C#: Introduce support for Negative summary models.

michaelnebel · michaelnebel · commit cc44e89065cb · 2022-08-24T09:46:54.000+02:00
diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/ExternalFlow.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/ExternalFlow.qll
@@ -5,12 +5,13 @@
  *
  * The CSV specification has the following columns:
  * - Sources:
- *   `namespace; type; subtypes; name; signature; ext; output; kind`
+ *   `namespace; type; subtypes; name; signature; ext; output; kind; provenance`
  * - Sinks:
- *   `namespace; type; subtypes; name; signature; ext; input; kind`
+ *   `namespace; type; subtypes; name; signature; ext; input; kind; provenance`
  * - Summaries:
- *   `namespace; type; subtypes; name; signature; ext; input; output; kind`
- *
+ *   `namespace; type; subtypes; name; signature; ext; input; output; kind; provenance`
+ * - Negative Summaries:
+ *   `namespace; type; name; signature; provenance`
  * The interpretation of a row is similar to API-graphs with a left-to-right
  * reading.
  * 1. The `namespace` column selects a namespace.
@@ -163,12 +164,24 @@ class SummaryModelCsv extends Unit {
   abstract predicate row(string row);
 }
 
+/**
+ * A unit class for adding negative summary model rows.
+ *
+ * Extend this class to add additional flow summary definitions.
+ */
+class NegativeSummaryModelCsv extends Unit {
+  /** Holds if `row` specifies a negative summary definition. */
+  abstract predicate row(string row);
+}
+
 private predicate sourceModel(string row) { any(SourceModelCsv s).row(row) }
 
 private predicate sinkModel(string row) { any(SinkModelCsv s).row(row) }
 
 private predicate summaryModel(string row) { any(SummaryModelCsv s).row(row) }
 
+private predicate negativeSummaryModel(string row) { any(NegativeSummaryModelCsv s).row(row) }
+
 /** Holds if a source model exists for the given parameters. */
 predicate sourceModel(
   string namespace, string type, boolean subtypes, string name, string signature, string ext,
@@ -230,6 +243,20 @@ predicate summaryModel(
   )
 }
 
+/** Holds is a summary model exists indicating there is no flow for the given parameters. */
+predicate negativeSummaryModel(
+  string namespace, string type, string name, string signature, string provenance
+) {
+  exists(string row |
+    negativeSummaryModel(row) and
+    row.splitAt(";", 0) = namespace and
+    row.splitAt(";", 1) = type and
+    row.splitAt(";", 2) = name and
+    row.splitAt(";", 3) = signature and
+    row.splitAt(";", 4) = provenance
+  )
+}
+
 private predicate relevantNamespace(string namespace) {
   sourceModel(namespace, _, _, _, _, _, _, _, _) or
   sinkModel(namespace, _, _, _, _, _, _, _, _) or
@@ -298,6 +325,10 @@ module CsvValidation {
       or
       summaryModel(namespace, type, _, name, signature, ext, _, _, _, provenance) and
       pred = "summary"
+      or
+      negativeSummaryModel(namespace, type, name, signature, provenance) and
+      ext = "" and
+      pred = "nonesummary"
     |
       not namespace.regexpMatch("[a-zA-Z0-9_\\.]+") and
       msg = "Dubious namespace \"" + namespace + "\" in " + pred + " model."
@@ -392,9 +423,13 @@ module CsvValidation {
 private predicate elementSpec(
   string namespace, string type, boolean subtypes, string name, string signature, string ext
 ) {
-  sourceModel(namespace, type, subtypes, name, signature, ext, _, _, _) or
-  sinkModel(namespace, type, subtypes, name, signature, ext, _, _, _) or
+  sourceModel(namespace, type, subtypes, name, signature, ext, _, _, _)
+  or
+  sinkModel(namespace, type, subtypes, name, signature, ext, _, _, _)
+  or
   summaryModel(namespace, type, subtypes, name, signature, ext, _, _, _, _)
+  or
+  negativeSummaryModel(namespace, type, name, signature, _) and ext = "" and subtypes = false
 }
 
 private predicate elementSpec(
@@ -508,7 +543,7 @@ private Element interpretElement0(
   )
 }
 
