Merge branch 'main' into typenamehandling-queries

Author: ropwareJB

powershell/ql/lib/semmle/code/powershell/security/Sanitizers.qll

@@ -4,11 +4,11 @@ private import semmle.code.powershell.dataflow.DataFlow
 /**
  * A dataflow node that is guarenteed to have a "simple" type.
  *
- * Simple types include integers, floats, characters, booleans, and `datetime`.
+ * Simple types include integers, floats, characters, booleans, `datetime`, and `guid`.
  */
 class SimpleTypeSanitizer extends DataFlow::Node {
   SimpleTypeSanitizer() {
     this.asParameter().getStaticType() =
-      ["int32", "int64", "single", "double", "decimal", "char", "boolean", "datetime"]
+      ["int32", "int64", "single", "double", "decimal", "char", "boolean", "datetime", "guid"]
   }
 }

powershell/ql/src/queries/security/cwe-347/JwtNoneAlgorithm.qhelp

@@ -0,0 +1,45 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+
+<p>Using the <code>"none"</code> algorithm when creating a JWT token with
+<code>JwtSecurityTokenHandler</code> disables signature verification. This allows attackers to
+forge arbitrary tokens that will be accepted as valid, potentially leading to authentication
+bypass and privilege escalation.</p>
+
+</overview>
+<recommendation>
+
+<p>Always use a secure signing algorithm such as <code>HS256</code>, <code>RS256</code>, or
+<code>ES256</code> when creating JWT tokens. Ensure that tokens are signed with a strong secret
+or key pair.</p>
+
+</recommendation>
+<example>
+
+<p>In this example, a JWT token is created using the <code>"none"</code> algorithm, which produces
+an unsigned token:</p>
+
+<sample src="examples/JwtNoneAlgorithmBad.ps1" />
+
+<p>The fix is to use a secure algorithm instead:</p>
+
+<sample src="examples/JwtNoneAlgorithmGood.ps1" />
+
+</example>
+<references>
+
+<li>
+RFC 7518:
+<a href="https://datatracker.ietf.org/doc/html/rfc7518#section-3.6">JSON Web Algorithms - Unsecured JWS</a>.
+</li>
+
+<li>
+CWE-347:
+<a href="https://cwe.mitre.org/data/definitions/347.html">Improper Verification of Cryptographic Signature</a>.
+</li>
+
+</references>
+</qhelp>

powershell/ql/src/queries/security/cwe-347/JwtNoneAlgorithm.ql

@@ -0,0 +1,37 @@
+/**
+ * @name JWT none algorithm usage
+ * @description Using the "none" algorithm for JWT tokens disables signature verification,
+ *              allowing token forgery.
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 9.8
+ * @precision high
+ * @id powershell/jwt-none-algorithm
+ * @tags security
+ *       external/cwe/cwe-347
+ */
+
+import powershell
+import semmle.code.powershell.dataflow.DataFlow
+
+/**
+ * A string literal "none" passed as an algorithm argument to .NET JWT methods
+ * on a JwtSecurityTokenHandler instance.
+ */
+class JwtNoneInDotNetCall extends StringConstExpr {
+  JwtNoneInDotNetCall() {
+    this.getValueString().toLowerCase() = "none" and
+    exists(DataFlow::CallNode cn, DataFlow::ObjectCreationNode ocn |
+      cn.getQualifier().getALocalSource() = ocn and
+      ocn.getConstructedTypeNode().asExpr().getExpr().(TypeNameExpr).hasQualifiedName("system.identitymodel.tokens.jwt", "jwtsecuritytokenhandler") and
+      cn.getLowerCaseName() in [
+          "createtoken", "writetoken", "createjwtsecuritytoken", "createencodedjwt"
+        ] and
+      cn.getAnArgument().asExpr().getExpr() = this
+    )
+  }
+}
+
+from JwtNoneInDotNetCall noneAlg
+select noneAlg,
+  "JWT token created with 'none' algorithm via .NET API, disabling signature verification."

powershell/ql/src/queries/security/cwe-347/examples/JwtNoneAlgorithmBad.ps1

@@ -0,0 +1,4 @@
+$handler = [System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler]::new()
+
+# BAD: Creating a JWT token with the "none" algorithm disables signature verification.
+$token = $handler.CreateToken("none")

powershell/ql/src/queries/security/cwe-347/examples/JwtNoneAlgorithmGood.ps1

@@ -0,0 +1,4 @@
+$handler = [System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler]::new()
+
+# GOOD: Creating a JWT token with a secure algorithm.
+$token = $handler.CreateToken("HS256")

