diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/CodeInjectionQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/CodeInjectionQuery.qll index 1256ae5a7ee4..e33c4e37d282 100644 --- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/CodeInjectionQuery.qll +++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/CodeInjectionQuery.qll @@ -3,6 +3,7 @@ */ import csharp +private import semmle.code.csharp.security.dataflow.flowsinks.FlowSinks private import semmle.code.csharp.security.dataflow.flowsources.FlowSources private import semmle.code.csharp.frameworks.system.codedom.Compiler private import semmle.code.csharp.security.Sanitizers @@ -16,7 +17,7 @@ abstract class Source extends DataFlow::Node { } /** * A data flow sink for user input treated as code vulnerabilities. */ -abstract class Sink extends DataFlow::ExprNode { } +abstract class Sink extends ApiSinkExprNode { } /** * A sanitizer for user input treated as code vulnerabilities. diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/ConditionalBypassQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/ConditionalBypassQuery.qll index a8938ecc6c90..cd7119a36af5 100644 --- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/ConditionalBypassQuery.qll +++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/ConditionalBypassQuery.qll @@ -6,6 +6,7 @@ import csharp private import semmle.code.csharp.controlflow.Guards private import semmle.code.csharp.controlflow.BasicBlocks +private import semmle.code.csharp.security.dataflow.flowsinks.FlowSinks private import semmle.code.csharp.security.dataflow.flowsources.FlowSources private import semmle.code.csharp.frameworks.System private import semmle.code.csharp.frameworks.system.Net 
@@ -14,12 +15,12 @@ private import semmle.code.csharp.security.SensitiveActions /** * A data flow source for user-controlled bypass of sensitive method. */ -abstract class Source extends DataFlow::Node { } +abstract class Source extends ApiSourceNode { } /** * A data flow sink for user-controlled bypass of sensitive method. */ -abstract class Sink extends DataFlow::ExprNode { +abstract class Sink extends ApiSinkExprNode { /** Gets the 'MethodCall' which is considered sensitive. */ abstract MethodCall getSensitiveMethodCall(); } diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/ExposureOfPrivateInformationQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/ExposureOfPrivateInformationQuery.qll index 03db7fadf811..1e5f5ae82567 100644 --- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/ExposureOfPrivateInformationQuery.qll +++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/ExposureOfPrivateInformationQuery.qll @@ -3,6 +3,7 @@ */ import csharp +private import semmle.code.csharp.security.dataflow.flowsinks.FlowSinks private import semmle.code.csharp.security.dataflow.flowsources.FlowSources private import semmle.code.csharp.security.dataflow.flowsinks.ExternalLocationSink private import semmle.code.csharp.security.PrivateData @@ -15,7 +16,7 @@ abstract class Source extends DataFlow::ExprNode { } /** * A data flow sink for private information flowing unencrypted to an external location. */ -abstract class Sink extends DataFlow::ExprNode { } +abstract class Sink extends ApiSinkExprNode { } /** * A sanitizer for private information flowing unencrypted to an external location. diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/HardcodedCredentialsQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/HardcodedCredentialsQuery.qll index dd6669579e1e..63a0bb50732e 100644 --- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/HardcodedCredentialsQuery.qll 
+++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/HardcodedCredentialsQuery.qll @@ -9,6 +9,7 @@ private import semmle.code.csharp.frameworks.Moq private import semmle.code.csharp.frameworks.system.web.Security private import semmle.code.csharp.frameworks.system.security.cryptography.X509Certificates private import semmle.code.csharp.frameworks.Test +private import semmle.code.csharp.security.dataflow.flowsinks.FlowSinks /** * A data flow source for hard coded credentials. @@ -18,7 +19,7 @@ abstract class Source extends DataFlow::ExprNode { } /** * A data flow sink for hard coded credentials. */ -abstract class Sink extends DataFlow::ExprNode { +abstract class Sink extends ApiSinkExprNode { /** * Gets a description of this sink, including a placeholder for the sink and a placeholder for * the supplementary element. diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/LDAPInjectionQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/LDAPInjectionQuery.qll index 58a34f7604bd..78800f392097 100644 --- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/LDAPInjectionQuery.qll +++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/LDAPInjectionQuery.qll @@ -4,6 +4,7 @@ */ import csharp +private import semmle.code.csharp.security.dataflow.flowsinks.FlowSinks private import semmle.code.csharp.security.dataflow.flowsources.FlowSources private import semmle.code.csharp.frameworks.system.DirectoryServices private import semmle.code.csharp.frameworks.system.directoryservices.Protocols @@ -18,7 +19,7 @@ abstract class Source extends DataFlow::Node { } /** * A data flow sink for unvalidated user input that is used to construct LDAP queries. */ -abstract class Sink extends DataFlow::ExprNode { } +abstract class Sink extends ApiSinkExprNode { } /** * A sanitizer for unvalidated user input that is used to construct LDAP queries. 
diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/LogForgingQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/LogForgingQuery.qll index ed6e69f0709c..f0153fea2d4f 100644 --- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/LogForgingQuery.qll +++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/LogForgingQuery.qll @@ -3,6 +3,7 @@ */ import csharp +private import semmle.code.csharp.security.dataflow.flowsinks.FlowSinks private import semmle.code.csharp.security.dataflow.flowsources.FlowSources private import semmle.code.csharp.frameworks.System private import semmle.code.csharp.frameworks.system.text.RegularExpressions @@ -18,7 +19,7 @@ abstract class Source extends DataFlow::Node { } /** * A data flow sink for untrusted user input used in log entries. */ -abstract class Sink extends DataFlow::ExprNode { } +abstract class Sink extends ApiSinkExprNode { } /** * A sanitizer for untrusted user input used in log entries. diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/MissingXMLValidationQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/MissingXMLValidationQuery.qll index 914239bf7d5b..b2934d31edac 100644 --- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/MissingXMLValidationQuery.qll +++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/MissingXMLValidationQuery.qll @@ -4,6 +4,7 @@ */ import csharp +private import semmle.code.csharp.security.dataflow.flowsinks.FlowSinks private import semmle.code.csharp.security.dataflow.flowsources.FlowSources private import semmle.code.csharp.frameworks.system.Xml private import semmle.code.csharp.security.Sanitizers 
@@ -18,7 +19,7 @@ abstract class Source extends DataFlow::Node { } * A data flow sink for untrusted user input processed as XML without validation against a known * schema. */ -abstract class Sink extends DataFlow::ExprNode { +abstract class Sink extends ApiSinkExprNode { /** Gets a string describing the reason why this is a sink. */ abstract string getReason(); } diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/ReDoSQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/ReDoSQuery.qll index 84d12fca0ccd..bf4fbd993233 100644 --- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/ReDoSQuery.qll +++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/ReDoSQuery.qll @@ -5,6 +5,7 @@ import csharp private import semmle.code.csharp.dataflow.DataFlow2 +private import semmle.code.csharp.security.dataflow.flowsinks.FlowSinks private import semmle.code.csharp.security.dataflow.flowsources.FlowSources private import semmle.code.csharp.frameworks.system.text.RegularExpressions private import semmle.code.csharp.security.Sanitizers @@ -17,7 +18,7 @@ abstract class Source extends DataFlow::Node { } /** * A data flow sink for untrusted user input used in dangerous regular expression operations. */ -abstract class Sink extends DataFlow::ExprNode { } +abstract class Sink extends ApiSinkExprNode { } /** * A sanitizer for untrusted user input used in dangerous regular expression operations. diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/RegexInjectionQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/RegexInjectionQuery.qll index 501ede13f299..1a053c29f24d 100644 --- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/RegexInjectionQuery.qll +++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/RegexInjectionQuery.qll 
@@ -4,6 +4,7 @@ */ import csharp +private import semmle.code.csharp.security.dataflow.flowsinks.FlowSinks private import semmle.code.csharp.security.dataflow.flowsources.FlowSources private import semmle.code.csharp.frameworks.system.text.RegularExpressions private import semmle.code.csharp.security.Sanitizers @@ -16,7 +17,7 @@ abstract class Source extends DataFlow::Node { } /** * A data flow sink for untrusted user input used to construct regular expressions. */ -abstract class Sink extends DataFlow::ExprNode { } +abstract class Sink extends ApiSinkExprNode { } /** * A sanitizer for untrusted user input used to construct regular expressions. diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/ResourceInjectionQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/ResourceInjectionQuery.qll index a66283de02a7..fb016dcddae6 100644 --- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/ResourceInjectionQuery.qll +++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/ResourceInjectionQuery.qll @@ -3,6 +3,7 @@ */ import csharp +private import semmle.code.csharp.security.dataflow.flowsinks.FlowSinks private import semmle.code.csharp.security.dataflow.flowsources.FlowSources private import semmle.code.csharp.frameworks.system.Data private import semmle.code.csharp.security.Sanitizers @@ -15,7 +16,7 @@ abstract class Source extends DataFlow::Node { } /** * A data flow sink for untrusted user input used in resource descriptors. */ -abstract class Sink extends DataFlow::ExprNode { } +abstract class Sink extends ApiSinkExprNode { } /** * A sanitizer for untrusted user input used in resource descriptors. diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/SqlInjectionQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/SqlInjectionQuery.qll index b7b198bbca0e..6473aa58e1cc 100644 --- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/SqlInjectionQuery.qll 
+++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/SqlInjectionQuery.qll @@ -3,6 +3,7 @@ */ import csharp +private import semmle.code.csharp.security.dataflow.flowsinks.FlowSinks private import semmle.code.csharp.security.dataflow.flowsources.FlowSources private import semmle.code.csharp.frameworks.Sql private import semmle.code.csharp.security.Sanitizers @@ -16,7 +17,7 @@ abstract class Source extends DataFlow::Node { } /** * A sink for SQL injection vulnerabilities. */ -abstract class Sink extends DataFlow::ExprNode { } +abstract class Sink extends ApiSinkExprNode { } /** * A sanitizer for SQL injection vulnerabilities. diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/TaintedPathQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/TaintedPathQuery.qll index bbd32b583533..ca2b13439cee 100644 --- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/TaintedPathQuery.qll +++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/TaintedPathQuery.qll @@ -5,6 +5,7 @@ import csharp private import semmle.code.csharp.controlflow.Guards +private import semmle.code.csharp.security.dataflow.flowsinks.FlowSinks private import semmle.code.csharp.security.dataflow.flowsources.FlowSources private import semmle.code.csharp.frameworks.system.IO private import semmle.code.csharp.frameworks.system.Web @@ -18,7 +19,7 @@ abstract class Source extends DataFlow::Node { } /** * A data flow sink for uncontrolled data in path expression vulnerabilities. */ -abstract class Sink extends DataFlow::ExprNode { } +abstract class Sink extends ApiSinkExprNode { } /** * A sanitizer for uncontrolled data in path expression vulnerabilities. diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/UnsafeDeserializationQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/UnsafeDeserializationQuery.qll index 6de1305a11d1..a5341aca42f8 100644 --- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/UnsafeDeserializationQuery.qll 
+++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/UnsafeDeserializationQuery.qll @@ -6,6 +6,7 @@ import csharp private import semmle.code.csharp.serialization.Deserializers private import semmle.code.csharp.dataflow.TaintTracking2 +private import semmle.code.csharp.security.dataflow.flowsinks.FlowSinks private import semmle.code.csharp.security.dataflow.flowsources.FlowSources /** @@ -16,7 +17,7 @@ abstract class Source extends DataFlow::Node { } /** * A data flow sink for unsafe deserialization vulnerabilities. */ -abstract class Sink extends DataFlow::Node { } +abstract class Sink extends ApiSinkNode { } /** * A data flow sink for unsafe deserialization vulnerabilities to an instance method. diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/UrlRedirectQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/UrlRedirectQuery.qll index 9a5ec46cb37a..b21d5846bf56 100644 --- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/UrlRedirectQuery.qll +++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/UrlRedirectQuery.qll @@ -3,6 +3,7 @@ */ import csharp +private import semmle.code.csharp.security.dataflow.flowsinks.FlowSinks private import semmle.code.csharp.security.dataflow.flowsources.FlowSources private import semmle.code.csharp.controlflow.Guards private import semmle.code.csharp.frameworks.Format @@ -20,7 +21,7 @@ abstract class Source extends DataFlow::Node { } /** * A data flow sink for unvalidated URL redirect vulnerabilities. */ -abstract class Sink extends DataFlow::ExprNode { } +abstract class Sink extends ApiSinkExprNode { } /** * A sanitizer for unvalidated URL redirect vulnerabilities. diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/XMLEntityInjectionQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/XMLEntityInjectionQuery.qll index 7e7fd61fb1c9..0bb842adf79d 100644 --- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/XMLEntityInjectionQuery.qll 
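Review bot: Only `Sink` is rebased onto `ApiSinkNode` in UnsafeDeserializationQuery.qll, while the trailing context of the same hunk opens the QLDoc of a second sink class ("... to an instance method") whose declaration lies outside the hunk. If that class, or any other sink class in this file, derives directly from `DataFlow::Node` rather than from `Sink`, the deserialization calls it matches will presumably not count as supported sinks for telemetry. Either rebase those classes too, or state the limit in the QLDoc of `Sink`, for example `* Only this class feeds ApiSinkNode; the method-specific sink classes in this file are not included.`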
+++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/XMLEntityInjectionQuery.qll @@ -3,6 +3,7 @@ */ import csharp +private import semmle.code.csharp.security.dataflow.flowsinks.FlowSinks private import semmle.code.csharp.security.dataflow.flowsources.FlowSources private import semmle.code.csharp.frameworks.System private import semmle.code.csharp.frameworks.system.text.RegularExpressions @@ -19,7 +20,7 @@ private class ThreatModelSource extends Source instanceof ThreatModelFlowSource /** * A data flow sink for untrusted user input used in XML processing. */ -abstract class Sink extends DataFlow::ExprNode { +abstract class Sink extends ApiSinkExprNode { /** * Gets the reason for the insecurity of this sink. */ diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/XPathInjectionQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/XPathInjectionQuery.qll index 1edddf45f56f..c471a4324251 100644 --- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/XPathInjectionQuery.qll +++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/XPathInjectionQuery.qll @@ -3,6 +3,7 @@ */ import csharp +private import semmle.code.csharp.security.dataflow.flowsinks.FlowSinks private import semmle.code.csharp.security.dataflow.flowsources.FlowSources private import semmle.code.csharp.frameworks.system.xml.XPath private import semmle.code.csharp.frameworks.system.Xml @@ -16,7 +17,7 @@ abstract class Source extends DataFlow::Node { } /** * A data flow sink for untrusted user input used in XPath expression. */ -abstract class Sink extends DataFlow::ExprNode { } +abstract class Sink extends ApiSinkExprNode { } /** * A sanitizer for untrusted user input used in XPath expression. diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/ZipSlipQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/ZipSlipQuery.qll index a83bb8b4f5a4..93e7b601585d 100644 --- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/ZipSlipQuery.qll 
+++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/ZipSlipQuery.qll @@ -4,6 +4,7 @@ import csharp private import semmle.code.csharp.controlflow.Guards +private import semmle.code.csharp.security.dataflow.flowsinks.FlowSinks /** * A data flow source for unsafe zip extraction. @@ -13,7 +14,7 @@ abstract class Source extends DataFlow::Node { } /** * A data flow sink for unsafe zip extraction. */ -abstract class Sink extends DataFlow::ExprNode { } +abstract class Sink extends ApiSinkExprNode { } /** * A sanitizer for unsafe zip extraction. diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsinks/AllSinks.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsinks/AllSinks.qll deleted file mode 100644 index bf601bdf9b66..000000000000 --- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsinks/AllSinks.qll +++ /dev/null 
@@ -1,84 +0,0 @@
-/** Provides classes representing various flow sinks for data flow / taint tracking. */
-
-private import semmle.code.csharp.dataflow.internal.ExternalFlow
-
-/**
- * A data flow sink node.
- */
-abstract class SinkNode extends DataFlow::Node { }
-
-/**
- * Module that adds all sinks to `SinkNode`, excluding sinks for cryptography based
- * queries, and queries where sinks are not succifiently explicit.
- */
-private module AllSinks {
- private import ParallelSink as ParallelSink
- private import Remote as Remote
- private import semmle.code.csharp.security.dataflow.CodeInjectionQuery as CodeInjectionQuery
- private import semmle.code.csharp.security.dataflow.ConditionalBypassQuery as ConditionalBypassQuery
- private import semmle.code.csharp.security.dataflow.ExposureOfPrivateInformationQuery as ExposureOfPrivateInformationQuery
- private import semmle.code.csharp.security.dataflow.HardcodedCredentialsQuery as HardcodedCredentialsQuery
- private import semmle.code.csharp.security.dataflow.LDAPInjectionQuery as LdapInjectionQuery
- private import semmle.code.csharp.security.dataflow.LogForgingQuery as LogForgingQuery
- private import semmle.code.csharp.security.dataflow.MissingXMLValidationQuery as MissingXmlValidationQuery
- private import semmle.code.csharp.security.dataflow.ReDoSQuery as ReDosQuery
- private import semmle.code.csharp.security.dataflow.RegexInjectionQuery as RegexInjectionQuery
- private import semmle.code.csharp.security.dataflow.ResourceInjectionQuery as ResourceInjectionQuery
- private import semmle.code.csharp.security.dataflow.SqlInjectionQuery as SqlInjectionQuery
- private import semmle.code.csharp.security.dataflow.TaintedPathQuery as TaintedPathQuery
- private import semmle.code.csharp.security.dataflow.UnsafeDeserializationQuery as UnsafeDeserializationQuery
- private import semmle.code.csharp.security.dataflow.UrlRedirectQuery as UrlRedirectQuery
- private import semmle.code.csharp.security.dataflow.XMLEntityInjectionQuery as XmlEntityInjectionQuery
- private import semmle.code.csharp.security.dataflow.XPathInjectionQuery as XpathInjectionQuery
- private import semmle.code.csharp.security.dataflow.XSSSinks as XssSinks
- private import semmle.code.csharp.security.dataflow.ZipSlipQuery as ZipSlipQuery
-
- private class ParallelSink extends SinkNode instanceof ParallelSink::ParallelSink { }
-
- private class RemoteSinkFlowSinks extends SinkNode instanceof Remote::RemoteFlowSink { }
-
- private class CodeInjectionSink extends SinkNode instanceof CodeInjectionQuery::Sink { }
-
- private class ConditionalBypassSink extends SinkNode instanceof ConditionalBypassQuery::Sink { }
-
- private class ExposureOfPrivateInformationSink extends SinkNode instanceof ExposureOfPrivateInformationQuery::Sink
- { }
-
- private class HardcodedCredentialsSink extends SinkNode instanceof HardcodedCredentialsQuery::Sink
- { }
-
- private class LdapInjectionSink extends SinkNode instanceof LdapInjectionQuery::Sink { }
-
- private class LogForgingSink extends SinkNode instanceof LogForgingQuery::Sink { }
-
- private class MissingXmlValidationSink extends SinkNode instanceof MissingXmlValidationQuery::Sink
- { }
-
- private class ReDosSink extends SinkNode instanceof ReDosQuery::Sink { }
-
- private class RegexInjectionSink extends SinkNode instanceof RegexInjectionQuery::Sink { }
-
- private class ResourceInjectionSink extends SinkNode instanceof ResourceInjectionQuery::Sink { }
-
- private class SqlInjectionSink extends SinkNode instanceof SqlInjectionQuery::Sink { }
-
- private class TaintedPathSink extends SinkNode instanceof TaintedPathQuery::Sink { }
-
- private class UnsafeDeserializationSink extends SinkNode instanceof UnsafeDeserializationQuery::Sink
- { }
-
- private class UrlRedirectSink extends SinkNode instanceof UrlRedirectQuery::Sink { }
-
- private class XmlEntityInjectionSink extends SinkNode instanceof XmlEntityInjectionQuery::Sink { }
-
- private class XpathInjectionSink extends SinkNode instanceof XpathInjectionQuery::Sink { }
-
- private class XssSink extends SinkNode instanceof XssSinks::Sink { }
-
- /**
- * Add all models as data sinks.
- */
- private class SinkNodeExternal extends SinkNode {
- SinkNodeExternal() { sinkNode(this, _) }
- }
-}
diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsinks/ApiSinks.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsinks/ApiSinks.qll
new file mode 100644
index 000000000000..15c64b45ca08
--- /dev/null
+++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsinks/ApiSinks.qll
@@ -0,0 +1,35 @@
+/** Provides classes representing various flow sinks for data flow / taint tracking. */
+
+private import semmle.code.csharp.dataflow.internal.ExternalFlow
+private import semmle.code.csharp.security.dataflow.flowsinks.FlowSinks
+
+/**
+ * A data flow sink node.
+ */
+final class SinkNode = ApiSinkNode;
+
+/**
+ * Module that adds all API like sinks to `SinkNode`, excluding sinks for cryptography based
+ * queries, and queries where sinks are not sufficiently defined (eg. using broad method name matching).
+ */
+private module AllApiSinks {
+ private import ParallelSink
+ private import Remote
+ private import semmle.code.csharp.security.dataflow.CodeInjectionQuery as CodeInjectionQuery
+ private import semmle.code.csharp.security.dataflow.ConditionalBypassQuery as ConditionalBypassQuery
+ private import semmle.code.csharp.security.dataflow.ExposureOfPrivateInformationQuery as ExposureOfPrivateInformationQuery
+ private import semmle.code.csharp.security.dataflow.HardcodedCredentialsQuery as HardcodedCredentialsQuery
+ private import semmle.code.csharp.security.dataflow.LDAPInjectionQuery as LdapInjectionQuery
+ private import semmle.code.csharp.security.dataflow.LogForgingQuery as LogForgingQuery
+ private import semmle.code.csharp.security.dataflow.MissingXMLValidationQuery as MissingXmlValidationQuery
+ private import semmle.code.csharp.security.dataflow.ReDoSQuery as ReDosQuery
+ private import semmle.code.csharp.security.dataflow.RegexInjectionQuery as RegexInjectionQuery
+ private import semmle.code.csharp.security.dataflow.ResourceInjectionQuery as ResourceInjectionQuery
+ private import semmle.code.csharp.security.dataflow.SqlInjectionQuery as SqlInjectionQuery
+ private import semmle.code.csharp.security.dataflow.TaintedPathQuery as TaintedPathQuery
+ private import semmle.code.csharp.security.dataflow.UnsafeDeserializationQuery as UnsafeDeserializationQuery
+ private import semmle.code.csharp.security.dataflow.UrlRedirectQuery as
UrlRedirectQuery + private import semmle.code.csharp.security.dataflow.XMLEntityInjectionQuery as XmlEntityInjectionQuery + private import semmle.code.csharp.security.dataflow.XPathInjectionQuery as XpathInjectionQuery + private import semmle.code.csharp.security.dataflow.ZipSlipQuery as ZipSlipQuery +} diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsinks/ExternalLocationSink.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsinks/ExternalLocationSink.qll index abd1ad92733e..3bcfdde669a4 100644 --- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsinks/ExternalLocationSink.qll +++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsinks/ExternalLocationSink.qll @@ -3,6 +3,7 @@ */ import csharp +private import FlowSinks private import Remote private import semmle.code.csharp.commons.Loggers private import semmle.code.csharp.frameworks.system.Web @@ -16,7 +17,7 @@ private import semmle.code.csharp.dataflow.internal.ExternalFlow * which the application may have no access control. For example, files on a local or remote * filesystem (including log files and cookies). */ -abstract class ExternalLocationSink extends DataFlow::ExprNode { } +abstract class ExternalLocationSink extends ApiSinkExprNode { } private class ExternalModelSink extends ExternalLocationSink { ExternalModelSink() { sinkNode(this, "file-content-store") } diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsinks/FlowSinks.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsinks/FlowSinks.qll new file mode 100644 index 000000000000..0c5bf14e65cf --- /dev/null +++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsinks/FlowSinks.qll 
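Review bot: `AllApiSinks` in the new ApiSinks.qll no longer imports `semmle.code.csharp.security.dataflow.XSSSinks`, which the deleted `AllSinks` module mapped into `SinkNode` through `XssSink`, and XSSSinks.qll is not part of this diff, so nothing visible makes `XssSinks::Sink` an `ApiSinkNode`. Unless those sinks reach `ApiSinkNode` through `RemoteFlowSink` (Remote.qll does import XSSSinks), `ExternalApi.isSink()` will stop recognising them and the supported-API figures will under-report XSS coverage; a telemetry test would confirm this either way. Separately, `private import semmle.code.csharp.dataflow.internal.ExternalFlow` appears unused in this file now that the `sinkNode(this, _)` class lives in FlowSinks.qll. The module QLDoc should also say that the aliased imports exist only to bring each query library's concrete `ApiSinkNode` subclasses into scope, since the module body otherwise looks like dead code.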
@@ -0,0 +1,23 @@ +/** Provides classes representing various flow sinks for data flow / taint tracking. */ + +private import csharp +private import semmle.code.csharp.dataflow.internal.ExternalFlow + +/** + * A data flow sink node for an API, which should be considered + * supported from a modeling perspective. + */ +abstract class ApiSinkNode extends DataFlow::Node { } + +/** + * A data flow sink expression node for an API, which should be considered + * supported from a modeling perspective. + */ +abstract class ApiSinkExprNode extends ApiSinkNode, DataFlow::ExprNode { } + +/** + * Add all sink models as data sinks. + */ +private class ApiSinkNodeExternal extends ApiSinkNode { + ApiSinkNodeExternal() { sinkNode(this, _) } +} diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsinks/ParallelSink.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsinks/ParallelSink.qll index 5e53c9bd8fd2..1546d72887d5 100644 --- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsinks/ParallelSink.qll +++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsinks/ParallelSink.qll @@ -3,11 +3,12 @@ */ import csharp +private import FlowSinks /** * A data flow sink node for parallel execution. */ -abstract class ParallelSink extends DataFlow::Node { } +abstract class ParallelSink extends ApiSinkNode { } /** * A data flow sink node for lambda parallel sink. diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsinks/Remote.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsinks/Remote.qll index 0770a948b095..b58beb38ca59 100644 --- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsinks/Remote.qll +++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsinks/Remote.qll 
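Review bot: `ApiSinkNodeExternal` in FlowSinks.qll calls `sinkNode(this, _)` with an unconstrained kind, so every modeled sink counts as an API sink, including any kinds belonging to the query families that the `AllApiSinks` comment describes as excluded (cryptography). That matches the deleted `SinkNodeExternal`, so it is presumably intended, but the QLDoc should say so, e.g. `/** Adds every modeled sink, whatever its kind, as an API sink. */`. The QLDoc on `ApiSinkNode` and `ApiSinkExprNode` could also name what "supported from a modeling perspective" feeds; as far as this diff shows, that is the `isSink()` predicate in Telemetry/ExternalApi.qll.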
@@ -5,12 +5,13 @@ import csharp private import Email::Email private import ExternalLocationSink +private import FlowSinks private import Html private import semmle.code.csharp.security.dataflow.XSSSinks as XssSinks private import semmle.code.csharp.frameworks.system.web.UI /** A data flow sink of remote user output. */ -abstract class RemoteFlowSink extends DataFlow::Node { } +abstract class RemoteFlowSink extends ApiSinkNode { } /** * A value written to the `[Inner]Text` property of an object defined in the diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/AllSources.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/AllSources.qll deleted file mode 100644 index 7d05500446a4..000000000000 --- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/AllSources.qll +++ /dev/null 
@@ -1,77 +0,0 @@
-/** Provides classes representing various flow sources for data flow / taint tracking. */
-
-private import semmle.code.csharp.dataflow.internal.ExternalFlow
-
-/**
- * A data flow source node.
- */
-abstract class SourceNode extends DataFlow::Node { }
-
-/**
- * Module that adds all sources to `SourceNode`, excluding source for cryptography based
- * queries, and queries where sources are not succifiently explicit or mainly hardcoded constants.
- */
-private module AllSources {
- private import FlowSources as FlowSources
- private import semmle.code.csharp.security.cryptography.HardcodedSymmetricEncryptionKey
- private import semmle.code.csharp.security.dataflow.CleartextStorageQuery as CleartextStorageQuery
- private import semmle.code.csharp.security.dataflow.CodeInjectionQuery as CodeInjectionQuery
- private import semmle.code.csharp.security.dataflow.ConditionalBypassQuery as ConditionalBypassQuery
- private import semmle.code.csharp.security.dataflow.ExposureOfPrivateInformationQuery as ExposureOfPrivateInformationQuery
- private import semmle.code.csharp.security.dataflow.HardcodedCredentialsQuery as HardcodedCredentialsQuery
- private import semmle.code.csharp.security.dataflow.LDAPInjectionQuery as LdapInjectionQuery
- private import semmle.code.csharp.security.dataflow.LogForgingQuery as LogForgingQuery
- private import semmle.code.csharp.security.dataflow.MissingXMLValidationQuery as MissingXmlValidationQuery
- private import semmle.code.csharp.security.dataflow.ReDoSQuery as ReDosQuery
- private import semmle.code.csharp.security.dataflow.RegexInjectionQuery as RegexInjectionQuery
- private import semmle.code.csharp.security.dataflow.ResourceInjectionQuery as ResourceInjectionQuery
- private import semmle.code.csharp.security.dataflow.SqlInjectionQuery as SqlInjectionQuery
- private import semmle.code.csharp.security.dataflow.TaintedPathQuery as TaintedPathQuery
- private import semmle.code.csharp.security.dataflow.UnsafeDeserializationQuery as UnsafeDeserializationQuery
- private import semmle.code.csharp.security.dataflow.UrlRedirectQuery as UrlRedirectQuery
- private import semmle.code.csharp.security.dataflow.XMLEntityInjectionQuery as XmlEntityInjectionQuery
- private import semmle.code.csharp.security.dataflow.XPathInjectionQuery as XpathInjectionQuery
- private import semmle.code.csharp.security.dataflow.ZipSlipQuery as ZipSlipQuery
-
- private class FlowSourcesSources extends SourceNode instanceof FlowSources::SourceNode { }
-
- private class CodeInjectionSource extends SourceNode instanceof CodeInjectionQuery::Source { }
-
- private class ConditionalBypassSource extends SourceNode instanceof ConditionalBypassQuery::Source
- { }
-
- private class LdapInjectionSource extends SourceNode instanceof LdapInjectionQuery::Source { }
-
- private class LogForgingSource extends SourceNode instanceof LogForgingQuery::Source { }
-
- private class MissingXmlValidationSource extends SourceNode instanceof MissingXmlValidationQuery::Source
- { }
-
- private class ReDosSource extends SourceNode instanceof ReDosQuery::Source { }
-
- private class RegexInjectionSource extends SourceNode instanceof RegexInjectionQuery::Source { }
-
- private class ResourceInjectionSource extends SourceNode instanceof ResourceInjectionQuery::Source
- { }
-
- private class SqlInjectionSource extends SourceNode instanceof SqlInjectionQuery::Source { }
-
- private class TaintedPathSource extends SourceNode instanceof TaintedPathQuery::Source { }
-
- private class UnsafeDeserializationSource extends SourceNode instanceof UnsafeDeserializationQuery::Source
- { }
-
- private class UrlRedirectSource extends SourceNode instanceof UrlRedirectQuery::Source { }
-
- private class XmlEntityInjectionSource extends SourceNode instanceof XmlEntityInjectionQuery::Source
- { }
-
- private class XpathInjectionSource extends SourceNode instanceof XpathInjectionQuery::Source { }
-
- /**
- * Add all models as data sources.
- */
- private class SourceNodeExternal extends SourceNode {
- SourceNodeExternal() { sourceNode(this, _) }
- }
-}
diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/ApiSources.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/ApiSources.qll
new file mode 100644
index 000000000000..2aa451831aaf
--- /dev/null
+++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/ApiSources.qll
@@ -0,0 +1,14 @@
+/** Provides classes representing various flow sources for data flow / taint tracking. */
+
+private import FlowSources as FlowSources
+
+final class SourceNode = FlowSources::SourceNode;
+
+/**
+ * Module that adds all API like sources to `SourceNode`, excluding some sources for cryptography based
+ * queries, and queries where sources are not sufficiently defined (eg. using broad method name matching).
+ */
+private module AllApiSources {
+ private import semmle.code.csharp.security.dataflow.ConditionalBypassQuery as ConditionalBypassQuery
+ private import semmle.code.csharp.security.dataflow.ZipSlipQuery as ZipSlipQuery
+}
diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/FlowSources.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/FlowSources.qll
index a5ada1cbaf8b..c610b3de4c74 100644
--- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/FlowSources.qll
+++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/FlowSources.qll
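Review bot: `final class SourceNode = FlowSources::SourceNode;` in ApiSources.qll aliases the pre-existing `SourceNode`, not the `ApiSourceNode` class this commit adds to FlowSources.qll, which is asymmetric with `final class SinkNode = ApiSinkNode;` in ApiSinks.qll. As far as the diff shows, `ExternalApi.isSource()` therefore never consults `ApiSourceNodeExternal` (`sourceNode(this, _)`) or the `ConditionalBypassQuery::Source` class that was rebased onto `ApiSourceNode`, and the two imports in `AllApiSources` cannot add anything to `SourceNode`; the deleted `AllSources` module did count modeled sources. ZipSlipQuery's `Source` still extends `DataFlow::Node` in its hunk, so that import looks inert either way. If the narrower set is not intended, the alias should read `final class SourceNode = FlowSources::ApiSourceNode;`, and it also needs the QLDoc (`/** A data flow source node. */`) that the sink alias carries.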
@@ -32,3 +32,18 @@ class ThreatModelFlowSource extends DataFlow::Node { ) } } + +/** + * A data flow source node for an API, which should be considered + * supported from a modeling perspective. + */ +abstract class ApiSourceNode extends DataFlow::Node { } + +private class AddSourceNodes extends ApiSourceNode instanceof SourceNode { } + +/** + * Add all source models as data sources. + */ +private class ApiSourceNodeExternal extends ApiSourceNode { + ApiSourceNodeExternal() { sourceNode(this, _) } +} diff --git a/csharp/ql/src/Telemetry/ExternalApi.qll b/csharp/ql/src/Telemetry/ExternalApi.qll index a710cdf7cfde..270db8b0d19c 100644 --- a/csharp/ql/src/Telemetry/ExternalApi.qll +++ b/csharp/ql/src/Telemetry/ExternalApi.qll @@ -8,8 +8,8 @@ private import semmle.code.csharp.dataflow.internal.DataFlowDispatch as DataFlow private import semmle.code.csharp.dataflow.internal.ExternalFlow private import semmle.code.csharp.dataflow.internal.FlowSummaryImpl as FlowSummaryImpl private import semmle.code.csharp.dataflow.internal.TaintTrackingPrivate -private import semmle.code.csharp.security.dataflow.flowsources.AllSources -private import semmle.code.csharp.security.dataflow.flowsinks.AllSinks +private import semmle.code.csharp.security.dataflow.flowsources.ApiSources as ApiSources +private import semmle.code.csharp.security.dataflow.flowsinks.ApiSinks as ApiSinks private import TestLibrary /** Holds if the given callable is not worth supporting. */ @@ -85,11 +85,11 @@ class ExternalApi extends Callable { /** Holds if this API is a known source. */ pragma[nomagic] - predicate isSource() { this.getAnOutput() instanceof SourceNode } + predicate isSource() { this.getAnOutput() instanceof ApiSources::SourceNode } /** Holds if this API is a known sink. */ pragma[nomagic] - predicate isSink() { this.getAnInput() instanceof SinkNode } + predicate isSink() { this.getAnInput() instanceof ApiSinks::SinkNode } /** Holds if this API is a known neutral. */ pragma[nomagic]
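Review bot: `AddSourceNodes` in the FlowSources.qll hunk has no QLDoc, although it is the class that makes every `SourceNode` an `ApiSourceNode`; a one-line comment such as `/** Makes every SourceNode an ApiSourceNode. */` would make that bridge explicit. `ApiSourceNode` itself is not referenced by the ExternalApi.qll hunks on this line, which test `ApiSources::SourceNode` and `ApiSinks::SinkNode`, so its QLDoc should name the consumers expected to use it. Without that, a reader cannot tell whether modeled sources added through `ApiSourceNodeExternal` are meant to show up in the supported-API telemetry.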