-/** Gets the source/sink/summary element corresponding to the supplied parameters. */
+/** Gets the source/sink/summary/negativesummary element corresponding to the supplied parameters. */
 Element interpretElement(
   string namespace, string type, boolean subtypes, string name, string signature, string ext
 ) {
diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll
@@ -2129,18 +2129,37 @@ module Csv {
     if isBaseCallableOrPrototype(c) then result = "true" else result = "false"
   }
 
-  /** Computes the first 6 columns for CSV rows of `c`. */
+  private predicate partialModel(
+    DotNet::Callable c, string namespace, string type, string name, string parameters
+  ) {
+    c.getDeclaringType().hasQualifiedName(namespace, type) and
+    c.hasQualifiedName(_, name) and
+    parameters = "(" + parameterQualifiedTypeNamesToString(c) + ")"
+  }
+
+  /** Computes the first 6 columns for positive CSV rows of `c`. */
   string asPartialModel(DotNet::Callable c) {
-    exists(string namespace, string type, string name |
-      c.getDeclaringType().hasQualifiedName(namespace, type) and
-      c.hasQualifiedName(_, name) and
+    exists(string namespace, string type, string name, string parameters |
+      partialModel(c, namespace, type, name, parameters) and
       result =
         namespace + ";" //
           + type + ";" //
           + getCallableOverride(c) + ";" //
           + name + ";" //
-          + "(" + parameterQualifiedTypeNamesToString(c) + ")" + ";" //
+          + parameters + ";" //
           + /* ext + */ ";" //
     )
   }
+
+  /** Computes the first 4 columns for negative CSV rows of `c`. */
+  string asPartialNegativeModel(DotNet::Callable c) {
+    exists(string namespace, string type, string name, string parameters |
+      partialModel(c, namespace, type, name, parameters) and
+      result =
+        namespace + ";" //
+          + type + ";" //
+          + name + ";" //
+          + parameters + ";" //
+    )
+  }
 }
diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll
@@ -240,6 +240,16 @@ module Public {
      */
     predicate isAutoGenerated() { none() }
   }
+
+  /** A callable with a flow summary stating there is no flow via the callable. */
+  class NegativeSummarizedCallable extends SummarizedCallableBase {
+    NegativeSummarizedCallable() { negativeSummaryElement(this, _) }
+
+    /**
+     *  Holds if the none summary is auto generated.
+     */
+    predicate isAutoGenerated() { negativeSummaryElement(this, true) }
+  }
 }
 
 /**
@@ -1094,7 +1104,7 @@ module Private {
 
   /** Provides a query predicate for outputting a set of relevant flow summaries. */
   module TestOutput {
-    /** A flow summary to include in the `summary/3` query predicate. */
+    /** A flow summary to include in the `summary/1` query predicate. */
     abstract class RelevantSummarizedCallable instanceof SummarizedCallable {
       /** Gets the string representation of this callable used by `summary/1`. */
       abstract string getCallableCsv();
@@ -1109,15 +1119,27 @@ module Private {
       string toString() { result = super.toString() }
     }
 
+    /** A flow summary to include in the `negativeSummary/1` query predicate. */
+    abstract class RelevantNegativeSummarizedCallable instanceof NegativeSummarizedCallable {
+      /** Gets the string representation of this callable used by `summary/1`. */
+      abstract string getCallableCsv();
+
+      string toString() { result = super.toString() }
+    }
+
     /** Render the kind in the format used in flow summaries. */
     private string renderKind(boolean preservesValue) {
       preservesValue = true and result = "value"
       or
       preservesValue = false and result = "taint"
     }
 
-    private string renderProvenance(RelevantSummarizedCallable c) {
-      if c.(SummarizedCallable).isAutoGenerated() then result = "generated" else result = "manual"
+    private string renderProvenance(SummarizedCallable c) {
+      if c.isAutoGenerated() then result = "generated" else result = "manual"
+    }
+
+    private string renderProvenanceNegative(NegativeSummarizedCallable c) {
+      if c.isAutoGenerated() then result = "generated" else result = "manual"
     }
 
