From e35e9be566a0985eae7ffb8a03fe84834548c950 Mon Sep 17 00:00:00 2001
From: Mathew Payne
Date: Thu, 2 Feb 2023 19:21:55 +0000
Subject: [PATCH 1/3] Add 4 CSharp Audit Queries
---
 csharp/CWE-078/CommandInjectionAudit.ql | 21 ++++++++++++++++++
 csharp/CWE-094/CodeInjectionAudit.ql | 22 +++++++++++++++++++
 csharp/CWE-502/UnsafeDeserializationAudit.ql | 21 ++++++++++++++++++
 csharp/CWE-611/UnsafeXMLResolverAudit.ql | 23 ++++++++++++++++++++
 csharp/suites/codeql-csharp-audit.qls | 15 +++++++++++++
 5 files changed, 102 insertions(+)
 create mode 100644 csharp/CWE-078/CommandInjectionAudit.ql
 create mode 100644 csharp/CWE-094/CodeInjectionAudit.ql
 create mode 100644 csharp/CWE-502/UnsafeDeserializationAudit.ql
 create mode 100644 csharp/CWE-611/UnsafeXMLResolverAudit.ql
 create mode 100644 csharp/suites/codeql-csharp-audit.qls
diff --git a/csharp/CWE-078/CommandInjectionAudit.ql b/csharp/CWE-078/CommandInjectionAudit.ql
new file mode 100644
index 0000000000..2c52cd0d17
--- /dev/null
+++ b/csharp/CWE-078/CommandInjectionAudit.ql
@@ -0,0 +1,21 @@
+/**
+ * @name Usage of Command Injection sink
+ * @description Using externally controlled strings in a command line may allow a malicious
+ * user to change the meaning of the command.
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 2.0
+ * @precision low
+ * @id cs/audit/command-line-injection
+ * @tags security
+ * external/cwe/cwe-078
+ * external/cwe/cwe-088
+ * audit
+ */
+
+import csharp
+import semmle.code.csharp.security.dataflow.CommandInjectionQuery
+
+from DataFlow::Node sink
+where sink instanceof Sink
+select sink, "Usage of Command Injection sink"
diff --git a/csharp/CWE-094/CodeInjectionAudit.ql b/csharp/CWE-094/CodeInjectionAudit.ql
new file mode 100644
index 0000000000..9b92699bb0
--- /dev/null
+++ b/csharp/CWE-094/CodeInjectionAudit.ql
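Review bot: `@problem.severity error` on this query is inconsistent with the other three audit queries in the series, which all use `warning` while carrying the same `@precision low` and `@security-severity 2.0` and the same sink-only `where sink instanceof Sink` shape; unless the difference is deliberate, `@problem.severity warning` keeps the audit pack uniform. The `@description` is copied from the flow-based query and reads as if externally controlled data is known to reach the command, which a sink-only query does not establish, so the alert text will overstate what was found. I would replace it with something like `@description Flags every command-line sink known to CommandInjectionQuery, whether or not externally controlled data reaches it, for manual audit.` so the low-precision intent is visible in the alert itself.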
@@ -0,0 +1,22 @@
+/**
+ * @name Use of Code Injection sink
+ * @description Treating externally controlled strings as code can allow an attacker to execute
+ * malicious code.
+ * @kind problem
+ * @problem.severity warning
+ * @security-severity 2.0
+ * @precision low
+ * @id cs/audit/code-injection
+ * @tags security
+ * external/cwe/cwe-094
+ * external/cwe/cwe-095
+ * external/cwe/cwe-096
+ * audit
+ */
+
+import csharp
+import semmle.code.csharp.security.dataflow.CodeInjectionQuery
+
+from DataFlow::Node sink
+where sink instanceof Sink
+select sink, "Usage of Code Injection sink"
diff --git a/csharp/CWE-502/UnsafeDeserializationAudit.ql b/csharp/CWE-502/UnsafeDeserializationAudit.ql
new file mode 100644
index 0000000000..2ced4cb65b
--- /dev/null
+++ b/csharp/CWE-502/UnsafeDeserializationAudit.ql
@@ -0,0 +1,21 @@
+/**
+ * @name Usage of Unsafe Deserialize sink
+ * @description Calling an unsafe deserializer with data controlled by an attacker
+ * can lead to denial of service and other security problems.
+ * @kind problem
+ * @id cs/audit/unsafe-deserialization
+ * @problem.severity warning
+ * @security-severity 2.0
+ * @precision low
+ * @tags security
+ * external/cwe/cwe-502
+ * audit
+ */
+
+// https://github.com/advanced-security/codeql-queries/blob/audit-csharp/codeql/csharp/ql/src/Security Features/CWE-502/UnsafeDeserialization.ql
+import csharp
+import semmle.code.csharp.security.dataflow.UnsafeDeserializationQuery
+
+from DataFlow::Node sink
+where sink instanceof Sink
+select sink, "Usage of Unsafe Deserialize sink"
diff --git a/csharp/CWE-611/UnsafeXMLResolverAudit.ql b/csharp/CWE-611/UnsafeXMLResolverAudit.ql
new file mode 100644
index 0000000000..2667a14e5f
--- /dev/null
+++ b/csharp/CWE-611/UnsafeXMLResolverAudit.ql
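Review bot: `@name Use of Code Injection sink` does not match the alert message `"Usage of Code Injection sink"` on the select line, and the other three queries in this series use `Usage of …` for both; `@name Usage of Code Injection sink` brings them in line. As with CommandInjectionAudit.ql, the `@description` is taken from the taint-tracking query and claims more than a `sink instanceof Sink` check can show, so a sentence stating that the query reports every code-injection sink regardless of whether externally controlled data reaches it would help whoever triages the alerts.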
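Review bot: The reference comment links to the `audit-csharp` branch of the repository, so it will stop resolving as soon as that branch is merged or deleted, whereas UnsafeXMLResolverAudit.ql in the same series pins its reference to a commit SHA; pinning this link to a commit as well keeps the provenance of the copied query stable. The `@id` tag also sits between `@kind` and `@problem.severity` here but after `@precision` in the other three queries; ordering the metadata the same way across the four files is a small consistency gain.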
@@ -0,0 +1,23 @@
+/**
+ * @name XML is read insecurely
+ * @description XML may include dangerous external references, which should
+ * be restricted using a secure resolver or disabling DTD processing.
+ * @kind problem
+ * @problem.severity warning
+ * @security-severity 2.0
+ * @precision low
+ * @id cs/audit/insecure-xml-read
+ * @tags security
+ * external/cwe/cwe-611
+ * external/cwe/cwe-827
+ * external/cwe/cwe-776
+ * audit
+ */
+
+// https://github.com/advanced-security/codeql-queries/blob/c8cfb6a0cc44da3d2baae4b985262a84652f71ee/csharp/ql/src/Security Features/CWE-611/UseXmlSecureResolver.ql#L22s
+import csharp
+import semmle.code.csharp.security.xml.InsecureXMLQuery
+
+from InsecureXmlProcessing xmlProcessing, string reason
+where xmlProcessing.isUnsafe(reason)
+select xmlProcessing, "Insecure XML processing: " + reason
diff --git a/csharp/suites/codeql-csharp-audit.qls b/csharp/suites/codeql-csharp-audit.qls
new file mode 100644
index 0000000000..b447d72447
--- /dev/null
+++ b/csharp/suites/codeql-csharp-audit.qls
@@ -0,0 +1,15 @@
+# This is the field security specialist audit pack
+
+- description: "CSharp Audit Pack"
+
+# Field query pack with some audit queries
+- qlpack: github-queries-csharp
+
+- include:
+ kind:
+ - problem
+ - path-problem
+ - metric
+ - diagnostic
+ tags contain:
+ - audit
From 7fa7c9b8d3db012469365f6bfb58c6c3aa592daa Mon Sep 17 00:00:00 2001
From: Mathew Payne
Date: Thu, 2 Feb 2023 19:29:55 +0000
Subject: [PATCH 2/3] Add CSharp suite to audit pack
---
 config/codeql-audit.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/config/codeql-audit.yml b/config/codeql-audit.yml
index ae897852a5..92b43272e7 100644
--- a/config/codeql-audit.yml
+++ b/config/codeql-audit.yml
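Review bot: Unlike the other three queries in this series, this one does not select `Sink` nodes but reports `InsecureXmlProcessing` values for which `isUnsafe(reason)` holds, which, judging from the linked UseXmlSecureResolver.ql, appears to be the same condition the standard (non-audit) query already alerts on; if so, running the audit suite alongside the default suite would likely report every insecure XML read twice, once at each precision. If that duplication is intended, a comment above the imports such as `// Deliberately mirrors the standard XML resolver query at low precision so it shows up in the audit suite.` would pre-empt the question; if not, the query should state in its `@description` how it differs from the standard one. The `#L22s` fragment in the reference link also looks like a typo for `#L22`.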
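Review bot: The suite selects solely on `tags contain: audit` with no `precision` constraint, and every query added in this series is `@precision low`, yet nothing in the file says that these are intentionally noisy sink-level queries meant to be triaged by hand; I would extend the header comment with `# Audit queries are low-precision (sink-only) and are meant to be run in addition to the default suite, for manual triage.` The `kind` filter also admits `metric` and `diagnostic`, which none of the four audit queries use; if that list is copied from the JavaScript suite for parity, a comment saying so would help, otherwise trimming it to `problem` and `path-problem` narrows what a future `audit`-tagged query can pull in.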
@@ -1,6 +1,9 @@
 name: "GitHub Field CodeQL Audit Configuration"
 queries:
+ # CSharp queries
+ - uses: advanced-security/codeql-queries/csharp/suites/codeql-csharp-audit.qls@main
+ # JavaScript/TypeScript queries - uses: advanced-security/codeql-queries/javascript/suites/codeql-javascript-audit.qls@main
From 48524177b47f19f9acbce45f50095170cf1b4629 Mon Sep 17 00:00:00 2001
From: Chad Bentz <1760475+felickz@users.noreply.github.com>
Date: Thu, 2 Feb 2023 23:45:23 +0000
Subject: [PATCH 3/3] Initial run of coverage report
---
 csharp/.data/queries.json | 10 ++++++----
 csharp/README.md | 9 +++++----
 2 files changed, 11 insertions(+), 8 deletions(-)
diff --git a/csharp/.data/queries.json b/csharp/.data/queries.json
index bcadfcbb4e..b1c55e3be1 100644
--- a/csharp/.data/queries.json
+++ b/csharp/.data/queries.json
@@ -1,4 +1,10 @@
 {
+ "audit": [
+ "csharp/CWE-078/CommandInjectionAudit.ql",
+ "csharp/CWE-094/CodeInjectionAudit.ql",
+ "csharp/CWE-502/UnsafeDeserializationAudit.ql",
+ "csharp/CWE-611/UnsafeXMLResolverAudit.ql"
+ ],
 "default": [
 "codeql/csharp/ql/src/Security Features/CWE-011/ASPNetDebug.ql",
 "codeql/csharp/ql/src/Security Features/CWE-022/TaintedPath.ql",
@@ -49,7 +55,6 @@
 "codeql/csharp/ql/src/Diagnostics/ExtractorMessage.ql",
 "codeql/csharp/ql/src/Metrics/Summaries/LinesOfCode.ql",
 "codeql/csharp/ql/src/Telemetry/ExternalLibraryUsage.ql",
- "codeql/csharp/ql/src/Telemetry/SupportedExternalApis.ql",
 "codeql/csharp/ql/src/Telemetry/SupportedExternalSinks.ql",
 "codeql/csharp/ql/src/Telemetry/SupportedExternalSources.ql",
 "codeql/csharp/ql/src/Telemetry/SupportedExternalTaint.ql",
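Review bot: The new `uses:` entry pulls the audit suite from `@main`, so the set of queries executed by this configuration changes whenever that branch moves, with no review on this side of the boundary; this matches the existing JavaScript entry, but pinning to a release tag or commit, `- uses: advanced-security/codeql-queries/csharp/suites/codeql-csharp-audit.qls@<tag-or-sha>` with a real ref substituted, would make an audit run reproducible. If `@main` is deliberate for this field configuration, a one-line comment next to the entry saying so would stop the next reader from "fixing" it. The `queries:` list continues outside the hunk, so I cannot tell whether other entries are already pinned.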
@@ -122,7 +127,6 @@
 "codeql/csharp/ql/src/Diagnostics/ExtractorMessage.ql",
 "codeql/csharp/ql/src/Metrics/Summaries/LinesOfCode.ql",
 "codeql/csharp/ql/src/Telemetry/ExternalLibraryUsage.ql",
- "codeql/csharp/ql/src/Telemetry/SupportedExternalApis.ql",
 "codeql/csharp/ql/src/Telemetry/SupportedExternalSinks.ql",
 "codeql/csharp/ql/src/Telemetry/SupportedExternalSources.ql",
 "codeql/csharp/ql/src/Telemetry/SupportedExternalTaint.ql",
@@ -296,7 +300,6 @@
 "codeql/csharp/ql/src/Diagnostics/ExtractorMessage.ql",
 "codeql/csharp/ql/src/Metrics/Summaries/LinesOfCode.ql",
 "codeql/csharp/ql/src/Telemetry/ExternalLibraryUsage.ql",
- "codeql/csharp/ql/src/Telemetry/SupportedExternalApis.ql",
 "codeql/csharp/ql/src/Telemetry/SupportedExternalSinks.ql",
 "codeql/csharp/ql/src/Telemetry/SupportedExternalSources.ql",
 "codeql/csharp/ql/src/Telemetry/SupportedExternalTaint.ql",
@@ -369,7 +372,6 @@
 "codeql/csharp/ql/src/Diagnostics/ExtractorMessage.ql",
 "codeql/csharp/ql/src/Metrics/Summaries/LinesOfCode.ql",
 "codeql/csharp/ql/src/Telemetry/ExternalLibraryUsage.ql",
- "codeql/csharp/ql/src/Telemetry/SupportedExternalApis.ql",
 "codeql/csharp/ql/src/Telemetry/SupportedExternalSinks.ql",
 "codeql/csharp/ql/src/Telemetry/SupportedExternalSources.ql",
 "codeql/csharp/ql/src/Telemetry/SupportedExternalTaint.ql",
diff --git a/csharp/README.md b/csharp/README.md
index 8e8e96c1ea..b73a4b4573 100644
--- a/csharp/README.md
+++ b/csharp/README.md
@@ -4,10 +4,11 @@
 | Name | Queries Count | Description | Path |
 | :--- | :---- | :--- | :--- |
-| `default` | 54 | Default Query Suite | `codeql/csharp/ql/src/codeql-suites/code-scanning` |
-| `extended` | 71 | Security Extended Suite | `codeql/csharp/ql/src/codeql-suites/security-extended` |
-| `quality` | 172 | Security and Quality Extended Suite | `codeql/csharp/ql/src/codeql-suites/security-and-quality` |
-| `super-extended` | 81 | Security Extended with Experimental and Custom Queries Suite | `advanced-security/codeql-queries/csharp/suites/codeql-csharp.qls@main` |
+| `default` | 53 | Default Query Suite | `codeql/csharp/ql/src/codeql-suites/code-scanning` |
+| `extended` | 70 | Security Extended Suite | `codeql/csharp/ql/src/codeql-suites/security-extended` |
+| `quality` | 171 | Security and Quality Extended Suite | `codeql/csharp/ql/src/codeql-suites/security-and-quality` |
+| `super-extended` | 80 | Security Extended with Experimental and Custom Queries Suite | `advanced-security/codeql-queries/csharp/suites/codeql-csharp.qls@main` |
+| `audit` | 4 | Security Audit Query Suite | `advanced-security/codeql-queries/csharp/suites/codeql-csharp-audit.qls@main` |
\ No newline at end of file