diff --git a/csharp/ql/lib/change-notes/2023-05-09-models-as-data.md b/csharp/ql/lib/change-notes/2023-05-09-models-as-data.md
new file mode 100644
index 000000000000..c0abd8f06c0e
--- /dev/null
+++ b/csharp/ql/lib/change-notes/2023-05-09-models-as-data.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Additional support for `command-injection`, `ldap-injection`, `log-injection`, and `url-redirection` sink kinds for Models as Data.
\ No newline at end of file
diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/CommandInjectionQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/CommandInjectionQuery.qll
index 265cae5f08ad..90615faac9f5 100644
--- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/CommandInjectionQuery.qll
+++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/CommandInjectionQuery.qll
@@ -6,6 +6,7 @@ import csharp
 private import semmle.code.csharp.security.dataflow.flowsources.Remote
 private import semmle.code.csharp.frameworks.system.Diagnostics
 private import semmle.code.csharp.security.Sanitizers
+private import semmle.code.csharp.dataflow.ExternalFlow
 
 /**
 * A source specific to command injection vulnerabilities.
@@ -66,6 +67,11 @@ module CommandInjection = TaintTracking::Global;
 /** A source of remote user input. */
 class RemoteSource extends Source instanceof RemoteFlowSource { }
 
+/** Command Injection sinks defined through Models as Data. */
+private class ExternalCommandInjectionExprSink extends Sink {
+ ExternalCommandInjectionExprSink() { sinkNode(this, "command-injection") }
+}
+
 /**
 * A sink in `System.Diagnostic.Process` or its related classes.
 */
diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/LDAPInjectionQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/LDAPInjectionQuery.qll
index 3f9c5947b686..c059cb7523c1 100644
--- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/LDAPInjectionQuery.qll
+++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/LDAPInjectionQuery.qll
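Review bot: The new `ExternalCommandInjectionExprSink` selects model rows by the bare string `"command-injection"`, so a row whose kind is spelled differently contributes no sink and the query stays silent for it, with no error to point at the mismatch. The same applies to the `"ldap-injection"`, `"log-injection"` and `"url-redirection"` classes added in the other three query files. No test hunk is visible in this part of the diff; a library test with one modelled callable per kind would pin each string to its query. The QLDoc could also name the kind and use the singular form the neighbouring classes use, e.g. `/** A command injection sink defined through Models as Data (sink kind "command-injection"). */`.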
@@ -8,6 +8,7 @@ private import semmle.code.csharp.security.dataflow.flowsources.Remote
 private import semmle.code.csharp.frameworks.system.DirectoryServices
 private import semmle.code.csharp.frameworks.system.directoryservices.Protocols
 private import semmle.code.csharp.security.Sanitizers
+private import semmle.code.csharp.dataflow.ExternalFlow
 
 /**
 * A data flow source for unvalidated user input that is used to construct LDAP queries.
@@ -68,6 +69,11 @@ module LdapInjection = TaintTracking::Global;
 /** A source of remote user input. */
 class RemoteSource extends Source instanceof RemoteFlowSource { }
 
+/** LDAP sinks defined through Models as Data. */
+private class ExternalLdapExprSink extends Sink {
+ ExternalLdapExprSink() { sinkNode(this, "ldap-injection") }
+}
+
 /**
 * An argument that sets the `Path` property of a `DirectoryEntry` object that is a sink for LDAP
 * injection.
diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/LogForgingQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/LogForgingQuery.qll
index f145b18dfeb3..e219b5db589f 100644
--- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/LogForgingQuery.qll
+++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/LogForgingQuery.qll
@@ -8,6 +8,7 @@ private import semmle.code.csharp.frameworks.System
 private import semmle.code.csharp.frameworks.system.text.RegularExpressions
 private import semmle.code.csharp.security.Sanitizers
 private import semmle.code.csharp.security.dataflow.flowsinks.ExternalLocationSink
+private import semmle.code.csharp.dataflow.ExternalFlow
 
 /**
 * A data flow source for untrusted user input used in log entries.
@@ -72,6 +73,11 @@ private class LogForgingLogMessageSink extends Sink, LogMessageSink { }
 */
 private class LogForgingTraceMessageSink extends Sink, TraceMessageSink { }
 
+/** Log Forging sinks defined through Models as Data. */
+private class ExternalLoggingExprSink extends Sink {
+ ExternalLoggingExprSink() { sinkNode(this, "log-injection") }
+}
+
 /**
 * A call to String replace or remove that is considered to sanitize replaced string.
 */
diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/UrlRedirectQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/UrlRedirectQuery.qll
index 44b90cf30968..56c409b38b56 100644
--- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/UrlRedirectQuery.qll
+++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/UrlRedirectQuery.qll
@@ -9,6 +9,7 @@ private import semmle.code.csharp.frameworks.system.Web
 private import semmle.code.csharp.frameworks.system.web.Mvc
 private import semmle.code.csharp.security.Sanitizers
 private import semmle.code.csharp.frameworks.microsoft.AspNetCore
+private import semmle.code.csharp.dataflow.ExternalFlow
 
 /**
 * A data flow source for unvalidated URL redirect vulnerabilities.
@@ -70,6 +71,11 @@ module UrlRedirect = TaintTracking::Global;
 /** A source of remote user input. */
 class RemoteSource extends Source instanceof RemoteFlowSource { }
 
+/** URL Redirection sinks defined through Models as Data. */
+private class ExternalUrlRedirectExprSink extends Sink {
+ ExternalUrlRedirectExprSink() { sinkNode(this, "url-redirection") }
+}
+
 /**
 * A URL argument to a call to `HttpResponse.Redirect()` or `Controller.Redirect()`, that is a
 * sink for URL redirects.
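Review bot: `ExternalLoggingExprSink` in the LogForgingQuery.qll hunk departs from the naming of the other private sinks visible in the same file, `LogForgingLogMessageSink` and `LogForgingTraceMessageSink`, and from the sibling classes in this commit, which take their name from the query they feed. Since the class is private, renaming it touches only the two lines that mention it: `private class ExternalLogForgingExprSink extends Sink {` and `ExternalLogForgingExprSink() { sinkNode(this, "log-injection") }`. The QLDoc says "Log Forging" while the kind is `log-injection`; stating both in the comment would help a model author find which query a row ends up in.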