Merge pull request #15359 from egregius313/egregius313/csharp/dataflow/threat-modeling/add-threatmodelflowsource

C#: Threat Modeling - Introduce `ThreatModelFlowSource`

Author: egregius313

csharp/ql/lib/change-notes/2024-01-17-introduce-threatmodelflowsource.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added a new library `semmle.code.csharp.security.dataflow.flowsources.FlowSources`, which provides a new class `ThreatModelFlowSource`. The `ThreatModelFlowSource` class can be used to include sources which match the current *threat model* configuration.

csharp/ql/lib/qlpack.yml

@@ -10,6 +10,7 @@ dependencies:
   codeql/dataflow: ${workspace}
   codeql/mad: ${workspace}
   codeql/ssa: ${workspace}
+  codeql/threat-models: ${workspace}
   codeql/tutorial: ${workspace}
   codeql/util: ${workspace}
 dataExtensions:

csharp/ql/lib/semmle/code/csharp/frameworks/EntityFramework.qll

@@ -12,6 +12,7 @@ private import semmle.code.csharp.frameworks.Sql
 private import semmle.code.csharp.dataflow.internal.FlowSummaryImpl::Public
 private import semmle.code.csharp.dataflow.internal.FlowSummaryImpl::Private
 private import semmle.code.csharp.dataflow.internal.DataFlowPrivate as DataFlowPrivate
+private import semmle.code.csharp.security.dataflow.flowsources.Stored as Stored
 
 /**
  * Definitions relating to the `System.ComponentModel.DataAnnotations`
@@ -44,7 +45,7 @@ module EntityFramework {
   }
 
   /** A taint source where the data has come from a mapped property stored in the database. */
-  class StoredFlowSource extends DataFlow::Node {
+  class StoredFlowSource extends Stored::DatabaseInputSource {
     StoredFlowSource() {
       this.asExpr() = any(PropertyRead read | read.getTarget() instanceof MappedProperty)
     }

csharp/ql/lib/semmle/code/csharp/frameworks/NHibernate.qll

@@ -6,6 +6,7 @@ import csharp
 private import semmle.code.csharp.frameworks.System
 private import semmle.code.csharp.frameworks.system.Collections
 private import semmle.code.csharp.frameworks.Sql
+private import semmle.code.csharp.security.dataflow.flowsources.Stored as Stored
 
 /** Definitions relating to the `NHibernate` package. */
 module NHibernate {
@@ -86,7 +87,7 @@ module NHibernate {
   }
 
   /** A taint source where the data has come from a mapped property stored in the database. */
-  class StoredFlowSource extends DataFlow::Node {
+  class StoredFlowSource extends Stored::DatabaseInputSource {
     StoredFlowSource() {
       this.asExpr() = any(PropertyRead read | read.getTarget() instanceof MappedProperty)
     }

csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/FlowSources.qll

@@ -0,0 +1,31 @@
+/** Provides classes representing various flow sources for taint tracking. */
+
+private import semmle.code.csharp.dataflow.internal.ExternalFlow
+private import codeql.threatmodels.ThreatModels
+import semmle.code.csharp.security.dataflow.flowsources.Remote
+import semmle.code.csharp.security.dataflow.flowsources.Local
+import semmle.code.csharp.security.dataflow.flowsources.Stored
+
+/**
+ * A data flow source.
+ */
+abstract class SourceNode extends DataFlow::Node {
+  /**
+   * Gets a string that represents the source kind with respect to threat modeling.
+   */
+  abstract string getThreatModel();
+}
+
+/**
+ * A class of data flow sources that respects the
+ * current threat model configuration.
+ */
+class ThreatModelFlowSource extends DataFlow::Node {
+  ThreatModelFlowSource() {
+    exists(string kind |
+      // Specific threat model.
+      currentThreatModel(kind) and
+      (this.(SourceNode).getThreatModel() = kind or sourceNode(this, kind))
+    )
+  }
+}

csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/Local.qll

@@ -5,11 +5,14 @@
 import csharp
 private import semmle.code.csharp.frameworks.system.windows.Forms
 private import semmle.code.csharp.dataflow.internal.ExternalFlow
+private import semmle.code.csharp.security.dataflow.flowsources.FlowSources
 
