Merge pull request #12829 from michaelnebel/csharp/refactordataflow4

C#: Re-factor tainttracking and dataflow configurations to use the new API.

Author: michaelnebel

csharp/ql/lib/semmle/code/csharp/frameworks/Sql.qll

@@ -52,23 +52,24 @@ class IDbCommandConstructionSqlExpr extends SqlExpr, ObjectCreation {
 class DapperCommandDefinitionMethodCallSqlExpr extends SqlExpr, ObjectCreation {
   DapperCommandDefinitionMethodCallSqlExpr() {
     this.getObjectType() instanceof Dapper::CommandDefinitionStruct and
-    exists(Conf c | c.hasFlow(DataFlow::exprNode(this), _))
+    DapperCommandDefinitionMethodCallSql::flow(DataFlow::exprNode(this), _)
   }
 
   override Expr getSql() { result = this.getArgumentForName("commandText") }
 }
 
-private class Conf extends DataFlow4::Configuration {
-  Conf() { this = "DapperCommandDefinitionFlowConfig" }
-
-  override predicate isSource(DataFlow::Node node) {
+private module DapperCommandDefitionMethodCallSqlConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node node) {
     node.asExpr().(ObjectCreation).getObjectType() instanceof Dapper::CommandDefinitionStruct
   }
 
-  override predicate isSink(DataFlow::Node node) {
+  predicate isSink(DataFlow::Node node) {
     exists(MethodCall mc |
       mc.getTarget() = any(Dapper::SqlMapperClass c).getAQueryMethod() and
       node.asExpr() = mc.getArgumentForName("command")
     )
   }
 }
+
+private module DapperCommandDefinitionMethodCallSql =
+  DataFlow::Global<DapperCommandDefitionMethodCallSqlConfig>;

csharp/ql/lib/semmle/code/csharp/frameworks/system/Xml.qll

@@ -162,18 +162,14 @@ class XmlReaderSettingsCreation extends ObjectCreation {
   }
 }
 
-private class SettingsDataFlowConfig extends DataFlow3::Configuration {
-  SettingsDataFlowConfig() { this = "SettingsDataFlowConfig" }
+private module SettingsDataFlowConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source.asExpr() instanceof XmlReaderSettingsCreation }
 
-  override predicate isSource(DataFlow::Node source) {
-    source.asExpr() instanceof XmlReaderSettingsCreation
-  }
-
-  override predicate isSink(DataFlow::Node sink) {
-    sink.asExpr() instanceof XmlReaderSettingsInstance
-  }
+  predicate isSink(DataFlow::Node sink) { sink.asExpr() instanceof XmlReaderSettingsInstance }
 }
 
+private module SettingsDataFlow = DataFlow::Global<SettingsDataFlowConfig>;
+
 /** A call to `XmlReader.Create`. */
 class XmlReaderCreateCall extends MethodCall {
   XmlReaderCreateCall() { this.getTarget() = any(SystemXmlXmlReaderClass r).getCreateMethod() }
@@ -190,8 +186,6 @@ class XmlReaderSettingsInstance extends Expr {
 
   /** Gets a possible creation point for this instance of `XmlReaderSettings`. */
   XmlReaderSettingsCreation getASettingsCreation() {
-    exists(SettingsDataFlowConfig settingsFlow |
-      settingsFlow.hasFlow(DataFlow::exprNode(result), DataFlow::exprNode(this))
-    )
+    SettingsDataFlow::flow(DataFlow::exprNode(result), DataFlow::exprNode(this))
   }
 }

csharp/ql/lib/semmle/code/csharp/security/dataflow/ReDoSQuery.qll

@@ -78,26 +78,40 @@ predicate isExponentialRegex(StringLiteral s) {
 }
 
 /**
+ * DEPRECATED: Use `ExponentialRegexDataflow` instead.
+ *
  * A data flow configuration for tracking exponential worst case time regular expression string
  * literals to the pattern argument of a regex.
  */
-class ExponentialRegexDataflow extends DataFlow2::Configuration {
+deprecated class ExponentialRegexDataflow extends DataFlow2::Configuration {
   ExponentialRegexDataflow() { this = "ExponentialRegex" }
 
   override predicate isSource(DataFlow::Node s) { isExponentialRegex(s.asExpr()) }
 
   override predicate isSink(DataFlow::Node s) { s.asExpr() = any(RegexOperation c).getPattern() }
 }
 
