Updated to handle lambda statements (previously false negatives) + a couple of bug fixes.

raulgarciamsft · raulgarciamsft · commit 5a7b6532a9b4 · 2022-07-29T13:47:53.000-07:00
diff --git a/csharp/ql/src/experimental/Security Features/JsonWebTokenHandler/JsonWebTokenHandlerLib.qll b/csharp/ql/src/experimental/Security Features/JsonWebTokenHandler/JsonWebTokenHandlerLib.qll
@@ -18,7 +18,8 @@ class TokenValidationParametersPropertyWriteToBypassSensitiveValidation extends
       p.getAnAccess() = this and
       c.getAProperty() = p and
       p.getName() in [
-          "ValidateIssuer", "ValidateAudience", "ValidateLifetime", "RequireExpirationTime", "RequireAudience"
+          "ValidateIssuer", "ValidateAudience", "ValidateLifetime", "RequireExpirationTime",
+          "RequireAudience"
         ]
     )
   }
@@ -38,9 +39,9 @@ class FalseValueFlowsToTokenValidationParametersPropertyWriteToBypassValidation
   }
 
   override predicate isSink(DataFlow::Node sink) {
-    exists(Assignment a | 
-      sink.asExpr() = a.getRValue()
-      and a.getLValue() instanceof TokenValidationParametersPropertyWrite
+    exists(Assignment a |
+      sink.asExpr() = a.getRValue() and
+      a.getLValue() instanceof TokenValidationParametersPropertyWrite
     )
   }
 }
@@ -139,18 +140,28 @@ class TokenValidationParametersPropertyWriteToValidationDelegated extends Proper
  * Holds if the callable has a return statement and it always returns true for all such statements
  */
 predicate callableHasAReturnStmtAndAlwaysReturnsTrue(Callable c) {
-  c.getReturnType().toString() = "Boolean" and
+  c.getReturnType() instanceof BoolType and
+  not callableMayThrowException(c) and
   forall(ReturnStmt rs | rs.getEnclosingCallable() = c |
-    rs.getChildExpr(0).(BoolLiteral).getBoolValue() = true
+    rs.getNumberOfChildren() = 1 and
+    isExpressionAlwaysTrue(rs.getChildExpr(0))
   ) and
   exists(ReturnStmt rs | rs.getEnclosingCallable() = c)
 }
 
 /**
  * Holds if the lambda expression `le` always returns true
  */
-predicate lambdaExprReturnsOnlyLiteralTrue(LambdaExpr le) {
+predicate lambdaExprReturnsOnlyLiteralTrue(AnonymousFunctionExpr le) {
   le.getExpressionBody().(BoolLiteral).getBoolValue() = true
+  or
+  // special scenarios where the expression is not a `BoolLiteral`, but it will evaluatue to `true`
+  exists(Expr e | le.getExpressionBody() = e |
+    not e instanceof Call and
+    not e instanceof Literal and
+    e.getType() instanceof BoolType and
+    e.getValue() = "true"
+  )
 }
 