 /** A data flow source of local data. */
-abstract class LocalFlowSource extends DataFlow::Node {
+abstract class LocalFlowSource extends SourceNode {
   /** Gets a string that describes the type of this local flow source. */
   abstract string getSourceType();
+
+  override string getThreatModel() { result = "local" }
 }
 
 private class ExternalLocalFlowSource extends LocalFlowSource {

csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/Remote.qll

@@ -13,11 +13,14 @@ private import semmle.code.csharp.frameworks.WCF
 private import semmle.code.csharp.frameworks.microsoft.Owin
 private import semmle.code.csharp.frameworks.microsoft.AspNetCore
 private import semmle.code.csharp.dataflow.internal.ExternalFlow
+private import semmle.code.csharp.security.dataflow.flowsources.FlowSources
 
 /** A data flow source of remote user input. */
-abstract class RemoteFlowSource extends DataFlow::Node {
+abstract class RemoteFlowSource extends SourceNode {
   /** Gets a string that describes the type of this remote flow source. */
   abstract string getSourceType();
+
+  override string getThreatModel() { result = "remote" }
 }
 
 /**

csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/Stored.qll

@@ -9,15 +9,25 @@ private import semmle.code.csharp.frameworks.system.data.Entity
 private import semmle.code.csharp.frameworks.EntityFramework
 private import semmle.code.csharp.frameworks.NHibernate
 private import semmle.code.csharp.frameworks.Sql
+private import semmle.code.csharp.security.dataflow.flowsources.FlowSources
 
 /** A data flow source of stored user input. */
-abstract class StoredFlowSource extends DataFlow::Node { }
+abstract class StoredFlowSource extends SourceNode {
+  override string getThreatModel() { result = "local" }
+}
+
+/**
+ * A node with input from a database.
+ */
+abstract class DatabaseInputSource extends StoredFlowSource {
+  override string getThreatModel() { result = "database" }
+}
 
 /**
  * An expression that has a type of `DbRawSqlQuery`, representing the result of an Entity Framework
  * SqlQuery.
  */
-class DbRawSqlStoredFlowSource extends StoredFlowSource {
+class DbRawSqlStoredFlowSource extends DatabaseInputSource {
   DbRawSqlStoredFlowSource() {
     this.asExpr().getType() instanceof SystemDataEntityInfrastructure::DbRawSqlQuery
   }
@@ -27,30 +37,34 @@ class DbRawSqlStoredFlowSource extends StoredFlowSource {
  * An expression that has a type of `DbDataReader` or a sub-class, representing the result of a
  * data command.
  */
-class DbDataReaderStoredFlowSource extends StoredFlowSource {
+class DbDataReaderStoredFlowSource extends DatabaseInputSource {
   DbDataReaderStoredFlowSource() {
     this.asExpr().getType() = any(SystemDataCommon::DbDataReader dataReader).getASubType*()
   }
 }
 
 /** An expression that accesses a method of `DbDataReader` or a sub-class. */
-class DbDataReaderMethodStoredFlowSource extends StoredFlowSource {
+class DbDataReaderMethodStoredFlowSource extends DatabaseInputSource {
   DbDataReaderMethodStoredFlowSource() {
     this.asExpr().(MethodCall).getTarget().getDeclaringType() =
       any(SystemDataCommon::DbDataReader dataReader).getASubType*()
   }
 }
 
