C#: Add nodes predicate to all path queries.

Author: calumgrant

csharp/ql/src/semmle/code/csharp/dataflow/DataFlow.qll

@@ -130,6 +130,9 @@ module DataFlow {
   module PathGraph {
     /** Holds if `(a,b)` is an edge in the graph of data flow path explanations. */
     query predicate edges(PathNode a, PathNode b) { a.getASuccessor() = b }
+
+    /** Holds if `node` is a node in the graph of data flow path explanations. */
+    query predicate nodes(PathNode node) { any() }
   }
 
   /**

csharp/ql/test/query-tests/Security Features/CWE-022/TaintedPath/TaintedPath.expected

@@ -6,6 +6,15 @@ edges
 | TaintedPath.cs:12:23:12:45 | access to property QueryString | TaintedPath.cs:38:25:38:31 | access to local variable badPath |
 | TaintedPath.cs:12:23:12:45 | access to property QueryString | TaintedPath.cs:40:49:40:55 | access to local variable badPath |
 | TaintedPath.cs:12:23:12:45 | access to property QueryString | TaintedPath.cs:53:26:53:29 | access to local variable path |
+nodes
+| TaintedPath.cs:12:23:12:45 | access to property QueryString |
+| TaintedPath.cs:14:50:14:53 | access to local variable path |
+| TaintedPath.cs:19:51:19:54 | access to local variable path |
+| TaintedPath.cs:27:30:27:33 | access to local variable path |
+| TaintedPath.cs:33:30:33:33 | access to local variable path |
+| TaintedPath.cs:38:25:38:31 | access to local variable badPath |
+| TaintedPath.cs:40:49:40:55 | access to local variable badPath |
+| TaintedPath.cs:53:26:53:29 | access to local variable path |
 #select
 | TaintedPath.cs:14:50:14:53 | access to local variable path | TaintedPath.cs:12:23:12:45 | access to property QueryString | TaintedPath.cs:14:50:14:53 | access to local variable path | $@ flows to here and is used in a path. | TaintedPath.cs:12:23:12:45 | access to property QueryString | User-provided value |
 | TaintedPath.cs:19:51:19:54 | access to local variable path | TaintedPath.cs:12:23:12:45 | access to property QueryString | TaintedPath.cs:19:51:19:54 | access to local variable path | $@ flows to here and is used in a path. | TaintedPath.cs:12:23:12:45 | access to property QueryString | User-provided value |

csharp/ql/test/query-tests/Security Features/CWE-022/ZipSlip/ZipSlip.expected

@@ -10,6 +10,21 @@ edges
 | ZipSlip.cs:62:72:62:85 | access to property FullName | ZipSlip.cs:83:57:83:68 | access to local variable destFilePath |
 | ZipSlip.cs:62:72:62:85 | access to property FullName | ZipSlip.cs:91:58:91:69 | access to local variable destFilePath |
 | ZipSlipBad.cs:9:59:9:72 | access to property FullName | ZipSlipBad.cs:10:29:10:40 | access to local variable destFileName |
+nodes
+| ZipSlip.cs:16:52:16:65 | access to property FullName |
+| ZipSlip.cs:19:31:19:44 | access to property FullName |
+| ZipSlip.cs:24:41:24:52 | access to local variable destFileName |
+| ZipSlip.cs:32:41:32:52 | access to local variable destFilePath |
+| ZipSlip.cs:36:45:36:56 | access to local variable destFilePath |
+| ZipSlip.cs:39:53:39:89 | call to method Combine |
+| ZipSlip.cs:40:41:40:52 | access to local variable destFilePath |
+| ZipSlip.cs:62:72:62:85 | access to property FullName |
+| ZipSlip.cs:69:74:69:85 | access to local variable destFilePath |
+| ZipSlip.cs:76:71:76:82 | access to local variable destFilePath |
+| ZipSlip.cs:83:57:83:68 | access to local variable destFilePath |
+| ZipSlip.cs:91:58:91:69 | access to local variable destFilePath |
+| ZipSlipBad.cs:9:59:9:72 | access to property FullName |
+| ZipSlipBad.cs:10:29:10:40 | access to local variable destFileName |
 #select
 | ZipSlip.cs:24:41:24:52 | access to local variable destFileName | ZipSlip.cs:19:31:19:44 | access to property FullName | ZipSlip.cs:24:41:24:52 | access to local variable destFileName | Unsanitized zip archive $@, which may contain '..', is used in a file system operation. | ZipSlip.cs:19:31:19:44 | access to property FullName | item path |
 | ZipSlip.cs:32:41:32:52 | access to local variable destFilePath | ZipSlip.cs:16:52:16:65 | access to property FullName | ZipSlip.cs:32:41:32:52 | access to local variable destFilePath | Unsanitized zip archive $@, which may contain '..', is used in a file system operation. | ZipSlip.cs:16:52:16:65 | access to property FullName | item path |

