameter value | #select | UrlRedirect.cs:14:31:14:61 | access to indexer | UrlRedirect.cs:14:31:14:53 | access to property QueryString | UrlRedirect.cs:14:31:14:61 | access to indexer | Untrusted URL redirection due to $@. 
| UrlRedirect.cs:14:31:14:53 | access to property QueryString | user-provided value | | UrlRedirect.cs:39:44:39:74 | access to indexer | UrlRedirect.cs:39:44:39:66 | access to property QueryString | UrlRedirect.cs:39:44:39:74 | access to indexer | Untrusted URL redirection due to $@. | UrlRedirect.cs:39:44:39:66 | access to property QueryString | user-provided value | diff --git a/csharp/ql/test/query-tests/Security Features/CWE-611/UntrustedDataInsecureXml.expected b/csharp/ql/test/query-tests/Security Features/CWE-611/UntrustedDataInsecureXml.expected index 6dd51cf91ed4..5f68dc30cd0c 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-611/UntrustedDataInsecureXml.expected +++ b/csharp/ql/test/query-tests/Security Features/CWE-611/UntrustedDataInsecureXml.expected @@ -1,5 +1,10 @@ edges | Test.cs:13:50:13:72 | access to property QueryString | Test.cs:13:50:13:84 | access to indexer | | Test.cs:18:38:18:60 | object creation of type XmlReaderSettings | Test.cs:23:55:23:62 | access to local variable settings | +nodes +| Test.cs:13:50:13:72 | access to property QueryString | +| Test.cs:13:50:13:84 | access to indexer | +| Test.cs:18:38:18:60 | object creation of type XmlReaderSettings | +| Test.cs:23:55:23:62 | access to local variable settings | #select | Test.cs:13:50:13:84 | access to indexer | Test.cs:13:50:13:72 | access to property QueryString | Test.cs:13:50:13:84 | access to indexer | $@ flows to here and is loaded insecurely as XML (DTD processing is enabled with an insecure resolver). | Test.cs:13:50:13:72 | access to property QueryString | User-provided value | diff --git a/csharp/ql/test/query-tests/Security Features/CWE-643/StoredXPathInjection.expected b/csharp/ql/test/query-tests/Security Features/CWE-643/StoredXPathInjection.expected index 0b2c001a1552..3415ec969760 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-643/StoredXPathInjection.expected 
+++ b/csharp/ql/test/query-tests/Security Features/CWE-643/StoredXPathInjection.expected @@ -3,6 +3,11 @@ edges | StoredXPathInjection.cs:24:39:24:65 | call to method GetString | StoredXPathInjection.cs:30:41:30:144 | ... + ... | | StoredXPathInjection.cs:25:39:25:65 | call to method GetString | StoredXPathInjection.cs:27:45:27:148 | ... + ... | | StoredXPathInjection.cs:25:39:25:65 | call to method GetString | StoredXPathInjection.cs:30:41:30:144 | ... + ... | +nodes +| StoredXPathInjection.cs:24:39:24:65 | call to method GetString | +| StoredXPathInjection.cs:25:39:25:65 | call to method GetString | +| StoredXPathInjection.cs:27:45:27:148 | ... + ... | +| StoredXPathInjection.cs:30:41:30:144 | ... + ... | #select | StoredXPathInjection.cs:27:45:27:148 | ... + ... | StoredXPathInjection.cs:24:39:24:65 | call to method GetString | StoredXPathInjection.cs:27:45:27:148 | ... + ... | $@ flows to here and is used in an XPath expression. | StoredXPathInjection.cs:24:39:24:65 | call to method GetString | Stored user-provided value | | StoredXPathInjection.cs:27:45:27:148 | ... + ... | StoredXPathInjection.cs:25:39:25:65 | call to method GetString | StoredXPathInjection.cs:27:45:27:148 | ... + ... | $@ flows to here and is used in an XPath expression. | StoredXPathInjection.cs:25:39:25:65 | call to method GetString | Stored user-provided value | diff --git a/csharp/ql/test/query-tests/Security Features/CWE-643/XPathInjection.expected b/csharp/ql/test/query-tests/Security Features/CWE-643/XPathInjection.expected index 7106a842df11..84f46930c1a1 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-643/XPathInjection.expected +++ b/csharp/ql/test/query-tests/Security Features/CWE-643/XPathInjection.expected 
@@ -3,6 +3,11 @@ edges | XPathInjection.cs:12:27:12:49 | access to property QueryString | XPathInjection.cs:19:29:19:132 | ... + ... | | XPathInjection.cs:13:27:13:49 | access to property QueryString | XPathInjection.cs:16:33:16:136 | ... + ... | | XPathInjection.cs:13:27:13:49 | access to property QueryString | XPathInjection.cs:19:29:19:132 | ... + ... | +nodes +| XPathInjection.cs:12:27:12:49 | access to property QueryString | +| XPathInjection.cs:13:27:13:49 | access to property QueryString | +| XPathInjection.cs:16:33:16:136 | ... + ... | +| XPathInjection.cs:19:29:19:132 | ... + ... | #select | XPathInjection.cs:16:33:16:136 | ... + ... | XPathInjection.cs:12:27:12:49 | access to property QueryString | XPathInjection.cs:16:33:16:136 | ... + ... | $@ flows to here and is used in an XPath expression. | XPathInjection.cs:12:27:12:49 | access to property QueryString | User-provided value | | XPathInjection.cs:16:33:16:136 | ... + ... | XPathInjection.cs:13:27:13:49 | access to property QueryString | XPathInjection.cs:16:33:16:136 | ... + ... | $@ flows to here and is used in an XPath expression. | XPathInjection.cs:13:27:13:49 | access to property QueryString | User-provided value | diff --git a/csharp/ql/test/query-tests/Security Features/CWE-730/ReDoS/ReDoS.expected b/csharp/ql/test/query-tests/Security Features/CWE-730/ReDoS/ReDoS.expected index 69cd05915601..370665a4e63c 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-730/ReDoS/ReDoS.expected +++ b/csharp/ql/test/query-tests/Security Features/CWE-730/ReDoS/ReDoS.expected 
