Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Commit 3bc035f

Browse files
lcarteylcartey
committed
C#: Reformat ZipSlip module.
Reformat the ZipSlip module to adhere to the "QL Style Guide".
1 parent 80e4815 commit 3bc035f

1 file changed

Lines changed: 33 additions & 25 deletions

File tree

  • csharp/ql/src/semmle/code/csharp/security/dataflow

csharp/ql/src/semmle/code/csharp/security/dataflow/ZipSlip.qll

Lines changed: 33 additions & 25 deletions
Original file line numberDiff line numberDiff line change
@@ -6,47 +6,51 @@ import csharp
66
module ZipSlip {
77
// access to full name of the archive item
88
Expr archiveFullName(PropertyAccess pa) {
9-
pa.getTarget().getDeclaringType().hasQualifiedName("System.IO.Compression.ZipArchiveEntry")
10-
and pa.getTarget().getName() = "FullName"
11-
and result = pa
9+
pa.getTarget().getDeclaringType().hasQualifiedName("System.IO.Compression.ZipArchiveEntry") and
10+
pa.getTarget().getName() = "FullName" and
11+
result = pa
1212
}
1313

1414
// argument to extract to file extension method
1515
Expr compressionExtractToFileArgument(MethodCall mc) {
16-
mc.getTarget().hasQualifiedName("System.IO.Compression.ZipFileExtensions", "ExtractToFile")
17-
and result = mc.getArgumentForName("destinationFileName")
16+
mc.getTarget().hasQualifiedName("System.IO.Compression.ZipFileExtensions", "ExtractToFile") and
17+
result = mc.getArgumentForName("destinationFileName")
1818
}
1919

2020
// File Stream created from tainted file name through File.Open/File.Create
2121
Expr fileOpenArgument(MethodCall mc) {
22-
(mc.getTarget().hasQualifiedName("System.IO.File", "Open") or
23-
mc.getTarget().hasQualifiedName("System.IO.File", "OpenWrite") or
24-
mc.getTarget().hasQualifiedName("System.IO.File", "Create"))
25-
and result = mc.getArgumentForName("path")
22+
(
23+
mc.getTarget().hasQualifiedName("System.IO.File", "Open") or
24+
mc.getTarget().hasQualifiedName("System.IO.File", "OpenWrite") or
25+
mc.getTarget().hasQualifiedName("System.IO.File", "Create")
26+
) and
27+
result = mc.getArgumentForName("path")
2628
}
2729

2830
// File Stream created from tainted file name passed directly to the constructor
2931
Expr streamConstructorArgument(ObjectCreation oc) {
30-
oc.getTarget().getDeclaringType().hasQualifiedName("System.IO.FileStream")
31-
and result = oc.getArgumentForName("path")
32+
oc.getTarget().getDeclaringType().hasQualifiedName("System.IO.FileStream") and
33+
result = oc.getArgumentForName("path")
3234
}
3335

3436
// constructor to FileInfo can take tainted file name and subsequently be used to open file stream
3537
Expr fileInfoConstructorArgument(ObjectCreation oc) {
36-
oc.getTarget().getDeclaringType().hasQualifiedName("System.IO.FileInfo")
37-
and result = oc.getArgumentForName("fileName")
38+
oc.getTarget().getDeclaringType().hasQualifiedName("System.IO.FileInfo") and
39+
result = oc.getArgumentForName("fileName")
3840
}
3941
// extracting just file name, not the full path
4042
Expr fileNameExtraction(MethodCall mc) {
41-
mc.getTarget().hasQualifiedName("System.IO.Path", "GetFileName")
42-
and result = mc.getAnArgument()
43+
mc.getTarget().hasQualifiedName("System.IO.Path", "GetFileName") and
44+
result = mc.getAnArgument()
4345
}
4446

4547
// Checks the string for relative path, or checks the destination folder for whitelisted/target path, etc.
4648
Expr stringCheck(MethodCall mc) {
47-
(mc.getTarget().hasQualifiedName("System.String", "StartsWith") or
48-
mc.getTarget().hasQualifiedName("System.String", "Substring"))
49-
and result = mc.getQualifier()
49+
(
50+
mc.getTarget().hasQualifiedName("System.String", "StartsWith") or
51+
mc.getTarget().hasQualifiedName("System.String", "Substring")
52+
) and
53+
result = mc.getQualifier()
5054
}
5155

5256
// Taint tracking configuration for ZipSlip
@@ -57,23 +61,27 @@ module ZipSlip {
5761

5862
override predicate isSource(DataFlow::Node source) {
5963
exists(PropertyAccess pa |
60-
source.asExpr() = archiveFullName(pa))
64+
source.asExpr() = archiveFullName(pa)
65+
)
6166
}
6267

6368
override predicate isSink(DataFlow::Node sink) {
6469
exists(MethodCall mc |
65-
sink.asExpr() = compressionExtractToFileArgument(mc) or
66-
sink.asExpr() = fileOpenArgument(mc))
70+
sink.asExpr() = compressionExtractToFileArgument(mc) or
71+
sink.asExpr() = fileOpenArgument(mc)
72+
)
6773
or
6874
exists(ObjectCreation oc |
69-
sink.asExpr() = streamConstructorArgument(oc) or
70-
sink.asExpr() = fileInfoConstructorArgument(oc))
75+
sink.asExpr() = streamConstructorArgument(oc) or
76+
sink.asExpr() = fileInfoConstructorArgument(oc)
77+
)
7178
}
7279

7380
override predicate isSanitizer(DataFlow::Node node) {
7481
exists(MethodCall mc |
75-
node.asExpr() = fileNameExtraction(mc) or
76-
node.asExpr() = stringCheck(mc))
82+
node.asExpr() = fileNameExtraction(mc) or
83+
node.asExpr() = stringCheck(mc)
84+
)
7785
}
7886
}
7987
}

0 commit comments

Comments
 (0)