C#: Treat GetFileName method call as sanitizer

lcartey · lcartey · commit 43d7e598a56a · 2018-08-24T12:08:57.000+01:00
Use the GetFileName call as a sanitizer, rather than an argument to that
call. It is the _result_ of the GetFileName call which should be
considered sanitized. By using the argument, we can spuriously suppress
use-use flow. Consider:
```
var path = Path.Combine(destDir, entry.GetFullName());
var fileName = Path.GetFileName(path);
log("Extracting " + fileName);
entry.ExtractToFile(path);
```
Previously, the `ExtractToFile(path)` call would not have been flagged,
because the `path` argument to `GetFileName` was considered sanitized,
and that argument formed a use-use pair with the `path` argument to
`ExtractToFile`. Now, this result would be flagged because only the
result of the `GetFileName` call is considered sanitized.
diff --git a/csharp/ql/src/semmle/code/csharp/security/dataflow/ZipSlip.qll b/csharp/ql/src/semmle/code/csharp/security/dataflow/ZipSlip.qll
@@ -104,7 +104,7 @@ module ZipSlip {
     GetFileNameSanitizer() {
       exists(MethodCall mc |
         mc.getTarget().hasQualifiedName("System.IO.Path", "GetFileName") |
-        this.asExpr() = mc.getAnArgument()
+        this.asExpr() = mc
       )
     }
   }

Original file line number	Diff line number	Diff line change
`@@ -104,7 +104,7 @@ module ZipSlip {`
`104`	`104`	`GetFileNameSanitizer() {`
`105`	`105`	`exists(MethodCall mc \|`
`106`	`106`	`mc.getTarget().hasQualifiedName("System.IO.Path", "GetFileName") \|`
`107`		`- this.asExpr() = mc.getAnArgument()`
	`107`	`+ this.asExpr() = mc`
`108`	`108`	`)`
`109`	`109`	`}`
`110`	`110`	`}`