10 changes: 6 additions & 4 deletions csharp/ql/src/Security Features/CWE-022/TaintedPath.ql
@@ -1,7 +1,7 @@
/**
* @name Uncontrolled data used in path expression
* @description Accessing paths influenced by users can allow an attacker to access unexpected resources.
* @kind problem
* @kind path-problem
* @problem.severity error
* @precision high
* @id cs/path-injection
Expand All @@ -14,7 +14,9 @@
*/
import csharp
import semmle.code.csharp.security.dataflow.TaintedPath::TaintedPath
import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph

from TaintTrackingConfiguration c, Source source, Sink sink
where c.hasFlow(source, sink)
select sink, "$@ flows to here and is used in a path.", source, "User-provided value"
from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
where c.hasFlowPath(source, sink)
select sink.getNode(), source, sink,
"$@ flows to here and is used in a path.", source.getNode(), "User-provided value"
10 changes: 6 additions & 4 deletions csharp/ql/src/Security Features/CWE-022/ZipSlip.ql
Expand Up @@ -3,7 +3,7 @@
* @description Extracting files from a malicious zip archive without validating that the
* destination file path is within the destination directory can cause files outside
* the destination directory to be overwritten.
* @kind problem
* @kind path-problem
* @id cs/zipslip
* @problem.severity error
* @precision high
Expand All @@ -13,7 +13,9 @@

import csharp
import semmle.code.csharp.security.dataflow.ZipSlip::ZipSlip
import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph

from TaintTrackingConfiguration zipTaintTracking, DataFlow::Node source, DataFlow::Node sink
where zipTaintTracking.hasFlow(source, sink)
select sink, "Unsanitized zip archive $@, which may contain '..', is used in a file system operation.", source, "item path"
from TaintTrackingConfiguration zipTaintTracking, DataFlow::PathNode source, DataFlow::PathNode sink
where zipTaintTracking.hasFlowPath(source, sink)
select sink.getNode(), source, sink,
"Unsanitized zip archive $@, which may contain '..', is used in a file system operation.", source.getNode(), "item path"
10 changes: 6 additions & 4 deletions csharp/ql/src/Security Features/CWE-078/CommandInjection.ql
Expand Up @@ -2,7 +2,7 @@
* @name Uncontrolled command line
* @description Using externally controlled strings in a command line may allow a malicious
* user to change the meaning of the command.
* @kind problem
* @kind path-problem
* @problem.severity error
* @precision high
* @id cs/command-line-injection
Expand All @@ -14,7 +14,9 @@

import csharp
import semmle.code.csharp.security.dataflow.CommandInjection::CommandInjection
import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph

from TaintTrackingConfiguration c, Source source, Sink sink
where c.hasFlow(source, sink)
select sink, "$@ flows to here and is used in a command.", source, "User-provided value"
from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
where c.hasFlowPath(source, sink)
select sink.getNode(), source, sink,
"$@ flows to here and is used in a command.", source.getNode(), "User-provided value"
Expand Up @@ -2,7 +2,7 @@
* @name Uncontrolled command line from stored user input
* @description Using externally controlled strings in a command line may allow a malicious
* user to change the meaning of the command.
* @kind problem
* @kind path-problem
* @problem.severity error
* @precision medium
* @id cs/stored-command-line-injection
Expand All @@ -15,13 +15,15 @@
import csharp
import semmle.code.csharp.security.dataflow.flowsources.Stored
import semmle.code.csharp.security.dataflow.CommandInjection::CommandInjection
import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph

class StoredTaintTrackingConfiguration extends TaintTrackingConfiguration {
override predicate isSource(DataFlow::Node source) {
source instanceof StoredFlowSource
}
}

from StoredTaintTrackingConfiguration c, StoredFlowSource source, Sink sink
where c.hasFlow(source, sink)
select sink, "$@ flows to here and is used in a command.", source, "Stored user-provided value"
from StoredTaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
where c.hasFlowPath(source, sink)
select sink.getNode(), source, sink,
"$@ flows to here and is used in a command.", source.getNode(), "Stored user-provided value"
14 changes: 8 additions & 6 deletions csharp/ql/src/Security Features/CWE-079/StoredXSS.ql
Expand Up @@ -2,7 +2,7 @@
* @name Stored cross-site scripting
* @description Writing input from the database directly to a web page indicates a cross-site
* scripting vulnerability if the data was originally user-provided.
* @kind problem
* @kind path-problem
* @problem.severity error
* @precision medium
* @id cs/web/stored-xss
Expand All @@ -13,17 +13,19 @@
import csharp
import semmle.code.csharp.security.dataflow.flowsources.Stored
import semmle.code.csharp.security.dataflow.XSS::XSS
import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph

class StoredTaintTrackingConfiguration extends TaintTrackingConfiguration {
override predicate isSource(DataFlow::Node source) {
source instanceof StoredFlowSource
}
}

from StoredTaintTrackingConfiguration c, StoredFlowSource source, Sink sink, string explanation
where c.hasFlow(source, sink)
from StoredTaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink, string explanation
where c.hasFlowPath(source, sink)
and
if exists(sink.explanation())
then explanation = ": " + sink.explanation() + "."
if exists(sink.getNode().(Sink).explanation())
then explanation = ": " + sink.getNode().(Sink).explanation() + "."
else explanation = "."
select sink, "$@ flows to here and is written to HTML or javascript" + explanation, source, "Stored user-provided value"
select sink.getNode(), source, sink,
"$@ flows to here and is written to HTML or JavaScript" + explanation, source.getNode(), "Stored user-provided value"
Expand Up @@ -2,7 +2,7 @@
* @name SQL query built from stored user-controlled sources
* @description Building a SQL query from stored user-controlled sources is vulnerable to insertion
* of malicious SQL code by the user.
* @kind problem
* @kind path-problem
* @problem.severity error
* @precision medium
* @id cs/second-order-sql-injection
Expand All @@ -13,13 +13,15 @@
import csharp
import semmle.code.csharp.security.dataflow.SqlInjection
import semmle.code.csharp.security.dataflow.flowsources.Stored
import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph

class StoredTaintTrackingConfiguration extends SqlInjection::TaintTrackingConfiguration {
override predicate isSource(DataFlow::Node source) {
source instanceof StoredFlowSource
}
}

from StoredTaintTrackingConfiguration c, DataFlow::Node source, DataFlow::Node sink
where c.hasFlow(source, sink)
select sink, "$@ flows to here and is used in an SQL query.", source, "Stored user-provided value"
from StoredTaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
where c.hasFlowPath(source, sink)
select sink.getNode(), source, sink,
"$@ flows to here and is used in an SQL query.", source.getNode(), "Stored user-provided value"
10 changes: 6 additions & 4 deletions csharp/ql/src/Security Features/CWE-089/SqlInjection.ql
Expand Up @@ -2,7 +2,7 @@
* @name SQL query built from user-controlled sources
* @description Building a SQL query from user-controlled sources is vulnerable to insertion of
* malicious SQL code by the user.
* @kind problem
* @kind path-problem
* @problem.severity error
* @precision high
* @id cs/sql-injection
Expand All @@ -12,7 +12,9 @@

import csharp
import semmle.code.csharp.security.dataflow.SqlInjection::SqlInjection
import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph

from TaintTrackingConfiguration c, RemoteFlowSource source, Sink sink
where c.hasFlow(source, sink)
select sink, "Query might include code from $@.", source, ("this " + source.getSourceType())
from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
where c.hasFlowPath(source, sink)
select sink.getNode(), source, sink,
"Query might include code from $@.", source, ("this " + source.getNode().(RemoteFlowSource).getSourceType())
10 changes: 6 additions & 4 deletions csharp/ql/src/Security Features/CWE-090/LDAPInjection.ql
Expand Up @@ -2,7 +2,7 @@
* @name LDAP query built from user-controlled sources
* @description Building an LDAP query from user-controlled sources is vulnerable to insertion of
* malicious LDAP code by the user.
* @kind problem
* @kind path-problem
* @problem.severity error
* @precision high
* @id cs/ldap-injection
Expand All @@ -11,7 +11,9 @@
*/
import csharp
import semmle.code.csharp.security.dataflow.LDAPInjection::LDAPInjection
import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph

