Merge pull request #10554 from michaelnebel/csharp/datetime-sanitizer

C#: Consider DateTime as simple type sanitizer.

Author: michaelnebel

csharp/ql/lib/change-notes/2022-09-23-simpletypesanitizer.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* `DateTime` expressions are now considered simple type sanitizers. This affects a wide range of security queries.

csharp/ql/lib/semmle/code/csharp/security/Sanitizers.qll

@@ -54,7 +54,12 @@ class UrlSanitizedExpr extends Expr {
  * An expression node with a simple type.
  */
 class SimpleTypeSanitizedExpr extends DataFlow::ExprNode {
-  SimpleTypeSanitizedExpr() { this.getType() instanceof SimpleType }
+  SimpleTypeSanitizedExpr() {
+    exists(Type t | t = this.getType() |
+      t instanceof SimpleType or
+      t instanceof SystemDateTimeStruct
+    )
+  }
 }
 
 /**

csharp/ql/test/query-tests/Security Features/CWE-117/LogForging.expected

@@ -4,12 +4,16 @@ edges
 | LogForging.cs:17:27:17:49 | access to property QueryString : NameValueCollection | LogForging.cs:26:50:26:72 | ... + ... |
 | LogForging.cs:17:27:17:61 | access to indexer : String | LogForging.cs:20:21:20:43 | ... + ... |
 | LogForging.cs:17:27:17:61 | access to indexer : String | LogForging.cs:26:50:26:72 | ... + ... |
+| LogForgingAsp.cs:8:32:8:39 | username : String | LogForgingAsp.cs:12:21:12:43 | ... + ... |
 nodes
 | LogForging.cs:17:27:17:49 | access to property QueryString : NameValueCollection | semmle.label | access to property QueryString : NameValueCollection |
 | LogForging.cs:17:27:17:61 | access to indexer : String | semmle.label | access to indexer : String |
 | LogForging.cs:20:21:20:43 | ... + ... | semmle.label | ... + ... |
 | LogForging.cs:26:50:26:72 | ... + ... | semmle.label | ... + ... |
+| LogForgingAsp.cs:8:32:8:39 | username : String | semmle.label | username : String |
+| LogForgingAsp.cs:12:21:12:43 | ... + ... | semmle.label | ... + ... |
 subpaths
 #select
 | LogForging.cs:20:21:20:43 | ... + ... | LogForging.cs:17:27:17:49 | access to property QueryString : NameValueCollection | LogForging.cs:20:21:20:43 | ... + ... | $@ flows to log entry. | LogForging.cs:17:27:17:49 | access to property QueryString | User-provided value |
 | LogForging.cs:26:50:26:72 | ... + ... | LogForging.cs:17:27:17:49 | access to property QueryString : NameValueCollection | LogForging.cs:26:50:26:72 | ... + ... | $@ flows to log entry. | LogForging.cs:17:27:17:49 | access to property QueryString | User-provided value |
+| LogForgingAsp.cs:12:21:12:43 | ... + ... | LogForgingAsp.cs:8:32:8:39 | username : String | LogForgingAsp.cs:12:21:12:43 | ... + ... | $@ flows to log entry. | LogForgingAsp.cs:8:32:8:39 | username | User-provided value |

csharp/ql/test/query-tests/Security Features/CWE-117/LogForgingAsp.cs

@@ -0,0 +1,21 @@
+using System;
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Http.Headers;
+using Microsoft.AspNetCore.Mvc;
+
+public class AspController : ControllerBase
+{
+    public void Action1(string username)
+    {
+        var logger = new ILogger();
+        // BAD: Logged as-is
+        logger.Warn(username + " logged in");
+    }
+
+    public void Action1(DateTime date)
+    {
+        var logger = new ILogger();
+        // GOOD: DateTime is a sanitizer.
+        logger.Warn($"Warning about the date: {date:yyyy-MM-dd}");
+    }
+}

csharp/ql/test/query-tests/Security Features/CWE-117/options

@@ -1 +1,4 @@
-semmle-extractor-options: ${testdir}/../../../resources/stubs/System.Web.cs /r:System.Collections.Specialized.dll /r:System.Runtime.Extensions.dll /r:System.Diagnostics.TraceSource.dll
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
+semmle-extractor-options: --load-sources-from-project:../../../resources/stubs/_frameworks/Microsoft.AspNetCore.App/Microsoft.AspNetCore.App.csproj
+semmle-extractor-options: ${testdir}/../../../resources/stubs/System.Web.cs