WIP: handle binding on InputText

tamasvajk · tamasvajk · commit 7433e8e0ca77 · 2024-09-05T16:05:23.000+02:00
diff --git a/csharp/ql/integration-tests/all-platforms/blazor/XSS.expected b/csharp/ql/integration-tests/all-platforms/blazor/XSS.expected
@@ -1,8 +1,13 @@
 edges
+| BlazorTest/Components/Pages/TestPage.razor:27:29:27:39 | access to property InputValue1 : String | BlazorTest/Components/Pages/TestPage.razor:27:29:27:39 | access to property InputValue1 : String | provenance |  |
+| BlazorTest/Components/Pages/TestPage.razor:27:29:27:39 | access to property InputValue1 : String | BlazorTest/Components/Pages/TestPage.razor:29:53:29:63 | access to property InputValue1 | provenance |  Sink:MaD:142 |
 nodes
 | BlazorTest/Components/Pages/TestPage.razor:11:48:11:55 | access to property UrlParam | semmle.label | access to property UrlParam |
 | BlazorTest/Components/Pages/TestPage.razor:20:60:20:69 | access to property QueryParam | semmle.label | access to property QueryParam |
+| BlazorTest/Components/Pages/TestPage.razor:27:29:27:39 | access to property InputValue1 : String | semmle.label | access to property InputValue1 : String |
+| BlazorTest/Components/Pages/TestPage.razor:29:53:29:63 | access to property InputValue1 | semmle.label | access to property InputValue1 |
 subpaths
 #select
 | BlazorTest/Components/Pages/TestPage.razor:11:48:11:55 | access to property UrlParam | BlazorTest/Components/Pages/TestPage.razor:11:48:11:55 | access to property UrlParam | BlazorTest/Components/Pages/TestPage.razor:11:48:11:55 | access to property UrlParam | $@ flows to here and is written to HTML or JavaScript. | BlazorTest/Components/Pages/TestPage.razor:11:48:11:55 | access to property UrlParam | User-provided value |
 | BlazorTest/Components/Pages/TestPage.razor:20:60:20:69 | access to property QueryParam | BlazorTest/Components/Pages/TestPage.razor:20:60:20:69 | access to property QueryParam | BlazorTest/Components/Pages/TestPage.razor:20:60:20:69 | access to property QueryParam | $@ flows to here and is written to HTML or JavaScript. | BlazorTest/Components/Pages/TestPage.razor:20:60:20:69 | access to property QueryParam | User-provided value |
+| BlazorTest/Components/Pages/TestPage.razor:29:53:29:63 | access to property InputValue1 | BlazorTest/Components/Pages/TestPage.razor:27:29:27:39 | access to property InputValue1 : String | BlazorTest/Components/Pages/TestPage.razor:29:53:29:63 | access to property InputValue1 | $@ flows to here and is written to HTML or JavaScript. | BlazorTest/Components/Pages/TestPage.razor:27:29:27:39 | access to property InputValue1 : String | User-provided value |
diff --git a/csharp/ql/integration-tests/all-platforms/blazor/remoteFlowSource.expected b/csharp/ql/integration-tests/all-platforms/blazor/remoteFlowSource.expected
@@ -2,3 +2,4 @@
 | BlazorTest/Components/Pages/TestPage.razor:11:48:11:55 | access to property UrlParam | ASP.NET Core component route parameter |
 | BlazorTest/Components/Pages/TestPage.razor:19:38:19:47 | access to property QueryParam | ASP.NET Core component query string |
 | BlazorTest/Components/Pages/TestPage.razor:20:60:20:69 | access to property QueryParam | ASP.NET Core component query string |
+| BlazorTest/Components/Pages/TestPage.razor:27:29:27:39 | access to property InputValue1 | ASP.NET Core `InputBase<>.Value`-bound property read |
diff --git a/csharp/ql/lib/ext/Microsoft.AspNetCore.Components.model.yml b/csharp/ql/lib/ext/Microsoft.AspNetCore.Components.model.yml
@@ -1,7 +1,17 @@
 extensions:
+  - addsTo:
+      pack: codeql/csharp-all
+      extensible: sourceModel
+    data: []
+
   - addsTo:
       pack: codeql/csharp-all
       extensible: sinkModel
     data:
       - ["Microsoft.AspNetCore.Components", "MarkupString", False, "MarkupString", "(System.String)", "", "Argument[0]", "html-injection", "manual"]
       - ["Microsoft.AspNetCore.Components", "MarkupString", False, "op_Explicit", "(System.String)", "", "Argument[0]", "html-injection", "manual"]
+
+  - addsTo:
+      pack: codeql/csharp-all
+      extensible: summaryModel
+    data: []
diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll
@@ -15,6 +15,7 @@ private import semmle.code.csharp.dispatch.Dispatch
 private import semmle.code.csharp.frameworks.EntityFramework
 private import semmle.code.csharp.frameworks.NHibernate
 private import semmle.code.csharp.frameworks.Razor
+private import semmle.code.csharp.frameworks.microsoft.Blazor