from TaintTrackingConfiguration c, Source source, Sink sink
where c.hasFlow(source, sink)
select sink, "$@ flows to here and is used in an LDAP query.", source, "User-provided value"
from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
where c.hasFlowPath(source, sink)
select sink.getNode(), source, sink,
"$@ flows to here and is used in an LDAP query.", source.getNode(), "User-provided value"
10 changes: 6 additions & 4 deletions csharp/ql/src/Security Features/CWE-090/StoredLDAPInjection.ql
Expand Up @@ -2,7 +2,7 @@
* @name LDAP query built from stored user-controlled sources
* @description Building an LDAP query from stored user-controlled sources is vulnerable to
* insertion of malicious LDAP code by the user.
* @kind problem
* @kind path-problem
* @problem.severity error
* @precision medium
* @id cs/stored-ldap-injection
Expand All @@ -12,13 +12,15 @@
import csharp
import semmle.code.csharp.security.dataflow.LDAPInjection::LDAPInjection
import semmle.code.csharp.security.dataflow.flowsources.Stored
import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph

class StoredTaintTrackingConfiguration extends TaintTrackingConfiguration {
override predicate isSource(DataFlow::Node source) {
source instanceof StoredFlowSource
}
}

from StoredTaintTrackingConfiguration c, StoredFlowSource source, Sink sink
where c.hasFlow(source, sink)
select sink, "$@ flows to here and is used in an LDAP query.", source, "Stored user-provided value"
from StoredTaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
where c.hasFlowPath(source, sink)
select sink.getNode(), source, sink,
"$@ flows to here and is used in an LDAP query.", source.getNode(), "Stored user-provided value"
10 changes: 6 additions & 4 deletions csharp/ql/src/Security Features/CWE-094/CodeInjection.ql
Expand Up @@ -2,7 +2,7 @@
* @name Improper control of generation of code
* @description Treating externally controlled strings as code can allow an attacker to execute
* malicious code.
* @kind problem
* @kind path-problem
* @problem.severity error
* @precision high
* @id cs/code-injection
Expand All @@ -13,7 +13,9 @@
*/
import csharp
import semmle.code.csharp.security.dataflow.CodeInjection::CodeInjection
import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph

from TaintTrackingConfiguration c, Source source, Sink sink
where c.hasFlow(source, sink)
select sink, "$@ flows to here and is compiled as code.", source, "User-provided value"
from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
where c.hasFlowPath(source, sink)
select sink.getNode(), source, sink,
"$@ flows to here and is compiled as code.", source.getNode(), "User-provided value"
10 changes: 6 additions & 4 deletions csharp/ql/src/Security Features/CWE-099/ResourceInjection.ql
Expand Up @@ -2,7 +2,7 @@
* @name Resource injection
* @description Building a resource descriptor from untrusted user input is vulnerable to a
* malicious user providing an unintended resource.
* @kind problem
* @kind path-problem
* @problem.severity error
* @precision high
* @id cs/resource-injection
Expand All @@ -11,7 +11,9 @@
*/
import csharp
import semmle.code.csharp.security.dataflow.ResourceInjection::ResourceInjection
import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph

from TaintTrackingConfiguration c, Source source, Sink sink
where c.hasFlow(source, sink)
select sink, "$@ flows to here and is used in a resource descriptor.", source, "User-provided value"
from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
where c.hasFlowPath(source, sink)
select sink.getNode(), source, sink,
"$@ flows to here and is used in a resource descriptor.", source.getNode(), "User-provided value"
10 changes: 6 additions & 4 deletions csharp/ql/src/Security Features/CWE-112/MissingXMLValidation.ql
Expand Up @@ -2,7 +2,7 @@
* @name Missing XML validation
* @description User input should not be processed as XML without validating it against a known
* schema.
* @kind problem
* @kind path-problem
* @problem.severity recommendation
* @precision high
* @id cs/xml/missing-validation
Expand All @@ -11,7 +11,9 @@
*/
import csharp
import semmle.code.csharp.security.dataflow.MissingXMLValidation::MissingXMLValidation
import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph

from TaintTrackingConfiguration c, Source source, Sink sink
where c.hasFlow(source, sink)
select sink, "$@ flows to here and is processed as XML without validation because " + sink.getReason(), source, "User-provided value"
from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
where c.hasFlowPath(source, sink)
select sink.getNode(), source, sink,
"$@ flows to here and is processed as XML without validation because " + sink.getNode().(Sink).getReason(), source.getNode(), "User-provided value"
10 changes: 6 additions & 4 deletions csharp/ql/src/Security Features/CWE-117/LogForging.ql
Expand Up @@ -2,7 +2,7 @@
* @name Log entries created from user input
* @description Building log entries from user-controlled sources is vulnerable to
* insertion of forged log entries by a malicious user.
* @kind problem
* @kind path-problem
* @problem.severity error
* @precision high
* @id cs/log-forging
Expand All @@ -11,7 +11,9 @@
*/
import csharp
import semmle.code.csharp.security.dataflow.LogForging::LogForging
import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph

from TaintTrackingConfiguration c, Source source, Sink sink
where c.hasFlow(source, sink)
select sink, "$@ flows to log entry.", source, "User-provided value"
from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
where c.hasFlowPath(source, sink)
select sink.getNode(), source, sink,
"$@ flows to log entry.", source.getNode(), "User-provided value"
@@ -1,7 +1,7 @@
/**
* @name Information exposure through transmitted data
* @description Transmitting sensitive information to the user is a potential security risk.
* @kind problem
* @kind path-problem
* @problem.severity error
* @precision high
* @id cs/sensitive-data-transmission
Expand All @@ -15,6 +15,7 @@ import semmle.code.csharp.security.dataflow.XSS
import semmle.code.csharp.security.dataflow.Email
import semmle.code.csharp.frameworks.system.data.Common
import semmle.code.csharp.frameworks.System
import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph

class TaintTrackingConfiguration extends TaintTracking::Configuration {
TaintTrackingConfiguration() {
Expand Down Expand Up @@ -49,6 +50,7 @@ class TaintTrackingConfiguration extends TaintTracking::Configuration {
}
}

from TaintTrackingConfiguration configuration, DataFlow::Node source, DataFlow::Node sink
where configuration.hasFlow(source, sink)
select sink, "Sensitive information from $@ flows to here, and is transmitted to the user.", source, source.toString()
from TaintTrackingConfiguration configuration, DataFlow::PathNode source, DataFlow::PathNode sink
where configuration.hasFlowPath(source, sink)
select sink.getNode(), source, sink,
"Sensitive information from $@ flows to here, and is transmitted to the user.", source.getNode(), source.toString()
Expand Up @@ -3,7 +3,7 @@
* @description Leaking information about an exception, such as messages and stack traces, to an
* external user can expose implementation details that are useful to an attacker for
* developing a subsequent exploit.
* @kind problem
* @kind path-problem
* @problem.severity error
* @precision high
* @id cs/information-exposure-through-exception
Expand All @@ -15,6 +15,7 @@
import csharp
import semmle.code.csharp.frameworks.System
import semmle.code.csharp.security.dataflow.XSS
import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph

/**
* A taint-tracking configuration for reasoning about stack traces that flow to web page outputs.
Expand Down Expand Up @@ -56,6 +57,7 @@ class TaintTrackingConfiguration extends TaintTracking::Configuration {
}
}

from TaintTrackingConfiguration c, DataFlow::Node source, DataFlow::Node sink
where c.hasFlow(source, sink)
select sink, "Exception information from $@ flows to here, and is exposed to the user.", source, source.toString()
from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
where c.hasFlowPath(source, sink)
select sink.getNode(), source, sink,
"Exception information from $@ flows to here, and is exposed to the user.", source.getNode(), source.toString()
10 changes: 6 additions & 4 deletions csharp/ql/src/Security Features/CWE-312/CleartextStorage.ql
Expand Up @@ -2,7 +2,7 @@
* @name Clear text storage of sensitive information
* @description Sensitive information stored without encryption or hashing can expose it to an
* attacker.
* @kind problem
* @kind path-problem
* @problem.severity error
* @precision high
* @id cs/cleartext-storage-of-sensitive-information
Expand All @@ -13,7 +13,9 @@
*/
import csharp
import semmle.code.csharp.security.dataflow.CleartextStorage::CleartextStorage
import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph

from TaintTrackingConfiguration c, Source source, Sink sink
where c.hasFlow(source, sink)
select sink, "Sensitive data returned by $@ is stored here.", source, source.toString()
from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
where c.hasFlowPath(source, sink)
select sink.getNode(), source, sink,
"Sensitive data returned by $@ is stored here.", source.getNode(), source.toString()