/**
* Provides a taint-tracking configuration for reasoning about untrusted user input used in log entries.
*/
import csharp
private import semmle.code.csharp.security.dataflow.flowsinks.FlowSinks
private import semmle.code.csharp.security.dataflow.flowsources.FlowSources
private import semmle.code.csharp.frameworks.System
private import semmle.code.csharp.frameworks.system.text.RegularExpressions
private import semmle.code.csharp.security.Sanitizers
private import semmle.code.csharp.security.dataflow.flowsinks.ExternalLocationSink
private import semmle.code.csharp.dataflow.internal.ExternalFlow
/**
 * A data flow source for untrusted user input used in log entries.
 *
 * Extend this class to contribute further sources; `LogForgingConfig::isSource`
 * selects every instance of this class.
 */
abstract class Source extends DataFlow::Node { }
/**
 * A data flow sink for untrusted user input used in log entries.
 *
 * Extend this class to contribute further sinks; `LogForgingConfig::isSink`
 * selects every instance of this class. Builds on `ApiSinkExprNode`, so every
 * sink is an expression node (presumably from the `FlowSinks` import — confirm).
 */
abstract class Sink extends ApiSinkExprNode { }
/**
 * A sanitizer for untrusted user input used in log entries.
 *
 * Extend this class to contribute further sanitizers; `LogForgingConfig::isBarrier`
 * selects every instance of this class, so taint does not propagate through it.
 */
abstract class Sanitizer extends DataFlow::ExprNode { }
/**
 * The taint-tracking configuration behind the `LogForging` module: every `Source`
 * is a flow source, every `Sink` a flow sink, and every `Sanitizer` a barrier.
 */
private module LogForgingConfig implements DataFlow::ConfigSig {
  /** Holds if `source` is one of the declared `Source` nodes. */
  predicate isSource(DataFlow::Node source) { source = any(Source s) }

  /** Holds if `sink` is one of the declared `Sink` nodes. */
  predicate isSink(DataFlow::Node sink) { sink = any(Sink s) }

  /** Holds if `node` is one of the declared `Sanitizer` nodes; taint stops there. */
  predicate isBarrier(DataFlow::Node node) { node = any(Sanitizer s) }

  /** Opts this configuration in to diff-informed incremental mode. */
  predicate observeDiffInformedIncrementalMode() { any() }
}
/**
 * A taint-tracking module for untrusted user input used in log entries.
 *
 * Global taint tracking instantiated with `LogForgingConfig`; queries use
 * `LogForging::flowPath` (or the other members `TaintTracking::Global` provides)
 * to find paths from a `Source` to a `Sink` that do not pass a `Sanitizer`.
 */
module LogForging = TaintTracking::Global<LogForgingConfig>;
/**
 * A source supported by the current threat model: every `ActiveThreatModelSource`
 * node is treated as a log-forging `Source`.
 */
private class ThreatModelSource extends Source {
  ThreatModelSource() { this instanceof ActiveThreatModelSource }
}
/**
 * An HTML-sanitized expression, treated as a sanitizer for log entries.
 *
 * NOTE(review): HTML encoding does not by itself remove line breaks, which are
 * the characters that let an attacker fabricate log records; confirm that
 * `HtmlSanitizedExpr` covers the encoders the project relies on for logging.
 */
private class HtmlSanitizer extends Sanitizer {
  HtmlSanitizer() { exists(HtmlSanitizedExpr e | e = this.asExpr()) }
}
/**
 * An argument to a call to a method on a logger class, excluding extension methods
 * with source code which are analyzed interprocedurally.
 *
 * Arguments of extension-method calls whose target has a source definition are
 * skipped here because taint tracking follows the flow into the method body and
 * reports the real sink inside it instead.
 */
private class LogForgingLogMessageSink extends Sink, LogMessageSink {
  LogForgingLogMessageSink() {
    // Every extension-method call that takes this expression as an argument must
    // target a method without source code.
    forall(ExtensionMethodCall call | this.getExpr() = call.getAnArgument() |
      not call.getTarget().fromSource()
    )
  }
}
/**
 * An argument to a call to a method on a trace class.
 *
 * Every `TraceMessageSink` (presumably from the `FlowSinks` import — confirm)
 * is a log-forging `Sink`; unlike `LogForgingLogMessageSink`, no extension-method
 * calls are excluded here.
 */
private class LogForgingTraceMessageSink extends Sink, TraceMessageSink { }
/**
 * A Log Forging sink defined through Models as Data: any node that an external
 * model marks with the `log-injection` sink kind.
 */
private class ExternalLoggingExprSink extends Sink {
  ExternalLoggingExprSink() {
    exists(string kind | kind = "log-injection" | sinkNode(this, kind))
  }
}
/**
 * A sanitizer for log forging defined through Models as Data: any node that an
 * external model marks with the `log-injection` barrier kind.
 */
private class ExternalLogForgingSanitizer extends Sanitizer {
  ExternalLogForgingSanitizer() {
    exists(string kind | kind = "log-injection" | barrierNode(this, kind))
  }
}
/**
 * A call to String replace or remove that is considered to sanitize replaced string.
 *
 * Covers `String.Replace`, `String.Remove`, `String.ReplaceLineEndings` and the
 * `Regex` replace methods. NOTE(review): the call is a barrier regardless of which
 * characters it replaces or removes, so a replacement that leaves line breaks
 * intact still stops the flow; this trades false negatives for fewer false
 * positives — confirm that is the intended precision.
 */
private class StringReplaceSanitizer extends Sanitizer {
  StringReplaceSanitizer() {
    exists(Method replaceOrRemove | this.asExpr() = replaceOrRemove.getACall() |
      replaceOrRemove = any(SystemStringClass s).getReplaceMethod() or
      replaceOrRemove = any(SystemStringClass s).getRemoveMethod() or
      replaceOrRemove = any(SystemStringClass s).getReplaceLineEndingsMethod() or
      replaceOrRemove = any(SystemTextRegularExpressionsRegexClass r).getAReplaceMethod()
    )
  }
}
/**
 * A simple-typed expression (as defined by `SimpleTypeSanitizedExpr`, presumably
 * from the `Sanitizers` import — confirm), treated as a sanitizer for log entries.
 */
private class SimpleTypeSanitizer extends Sanitizer, SimpleTypeSanitizedExpr { }
/**
 * A GUID-valued expression (as defined by `GuidSanitizedExpr`, presumably from
 * the `Sanitizers` import — confirm), treated as a sanitizer for log entries.
 */
private class GuidSanitizer extends Sanitizer, GuidSanitizedExpr { }