csharp/ql/test/query-tests/Security Features/CWE-078/CommandInjection.expected

@@ -6,6 +6,15 @@ edges
 | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | CommandInjection.cs:32:39:32:47 | access to local variable userInput |
 | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | CommandInjection.cs:33:40:33:48 | access to local variable userInput |
 | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | CommandInjection.cs:34:47:34:55 | access to local variable userInput |
+nodes
+| CommandInjection.cs:25:32:25:46 | access to field categoryTextBox |
+| CommandInjection.cs:26:27:26:47 | ... + ... |
+| CommandInjection.cs:26:50:26:66 | ... + ... |
+| CommandInjection.cs:28:63:28:71 | access to local variable userInput |
+| CommandInjection.cs:28:74:28:82 | access to local variable userInput |
+| CommandInjection.cs:32:39:32:47 | access to local variable userInput |
+| CommandInjection.cs:33:40:33:48 | access to local variable userInput |
+| CommandInjection.cs:34:47:34:55 | access to local variable userInput |
 #select
 | CommandInjection.cs:26:27:26:47 | ... + ... | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | CommandInjection.cs:26:27:26:47 | ... + ... | $@ flows to here and is used in a command. | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | User-provided value |
 | CommandInjection.cs:26:50:26:66 | ... + ... | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | CommandInjection.cs:26:50:26:66 | ... + ... | $@ flows to here and is used in a command. | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | User-provided value |

csharp/ql/test/query-tests/Security Features/CWE-078/StoredCommandInjection.expected

@@ -1,4 +1,7 @@
 edges
 | StoredCommandInjection.cs:24:54:24:80 | call to method GetString | StoredCommandInjection.cs:24:46:24:80 | ... + ... |
+nodes
+| StoredCommandInjection.cs:24:46:24:80 | ... + ... |
+| StoredCommandInjection.cs:24:54:24:80 | call to method GetString |
 #select
 | StoredCommandInjection.cs:24:46:24:80 | ... + ... | StoredCommandInjection.cs:24:54:24:80 | call to method GetString | StoredCommandInjection.cs:24:46:24:80 | ... + ... | $@ flows to here and is used in a command. | StoredCommandInjection.cs:24:54:24:80 | call to method GetString | Stored user-provided value |

csharp/ql/test/query-tests/Security Features/CWE-079/StoredXSS/StoredXSS.expected

@@ -1,4 +1,7 @@
 edges
 | StoredXSS.cs:24:60:24:86 | call to method GetString | StoredXSS.cs:24:44:24:86 | ... + ... |
+nodes
+| StoredXSS.cs:24:44:24:86 | ... + ... |
+| StoredXSS.cs:24:60:24:86 | call to method GetString |
 #select
 | StoredXSS.cs:24:44:24:86 | ... + ... | StoredXSS.cs:24:60:24:86 | call to method GetString | StoredXSS.cs:24:44:24:86 | ... + ... | $@ flows to here and is written to HTML or JavaScript. | StoredXSS.cs:24:60:24:86 | call to method GetString | Stored user-provided value |

csharp/ql/test/query-tests/Security Features/CWE-089/SecondOrderSqlInjection.expected

@@ -1,4 +1,7 @@
 edges
 | SecondOrderSqlInjection.cs:21:119:21:145 | call to method GetString | SecondOrderSqlInjection.cs:21:71:21:145 | ... + ... |
+nodes
+| SecondOrderSqlInjection.cs:21:71:21:145 | ... + ... |
+| SecondOrderSqlInjection.cs:21:119:21:145 | call to method GetString |
 #select
 | SecondOrderSqlInjection.cs:21:71:21:145 | ... + ... | SecondOrderSqlInjection.cs:21:119:21:145 | call to method GetString | SecondOrderSqlInjection.cs:21:71:21:145 | ... + ... | $@ flows to here and is used in an SQL query. | SecondOrderSqlInjection.cs:21:119:21:145 | call to method GetString | Stored user-provided value |

