wip

Author: hvitved

csharp/ql/test/query-tests/Security Features/CWE-079/XSS/Index.cshtml.g.cs

@@ -30,15 +30,15 @@ public class Pages_Index : global::Microsoft.AspNetCore.Mvc.RazorPages.Page
 #line 3 "Index.cshtml"
 
     ViewData["Title"] = "ASP.NET Core";
-    var message = Request.Query["m"];
+    var message = Request.Query["m"]; // $ Source=message
 
 #line default
 #line hidden
 #nullable disable
             WriteLiteral("<div class=\"cli\">\n    <div class=\"cli-example\">        \n");
 #nullable restore
 #line 14 "Index.cshtml"
-Write(Html.Raw(message)); // BAD
+Write(Html.Raw(message)); // $ Alert=message
 
 #line default
 #line hidden

csharp/ql/test/query-tests/Security Features/CWE-079/XSS/XSS.expected

@@ -1,2 +1,4 @@
 query: Security Features/CWE-079/XSS.ql
-postprocess: TestUtilities/PrettyPrintModels.ql
+postprocess:
+  - TestUtilities/PrettyPrintModels.ql
+  - TestUtilities/InlineExpectationsTestQuery.ql

csharp/ql/test/query-tests/Security Features/CWE-079/XSS/XSS.qlref

@@ -16,14 +16,14 @@ public override void Execute()
         {
             Layout = "~/_SiteLayout.cshtml";
             Page.Title = "Contact";
-            var sayHi = Request.QueryString["sayHi"];
+            var sayHi = Request.QueryString["sayHi"]; // $ Source=sayHi
             if (sayHi.IsEmpty())
             {
                 WriteLiteral("<script>alert(\"XSS via WriteLiteral\")</script>"); // GOOD: hard-coded, not user input
             }
             else
             {
-                WriteLiteral(sayHi); // BAD: user input flows to HTML unencoded
+                WriteLiteral(sayHi); // $ Alert=sayHi
                 WriteLiteral(HttpUtility.HtmlEncode(sayHi)); // Good: user input is encoded before it flows to HTML
             }
 
@@ -33,15 +33,16 @@ public override void Execute()
             }
             else
             {
-                WriteLiteralTo(Output, sayHi); // BAD: user input flows to HTML unencoded
+                WriteLiteralTo(Output, sayHi); // $ Alert=sayHi
                 WriteLiteralTo(Output, Html.Encode(sayHi)); // Good: user input is encoded before it flows to HTML
             }
 
             BeginContext("~/Views/Home/Contact.cshtml", 288, 32, false);
 
             Write(Html.Raw("<script>alert(\"XSS via Html.Raw()\")</script>")); // GOOD: hard-coded, not user input
-            Write(Html.Raw(Request.QueryString["sayHi"])); // BAD: user input flows to HTML unencoded
-            Write(Html.Raw(HttpContext.Current.Server.HtmlEncode(Request.QueryString["sayHi"]))); // Good: user input is encoded before it flows to HTML
+            var sayHi2 = Request.QueryString["sayHi"]; // $ Source=sayHi2
+            Write(Html.Raw(sayHi2)); // $ Alert=sayHi2
+            Write(Html.Raw(HttpContext.Current.Server.HtmlEncode(sayHi2))); // Good: user input is encoded before it flows to HTML
             EndContext("~/Views/Home/Contact.cshtml", 288, 32, false);
         }
     }

csharp/ql/test/query-tests/Security Features/CWE-079/XSS/XSSAspNet.cs

@@ -18,7 +18,8 @@ public IActionResult Index()
         {
             // BAD: flow of content type to.
             var v = new ViewResult();
-            v.ViewData["BadData"] = new HtmlString(Request.Query["Bad data"]);
+            var source = Request.Query["Bad data"]; // $ Source=req1
+            v.ViewData["BadData"] = new HtmlString(source); // $ Alert=req1
 