@@ -14,6 +14,25 @@ edges | ExponentialRegex.cs:24:19:24:34 | access to field JAVA_CLASS_REGEX | ExponentialRegex.cs:26:32:26:47 | access to field JAVA_CLASS_REGEX | | ExponentialRegex.cs:24:19:24:34 | access to field JAVA_CLASS_REGEX | ExponentialRegex.cs:30:32:30:47 | access to field JAVA_CLASS_REGEX | | ExponentialRegex.cs:26:32:26:47 | access to field JAVA_CLASS_REGEX | ExponentialRegex.cs:30:32:30:47 | access to field JAVA_CLASS_REGEX | +nodes +| ExponentialRegex.cs:9:55:9:83 | "^(([a-z])+.)+[A-Z]([a-z])+$" | +| ExponentialRegex.cs:13:28:13:50 | access to property QueryString | +| ExponentialRegex.cs:17:19:17:31 | "^([a-z]+)+$" | +| ExponentialRegex.cs:17:40:17:48 | access to local variable userInput | +| ExponentialRegex.cs:18:19:18:31 | "^([a-z]*)*$" | +| ExponentialRegex.cs:18:42:18:50 | access to local variable userInput | +| ExponentialRegex.cs:21:19:21:130 | "^([a-zA-Z0-9])(([\\-.]\|[_]+)?([a-zA-Z0-9]+))*(@){1}[a-z0-9]+[.]{1}(([a-z]{2,3})\|([a-z]{2,3}[.]{1}[a-z]{2,3}))$" | +| ExponentialRegex.cs:21:139:21:147 | access to local variable userInput | +| ExponentialRegex.cs:24:19:24:34 | access to field JAVA_CLASS_REGEX | +| ExponentialRegex.cs:24:43:24:51 | access to local variable userInput | +| ExponentialRegex.cs:26:21:26:29 | access to local variable userInput | +| ExponentialRegex.cs:26:32:26:47 | access to field JAVA_CLASS_REGEX | +| ExponentialRegex.cs:28:47:28:55 | access to local variable userInput | +| ExponentialRegex.cs:29:19:29:31 | "^([a-z]+)+$" | +| ExponentialRegex.cs:29:90:29:98 | access to local variable userInput | +| ExponentialRegex.cs:30:21:30:29 | access to local variable userInput | +| ExponentialRegex.cs:30:32:30:47 | access to field JAVA_CLASS_REGEX | +| ExponentialRegex.cs:32:57:32:65 | access to local variable userInput | #select | ExponentialRegex.cs:17:40:17:48 | access to local variable userInput | ExponentialRegex.cs:13:28:13:50 | access to property QueryString | ExponentialRegex.cs:17:40:17:48 | access to local variable 
userInput | $@ flows to regular expression operation with dangerous regex. | ExponentialRegex.cs:13:28:13:50 | access to property QueryString | User-provided value | | ExponentialRegex.cs:18:42:18:50 | access to local variable userInput | ExponentialRegex.cs:13:28:13:50 | access to property QueryString | ExponentialRegex.cs:18:42:18:50 | access to local variable userInput | $@ flows to regular expression operation with dangerous regex. | ExponentialRegex.cs:13:28:13:50 | access to property QueryString | User-provided value | diff --git a/csharp/ql/test/query-tests/Security Features/CWE-730/ReDoSGlobalTimeout/ReDoS.expected b/csharp/ql/test/query-tests/Security Features/CWE-730/ReDoSGlobalTimeout/ReDoS.expected index 3c7330c90356..140050954bce 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-730/ReDoSGlobalTimeout/ReDoS.expected +++ b/csharp/ql/test/query-tests/Security Features/CWE-730/ReDoSGlobalTimeout/ReDoS.expected @@ -1,3 +1,7 @@ edges | ExponentialRegex.cs:15:28:15:50 | access to property QueryString | ExponentialRegex.cs:18:40:18:48 | access to local variable userInput | +nodes +| ExponentialRegex.cs:15:28:15:50 | access to property QueryString | +| ExponentialRegex.cs:18:19:18:31 | "^([a-z]+)+$" | +| ExponentialRegex.cs:18:40:18:48 | access to local variable userInput | #select diff --git a/csharp/ql/test/query-tests/Security Features/CWE-730/RegexInjection/RegexInjection.expected b/csharp/ql/test/query-tests/Security Features/CWE-730/RegexInjection/RegexInjection.expected index 50b64034e091..b17c50306940 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-730/RegexInjection/RegexInjection.expected +++ b/csharp/ql/test/query-tests/Security Features/CWE-730/RegexInjection/RegexInjection.expected 
@@ -1,4 +1,7 @@ edges | RegexInjection.cs:12:24:12:46 | access to property QueryString | RegexInjection.cs:16:19:16:23 | access to local variable regex | +nodes +| RegexInjection.cs:12:24:12:46 | access to property QueryString | +| RegexInjection.cs:16:19:16:23 | access to local variable regex | #select | RegexInjection.cs:16:19:16:23 | access to local variable regex | RegexInjection.cs:12:24:12:46 | access to property QueryString | RegexInjection.cs:16:19:16:23 | access to local variable regex | $@ flows to the construction of a regular expression. | RegexInjection.cs:12:24:12:46 | access to property QueryString | User-provided value | diff --git a/csharp/ql/test/query-tests/Security Features/CWE-798/HardcodedConnectionString.expected b/csharp/ql/test/query-tests/Security Features/CWE-798/HardcodedConnectionString.expected index 985c4d67e31f..6d67b1996705 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-798/HardcodedConnectionString.expected +++ b/csharp/ql/test/query-tests/Security Features/CWE-798/HardcodedConnectionString.expected 