+/**
+ * A data flow configuration for tracking exponential worst case time regular expression string
+ * literals to the pattern argument of a regex.
+ */
+private module ExponentialRegexDataFlowConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node s) { isExponentialRegex(s.asExpr()) }
+
+  predicate isSink(DataFlow::Node s) { s.asExpr() = any(RegexOperation c).getPattern() }
+}
+
+module ExponentialRegexDataFlow = DataFlow::Global<ExponentialRegexDataFlowConfig>;
+
 /**
  * An expression passed as the `input` to a call to a `Regex` method, where the regex appears to
  * have exponential behavior.
  */
 class ExponentialRegexSink extends DataFlow::ExprNode, Sink {
   ExponentialRegexSink() {
-    exists(ExponentialRegexDataflow regexDataflow, RegexOperation regexOperation |
+    exists(RegexOperation regexOperation |
       // Exponential regex flows to the pattern argument
-      regexDataflow.hasFlow(_, DataFlow::exprNode(regexOperation.getPattern()))
+      ExponentialRegexDataFlow::flow(_, DataFlow::exprNode(regexOperation.getPattern()))
     |
       // This is used as an input for this pattern
       this.getExpr() = regexOperation.getInput() and

csharp/ql/lib/semmle/code/csharp/security/dataflow/UnsafeDeserializationQuery.qll

@@ -75,9 +75,11 @@ class JsonConvertTrackingConfig extends TaintTracking::Configuration {
 }
 
 /**
+ * DEPRECATED: Use `TypeNameTracking` instead.
+ *
  * Tracks unsafe `TypeNameHandling` setting to `JsonConvert` call
  */
-class TypeNameTrackingConfig extends DataFlow::Configuration {
+deprecated class TypeNameTrackingConfig extends DataFlow::Configuration {
   TypeNameTrackingConfig() { this = "TypeNameTrackingConfig" }
 
   override predicate isSource(DataFlow::Node source) {
@@ -127,6 +129,62 @@ class TypeNameTrackingConfig extends DataFlow::Configuration {
   }
 }
 
+/**
+ * Configuration module for tracking unsafe `TypeNameHandling` setting to `JsonConvert` calls.
+ */
+private module TypeNameTrackingConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
+    (
+      source.asExpr() instanceof MemberConstantAccess and
+      source.getType() instanceof TypeNameHandlingEnum
+      or
+      source.asExpr() instanceof IntegerLiteral
+    ) and
+    source.asExpr().hasValue() and
+    not source.asExpr().getValue() = "0"
+  }
+
+  predicate isSink(DataFlow::Node sink) {
+    exists(MethodCall mc, Method m, Expr expr |
+      m = mc.getTarget() and
+      (
+        not mc.getArgument(0).hasValue() and
+        m instanceof NewtonsoftJsonConvertClassDeserializeObjectMethod
+      ) and
+      expr = mc.getAnArgument() and
+      sink.asExpr() = expr and
+      expr.getType() instanceof JsonSerializerSettingsClass
+    )
+  }
+
+  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    node1.asExpr() instanceof IntegerLiteral and
+    node2.asExpr().(CastExpr).getExpr() = node1.asExpr()
+    or
+    node1.getType() instanceof TypeNameHandlingEnum and
+    exists(PropertyWrite pw, Property p, Assignment a |
+      a.getLValue() = pw and
+      pw.getProperty() = p and
+      p.getDeclaringType() instanceof JsonSerializerSettingsClass and
+      p.hasName("TypeNameHandling") and
+      (
+        node1.asExpr() = a.getRValue() and
+        node2.asExpr() = pw.getQualifier()
+        or
+        exists(ObjectInitializer oi |
+          node1.asExpr() = oi.getAMemberInitializer().getRValue() and
+          node2.asExpr() = oi
+        )
+      )
+    )
+  }
+}
+
+/**
+ * Configuration module for tracking unsafe `TypeNameHandling` setting to `JsonConvert` calls.
+ */
+module TypeNameTracking = DataFlow::Global<TypeNameTrackingConfig>;
+
 /**
  * User input to static method or constructor call deserialization flow tracking.
  */

csharp/ql/lib/semmle/code/csharp/security/xml/InsecureXMLQuery.qll

@@ -172,26 +172,24 @@ module XmlReader {
       isNetFrameworkBefore(this.(MethodCall).getTarget().getDeclaringType(), "4.0")
       or
       // bad settings flow here
-      exists(SettingsDataFlowConfig flow, ObjectCreation settings |
-        flow.hasFlow(DataFlow::exprNode(settings), DataFlow::exprNode(this.getSettings())) and
+      exists(ObjectCreation settings |
+        SettingsDataFlow::flow(DataFlow::exprNode(settings), DataFlow::exprNode(this.getSettings())) and
         XmlSettings::dtdEnabledSettings(settings, evidence, reason)
       )
     }
 
     private predicate insecureResolver(string reason, Expr evidence) {
       // bad settings flow here
-      exists(SettingsDataFlowConfig flow, ObjectCreation settings |
-        flow.hasFlow(DataFlow::exprNode(settings), DataFlow::exprNode(this.getSettings())) and
+      exists(ObjectCreation settings |
+        SettingsDataFlow::flow(DataFlow::exprNode(settings), DataFlow::exprNode(this.getSettings())) and
         XmlSettings::insecureResolverSettings(settings, evidence, reason)
       )
       // default is secure
     }
   }
 