 class CallableAlwaysReturnsTrue extends Callable {
@@ -159,9 +170,12 @@ class CallableAlwaysReturnsTrue extends Callable {
     or
     lambdaExprReturnsOnlyLiteralTrue(this)
     or
-    exists(LambdaExpr le, Call call, CallableAlwaysReturnsTrue cat | this = le |
+    exists(AnonymousFunctionExpr le, Call call, CallableAlwaysReturnsTrue cat, Callable callable |
+      this = le
+    |
+      callable.getACall() = call and
       call = le.getExpressionBody() and
-      cat.getACall() = call
+      callableHasAReturnStmtAndAlwaysReturnsTrue(callable)
     )
   }
 }
@@ -188,10 +202,16 @@ class CallableAlwaysReturnsTrueHigherPrecision extends CallableAlwaysReturnsTrue
         callable instanceof CallableAlwaysReturnsTrueHigherPrecision
       )
       or
-      exists(LambdaExpr le, Call call, CallableAlwaysReturnsTrueHigherPrecision cat | this = le |
+      exists(AnonymousFunctionExpr le, Call call, CallableAlwaysReturnsTrueHigherPrecision cat |
+        this = le
+      |
         le.canReturn(call) and
         cat.getACall() = call
       )
+      or
+      exists(LambdaExpr le | le = this |
+        le.getBody() instanceof CallableAlwaysReturnsTrueHigherPrecision
+      )
     )
   }
 }
@@ -231,7 +251,7 @@ class CallableAlwaysReturnsParameter0 extends CallableReturnsStringAndArg0IsStri
     ) and
     exists(ReturnStmt rs | rs.getEnclosingCallable() = this)
     or
-    exists(LambdaExpr le, Call call, CallableAlwaysReturnsParameter0 cat | this = le |
+    exists(AnonymousFunctionExpr le, Call call, CallableAlwaysReturnsParameter0 cat | this = le |
       call = le.getExpressionBody() and
       cat.getACall() = call
     )
@@ -251,7 +271,9 @@ class CallableAlwaysReturnsParameter0MayThrowExceptions extends CallableReturnsS
     ) and
     exists(ReturnStmt rs | rs.getEnclosingCallable() = this)
     or
-    exists(LambdaExpr le, Call call, CallableAlwaysReturnsParameter0MayThrowExceptions cat |
+    exists(
+      AnonymousFunctionExpr le, Call call, CallableAlwaysReturnsParameter0MayThrowExceptions cat
+    |
       this = le
     |
       call = le.getExpressionBody() and
@@ -263,3 +285,31 @@ class CallableAlwaysReturnsParameter0MayThrowExceptions extends CallableReturnsS
     this.getBody() = this.getParameter(0).getAnAccess()
   }
 }
+
+/**
+ * Hold if the `Expr` e is a `BoolLiteral` with value true,
+ * the expression has a predictable value == `true`,
+ * or if it is a `ConditionalExpr` where the `then` and `else` expressions meet `isExpressionAlwaysTrue` criteria
+ */
+predicate isExpressionAlwaysTrue(Expr e) {
+  e.(BoolLiteral).getBoolValue() = true
+  or
+  e.(Expr).getValue() = "true"
+  or
+  e instanceof ConditionalExpr and
+  isExpressionAlwaysTrue(e.(ConditionalExpr).getThen()) and
+  isExpressionAlwaysTrue(e.(ConditionalExpr).getElse())
+  or
+  exists(Callable callable |
+    callableHasAReturnStmtAndAlwaysReturnsTrue(callable) and
+    callable.getACall() = e
+  )
+}
+
+/**
+ * Holds if the `Callable` c throws any exception other than `ThrowsArgumentNullException`
+ */
+predicate callableMayThrowException(Callable c) {
+  exists(ThrowStmt thre | c = thre.getEnclosingCallable()) and
+  not callableOnlyThrowsArgumentNullException(c)
+}
diff --git a/csharp/ql/src/experimental/Security Features/JsonWebTokenHandler/delegated-security-validations-always-return-true.ql b/csharp/ql/src/experimental/Security Features/JsonWebTokenHandler/delegated-security-validations-always-return-true.ql
@@ -19,6 +19,5 @@ from
   TokenValidationParametersPropertyWriteToValidationDelegated tv, Assignment a,
   CallableAlwaysReturnsTrueHigherPrecision e
 where a.getLValue() = tv and a.getRValue().getAChild*() = e
-select tv,
-  "JsonWebTokenHandler security-sensitive property $@ is being delegated to $@.",
-  tv, tv.getTarget().toString(), e, "a callable that always returns \"true\""
+select tv, "JsonWebTokenHandler security-sensitive property $@ is being delegated to $@.", tv,
+  tv.getTarget().toString(), e, "a callable that always returns \"true\""
diff --git a/csharp/ql/test/experimental/Security Features/JsonWebTokenHandler/delegated-security-validations-always-return-true.expected b/csharp/ql/test/experimental/Security Features/JsonWebTokenHandler/delegated-security-validations-always-return-true.expected
@@ -1,2 +1,7 @@
 | delegation-test.cs:101:13:101:59 | access to property LifetimeValidator | JsonWebTokenHandler security-sensitive property $@ is being delegated to $@. | delegation-test.cs:101:13:101:59 | access to property LifetimeValidator | LifetimeValidator | delegation-test.cs:101:63:101:186 | (...) => ... | a callable that always returns "true" |
 | delegation-test.cs:102:13:102:59 | access to property AudienceValidator | JsonWebTokenHandler security-sensitive property $@ is being delegated to $@. | delegation-test.cs:102:13:102:59 | access to property AudienceValidator | AudienceValidator | delegation-test.cs:102:63:102:178 | (...) => ... | a callable that always returns "true" |
+| delegation-test.cs:115:13:115:59 | access to property AudienceValidator | JsonWebTokenHandler security-sensitive property $@ is being delegated to $@. | delegation-test.cs:115:13:115:59 | access to property AudienceValidator | AudienceValidator | delegation-test.cs:115:63:115:190 | (...) => ... | a callable that always returns "true" |
+| delegation-test.cs:116:13:116:59 | access to property AudienceValidator | JsonWebTokenHandler security-sensitive property $@ is being delegated to $@. | delegation-test.cs:116:13:116:59 | access to property AudienceValidator | AudienceValidator | delegation-test.cs:116:63:116:180 | (...) => ... | a callable that always returns "true" |
+| delegation-test.cs:117:13:117:59 | access to property AudienceValidator | JsonWebTokenHandler security-sensitive property $@ is being delegated to $@. | delegation-test.cs:117:13:117:59 | access to property AudienceValidator | AudienceValidator | delegation-test.cs:117:63:117:217 | (...) => ... | a callable that always returns "true" |
+| delegation-test.cs:118:13:118:59 | access to property AudienceValidator | JsonWebTokenHandler security-sensitive property $@ is being delegated to $@. | delegation-test.cs:118:13:118:59 | access to property AudienceValidator | AudienceValidator | delegation-test.cs:118:63:118:248 | (...) => ... | a callable that always returns "true" |
+| delegation-test.cs:119:13:119:59 | access to property AudienceValidator | JsonWebTokenHandler security-sensitive property $@ is being delegated to $@. | delegation-test.cs:119:13:119:59 | access to property AudienceValidator | AudienceValidator | delegation-test.cs:119:63:119:177 | (...) => ... | a callable that always returns "true" |
diff --git a/csharp/ql/test/experimental/Security Features/JsonWebTokenHandler/delegation-test.cs b/csharp/ql/test/experimental/Security Features/JsonWebTokenHandler/delegation-test.cs
@@ -109,7 +109,29 @@ public void TestCase01()
                     return true;
                 };
 
