System.Data.SQLite SQLi sinks added

security-code-scan · Nov 12, 2018 · 067e8f6 · 067e8f6
1 parent ce02c56
commit 067e8f6
Show file tree

Hide file tree

Showing 5 changed files with 171 additions and 28 deletions.
diff --git a/SecurityCodeScan.Test/SecurityCodeScan.Test.csproj b/SecurityCodeScan.Test/SecurityCodeScan.Test.csproj
@@ -273,6 +273,9 @@
     <Reference Include="System.Configuration" />
     <Reference Include="System.Core" />
     <Reference Include="System.Data.Linq" />
+    <Reference Include="System.Data.SQLite, Version=1.0.109.0, Culture=neutral, PublicKeyToken=db937bc2d44ff139, processorArchitecture=MSIL">
+      <HintPath>..\packages\System.Data.SQLite.Core.1.0.109.2\lib\net451\System.Data.SQLite.dll</HintPath>
+    </Reference>
     <Reference Include="System.Diagnostics.DiagnosticSource, Version=4.0.1.1, Culture=neutral, PublicKeyToken=cc7b13ffcd2ddd51, processorArchitecture=MSIL">
       <HintPath>..\packages\System.Diagnostics.DiagnosticSource.4.3.1\lib\portable-net45+win8+wpa81\System.Diagnostics.DiagnosticSource.dll</HintPath>
     </Reference>
@@ -421,8 +424,10 @@
     </PropertyGroup>
     <Error Condition="!Exists('..\packages\MSTest.TestAdapter.1.2.0\build\net45\MSTest.TestAdapter.props')" Text="$([System.String]::Format('$(ErrorText)', '..\packages\MSTest.TestAdapter.1.2.0\build\net45\MSTest.TestAdapter.props'))" />
     <Error Condition="!Exists('..\packages\MSTest.TestAdapter.1.2.0\build\net45\MSTest.TestAdapter.targets')" Text="$([System.String]::Format('$(ErrorText)', '..\packages\MSTest.TestAdapter.1.2.0\build\net45\MSTest.TestAdapter.targets'))" />
+    <Error Condition="!Exists('..\packages\System.Data.SQLite.Core.1.0.109.2\build\net451\System.Data.SQLite.Core.targets')" Text="$([System.String]::Format('$(ErrorText)', '..\packages\System.Data.SQLite.Core.1.0.109.2\build\net451\System.Data.SQLite.Core.targets'))" />
   </Target>
   <Import Project="..\packages\MSTest.TestAdapter.1.2.0\build\net45\MSTest.TestAdapter.targets" Condition="Exists('..\packages\MSTest.TestAdapter.1.2.0\build\net45\MSTest.TestAdapter.targets')" />
+  <Import Project="..\packages\System.Data.SQLite.Core.1.0.109.2\build\net451\System.Data.SQLite.Core.targets" Condition="Exists('..\packages\System.Data.SQLite.Core.1.0.109.2\build\net451\System.Data.SQLite.Core.targets')" />
   <!-- To modify your build process, add your task inside one of the targets below and uncomment it. 
        Other similar extension points exist, see Microsoft.Common.targets.
   <Target Name="BeforeBuild">

diff --git a/SecurityCodeScan.Test/Tests/Taint/CommandTextAnalyzerTest.cs b/SecurityCodeScan.Test/Tests/Taint/CommandTextAnalyzerTest.cs
@@ -1,5 +1,6 @@
 using System.Collections.Generic;
 using System.Threading.Tasks;
+using Microsoft.CodeAnalysis;
 using Microsoft.CodeAnalysis.Diagnostics;
 using Microsoft.VisualStudio.TestTools.UnitTesting;
 using SecurityCodeScan.Analyzers.Taint;
@@ -15,24 +16,58 @@ protected override IEnumerable<DiagnosticAnalyzer> GetDiagnosticAnalyzers(string
             return new List<DiagnosticAnalyzer> { new TaintAnalyzerCSharp(), new TaintAnalyzerVisualBasic() };
         }
 