     /**
@@ -1132,8 +1154,23 @@ module Private {
       |
         c.relevantSummary(input, output, preservesValue) and
         csv =
-          c.getCallableCsv() + getComponentStackCsv(input) + ";" + getComponentStackCsv(output) +
-            ";" + renderKind(preservesValue) + ";" + renderProvenance(c)
+          c.getCallableCsv() // Callable information
+            + getComponentStackCsv(input) + ";" // input
+            + getComponentStackCsv(output) + ";" // output
+            + renderKind(preservesValue) + ";" // kind
+            + renderProvenance(c) // provenance
+      )
+    }
+
+    /**
+     * Holds if a negative flow summary `csv` exists (semi-colon separated format). Used for testing purposes.
+     * The syntax is: "namespace;type;name;signature;provenance"",
+     */
+    query predicate negativeSummary(string csv) {
+      exists(RelevantNegativeSummarizedCallable c |
+        csv =
+          c.getCallableCsv() // Callable information
+            + renderProvenanceNegative(c) // provenance
       )
     }
   }
diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/FlowSummaryImplSpecific.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/FlowSummaryImplSpecific.qll
@@ -114,6 +114,18 @@ predicate summaryElement(Callable c, string input, string output, string kind, b
   )
 }
 
+/**
+ * Holds is an external flow summary exists for `c` which means that there is no
+ * flow through `c` and a flag `generated` stating whether the summary is autogenerated.
+ */
+predicate negativeSummaryElement(Callable c, boolean generated) {
+  exists(string namespace, string type, string name, string signature, string provenance |
+    negativeSummaryModel(namespace, type, name, signature, provenance) and
+    generated = isGenerated(provenance) and
+    c = interpretElement(namespace, type, false, name, signature, "")
+  )
+}
+
 /**
  * Holds if an external source specification exists for `e` with output specification
  * `output`, kind `kind`, and a flag `generated` stating whether the source specification is
diff --git a/csharp/ql/src/Telemetry/UnsupportedExternalAPIs.ql b/csharp/ql/src/Telemetry/UnsupportedExternalAPIs.ql
@@ -8,11 +8,13 @@
 
 private import csharp
 private import semmle.code.csharp.dispatch.Dispatch
+private import semmle.code.csharp.dataflow.internal.FlowSummaryImpl as FlowSummaryImpl
 private import ExternalApi
 
 private predicate getRelevantUsages(ExternalApi api, int usages) {
   not api.isUninteresting() and
   not api.isSupported() and
+  not api instanceof FlowSummaryImpl::Public::NegativeSummarizedCallable and
   usages = strictcount(DispatchCall c | c = api.getACall())
 }
 
diff --git a/csharp/ql/src/utils/model-generator/CaptureDiscardedSummaryModels.ql b/csharp/ql/src/utils/model-generator/CaptureDiscardedSummaryModels.ql
@@ -6,7 +6,7 @@
 
 private import semmle.code.csharp.dataflow.ExternalFlow
 private import internal.CaptureModels
-private import internal.CaptureFlow
+private import internal.CaptureSummaryFlow
 
 from TargetApi api, string flow
 where flow = captureFlow(api) and hasSummary(api, false)
diff --git a/csharp/ql/src/utils/model-generator/CaptureNegativeSummaryModels.ql b/csharp/ql/src/utils/model-generator/CaptureNegativeSummaryModels.ql
@@ -0,0 +1,15 @@
+/**
+ * @name Capture negative summary models.
+ * @description Finds negative summary models to be used by other queries.
+ * @kind diagnostic
+ * @id cs/utils/model-generator/negative-summary-models
+ * @tags model-generator
+ */
+
+private import semmle.code.csharp.dataflow.ExternalFlow
+private import internal.CaptureModels
+private import internal.CaptureSummaryFlow
+
+from TargetApi api, string noflow
+where noflow = captureNoFlow(api) and not hasSummary(api, false)
+select noflow order by noflow
diff --git a/csharp/ql/src/utils/model-generator/CaptureSummaryModels.ql b/csharp/ql/src/utils/model-generator/CaptureSummaryModels.ql
@@ -8,7 +8,7 @@
 