powershell/ql/src/queries/security/cwe-757/DeprecatedTls.qhelp

@@ -0,0 +1,42 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+  <overview>
+    <p>
+      TLS (Transport Layer Security) and its predecessor SSL (Secure Sockets Layer) are protocols
+      used to secure network communications. Older versions of these protocols have known
+      vulnerabilities that can be exploited by attackers to compromise the confidentiality and
+      integrity of data in transit.
+    </p>
+    <p>
+      The following versions are considered deprecated:
+    </p>
+    <ul>
+      <li>SSL 3.0 is vulnerable to the POODLE attack and other weaknesses.</li>
+      <li>TLS 1.0 has known vulnerabilities including the BEAST attack and weak cipher suites.</li>
+      <li>TLS 1.1 lacks support for modern cryptographic algorithms and is deprecated by RFC 8996.</li>
+    </ul>
+  </overview>
+  <recommendation>
+    <p>
+      Use TLS 1.2 or TLS 1.3 for all secure communications. TLS 1.3 is preferred as it removes
+      support for legacy cryptographic features and provides improved performance. When configuring
+      <code>SecurityProtocolType</code>, use <code>Tls12</code> or <code>Tls13</code>.
+    </p>
+  </recommendation>
+  <example>
+    <p>
+      In the following example, the script enables the deprecated SSL 3.0 and TLS 1.0 protocols:
+    </p>
+    <sample src="examples/DeprecatedTls/DeprecatedTlsBad.ps1" />
+    <p>
+      The following example shows the corrected code using TLS 1.2:
+    </p>
+    <sample src="examples/DeprecatedTls/DeprecatedTlsGood.ps1" />
+  </example>
+  <references>
+    <li>IETF, RFC 8996: <a href="https://datatracker.ietf.org/doc/html/rfc8996">Deprecating TLS 1.0 and TLS 1.1</a>.</li>
+    <li>NIST, SP 800-52 Rev. 2: <a href="https://csrc.nist.gov/publications/detail/sp/800-52/rev-2/final">Guidelines for the Selection, Configuration, and Use of TLS Implementations</a>.</li>
+    <li>OWASP: <a href="https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Security_Cheat_Sheet.html">Transport Layer Security Cheat Sheet</a>.</li>
+    <li>CWE-757: <a href="https://cwe.mitre.org/data/definitions/757.html">Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')</a>.</li>
+  </references>
+</qhelp>

powershell/ql/src/queries/security/cwe-757/DeprecatedTls.ql

@@ -0,0 +1,90 @@
+/**
+ * @name Use of deprecated TLS/SSL version
+ * @description Using deprecated TLS/SSL versions (SSL3, TLS 1.0, TLS 1.1) weakens transport security.
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 7.5
+ * @precision high
+ * @id powershell/deprecated-tls
+ * @tags security
+ *       external/cwe/cwe-327
+ *       external/cwe/cwe-757
+ */
+
+import powershell
+import semmle.code.powershell.ApiGraphs
+import semmle.code.powershell.dataflow.DataFlow
+
+/**
+ * Gets the human-readable name for a deprecated protocol.
+ */
+bindingset[protocolName]
+string getProtocolDisplayName(string protocolName) {
+  protocolName = "ssl3" and result = "SSL 3.0"
+  or
+  protocolName = "tls" and result = "TLS 1.0"
+  or
+  protocolName = "tls11" and result = "TLS 1.1"
+}
+
+abstract class SecurityProtocol extends Expr {
+  abstract string getProtocolName();
+}
+
+/**
+ * A reference to a deprecated SecurityProtocolType enum value, e.g.
+ * [Net.SecurityProtocolType]::Ssl3
+ */
+class DeprecatedSecurityProtocolType extends SecurityProtocol {
+  string protocolName;
+
+  DeprecatedSecurityProtocolType() {
+    exists(API::Node node |
+      (
+        node =
+          API::getTopLevelMember("system")
+              .getMember("net")
+              .getMember("securityprotocoltype")
+              .getMember(protocolName)
+        or
+        node =
+          API::getTopLevelMember("net")
+              .getMember("securityprotocoltype")
+              .getMember(protocolName)
+      ) and
+      this = node.asSource().asExpr().getExpr()
+    )
+  }
+
+  override string getProtocolName() { result = protocolName }
+}
+
+/**
+ * A reference to a deprecated SslProtocols enum value, e.g.
+ * [System.Security.Authentication.SslProtocols]::Tls
+ */
+class DeprecatedSslProtocols extends SecurityProtocol {
+  string protocolName;
+
+  DeprecatedSslProtocols() {
+    exists(API::Node node |
+      node =
+        API::getTopLevelMember("system")
+            .getMember("security")
+            .getMember("authentication")
+            .getMember("sslprotocols")
+            .getMember(protocolName) and
+      this = node.asSource().asExpr().getExpr()
+    )
+  }
+
+  override string getProtocolName() { result = protocolName }
+}
+
+from SecurityProtocol sp, string protocolName
+where
+  protocolName = sp.getProtocolName() and 
+  protocolName = ["ssl3", "tls", "tls11"]
+select sp,
+  "Use of deprecated protocol " + getProtocolDisplayName(protocolName) +
+    ". Use TLS 1.2 or TLS 1.3 instead."

powershell/ql/src/queries/security/cwe-757/examples/DeprecatedTls/DeprecatedTlsBad.ps1

@@ -0,0 +1,8 @@
+# BAD: Using deprecated SSL 3.0
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Ssl3
+
+# BAD: Using deprecated TLS 1.0
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls
+
+# BAD: Using deprecated TLS 1.1
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls11

powershell/ql/src/queries/security/cwe-757/examples/DeprecatedTls/DeprecatedTlsGood.ps1

@@ -0,0 +1,5 @@
+# GOOD: Using TLS 1.2
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+
+# GOOD: Using TLS 1.3
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls13

powershell/ql/test/query-tests/security/cwe-089/test.ps1

@@ -138,4 +138,13 @@ $QueryConn3 = @{
 
 Invoke-Sqlcmd @QueryConn3 # GOOD
 
-&sqlcmd -e -S $userinput -U "Login" -P "MyPassword" -d "MyDBName" -i "input_file.sql" # GOOD
+&sqlcmd -e -S $userinput -U "Login" -P "MyPassword" -d "MyDBName" -i "input_file.sql" # GOOD
+
+function WithGuid {
+    PARAM([Parameter(Mandatory = $true)] [guid] $r)
+
+    $query = "SELECT * FROM MyTable WHERE MyColumn = '$r'"
+    Invoke-Sqlcmd -ServerInstance "MyServer" -Database "MyDatabase" -q $query # GOOD
+}
+
+WithGuid $userinput