@@ -1,5 +1,19 @@ edges | HardcodedCredentials.cs:49:30:49:60 | array creation of type Byte[] | HardcodedCredentials.cs:52:13:52:23 | access to local variable rawCertData | +nodes +| HardcodedCredentials.cs:17:25:17:36 | "myPa55word" | +| HardcodedCredentials.cs:33:19:33:28 | "username" | +| HardcodedCredentials.cs:47:39:47:53 | "myNewPa55word" | +| HardcodedCredentials.cs:49:30:49:60 | array creation of type Byte[] | +| HardcodedCredentials.cs:52:13:52:23 | access to local variable rawCertData | +| HardcodedCredentials.cs:53:13:53:24 | "myPa55word" | +| HardcodedCredentials.cs:56:48:56:63 | "Password=12345" | +| HardcodedCredentials.cs:58:49:58:63 | "User Id=12345" | +| HardcodedCredentials.cs:76:31:76:42 | "myusername" | +| HardcodedCredentials.cs:76:45:76:56 | "mypassword" | +| TestHardcodedCredentials.cs:21:31:21:42 | "myusername" | +| TestHardcodedCredentials.cs:21:45:21:56 | "mypassword" | +| TestHardcodedCredentials.cs:26:19:26:28 | "username" | #select | HardcodedCredentials.cs:56:48:56:63 | "Password=12345" | HardcodedCredentials.cs:56:48:56:63 | "Password=12345" | HardcodedCredentials.cs:56:48:56:63 | "Password=12345" | 'ConnectionString' property includes hard-coded credentials set in $@. | HardcodedCredentials.cs:56:30:56:64 | object creation of type SqlConnection | object creation of type SqlConnection | | HardcodedCredentials.cs:58:49:58:63 | "User Id=12345" | HardcodedCredentials.cs:58:49:58:63 | "User Id=12345" | HardcodedCredentials.cs:58:49:58:63 | "User Id=12345" | 'ConnectionString' property includes hard-coded credentials set in $@. | HardcodedCredentials.cs:58:31:58:64 | object creation of type SqlConnection | object creation of type SqlConnection | diff --git a/csharp/ql/test/query-tests/Security Features/CWE-798/HardcodedCredentials.expected b/csharp/ql/test/query-tests/Security Features/CWE-798/HardcodedCredentials.expected index 0276293a89a8..20d70fe7a373 100644 
--- a/csharp/ql/test/query-tests/Security Features/CWE-798/HardcodedCredentials.expected +++ b/csharp/ql/test/query-tests/Security Features/CWE-798/HardcodedCredentials.expected @@ -1,5 +1,17 @@ edges | HardcodedCredentials.cs:49:30:49:60 | array creation of type Byte[] | HardcodedCredentials.cs:52:13:52:23 | access to local variable rawCertData | +nodes +| HardcodedCredentials.cs:17:25:17:36 | "myPa55word" | +| HardcodedCredentials.cs:33:19:33:28 | "username" | +| HardcodedCredentials.cs:47:39:47:53 | "myNewPa55word" | +| HardcodedCredentials.cs:49:30:49:60 | array creation of type Byte[] | +| HardcodedCredentials.cs:52:13:52:23 | access to local variable rawCertData | +| HardcodedCredentials.cs:53:13:53:24 | "myPa55word" | +| HardcodedCredentials.cs:76:31:76:42 | "myusername" | +| HardcodedCredentials.cs:76:45:76:56 | "mypassword" | +| TestHardcodedCredentials.cs:21:31:21:42 | "myusername" | +| TestHardcodedCredentials.cs:21:45:21:56 | "mypassword" | +| TestHardcodedCredentials.cs:26:19:26:28 | "username" | #select | HardcodedCredentials.cs:17:25:17:36 | "myPa55word" | HardcodedCredentials.cs:17:25:17:36 | "myPa55word" | HardcodedCredentials.cs:17:25:17:36 | "myPa55word" | The hard-coded value "myPa55word" flows to $@ which is compared against $@. | HardcodedCredentials.cs:17:25:17:36 | "myPa55word" | "myPa55word" | HardcodedCredentials.cs:17:13:17:20 | access to local variable password | access to local variable password | | HardcodedCredentials.cs:33:19:33:28 | "username" | HardcodedCredentials.cs:33:19:33:28 | "username" | HardcodedCredentials.cs:33:19:33:28 | "username" | The hard-coded value "username" flows to the $@ parameter in $@. | HardcodedCredentials.cs:33:19:33:28 | "username" | name | HardcodedCredentials.cs:31:31:45:13 | object creation of type MembershipUser | object creation of type MembershipUser | 
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-807/ConditionalBypass.expected b/csharp/ql/test/query-tests/Security Features/CWE-807/ConditionalBypass.expected index f04e8969bfc6..016f6b802dfb 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-807/ConditionalBypass.expected +++ b/csharp/ql/test/query-tests/Security Features/CWE-807/ConditionalBypass.expected 
