Merge pull request #2211 from hvitved/csharp/unsafe-deserialization

semmle-qlci · web-flow · commit 2b120def01ff · 2019-11-07T14:16:13.000Z
Approved by jf205
diff --git a/change-notes/1.23/analysis-csharp.md b/change-notes/1.23/analysis-csharp.md
@@ -9,7 +9,9 @@ The following changes in version 1.23 affect C# analysis in all applications.
 | **Query**                   | **Tags**  | **Purpose**                                                        |
 |-----------------------------|-----------|--------------------------------------------------------------------|
 | Deserialized delegate (`cs/deserialized-delegate`) | security, external/cwe/cwe-502 | Finds unsafe deserialization of delegate types. |
+| Deserialization of untrusted data (`cs/unsafe-deserialization-untrusted-input`) | security, external/cwe/cwe-502 | Finds flow of untrusted input to calls to unsafe deserializers. |
 | Unsafe year argument for 'DateTime' constructor (`cs/unsafe-year-construction`) | reliability, date-time | Finds incorrect manipulation of `DateTime` values, which could lead to invalid dates. |
+| Unsafe deserializer (`cs/unsafe-deserialization`) | security, external/cwe/cwe-502 | Finds calls to unsafe deserializers. |
 | Mishandling the Japanese era start date (`cs/mishandling-japanese-era`) | reliability, date-time | Finds hard-coded Japanese era start dates that could be invalid. |
 
 ## Changes to existing queries
diff --git a/csharp/ql/src/Security Features/CWE-502/UnsafeDeserialization.qhelp b/csharp/ql/src/Security Features/CWE-502/UnsafeDeserialization.qhelp
@@ -5,7 +5,7 @@
 <overview>
 
 <p>Deserializing an object from untrusted input may result in security problems, such
-as denial-of-service or remote code execution.</p>
+as denial of service or remote code execution.</p>
 
 </overview>
 <recommendation>
diff --git a/csharp/ql/src/Security Features/CWE-502/UnsafeDeserialization.ql b/csharp/ql/src/Security Features/CWE-502/UnsafeDeserialization.ql
@@ -5,16 +5,13 @@
  * @kind problem
  * @id cs/unsafe-deserialization
  * @problem.severity warning
+ * @precision low
  * @tags security
  *       external/cwe/cwe-502
  */
 
-/*
- * consider: @precision low
- */
-
 import csharp
-import UnsafeDeserialization::UnsafeDeserialization
+import semmle.code.csharp.security.dataflow.UnsafeDeserialization::UnsafeDeserialization
 
 from Call deserializeCall, Sink sink
 where deserializeCall.getAnArgument() = sink.asExpr()
diff --git a/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.qhelp b/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.qhelp
@@ -5,7 +5,7 @@
 <overview>
 
 <p>Deserializing an object from untrusted input may result in security problems, such
-as denial-of-service or remote code execution.</p>
+as denial of service or remote code execution.</p>
 
 </overview>
 <recommendation>
diff --git a/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql b/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql
@@ -5,16 +5,13 @@
  * @kind path-problem
  * @id cs/unsafe-deserialization-untrusted-input
  * @problem.severity error
+ * @precision high
  * @tags security
  *       external/cwe/cwe-502
  */
 
-/*
- * consider: @precision high
- */
-
 import csharp
-import UnsafeDeserialization::UnsafeDeserialization
+import semmle.code.csharp.security.dataflow.UnsafeDeserialization::UnsafeDeserialization
 import DataFlow::PathGraph
 
 from TaintTrackingConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
diff --git a/csharp/ql/src/semmle/code/csharp/security/dataflow/UnsafeDeserialization.qll b/csharp/ql/src/semmle/code/csharp/security/dataflow/UnsafeDeserialization.qll
@@ -6,7 +6,6 @@
 import csharp
 
 module UnsafeDeserialization {
-  private import semmle.code.csharp.dataflow.flowsources.Remote
   private import semmle.code.csharp.dataflow.flowsources.Remote
   private import semmle.code.csharp.serialization.Deserializers
 
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserialization/ExtractorOptions.cs b/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserialization/ExtractorOptions.cs
@@ -1 +1 @@
-// semmle-extractor-options: /r:System.Runtime.Extensions.dll /r:System.IO.FileSystem.dll
+// semmle-extractor-options: /r:System.Runtime.Extensions.dll /r:System.IO.FileSystem.dll /r:System.Collections.Specialized.dll ${testdir}/../../../../resources/stubs/System.Web.cs
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserialization/SystemWebStub.cs b/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserialization/SystemWebStub.cs
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserializationUntrustedInput/ExtractorOptions.cs b/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserializationUntrustedInput/ExtractorOptions.cs
@@ -1 +1 @@
-// semmle-extractor-options: /r:System.Runtime.Extensions.dll /r:System.IO.FileSystem.dll
+// semmle-extractor-options: /r:System.Runtime.Extensions.dll /r:System.IO.FileSystem.dll /r:System.Collections.Specialized.dll ${testdir}/../../../../resources/stubs/System.Web.cs
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserializationUntrustedInput/SystemWebStub.cs b/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserializationUntrustedInput/SystemWebStub.cs
diff --git a/csharp/ql/test/resources/stubs/System.Web.cs b/csharp/ql/test/resources/stubs/System.Web.cs
@@ -346,3 +346,25 @@ public static class AntiForgery
         public static void Validate() { }
     }
 }
+
+namespace System.Web.Script.Serialization
+{
+    // Generated from `System.Web.Script.Serialization.JavaScriptSerializer` in `System.Web.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35`
+    public class JavaScriptSerializer
+    {
+        public JavaScriptSerializer() => throw null;
+        public JavaScriptSerializer(System.Web.Script.Serialization.JavaScriptTypeResolver resolver) => throw null;
+        public object DeserializeObject(string input) => throw null;
+    }
+
+    // Generated from `System.Web.Script.Serialization.JavaScriptTypeResolver` in `System.Web.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35`
+    abstract public class JavaScriptTypeResolver
+    {
+    }
+
+    // Generated from `System.Web.Script.Serialization.SimpleTypeResolver` in `System.Web.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35`
+    public class SimpleTypeResolver : System.Web.Script.Serialization.JavaScriptTypeResolver
+    {
+        public SimpleTypeResolver() => throw null;
+    }
+}

Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-// semmle-extractor-options: /r:System.Runtime.Extensions.dll /r:System.IO.FileSystem.dll`
	`1`	`+// semmle-extractor-options: /r:System.Runtime.Extensions.dll /r:System.IO.FileSystem.dll /r:System.Collections.Specialized.dll ${testdir}/../../../../resources/stubs/System.Web.cs`