/**
* Provides a taint-tracking configuration for reasoning about user input treated as code vulnerabilities.
*/
import csharp
private import semmle.code.csharp.security.dataflow.flowsinks.FlowSinks
private import semmle.code.csharp.security.dataflow.flowsources.FlowSources
private import semmle.code.csharp.frameworks.system.codedom.Compiler
private import semmle.code.csharp.security.Sanitizers
private import semmle.code.csharp.dataflow.internal.ExternalFlow
/**
 * A data flow source for user input treated as code vulnerabilities.
 *
 * Extend this class to add sources beyond those supplied by the active threat
 * model (see `ThreatModelSource`); `CodeInjectionConfig::isSource` accepts any
 * node that is an instance of this class.
 */
abstract class Source extends DataFlow::Node { }
/**
 * A data flow sink for user input treated as code vulnerabilities.
 *
 * Sinks extend `ApiSinkExprNode`, so a sink is always an expression node; the
 * concrete sinks in this file select argument expressions of specific calls.
 */
abstract class Sink extends ApiSinkExprNode { }
/**
 * A sanitizer for user input treated as code vulnerabilities.
 *
 * Sanitizers are `DataFlow::ExprNode`s, so a barrier can only be placed on an
 * expression; a subclass that wants to stop flow at a non-expression node
 * (such as a parameter node) cannot be expressed through this class.
 */
abstract class Sanitizer extends DataFlow::ExprNode { }
/**
 * A taint-tracking configuration for user input treated as code vulnerabilities.
 *
 * Sources, sinks and barriers are supplied entirely by the abstract `Source`,
 * `Sink` and `Sanitizer` classes in this file; this configuration adds no
 * additional flow steps of its own.
 */
private module CodeInjectionConfig implements DataFlow::ConfigSig {
  /** Holds if `n` is a `Source`. */
  predicate isSource(DataFlow::Node n) { n instanceof Source }

  /** Holds if `n` is a `Sink`. */
  predicate isSink(DataFlow::Node n) { n instanceof Sink }

  /** Holds if `n` is a `Sanitizer`, which stops taint from propagating through it. */
  predicate isBarrier(DataFlow::Node n) { n instanceof Sanitizer }

  /** Opts this configuration in to diff-informed incremental mode. */
  predicate observeDiffInformedIncrementalMode() { any() }
}
/**
 * A taint-tracking module for user input treated as code vulnerabilities.
 *
 * Instantiates `TaintTracking::Global` with `CodeInjectionConfig`; the resulting
 * module's flow predicates report paths from a `Source` to a `Sink` that do not
 * pass through a `Sanitizer`.
 */
module CodeInjection = TaintTracking::Global<CodeInjectionConfig>;
/**
 * DEPRECATED: Use `ThreatModelSource` instead.
 *
 * A source of remote user input.
 *
 * Note that this class extends `DataFlow::Node` rather than `Source`, so on its
 * own it no longer contributes sources to the `CodeInjection` configuration.
 */
deprecated class RemoteSource extends DataFlow::Node instanceof RemoteFlowSource { }
/**
 * DEPRECATED: Use `ThreatModelSource` instead.
 *
 * A source of local user input.
 *
 * Note that this class extends `DataFlow::Node` rather than `Source`, so on its
 * own it no longer contributes sources to the `CodeInjection` configuration.
 */
deprecated class LocalSource extends DataFlow::Node instanceof LocalFlowSource { }
/**
 * A source supported by the current threat model.
 *
 * This is the only concrete `Source` in this file: which kinds of input count as
 * sources (remote, local, ...) is decided by the threat-model configuration
 * through `ActiveThreatModelSource`, not here.
 */
class ThreatModelSource extends Source instanceof ActiveThreatModelSource { }
/** A `SimpleTypeSanitizedExpr` (from `Sanitizers`) used as a barrier in this configuration. */
private class SimpleTypeSanitizer extends Sanitizer, SimpleTypeSanitizedExpr { }
/** A `GuidSanitizedExpr` (from `Sanitizers`) used as a barrier in this configuration. */
private class GuidSanitizer extends Sanitizer, GuidSanitizedExpr { }
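/**
 * A `source` or `sources` argument to a call to a `CompileAssemblyFromSource*`
 * method, which is a sink for code injection vulnerabilities: the argument is
 * compiled into an assembly that the caller can then load and execute.
 *
 * Matched methods are those declared on `ICodeCompiler` (via the
 * `SystemCodeDomCompilerICodeCompilerClass` model) and on
 * `System.CodeDom.Compiler.CodeDomProvider`, together with their overriders.
 * `CodeDomProvider.CompileAssemblyFromSource` is the entry point most code
 * calls directly; `CodeDomProvider` does not implement `ICodeCompiler`, so
 * those calls are not overriders of the interface method and are matched
 * explicitly here. Some of these calls may also be reported through Models as
 * Data; overlapping sink definitions are harmless.
 */
class CompileAssemblyFromSourceSink extends Sink {
  CompileAssemblyFromSourceSink() {
    exists(Method m, MethodCall mc |
      m.getName().matches("CompileAssemblyFromSource%") and
      (
        m = any(SystemCodeDomCompilerICodeCompilerClass c).getAMethod()
        or
        m =
          any(Class c | c.hasFullyQualifiedName("System.CodeDom.Compiler", "CodeDomProvider"))
              .getAMethod()
      ) and
      mc = m.getAnOverrider*().getACall()
    |
      // The single-source overload names its parameter `source`; the batch and
      // `params string[]` overloads name it `sources`. Both hand the string(s)
      // straight to the compiler.
      this.getExpr() = mc.getArgumentForName("source") or
      this.getExpr() = mc.getArgumentForName("sources")
    )
  }
}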
/**
 * A `code` argument passed to a method of
 * `Microsoft.CodeAnalysis.CSharp.Scripting.CSharpScript`.
 *
 * `CSharpScript` is part of Roslyn's scripting API and evaluates the code it is
 * given as C#, so a tainted `code` argument is a code injection sink.
 */
class RoslynCSharpScriptSink extends Sink {
  RoslynCSharpScriptSink() {
    exists(Class script, Call call |
      script.hasFullyQualifiedName("Microsoft.CodeAnalysis.CSharp.Scripting", "CSharpScript") and
      call = script.getAMethod().getACall()
    |
      // Matching is by parameter name, so every overload whose parameter is
      // called `code` is covered. Only methods declared on `CSharpScript`
      // itself are matched.
      this.getExpr() = call.getArgumentForName("code")
    )
  }
}
/**
 * A code injection sink defined through Models as Data.
 *
 * Because `Sink` extends `ApiSinkExprNode`, only `code-injection` sink models
 * that resolve to an API sink expression node are picked up here.
 */
private class ExternalCodeInjectionExprSink extends Sink {
  ExternalCodeInjectionExprSink() { sinkNode(this, "code-injection") }
}
/**
 * A sanitizer for code injection defined through Models as Data.
 *
 * Because `Sanitizer` extends `DataFlow::ExprNode`, only `code-injection`
 * barrier models that resolve to an expression node are picked up here; a
 * barrier model on a non-expression node would not act as a barrier in this
 * configuration.
 */
private class ExternalCodeInjectionSanitizer extends Sanitizer {
  ExternalCodeInjectionSanitizer() { barrierNode(this, "code-injection") }
}