-  private class SettingsDataFlowConfig extends DataFlow2::Configuration {
-    SettingsDataFlowConfig() { this = "SettingsDataFlowConfig" }
-
-    override predicate isSource(DataFlow::Node source) {
+  private module SettingsDataFlowConfig implements DataFlow::ConfigSig {
+    predicate isSource(DataFlow::Node source) {
       // flow from places where we construct an XmlReaderSettings
       source
           .asExpr()
@@ -202,10 +200,12 @@ module XmlReader {
           .hasQualifiedName("System.Xml", "XmlReaderSettings")
     }
 
-    override predicate isSink(DataFlow::Node sink) {
+    predicate isSink(DataFlow::Node sink) {
       sink.asExpr() = any(InsecureXmlReaderCreate create).getSettings()
     }
   }
+
+  private module SettingsDataFlow = DataFlow::Global<SettingsDataFlowConfig>;
 }
 
 /** Provides predicates related to `System.Xml.XmlTextReader`. */

csharp/ql/src/Language Abuse/ForeachCapture.ql

@@ -37,19 +37,19 @@ predicate inForeachStmtBody(ForeachStmt loop, Element e) {
   )
 }
 
-class LambdaDataFlowConfiguration extends DataFlow::Configuration {
-  LambdaDataFlowConfiguration() { this = "LambdaDataFlowConfiguration" }
+module LambdaDataFlowConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { lambdaCapturesLoopVariable(source.asExpr(), _, _) }
 
-  override predicate isSource(DataFlow::Node source) {
-    lambdaCapturesLoopVariable(source.asExpr(), _, _)
-  }
+  predicate isSink(DataFlow::Node sink) { exists(getAssignmentTarget(sink.asExpr())) }
+}
 
-  override predicate isSink(DataFlow::Node sink) { exists(getAssignmentTarget(sink.asExpr())) }
+module LambdaDataFlow {
+  private import DataFlow::Global<LambdaDataFlowConfig>
 
   predicate capturesLoopVarAndIsStoredIn(
     AnonymousFunctionExpr lambda, Variable loopVar, Element storage
   ) {
-    exists(DataFlow::Node sink | this.hasFlow(DataFlow::exprNode(lambda), sink) |
+    exists(DataFlow::Node sink | flow(DataFlow::exprNode(lambda), sink) |
       storage = getAssignmentTarget(sink.asExpr())
     ) and
     exists(ForeachStmt loop | lambdaCapturesLoopVariable(lambda, loop, loopVar) |
@@ -109,7 +109,7 @@ predicate declaredInsideLoop(ForeachStmt loop, LocalVariable v) {
   )
 }
 
-from LambdaDataFlowConfiguration c, AnonymousFunctionExpr lambda, Variable loopVar, Element storage
-where c.capturesLoopVarAndIsStoredIn(lambda, loopVar, storage)
+from AnonymousFunctionExpr lambda, Variable loopVar, Element storage
+where LambdaDataFlow::capturesLoopVarAndIsStoredIn(lambda, loopVar, storage)
 select lambda, "Function which may be stored in $@ captures variable $@.", storage,
   storage.toString(), loopVar, loopVar.getName()

csharp/ql/src/Security Features/CWE-327/DontInstallRootCert.ql

@@ -12,12 +12,10 @@
 
 import csharp
 import semmle.code.csharp.dataflow.DataFlow::DataFlow
-import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph
+import AddCertToRootStore::PathGraph
 
-class AddCertToRootStoreConfig extends DataFlow::Configuration {
-  AddCertToRootStoreConfig() { this = "Adding Certificate To Root Store" }
-
-  override predicate isSource(DataFlow::Node source) {
+module AddCertToRootStoreConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
     exists(ObjectCreation oc | oc = source.asExpr() |
       oc.getType()
           .(RefType)
@@ -26,7 +24,7 @@ class AddCertToRootStoreConfig extends DataFlow::Configuration {
     )
   }
 