 /** An expression that accesses a property of `DbDataReader` or a sub-class. */
-class DbDataReaderPropertyStoredFlowSource extends StoredFlowSource {
+class DbDataReaderPropertyStoredFlowSource extends DatabaseInputSource {
   DbDataReaderPropertyStoredFlowSource() {
     this.asExpr().(PropertyAccess).getTarget().getDeclaringType() =
       any(SystemDataCommon::DbDataReader dataReader).getASubType*()
   }
 }
 
-/** A read of a mapped property. */
-class ORMMappedProperty extends StoredFlowSource {
+/**
+ * DEPRECATED: Use `EntityFramework::StoredFlowSource` and `NHibernate::StoredFlowSource` instead.
+ *
+ * A read of a mapped property.
+ */
+deprecated class ORMMappedProperty extends DataFlow::Node {
   ORMMappedProperty() {
     this instanceof EntityFramework::StoredFlowSource or
     this instanceof NHibernate::StoredFlowSource
@@ -60,4 +74,6 @@ class ORMMappedProperty extends StoredFlowSource {
 /** A file stream source is considered a stored flow source. */
 class FileStreamStoredFlowSource extends StoredFlowSource {
   FileStreamStoredFlowSource() { sourceNode(this, "file") }
+
+  override string getThreatModel() { result = "file" }
 }

csharp/ql/test/library-tests/dataflow/threat-models/Test.cs

@@ -0,0 +1,68 @@
+using System.Net.Sockets;
+using System.Data.SqlClient;
+
+namespace My.Qltest
+{
+    public class Test
+    {
+        private TestSources Sources = new TestSources();
+
+        private SqlConnection Connection => throw null;
+
+        private string BytesToString(byte[] bytes)
+        {
+            // Encode bytes to a UTF8 string.
+            return System.Text.Encoding.UTF8.GetString(bytes);
+        }
+
+        public void M1()
+        {
+            // Only a source if "remote" is a selected threat model.
+            // This is included in the "default" threat model.
+            using TcpClient client = new TcpClient("localhost", 1234);
+            using NetworkStream stream = client.GetStream();
+            byte[] buffer = new byte[1024];
+            int bytesRead = stream.Read(buffer, 0, buffer.Length);
+
+            // SQL sink
+            var command = new SqlCommand("SELECT * FROM Users WHERE Username = '" + BytesToString(buffer) + "'", Connection);
+        }
+
+        public void M2()
+        {
+            // Only a source if "database" is a selected threat model.
+            string result = Sources.ExecuteQuery("SELECT * FROM foo");
+
+            // SQL sink
+            var command = new SqlCommand("SELECT * FROM Users WHERE Username = '" + result + "'", Connection);
+        }
+
+        public void M3()
+        {
+            // Only a source if "environment" is a selected threat model.
+            string result = Sources.ReadEnv("foo");
+
+            // SQL sink
+            var command = new SqlCommand("SELECT * FROM Users WHERE Username = '" + result + "'", Connection);
+
+        }
+
+        public void M4()
+        {
+            // Only a source if "custom" is a selected threat model.
+            string result = Sources.GetCustom("foo");
+
+            // SQL sink
+            var command = new SqlCommand("SELECT * FROM Users WHERE Username = '" + result + "'", Connection);
+        }
+
+        public void M5()
+        {
+            // Only a source if "commandargs" is a selected threat model.
+            string result = Sources.GetCliArg(0);
+
+            // SQL sink
+            var command = new SqlCommand("SELECT * FROM Users WHERE Username = '" + result + "'", Connection);
+        }
+    }
+}

csharp/ql/test/library-tests/dataflow/threat-models/Test.qll

@@ -0,0 +1,12 @@
+private import csharp
+private import semmle.code.csharp.dataflow.DataFlow
+private import semmle.code.csharp.dataflow.internal.ExternalFlow
+private import semmle.code.csharp.security.dataflow.flowsources.FlowSources
+
+private module ThreatModelConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
+
+  predicate isSink(DataFlow::Node sink) { sinkNode(sink, _) }
+}
+
+module ThreatModel = TaintTracking::Global<ThreatModelConfig>;