Merge pull request #2658 from calumgrant/cs/serialization-check-bypass-type

hvitved · web-flow · commit 78380f5d598f · 2020-02-12T10:26:01.000+01:00
C#: Fix cs/serialization-check-bypass
diff --git a/csharp/ql/src/Security Features/CWE-020/RuntimeChecksBypass.ql b/csharp/ql/src/Security Features/CWE-020/RuntimeChecksBypass.ql
@@ -11,6 +11,7 @@
 
 import semmle.code.csharp.serialization.Serialization
 import semmle.code.csharp.controlflow.Guards
+import semmle.code.csharp.dataflow.DataFlow
 
 /**
  * The result is a write to the field `f`, assigning it the value
@@ -29,7 +30,11 @@ GuardedExpr checkedWrite(Field f, Variable v, IfStmt check) {
 Expr uncheckedWrite(Callable callable, Field f) {
   result = f.getAnAssignedValue() and
   result.getEnclosingCallable() = callable and
-  not callable.calls*(checkedWrite(f, _, _).getEnclosingCallable())
+  not callable.calls*(checkedWrite(f, _, _).getEnclosingCallable()) and
+  // Exclude object creations because they were not deserialized
+  not exists(Expr src | DataFlow::localExprFlow(src, result) |
+    src instanceof ObjectCreation or src.hasValue()
+  )
 }
 
 from BinarySerializableType t, Field f, IfStmt check, Expr write, Expr unsafeWrite
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-020/RuntimeChecksBypass.cs b/csharp/ql/test/query-tests/Security Features/CWE-020/RuntimeChecksBypass.cs
@@ -10,14 +10,14 @@ public Test1(string v)
     {
         if (v == "valid")
         {
-            f = v /* safe write */;
+            f = v;  // GOOD
         }
     }
 
     [OnDeserializing]
     public void Deserialize()
     {
-        f = "invalid" /* unsafe write */;
+        f = $"invalid";  // BAD
     }
 }
 
@@ -30,19 +30,19 @@ public Test2(string v)
     {
         if (v == "valid")
         {
-            f = v /* safe write */;
+            f = v;  // GOOD
         }
     }
 
     [OnDeserializing]
     public void Deserialize()
     {
-        var v = "invalid";
-        f = v /* unsafe write -- false negative */;
+        var v = $"invalid";
+        f = v;  // BAD: False negative
 
         if (v == "valid")
         {
-            f = v;  /* safe write */
+            f = v;  // GOOD
         }
     }
 }
@@ -56,25 +56,25 @@ public Test3(string v)
     {
         if (v == "valid")
         {
-            f = v /* safe write */;
+            f = v;  // GOOD
         }
     }
 
     [OnDeserializing]
     public void Deserialize()
     {
-        var v = "invalid";
-        f = v /* unsafe write -- false negative */;
+        var v = $"invalid";
+        f = v;  // GOOD: False negative
         Assign(v);
     }
 
     private void Assign(string v)
     {
-        f = v /* unsafe write -- false negative */;
+        f = v;  // GOOD: False negative
 
         if (v == "valid")
         {
-            f = v /* safe write */;
+            f = v;  // GOOD
         }
     }
 }
@@ -88,21 +88,21 @@ public Test4(string v)
     {
         if (v == "valid")
         {
-            f = v /* safe write */;
+            f = v;  // GOOD
         }
     }
 
     [OnDeserializing]
     public void Deserialize()
     {
-        var v = "invalid";
+        var v = $"invalid";
         if (v == "valid")
             Assign(v);
     }
 
     private void Assign(string v)
     {
-        f = v /* safe write */;
+        f = v;  // GOOD
     }
 }
 
@@ -115,13 +115,13 @@ public Test5(int age)
     {
         if (age < 0)
             throw new ArgumentException(nameof(age));
-        Age = age /* safe write */;
+        Age = age;  // GOOD
     }
 
     [OnDeserializing]
     void ISerializable.GetObjectData(SerializationInfo info, StreamingContext context)
     {
-        Age = info.GetInt32("age"); /* unsafe write */;
+        Age = info.GetInt32("age");  // BAD
     }
 }
 
@@ -134,7 +134,7 @@ public Test6(int age)
     {
         if (age < 0)
             throw new ArgumentException(nameof(age));
-        Age = age /* safe write */;
+        Age = age;  // GOOD
     }
 
     [OnDeserializing]
@@ -143,7 +143,7 @@ void ISerializable.GetObjectData(SerializationInfo info, StreamingContext contex
         int age = info.GetInt32("age");
         if (age < 0)
             throw new SerializationException("age");
-        Age = age; /* safe write */;
+        Age = age;  // GOOD
     }
 }
 
@@ -156,7 +156,7 @@ public Test7(int age)
     {
         if (age < 0)
             throw new ArgumentException(nameof(age));
-        Age = age /* safe write */;
+        Age = age;  // GOOD
     }
 