 private import semmle.code.csharp.dataflow.ExternalFlow
 private import internal.CaptureModels
-private import internal.CaptureFlow
+private import internal.CaptureSummaryFlow
 
 from TargetApi api, string flow
 where flow = captureFlow(api) and not hasSummary(api, false)
diff --git a/csharp/ql/src/utils/model-generator/internal/CaptureModels.qll b/csharp/ql/src/utils/model-generator/internal/CaptureModels.qll
@@ -48,6 +48,10 @@ private string asSummaryModel(TargetApi api, string input, string output, string
       + "generated"
 }
 
+string asNegativeSummaryModel(TargetApi api) { result = asPartialNegativeModel(api) + "generated" }
+
+predicate partialNegativeModel = asPartialNegativeModel/1;
+
 /**
  * Gets the value summary model for `api` with `input` and `output`.
  */
diff --git a/csharp/ql/src/utils/model-generator/internal/CaptureModelsSpecific.qll b/csharp/ql/src/utils/model-generator/internal/CaptureModelsSpecific.qll
@@ -55,6 +55,8 @@ class TargetApiSpecific extends DotNet::Callable {
 
 predicate asPartialModel = DataFlowPrivate::Csv::asPartialModel/1;
 
+predicate asPartialNegativeModel = DataFlowPrivate::Csv::asPartialNegativeModel/1;
+
 /**
  * Holds for type `t` for fields that are relevant as an intermediate
  * read or write step in the data flow analysis.
diff --git a/csharp/ql/src/utils/model-generator/internal/CaptureSummaryFlow.qll b/csharp/ql/src/utils/model-generator/internal/CaptureSummaryFlow.qll
@@ -79,3 +79,16 @@ string captureFlow(TargetApi api) {
   result = captureQualifierFlow(api) or
   result = captureThroughFlow(api)
 }
+
+/**
+ * Gets the negative summary for `api`, if any.
+ * A negative summary is generated, if there does not exist any positive flow that
+ * shares the same summary prefix - otherwise these models will be indistinguishable.
+ */
+string captureNoFlow(TargetApi api) {
+  not exists(TargetApi other, string flow |
+    flow = captureFlow(other) and
+    partialNegativeModel(other) = partialNegativeModel(api)
+  ) and
+  result = asNegativeSummaryModel(api)
+}
diff --git a/csharp/ql/test/library-tests/dataflow/library/FlowSummaries.ql b/csharp/ql/test/library-tests/dataflow/library/FlowSummaries.ql
@@ -1,5 +1,16 @@
+private import semmle.code.csharp.dataflow.internal.DataFlowPrivate
+private import semmle.code.csharp.dataflow.internal.FlowSummaryImpl as FlowSummaryImpl
 import shared.FlowSummaries
 
 private class IncludeAllSummarizedCallable extends IncludeSummarizedCallable {
   IncludeAllSummarizedCallable() { exists(this) }
 }
+
+private class IncludeNegativeSummarizedCallable extends RelevantNegativeSummarizedCallable {
+  IncludeNegativeSummarizedCallable() {
+    this instanceof FlowSummaryImpl::Public::NegativeSummarizedCallable
+  }
+
+  /** Gets a string representing the callable in semi-colon separated format for use in flow summaries. */
+  final override string getCallableCsv() { result = Csv::asPartialNegativeModel(this) }
+}
diff --git a/csharp/ql/test/shared/FlowSummaries.qll b/csharp/ql/test/shared/FlowSummaries.qll
@@ -1,6 +1,6 @@
+private import semmle.code.csharp.dataflow.internal.DataFlowPrivate
 import semmle.code.csharp.dataflow.FlowSummary
 import semmle.code.csharp.dataflow.internal.FlowSummaryImpl::Private::TestOutput
-private import semmle.code.csharp.dataflow.internal.DataFlowPrivate
 
 abstract class IncludeSummarizedCallable extends RelevantSummarizedCallable {
   IncludeSummarizedCallable() {
