Address code review findings

tamasvajk · tamasvajk · commit 24670160c255 · 2020-12-04T13:26:53.000+01:00
diff --git a/csharp/ql/src/Security Features/CWE-020/ExternalAPIsUsedWithUntrustedData.ql b/csharp/ql/src/Security Features/CWE-020/ExternalAPIsUsedWithUntrustedData.ql
@@ -10,7 +10,6 @@
 
 import csharp
 import semmle.code.csharp.security.dataflow.ExternalAPIs
-import semmle.code.csharp.dataflow.DataFlow
 
 from ExternalAPIUsedWithUntrustedData externalAPI
 select externalAPI, count(externalAPI.getUntrustedDataNode()) as numberOfUses,
diff --git a/csharp/ql/src/semmle/code/csharp/security/dataflow/ExternalAPIs.qll b/csharp/ql/src/semmle/code/csharp/security/dataflow/ExternalAPIs.qll
@@ -7,12 +7,17 @@ import csharp
 import semmle.code.csharp.dataflow.flowsources.Remote
 import semmle.code.csharp.dataflow.TaintTracking
 import semmle.code.csharp.frameworks.System
+import semmle.code.csharp.dataflow.FlowSummary
 
 /**
- * A `Callable` that is considered a "safe" external API from a security perspective.
+ * A callable that is considered a "safe" external API from a security perspective.
  */
 abstract class SafeExternalAPICallable extends Callable { }
 
+private class SummarizedCallableSafe extends SafeExternalAPICallable {
+  SummarizedCallableSafe() { this instanceof SummarizedCallable }
+}
+
 /** The default set of "safe" external APIs. */
 private class DefaultSafeExternalAPICallable extends SafeExternalAPICallable {
   DefaultSafeExternalAPICallable() {
@@ -53,13 +58,11 @@ class ExternalAPIDataNode extends DataFlow::Node {
       m.overridesOrImplementsOrEquals(call.getTarget().getSourceDeclaration()) and
       m.fromSource()
     ) and
-    // Not already modeled as a taint step
-    not exists(DataFlow::Node next | TaintTracking::localTaintStep(this, next)) and
     // Not a call to a known safe external API
     not call.getTarget().getSourceDeclaration() instanceof SafeExternalAPICallable
   }
 
-  /** Gets the called API `Callable`. */
+  /** Gets the called API callable. */
   Callable getCallable() { result = call.getTarget().getSourceDeclaration() }
 
   /** Gets the index which is passed untrusted data (where -1 indicates the qualifier). */
@@ -80,12 +83,12 @@ class UntrustedDataToExternalAPIConfig extends TaintTracking::Configuration {
 
 /** A node representing untrusted data being passed to an external API. */
 class UntrustedExternalAPIDataNode extends ExternalAPIDataNode {
-  UntrustedExternalAPIDataNode() { any(UntrustedDataToExternalAPIConfig c).hasFlow(_, this) }
+  private UntrustedDataToExternalAPIConfig c;
+
+  UntrustedExternalAPIDataNode() { c.hasFlow(_, this) }
 
   /** Gets a source of untrusted data which is passed to this external API data node. */
-  DataFlow::Node getAnUntrustedSource() {
-    any(UntrustedDataToExternalAPIConfig c).hasFlow(result, this)
-  }
+  DataFlow::Node getAnUntrustedSource() { c.hasFlow(result, this) }
 }
 
 private newtype TExternalAPI =
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-020/ExternalAPIsUsedWithUntrustedData.expected b/csharp/ql/test/query-tests/Security Features/CWE-020/ExternalAPIsUsedWithUntrustedData.expected
@@ -1,2 +1,3 @@
+| System.Collections.Specialized.NameValueCollection.get_Item(string) [qualifier] | 1 | 1 |
 | System.Web.HttpRequest.get_QueryString() [qualifier] | 1 | 1 |
 | System.Web.HttpResponse.Write(string) [param 0] | 1 | 1 |
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-020/UntrustedDataToExternalAPI.expected b/csharp/ql/test/query-tests/Security Features/CWE-020/UntrustedDataToExternalAPI.expected
@@ -2,8 +2,10 @@ edges
 | UntrustedData.cs:11:20:11:42 | access to property QueryString : NameValueCollection | UntrustedData.cs:12:28:12:31 | access to local variable name |
 nodes
 | UntrustedData.cs:11:20:11:30 | access to property Request | semmle.label | access to property Request |
+| UntrustedData.cs:11:20:11:42 | access to property QueryString | semmle.label | access to property QueryString |
 | UntrustedData.cs:11:20:11:42 | access to property QueryString : NameValueCollection | semmle.label | access to property QueryString : NameValueCollection |
 | UntrustedData.cs:12:28:12:31 | access to local variable name | semmle.label | access to local variable name |
 #select
 | UntrustedData.cs:11:20:11:30 | access to property Request | UntrustedData.cs:11:20:11:30 | access to property Request | UntrustedData.cs:11:20:11:30 | access to property Request | Call to System.Web.HttpRequest.get_QueryString with untrusted data from $@. | UntrustedData.cs:11:20:11:30 | access to property Request | access to property Request |
+| UntrustedData.cs:11:20:11:42 | access to property QueryString | UntrustedData.cs:11:20:11:42 | access to property QueryString | UntrustedData.cs:11:20:11:42 | access to property QueryString | Call to System.Collections.Specialized.NameValueCollection.get_Item with untrusted data from $@. | UntrustedData.cs:11:20:11:42 | access to property QueryString | access to property QueryString |
 | UntrustedData.cs:12:28:12:31 | access to local variable name | UntrustedData.cs:11:20:11:42 | access to property QueryString : NameValueCollection | UntrustedData.cs:12:28:12:31 | access to local variable name | Call to System.Web.HttpResponse.Write with untrusted data from $@. | UntrustedData.cs:11:20:11:42 | access to property QueryString : NameValueCollection | access to property QueryString : NameValueCollection |

Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,3 @@`
	`1`	`+\| System.Collections.Specialized.NameValueCollection.get_Item(string) [qualifier] \| 1 \| 1 \|`
`1`	`2`	`\| System.Web.HttpRequest.get_QueryString() [qualifier] \| 1 \| 1 \|`
`2`	`3`	`\| System.Web.HttpResponse.Write(string) [param 0] \| 1 \| 1 \|`