Merge pull request #367 from calumgrant/cs/path-problems

C#: Update all security queries to path-problems

Author: hvitved

csharp/ql/src/Security Features/CWE-022/TaintedPath.ql

@@ -1,7 +1,7 @@
 /**
  * @name Uncontrolled data used in path expression
  * @description Accessing paths influenced by users can allow an attacker to access unexpected resources.
- * @kind problem
+ * @kind path-problem
  * @problem.severity error
  * @precision high
  * @id cs/path-injection
@@ -14,7 +14,9 @@
  */
 import csharp
 import semmle.code.csharp.security.dataflow.TaintedPath::TaintedPath
+import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph
 
-from TaintTrackingConfiguration c, Source source, Sink sink
-where c.hasFlow(source, sink)
-select sink, "$@ flows to here and is used in a path.", source, "User-provided value"
+from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
+where c.hasFlowPath(source, sink)
+select sink.getNode(), source, sink,
+  "$@ flows to here and is used in a path.", source.getNode(), "User-provided value"

csharp/ql/src/Security Features/CWE-022/ZipSlip.ql

@@ -3,7 +3,7 @@
  * @description Extracting files from a malicious zip archive without validating that the
  *              destination file path is within the destination directory can cause files outside
  *              the destination directory to be overwritten.
- * @kind problem
+ * @kind path-problem
  * @id cs/zipslip
  * @problem.severity error
  * @precision high
@@ -13,7 +13,9 @@
 
 import csharp
 import semmle.code.csharp.security.dataflow.ZipSlip::ZipSlip
+import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph
 
-from TaintTrackingConfiguration zipTaintTracking, DataFlow::Node source, DataFlow::Node sink
-where zipTaintTracking.hasFlow(source, sink)
-select sink, "Unsanitized zip archive $@, which may contain '..', is used in a file system operation.", source, "item path"
+from TaintTrackingConfiguration zipTaintTracking, DataFlow::PathNode source, DataFlow::PathNode sink
+where zipTaintTracking.hasFlowPath(source, sink)
+select sink.getNode(), source, sink,
+  "Unsanitized zip archive $@, which may contain '..', is used in a file system operation.", source.getNode(), "item path"

csharp/ql/src/Security Features/CWE-078/CommandInjection.ql

@@ -2,7 +2,7 @@
  * @name Uncontrolled command line
  * @description Using externally controlled strings in a command line may allow a malicious
  *              user to change the meaning of the command.
- * @kind problem
+ * @kind path-problem
  * @problem.severity error
  * @precision high
  * @id cs/command-line-injection
@@ -14,7 +14,9 @@
 
 import csharp
 import semmle.code.csharp.security.dataflow.CommandInjection::CommandInjection
+import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph
 
-from TaintTrackingConfiguration c, Source source, Sink sink
-where c.hasFlow(source, sink)
-select sink, "$@ flows to here and is used in a command.", source, "User-provided value"
+from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
+where c.hasFlowPath(source, sink)
+select sink.getNode(), source, sink,
+  "$@ flows to here and is used in a command.", source.getNode(), "User-provided value"

csharp/ql/src/Security Features/CWE-078/StoredCommandInjection.ql

@@ -2,7 +2,7 @@
  * @name Uncontrolled command line from stored user input
  * @description Using externally controlled strings in a command line may allow a malicious
  *              user to change the meaning of the command.
- * @kind problem
+ * @kind path-problem
  * @problem.severity error
  * @precision medium
  * @id cs/stored-command-line-injection
@@ -15,13 +15,15 @@
 import csharp
 import semmle.code.csharp.security.dataflow.flowsources.Stored
 import semmle.code.csharp.security.dataflow.CommandInjection::CommandInjection
+import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph
 
 class StoredTaintTrackingConfiguration extends TaintTrackingConfiguration {
   override predicate isSource(DataFlow::Node source) {
     source instanceof StoredFlowSource
   }
 }
 
-from StoredTaintTrackingConfiguration c, StoredFlowSource source, Sink sink
-where c.hasFlow(source, sink)
-select sink, "$@ flows to here and is used in a command.", source, "Stored user-provided value"
+from StoredTaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
+where c.hasFlowPath(source, sink)
+select sink.getNode(), source, sink,
+  "$@ flows to here and is used in a command.", source.getNode(), "Stored user-provided value"

csharp/ql/src/Security Features/CWE-079/StoredXSS.ql

@@ -2,7 +2,7 @@
  * @name Stored cross-site scripting
  * @description Writing input from the database directly to a web page indicates a cross-site
  *              scripting vulnerability if the data was originally user-provided.
- * @kind problem
+ * @kind path-problem
  * @problem.severity error
  * @precision medium
  * @id cs/web/stored-xss
@@ -13,17 +13,19 @@
 import csharp
 import semmle.code.csharp.security.dataflow.flowsources.Stored
 import semmle.code.csharp.security.dataflow.XSS::XSS
+import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph
 
 class StoredTaintTrackingConfiguration extends TaintTrackingConfiguration {
   override predicate isSource(DataFlow::Node source) {
     source instanceof StoredFlowSource
   }
 }
 