@@ -6,6 +6,19 @@ edges | ConditionalBypass.cs:44:32:44:66 | call to method GetHostByAddress | ConditionalBypass.cs:51:13:51:29 | access to property HostName | | ConditionalBypass.cs:72:34:72:52 | access to property Cookies | ConditionalBypass.cs:74:13:74:40 | ... == ... | | ConditionalBypass.cs:85:34:85:52 | access to property Cookies | ConditionalBypass.cs:86:13:86:40 | ... == ... | +nodes +| ConditionalBypass.cs:14:26:14:48 | access to property QueryString | +| ConditionalBypass.cs:18:13:18:30 | ... == ... | +| ConditionalBypass.cs:21:34:21:52 | access to property Cookies | +| ConditionalBypass.cs:24:13:24:45 | call to method Equals | +| ConditionalBypass.cs:29:13:29:40 | ... == ... | +| ConditionalBypass.cs:44:32:44:66 | call to method GetHostByAddress | +| ConditionalBypass.cs:46:13:46:46 | ... == ... | +| ConditionalBypass.cs:51:13:51:29 | access to property HostName | +| ConditionalBypass.cs:72:34:72:52 | access to property Cookies | +| ConditionalBypass.cs:74:13:74:40 | ... == ... | +| ConditionalBypass.cs:85:34:85:52 | access to property Cookies | +| ConditionalBypass.cs:86:13:86:40 | ... == ... | #select | ConditionalBypass.cs:19:13:19:33 | call to method login | ConditionalBypass.cs:14:26:14:48 | access to property QueryString | ConditionalBypass.cs:18:13:18:30 | ... == ... | Sensitive method may not be executed depending on $@, which flows from $@. | ConditionalBypass.cs:18:13:18:30 | ... == ... | this condition | ConditionalBypass.cs:14:26:14:48 | access to property QueryString | user input | | ConditionalBypass.cs:25:13:25:33 | call to method login | ConditionalBypass.cs:21:34:21:52 | access to property Cookies | ConditionalBypass.cs:24:13:24:45 | call to method Equals | Sensitive method may not be executed depending on $@, which flows from $@. | ConditionalBypass.cs:24:13:24:45 | call to method Equals | this condition | ConditionalBypass.cs:21:34:21:52 | access to property Cookies | user input | 
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-838/InappropriateEncoding.expected b/csharp/ql/test/query-tests/Security Features/CWE-838/InappropriateEncoding.expected index 9fea9d5d65bf..5f031e3db297 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-838/InappropriateEncoding.expected +++ b/csharp/ql/test/query-tests/Security Features/CWE-838/InappropriateEncoding.expected 
@@ -9,6 +9,27 @@ edges | InappropriateEncoding.cs:68:16:68:42 | call to method Replace | InappropriateEncoding.cs:15:28:15:40 | call to method Encode | | SqlEncode.cs:16:62:16:87 | call to method Replace | SqlEncode.cs:17:46:17:50 | access to local variable query | | UrlEncode.cs:12:43:12:69 | call to method HtmlEncode | UrlEncode.cs:12:31:12:69 | ... + ... | +nodes +| HtmlEncode.cs:12:28:12:65 | ... + ... | +| HtmlEncode.cs:12:40:12:65 | call to method UrlEncode | +| InappropriateEncoding.cs:15:28:15:40 | call to method Encode | +| InappropriateEncoding.cs:15:28:15:40 | call to method Encode | +| InappropriateEncoding.cs:20:46:20:51 | access to local variable query1 | +| InappropriateEncoding.cs:20:46:20:51 | access to local variable query1 | +| InappropriateEncoding.cs:33:22:33:34 | call to method Encode | +| InappropriateEncoding.cs:34:22:34:49 | call to method UrlEncode | +| InappropriateEncoding.cs:35:22:35:73 | call to method UrlEncode | +| InappropriateEncoding.cs:36:28:36:55 | call to method UrlEncode | +| InappropriateEncoding.cs:37:32:37:43 | access to local variable encodedValue | +| InappropriateEncoding.cs:38:22:38:59 | ... + ... | +| InappropriateEncoding.cs:39:22:39:71 | call to method Format | +| InappropriateEncoding.cs:57:28:57:56 | call to method HtmlEncode | +| InappropriateEncoding.cs:58:31:58:42 | access to local variable encodedValue | +| InappropriateEncoding.cs:68:16:68:42 | call to method Replace | +| SqlEncode.cs:16:62:16:87 | call to method Replace | +| SqlEncode.cs:17:46:17:50 | access to local variable query | +| UrlEncode.cs:12:31:12:69 | ... + ... | +| UrlEncode.cs:12:43:12:69 | call to method HtmlEncode | #select | HtmlEncode.cs:12:28:12:65 | ... + ... | HtmlEncode.cs:12:40:12:65 | call to method UrlEncode | HtmlEncode.cs:12:28:12:65 | ... + ... | This HTML expression may include data from a $@. 
| HtmlEncode.cs:12:40:12:65 | call to method UrlEncode | possibly inappropriately encoded value | | InappropriateEncoding.cs:20:46:20:51 | access to local variable query1 | InappropriateEncoding.cs:15:28:15:40 | call to method Encode | InappropriateEncoding.cs:20:46:20:51 | access to local variable query1 | This SQL expression may include data from a $@. | InappropriateEncoding.cs:15:28:15:40 | call to method Encode | possibly inappropriately encoded value | From 3eae1cd500a6898aca824119d70f88d9d73994f5 Mon Sep 17 00:00:00 2001 From: calum Date: Wed, 21 Nov 2018 17:28:48 +0000 Subject: [PATCH 6/6] C#: Update test outputs. --- .../dataflow/global/DataFlowPath.expected | 130 +++++++++++++ .../global/TaintTrackingPath.expected | 175 ++++++++++++++++++ 2 files changed, 305 insertions(+) diff --git a/csharp/ql/test/library-tests/dataflow/global/DataFlowPath.expected b/csharp/ql/test/library-tests/dataflow/global/DataFlowPath.expected index e76529ab3aea..d02b28059d60 100644 --- a/csharp/ql/test/library-tests/dataflow/global/DataFlowPath.expected +++ b/csharp/ql/test/library-tests/dataflow/global/DataFlowPath.expected 