             StringValues vOut;
             Request.Query.TryGetValue("Foo", out vOut);
@@ -37,39 +38,44 @@ public IActionResult Index()
 
         [HttpPost("Test")]
         [ValidateAntiForgeryToken]
-        public IActionResult Submit([FromQuery] string foo)
+        public IActionResult Submit([FromQuery] string foo) // $ Source=foo
         {
             var view = new ViewResult();
             //BAD: flow of submitted value to view in HtmlString.
-            view.ViewData["FOO"] = new HtmlString(foo);
+            view.ViewData["FOO"] = new HtmlString(foo); // $ Alert=foo
             return view;
         }
 
         public IActionResult IndexToModel()
         {
             //BAD: flow of submitted value to view in HtmlString.
-            HtmlString v = new HtmlString(Request.QueryString.Value);
+            var req2 = Request.QueryString.Value; // $ Source=req2
+            HtmlString v = new HtmlString(req2); // $ Alert=req2
             return View(new HomeViewModel() { Message = "Message from Index", Description = v });
         }
 
         public IActionResult About()
         {
             //BAD: flow of submitted value to view in HtmlString.
-            HtmlString v = new HtmlString(Request.Query["Foo"].ToString());
+            var req3 = Request.Query["Foo"].ToString(); // $ Source=req3
+            HtmlString v = new HtmlString(req3); // $ Alert=req3
 
             //BAD: flow of submitted value to view in HtmlString.
-            HtmlString v1 = new HtmlString(Request.Query["Foo"][0]);
+            var req4 = Request.Query["Foo"][0]; // $ Source=req4
+            HtmlString v1 = new HtmlString(req4); // $ Alert=req4
 
             return View(new HomeViewModel() { Message = "Message from About", Description = v });
         }
 
         public IActionResult Contact()
         {
             //BAD: flow of user content type to view in HtmlString.
-            HtmlString v = new HtmlString(Request.ContentType);
+            var ct = Request.ContentType; // $ Source=ct
+            HtmlString v = new HtmlString(ct); // $ Alert=ct
 
             //BAD: flow of headers to view in HtmlString.
-            HtmlString v1 = new HtmlString(value: Request.Headers["Foo"]);
+            var header = Request.Headers["Foo"]; // $ Source=header
+            HtmlString v1 = new HtmlString(value: header); // $ Alert=header
 
             return View(new HomeViewModel() { Message = "Message from Contact", Description = v });
         }

csharp/ql/test/query-tests/Security Features/CWE-079/XSS/XSSAspNetCore.cs

@@ -21,3 +21,9 @@ nodes
 | Gin.go:27:20:27:27 | filepath | semmle.label | filepath |
 | Gin.go:29:32:29:39 | filepath | semmle.label | filepath |
 subpaths
+testFailures
+| Gin.go:24:15:24:33 | call to Query | Unexpected result: Source |
+| Gin.go:25:10:25:17 | filepath | Unexpected result: Sink |
+| Gin.go:26:39:26:46 | filepath | Unexpected result: Sink |
+| Gin.go:27:20:27:27 | filepath | Unexpected result: Sink |
+| Gin.go:29:32:29:39 | filepath | Unexpected result: Sink |

go/ql/test/library-tests/semmle/go/frameworks/Gin/TaintedPath.expected

@@ -148,6 +148,16 @@ module Make<InlineExpectationsTestSig Impl> {
     bindingset[expectedTag]
     default predicate tagIsOptional(string expectedTag) { none() }
 