csharp/ql/test/query-tests/Security Features/CWE-089/SqlInjection.expected

@@ -18,6 +18,16 @@ edges
 | SqlInjection.cs:61:62:61:81 | access to property Text | SqlInjection.cs:75:55:75:60 | access to local variable query1 |
 | SqlInjection.cs:73:33:73:47 | access to field categoryTextBox | SqlInjection.cs:74:56:74:61 | access to local variable query1 |
 | SqlInjection.cs:73:33:73:47 | access to field categoryTextBox | SqlInjection.cs:75:55:75:60 | access to local variable query1 |
+nodes
+| SqlInjection.cs:38:21:38:35 | access to field categoryTextBox |
+| SqlInjection.cs:39:50:39:55 | access to local variable query1 |
+| SqlInjection.cs:49:62:49:76 | access to field categoryTextBox |
+| SqlInjection.cs:49:62:49:81 | access to property Text |
+| SqlInjection.cs:61:62:61:76 | access to field categoryTextBox |
+| SqlInjection.cs:61:62:61:81 | access to property Text |
+| SqlInjection.cs:73:33:73:47 | access to field categoryTextBox |
+| SqlInjection.cs:74:56:74:61 | access to local variable query1 |
+| SqlInjection.cs:75:55:75:60 | access to local variable query1 |
 #select
 | SqlInjection.cs:39:50:39:55 | access to local variable query1 | SqlInjection.cs:38:21:38:35 | access to field categoryTextBox | SqlInjection.cs:39:50:39:55 | access to local variable query1 | Query might include code from $@. | SqlInjection.cs:38:21:38:35 | access to field categoryTextBox | this ASP.NET user input |
 | SqlInjection.cs:74:56:74:61 | access to local variable query1 | SqlInjection.cs:38:21:38:35 | access to field categoryTextBox | SqlInjection.cs:74:56:74:61 | access to local variable query1 | Query might include code from $@. | SqlInjection.cs:38:21:38:35 | access to field categoryTextBox | this ASP.NET user input |

csharp/ql/test/query-tests/Security Features/CWE-090/LDAPInjection.expected

@@ -5,6 +5,14 @@ edges
 | LDAPInjection.cs:13:27:13:49 | access to property QueryString | LDAPInjection.cs:26:53:26:77 | ... + ... |
 | LDAPInjection.cs:13:27:13:49 | access to property QueryString | LDAPInjection.cs:29:48:29:70 | ... + ... |
 | LDAPInjection.cs:13:27:13:49 | access to property QueryString | LDAPInjection.cs:31:20:31:42 | ... + ... |
+nodes
+| LDAPInjection.cs:13:27:13:49 | access to property QueryString |
+| LDAPInjection.cs:16:54:16:78 | ... + ... |
+| LDAPInjection.cs:18:21:18:45 | ... + ... |
+| LDAPInjection.cs:25:21:25:45 | ... + ... |
+| LDAPInjection.cs:26:53:26:77 | ... + ... |
+| LDAPInjection.cs:29:48:29:70 | ... + ... |
+| LDAPInjection.cs:31:20:31:42 | ... + ... |
 #select
 | LDAPInjection.cs:16:54:16:78 | ... + ... | LDAPInjection.cs:13:27:13:49 | access to property QueryString | LDAPInjection.cs:16:54:16:78 | ... + ... | $@ flows to here and is used in an LDAP query. | LDAPInjection.cs:13:27:13:49 | access to property QueryString | User-provided value |
 | LDAPInjection.cs:18:21:18:45 | ... + ... | LDAPInjection.cs:13:27:13:49 | access to property QueryString | LDAPInjection.cs:18:21:18:45 | ... + ... | $@ flows to here and is used in an LDAP query. | LDAPInjection.cs:13:27:13:49 | access to property QueryString | User-provided value |

csharp/ql/test/query-tests/Security Features/CWE-090/StoredLDAPInjection.expected

@@ -1,4 +1,7 @@
 edges
 | StoredLDAPInjection.cs:24:83:24:109 | call to method GetString | StoredLDAPInjection.cs:24:66:24:109 | ... + ... |
+nodes
+| StoredLDAPInjection.cs:24:66:24:109 | ... + ... |
+| StoredLDAPInjection.cs:24:83:24:109 | call to method GetString |
 #select
 | StoredLDAPInjection.cs:24:66:24:109 | ... + ... | StoredLDAPInjection.cs:24:83:24:109 | call to method GetString | StoredLDAPInjection.cs:24:66:24:109 | ... + ... | $@ flows to here and is used in an LDAP query. | StoredLDAPInjection.cs:24:83:24:109 | call to method GetString | Stored user-provided value |