@@ -172,6 +172,136 @@ edges | GlobalDataFlow.cs:377:16:377:21 | access to local variable sink11 | GlobalDataFlow.cs:159:22:159:43 | call to method TaintedParam | | GlobalDataFlow.cs:399:9:399:11 | value | GlobalDataFlow.cs:399:41:399:46 | access to local variable sink20 | | GlobalDataFlow.cs:410:22:410:35 | "taint source" | GlobalDataFlow.cs:193:22:193:32 | access to property OutProperty | +nodes +| Capture.cs:7:20:7:26 | tainted | +| Capture.cs:9:9:13:9 | SSA capture def(tainted) | +| Capture.cs:12:19:12:24 | access to local variable sink27 | +| Capture.cs:14:9:14:20 | tainted [implicit argument] | +| Capture.cs:18:13:22:13 | SSA capture def(tainted) | +| Capture.cs:21:23:21:28 | access to local variable sink28 | +| Capture.cs:25:9:25:20 | tainted [implicit argument] | +| Capture.cs:27:43:32:9 | SSA capture def(tainted) | +| Capture.cs:30:19:30:24 | access to local variable sink29 | +| Capture.cs:33:9:33:40 | tainted [implicit argument] | +| Capture.cs:57:13:57:35 | SSA def(sink30) | +| Capture.cs:57:22:57:35 | "taint source" | +| Capture.cs:59:9:59:21 | SSA call def(sink30) | +| Capture.cs:60:15:60:20 | access to local variable sink30 | +| Capture.cs:67:17:67:39 | SSA def(sink31) | +| Capture.cs:67:26:67:39 | "taint source" | +| Capture.cs:71:9:71:21 | SSA call def(sink31) | +| Capture.cs:72:15:72:20 | access to local variable sink31 | +| Capture.cs:77:13:77:35 | SSA def(sink32) | +| Capture.cs:77:22:77:35 | "taint source" | +| Capture.cs:80:9:80:41 | SSA call def(sink32) | +| Capture.cs:81:15:81:20 | access to local variable sink32 | +| Capture.cs:101:25:101:31 | tainted | +| Capture.cs:108:9:108:25 | SSA call def(sink33) | +| Capture.cs:108:9:108:25 | tainted [implicit argument] | +| Capture.cs:109:15:109:20 | access to local variable sink33 | +| Capture.cs:120:9:120:25 | SSA call def(sink34) | +| Capture.cs:120:9:120:25 | tainted [implicit argument] | +| Capture.cs:121:15:121:20 | access to local variable sink34 | +| Capture.cs:129:9:129:45 | SSA call 
def(sink35) | +| Capture.cs:129:9:129:45 | tainted [implicit argument] | +| Capture.cs:130:15:130:20 | access to local variable sink35 | +| Capture.cs:136:22:136:38 | call to local function CaptureThrough4 | +| Capture.cs:136:22:136:38 | tainted [implicit argument] | +| Capture.cs:137:15:137:20 | access to local variable sink36 | +| Capture.cs:144:9:144:32 | SSA call def(sink37) | +| Capture.cs:144:25:144:31 | access to parameter tainted | +| Capture.cs:145:15:145:20 | access to local variable sink37 | +| Capture.cs:170:22:170:32 | call to local function Id | +| Capture.cs:170:25:170:31 | access to parameter tainted | +| Capture.cs:171:15:171:20 | access to local variable sink38 | +| GlobalDataFlow.cs:17:27:17:40 | "taint source" | +| GlobalDataFlow.cs:18:15:18:29 | access to field SinkField0 | +| GlobalDataFlow.cs:26:15:26:32 | access to property SinkProperty0 | +| GlobalDataFlow.cs:35:13:35:30 | access to property SinkProperty0 | +| GlobalDataFlow.cs:37:35:37:52 | access to property SinkProperty0 | +| GlobalDataFlow.cs:44:30:44:39 | sinkParam2 | +| GlobalDataFlow.cs:44:50:44:59 | access to parameter sinkParam2 | +| GlobalDataFlow.cs:45:13:45:30 | access to property SinkProperty0 | +| GlobalDataFlow.cs:52:20:52:37 | access to property SinkProperty0 | +| GlobalDataFlow.cs:53:15:53:15 | x | +| GlobalDataFlow.cs:53:24:53:24 | access to parameter x | +| GlobalDataFlow.cs:53:28:53:45 | access to property SinkProperty0 | +| GlobalDataFlow.cs:54:44:54:61 | access to property SinkProperty0 | +| GlobalDataFlow.cs:55:28:55:45 | access to property SinkProperty0 | +| GlobalDataFlow.cs:56:37:56:37 | x | +| GlobalDataFlow.cs:56:46:56:46 | access to parameter x | +| GlobalDataFlow.cs:57:35:57:52 | access to property SinkProperty0 | +| GlobalDataFlow.cs:64:22:64:39 | access to property SinkProperty0 | +| GlobalDataFlow.cs:70:21:70:46 | call to method Return | +| GlobalDataFlow.cs:70:28:70:45 | access to property SinkProperty0 | +| GlobalDataFlow.cs:71:15:71:19 | access to local 
variable sink0 | +| GlobalDataFlow.cs:72:29:72:101 | call to method Invoke | +| GlobalDataFlow.cs:72:94:72:98 | access to local variable sink0 | +| GlobalDataFlow.cs:73:15:73:19 | access to local variable sink1 | +| GlobalDataFlow.cs:75:19:75:23 | access to local variable sink1 | +| GlobalDataFlow.cs:75:30:75:34 | SSA def(sink2) | +| GlobalDataFlow.cs:76:15:76:19 | access to local variable sink2 | +| GlobalDataFlow.cs:78:19:78:23 | access to local variable sink2 | +| GlobalDataFlow.cs:78:30:78:34 | SSA def(sink3) | +| GlobalDataFlow.cs:79:15:79:19 | access to local variable sink3 | +| GlobalDataFlow.cs:131:21:131:34 | delegate call | +| GlobalDataFlow.cs:131:29:131:33 | access to local variable sink3 | +| GlobalDataFlow.cs:132:15:132:19 | access to local variable sink4 | +| GlobalDataFlow.cs:139:21:139:44 | call to method ApplyFunc | +| GlobalDataFlow.cs:139:39:139:43 | access to local variable sink4 | +| GlobalDataFlow.cs:140:15:140:19 | access to local variable sink5 | +| GlobalDataFlow.cs:149:21:149:25 | call to method Out | +| GlobalDataFlow.cs:150:15:150:19 | access to local variable sink6 | +| GlobalDataFlow.cs:152:20:152:24 | SSA def(sink7) | +| GlobalDataFlow.cs:153:15:153:19 | access to local variable sink7 | +| GlobalDataFlow.cs:155:20:155:24 | SSA def(sink8) | +| GlobalDataFlow.cs:156:15:156:19 | access to local variable sink8 | +| GlobalDataFlow.cs:159:22:159:43 | call to method TaintedParam | +| GlobalDataFlow.cs:160:15:160:20 | access to local variable sink23 | +| GlobalDataFlow.cs:175:35:175:48 | "taint source" | +| GlobalDataFlow.cs:176:21:176:26 | delegate call | +| GlobalDataFlow.cs:177:15:177:19 | access to local variable sink9 | +| GlobalDataFlow.cs:185:39:185:41 | [implicit call] delegate creation of type Func | +| GlobalDataFlow.cs:186:15:186:20 | access to local variable sink10 | +| GlobalDataFlow.cs:193:22:193:32 | access to property OutProperty | +| GlobalDataFlow.cs:194:15:194:20 | access to local variable sink19 | +| 
GlobalDataFlow.cs:230:26:230:35 | sinkParam0 | +| GlobalDataFlow.cs:230:26:230:35 | sinkParam0 | +| GlobalDataFlow.cs:232:16:232:25 | access to parameter sinkParam0 | +| GlobalDataFlow.cs:232:16:232:25 | access to parameter sinkParam0 | +| GlobalDataFlow.cs:233:15:233:24 | access to parameter sinkParam0 | +| GlobalDataFlow.cs:233:15:233:24 | access to parameter sinkParam0 | +| GlobalDataFlow.cs:236:26:236:35 | sinkParam1 | +| GlobalDataFlow.cs:238:15:238:24 | access to parameter sinkParam1 | +| GlobalDataFlow.cs:241:26:241:35 | sinkParam3 | +| GlobalDataFlow.cs:243:15:243:24 | access to parameter sinkParam3 | +| GlobalDataFlow.cs:246:26:246:35 | sinkParam4 | +| GlobalDataFlow.cs:248:15:248:24 | access to parameter sinkParam4 | +| GlobalDataFlow.cs:251:26:251:35 | sinkParam5 | +| GlobalDataFlow.cs:253:15:253:24 | access to parameter sinkParam5 | +| GlobalDataFlow.cs:256:26:256:35 | sinkParam6 | +| GlobalDataFlow.cs:258:15:258:24 | access to parameter sinkParam6 | +| GlobalDataFlow.cs:261:26:261:35 | sinkParam7 | +| GlobalDataFlow.cs:263:15:263:24 | access to parameter sinkParam7 | +| GlobalDataFlow.cs:313:16:313:29 | "taint source" | +| GlobalDataFlow.cs:318:13:318:26 | "taint source" | +| GlobalDataFlow.cs:323:13:323:26 | "taint source" | +| GlobalDataFlow.cs:354:41:354:41 | x | +| GlobalDataFlow.cs:354:41:354:41 | x | +| GlobalDataFlow.cs:356:11:356:11 | access to parameter x | +| GlobalDataFlow.cs:356:11:356:11 | access to parameter x | +| GlobalDataFlow.cs:368:52:368:52 | x | +| GlobalDataFlow.cs:368:52:368:52 | x | +| GlobalDataFlow.cs:368:52:368:52 | x | +| GlobalDataFlow.cs:370:11:370:11 | access to parameter x | +| GlobalDataFlow.cs:370:11:370:11 | access to parameter x | +| GlobalDataFlow.cs:370:11:370:11 | access to parameter x | +| GlobalDataFlow.cs:373:39:373:45 | tainted | +| GlobalDataFlow.cs:376:15:376:20 | access to local variable sink11 | +| GlobalDataFlow.cs:377:16:377:21 | access to local variable sink11 | +| GlobalDataFlow.cs:399:9:399:11 | value 
| +| GlobalDataFlow.cs:399:41:399:46 | access to local variable sink20 | +| GlobalDataFlow.cs:410:22:410:35 | "taint source" | #select | GlobalDataFlow.cs:18:15:18:29 | access to field SinkField0 | access to field SinkField0 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:18:15:18:29 | access to field SinkField0 | | GlobalDataFlow.cs:71:15:71:19 | access to local variable sink0 | access to local variable sink0 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:71:15:71:19 | access to local variable sink0 | diff --git a/csharp/ql/test/library-tests/dataflow/global/TaintTrackingPath.expected b/csharp/ql/test/library-tests/dataflow/global/TaintTrackingPath.expected index 08dc92d3b269..7c1c2b73e46c 100644 --- a/csharp/ql/test/library-tests/dataflow/global/TaintTrackingPath.expected +++ b/csharp/ql/test/library-tests/dataflow/global/TaintTrackingPath.expected 
@@ -215,6 +215,181 @@ edges | GlobalDataFlow.cs:377:16:377:21 | access to local variable sink11 | GlobalDataFlow.cs:159:22:159:43 | call to method TaintedParam | | GlobalDataFlow.cs:399:9:399:11 | value | GlobalDataFlow.cs:399:41:399:46 | access to local variable sink20 | | GlobalDataFlow.cs:410:22:410:35 | "taint source" | GlobalDataFlow.cs:193:22:193:32 | access to property OutProperty | +nodes +| Capture.cs:7:20:7:26 | tainted | +| Capture.cs:9:9:13:9 | SSA capture def(tainted) | +| Capture.cs:12:19:12:24 | access to local variable sink27 | +| Capture.cs:14:9:14:20 | tainted [implicit argument] | +| Capture.cs:18:13:22:13 | SSA capture def(tainted) | +| Capture.cs:21:23:21:28 | access to local variable sink28 | +| Capture.cs:25:9:25:20 | tainted [implicit argument] | +| Capture.cs:27:43:32:9 | SSA capture def(tainted) | +| Capture.cs:30:19:30:24 | access to local variable