|
| 1 | +/** |
| 2 | + * Classes modelling EntityFramework and EntityFrameworkCore. |
| 3 | + */ |
| 4 | + |
| 5 | +import csharp |
| 6 | +private import semmle.code.csharp.frameworks.system.data.Entity |
| 7 | +private import semmle.code.csharp.frameworks.system.collections.Generic |
| 8 | +private import semmle.code.csharp.frameworks.Sql |
| 9 | +private import semmle.code.csharp.dataflow.LibraryTypeDataFlow |
| 10 | + |
| 11 | +module DataAnnotations { |
| 12 | + class NotMappedAttribute extends Attribute { |
| 13 | + NotMappedAttribute() { |
| 14 | + this |
| 15 | + .getType() |
| 16 | + .hasQualifiedName("System.ComponentModel.DataAnnotations.Schema.NotMappedAttribute") |
| 17 | + } |
| 18 | + } |
| 19 | +} |
| 20 | + |
| 21 | +module EntityFramework { |
| 22 | + /** An EF6 or EFCore namespace. */ |
| 23 | + class EFNamespace extends Namespace { |
| 24 | + EFNamespace() { |
| 25 | + this.getQualifiedName() = "Microsoft.EntityFrameworkCore" |
| 26 | + or |
| 27 | + this.getQualifiedName() = "System.Data.Entity" |
| 28 | + } |
| 29 | + } |
| 30 | + |
| 31 | + /** A taint source where the data has come from a mapped property stored in the database. */ |
| 32 | + class StoredFlowSource extends DataFlow::Node { |
| 33 | + StoredFlowSource() { |
| 34 | + this.asExpr() = any(PropertyRead read | read.getTarget() instanceof MappedProperty) |
| 35 | + } |
| 36 | + } |
| 37 | + |
| 38 | + private class EFClass extends Class { |
| 39 | + EFClass() { this.getDeclaringNamespace() instanceof EFNamespace } |
| 40 | + } |
| 41 | + |
| 42 | + /** The class `Microsoft.EntityFrameworkCore.DbContext` or `System.Data.Entity.DbContext`. */ |
| 43 | + class DbContext extends EFClass { |
| 44 | + DbContext() { this.getName() = "DbContext" } |
| 45 | + |
| 46 | + Method getAFindMethod() { |
| 47 | + result = this.getAMethod("Find") |
| 48 | + or |
| 49 | + result = this.getAMethod("FindAsync") |
| 50 | + } |
| 51 | + |
| 52 | + Method getAnUpdateMethod() { result = this.getAMethod("Update") } |
| 53 | + } |
| 54 | + |
| 55 | + /** The class `Microsoft.EntityFrameworkCore.DbSet<>` or `System.Data.Entity.DbSet<>`. */ |
| 56 | + class DbSet extends EFClass, UnboundGenericClass { DbSet() { this.getName() = "DbSet<>" } } |
| 57 | + |
| 58 | + /** The class `Microsoft.EntityFrameworkCore.DbQuery<>` or `System.Data.Entity.DbQuery<>`. */ |
| 59 | + class DbQuery extends EFClass, UnboundGenericClass { DbQuery() { this.hasName("DbQuery<>") } } |
| 60 | + |
| 61 | + /** A generic type or method that takes a mapped type as its type argument. */ |
| 62 | + private predicate usesMappedType(UnboundGeneric g) { |
| 63 | + g instanceof DbSet |
| 64 | + or |
| 65 | + g instanceof DbQuery |
| 66 | + or |
| 67 | + exists(DbContext db | |
| 68 | + g = db.getAnUpdateMethod() |
| 69 | + or |
| 70 | + g = db.getAFindMethod() |
| 71 | + ) |
| 72 | + } |
| 73 | + |
| 74 | + /** A type that is mapped to database table, or used as a query. */ |
| 75 | + class MappedType extends ValueOrRefType { |
| 76 | + MappedType() { |
| 77 | + not this instanceof ObjectType and |
| 78 | + not this instanceof StringType and |
| 79 | + not this instanceof ValueType and |
| 80 | + ( |
| 81 | + exists(UnboundGeneric g | usesMappedType(g) | |
| 82 | + this = g.getAConstructedGeneric().getATypeArgument() |
| 83 | + ) |
| 84 | + or |
| 85 | + this.getASubType() instanceof MappedType |
| 86 | + ) |
| 87 | + } |
| 88 | + } |
| 89 | + |
| 90 | + /** A property that is potentially stored and retrieved from a database. */ |
| 91 | + class MappedProperty extends Property { |
| 92 | + MappedProperty() { |
| 93 | + this = any(MappedType t).getAMember() and |
| 94 | + this.isPublic() and |
| 95 | + not this.getAnAttribute() instanceof DataAnnotations::NotMappedAttribute |
| 96 | + } |
| 97 | + } |
| 98 | + |
| 99 | + /** The struct `Microsoft.EntityFrameworkCore.RawSqlString`. */ |
| 100 | + class RawSqlStringStruct extends Struct, LibraryTypeDataFlow { |
