deprecated module;

import csharp

module RequestForgery {

import semmle.code.csharp.controlflow.Guards

import semmle.code.csharp.frameworks.System

import semmle.code.csharp.frameworks.system.Web

import semmle.code.csharp.frameworks.Format

import semmle.code.csharp.security.dataflow.flowsources.FlowSources

/**

* A data flow source for server side request forgery vulnerabilities.

*/

abstract private class Source extends DataFlow::Node { }

/**

* A data flow sink for server side request forgery vulnerabilities.

*/

abstract private class Sink extends DataFlow::ExprNode { }

/**

* A data flow Barrier that blocks the flow of taint for

* server side request forgery vulnerabilities.

*/

abstract private class Barrier extends DataFlow::Node { }

/**

* A data flow configuration for detecting server side request forgery vulnerabilities.

*/

private module RequestForgeryFlowConfig implements DataFlow::ConfigSig {

predicate isSource(DataFlow::Node source) { source instanceof Source }

predicate isSink(DataFlow::Node sink) { sink instanceof Sink }

predicate isAdditionalFlowStep(DataFlow::Node prev, DataFlow::Node succ) {

interpolatedStringFlowStep(prev, succ)

or

stringReplaceStep(prev, succ)

or

uriCreationStep(prev, succ)

or

formatConvertStep(prev, succ)

or

toStringStep(prev, succ)

or

stringConcatStep(prev, succ)

or

stringFormatStep(prev, succ)

or

pathCombineStep(prev, succ)

}

predicate isBarrier(DataFlow::Node node) { node instanceof Barrier }

}

/**

* A data flow module for detecting server side request forgery vulnerabilities.

*/

module RequestForgeryFlow = DataFlow::Global<RequestForgeryFlowConfig>;

/**

* A dataflow source for Server Side Request Forgery(SSRF) Vulnerabilities.

*/

private class ThreatModelSource extends Source instanceof ActiveThreatModelSource { }

/**

* An url argument to a `HttpRequestMessage` constructor call

* taken as a sink for Server Side Request Forgery(SSRF) Vulnerabilities.

*/

private class SystemWebHttpRequestMessageSink extends Sink {

SystemWebHttpRequestMessageSink() {

exists(Class c | c.hasFullyQualifiedName("System.Net.Http", "HttpRequestMessage") |

c.getAConstructor().getACall().getArgument(1) = this.asExpr()

)

}

}

/**

* An argument to a `WebRequest.Create` call taken as a

* sink for Server Side Request Forgery(SSRF) Vulnerabilities. *

*/

private class SystemNetWebRequestCreateSink extends Sink {

SystemNetWebRequestCreateSink() {

exists(Method m |

m.getDeclaringType().hasFullyQualifiedName("System.Net", "WebRequest") and

m.hasName("Create")

|

m.getACall().getArgument(0) = this.asExpr()

)

}

}

/**

* An argument to a new HTTP Request call of a `System.Net.Http.HttpClient` object

* taken as a sink for Server Side Request Forgery(SSRF) Vulnerabilities.

*/

private class SystemNetHttpClientSink extends Sink {

SystemNetHttpClientSink() {

exists(Method m |

m.getDeclaringType().hasFullyQualifiedName("System.Net.Http", "HttpClient") and

m.hasName([

"DeleteAsync", "GetAsync", "GetByteArrayAsync", "GetStreamAsync", "GetStringAsync",

"PatchAsync", "PostAsync", "PutAsync"

])

|

m.getACall().getArgument(0) = this.asExpr()

)

}

}

/**

* An url argument to a method call of a `System.Net.WebClient` object

* taken as a sink for Server Side Request Forgery(SSRF) Vulnerabilities.

*/

private class SystemNetClientBaseAddressSink extends Sink {

SystemNetClientBaseAddressSink() {

exists(Property p, Type t |

p.hasName("BaseAddress") and

t = p.getDeclaringType() and

(

t.hasFullyQualifiedName("System.Net", "WebClient") or

t.hasFullyQualifiedName("System.Net.Http", "HttpClient")

)

|

p.getAnAssignedValue() = this.asExpr()

)

}

}

/**

* A method call which checks the base of the tainted uri is assumed

* to be a guard for Server Side Request Forgery(SSRF) Vulnerabilities.