+    /**
+     * Holds if expected tag `expectedTag` matches actual tag `actualTag`.
+     *
+     * This is normally defined as `expectedTag = actualTag`.
+     */
+    bindingset[expectedValue, actualValue]
+    default predicate valueMatches(string expectedValue, string actualValue) {
+      expectedValue = actualValue
+    }
+
     /**
      * Returns the actual results of the query that is being tested. Each result consist of the
      * following values:
@@ -324,7 +334,7 @@ module Make<InlineExpectationsTestSig Impl> {
       predicate matchesActualResult(ActualTestResult actualResult) {
         onSameLine(pragma[only_bind_into](this), actualResult) and
         TestImpl::tagMatches(this.getTag(), actualResult.getTag()) and
-        this.getValue() = actualResult.getValue()
+        TestImpl::valueMatches(this.getValue(), actualResult.getValue())
       }
 
       predicate isOptional() { TestImpl::tagIsOptional(tag) }
@@ -351,6 +361,15 @@ module Make<InlineExpectationsTestSig Impl> {
       string getExpectation() { result = expectation }
     }
 
+    ValidTestExpectation getAMatchingExpectation(
+      Impl::Location location, string element, string tag, string val, boolean optional
+    ) {
+      exists(ActualTestResult actualResult |
+        result.matchesActualResult(actualResult) and
+        actualResult = TActualResult(location, element, tag, val, optional)
+      )
+    }
+
     query predicate testFailures(FailureLocatable element, string message) {
       hasFailureMessage(element, message)
     }
@@ -622,6 +641,8 @@ module TestPostProcessing {
 
   private string getQueryId() { queryMetadata("id", result) }
 
+  private string getQueryKind() { queryMetadata("kind", result) }
+
   signature module InputSig<InlineExpectationsTestSig Input> {
     string getRelativeUrl(Input::Location location);
   }
@@ -630,43 +651,158 @@ module TestPostProcessing {
     private import InlineExpectationsTest as InlineExpectationsTest
     private import InlineExpectationsTest::Make<Input>
 
+    /**
+     * Gets the tag to be used for the path-problem source at result row `row`.
+     *
+     * This is either `Source` or `Alert`, depending on whether the location
+     * of the source matches the location of the alert.
+     */
+    private string getSourceTag(int row) {
+      getQueryKind() = "path-problem" and
+      exists(string loc | queryResults("#select", row, 2, loc) |
+        if queryResults("#select", row, 0, loc) then result = "Alert" else result = "Source"
+      )
+    }
+
+    /**
+     * Gets the tag to be used for the path-problem sink at result row `row`.
+     *
+     * This is either `Sink` or `Alert`, depending on whether the location
+     * of the sink matches the location of the alert.
+     */
+    private string getSinkTag(int row) {
+      getQueryKind() = "path-problem" and
+      exists(string loc | queryResults("#select", row, 4, loc) |
+        if queryResults("#select", row, 0, loc) then result = "Alert" else result = "Sink"
+      )
+    }
+
+    /**
+     * A configuration for matching `// $ Source=foo` comments against actual
+     * path-problem sources.
+     */
+    private module PathProblemSourceTestInput implements TestSig {
+      string getARelevantTag() { result = getSourceTag(_) }
+
+      bindingset[expectedValue, actualValue]
+      predicate valueMatches(string expectedValue, string actualValue) {
+        exists(expectedValue) and
+        actualValue = ""
+      }
+
+      additional predicate hasPathProblemSource(
+        int row, Input::Location location, string element, string tag, string value
+      ) {
+        getQueryKind() = "path-problem" and
+        exists(string loc |
+          queryResults("#select", row, 2, loc) and
+          queryResults("#select", row, 3, element) and
+          tag = getSourceTag(row) and
+          value = "" and
+          Input2::getRelativeUrl(location) = loc
+        )
+      }
+
+      predicate hasActualResult(Input::Location location, string element, string tag, string value) {
+        hasPathProblemSource(_, location, element, tag, value)
+      }
+    }
+
+    private module PathProblemSourceTest = MakeTest<PathProblemSourceTestInput>;
+
     private module TestInput implements TestSig {
       bindingset[result]
       string getARelevantTag() { any() }
 
+      private string getTagRegex() {
+        exists(string sourceSinkTags |
+          getQueryKind() = "problem" and
+          sourceSinkTags = ""
+          or
+          sourceSinkTags = "|" + getSourceTag(_) + "|" + getSinkTag(_)
+        |
+          result = "(Alert" + sourceSinkTags + ")(\\[(.*)\\])?"
+        )
+      }
+
       bindingset[expectedTag, actualTag]
       predicate tagMatches(string expectedTag, string actualTag) {
+        actualTag = expectedTag.regexpCapture(getTagRegex(), 1) and
         (
-          expectedTag = "Alert"
+          getQueryId() = expectedTag.regexpCapture(getTagRegex(), 3)
           or
-          exists(string alertTagRegex |
-            alertTagRegex = "Alert\\[(.*)\\]" and
-            getQueryId() = expectedTag.regexpCapture(alertTagRegex, 1)
-          )
-        ) and
-        exists(actualTag)
+          not exists(expectedTag.regexpCapture(getTagRegex(), 3))
+        )
       }
 
       bindingset[expectedTag]
       predicate tagIsOptional(string expectedTag) {
-        not expectedTag.regexpMatch("Alert(\\[.*\\])?")
+        not expectedTag.regexpMatch(getTagRegex())
         or
-        exists(string alertTagRegex, string queryId |
-          alertTagRegex = "Alert\\[(.*)\\]" and
-          queryId = expectedTag.regexpCapture(alertTagRegex, 1) and
-          not queryId = getQueryId()
+        exists(string queryId |
+          queryId = expectedTag.regexpCapture(getTagRegex(), 3) and
+          queryId != getQueryId()
         )
       }
 
-      predicate hasActualResult(Input::Location location, string element, string tag, string value) {
+      bindingset[expectedValue, actualValue]
+      predicate valueMatches(string expectedValue, string actualValue) {
+        expectedValue = actualValue
+        or
+        actualValue = ""
+      }
+
+      private predicate hasPathProblemSource = PathProblemSourceTestInput::hasPathProblemSource/5;
+
+      /**
+       * Gets the expected sink value for result row `row`. This value must
+       * match the value at the corresponding path-problem source.
+       */
+      private string getSinkValue(int row) {
+        exists(Input::Location location, string element, string tag, string val |
+          hasPathProblemSource(row, location, element, tag, val) and
+          result =
+            PathProblemSourceTest::getAMatchingExpectation(location, element, tag, val, false)
+                .getValue()
+        )
+      }
+
+      private predicate hasPathProblemSink(
+        int row, Input::Location location, string element, string tag, string value
+      ) {
+        getQueryKind() = "path-problem" and
+        exists(string loc |
+          queryResults("#select", row, 4, loc) and
+          queryResults("#select", row, 5, element) and
+          tag = getSinkTag(row) and
+          Input2::getRelativeUrl(location) = loc
+        |
+          not exists(getSinkValue(row)) and value = ""
+          or
+          value = getSinkValue(row)
+        )
+      }
+
+      private predicate hasAlert(Input::Location location, string element, string tag, string value) {
+        getQueryKind() = ["problem", "path-problem"] and
         exists(int row, string loc |
           queryResults("#select", row, 0, loc) and
           queryResults("#select", row, 2, element) and
           tag = "Alert" and
           value = "" and
-          Input2::getRelativeUrl(location) = loc
+          Input2::getRelativeUrl(location) = loc and
+          not hasPathProblemSource(row, location, _, _, _) and
+          not hasPathProblemSink(row, location, _, _, _)
         )
       }
+
+      predicate hasActualResult(Input::Location location, string element, string tag, string value) {
+        hasAlert(location, element, tag, value)
+        or
+        hasPathProblemSource(_, location, element, tag, value)
+        or
+        hasPathProblemSink(_, location, element, tag, value)
+      }
     }
 
     private module Test = MakeTest<TestInput>;