Merge pull request #2211 from hvitved/csharp/unsafe-deserialization

Approved by jf205
semmle-qlci 2019-11-07 14:16:13 +00:00 коммит произвёл GitHub
Родитель 3a7f9a588d 508b09f565
Коммит 2b120def01
11 изменённых файлов: 32 добавлений и 94 удалений


@ -9,7 +9,9 @@ The following changes in version 1.23 affect C# analysis in all applications.
| **Query** | **Tags** | **Purpose** |
|-----------------------------|-----------|--------------------------------------------------------------------|
| Deserialized delegate (`cs/deserialized-delegate`) | security, external/cwe/cwe-502 | Finds unsafe deserialization of delegate types. |
| Deserialization of untrusted data (`cs/unsafe-deserialization-untrusted-input`) | security, external/cwe/cwe-502 | Finds flow of untrusted input to calls to unsafe deserializers. |
| Unsafe year argument for 'DateTime' constructor (`cs/unsafe-year-construction`) | reliability, date-time | Finds incorrect manipulation of `DateTime` values, which could lead to invalid dates. |
| Unsafe deserializer (`cs/unsafe-deserialization`) | security, external/cwe/cwe-502 | Finds calls to unsafe deserializers. |
| Mishandling the Japanese era start date (`cs/mishandling-japanese-era`) | reliability, date-time | Finds hard-coded Japanese era start dates that could be invalid. |
## Changes to existing queries


@ -5,7 +5,7 @@
<overview>
<p>Deserializing an object from untrusted input may result in security problems, such
as denial-of-service or remote code execution.</p>
as denial of service or remote code execution.</p>
</overview>
<recommendation>


@ -5,16 +5,13 @@
* @kind problem
* @id cs/unsafe-deserialization
* @problem.severity warning
* @precision low
* @tags security
* external/cwe/cwe-502
*/
/*
* consider: @precision low
*/
import csharp
import UnsafeDeserialization::UnsafeDeserialization
import semmle.code.csharp.security.dataflow.UnsafeDeserialization::UnsafeDeserialization
from Call deserializeCall, Sink sink
where deserializeCall.getAnArgument() = sink.asExpr()
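Review bot: The query now carries `@precision low` while reporting every call whose argument is a `Sink` from the shared `semmle.code.csharp.security.dataflow.UnsafeDeserialization` module, with no requirement that the argument be attacker-controlled; nothing in the hunk documents that this broad reporting is intentional, so a reader comparing it with the sibling query may read the low precision as a defect. I would add a comment above the `from` clause: `// Reports every call into an unsafe deserializer sink, regardless of where its input comes from; the taint-tracked variant is cs/unsafe-deserialization-untrusted-input, which is why this query is @precision low.` The same unqualified module import pattern is used in the hunk at lines 65-80 for the untrusted-input query, where `Sink` and `TaintTrackingConfig` likewise arrive in the query's scope without a qualifying prefix; writing them as `UnsafeDeserialization::Sink` would make their origin explicit in both files. The `where` clause and `select` of this query continue outside the hunk.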


@ -5,7 +5,7 @@
<overview>
<p>Deserializing an object from untrusted input may result in security problems, such
as denial-of-service or remote code execution.</p>
as denial of service or remote code execution.</p>
</overview>
<recommendation>


@ -5,16 +5,13 @@
* @kind path-problem
* @id cs/unsafe-deserialization-untrusted-input
* @problem.severity error
* @precision high
* @tags security
* external/cwe/cwe-502
*/
/*
* consider: @precision high
*/
import csharp
import UnsafeDeserialization::UnsafeDeserialization
import semmle.code.csharp.security.dataflow.UnsafeDeserialization::UnsafeDeserialization
import DataFlow::PathGraph
from TaintTrackingConfig config, DataFlow::PathNode source, DataFlow::PathNode sink


@ -6,7 +6,6 @@
import csharp
module UnsafeDeserialization {
private import semmle.code.csharp.dataflow.flowsources.Remote
private import semmle.code.csharp.dataflow.flowsources.Remote
private import semmle.code.csharp.serialization.Deserializers


@ -1 +1 @@
// semmle-extractor-options: /r:System.Runtime.Extensions.dll /r:System.IO.FileSystem.dll
// semmle-extractor-options: /r:System.Runtime.Extensions.dll /r:System.IO.FileSystem.dll /r:System.Collections.Specialized.dll ${testdir}/../../../../resources/stubs/System.Web.cs


@ -1,34 +0,0 @@
// This file contains auto-generated code.
// original-extractor-options: /r:System.Runtime.Extensions.dll /r:System.IO.FileSystem.dll
namespace System
{
namespace Web
{
namespace Script
{
namespace Serialization
{
// Generated from `System.Web.Script.Serialization.JavaScriptSerializer` in `System.Web.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35`
public class JavaScriptSerializer
{
public JavaScriptSerializer() => throw null;
public JavaScriptSerializer(System.Web.Script.Serialization.JavaScriptTypeResolver resolver) => throw null;
public object DeserializeObject(string input) => throw null;
}
// Generated from `System.Web.Script.Serialization.JavaScriptTypeResolver` in `System.Web.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35`
abstract public class JavaScriptTypeResolver
{
}
// Generated from `System.Web.Script.Serialization.SimpleTypeResolver` in `System.Web.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35`
public class SimpleTypeResolver : System.Web.Script.Serialization.JavaScriptTypeResolver
{
public SimpleTypeResolver() => throw null;
}
}
}
}
}


@ -1 +1 @@
// semmle-extractor-options: /r:System.Runtime.Extensions.dll /r:System.IO.FileSystem.dll
// semmle-extractor-options: /r:System.Runtime.Extensions.dll /r:System.IO.FileSystem.dll /r:System.Collections.Specialized.dll ${testdir}/../../../../resources/stubs/System.Web.cs
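Review bot: The shared stub `${testdir}/../../../../resources/stubs/System.Web.cs` referenced on the new options line must also supply `System.Web.UI.WebControls.TextBox`, which the deleted local stub for this test directory defined (lines 146-154 of the removed file); the hunk added to the shared file at line 346 only introduces the `System.Web.Script.Serialization` types. Unless `TextBox` already exists earlier in System.Web.cs, outside the visible hunk, this test's extraction will fail to resolve the type; worth confirming against the full stub file before merging. Consider noting the dependency in the options line's sibling test source, e.g. `// requires System.Web.UI.WebControls.TextBox from the shared System.Web.cs stub`.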


@ -1,45 +0,0 @@
// This file contains auto-generated code.
// original-extractor-options: /r:System.Runtime.Extensions.dll /r:System.IO.FileSystem.dll
namespace System
{
namespace Web
{
namespace UI
{
namespace WebControls
{
public class TextBox
{
public string Text { get; set; }
}
}
}
namespace Script
{
namespace Serialization
{
// Generated from `System.Web.Script.Serialization.JavaScriptSerializer` in `System.Web.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35`
public class JavaScriptSerializer
{
public JavaScriptSerializer() => throw null;
public JavaScriptSerializer(System.Web.Script.Serialization.JavaScriptTypeResolver resolver) => throw null;
public object DeserializeObject(string input) => throw null;
}
// Generated from `System.Web.Script.Serialization.JavaScriptTypeResolver` in `System.Web.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35`
abstract public class JavaScriptTypeResolver
{
}
// Generated from `System.Web.Script.Serialization.SimpleTypeResolver` in `System.Web.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35`
public class SimpleTypeResolver : System.Web.Script.Serialization.JavaScriptTypeResolver
{
public SimpleTypeResolver() => throw null;
}
}
}
}
}


@ -346,3 +346,25 @@ namespace System.Web.Helpers
public static void Validate() { }
}
}
namespace System.Web.Script.Serialization
{
// Generated from `System.Web.Script.Serialization.JavaScriptSerializer` in `System.Web.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35`
public class JavaScriptSerializer
{
public JavaScriptSerializer() => throw null;
public JavaScriptSerializer(System.Web.Script.Serialization.JavaScriptTypeResolver resolver) => throw null;
public object DeserializeObject(string input) => throw null;
}
// Generated from `System.Web.Script.Serialization.JavaScriptTypeResolver` in `System.Web.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35`
abstract public class JavaScriptTypeResolver
{
}
// Generated from `System.Web.Script.Serialization.SimpleTypeResolver` in `System.Web.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35`
public class SimpleTypeResolver : System.Web.Script.Serialization.JavaScriptTypeResolver
{
public SimpleTypeResolver() => throw null;
}
}