C#: Add MarkupString as an HtmlSink

tamasvajk · tamasvajk · commit 67ab0df30b8b · 2024-09-03T16:10:14.000+02:00
diff --git a/csharp/ql/integration-tests/all-platforms/blazor/htmlSinks.expected b/csharp/ql/integration-tests/all-platforms/blazor/htmlSinks.expected
@@ -0,0 +1,8 @@
+| BlazorTest/Components/MyOutput.razor:5:53:5:57 | access to property Value |
+| BlazorTest/Components/Pages/TestPage.razor:11:48:11:55 | access to property UrlParam |
+| BlazorTest/Components/Pages/TestPage.razor:20:60:20:69 | access to property QueryParam |
+| BlazorTest/Components/Pages/TestPage.razor:29:53:29:63 | access to property InputValue1 |
+| BlazorTest/Components/Pages/TestPage.razor:38:53:38:63 | access to property InputValue2 |
+| BlazorTest/Components/Pages/TestPage.razor:47:53:47:68 | access to property Value |
+| BlazorTest/Components/Pages/TestPage.razor:56:53:56:63 | access to property InputValue3 |
+| BlazorTest/Components/Pages/TestPage.razor:65:53:65:63 | access to property InputValue4 |
diff --git a/csharp/ql/lib/semmle/code/csharp/frameworks/microsoft/Blazor.qll b/csharp/ql/lib/semmle/code/csharp/frameworks/microsoft/Blazor.qll
@@ -0,0 +1,31 @@
+/** Provides definitions related to the namespace `Microsoft.AspNetCore.Components`. */
+
+import csharp
+private import AspNetCore
+
+/** The `Microsoft.AspNetCore.Components` namespace. */
+class MicrosoftAspNetCoreComponents extends Namespace {
+  MicrosoftAspNetCoreComponents() {
+    this.getParentNamespace() instanceof MicrosoftAspNetCoreNamespace and
+    this.hasName("Components")
+  }
+}
+
+/** A struct in the `Microsoft.AspNetCore.Components` namespace. */
+class MicrosoftAspNetCoreComponentsStruct extends Struct {
+  MicrosoftAspNetCoreComponentsStruct() {
+    this.getNamespace() instanceof MicrosoftAspNetCoreComponents
+  }
+}
+
+/** The `Microsoft.AspNetCore.Components.MarkupString` struct. */
+class MicrosoftAspNetCoreComponentsMarkupStringStruct extends MicrosoftAspNetCoreComponentsStruct {
+  MicrosoftAspNetCoreComponentsMarkupStringStruct() { this.hasName("MarkupString") }
+
+  /** Gets the explicit conversion operator from `string` to `StringStruct`. */
+  ExplicitConversionOperator getOpExplicit() {
+    result.getDeclaringType() instanceof MicrosoftAspNetCoreComponentsMarkupStringStruct and
+    result.getReturnType() instanceof MicrosoftAspNetCoreComponentsMarkupStringStruct and
+    result.getParameter(0).getType() instanceof StringType
+  }
+}
diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsinks/Html.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsinks/Html.qll
@@ -5,6 +5,7 @@
 import csharp
 private import Remote
 private import semmle.code.csharp.frameworks.microsoft.AspNetCore
+private import semmle.code.csharp.frameworks.microsoft.Blazor
 private import semmle.code.csharp.frameworks.system.Net
 private import semmle.code.csharp.frameworks.system.Web
 private import semmle.code.csharp.frameworks.system.web.Mvc
@@ -139,6 +140,23 @@ class HtmlString extends HtmlSink {
   }
 }
 
+/**
+ * An expression passed to the constructor of a `MarkupString` or converted to a `MarkupString`.
+ */
+class MarkupStringSink extends HtmlSink {
+  MarkupStringSink() {
+    exists(ObjectCreation oc |
+      oc.getObjectType() instanceof MicrosoftAspNetCoreComponentsMarkupStringStruct and
+      oc.getAnArgument() = this.getExpr()
+    )
+    or
+    exists(OperatorCall oc |
+      oc.getTarget() = any(MicrosoftAspNetCoreComponentsMarkupStringStruct s).getOpExplicit() and
+      oc.getArgument(0) = this.getExpr()
+    )
+  }
+}
+
 /**
  * An expression that is used as an argument to `Page.WriteLiteral`, typically in
  * a `.cshtml` file.
