

Commit b7d6165

committed
C#: Convert cs/web/xss to a path-problem
1 parent a1b4d09 commit b7d6165

4 files changed

Lines changed: 79 additions & 35 deletions


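--- a/csharp/ql/src/Security Features/CWE-079/XSS.ql
+++ b/csharp/ql/src/Security Features/CWE-079/XSS.ql
@@ -2,7 +2,7 @@
 * @name Cross-site scripting
 * @description Writing user input directly to a web page
 * allows for a cross-site scripting vulnerability.
-* @kind problem
+* @kind path-problem
 * @problem.severity error
 * @precision high
 * @id cs/web/xss
@@ -13,7 +13,8 @@
 
 import csharp
 import semmle.code.csharp.security.dataflow.XSS::XSS
+import PathGraph
 
 from XssNode source, XssNode sink, string message
 where xssFlow(source, sink, message)
-select sink, "$@ flows to here and " + message, source, "User-provided value"
+select sink, source, sink, "$@ flows to here and " + message, source, "User-provided value"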
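Review bot: The added `import PathGraph` (new line 16) appears to resolve to the `PathGraph` module nested in `XSS`, which the preceding `import semmle.code.csharp.security.dataflow.XSS::XSS` brings into scope, and not to the library `DataFlow::PathGraph` that the usual path-problem boilerplate imports; nothing on the line says which one is meant. A short comment would prevent a future maintainer from "fixing" it to the library module and silently breaking the `XssNode` columns of the select: `import PathGraph // XssNode-based path graph defined in XSS.qll, not DataFlow::PathGraph`. The new `select` on line 20 uses `sink` both as the result element and as the sink path node, which is consistent with `edges` being defined over `XssNode` rather than `DataFlow::PathNode`, and the same comment would make that pairing explicit.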

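--- a/csharp/ql/src/semmle/code/csharp/security/dataflow/XSS.qll
+++ b/csharp/ql/src/semmle/code/csharp/security/dataflow/XSS.qll
@@ -26,14 +26,16 @@ module XSS {
 */
 predicate xssFlow(XssNode source, XssNode sink, string message) {
 // standard taint-tracking
-exists(TaintTrackingConfiguration c, DataFlow::Node sourceNode, DataFlow::Node sinkNode |
+exists(
+TaintTrackingConfiguration c, DataFlow::PathNode sourceNode, DataFlow::PathNode sinkNode
+|
 sourceNode = source.asDataFlowNode() and
 sinkNode = sink.asDataFlowNode() and
-c.hasFlow(sourceNode, sinkNode) and
+c.hasFlowPath(sourceNode, sinkNode) and
 message = "is written to HTML or JavaScript" +
 any(string explanation |
-if exists(sinkNode.(Sink).explanation())
-then explanation = ": " + sinkNode.(Sink).explanation() + "."
+if exists(sinkNode.getNode().(Sink).explanation())
+then explanation = ": " + sinkNode.getNode().(Sink).explanation() + "."
 else explanation = "."
 )
 )
@@ -44,8 +46,20 @@ module XSS {
 message = "is a remote source accessed inline in an ASPX page."
 }
 
+module PathGraph {
+query predicate edges(XssNode pred, XssNode succ) {
+exists(DataFlow::PathNode a, DataFlow::PathNode b | DataFlow::PathGraph::edges(a, b) |
+pred.asDataFlowNode() = a and
+succ.asDataFlowNode() = b
+)
+or
+xssFlow(pred, succ, _) and
+pred instanceof XssAspNode
+}
+}
+
 private newtype TXssNode =
-TXssDataFlowNode(DataFlow::Node node) or
+TXssDataFlowNode(DataFlow::PathNode node) or
 TXssAspNode(AspInlineMember m)
 
 /**
@@ -61,20 +75,20 @@ module XSS {
 Location getLocation() { none() }
 
 /** Gets the data flow node corresponding to this node, if any. */
-DataFlow::Node asDataFlowNode() { result = this.(XssDataFlowNode).getDataFlowNode() }
+DataFlow::PathNode asDataFlowNode() { result = this.(XssDataFlowNode).getDataFlowNode() }
 
 /** Gets the ASP inline code element corresponding to this node, if any. */
 AspInlineMember asAspInlineMember() { result = this.(XssAspNode).getAspInlineMember() }
 }
 
 /** A data flow node, viewed as an XSS flow node. */
 class XssDataFlowNode extends TXssDataFlowNode, XssNode {
-DataFlow::Node node;
+DataFlow::PathNode node;
 
 XssDataFlowNode() { this = TXssDataFlowNode(node) }
 
 /** Gets the data flow node corresponding to this node. */
-DataFlow::Node getDataFlowNode() { result = node }
+DataFlow::PathNode getDataFlowNode() { result = node }
 
 override string toString() { result = node.toString() }
 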
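Review bot: The QLDoc above `asDataFlowNode` (new line 77) and `getDataFlowNode` (new line 90) still says "Gets the data flow node corresponding to this node", but both now return a `DataFlow::PathNode`, so the documentation no longer matches the signature; change them to `/** Gets the data flow path node corresponding to this node, if any. */` and `/** Gets the data flow path node corresponding to this node. */`, and consider the same wording on the class doc `/** A data flow node, viewed as an XSS flow node. */` (new line 84). The new `PathGraph` module and its `edges` query predicate (new lines 49-59 in the second hunk) carry no QLDoc at all, and the second disjunct `xssFlow(pred, succ, _) and pred instanceof XssAspNode` is not a flow step but, judging by the `script.aspx` rows in the updated expected output, a self-edge that keeps single-node inline-ASPX results visible in the path graph; that intent should be stated, e.g. `/** Provides the path graph over XssNode, for use with path-problem queries. */` on the module and `/** Holds if pred flows to succ in the XSS path graph; inline ASPX sources appear as a self-edge. */` on the predicate. The `XssNode` class header and the QLDoc that begins at new line 65 lie outside these hunks, as does the rest of the enclosing `module XSS`.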
Lines changed: 32 additions & 15 deletions
@@ -1,15 +1,32 @@
1-
| XSS.cs:26:32:26:51 | call to method ToString | $@ flows to here and is written to HTML or JavaScript. | XSS.cs:25:48:25:62 | access to field categoryTextBox | User-provided value |
2-
| XSS.cs:27:29:27:48 | call to method ToString | $@ flows to here and is written to HTML or JavaScript. | XSS.cs:25:48:25:62 | access to field categoryTextBox | User-provided value |
3-
| XSS.cs:28:26:28:45 | call to method ToString | $@ flows to here and is written to HTML or JavaScript. | XSS.cs:25:48:25:62 | access to field categoryTextBox | User-provided value |
4-
| XSS.cs:38:36:38:39 | access to local variable name | $@ flows to here and is written to HTML or JavaScript. | XSS.cs:37:27:37:53 | access to property QueryString | User-provided value |
5-
| XSS.cs:59:22:59:25 | access to local variable name | $@ flows to here and is written to HTML or JavaScript. | XSS.cs:57:27:57:65 | access to property QueryString | User-provided value |
6-
| XSS.cs:69:13:69:49 | access to property OutputStream | $@ flows to here and is written to HTML or JavaScript. | XSS.cs:65:27:65:65 | access to property QueryString | User-provided value |
7-
| XSS.cs:76:36:76:39 | access to local variable name | $@ flows to here and is written to HTML or JavaScript. | XSS.cs:75:27:75:53 | access to property QueryString | User-provided value |
8-
| XSS.cs:79:36:79:40 | access to local variable name2 | $@ flows to here and is written to HTML or JavaScript. | XSS.cs:78:28:78:42 | access to property Request | User-provided value |
9-
| XSS.cs:86:28:86:31 | access to local variable name | $@ flows to here and is written to HTML or JavaScript. | XSS.cs:85:27:85:53 | access to property QueryString | User-provided value |
10-
| XSS.cs:87:31:87:34 | access to local variable name | $@ flows to here and is written to HTML or JavaScript. | XSS.cs:85:27:85:53 | access to property QueryString | User-provided value |
11-
| XSS.cs:95:31:95:34 | access to local variable name | $@ flows to here and is written to HTML or JavaScript. | XSS.cs:94:27:94:53 | access to property QueryString | User-provided value |
12-
| XSS.cs:134:20:134:33 | access to property RawUrl | $@ flows to here and is written to HTML or JavaScript. | XSS.cs:134:20:134:33 | access to property RawUrl | User-provided value |
13-
| script.aspx:12:1:12:14 | <%= ... %> | $@ flows to here and is a remote source accessed inline in an ASPX page. | script.aspx:12:1:12:14 | <%= ... %> | User-provided value |
14-
| script.aspx:16:1:16:34 | <%= ... %> | $@ flows to here and is a remote source accessed inline in an ASPX page. | script.aspx:16:1:16:34 | <%= ... %> | User-provided value |
15-
| script.aspx:20:1:20:41 | <%= ... %> | $@ flows to here and is a remote source accessed inline in an ASPX page. | script.aspx:20:1:20:41 | <%= ... %> | User-provided value |
1+
edges
2+
| XSS.cs:25:48:25:62 | access to field categoryTextBox | XSS.cs:26:32:26:51 | call to method ToString |
3+
| XSS.cs:25:48:25:62 | access to field categoryTextBox | XSS.cs:27:29:27:48 | call to method ToString |
4+
| XSS.cs:25:48:25:62 | access to field categoryTextBox | XSS.cs:28:26:28:45 | call to method ToString |
5+
| XSS.cs:37:27:37:53 | access to property QueryString | XSS.cs:38:36:38:39 | access to local variable name |
6+
| XSS.cs:57:27:57:65 | access to property QueryString | XSS.cs:59:22:59:25 | access to local variable name |
7+
| XSS.cs:65:27:65:65 | access to property QueryString | XSS.cs:69:13:69:49 | access to property OutputStream |
8+
| XSS.cs:75:27:75:53 | access to property QueryString | XSS.cs:76:36:76:39 | access to local variable name |
9+
| XSS.cs:78:28:78:42 | access to property Request | XSS.cs:79:36:79:40 | access to local variable name2 |
10+
| XSS.cs:85:27:85:53 | access to property QueryString | XSS.cs:86:28:86:31 | access to local variable name |
11+
| XSS.cs:85:27:85:53 | access to property QueryString | XSS.cs:87:31:87:34 | access to local variable name |
12+
| XSS.cs:94:27:94:53 | access to property QueryString | XSS.cs:95:31:95:34 | access to local variable name |
13+
| XSS.cs:134:20:134:33 | access to property RawUrl | XSS.cs:134:20:134:33 | access to property RawUrl |
14+
| script.aspx:12:1:12:14 | <%= ... %> | script.aspx:12:1:12:14 | <%= ... %> |
15+
| script.aspx:16:1:16:34 | <%= ... %> | script.aspx:16:1:16:34 | <%= ... %> |
16+
| script.aspx:20:1:20:41 | <%= ... %> | script.aspx:20:1:20:41 | <%= ... %> |
17+
#select
18+
| XSS.cs:26:32:26:51 | call to method ToString | XSS.cs:25:48:25:62 | access to field categoryTextBox | XSS.cs:26:32:26:51 | call to method ToString | $@ flows to here and is written to HTML or JavaScript. | XSS.cs:25:48:25:62 | access to field categoryTextBox | User-provided value |
19+
| XSS.cs:27:29:27:48 | call to method ToString | XSS.cs:25:48:25:62 | access to field categoryTextBox | XSS.cs:27:29:27:48 | call to method ToString | $@ flows to here and is written to HTML or JavaScript. | XSS.cs:25:48:25:62 | access to field categoryTextBox | User-provided value |
20+
| XSS.cs:28:26:28:45 | call to method ToString | XSS.cs:25:48:25:62 | access to field categoryTextBox | XSS.cs:28:26:28:45 | call to method ToString | $@ flows to here and is written to HTML or JavaScript. | XSS.cs:25:48:25:62 | access to field categoryTextBox | User-provided value |
21+
| XSS.cs:38:36:38:39 | access to local variable name | XSS.cs:37:27:37:53 | access to property QueryString | XSS.cs:38:36:38:39 | access to local variable name | $@ flows to here and is written to HTML or JavaScript. | XSS.cs:37:27:37:53 | access to property QueryString | User-provided value |
22+
| XSS.cs:59:22:59:25 | access to local variable name | XSS.cs:57:27:57:65 | access to property QueryString | XSS.cs:59:22:59:25 | access to local variable name | $@ flows to here and is written to HTML or JavaScript. | XSS.cs:57:27:57:65 | access to property QueryString | User-provided value |
23+
| XSS.cs:69:13:69:49 | access to property OutputStream | XSS.cs:65:27:65:65 | access to property QueryString | XSS.cs:69:13:69:49 | access to property OutputStream | $@ flows to here and is written to HTML or JavaScript. | XSS.cs:65:27:65:65 | access to property QueryString | User-provided value |
24+
| XSS.cs:76:36:76:39 | access to local variable name | XSS.cs:75:27:75:53 | access to property QueryString | XSS.cs:76:36:76:39 | access to local variable name | $@ flows to here and is written to HTML or JavaScript. | XSS.cs:75:27:75:53 | access to property QueryString | User-provided value |
25+
| XSS.cs:79:36:79:40 | access to local variable name2 | XSS.cs:78:28:78:42 | access to property Request | XSS.cs:79:36:79:40 | access to local variable name2 | $@ flows to here and is written to HTML or JavaScript. | XSS.cs:78:28:78:42 | access to property Request | User-provided value |
26+
| XSS.cs:86:28:86:31 | access to local variable name | XSS.cs:85:27:85:53 | access to property QueryString | XSS.cs:86:28:86:31 | access to local variable name | $@ flows to here and is written to HTML or JavaScript. | XSS.cs:85:27:85:53 | access to property QueryString | User-provided value |
27+
| XSS.cs:87:31:87:34 | access to local variable name | XSS.cs:85:27:85:53 | access to property QueryString | XSS.cs:87:31:87:34 | access to local variable name | $@ flows to here and is written to HTML or JavaScript. | XSS.cs:85:27:85:53 | access to property QueryString | User-provided value |
28+
| XSS.cs:95:31:95:34 | access to local variable name | XSS.cs:94:27:94:53 | access to property QueryString | XSS.cs:95:31:95:34 | access to local variable name | $@ flows to here and is written to HTML or JavaScript. | XSS.cs:94:27:94:53 | access to property QueryString | User-provided value |
29+
| XSS.cs:134:20:134:33 | access to property RawUrl | XSS.cs:134:20:134:33 | access to property RawUrl | XSS.cs:134:20:134:33 | access to property RawUrl | $@ flows to here and is written to HTML or JavaScript. | XSS.cs:134:20:134:33 | access to property RawUrl | User-provided value |
30+
| script.aspx:12:1:12:14 | <%= ... %> | script.aspx:12:1:12:14 | <%= ... %> | script.aspx:12:1:12:14 | <%= ... %> | $@ flows to here and is a remote source accessed inline in an ASPX page. | script.aspx:12:1:12:14 | <%= ... %> | User-provided value |
31+
| script.aspx:16:1:16:34 | <%= ... %> | script.aspx:16:1:16:34 | <%= ... %> | script.aspx:16:1:16:34 | <%= ... %> | $@ flows to here and is a remote source accessed inline in an ASPX page. | script.aspx:16:1:16:34 | <%= ... %> | User-provided value |
32+
| script.aspx:20:1:20:41 | <%= ... %> | script.aspx:20:1:20:41 | <%= ... %> | script.aspx:20:1:20:41 | <%= ... %> | $@ flows to here and is a remote source accessed inline in an ASPX page. | script.aspx:20:1:20:41 | <%= ... %> | User-provided value |
Lines changed: 22 additions & 10 deletions
@@ -1,10 +1,22 @@
1-
| XSSAspNet.cs:27:30:27:34 | access to local variable sayHi | $@ flows to here and is written to HTML or JavaScript: System.Web.WebPages.WebPage.WriteLiteral() method. | XSSAspNet.cs:20:25:20:43 | access to property QueryString | User-provided value |
2-
| XSSAspNet.cs:37:40:37:44 | access to local variable sayHi | $@ flows to here and is written to HTML or JavaScript: System.Web.WebPages.WebPage.WriteLiteralTo() method. | XSSAspNet.cs:20:25:20:43 | access to property QueryString | User-provided value |
3-
| XSSAspNet.cs:44:28:44:55 | access to indexer | $@ flows to here and is written to HTML or JavaScript. | XSSAspNet.cs:44:28:44:46 | access to property QueryString | User-provided value |
4-
| XSSAspNetCore.cs:21:52:21:76 | call to operator implicit conversion | $@ flows to here and is written to HTML or JavaScript. | XSSAspNetCore.cs:21:52:21:64 | access to property Query | User-provided value |
5-
| XSSAspNetCore.cs:44:51:44:53 | access to parameter foo | $@ flows to here and is written to HTML or JavaScript. | XSSAspNetCore.cs:40:56:40:58 | foo | User-provided value |
6-
| XSSAspNetCore.cs:51:43:51:67 | access to property Value | $@ flows to here and is written to HTML or JavaScript. | XSSAspNetCore.cs:51:43:51:67 | access to property Value | User-provided value |
7-
| XSSAspNetCore.cs:58:43:58:73 | call to method ToString | $@ flows to here and is written to HTML or JavaScript. | XSSAspNetCore.cs:58:43:58:55 | access to property Query | User-provided value |
8-
| XSSAspNetCore.cs:61:44:61:66 | access to indexer | $@ flows to here and is written to HTML or JavaScript. | XSSAspNetCore.cs:61:44:61:56 | access to property Query | User-provided value |
9-
| XSSAspNetCore.cs:69:43:69:61 | access to property ContentType | $@ flows to here and is written to HTML or JavaScript. | XSSAspNetCore.cs:69:43:69:61 | access to property ContentType | User-provided value |
10-
| XSSAspNetCore.cs:72:51:72:72 | call to operator implicit conversion | $@ flows to here and is written to HTML or JavaScript. | XSSAspNetCore.cs:72:51:72:65 | access to property Headers | User-provided value |
1+
edges
2+
| XSSAspNet.cs:20:25:20:43 | access to property QueryString | XSSAspNet.cs:27:30:27:34 | access to local variable sayHi |
3+
| XSSAspNet.cs:20:25:20:43 | access to property QueryString | XSSAspNet.cs:37:40:37:44 | access to local variable sayHi |
4+
| XSSAspNet.cs:44:28:44:46 | access to property QueryString | XSSAspNet.cs:44:28:44:55 | access to indexer |
5+
| XSSAspNetCore.cs:21:52:21:64 | access to property Query | XSSAspNetCore.cs:21:52:21:76 | call to operator implicit conversion |
6+
| XSSAspNetCore.cs:40:56:40:58 | foo | XSSAspNetCore.cs:44:51:44:53 | access to parameter foo |
7+
| XSSAspNetCore.cs:51:43:51:67 | access to property Value | XSSAspNetCore.cs:51:43:51:67 | access to property Value |
8+
| XSSAspNetCore.cs:58:43:58:55 | access to property Query | XSSAspNetCore.cs:58:43:58:73 | call to method ToString |
9+
| XSSAspNetCore.cs:61:44:61:56 | access to property Query | XSSAspNetCore.cs:61:44:61:66 | access to indexer |
10+
| XSSAspNetCore.cs:69:43:69:61 | access to property ContentType | XSSAspNetCore.cs:69:43:69:61 | access to property ContentType |
11+
| XSSAspNetCore.cs:72:51:72:65 | access to property Headers | XSSAspNetCore.cs:72:51:72:72 | call to operator implicit conversion |
12+
#select
13+
| XSSAspNet.cs:27:30:27:34 | access to local variable sayHi | XSSAspNet.cs:20:25:20:43 | access to property QueryString | XSSAspNet.cs:27:30:27:34 | access to local variable sayHi | $@ flows to here and is written to HTML or JavaScript: System.Web.WebPages.WebPage.WriteLiteral() method. | XSSAspNet.cs:20:25:20:43 | access to property QueryString | User-provided value |
14+
| XSSAspNet.cs:37:40:37:44 | access to local variable sayHi | XSSAspNet.cs:20:25:20:43 | access to property QueryString | XSSAspNet.cs:37:40:37:44 | access to local variable sayHi | $@ flows to here and is written to HTML or JavaScript: System.Web.WebPages.WebPage.WriteLiteralTo() method. | XSSAspNet.cs:20:25:20:43 | access to property QueryString | User-provided value |
15+
| XSSAspNet.cs:44:28:44:55 | access to indexer | XSSAspNet.cs:44:28:44:46 | access to property QueryString | XSSAspNet.cs:44:28:44:55 | access to indexer | $@ flows to here and is written to HTML or JavaScript. | XSSAspNet.cs:44:28:44:46 | access to property QueryString | User-provided value |
16+
| XSSAspNetCore.cs:21:52:21:76 | call to operator implicit conversion | XSSAspNetCore.cs:21:52:21:64 | access to property Query | XSSAspNetCore.cs:21:52:21:76 | call to operator implicit conversion | $@ flows to here and is written to HTML or JavaScript. | XSSAspNetCore.cs:21:52:21:64 | access to property Query | User-provided value |
17+
| XSSAspNetCore.cs:44:51:44:53 | access to parameter foo | XSSAspNetCore.cs:40:56:40:58 | foo | XSSAspNetCore.cs:44:51:44:53 | access to parameter foo | $@ flows to here and is written to HTML or JavaScript. | XSSAspNetCore.cs:40:56:40:58 | foo | User-provided value |
18+
| XSSAspNetCore.cs:51:43:51:67 | access to property Value | XSSAspNetCore.cs:51:43:51:67 | access to property Value | XSSAspNetCore.cs:51:43:51:67 | access to property Value | $@ flows to here and is written to HTML or JavaScript. | XSSAspNetCore.cs:51:43:51:67 | access to property Value | User-provided value |
19+
| XSSAspNetCore.cs:58:43:58:73 | call to method ToString | XSSAspNetCore.cs:58:43:58:55 | access to property Query | XSSAspNetCore.cs:58:43:58:73 | call to method ToString | $@ flows to here and is written to HTML or JavaScript. | XSSAspNetCore.cs:58:43:58:55 | access to property Query | User-provided value |
20+
| XSSAspNetCore.cs:61:44:61:66 | access to indexer | XSSAspNetCore.cs:61:44:61:56 | access to property Query | XSSAspNetCore.cs:61:44:61:66 | access to indexer | $@ flows to here and is written to HTML or JavaScript. | XSSAspNetCore.cs:61:44:61:56 | access to property Query | User-provided value |
21+
| XSSAspNetCore.cs:69:43:69:61 | access to property ContentType | XSSAspNetCore.cs:69:43:69:61 | access to property ContentType | XSSAspNetCore.cs:69:43:69:61 | access to property ContentType | $@ flows to here and is written to HTML or JavaScript. | XSSAspNetCore.cs:69:43:69:61 | access to property ContentType | User-provided value |
22+
| XSSAspNetCore.cs:72:51:72:72 | call to operator implicit conversion | XSSAspNetCore.cs:72:51:72:65 | access to property Headers | XSSAspNetCore.cs:72:51:72:72 | call to operator implicit conversion | $@ flows to here and is written to HTML or JavaScript. | XSSAspNetCore.cs:72:51:72:65 | access to property Headers | User-provided value |