sink29 | +| Capture.cs:33:9:33:40 | tainted [implicit argument] | +| Capture.cs:57:13:57:35 | SSA def(sink30) | +| Capture.cs:57:22:57:35 | "taint source" | +| Capture.cs:59:9:59:21 | SSA call def(sink30) | +| Capture.cs:60:15:60:20 | access to local variable sink30 | +| Capture.cs:67:17:67:39 | SSA def(sink31) | +| Capture.cs:67:26:67:39 | "taint source" | +| Capture.cs:71:9:71:21 | SSA call def(sink31) | +| Capture.cs:72:15:72:20 | access to local variable sink31 | +| Capture.cs:77:13:77:35 | SSA def(sink32) | +| Capture.cs:77:22:77:35 | "taint source" | +| Capture.cs:80:9:80:41 | SSA call def(sink32) | +| Capture.cs:81:15:81:20 | access to local variable sink32 | +| Capture.cs:101:25:101:31 | tainted | +| Capture.cs:108:9:108:25 | SSA call def(sink33) | +| Capture.cs:108:9:108:25 | tainted [implicit argument] | +| Capture.cs:109:15:109:20 | access to local variable sink33 | +| Capture.cs:120:9:120:25 | SSA call def(sink34) | +| Capture.cs:120:9:120:25 | tainted [implicit argument] | +| Capture.cs:121:15:121:20 | access to local variable sink34 | +| Capture.cs:129:9:129:45 | SSA call 
def(sink35) | +| Capture.cs:129:9:129:45 | tainted [implicit argument] | +| Capture.cs:130:15:130:20 | access to local variable sink35 | +| Capture.cs:136:22:136:38 | call to local function CaptureThrough4 | +| Capture.cs:136:22:136:38 | tainted [implicit argument] | +| Capture.cs:137:15:137:20 | access to local variable sink36 | +| Capture.cs:144:9:144:32 | SSA call def(sink37) | +| Capture.cs:144:25:144:31 | access to parameter tainted | +| Capture.cs:145:15:145:20 | access to local variable sink37 | +| Capture.cs:170:22:170:32 | call to local function Id | +| Capture.cs:170:25:170:31 | access to parameter tainted | +| Capture.cs:171:15:171:20 | access to local variable sink38 | +| GlobalDataFlow.cs:17:27:17:40 | "taint source" | +| GlobalDataFlow.cs:18:15:18:29 | access to field SinkField0 | +| GlobalDataFlow.cs:26:15:26:32 | access to property SinkProperty0 | +| GlobalDataFlow.cs:35:13:35:30 | access to property SinkProperty0 | +| GlobalDataFlow.cs:37:35:37:52 | access to property SinkProperty0 | +| GlobalDataFlow.cs:44:30:44:39 | sinkParam2 | +| GlobalDataFlow.cs:44:50:44:59 | access to parameter sinkParam2 | +| GlobalDataFlow.cs:45:13:45:30 | access to property SinkProperty0 | +| GlobalDataFlow.cs:52:20:52:37 | access to property SinkProperty0 | +| GlobalDataFlow.cs:53:15:53:15 | x | +| GlobalDataFlow.cs:53:24:53:24 | access to parameter x | +| GlobalDataFlow.cs:53:28:53:45 | access to property SinkProperty0 | +| GlobalDataFlow.cs:54:44:54:61 | access to property SinkProperty0 | +| GlobalDataFlow.cs:55:28:55:45 | access to property SinkProperty0 | +| GlobalDataFlow.cs:56:37:56:37 | x | +| GlobalDataFlow.cs:56:46:56:46 | access to parameter x | +| GlobalDataFlow.cs:57:35:57:52 | access to property SinkProperty0 | +| GlobalDataFlow.cs:64:22:64:39 | access to property SinkProperty0 | +| GlobalDataFlow.cs:70:21:70:46 | call to method Return | +| GlobalDataFlow.cs:70:28:70:45 | access to property SinkProperty0 | +| GlobalDataFlow.cs:71:15:71:19 | access to local 
variable sink0 | +| GlobalDataFlow.cs:72:29:72:101 | call to method Invoke | +| GlobalDataFlow.cs:72:94:72:98 | access to local variable sink0 | +| GlobalDataFlow.cs:73:15:73:19 | access to local variable sink1 | +| GlobalDataFlow.cs:75:19:75:23 | access to local variable sink1 | +| GlobalDataFlow.cs:75:30:75:34 | SSA def(sink2) | +| GlobalDataFlow.cs:76:15:76:19 | access to local variable sink2 | +| GlobalDataFlow.cs:78:19:78:23 | access to local variable sink2 | +| GlobalDataFlow.cs:78:30:78:34 | SSA def(sink3) | +| GlobalDataFlow.cs:79:15:79:19 | access to local variable sink3 | +| GlobalDataFlow.cs:80:22:80:85 | call to method SelectEven | +| GlobalDataFlow.cs:80:23:80:65 | (...) ... | +| GlobalDataFlow.cs:81:15:81:20 | access to local variable sink13 | +| GlobalDataFlow.cs:82:23:82:74 | (...) ... | +| GlobalDataFlow.cs:82:84:82:94 | [implicit call] delegate creation of type Func | +| GlobalDataFlow.cs:83:15:83:20 | access to local variable sink14 | +| GlobalDataFlow.cs:84:23:84:74 | (...) ... | +| GlobalDataFlow.cs:84:125:84:135 | [implicit call] (...) => ... | +| GlobalDataFlow.cs:85:15:85:20 | access to local variable sink15 | +| GlobalDataFlow.cs:86:70:86:121 | (...) ... | +| GlobalDataFlow.cs:86:125:86:135 | [implicit call] (...) => ... | +| GlobalDataFlow.cs:87:15:87:20 | access to local variable sink16 | +| GlobalDataFlow.cs:88:22:88:27 | access to local variable sink14 | +| GlobalDataFlow.cs:88:43:88:61 | [implicit call] (...) => ... | +| GlobalDataFlow.cs:88:64:88:69 | [implicit call] (...) => ... | +| GlobalDataFlow.cs:89:15:89:20 | access to local variable sink17 | +| GlobalDataFlow.cs:90:75:90:88 | call to method First | +| GlobalDataFlow.cs:90:91:90:109 | [implicit call] (...) => ... | +| GlobalDataFlow.cs:90:112:90:117 | [implicit call] (...) => ... 