| 101 | + RawSqlStringStruct() { this.getQualifiedName() = "Microsoft.EntityFrameworkCore.RawSqlString" } |
| 102 | + |
| 103 | + override predicate callableFlow( |
| 104 | + CallableFlowSource source, CallableFlowSink sink, SourceDeclarationCallable c, |
| 105 | + boolean preservesValue |
| 106 | + ) { |
| 107 | + c = this.getAConstructor() and |
| 108 | + source.(CallableFlowSourceArg).getArgumentIndex() = 0 and |
| 109 | + sink instanceof CallableFlowSinkReturn and |
| 110 | + preservesValue = true |
| 111 | + or |
| 112 | + c = this.getAConversionTo() and |
| 113 | + source.(CallableFlowSourceArg).getArgumentIndex() = 0 and |
| 114 | + sink instanceof CallableFlowSinkReturn and |
| 115 | + preservesValue = true |
| 116 | + } |
| 117 | + |
| 118 | + ConversionOperator getAConversionTo() { |
| 119 | + result = this.getAMember() and |
| 120 | + result.getTargetType() instanceof RawSqlStringStruct and |
| 121 | + result.getSourceType() instanceof StringType |
| 122 | + } |
| 123 | + } |
| 124 | + |
| 125 | + /** |
| 126 | + * A parameter that accepts raw SQL. Parameters of type `System.FormattableString` |
| 127 | + * are not included as they are not vulnerable to SQL injection. |
| 128 | + */ |
| 129 | + private class SqlParameter extends Parameter { |
| 130 | + SqlParameter() { |
| 131 | + this.getType() instanceof StringType and |
| 132 | + ( |
| 133 | + exists(Callable c | this = c.getParameter(0) | c.getName().matches("%Sql")) |
| 134 | + or |
| 135 | + this.getName() = "sql" |
| 136 | + ) and |
| 137 | + this.getCallable().getDeclaringType().getDeclaringNamespace().getParentNamespace*() instanceof |
| 138 | + EFNamespace |
| 139 | + or |
| 140 | + this.getType() instanceof RawSqlStringStruct |
| 141 | + or |
| 142 | + this = any(RawSqlStringStruct s).getAConstructor().getAParameter() |
| 143 | + or |
| 144 | + this = any(RawSqlStringStruct s).getAConversionTo().getAParameter() |
| 145 | + } |
| 146 | + } |
| 147 | + |
| 148 | + /** A call to a method in EntityFrameworkCore that executes SQL. */ |
| 149 | + class EntityFrameworkCoreSqlSink extends SqlExpr, Call { |
| 150 | + SqlParameter sqlParam; |
| 151 | + |
| 152 | + EntityFrameworkCoreSqlSink() { this.getTarget().getAParameter() = sqlParam } |
| 153 | + |
| 154 | + override Expr getSql() { result = this.getArgumentForParameter(sqlParam) } |
| 155 | + } |
| 156 | + |
| 157 | + /** A call to `System.Data.Entity.DbSet.SqlQuery`. */ |
| 158 | + class SystemDataEntityDbSetSqlExpr extends SqlExpr, MethodCall { |
| 159 | + SystemDataEntityDbSetSqlExpr() { |
| 160 | + this.getTarget() = any(SystemDataEntity::DbSet dbSet).getSqlQueryMethod() |
| 161 | + } |
| 162 | + |
| 163 | + override Expr getSql() { result = this.getArgumentForName("sql") } |
| 164 | + } |
| 165 | + |
| 166 | + /** A call to a method in `System.Data.Entity.Database` that executes SQL. */ |
| 167 | + class SystemDataEntityDatabaseSqlExpr extends SqlExpr, MethodCall { |
| 168 | + SystemDataEntityDatabaseSqlExpr() { |
| 169 | + exists(SystemDataEntity::Database db | |
| 170 | + this.getTarget() = db.getSqlQueryMethod() or |
| 171 | + this.getTarget() = db.getExecuteSqlCommandMethod() or |
| 172 | + this.getTarget() = db.getExecuteSqlCommandAsyncMethod() |
| 173 | + ) |
| 174 | + } |
| 175 | + |
| 176 | + override Expr getSql() { result = this.getArgumentForName("sql") } |
| 177 | + } |
| 178 | + |
| 179 | + /** |
| 180 | + * A dataflow node whereby data flows from a property write to a property read |
| 181 | + * via some database. The assumption is that all writes can flow to all reads. |
| 182 | + */ |
| 183 | + class MappedPropertyJumpNode extends DataFlow::NonLocalJumpNode { |
| 184 | + MappedProperty property; |
| 185 | + |
| 186 | + MappedPropertyJumpNode() { this.asExpr() = property.getAnAssignedValue() } |
| 187 | + |
| 188 | + override DataFlow::Node getAJumpSuccessor() { |
| 189 | + result.asExpr().(PropertyRead).getTarget() = property |
| 190 | + } |
| 191 | + } |
| 192 | +} |
0 commit comments