Skip to content

C#: Adds check for Server Side Template Injection vulnerabilities in RazorEngine #4313

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open

C#: Adds check for Server Side Template Injection vulnerabilities in RazorEngine #4313

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
2a34559
Adds check for Server Side Template Injection vulnerabilities in MVC …
cldrn Sep 22, 2020
b0dd573
Fixes method name
cldrn Sep 22, 2020
b36b07c
Extends possible sources
cldrn Sep 22, 2020
859079f
Updates sources to accept both POST requests and MVC methods
cldrn Oct 1, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
71 changes: 71 additions & 0 deletions csharp/ql/src/experimental/CWE-095/razor_parse.ql
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,71 @@
/**
* @name Server-Side Template Injection in RazorEngine
* @description User-controlled data may be evaluated, leading to arbitrary code execution.
* @kind path-problem
* @problem.severity error
* @precision high
* @id csharp/razor-injection
* @tags security
*/

import csharp
import semmle.code.csharp.dataflow.TaintTracking
import DataFlow::PathGraph

/*
* The offending method is Parse from RazorEngine.Razor.
*/

class RazorEngineClass extends Class {
RazorEngineClass() { this.hasQualifiedName("RazorEngine.Razor") }

Method getIsValidMethod() {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why is this called getIsValidMethod and not e.g. get(A)ParseMethod?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Correct. Old function name. Changed it to getParseMethod()

result.getDeclaringType() = this and
result.hasName("Parse")
}
}

/*
* We are only interested in ASP.NET MVC Controller classes
*/

class ControllerMVC extends Class {
ControllerMVC() { this.hasQualifiedName("System.Web.Mvc", "Controller") }
Copy link
Contributor

@denislevin denislevin Sep 22, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

New ASP.NET Core MVC has a different namespace. It's possible that this query can cover new MVC if you import codeql/csharp/ql/src/semmle/code/csharp/frameworks/microsoft/AspNetCore.qll and include the new namespace controller ('this.hasQualifiedName("Microsoft.AspNetCore.Mvc", "Controller")' or 'this instanceof MicrosoftAspNetCoreMvcController' )

Also, there could be custom controllers derived from ControllerBase. Consider defining namespace separately from the controller (see codeql/csharp/ql/src/semmle/code/csharp/frameworks/microsoft/AspNetCore.qll ):
class MicrosoftAspNetCoreMvcControllerBaseClass extends Class { MicrosoftAspNetCoreMvcControllerBaseClass() { getNamespace() = any(MicrosoftAspNetCoreMvcNamespace h) and (hasName("Controller") or hasName("ControllerBase")) } }

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for pointing this out. I've added the support for both the new namespace and ControllerBase classes.

}

/*
* We filter by the ActionResult. I think this might not be needed.
*/

class ActionResultCall extends Call {
ActionResultCall() {
this.getEnclosingCallable().getAnnotatedReturnType().toString() = "ActionResult"
}
}

/*
* TaintTracking configuration that will track any public method in MVC controllers that takes arguments that are parsed later by RazorEngine.Parse.
*/

class RazorEngineInjection extends TaintTracking::Configuration {
RazorEngineInjection() { this = "RazorEngineInjection" }

override predicate isSource(DataFlow::Node source) {
exists(ActionResultCall ar |
ar.getEnclosingCallable().getDeclaringType().getABaseType() instanceof ControllerMVC and
source.asParameter() = ar.getEnclosingCallable().getAParameter()
)
}

override predicate isSink(DataFlow::Node sink) {
exists(RazorEngineClass rec, MethodCall mc |
mc.getQualifiedDeclaration() = rec.getIsValidMethod() and
sink.asExpr() = mc.getArgument(0)
)
}
}

from RazorEngineInjection cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlowPath(source, sink)
select sink, source, sink,
"Server-Side Template Injection in RazorEngine leads to Remote Code Execution"
19 changes: 19 additions & 0 deletions csharp/ql/src/experimental/CWE-095/razor_parse.qlhelp
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>This rule finds public <code>ActualResults</code> methods that have user controlled parameters that could contain malicious code that
is parsed by <code>RazorEngine.Parse()</code> leading to a Server-Side Template Injection vulnerability.

</overview>
<recommendation>
<p>Do not use the class RazorEngine. If not possible, do not parse user input into the template.</p>

</recommendation>
<references>
<li><a href="https://docs.microsoft.com/en-us/dotnet/api/system.web.razor.parser.razorparser.parse?view=aspnet-webpages-3.2">RazorParser</a>.</li>
<li><a href="https://clement.notin.org/blog/2020/04/15/Server-Side-Template-Injection-(SSTI)-in-ASP.NET-Razor/">RazorEngine Injection ASP.NET</a>.</li>

</references>
</qhelp>