* This guard considers all checks as valid.

*/

private predicate baseUriGuard(Guard g, Expr e, GuardValue v) {

g.(MethodCall).getTarget().hasFullyQualifiedName("System", "Uri", "IsBaseOf") and

// we consider any checks against the tainted value to sainitize the taint.

// This implies any check such as shown below block the taint flow.

// Uri url = new Uri("whitelist.com")

// if (url.isBaseOf(`taint1))

(e = g.(MethodCall).getArgument(0) or e = g.(MethodCall).getQualifier()) and

v.asBooleanValue() = true

}

private class BaseUriBarrier extends Barrier {

BaseUriBarrier() { this = DataFlow::BarrierGuard<baseUriGuard/3>::getABarrierNode() }

}

/**

* A method call which checks if the Uri starts with a white-listed string is assumed

* to be a guard for Server Side Request Forgery(SSRF) Vulnerabilities.

* This guard considers all checks as valid.

*/

private predicate stringStartsWithGuard(Guard g, Expr e, GuardValue v) {

g.(MethodCall).getTarget().hasFullyQualifiedName("System", "String", "StartsWith") and

// Any check such as the ones shown below

// "https://myurl.com/".startsWith(`taint`)

// `taint`.startsWith("https://myurl.com/")

// are assumed to sainitize the taint

(e = g.(MethodCall).getQualifier() or g.(MethodCall).getArgument(0) = e) and

v.asBooleanValue() = true

}

private class StringStartsWithBarrier extends Barrier {

StringStartsWithBarrier() {

this = DataFlow::BarrierGuard<stringStartsWithGuard/3>::getABarrierNode()

}

}

private predicate stringFormatStep(DataFlow::Node prev, DataFlow::Node succ) {

exists(FormatCall c | c.getArgument(0) = prev.asExpr() and c = succ.asExpr())

}

private predicate pathCombineStep(DataFlow::Node prev, DataFlow::Node succ) {

exists(MethodCall combineCall |

combineCall.getTarget().hasFullyQualifiedName("System.IO", "Path", "Combine") and

combineCall.getArgument(0) = prev.asExpr() and

combineCall = succ.asExpr()

)

}

private predicate uriCreationStep(DataFlow::Node prev, DataFlow::Node succ) {

exists(ObjectCreation oc |

oc.getTarget().getDeclaringType().hasFullyQualifiedName("System", "Uri") and

oc.getArgument(0) = prev.asExpr() and

oc = succ.asExpr()

)

}

private predicate interpolatedStringFlowStep(DataFlow::Node prev, DataFlow::Node succ) {

exists(InterpolatedStringExpr i |

// allow `$"http://{`taint`}/blabla/");"` or

// allow `$"https://{`taint`}/blabla/");"`

i.getText(0).getValue().matches(["http://", "http://"]) and

i.getInsert(1) = prev.asExpr() and

succ.asExpr() = i

or

// allow `$"{`taint`}/blabla/");"`

i.getInsert(0) = prev.asExpr() and

succ.asExpr() = i

)

}

private predicate stringReplaceStep(DataFlow::Node prev, DataFlow::Node succ) {

exists(MethodCall mc, SystemStringClass s |

mc = s.getReplaceMethod().getACall() and

mc.getQualifier() = prev.asExpr() and

succ.asExpr() = mc

)

}

private predicate stringConcatStep(DataFlow::Node prev, DataFlow::Node succ) {

exists(AddOperation a |

a.getLeftOperand() = prev.asExpr()

or

a.getRightOperand() = prev.asExpr() and

a.getLeftOperand().(StringLiteral).getValue() = ["http://", "https://"]

|

a = succ.asExpr()

)

}

private predicate formatConvertStep(DataFlow::Node prev, DataFlow::Node succ) {

exists(Method m |

m.hasFullyQualifiedName("System", "Convert",

["FromBase64String", "FromHexString", "FromBase64CharArray"]) and

m.getParameter(0) = prev.asParameter() and

succ.asExpr() = m.getACall()

)

}

private predicate toStringStep(DataFlow::Node prev, DataFlow::Node succ) {

exists(MethodCall ma |

ma.getTarget().hasName("ToString") and

ma.getQualifier() = prev.asExpr() and

succ.asExpr() = ma

)

}

}