Merge branch 'GitHubSecurityLab:main' into main

Author: Sim4n6

csharp/lib/codeql-pack.lock.yml

@@ -2,17 +2,23 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/controlflow:
-    version: 0.0.3
+    version: 0.1.16
   codeql/csharp-all:
-    version: 0.7.4
+    version: 0.10.1
   codeql/dataflow:
-    version: 0.0.3
+    version: 0.2.7
   codeql/mad:
-    version: 0.1.4
+    version: 0.2.16
   codeql/ssa:
-    version: 0.1.4
+    version: 0.2.16
+  codeql/threat-models:
+    version: 0.0.15
   codeql/tutorial:
-    version: 0.1.4
+    version: 0.2.16
+  codeql/typetracking:
+    version: 0.2.16
   codeql/util:
-    version: 0.1.4
+    version: 0.2.16
+  codeql/xml:
+    version: 0.0.3
 compiled: false

csharp/lib/ghsl/Cryptography.qll

@@ -36,7 +36,7 @@ module Cryptography {
   class CryptoRfc2898DeriveBytes extends HashingAlgorithms {
     CryptoRfc2898DeriveBytes() {
       exists(ObjectCreation object |
-        object.getType().getQualifiedName() = "System.Security.Cryptography.Rfc2898DeriveBytes" and
+        object.getType().hasFullyQualifiedName("System.Security.Cryptography", "Rfc2898DeriveBytes") and
         this.asExpr() = object
       )
     }
@@ -67,7 +67,7 @@ module Cryptography {
       exists(ObjectCreation object |
         object
             .getType()
-            .hasQualifiedName("System.Security.Cryptography", "DSACryptoServiceProvider") and
+            .hasFullyQualifiedName("System.Security.Cryptography", "DSACryptoServiceProvider") and
         this.asExpr() = object
       )
     }
@@ -90,7 +90,7 @@ module Cryptography {
       exists(ObjectCreation object |
         object
             .getType()
-            .hasQualifiedName("System.Security.Cryptography", "RC2CryptoServiceProvider") and
+            .hasFullyQualifiedName("System.Security.Cryptography", "RC2CryptoServiceProvider") and
         this.asExpr() = object
       )
     }
@@ -113,12 +113,13 @@ module Cryptography {
       exists(ObjectCreation object |
         object
             .getType()
-            .hasQualifiedName("System.Security.Cryptography", ["RSACryptoServiceProvider", "RSACng"]) and
+            .hasFullyQualifiedName("System.Security.Cryptography",
+              ["RSACryptoServiceProvider", "RSACng"]) and
         this.asExpr() = object
       )
       or
       exists(MethodCall call |
-        call.getType().hasQualifiedName("System.Security.Cryptography", ["RSA"]) and
+        call.getType().hasFullyQualifiedName("System.Security.Cryptography", ["RSA"]) and
         call.getTarget().hasName("Create") and
         this.asExpr() = call
       )
@@ -152,7 +153,7 @@ module Cryptography {
       exists(ObjectCreation object |
         object
             .getType()
-            .hasQualifiedName("System.Security.Cryptography",
+            .hasFullyQualifiedName("System.Security.Cryptography",
               ["HMACMD5", "HMACSHA1", "HMACSHA256", "HMACSHA384", "HMACSHA512", "HMACRIPEMD160"]) and
         this.asExpr() = object
       )

csharp/lib/ghsl/HardcodedCredentials.qll

@@ -1,4 +1,3 @@
-
 private import csharp
 private import semmle.code.csharp.frameworks.Moq
 private import semmle.code.csharp.frameworks.System
@@ -25,10 +24,10 @@ abstract class Sanitizer extends DataFlow::ExprNode { }
 class NonEmptyStringLiteral extends Source {
   NonEmptyStringLiteral() {
     exists(StringLiteral literal |
-      this.getExpr() = literal
-      and literal.getValue().length() > 1
-      and literal.fromSource()
-      and not literal.getValue().matches("${%}")
+      this.getExpr() = literal and
+      literal.getValue().length() > 1 and
+      literal.fromSource() and
+      not literal.getValue().matches("${%}")
     )
   }
 }
@@ -42,8 +41,8 @@ class ByteArrayLiteral extends Source {
       any(ArrayCreation ac |
         ac.getArrayType().getElementType() instanceof ByteType and
         ac.hasInitializer()
-      )
-    and this.getExpr().fromSource()
+      ) and
+    this.getExpr().fromSource()
   }
 }
 
