C#: Only consider directly public auto implemented properties with public getters and setters as being tainted.

michaelnebel · michaelnebel · commit e1c7003cde08 · 2022-06-16T08:43:06.000+02:00
diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/Remote.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/Remote.qll
@@ -179,7 +179,12 @@ abstract class AspNetCoreRemoteFlowSource extends RemoteFlowSource { }
  */
 private class AspNetCoreRemoteFlowSourceMember extends TaintTracking::TaintedMember {
   AspNetCoreRemoteFlowSourceMember() {
-    this.getDeclaringType() = any(AspNetCoreRemoteFlowSource source).getType()
+    this.getDeclaringType() = any(AspNetCoreRemoteFlowSource source).getType() and
+    this.isPublic() and
+    not this.isStatic() and
+    exists(Property p | p = this |
+      p.isAutoImplemented() and p.getGetter().isPublic() and p.getSetter().isPublic()
+    )
   }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -179,7 +179,12 @@ abstract class AspNetCoreRemoteFlowSource extends RemoteFlowSource { }`
`179`	`179`	`*/`
`180`	`180`	`private class AspNetCoreRemoteFlowSourceMember extends TaintTracking::TaintedMember {`
`181`	`181`	`AspNetCoreRemoteFlowSourceMember() {`
`182`		`- this.getDeclaringType() = any(AspNetCoreRemoteFlowSource source).getType()`
	`182`	`+ this.getDeclaringType() = any(AspNetCoreRemoteFlowSource source).getType() and`
	`183`	`+ this.isPublic() and`
	`184`	`+ not this.isStatic() and`
	`185`	`+ exists(Property p \| p = this \|`
	`186`	`+ p.isAutoImplemented() and p.getGetter().isPublic() and p.getSetter().isPublic()`
	`187`	`+ )`
`183`	`188`	`}`
`184`	`189`	`}`
`185`	`190`