

Commit 392eac5

committed
Refactor source node classes to use SourceNode superclass
Refactor the existing flowsource classes to use the `SourceNode` class to specify which threat model they support.
1 parent d29df68 commit 392eac5

3 files changed

Lines changed: 23 additions & 8 deletions


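--- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/Local.qll
+++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/Local.qll
@@ -5,11 +5,14 @@
 import csharp
 private import semmle.code.csharp.frameworks.system.windows.Forms
 private import semmle.code.csharp.dataflow.internal.ExternalFlow
+private import semmle.code.csharp.security.dataflow.flowsources.SourceNode
 
 /** A data flow source of local data. */
-abstract class LocalFlowSource extends DataFlow::Node {
+abstract class LocalFlowSource extends SourceNode {
 /** Gets a string that describes the type of this local flow source. */
 abstract string getSourceType();
+
+override string getThreatModel() { result = "local" }
 }
 
 private class ExternalLocalFlowSource extends LocalFlowSource {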

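--- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/Remote.qll
+++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/Remote.qll
@@ -13,11 +13,14 @@ private import semmle.code.csharp.frameworks.WCF
 private import semmle.code.csharp.frameworks.microsoft.Owin
 private import semmle.code.csharp.frameworks.microsoft.AspNetCore
 private import semmle.code.csharp.dataflow.internal.ExternalFlow
+private import semmle.code.csharp.security.dataflow.flowsources.SourceNode
 
 /** A data flow source of remote user input. */
-abstract class RemoteFlowSource extends DataFlow::Node {
+abstract class RemoteFlowSource extends SourceNode {
 /** Gets a string that describes the type of this remote flow source. */
 abstract string getSourceType();
+
+override string getThreatModel() { result = "remote" }
 }
 
 /**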

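--- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/Stored.qll
+++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/Stored.qll
@@ -9,15 +9,22 @@ private import semmle.code.csharp.frameworks.system.data.Entity
 private import semmle.code.csharp.frameworks.EntityFramework
 private import semmle.code.csharp.frameworks.NHibernate
 private import semmle.code.csharp.frameworks.Sql
+private import semmle.code.csharp.security.dataflow.flowsources.SourceNode
 
 /** A data flow source of stored user input. */
-abstract class StoredFlowSource extends DataFlow::Node { }
+abstract class StoredFlowSource extends SourceNode {
+override string getThreatModel() { result = "local" }
+}
+
+abstract class DatabaseInputSource extends StoredFlowSource {
+override string getThreatModel() { result = "database" }
+}
 
 /**
 * An expression that has a type of `DbRawSqlQuery`, representing the result of an Entity Framework
 * SqlQuery.
 */
-class DbRawSqlStoredFlowSource extends StoredFlowSource {
+class DbRawSqlStoredFlowSource extends DatabaseInputSource {
 DbRawSqlStoredFlowSource() {
 this.asExpr().getType() instanceof SystemDataEntityInfrastructure::DbRawSqlQuery
 }
@@ -27,30 +34,30 @@ class DbRawSqlStoredFlowSource extends StoredFlowSource {
 * An expression that has a type of `DbDataReader` or a sub-class, representing the result of a
 * data command.
 */
-class DbDataReaderStoredFlowSource extends StoredFlowSource {
+class DbDataReaderStoredFlowSource extends DatabaseInputSource {
 DbDataReaderStoredFlowSource() {
 this.asExpr().getType() = any(SystemDataCommon::DbDataReader dataReader).getASubType*()
 }
 }
 
 /** An expression that accesses a method of `DbDataReader` or a sub-class. */
-class DbDataReaderMethodStoredFlowSource extends StoredFlowSource {
+class DbDataReaderMethodStoredFlowSource extends DatabaseInputSource {
 DbDataReaderMethodStoredFlowSource() {
 this.asExpr().(MethodCall).getTarget().getDeclaringType() =
 any(SystemDataCommon::DbDataReader dataReader).getASubType*()
 }
 }
 
 /** An expression that accesses a property of `DbDataReader` or a sub-class. */
-class DbDataReaderPropertyStoredFlowSource extends StoredFlowSource {
+class DbDataReaderPropertyStoredFlowSource extends DatabaseInputSource {
 DbDataReaderPropertyStoredFlowSource() {
 this.asExpr().(PropertyAccess).getTarget().getDeclaringType() =
 any(SystemDataCommon::DbDataReader dataReader).getASubType*()
 }
 }
 
 /** A read of a mapped property. */
-class ORMMappedProperty extends StoredFlowSource {
+class ORMMappedProperty extends DatabaseInputSource {
 ORMMappedProperty() {
 this instanceof EntityFramework::StoredFlowSource or
 this instanceof NHibernate::StoredFlowSource
@@ -60,4 +67,6 @@ class ORMMappedProperty extends StoredFlowSource {
 /** A file stream source is considered a stored flow source. */
 class FileStreamStoredFlowSource extends StoredFlowSource {
 FileStreamStoredFlowSource() { sourceNode(this, "file") }
+
+override string getThreatModel() { result = "file" }
 }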
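Review bot: In the first hunk `StoredFlowSource.getThreatModel()` defaults to `"local"`, so any class that extends `StoredFlowSource` directly without overriding it is labelled as a local source, and nothing on the predicate says that this is the intended fallback. If queries consuming stored sources are filtered by threat model (not visible in this commit), a source carrying an unintended label would drop out of the results without any warning, so the default should be documented where it is declared, e.g. `/** Gets the threat model for this source; stored sources are "local" unless a subclass overrides this. */`. The new public class `DatabaseInputSource` is also introduced without QLDoc, unlike every other class in the file; I would add `/** A data flow source of input read from a database. */` above it.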