+            tokenValidationParamsBaseline.LifetimeValidator = (notBefore, expires, securityToken, validationParameters) => ValidateLifetime02(securityToken, validationParameters); // GOOD
+            tokenValidationParamsBaseline.AudienceValidator = (IEnumerable<string> audiences, SecurityToken securityToken, TokenValidationParameters validationParameters) => {return securityToken is null?false:true; }; // GOOD
+            
+            tokenValidationParamsBaseline.AudienceValidator = (IEnumerable<string> audiences, SecurityToken securityToken, TokenValidationParameters validationParameters) => { return true; }; // BUG 
+            tokenValidationParamsBaseline.AudienceValidator = (IEnumerable<string> audiences, SecurityToken securityToken, TokenValidationParameters validationParameters) => !false ; // BUG
+            tokenValidationParamsBaseline.AudienceValidator = (IEnumerable<string> audiences, SecurityToken securityToken, TokenValidationParameters validationParameters) => { return securityToken is null?true:true; }; // BUG
+            tokenValidationParamsBaseline.AudienceValidator = (IEnumerable<string> audiences, SecurityToken securityToken, TokenValidationParameters validationParameters) => { return ValidateLifetimeAlwaysTrue(securityToken, validationParameters);}; //BUG
+            tokenValidationParamsBaseline.AudienceValidator = (audiences, securityToken, validationParameters) => ValidateLifetimeAlwaysTrue(securityToken, validationParameters); //BUG
+
+        }
+
+        internal static bool ValidateLifetime02(
+            SecurityToken token,
+            TokenValidationParameters validationParameters)
+        {
+            return token is null?false:true;
         }
 
+        internal static bool ValidateLifetimeAlwaysTrue02(
+            SecurityToken token,
+            TokenValidationParameters validationParameters)
+        {
+            return !false;
+        }
     }
 }