@@ -56,71 +55,70 @@ class CharArrayLiteral extends Source {
       any(ArrayCreation ac |
         ac.getArrayType().getElementType() instanceof CharType and
         ac.hasInitializer()
-      )
-    and this.getExpr().fromSource()
+      ) and
+    this.getExpr().fromSource()
   }
 }
 
 // taint from a string literal to the constructor of a SymmetricSecurityKey
-class LiteralToSecurityKeyConfig extends TaintTracking::Configuration {
-  LiteralToSecurityKeyConfig() { this = "LiteralToSecurityKeyConfig" }
+module LiteralToSecurityKeyConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
 
-  override predicate isSource(DataFlow::Node source) { source instanceof Source }
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
-  override predicate isSink(DataFlow::Node sink) {
-    sink instanceof Sink
-  }
-
-  override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
+  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
 }
 
+module LiteralToSecurityKeyFlow = TaintTracking::Global<LiteralToSecurityKeyConfig>;
+
 class SymmetricSecurityKey extends Sink {
   SymmetricSecurityKey() {
     exists(ObjectCreation securityKey |
       securityKey.getAnArgument() = this.getExpr() and
-      securityKey.getType().getQualifiedName() in [
-        "Microsoft.IdentityModel.Tokens.SymmetricSecurityKey",
-        "System.IdentityModel.Tokens.SymmetricSecurityKey"
-      ]
+      securityKey
+          .getType()
+          .hasFullyQualifiedName(["Microsoft.IdentityModel.Tokens", "System.IdentityModel.Tokens"],
+            "SymmetricSecurityKey")
     )
   }
 }
 
-
-/** 
+/**
  *  A result from a mock interface
  *  Ignore values that are ultimately returned by mocks, as they don't represent "real" credentials.
-*/
+ */
 class MockSanitizer extends Sanitizer {
   MockSanitizer() {
-    exists(ReturnedByMockObject mock|
-      mock.getAMemberInitializationValue() = this.asExpr()
-      or mock.getAnArgument() = this.asExpr()
+    exists(ReturnedByMockObject mock |
+      mock.getAMemberInitializationValue() = this.asExpr() or
+      mock.getAnArgument() = this.asExpr()
     )
   }
 }
 
