C#: Consider FileStreams StoredFlowSources and propagate taint via StreamReader.

michaelnebel · michaelnebel · commit f1cc7bb60ccf · 2022-08-10T11:08:27.000+02:00
diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/ExternalFlow.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/ExternalFlow.qll
@@ -383,7 +383,7 @@ module CsvValidation {
     or
     exists(string row, string kind | sourceModel(row) |
       kind = row.splitAt(";", 7) and
-      not kind = "local" and
+      not kind = ["local", "file"] and
       msg = "Invalid kind \"" + kind + "\" in source model."
     )
   }
diff --git a/csharp/ql/lib/semmle/code/csharp/frameworks/system/IO.qll b/csharp/ql/lib/semmle/code/csharp/frameworks/system/IO.qll
@@ -179,6 +179,7 @@ class SystemIOMemoryStreamClass extends SystemIOClass {
   }
 }
 
+/** Data flow for `System.IO.MemoryStream`. */
 private class SystemIOMemoryStreamFlowModelCsv extends SummaryModelCsv {
   override predicate row(string row) {
     row =
@@ -192,3 +193,17 @@ private class SystemIOMemoryStreamFlowModelCsv extends SummaryModelCsv {
       ]
   }
 }
+
+/** Sources for `System.IO.FileStream`. */
+private class SystemIOFileStreamSourceModelCsv extends SourceModelCsv {
+  override predicate row(string row) {
+    row = "System.IO;FileStream;false;FileStream;;;Argument[Qualifier];file;manual"
+  }
+}
+
+/** Data flow for `System.IO.StreamReader`. */
+private class SystemIOStreamSummaryModelCsv extends SummaryModelCsv {
+  override predicate row(string row) {
+    row = "System.IO;StreamReader;false;StreamReader;;;Argument[0];Argument[Qualifier];taint;manual"
+  }
+}
diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/Stored.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/Stored.qll
@@ -3,6 +3,7 @@
  */
 
 import csharp
+private import semmle.code.csharp.dataflow.ExternalFlow
 private import semmle.code.csharp.frameworks.system.data.Common
 private import semmle.code.csharp.frameworks.system.data.Entity
 private import semmle.code.csharp.frameworks.EntityFramework
@@ -55,3 +56,8 @@ class ORMMappedProperty extends StoredFlowSource {
     this instanceof NHibernate::StoredFlowSource
   }
 }
+
+/** A file stream source is considered a stored flow source. */
+class FileStreamStoredFlowSource extends StoredFlowSource {
+  FileStreamStoredFlowSource() { sourceNode(this, "file") }
+}

Original file line number	Diff line number	Diff line change
`@@ -383,7 +383,7 @@ module CsvValidation {`
`383`	`383`	`or`
`384`	`384`	`exists(string row, string kind \| sourceModel(row) \|`
`385`	`385`	`kind = row.splitAt(";", 7) and`
`386`		`- not kind = "local" and`
	`386`	`+ not kind = ["local", "file"] and`
`387`	`387`	`msg = "Invalid kind \"" + kind + "\" in source model."`
`388`	`388`	`)`
`389`	`389`	`}`
Original file line number	Diff line number	Diff line change
`@@ -179,6 +179,7 @@ class SystemIOMemoryStreamClass extends SystemIOClass {`
`179`	`179`	`}`
`180`	`180`	`}`
`181`	`181`
	`182`	+/** Data flow for `System.IO.MemoryStream`. */
`182`	`183`	`private class SystemIOMemoryStreamFlowModelCsv extends SummaryModelCsv {`
`183`	`184`	`override predicate row(string row) {`
`184`	`185`	`row =`
`@@ -192,3 +193,17 @@ private class SystemIOMemoryStreamFlowModelCsv extends SummaryModelCsv {`
`192`	`193`	`]`
`193`	`194`	`}`
`194`	`195`	`}`
	`196`	`+`
	`197`	+/** Sources for `System.IO.FileStream`. */
	`198`	`+private class SystemIOFileStreamSourceModelCsv extends SourceModelCsv {`
	`199`	`+ override predicate row(string row) {`
	`200`	`+ row = "System.IO;FileStream;false;FileStream;;;Argument[Qualifier];file;manual"`
	`201`	`+ }`
	`202`	`+}`
	`203`	`+`
	`204`	+/** Data flow for `System.IO.StreamReader`. */
	`205`	`+private class SystemIOStreamSummaryModelCsv extends SummaryModelCsv {`
	`206`	`+ override predicate row(string row) {`
	`207`	`+ row = "System.IO;StreamReader;false;StreamReader;;;Argument[0];Argument[Qualifier];taint;manual"`
	`208`	`+ }`
	`209`	`+}`