+        private static readonly PortableExecutableReference[] References =
+        {
+            MetadataReference.CreateFromFile(typeof(System.Data.SQLite.SQLiteCommand).Assembly.Location)
+        };
+
+        protected override IEnumerable<MetadataReference> GetAdditionalReferences() => References;
+
         [TestCategory("Detect")]
         [DataTestMethod]
-        [DataRow("SqlCommand", "new SqlCommand { CommandText = sql }")]
-        [DataRow("DbCommand",  "new SqlCommand { CommandText = sql }")]
-        [DataRow("IDbCommand", "new SqlCommand { CommandText = sql }")]
-        [DataRow("SqlCommand", "new SqlCommand(); sqlCommand.CommandText = sql")]
-        [DataRow("DbCommand",  "new SqlCommand(); sqlCommand.CommandText = sql")]
-        [DataRow("IDbCommand", "new SqlCommand(); sqlCommand.CommandText = sql")]
-        [DataRow("SqlCommand", "Create(); sqlCommand.CommandText = sql")]
-        [DataRow("DbCommand",  "Create(); sqlCommand.CommandText = sql")]
-        [DataRow("IDbCommand", "Create(); sqlCommand.CommandText = sql")]
-        public async Task CommandTextUnSafeCSharp(string type, string factory)
+        [DataRow("SQLiteCommand", "new SQLiteCommand { CommandText = sql }", true)]
+        [DataRow("DbCommand",     "new SQLiteCommand { CommandText = sql }", true)]
+        [DataRow("IDbCommand",    "new SQLiteCommand { CommandText = sql }", true)]
+        [DataRow("SQLiteCommand", "new SQLiteCommand(); sqlCommand.CommandText = sql", true)]
+        [DataRow("DbCommand",     "new SQLiteCommand(); sqlCommand.CommandText = sql", true)]
+        [DataRow("IDbCommand",    "new SQLiteCommand(); sqlCommand.CommandText = sql", true)]
+        [DataRow("SQLiteCommand", "Create(); sqlCommand.CommandText = sql", true)]
+
+        [DataRow("SqlCommand",    "new SqlCommand { CommandText = sql }", true)]
+        [DataRow("DbCommand",     "new SqlCommand { CommandText = sql }", true)]
+        [DataRow("IDbCommand",    "new SqlCommand { CommandText = sql }", true)]
+        [DataRow("SqlCommand",    "new SqlCommand(); sqlCommand.CommandText = sql", true)]
+        [DataRow("DbCommand",     "new SqlCommand(); sqlCommand.CommandText = sql", true)]
+        [DataRow("IDbCommand",    "new SqlCommand(); sqlCommand.CommandText = sql", true)]
+        [DataRow("SqlCommand",    "Create(); sqlCommand.CommandText = sql", true)]
+        [DataRow("DbCommand",     "Create(); sqlCommand.CommandText = sql", true)]
+        [DataRow("IDbCommand",    "Create(); sqlCommand.CommandText = sql", true)]
+
+        [DataRow("SQLiteCommand", "new SQLiteCommand { CommandText = \"select\" }",           false)]
+        [DataRow("DbCommand",     "new SQLiteCommand { CommandText = \"select\" }",           false)]
+        [DataRow("IDbCommand",    "new SQLiteCommand { CommandText = \"select\" }",           false)]
+        [DataRow("SQLiteCommand", "new SQLiteCommand(); sqlCommand.CommandText = \"select\"", false)]
+        [DataRow("DbCommand",     "new SQLiteCommand(); sqlCommand.CommandText = \"select\"", false)]
+        [DataRow("IDbCommand",    "new SQLiteCommand(); sqlCommand.CommandText = \"select\"", false)]
+        [DataRow("SQLiteCommand", "Create(); sqlCommand.CommandText = \"select\"",            false)]
+
+        [DataRow("SqlCommand", "new SqlCommand { CommandText = \"select\" }",           false)]
+        [DataRow("DbCommand",  "new SqlCommand { CommandText = \"select\" }",           false)]
+        [DataRow("IDbCommand", "new SqlCommand { CommandText = \"select\" }",           false)]
+        [DataRow("SqlCommand", "new SqlCommand(); sqlCommand.CommandText = \"select\"", false)]
+        [DataRow("DbCommand",  "new SqlCommand(); sqlCommand.CommandText = \"select\"", false)]
+        [DataRow("IDbCommand", "new SqlCommand(); sqlCommand.CommandText = \"select\"", false)]
+        [DataRow("SqlCommand", "Create(); sqlCommand.CommandText = \"select\"",         false)]
+        [DataRow("DbCommand",  "Create(); sqlCommand.CommandText = \"select\"",         false)]
+        [DataRow("IDbCommand", "Create(); sqlCommand.CommandText = \"select\"",         false)]
+        public async Task CommandTextUnsafeCSharp(string type, string factory, bool warn)
         {
             var cSharpTest = $@"
 #pragma warning disable 8019
     using System.Data.SqlClient;
     using System.Data.Common;
     using System.Data;
+    using System.Data.SQLite;
 #pragma warning restore 8019
 
 namespace sample
@@ -52,29 +87,63 @@ public static void Run(string sql)
 }}
 ";
 