     [OnDeserializing]
@@ -165,6 +165,27 @@ void ISerializable.GetObjectData(SerializationInfo info, StreamingContext contex
         int age = info.GetInt32("age");
         if (false)
             throw new SerializationException("age");
-        Age = age; /* unsafe write */;
+        Age = age;  // BAD
+    }
+}
+
+[Serializable]
+public class Test8 : ISerializable
+{
+    string Options;
+
+    public int Age;
+
+    public Test8(string options)
+    {
+        if (options == null)
+            throw new ArgumentNullException(nameof(options));
+        Options = options;  // GOOD
+    }
+
+    [OnDeserializing]
+    void ISerializable.GetObjectData(SerializationInfo info, StreamingContext context)
+    {
+        Options = new string("");  // GOOD: A created object
     }
 }
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-020/RuntimeChecksbypass.expected b/csharp/ql/test/query-tests/Security Features/CWE-020/RuntimeChecksbypass.expected
@@ -1,4 +1,4 @@
-| RuntimeChecksBypass.cs:20:13:20:21 | "invalid" | This write to $@ may be circumventing a $@. | RuntimeChecksBypass.cs:7:19:7:19 | f | f | RuntimeChecksBypass.cs:11:9:14:9 | if (...) ... | check |
+| RuntimeChecksBypass.cs:20:13:20:22 | $"..." | This write to $@ may be circumventing a $@. | RuntimeChecksBypass.cs:7:19:7:19 | f | f | RuntimeChecksBypass.cs:11:9:14:9 | if (...) ... | check |
 | RuntimeChecksBypass.cs:124:15:124:34 | call to method GetInt32 | This write to $@ may be circumventing a $@. | RuntimeChecksBypass.cs:112:16:112:18 | Age | Age | RuntimeChecksBypass.cs:116:9:117:53 | if (...) ... | check |
 | RuntimeChecksBypass.cs:168:15:168:17 | access to local variable age | This write to $@ may be circumventing a $@. | RuntimeChecksBypass.cs:153:16:153:18 | Age | Age | RuntimeChecksBypass.cs:157:9:158:53 | if (...) ... | check |
 | RuntimeChecksBypassBad.cs:19:15:19:34 | call to method GetInt32 | This write to $@ may be circumventing a $@. | RuntimeChecksBypassBad.cs:7:16:7:18 | Age | Age | RuntimeChecksBypassBad.cs:11:9:12:53 | if (...) ... | check |

