[C#] Taint analysis does not have flow path for non constant field of a class as its source #9569

Open
kanan1832 opened this issue Jun 15, 2022 · 2 comments
Labels
question Further information is requested

@kanan1832

I have this simple `Test` class, where I'm trying to mimic a path problem, with `Message1` as source and `Console.WriteLine(Message1)` as sink.

```csharp
class Test
{
    private const string Message1 = "Test Message 1";
    private readonly string Message2 = "Test Message 2";

    public void Run()
    {
        Console.WriteLine(Message1);
        Console.WriteLine(Message2);
    }
}
```

```ql
import csharp
import DataFlow::PathGraph

class Source extends DataFlow::Node {
  Source() { this.asExpr() instanceof StringLiteral }
}

class WriteLineMethod extends Method {
  WriteLineMethod() { this.hasQualifiedName("System.Console.WriteLine") }
}

class Sink extends DataFlow::Node {
  Sink() {
    exists(MethodCall m |
      m.getTarget() instanceof WriteLineMethod and
      this.asExpr() = m.getArgument(0)
    )
  }
}

class SimpleConfiguration extends TaintTracking::Configuration {
  SimpleConfiguration() { this = "Simple configuration" }

  override predicate isSource(DataFlow::Node source) { source instanceof Source }

  override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
}

from DataFlow::PathNode source, DataFlow::PathNode sink, SimpleConfiguration cfg
where cfg.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "$@ is used in WriteLine method.", source.getNode(),
  "String"
```

Here I did a simple taint tracking analysis on the above `Test` class using the above query. For the const field `private const string Message1 = "Test Message 1";` as source and `Console.WriteLine(Message1);` as sink, I'm getting the correct result, but for the non-const field `private readonly string Message2 = "Test Message 2";` it doesn't seem to work.

Did I miss something here? Why does taint tracking work for a const field or a static field in a static class but not for an instance field?

test.ql result

@kanan1832

You can use the following database zip file for testing: https://github.com/manundev/jekyll-pages/releases/download/0.1/csharp-test.zip

@tamasvajk

I've added an answer in #9728.
