C#: Migrate System.Web.HttpResponse sinks to CSV

tamasvajk · tamasvajk · commit a9ccd65fa979 · 2021-06-28T11:20:32.000+02:00
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/ExternalFlow.qll b/csharp/ql/src/semmle/code/csharp/dataflow/ExternalFlow.qll
@@ -85,6 +85,7 @@ private import internal.FlowSummaryImplSpecific
  */
 private module Frameworks {
   private import semmle.code.csharp.security.dataflow.flowsources.Local
+  private import semmle.code.csharp.security.dataflow.flowsinks.Html
 }
 
 /**
diff --git a/csharp/ql/src/semmle/code/csharp/security/dataflow/flowsinks/Html.qll b/csharp/ql/src/semmle/code/csharp/security/dataflow/flowsinks/Html.qll
@@ -13,6 +13,7 @@ private import semmle.code.csharp.frameworks.system.web.UI
 private import semmle.code.csharp.frameworks.system.web.ui.WebControls
 private import semmle.code.csharp.frameworks.system.windows.Forms
 private import semmle.code.csharp.security.dataflow.flowsources.Remote
+private import semmle.code.csharp.dataflow.ExternalFlow
 private import semmle.code.asp.AspNet
 
 /**
@@ -21,21 +22,23 @@ private import semmle.code.asp.AspNet
  */
 abstract class HtmlSink extends DataFlow::ExprNode, RemoteFlowSink { }
 
+private class ExternalHtmlSink extends HtmlSink {
+  ExternalHtmlSink() { sinkNode(this, "html") }
+}
+
 /**
  * An expression that is used as an argument to an HTML sink method on
  * `HttpResponse`.
  */
-class HttpResponseSink extends HtmlSink {
-  HttpResponseSink() {
-    exists(Method m, SystemWebHttpResponseClass responseClass |
-      m = responseClass.getAWriteMethod() or
-      m = responseClass.getAWriteFileMethod() or
-      m = responseClass.getATransmitFileMethod() or
-      m = responseClass.getABinaryWriteMethod()
-    |
-      // Calls to these methods, or overrides of them
-      this.getExpr() = m.getAnOverrider*().getParameter(0).getAnAssignedArgument()
-    )
+private class HttpResponseSinkModelCsv extends SinkModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "System.Web;HttpResponse;false;Write;;;Argument[0];html",
+        "System.Web;HttpResponse;false;WriteFile;;;Argument[0];html",
+        "System.Web;HttpResponse;false;TransmitFile;;;Argument[0];html",
+        "System.Web;HttpResponse;false;BinaryWrite;;;Argument[0];html"
+      ]
   }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -85,6 +85,7 @@ private import internal.FlowSummaryImplSpecific`
`85`	`85`	`*/`
`86`	`86`	`private module Frameworks {`
`87`	`87`	`private import semmle.code.csharp.security.dataflow.flowsources.Local`
	`88`	`+ private import semmle.code.csharp.security.dataflow.flowsinks.Html`
`88`	`89`	`}`
`89`	`90`
`90`	`91`	`/**`