-            await VerifyCSharpDiagnostic(cSharpTest,
-                                         new DiagnosticResult { Id = "SCS0026" }.WithLocation(14))
-                .ConfigureAwait(false);
+            if (warn)
+            {
+                await VerifyCSharpDiagnostic(cSharpTest,
+                                             new DiagnosticResult { Id = "SCS0026" }.WithLocation(15))
+                    .ConfigureAwait(false);
+            }
+            else
+            {
+                await VerifyCSharpDiagnostic(cSharpTest).ConfigureAwait(false);
+            }
         }
 
         [TestCategory("Detect")]
         [DataTestMethod]
-        [DataRow("SqlCommand", "New SqlCommand With \r\n{ .CommandText = sql }")]
-        [DataRow("DbCommand",  "New SqlCommand With \r\n{ .CommandText = sql }")]
-        [DataRow("IDbCommand", "New SqlCommand With \r\n{ .CommandText = sql }")]
-        [DataRow("SqlCommand", "New SqlCommand\r\nsqlCommand.CommandText = sql")]
-        [DataRow("DbCommand",  "New SqlCommand\r\nsqlCommand.CommandText = sql")]
-        [DataRow("IDbCommand", "New SqlCommand\r\nsqlCommand.CommandText = sql")]
-        [DataRow("SqlCommand", "Create()\r\nsqlCommand.CommandText = sql")]
-        [DataRow("DbCommand",  "Create()\r\nsqlCommand.CommandText = sql")]
-        [DataRow("IDbCommand", "Create()\r\nsqlCommand.CommandText = sql")]
-        public async Task CommandTextUnSafeVBasic(string type, string factory)
+        [DataRow("SQLiteCommand", "New SQLiteCommand With \r\n{ .CommandText = sql }", true)]
+        [DataRow("DbCommand",     "New SQLiteCommand With \r\n{ .CommandText = sql }", true)]
+        [DataRow("IDbCommand",    "New SQLiteCommand With \r\n{ .CommandText = sql }", true)]
+        [DataRow("SQLiteCommand", "New SQLiteCommand\r\nsqlCommand.CommandText = sql", true)]
+        [DataRow("DbCommand",     "New SQLiteCommand\r\nsqlCommand.CommandText = sql", true)]
+        [DataRow("IDbCommand",    "New SQLiteCommand\r\nsqlCommand.CommandText = sql", true)]
+        [DataRow("SQLiteCommand", "Create\r\nsqlCommand.CommandText = sql", true)]
+
+        [DataRow("SqlCommand", "New SqlCommand With \r\n{ .CommandText = sql }", true)]
+        [DataRow("DbCommand",  "New SqlCommand With \r\n{ .CommandText = sql }", true)]
+        [DataRow("IDbCommand", "New SqlCommand With \r\n{ .CommandText = sql }", true)]
+        [DataRow("SqlCommand", "New SqlCommand\r\nsqlCommand.CommandText = sql", true)]
+        [DataRow("DbCommand",  "New SqlCommand\r\nsqlCommand.CommandText = sql", true)]
+        [DataRow("IDbCommand", "New SqlCommand\r\nsqlCommand.CommandText = sql", true)]
+        [DataRow("SqlCommand", "Create()\r\nsqlCommand.CommandText = sql", true)]
+        [DataRow("DbCommand",  "Create()\r\nsqlCommand.CommandText = sql", true)]
+        [DataRow("IDbCommand", "Create()\r\nsqlCommand.CommandText = sql", true)]
+
+        [DataRow("SQLiteCommand", "New SQLiteCommand With \r\n{ .CommandText = \"select\" }", false)]
+        [DataRow("DbCommand",     "New SQLiteCommand With \r\n{ .CommandText = \"select\" }", false)]
+        [DataRow("IDbCommand",    "New SQLiteCommand With \r\n{ .CommandText = \"select\" }", false)]
+        [DataRow("SQLiteCommand", "New SQLiteCommand\r\nsqlCommand.CommandText = \"select\"", false)]
+        [DataRow("DbCommand",     "New SQLiteCommand\r\nsqlCommand.CommandText = \"select\"", false)]
+        [DataRow("IDbCommand",    "New SQLiteCommand\r\nsqlCommand.CommandText = \"select\"", false)]
+        [DataRow("SQLiteCommand", "Create\r\nsqlCommand.CommandText = \"select\"",            false)]
+
+        [DataRow("SqlCommand", "New SqlCommand With \r\n{ .CommandText = \"select\" }", false)]
+        [DataRow("DbCommand",  "New SqlCommand With \r\n{ .CommandText = \"select\" }", false)]
+        [DataRow("IDbCommand", "New SqlCommand With \r\n{ .CommandText = \"select\" }", false)]
+        [DataRow("SqlCommand", "New SqlCommand\r\nsqlCommand.CommandText = \"select\"", false)]
+        [DataRow("DbCommand",  "New SqlCommand\r\nsqlCommand.CommandText = \"select\"", false)]
+        [DataRow("IDbCommand", "New SqlCommand\r\nsqlCommand.CommandText = \"select\"", false)]
+        [DataRow("SqlCommand", "Create()\r\nsqlCommand.CommandText = \"select\"",       false)]
+        [DataRow("DbCommand",  "Create()\r\nsqlCommand.CommandText = \"select\"",       false)]
+        [DataRow("IDbCommand", "Create()\r\nsqlCommand.CommandText = \"select\"",       false)]
+        public async Task CommandTextUnsafeVBasic(string type, string factory, bool warn)
         {
             var visualBasicTest = $@"
 #Disable Warning BC50001
     Imports System.Data.SqlClient
     Imports System.Data.Common
     Imports System.Data
+    Imports System.Data.SQLite
 #Enable Warning BC50001
 
