Merge pull request github#5308 from tamasvajk/feature/flow-sources-sinks

tamasvajk · web-flow · commit a7030c7fed48 · 2021-04-23T16:36:16.000+02:00
C#: Add Console.Read* to local flow sources
diff --git a/csharp/change-notes/2021-04-22-console-read-local-source.md b/csharp/change-notes/2021-04-22-console-read-local-source.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* `System.Console.Read` methods have been added as data flow sources of local user input.
diff --git a/csharp/ql/src/semmle/code/csharp/security/dataflow/flowsources/Local.qll b/csharp/ql/src/semmle/code/csharp/security/dataflow/flowsources/Local.qll
@@ -20,3 +20,15 @@ class TextFieldSource extends LocalUserInputSource {
 
   override string getSourceType() { result = "TextBox text" }
 }
+
+/** A call to any `System.Console.Read*` method. */
+class SystemConsoleReadSource extends LocalUserInputSource {
+  SystemConsoleReadSource() {
+    this.asExpr() =
+      any(MethodCall call |
+        call.getTarget().hasQualifiedName("System.Console", ["ReadLine", "Read", "ReadKey"])
+      )
+  }
+
+  override string getSourceType() { result = "System.Console input" }
+}
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-134/ConsoleUncontrolledFormatString.cs b/csharp/ql/test/query-tests/Security Features/CWE-134/ConsoleUncontrolledFormatString.cs
@@ -0,0 +1,13 @@
+using System;
+using System;
+
+public class Program
+{
+    public static void Main()
+    {
+        var format = Console.ReadLine();
+
+        // BAD: Uncontrolled format string.
+        var x = string.Format(format, 1, 2);
+    }
+}
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-134/UncontrolledFormatString.expected b/csharp/ql/test/query-tests/Security Features/CWE-134/UncontrolledFormatString.expected
@@ -1,15 +1,19 @@
 edges
+| ConsoleUncontrolledFormatString.cs:8:22:8:39 | call to method ReadLine : String | ConsoleUncontrolledFormatString.cs:11:31:11:36 | access to local variable format |
 | UncontrolledFormatString.cs:11:23:11:45 | access to property QueryString : NameValueCollection | UncontrolledFormatString.cs:14:23:14:26 | access to local variable path |
 | UncontrolledFormatString.cs:11:23:11:45 | access to property QueryString : NameValueCollection | UncontrolledFormatString.cs:17:46:17:49 | access to local variable path |
 | UncontrolledFormatStringBad.cs:9:25:9:47 | access to property QueryString : NameValueCollection | UncontrolledFormatStringBad.cs:12:39:12:44 | access to local variable format |
 nodes
+| ConsoleUncontrolledFormatString.cs:8:22:8:39 | call to method ReadLine : String | semmle.label | call to method ReadLine : String |
+| ConsoleUncontrolledFormatString.cs:11:31:11:36 | access to local variable format | semmle.label | access to local variable format |
 | UncontrolledFormatString.cs:11:23:11:45 | access to property QueryString : NameValueCollection | semmle.label | access to property QueryString : NameValueCollection |
 | UncontrolledFormatString.cs:14:23:14:26 | access to local variable path | semmle.label | access to local variable path |
 | UncontrolledFormatString.cs:17:46:17:49 | access to local variable path | semmle.label | access to local variable path |
 | UncontrolledFormatString.cs:34:23:34:31 | access to property Text | semmle.label | access to property Text |
 | UncontrolledFormatStringBad.cs:9:25:9:47 | access to property QueryString : NameValueCollection | semmle.label | access to property QueryString : NameValueCollection |
 | UncontrolledFormatStringBad.cs:12:39:12:44 | access to local variable format | semmle.label | access to local variable format |
 #select
+| ConsoleUncontrolledFormatString.cs:11:31:11:36 | access to local variable format | ConsoleUncontrolledFormatString.cs:8:22:8:39 | call to method ReadLine : String | ConsoleUncontrolledFormatString.cs:11:31:11:36 | access to local variable format | $@ flows to here and is used as a format string. | ConsoleUncontrolledFormatString.cs:8:22:8:39 | call to method ReadLine | call to method ReadLine |
 | UncontrolledFormatString.cs:14:23:14:26 | access to local variable path | UncontrolledFormatString.cs:11:23:11:45 | access to property QueryString : NameValueCollection | UncontrolledFormatString.cs:14:23:14:26 | access to local variable path | $@ flows to here and is used as a format string. | UncontrolledFormatString.cs:11:23:11:45 | access to property QueryString | access to property QueryString |
 | UncontrolledFormatString.cs:17:46:17:49 | access to local variable path | UncontrolledFormatString.cs:11:23:11:45 | access to property QueryString : NameValueCollection | UncontrolledFormatString.cs:17:46:17:49 | access to local variable path | $@ flows to here and is used as a format string. | UncontrolledFormatString.cs:11:23:11:45 | access to property QueryString | access to property QueryString |
 | UncontrolledFormatString.cs:34:23:34:31 | access to property Text | UncontrolledFormatString.cs:34:23:34:31 | access to property Text | UncontrolledFormatString.cs:34:23:34:31 | access to property Text | $@ flows to here and is used as a format string. | UncontrolledFormatString.cs:34:23:34:31 | access to property Text | access to property Text |

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+lgtm,codescanning`
	`2`	+* `System.Console.Read` methods have been added as data flow sources of local user input.