| +| GlobalDataFlow.cs:91:15:91:20 | access to local variable sink18 | +| GlobalDataFlow.cs:94:15:94:20 | access to local variable sink21 | +| GlobalDataFlow.cs:97:15:97:20 | access to local variable sink22 | +| GlobalDataFlow.cs:131:21:131:34 | delegate call | +| GlobalDataFlow.cs:131:29:131:33 | access to local variable sink3 | +| GlobalDataFlow.cs:132:15:132:19 | access to local variable sink4 | +| GlobalDataFlow.cs:139:21:139:44 | call to method ApplyFunc | +| GlobalDataFlow.cs:139:39:139:43 | access to local variable sink4 | +| GlobalDataFlow.cs:140:15:140:19 | access to local variable sink5 | +| GlobalDataFlow.cs:149:21:149:25 | call to method Out | +| GlobalDataFlow.cs:150:15:150:19 | access to local variable sink6 | +| GlobalDataFlow.cs:152:20:152:24 | SSA def(sink7) | +| GlobalDataFlow.cs:153:15:153:19 | access to local variable sink7 | +| GlobalDataFlow.cs:155:20:155:24 | SSA def(sink8) | +| GlobalDataFlow.cs:156:15:156:19 | access to local variable sink8 | +| GlobalDataFlow.cs:157:22:157:31 | call to method OutYield | +| GlobalDataFlow.cs:158:15:158:20 | access to local variable sink12 | +| GlobalDataFlow.cs:159:22:159:43 | call to method TaintedParam | +| GlobalDataFlow.cs:160:15:160:20 | access to local variable sink23 | +| GlobalDataFlow.cs:175:35:175:48 | "taint source" | +| GlobalDataFlow.cs:176:21:176:26 | delegate call | +| GlobalDataFlow.cs:177:15:177:19 | access to local variable sink9 | +| GlobalDataFlow.cs:185:39:185:41 | [implicit call] delegate creation of type Func | +| GlobalDataFlow.cs:186:15:186:20 | access to local variable sink10 | +| GlobalDataFlow.cs:193:22:193:32 | access to property OutProperty | +| GlobalDataFlow.cs:194:15:194:20 | access to local variable sink19 | +| GlobalDataFlow.cs:201:39:201:45 | tainted | +| GlobalDataFlow.cs:204:35:204:45 | sinkParam10 | +| GlobalDataFlow.cs:204:58:204:68 | access to parameter sinkParam10 | +| GlobalDataFlow.cs:205:71:205:71 | x | +| GlobalDataFlow.cs:205:89:205:89 | access to parameter x | 
+| GlobalDataFlow.cs:206:22:206:28 | access to parameter tainted | +| GlobalDataFlow.cs:206:37:206:38 | [implicit call] access to local variable f1 | +| GlobalDataFlow.cs:207:15:207:20 | access to local variable sink24 | +| GlobalDataFlow.cs:208:22:208:28 | access to parameter tainted | +| GlobalDataFlow.cs:208:37:208:38 | [implicit call] access to local variable f2 | +| GlobalDataFlow.cs:209:15:209:20 | access to local variable sink25 | +| GlobalDataFlow.cs:210:22:210:28 | access to parameter tainted | +| GlobalDataFlow.cs:210:37:210:48 | [implicit call] delegate creation of type Func | +| GlobalDataFlow.cs:211:15:211:20 | access to local variable sink26 | +| GlobalDataFlow.cs:230:26:230:35 | sinkParam0 | +| GlobalDataFlow.cs:230:26:230:35 | sinkParam0 | +| GlobalDataFlow.cs:232:16:232:25 | access to parameter sinkParam0 | +| GlobalDataFlow.cs:232:16:232:25 | access to parameter sinkParam0 | +| GlobalDataFlow.cs:233:15:233:24 | access to parameter sinkParam0 | +| GlobalDataFlow.cs:233:15:233:24 | access to parameter sinkParam0 | +| GlobalDataFlow.cs:236:26:236:35 | sinkParam1 | +| GlobalDataFlow.cs:238:15:238:24 | access to parameter sinkParam1 | +| GlobalDataFlow.cs:241:26:241:35 | sinkParam3 | +| GlobalDataFlow.cs:243:15:243:24 | access to parameter sinkParam3 | +| GlobalDataFlow.cs:246:26:246:35 | sinkParam4 | +| GlobalDataFlow.cs:248:15:248:24 | access to parameter sinkParam4 | +| GlobalDataFlow.cs:251:26:251:35 | sinkParam5 | +| GlobalDataFlow.cs:253:15:253:24 | access to parameter sinkParam5 | +| GlobalDataFlow.cs:256:26:256:35 | sinkParam6 | +| GlobalDataFlow.cs:258:15:258:24 | access to parameter sinkParam6 | +| GlobalDataFlow.cs:261:26:261:35 | sinkParam7 | +| GlobalDataFlow.cs:263:15:263:24 | access to parameter sinkParam7 | +| GlobalDataFlow.cs:287:31:287:40 | sinkParam8 | +| GlobalDataFlow.cs:289:15:289:24 | access to parameter sinkParam8 | +| GlobalDataFlow.cs:293:32:293:41 | sinkParam9 | +| GlobalDataFlow.cs:295:15:295:24 | access to parameter 
sinkParam9 | +| GlobalDataFlow.cs:299:32:299:42 | sinkParam11 | +| GlobalDataFlow.cs:301:15:301:25 | access to parameter sinkParam11 | +| GlobalDataFlow.cs:313:16:313:29 | "taint source" | +| GlobalDataFlow.cs:318:13:318:26 | "taint source" | +| GlobalDataFlow.cs:323:13:323:26 | "taint source" | +| GlobalDataFlow.cs:329:22:329:35 | "taint source" | +| GlobalDataFlow.cs:354:41:354:41 | x | +| GlobalDataFlow.cs:354:41:354:41 | x | +| GlobalDataFlow.cs:356:11:356:11 | access to parameter x | +| GlobalDataFlow.cs:356:11:356:11 | access to parameter x | +| GlobalDataFlow.cs:368:52:368:52 | x | +| GlobalDataFlow.cs:368:52:368:52 | x | +| GlobalDataFlow.cs:368:52:368:52 | x | +| GlobalDataFlow.cs:370:11:370:11 | access to parameter x | +| GlobalDataFlow.cs:370:11:370:11 | access to parameter x | +| GlobalDataFlow.cs:370:11:370:11 | access to parameter x | +| GlobalDataFlow.cs:373:39:373:45 | tainted | +| GlobalDataFlow.cs:376:15:376:20 | access to local variable sink11 | +| GlobalDataFlow.cs:377:16:377:21 | access to local variable sink11 | +| GlobalDataFlow.cs:399:9:399:11 | value | +| GlobalDataFlow.cs:399:41:399:46 | access to local variable sink20 | +| GlobalDataFlow.cs:410:22:410:35 | "taint source" | #select | GlobalDataFlow.cs:18:15:18:29 | access to field SinkField0 | access to field SinkField0 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:18:15:18:29 | access to field SinkField0 | | GlobalDataFlow.cs:71:15:71:19 | access to local variable sink0 | access to local variable sink0 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:71:15:71:19 | access to local variable sink0 |