 Namespace sample
@@ -90,9 +159,16 @@ End Class
 End Namespace
 ";
 
-            await VerifyVisualBasicDiagnostic(visualBasicTest,
-                                              new DiagnosticResult { Id = "SCS0026" }.WithLocation(12))
-                .ConfigureAwait(false);
+            if (warn)
+            {
+                await VerifyVisualBasicDiagnostic(visualBasicTest,
+                                                  new DiagnosticResult { Id = "SCS0026" }.WithLocation(13))
+                    .ConfigureAwait(false);
+            }
+            else
+            {
+                await VerifyVisualBasicDiagnostic(visualBasicTest).ConfigureAwait(false);
+            }
         }
     }
 }
diff --git a/SecurityCodeScan.Test/Tests/Taint/SqlInjectionAnalyzerTest.cs b/SecurityCodeScan.Test/Tests/Taint/SqlInjectionAnalyzerTest.cs
@@ -23,6 +23,7 @@ protected override IEnumerable<DiagnosticAnalyzer> GetDiagnosticAnalyzers(string
             MetadataReference.CreateFromFile(typeof(Microsoft.Practices.EnterpriseLibrary.Data.Sql.SqlDatabase).Assembly.Location),
             MetadataReference.CreateFromFile(typeof(Microsoft.EntityFrameworkCore.DbContext).Assembly.Location),
             MetadataReference.CreateFromFile(typeof(Microsoft.EntityFrameworkCore.RelationalQueryableExtensions).Assembly.Location),
+            MetadataReference.CreateFromFile(typeof(System.Data.SQLite.SQLiteCommand).Assembly.Location)
         };
 
         protected override IEnumerable<MetadataReference> GetAdditionalReferences() => References;
@@ -240,6 +241,19 @@ End Namespace
         [DataRow("new SqlDatabase(\"connectionString\").ExecuteScalar(new SqlConnection(\"\").BeginTransaction(), input, parameters)", true, "SCS0036")]
         [DataRow("new SqlDatabase(\"connectionString\").ExecuteScalar(new SqlConnection(\"\").BeginTransaction(), \"select\", parameters)", false, null)]
 
+        [DataRow("new SQLiteCommand()",                                                                              false, null)]
+        [DataRow("new SQLiteCommand(new SQLiteConnection())",                                                        false, null)]
+        [DataRow("new SQLiteCommand(input)",                                                                         true,  "SCS0026")]
+        [DataRow("new SQLiteCommand(\"select\")",                                                                    false, null)]
+        [DataRow("new SQLiteCommand(input, new SQLiteConnection())",                                                 true,  "SCS0026")]
+        [DataRow("new SQLiteCommand(\"select\", new SQLiteConnection())",                                            false, null)]
+        [DataRow("new SQLiteCommand(input, new SQLiteConnection(), new SQLiteConnection().BeginTransaction())",      true,  "SCS0026")]
+        [DataRow("new SQLiteCommand(\"select\", new SQLiteConnection(), new SQLiteConnection().BeginTransaction())", false, null)]
+        [DataRow("SQLiteCommand.Execute(input, SQLiteExecuteType.Reader, CommandBehavior.Default, null)",            true,  "SCS0026")]
+        [DataRow("SQLiteCommand.Execute(\"select\", SQLiteExecuteType.Reader, CommandBehavior.Default, null)",       false, null)]
+        [DataRow("SQLiteCommand.Execute(input, SQLiteExecuteType.Reader, null)",                                     true,  "SCS0026")]
+        [DataRow("SQLiteCommand.Execute(\"select\", SQLiteExecuteType.Reader, null)",                                false, null)]
+
         // Tests below are covered by SCS0026
         [DataRow("new SqlDataAdapter(new SqlCommand(input))", true, "SCS0026")]
         [DataRow("new SqlDatabase(\"connectionString\").ExecuteDataSet(new SqlCommand(input))", true, "SCS0026")]
@@ -264,6 +278,7 @@ public async Task SqlInjection(string sink, bool warn, string warningId)
     using System.Data.Entity;
     using System.Threading;
     using Microsoft.Practices.EnterpriseLibrary.Data.Sql;
+    using System.Data.SQLite;
 #pragma warning restore 8019
 