-/** 
+/**
  *  A result from a mock interface
  *  The function is not itself marked as a mock, but all uses of it are in mocks.
-*/
+ */
 class MockSanitizer2 extends Sanitizer {
   MockSanitizer2() {
     exists(Method method, ReturnedByMockObject mock |
       exists(Call call |
-        call = method.getACall() and method.getAChild*() = this.asExpr() and
+        call = method.getACall() and
+        method.getAChild*() = this.asExpr() and
         (
-          mock.getAMemberInitializationValue().getAChild*() = call
-          or mock.getAnArgument().getAChild*() = call
+          mock.getAMemberInitializationValue().getAChild*() = call or
+          mock.getAnArgument().getAChild*() = call
         )
-      )
-      and not exists(Call call |
-        call = method.getACall() and method.getAChild*() = this.asExpr() and
+      ) and
+      not exists(Call call |
+        call = method.getACall() and
+        method.getAChild*() = this.asExpr() and
         not (
-          mock.getAMemberInitializationValue().getAChild*() = call
-          or mock.getAnArgument().getAChild*() = call
-        )
+          mock.getAMemberInitializationValue().getAChild*() = call or
+          mock.getAnArgument().getAChild*() = call
         )
+      )
     )
   }
 }
@@ -161,11 +159,12 @@ class ToStringSanitizer extends Sanitizer {
 class ConfigurationSanitizer extends Sanitizer {
   ConfigurationSanitizer() {
     exists(Access configuration, MethodCall call |
-      configuration.getType().getQualifiedName() in [
-        "Microsoft.Extensions.Configuration.IConfiguration", "Microsoft.Extensions.Configuration.ConfigurationManager"
-      ]
-      and call.getQualifier() = configuration
-      and call.getAnArgument() = this.getExpr() 
+      configuration
+          .getType()
+          .hasFullyQualifiedName("Microsoft.Extensions.Configuration",
+            ["IConfiguration", "ConfigurationManager"]) and
+      call.getQualifier() = configuration and
+      call.getAnArgument() = this.getExpr()
     )
   }
 }
@@ -175,9 +174,14 @@ class ConfigurationSanitizer extends Sanitizer {
  */
 class FileSanitizer extends Sanitizer {
   FileSanitizer() {
-    exists(Call c | c.getTarget().hasQualifiedName("System.IO.File", [
-      "ReadAllBytes", "ReadAllText", "Open", "OpenText", "OpenRead", "OpenHandle", "ReadAllTextAsync", "ReadAllBytesAsync", "ReadAllLines", "ReadAllLinesAsync", "ReadLines", "ReadLinesAsync", "OpenTextAsync"
-    ]) and
+    exists(Call c |
+      c.getTarget()
+          .hasFullyQualifiedName("System.IO.File",
+            [
+              "ReadAllBytes", "ReadAllText", "Open", "OpenText", "OpenRead", "OpenHandle",
+              "ReadAllTextAsync", "ReadAllBytesAsync", "ReadAllLines", "ReadAllLinesAsync",
+              "ReadLines", "ReadLinesAsync", "OpenTextAsync"
+            ]) and
       c.getAnArgument() = this.getExpr()
     )
   }
@@ -207,7 +211,8 @@ class TestClassSanitizer extends Sanitizer {
  */
 class TestNamespaceSanitizer extends Sanitizer {
   TestNamespaceSanitizer() {
-    exists(Namespace n | n.getName().matches(["Test%", "%Test", "%Tests", "Mock%", "%Mocks", "%Mock", "Fake%"]) and
+    exists(Namespace n |
+      n.getName().matches(["Test%", "%Test", "%Tests", "Mock%", "%Mocks", "%Mock", "Fake%"]) and
       (
         this.getExpr() = n.getAClass().getAMethod().getAChild*() or
         this.getExpr() = n.getAClass().getAField().getAChild*() or
@@ -222,13 +227,17 @@ class TestNamespaceSanitizer extends Sanitizer {
  */
 class DebugSanitizer extends Sanitizer {
   DebugSanitizer() {
-    exists(IfDirective if_d, EndifDirective endif_d, Location if_loc, Location endif_loc, Location loc |
+    exists(
+      IfDirective if_d, EndifDirective endif_d, Location if_loc, Location endif_loc, Location loc
+    |
       loc = this.getLocation() and
-      if_d.getCondition().toString() = "DEBUG" and if_d.getEndifDirective() = endif_d
-      and if_d.getLocation() = if_loc and endif_d.getLocation() = endif_loc
-      and loc.getStartLine() > if_loc.getEndLine()
-      and loc.getEndLine() < endif_loc.getStartLine()
-      and loc.getFile() = if_loc.getFile()
+      if_d.getCondition().toString() = "DEBUG" and
+      if_d.getEndifDirective() = endif_d and
+      if_d.getLocation() = if_loc and
+      endif_d.getLocation() = endif_loc and
+      loc.getStartLine() > if_loc.getEndLine() and
+      loc.getEndLine() < endif_loc.getStartLine() and
+      loc.getFile() = if_loc.getFile()
     )
   }
-}
+}

csharp/lib/qlpack.yml

@@ -2,4 +2,4 @@ library: true
 name: githubsecuritylab/codeql-csharp-libs
 version: 0.0.1
 dependencies:
-  codeql/csharp-all: '*'
+  codeql/csharp-all: 0.10.1

csharp/src/codeql-pack.lock.yml

@@ -2,21 +2,27 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/controlflow:
-    version: 0.0.3
+    version: 0.1.16
   codeql/csharp-all:
-    version: 0.7.4
+    version: 0.10.1
   codeql/csharp-queries:
-    version: 0.7.4
+    version: 0.8.16
   codeql/dataflow:
-    version: 0.0.3
+    version: 0.2.7
   codeql/mad:
-    version: 0.1.4
+    version: 0.2.16
   codeql/ssa:
-    version: 0.1.4
+    version: 0.2.16
   codeql/suite-helpers:
-    version: 0.6.4
+    version: 0.7.16
+  codeql/threat-models:
+    version: 0.0.15
   codeql/tutorial:
-    version: 0.1.4
+    version: 0.2.16
+  codeql/typetracking:
+    version: 0.2.16
   codeql/util:
-    version: 0.1.4
+    version: 0.2.16
+  codeql/xml:
+    version: 0.0.3
 compiled: false