 private import semmle.code.csharp.frameworks.system.Collections
 private import semmle.code.csharp.frameworks.system.threading.Tasks
 private import semmle.code.csharp.internal.Location
diff --git a/csharp/ql/lib/semmle/code/csharp/frameworks/microsoft/Blazor.qll b/csharp/ql/lib/semmle/code/csharp/frameworks/microsoft/Blazor.qll
@@ -85,4 +85,151 @@ class Component extends Class {
       result.getAnAttribute().getType() instanceof ParameterAttributeClass
     )
   }
+
+  private predicate hasSubComponent(
+    MethodCall openCall, int openCallIndex, MethodCall closeCall, int closeCallIndex,
+    ValueOrRefType componentType, Callable enclosing
+  ) {
+    openCall.getEnclosingCallable+() = this.getAMethod("BuildRenderTree") and
+    openCall.getEnclosingCallable() = enclosing and
+    // TODO: there's another overload of OpenComponent
+    openCall = this.getRenderTreeBuilderCall(openCallIndex, "OpenComponent`1", enclosing) and
+    openCall.getTarget().(ConstructedGeneric).getTypeArgument(0) = componentType and
+    closeCall = this.getCloseComponentCall(closeCallIndex, enclosing) and
+    closeCallIndex > openCallIndex and
+    not exists(int k, MethodCall mc |
+      k in [openCallIndex + 1 .. closeCallIndex - 1] and
+      mc = this.getCloseComponentCall(k, enclosing)
+    )
+  }
+
+  predicate hasPropertySetOnSubComponent(
+    MethodCall addCall, ValueOrRefType componentType, Property p, Expr value
+  ) {
+    exists(
+      int i, int j, int k, MethodCall openCall, Callable enclosing, Expr cast, Expr typeCheckCall
+    |
+      this.hasSubComponent(openCall, i, _, j, componentType, enclosing) and
+      p = componentType.getABaseType*().getAProperty() and
+      // The below doesn't work for InputText:
+      // p.getAnAttribute().getType() instanceof ParameterAttributeClass and
+      k in [i + 1 .. j - 1] and
+      addCall = this.getRenderTreeBuilderCall(k, "AddComponentParameter", enclosing) and
+      p.getName() = addCall.getArgument(1).getValue() and
+      cast = addCall.getArgument(2) and
+      (
+        if cast.(CastExpr).getTargetType().hasFullyQualifiedName("System", "Object")
+        then typeCheckCall = cast.(CastExpr).getExpr()
+        else typeCheckCall = cast
+      ) and
+      (
+        if
+          typeCheckCall
+              .(MethodCall)
+              .getTarget()
+              .getUnboundDeclaration()
+              .hasFullyQualifiedName("Microsoft.AspNetCore.Components.CompilerServices.RuntimeHelpers",
+                "TypeCheck`1")
+        then value = typeCheckCall.(MethodCall).getArgument(0)
+        else value = typeCheckCall
+      )
+    )
+  }
+
+  private MethodCall getRenderTreeBuilderCall(int index, string name, Callable enclosing) {
+    result.getEnclosingCallable() = enclosing and
+    result.getParent().getIndex() = index and
+    result
+        .getTarget()
+        .getUnboundDeclaration()
+        .hasFullyQualifiedName("Microsoft.AspNetCore.Components.Rendering.RenderTreeBuilder", name)
+  }
+
+  private MethodCall getCloseComponentCall(int index, Callable enclosing) {
+    result = this.getRenderTreeBuilderCall(index, "CloseComponent", enclosing)
+  }
+}
+
+private AssignableMemberAccess getMemberAccessAssignedToInputValueProperty(
+  Component c, AssignableMember member
+) {
+  exists(ValueOrRefType componentType, Property componentProperty |
+    c.hasPropertySetOnSubComponent(_, componentType, componentProperty, result) and
+    componentType
+        .getBaseClass+()
+        .getUnboundDeclaration()
+        .hasFullyQualifiedName("Microsoft.AspNetCore.Components.Forms", "InputBase`1") and
+    componentProperty.hasName("Value") and
+    result.getTarget() = member and
+    member.getDeclaringType() = c and
+    result.hasThisQualifier()
+    // TODO: add support for Prop1.Prop2.Prop3 chains
+  )
+}
+
+module Sources {
+  private import semmle.code.csharp.security.dataflow.flowsources.Remote
+
+  /** A data flow source of remote user input (ASP.NET Core component query string). */
+  private class AspNetComponentQueryStringRemoteFlowSource extends AspNetRemoteFlowSource,
+    DataFlow::ExprNode
+  {
+    AspNetComponentQueryStringRemoteFlowSource() {
+      exists(Property p |
+        p = any(Component c).getACascadingParameterProperty() and
+        p.getAnAttribute().getType() instanceof SupplyParameterFromQueryAttributeClass and