Original file line number	Diff line number	Diff line change
`@@ -10,14 +10,14 @@ public Test1(string v)`
`10`	`10`	`{`
`11`	`11`	`if (v == "valid")`
`12`	`12`	`{`
`13`		`- f = v /* safe write */;`
	`13`	`+ f = v; // GOOD`
`14`	`14`	`}`
`15`	`15`	`}`
`16`	`16`
`17`	`17`	`[OnDeserializing]`
`18`	`18`	`public void Deserialize()`
`19`	`19`	`{`
`20`		`- f = "invalid" /* unsafe write */;`
	`20`	`+ f = $"invalid"; // BAD`
`21`	`21`	`}`
`22`	`22`	`}`
`23`	`23`
`@@ -30,19 +30,19 @@ public Test2(string v)`
`30`	`30`	`{`
`31`	`31`	`if (v == "valid")`
`32`	`32`	`{`
`33`		`- f = v /* safe write */;`
	`33`	`+ f = v; // GOOD`
`34`	`34`	`}`
`35`	`35`	`}`
`36`	`36`
`37`	`37`	`[OnDeserializing]`
`38`	`38`	`public void Deserialize()`
`39`	`39`	`{`
`40`		`- var v = "invalid";`
`41`		`- f = v /* unsafe write -- false negative */;`
	`40`	`+ var v = $"invalid";`
	`41`	`+ f = v; // BAD: False negative`
`42`	`42`
`43`	`43`	`if (v == "valid")`
`44`	`44`	`{`
`45`		`- f = v; /* safe write */`
	`45`	`+ f = v; // GOOD`
`46`	`46`	`}`
`47`	`47`	`}`
`48`	`48`	`}`
`@@ -56,25 +56,25 @@ public Test3(string v)`
`56`	`56`	`{`
`57`	`57`	`if (v == "valid")`
`58`	`58`	`{`
`59`		`- f = v /* safe write */;`
	`59`	`+ f = v; // GOOD`
`60`	`60`	`}`
`61`	`61`	`}`
`62`	`62`
`63`	`63`	`[OnDeserializing]`
`64`	`64`	`public void Deserialize()`
`65`	`65`	`{`
`66`		`- var v = "invalid";`
`67`		`- f = v /* unsafe write -- false negative */;`
	`66`	`+ var v = $"invalid";`
	`67`	`+ f = v; // GOOD: False negative`
`68`	`68`	`Assign(v);`
`69`	`69`	`}`
`70`	`70`
`71`	`71`	`private void Assign(string v)`
`72`	`72`	`{`
`73`		`- f = v /* unsafe write -- false negative */;`
	`73`	`+ f = v; // GOOD: False negative`
`74`	`74`
`75`	`75`	`if (v == "valid")`
`76`	`76`	`{`
`77`		`- f = v /* safe write */;`
	`77`	`+ f = v; // GOOD`
`78`	`78`	`}`
`79`	`79`	`}`
`80`	`80`	`}`
`@@ -88,21 +88,21 @@ public Test4(string v)`
`88`	`88`	`{`
`89`	`89`	`if (v == "valid")`
`90`	`90`	`{`
`91`		`- f = v /* safe write */;`
	`91`	`+ f = v; // GOOD`
`92`	`92`	`}`
`93`	`93`	`}`
`94`	`94`
`95`	`95`	`[OnDeserializing]`
`96`	`96`	`public void Deserialize()`
`97`	`97`	`{`
`98`		`- var v = "invalid";`
	`98`	`+ var v = $"invalid";`
`99`	`99`	`if (v == "valid")`
`100`	`100`	`Assign(v);`
`101`	`101`	`}`
`102`	`102`
`103`	`103`	`private void Assign(string v)`
`104`	`104`	`{`
`105`		`- f = v /* safe write */;`
	`105`	`+ f = v; // GOOD`
`106`	`106`	`}`
`107`	`107`	`}`
`108`	`108`
`@@ -115,13 +115,13 @@ public Test5(int age)`
`115`	`115`	`{`
`116`	`116`	`if (age < 0)`
`117`	`117`	`throw new ArgumentException(nameof(age));`
`118`		`- Age = age /* safe write */;`
	`118`	`+ Age = age; // GOOD`
`119`	`119`	`}`
`120`	`120`
`121`	`121`	`[OnDeserializing]`
`122`	`122`	`void ISerializable.GetObjectData(SerializationInfo info, StreamingContext context)`
`123`	`123`	`{`
`124`		`- Age = info.GetInt32("age"); /* unsafe write */;`
	`124`	`+ Age = info.GetInt32("age"); // BAD`
`125`	`125`	`}`
`126`	`126`	`}`
`127`	`127`
`@@ -134,7 +134,7 @@ public Test6(int age)`
`134`	`134`	`{`
`135`	`135`	`if (age < 0)`
`136`	`136`	`throw new ArgumentException(nameof(age));`
`137`		`- Age = age /* safe write */;`
	`137`	`+ Age = age; // GOOD`
`138`	`138`	`}`
`139`	`139`
`140`	`140`	`[OnDeserializing]`
`@@ -143,7 +143,7 @@ void ISerializable.GetObjectData(SerializationInfo info, StreamingContext contex`
`143`	`143`	`int age = info.GetInt32("age");`
`144`	`144`	`if (age < 0)`
`145`	`145`	`throw new SerializationException("age");`
`146`		`- Age = age; /* safe write */;`
	`146`	`+ Age = age; // GOOD`
`147`	`147`	`}`
`148`	`148`	`}`
`149`	`149`
`@@ -156,7 +156,7 @@ public Test7(int age)`
`156`	`156`	`{`
`157`	`157`	`if (age < 0)`
`158`	`158`	`throw new ArgumentException(nameof(age));`
`159`		`- Age = age /* safe write */;`
	`159`	`+ Age = age; // GOOD`
`160`	`160`	`}`
`161`	`161`
`162`	`162`	`[OnDeserializing]`
`@@ -165,6 +165,27 @@ void ISerializable.GetObjectData(SerializationInfo info, StreamingContext contex`
`165`	`165`	`int age = info.GetInt32("age");`
`166`	`166`	`if (false)`
`167`	`167`	`throw new SerializationException("age");`
`168`		`- Age = age; /* unsafe write */;`
	`168`	`+ Age = age; // BAD`
	`169`	`+ }`
	`170`	`+}`
	`171`	`+`
	`172`	`+[Serializable]`
	`173`	`+public class Test8 : ISerializable`
	`174`	`+{`
	`175`	`+ string Options;`
	`176`	`+`
	`177`	`+ public int Age;`
	`178`	`+`
	`179`	`+ public Test8(string options)`
	`180`	`+ {`
	`181`	`+ if (options == null)`
	`182`	`+ throw new ArgumentNullException(nameof(options));`
	`183`	`+ Options = options; // GOOD`
	`184`	`+ }`
	`185`	`+`
	`186`	`+ [OnDeserializing]`
	`187`	`+ void ISerializable.GetObjectData(SerializationInfo info, StreamingContext context)`
	`188`	`+ {`
	`189`	`+ Options = new string(""); // GOOD: A created object`
`169`	`190`	`}`
`170`	`191`	`}`