commandargs sources

egregius313 · egregius313 · commit 0a7e00fb74fe · 2024-02-26T10:11:36.000-05:00
diff --git a/csharp/ql/lib/ext/System.model.yml b/csharp/ql/lib/ext/System.model.yml
@@ -7,6 +7,8 @@ extensions:
       - ["System", "Console", False, "ReadKey", "", "", "ReturnValue", "local", "manual"]
       - ["System", "Console", False, "ReadLine", "", "", "ReturnValue", "local", "manual"]
       - ["System", "Environment", False, "ExpandEnvironmentVariables", "", "", "ReturnValue", "environment", "manual"]
+      - ["System", "Environment", False, "GetCommandLineArgs", "", "", "ReturnValue", "commandargs", "manual"]
+      - ["System", "Environment", False, "get_CommandLine", "", "", "ReturnValue", "commandargs", "manual"]
       - ["System", "Environment", False, "GetEnvironmentVariable", "", "", "ReturnValue", "environment", "manual"]
       - ["System", "Environment", False, "GetEnvironmentVariables", "", "", "ReturnValue", "environment", "manual"]
   - addsTo:
diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/Local.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/Local.qll
@@ -6,6 +6,7 @@ import csharp
 private import semmle.code.csharp.frameworks.system.windows.Forms
 private import semmle.code.csharp.dataflow.internal.ExternalFlow
 private import semmle.code.csharp.security.dataflow.flowsources.FlowSources
+private import semmle.code.csharp.commons.Util
 
 /** A data flow source of local data. */
 abstract class LocalFlowSource extends SourceNode {
@@ -37,3 +38,20 @@ abstract class EnvironmentVariableSource extends LocalFlowSource {
   override string getSourceType() { result = "environment variable" }
 }
 
+abstract class CommandLineArgumentSource extends LocalFlowSource {
+  override string getThreatModel() { result = "commandargs" }
+
+  override string getSourceType() { result = "command line argument" }
+}
+
+// private class SystemEnvironmentCommandLineSource extends CommandLineArgumentSource {
+//   SystemEnvironmentCommandLineSource() {
+//     exists(PropertyAccess pa | this.asExpr() = pa |
+//       pa.getTarget().hasName("CommandLine") and
+//       pa.getTarget().getDeclaringType().hasFullyQualifiedName("System", "Environment")
+//     )
+//   }
+// }
+private class MainMethodArgumentSource extends CommandLineArgumentSource {
+  MainMethodArgumentSource() { this.asParameter() = any(MainMethod mainMethod).getAParameter() }
+}
diff --git a/csharp/ql/test/library-tests/dataflow/flowsources/local/commandargs/CommandArgs.cs b/csharp/ql/test/library-tests/dataflow/flowsources/local/commandargs/CommandArgs.cs
@@ -0,0 +1,17 @@
+using System;
+
+namespace CommandArgs
+{
+    class CommandArgsUse
+    {
+        public static void M1()
+        {
+            string result = Environment.GetCommandLineArgs()[0];
+        }
+
+        public static void M2()
+        {
+            string result = Environment.CommandLine;
+        }
+    }
+}
diff --git a/csharp/ql/test/library-tests/dataflow/flowsources/local/commandargs/CommandArgs.expected b/csharp/ql/test/library-tests/dataflow/flowsources/local/commandargs/CommandArgs.expected
@@ -0,0 +1,2 @@
+| CommandArgs.cs:9:29:9:60 | call to method GetCommandLineArgs |
+| CommandArgs.cs:14:29:14:51 | access to property CommandLine |
diff --git a/csharp/ql/test/library-tests/dataflow/flowsources/local/commandargs/CommandArgs.ql b/csharp/ql/test/library-tests/dataflow/flowsources/local/commandargs/CommandArgs.ql
@@ -0,0 +1,6 @@
+import csharp
+import semmle.code.csharp.dataflow.internal.ExternalFlow
+
+from DataFlow::Node source
+where sourceNode(source, "commandargs")
+select source

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+\| CommandArgs.cs:9:29:9:60 \| call to method GetCommandLineArgs \|`
	`2`	`+\| CommandArgs.cs:14:29:14:51 \| access to property CommandLine \|`