-from StoredTaintTrackingConfiguration c, StoredFlowSource source, Sink sink, string explanation
-where c.hasFlow(source, sink)
+from StoredTaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink, string explanation
+where c.hasFlowPath(source, sink)
 and
-  if exists(sink.explanation())
-  then explanation = ": " + sink.explanation() + "."
+  if exists(sink.getNode().(Sink).explanation())
+  then explanation = ": " + sink.getNode().(Sink).explanation() + "."
   else explanation = "."
-select sink, "$@ flows to here and is written to HTML or javascript" + explanation, source, "Stored user-provided value"
+select sink.getNode(), source, sink,
+  "$@ flows to here and is written to HTML or JavaScript" + explanation, source.getNode(), "Stored user-provided value"

csharp/ql/src/Security Features/CWE-089/SecondOrderSqlInjection.ql

@@ -2,7 +2,7 @@
  * @name SQL query built from stored user-controlled sources
  * @description Building a SQL query from stored user-controlled sources is vulnerable to insertion
  *              of malicious SQL code by the user.
- * @kind problem
+ * @kind path-problem
  * @problem.severity error
  * @precision medium
  * @id cs/second-order-sql-injection
@@ -13,13 +13,15 @@
 import csharp
 import semmle.code.csharp.security.dataflow.SqlInjection
 import semmle.code.csharp.security.dataflow.flowsources.Stored
+import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph
 
 class StoredTaintTrackingConfiguration extends SqlInjection::TaintTrackingConfiguration {
   override predicate isSource(DataFlow::Node source) {
     source instanceof StoredFlowSource
   }
 }
 
-from StoredTaintTrackingConfiguration c, DataFlow::Node source, DataFlow::Node sink
-where c.hasFlow(source, sink)
-select sink, "$@ flows to here and is used in an SQL query.", source, "Stored user-provided value"
+from StoredTaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
+where c.hasFlowPath(source, sink)
+select sink.getNode(), source, sink,
+  "$@ flows to here and is used in an SQL query.", source.getNode(), "Stored user-provided value"

csharp/ql/src/Security Features/CWE-089/SqlInjection.ql

@@ -2,7 +2,7 @@
 * @name SQL query built from user-controlled sources
 * @description Building a SQL query from user-controlled sources is vulnerable to insertion of
 *              malicious SQL code by the user.
-* @kind problem
+* @kind path-problem
 * @problem.severity error
 * @precision high
 * @id cs/sql-injection
@@ -12,7 +12,9 @@
 
 import csharp
 import semmle.code.csharp.security.dataflow.SqlInjection::SqlInjection
+import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph
 
-from TaintTrackingConfiguration c, RemoteFlowSource source, Sink sink
-where c.hasFlow(source, sink)
-select sink, "Query might include code from $@.", source, ("this " + source.getSourceType())
+from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
+where c.hasFlowPath(source, sink)
+select sink.getNode(), source, sink,
+  "Query might include code from $@.", source, ("this " + source.getNode().(RemoteFlowSource).getSourceType())

csharp/ql/src/Security Features/CWE-090/LDAPInjection.ql

@@ -2,7 +2,7 @@
  * @name LDAP query built from user-controlled sources
  * @description Building an LDAP query from user-controlled sources is vulnerable to insertion of
  *              malicious LDAP code by the user.
- * @kind problem
+ * @kind path-problem
  * @problem.severity error
  * @precision high
  * @id cs/ldap-injection
@@ -11,7 +11,9 @@
  */
 import csharp
 import semmle.code.csharp.security.dataflow.LDAPInjection::LDAPInjection
+import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph
 
-from TaintTrackingConfiguration c, Source source, Sink sink
-where c.hasFlow(source, sink)
-select sink, "$@ flows to here and is used in an LDAP query.", source, "User-provided value"
+from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
+where c.hasFlowPath(source, sink)
+select sink.getNode(), source, sink,
+  "$@ flows to here and is used in an LDAP query.", source.getNode(), "User-provided value"

csharp/ql/src/Security Features/CWE-090/StoredLDAPInjection.ql

@@ -2,7 +2,7 @@
  * @name LDAP query built from stored user-controlled sources
  * @description Building an LDAP query from stored user-controlled sources is vulnerable to
  *              insertion of malicious LDAP code by the user.
- * @kind problem
+ * @kind path-problem
  * @problem.severity error
  * @precision medium
  * @id cs/stored-ldap-injection
@@ -12,13 +12,15 @@
 import csharp
 import semmle.code.csharp.security.dataflow.LDAPInjection::LDAPInjection
 import semmle.code.csharp.security.dataflow.flowsources.Stored
+import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph
 
 class StoredTaintTrackingConfiguration extends TaintTrackingConfiguration {
   override predicate isSource(DataFlow::Node source) {
     source instanceof StoredFlowSource
   }
 }
 
-from StoredTaintTrackingConfiguration c, StoredFlowSource source, Sink sink
-where c.hasFlow(source, sink)
-select sink, "$@ flows to here and is used in an LDAP query.", source, "Stored user-provided value"
+from StoredTaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
+where c.hasFlowPath(source, sink)
+select sink.getNode(), source, sink,
+  "$@ flows to here and is used in an LDAP query.", source.getNode(), "Stored user-provided value"

csharp/ql/src/Security Features/CWE-094/CodeInjection.ql

@@ -2,7 +2,7 @@
  * @name Improper control of generation of code
  * @description Treating externally controlled strings as code can allow an attacker to execute
  *              malicious code.
- * @kind problem
+ * @kind path-problem
  * @problem.severity error
  * @precision high
  * @id cs/code-injection
@@ -13,7 +13,9 @@
  */
 import csharp
 import semmle.code.csharp.security.dataflow.CodeInjection::CodeInjection
+import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph
 
-from TaintTrackingConfiguration c, Source source, Sink sink
-where c.hasFlow(source, sink)
-select sink, "$@ flows to here and is compiled as code.", source, "User-provided value"
+from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
+where c.hasFlowPath(source, sink)
+select sink.getNode(), source, sink,
+  "$@ flows to here and is compiled as code.", source.getNode(), "User-provided value"