+        this.getExpr() = p.getGetter().getACall()
+      )
+    }
+
+    override string getSourceType() { result = "ASP.NET Core component query string" }
+  }
+
+  /** A data flow source of remote user input (ASP.NET Core component route parameter). */
+  private class AspNetComponentRouteParameterRemoteFlowSource extends AspNetRemoteFlowSource,
+    DataFlow::ExprNode
+  {
+    AspNetComponentRouteParameterRemoteFlowSource() {
+      exists(Property p |
+        p = any(Component c).getARouteParameterProperty() and
+        this.getExpr() = p.getGetter().getACall()
+      )
+    }
+
+    override string getSourceType() { result = "ASP.NET Core component route parameter" }
+  }
+
+  private class AspNetComponentInputBaseValueFlowSource extends AspNetRemoteFlowSource,
+    DataFlow::ExprNode
+  {
+    AspNetComponentInputBaseValueFlowSource() {
+      this.getExpr() = getMemberAccessAssignedToInputValueProperty(_, _)
+    }
+
+    override string getSourceType() {
+      result = "ASP.NET Core `InputBase<>.Value`-bound property read"
+    }
+  }
+}
+
+// TODO: this is only true
+// - if there's no custom `ValueChanged` handler defined on the `InputText` component, such as `<InputText Value="@InputValue1" ValueChanged="HandleChange" />` or
+// - if `@bind-Value` is used on the component. In case of `<InputText Value="@InputValue1" />`, there's only one way binding.
+private class InputBaseValuePropertyJumpNode extends DataFlow::NonLocalJumpNode {
+  Component c;
+  AssignableMember member;
+
+  InputBaseValuePropertyJumpNode() {
+    this.asExpr() = getMemberAccessAssignedToInputValueProperty(c, member)
+  }
+
+  override DataFlow::Node getAJumpSuccessor(boolean preservesValue) {
+    preservesValue = true and
+    exists(MemberAccess access |
+      result.asExpr() = access and
+      access.getTarget() = member and
+      access.hasThisQualifier() and
+      access instanceof AssignableRead
+    )
+  }
 }
diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/Remote.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/Remote.qll
@@ -12,7 +12,6 @@ private import semmle.code.csharp.frameworks.system.web.ui.WebControls
 private import semmle.code.csharp.frameworks.WCF
 private import semmle.code.csharp.frameworks.microsoft.Owin
 private import semmle.code.csharp.frameworks.microsoft.AspNetCore
-private import semmle.code.csharp.frameworks.microsoft.Blazor
 private import semmle.code.csharp.dataflow.internal.ExternalFlow
 private import semmle.code.csharp.security.dataflow.flowsources.FlowSources
 
@@ -27,7 +26,8 @@ abstract class RemoteFlowSource extends SourceNode {
  * A module for importing frameworks that defines remote flow sources.
  */
 private module RemoteFlowSources {
-  private import semmle.code.csharp.frameworks.ServiceStack
+  private import semmle.code.csharp.frameworks.ServiceStack as ServiceStack
+  private import semmle.code.csharp.frameworks.microsoft.Blazor as Blazor
 }
 
 /** A data flow source of remote user input (ASP.NET). */
@@ -76,33 +76,6 @@ class AspNetQueryStringRemoteFlowSource extends AspNetRemoteFlowSource, DataFlow
   override string getSourceType() { result = "ASP.NET query string" }
 }
 
-/** A data flow source of remote user input (ASP.NET Core component query string). */
-class AspNetComponentQueryStringRemoteFlowSource extends AspNetRemoteFlowSource, DataFlow::ExprNode {
-  AspNetComponentQueryStringRemoteFlowSource() {
-    exists(Property p |
-      p = any(Component c).getACascadingParameterProperty() and
-      p.getAnAttribute().getType() instanceof SupplyParameterFromQueryAttributeClass and
-      this.getExpr() = p.getGetter().getACall()
-    )
-  }
-
-  override string getSourceType() { result = "ASP.NET Core component query string" }
-}
-
-/** A data flow source of remote user input (ASP.NET Core component route parameter). */
-class AspNetComponentRouteParameterRemoteFlowSource extends AspNetRemoteFlowSource,
-  DataFlow::ExprNode
-{
-  AspNetComponentRouteParameterRemoteFlowSource() {
-    exists(Property p |
-      p = any(Component c).getARouteParameterProperty() and
-      this.getExpr() = p.getGetter().getACall()
-    )
-  }
-
-  override string getSourceType() { result = "ASP.NET Core component route parameter" }
-}
-
 /** A data flow source of remote user input (ASP.NET unvalidated request data). */
 class AspNetUnvalidatedQueryStringRemoteFlowSource extends AspNetRemoteFlowSource,
   DataFlow::ExprNode