-  override predicate isSink(DataFlow::Node sink) {
+  predicate isSink(DataFlow::Node sink) {
     exists(MethodCall mc |
       (
         mc.getTarget()
@@ -40,6 +38,8 @@ class AddCertToRootStoreConfig extends DataFlow::Configuration {
   }
 }
 
-from DataFlow::PathNode oc, DataFlow::PathNode mc, AddCertToRootStoreConfig config
-where config.hasFlowPath(oc, mc)
+module AddCertToRootStore = DataFlow::Global<AddCertToRootStoreConfig>;
+
+from AddCertToRootStore::PathNode oc, AddCertToRootStore::PathNode mc
+where AddCertToRootStore::flowPath(oc, mc)
 select mc.getNode(), oc, mc, "This certificate is added to the root certificate store."

csharp/ql/src/Security Features/CWE-327/InsecureSQLConnection.ql

@@ -11,23 +11,21 @@
  */
 
 import csharp
-import DataFlow::PathGraph
+import InsecureSqlConnection::PathGraph
 
 /**
  * A data flow configuration for tracking strings passed to `SqlConnection[StringBuilder]` instances.
  */
-class TaintTrackingConfiguration extends DataFlow::Configuration {
-  TaintTrackingConfiguration() { this = "TaintTrackingConfiguration" }
-
-  override predicate isSource(DataFlow::Node source) {
+module InsecureSqlConnectionConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
     exists(string s | s = source.asExpr().(StringLiteral).getValue().toLowerCase() |
       s.matches("%encrypt=false%")
       or
       not s.matches("%encrypt=%")
     )
   }
 
-  override predicate isSink(DataFlow::Node sink) {
+  predicate isSink(DataFlow::Node sink) {
     exists(ObjectCreation oc |
       oc.getRuntimeArgument(0) = sink.asExpr() and
       (
@@ -39,8 +37,13 @@ class TaintTrackingConfiguration extends DataFlow::Configuration {
   }
 }
 
-from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
-where c.hasFlowPath(source, sink)
+/**
+ * A data flow configuration for tracking strings passed to `SqlConnection[StringBuilder]` instances.
+ */
+module InsecureSqlConnection = DataFlow::Global<InsecureSqlConnectionConfig>;
+
+from InsecureSqlConnection::PathNode source, InsecureSqlConnection::PathNode sink
+where InsecureSqlConnection::flowPath(source, sink)
 select sink.getNode(), source, sink,
   "$@ flows to this SQL connection and does not specify `Encrypt=True`.", source.getNode(),
   "Connection string"

csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql

@@ -48,12 +48,9 @@ where
   )
   or
   // JsonConvert static method call, but with additional unsafe typename tracking
-  exists(
-    JsonConvertTrackingConfig taintTrackingJsonConvert, TypeNameTrackingConfig typenameTracking,
-    DataFlow::Node settingsCallArg
-  |
+  exists(JsonConvertTrackingConfig taintTrackingJsonConvert, DataFlow::Node settingsCallArg |
     taintTrackingJsonConvert.hasFlowPath(userInput, deserializeCallArg) and
-    typenameTracking.hasFlow(_, settingsCallArg) and
+    TypeNameTracking::flow(_, settingsCallArg) and
     deserializeCallArg.getNode().asExpr().getParent() = settingsCallArg.asExpr().getParent()
   )
 select deserializeCallArg, userInput, deserializeCallArg, "$@ flows to unsafe deserializer.",

csharp/ql/src/experimental/Security Features/CWE-1004/CookieWithoutHttpOnly.ql

@@ -38,11 +38,8 @@ where
             // there is no callback `OnAppendCookie` that sets `HttpOnly` to true
             not exists(OnAppendCookieHttpOnlyTrackingConfig config | config.hasFlowTo(_)) and
             // Passed as third argument to `IResponseCookies.Append`
-            exists(
-              CookieOptionsTrackingConfiguration cookieTracking, DataFlow::Node creation,
-              DataFlow::Node append
-            |
-              cookieTracking.hasFlow(creation, append) and
+            exists(DataFlow::Node creation, DataFlow::Node append |
+              CookieOptionsTracking::flow(creation, append) and
               creation.asExpr() = oc and
               append.asExpr() = mc.getArgument(2)
             )
@@ -79,8 +76,8 @@ where
             oc = c and
             oc.getType() instanceof MicrosoftAspNetCoreHttpCookieOptions and
             not isPropertySet(oc, "HttpOnly") and
-            exists(CookieOptionsTrackingConfiguration cookieTracking, DataFlow::Node creation |
-              cookieTracking.hasFlow(creation, _) and
+            exists(DataFlow::Node creation |
+              CookieOptionsTracking::flow(creation, _) and
               creation.asExpr() = oc
             )
           )