 namespace sample
@@ -293,6 +308,7 @@ Imports System.Web.UI.WebControls
     Imports System.Data.Entity
     Imports System.Threading
     Imports Microsoft.Practices.EnterpriseLibrary.Data.Sql
+    Imports System.Data.SQLite
 #Enable Warning BC50001
 
 Namespace sample
@@ -329,7 +345,7 @@ End Namespace
         public async Task SqlInjectionEntityFrameworkCore(string sink, bool warn)
         {
             var cSharpTest = $@"
-    using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore;
 
 namespace sample
 {{
@@ -354,7 +370,7 @@ public static void Run(string input, params object[] parameters)
                        .Replace("<Object>", "(Of Object)");
 
             var visualBasicTest = $@"
-    Imports Microsoft.EntityFrameworkCore
+Imports Microsoft.EntityFrameworkCore
 
 Namespace sample
     Public Class SampleContext

diff --git a/SecurityCodeScan.Test/packages.config b/SecurityCodeScan.Test/packages.config
@@ -76,6 +76,7 @@
   <package id="System.Collections.Concurrent" version="4.3.0" targetFramework="net452" />
   <package id="System.Collections.Immutable" version="1.3.0" targetFramework="net452" />
   <package id="System.ComponentModel" version="4.3.0" targetFramework="net452" />
+  <package id="System.Data.SQLite.Core" version="1.0.109.2" targetFramework="net452" />
   <package id="System.Diagnostics.Contracts" version="4.3.0" targetFramework="net452" />
   <package id="System.Diagnostics.Debug" version="4.3.0" targetFramework="net452" />
   <package id="System.Diagnostics.DiagnosticSource" version="4.3.1" targetFramework="net452" />

diff --git a/SecurityCodeScan/Config/Main.yml b/SecurityCodeScan/Config/Main.yml
@@ -408,6 +408,51 @@ Sinks:
 
 # SQL Injection
 
+ # System.Data.SQLite
+
+  SystemDataSQLite_Execute:
+    Namespace: System.Data.SQLite
+    ClassName: SQLiteCommand
+    Member: method
+    Name: Execute
+    InjectableArguments: [0]
+    Locale: SCS0026
+
+  SystemDataSQLite_sqlcommand_constructor1:
+    Namespace: System.Data.SQLite
+    ClassName: SQLiteCommand
+    Member: method
+    Name: .ctor
+    ArgTypes: (System.String, System.Data.SQLite.SQLiteConnection, System.Data.SQLite.SQLiteTransaction)
+    InjectableArguments: [0]
+    Locale: SCS0026
+
+  SystemDataSQLite_sqlcommand_constructor2:
+    Namespace: System.Data.SQLite
+    ClassName: SQLiteCommand
+    Member: method
+    Name: .ctor
+    ArgTypes: (System.String, System.Data.SQLite.SQLiteConnection)
+    InjectableArguments: [0]
+    Locale: SCS0026
+
+  SystemDataSQLite_sqlcommand_constructor3:
+    Namespace: System.Data.SQLite
+    ClassName: SQLiteCommand
+    Member: method
+    Name: .ctor
+    ArgTypes: (System.String)
+    InjectableArguments: [0]
+    Locale: SCS0026
+
+  SystemDataSQLite_sqlcommand_field:
+    Namespace: System.Data.SQLite
+    ClassName: SQLiteCommand
+    Member: field
+    Name: CommandText
+    InjectableField: true
+    Locale: SCS0026
+
  # System.Data
 
   SqlDataAdapter_constructor_1: