Merge pull request #15605 from egregius313/egregius313/csharp/dataflow/sources/commandargs-and-environment

C#: Add more `environment` and `commandargs` sources for the C# Standard Library

Author: egregius313

csharp/ql/lib/change-notes/2024-03-05-new-commandargs-and-environment-models.md

@@ -0,0 +1,5 @@
+---
+category: minorAnalysis
+---
+* The .NET standard libraries APIs for accessing command line arguments and environment variables have been modeled using the `commandargs` and `environment` threat models.
+* The `cs/assembly-path-injection` query has been modified so that it's sources rely on `ThreatModelFlowSource`. In order to restore results from command line arguments, you should enable the `commandargs` threat model.

csharp/ql/lib/ext/Microsoft.Extensions.Configuration.model.yml

@@ -0,0 +1,17 @@
+extensions:
+  - addsTo:
+      pack: codeql/csharp-all
+      extensible: sourceModel
+    data:
+      - ["Microsoft.Extensions.Configuration", "EnvironmentVariablesExtensions", False, "AddEnvironmentVariables", "", "", "Argument[0]", "environment", "manual"]
+      - ["Microsoft.Extensions.Configuration", "EnvironmentVariablesExtensions", False, "AddEnvironmentVariables", "", "", "ReturnValue", "environment", "manual"]
+  - addsTo:
+      pack: codeql/csharp-all
+      extensible: summaryModel
+    data:
+      - ["Microsoft.Extensions.Configuration", "IConfiguration", True, "get_Item", "(System.String)", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["Microsoft.Extensions.Configuration", "IConfigurationBuilder", True, "Build", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["Microsoft.Extensions.Configuration", "CommandLineConfigurationExtensions", False, "AddCommandLine", "", "", "Argument[1]", "Argument[0]", "taint", "manual"]
+      - ["Microsoft.Extensions.Configuration", "CommandLineConfigurationExtensions", False, "AddCommandLine", "(Microsoft.Extensions.Configuration.IConfigurationBuilder,System.String[],System.Collections.Generic.IDictionary<System.String,System.String>)", "", "Argument[2]", "Argument[0]", "taint", "manual"]
+      - ["Microsoft.Extensions.Configuration", "CommandLineConfigurationExtensions", False, "AddCommandLine", "", "", "Argument[1]", "ReturnValue", "taint", "manual"]
+      - ["Microsoft.Extensions.Configuration", "CommandLineConfigurationExtensions", False, "AddCommandLine", "(Microsoft.Extensions.Configuration.IConfigurationBuilder,System.String[],System.Collections.Generic.IDictionary<System.String,System.String>)", "", "Argument[2]", "ReturnValue", "taint", "manual"]

csharp/ql/lib/ext/System.model.yml

@@ -6,6 +6,11 @@ extensions:
       - ["System", "Console", False, "Read", "", "", "ReturnValue", "local", "manual"]
       - ["System", "Console", False, "ReadKey", "", "", "ReturnValue", "local", "manual"]
       - ["System", "Console", False, "ReadLine", "", "", "ReturnValue", "local", "manual"]
+      - ["System", "Environment", False, "ExpandEnvironmentVariables", "(System.String)", "", "ReturnValue", "environment", "manual"]
+      - ["System", "Environment", False, "GetCommandLineArgs", "()", "", "ReturnValue", "commandargs", "manual"]
+      - ["System", "Environment", False, "get_CommandLine", "()", "", "ReturnValue", "commandargs", "manual"]
+      - ["System", "Environment", False, "GetEnvironmentVariable", "", "", "ReturnValue", "environment", "manual"]
+      - ["System", "Environment", False, "GetEnvironmentVariables", "", "", "ReturnValue", "environment", "manual"]
   - addsTo:
       pack: codeql/csharp-all
       extensible: summaryModel

csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/Local.qll

@@ -6,6 +6,7 @@ import csharp
 private import semmle.code.csharp.frameworks.system.windows.Forms
 private import semmle.code.csharp.dataflow.internal.ExternalFlow
 private import semmle.code.csharp.security.dataflow.flowsources.FlowSources
+private import semmle.code.csharp.commons.Util
 
 /** A data flow source of local data. */
 abstract class LocalFlowSource extends SourceNode {
@@ -29,3 +30,28 @@ class TextFieldSource extends LocalUserInputSource {
 
   override string getSourceType() { result = "TextBox text" }
 }
+
+/**
+ * A dataflow source that represents the access of an environment variable.
+ */
+abstract class EnvironmentVariableSource extends LocalFlowSource {
+  override string getThreatModel() { result = "environment" }
+
+  override string getSourceType() { result = "environment variable" }
+}
+
+/**
+ * A dataflow source that represents the access of a command line argument.
+ */
+abstract class CommandLineArgumentSource extends LocalFlowSource {
+  override string getThreatModel() { result = "commandargs" }
+
+  override string getSourceType() { result = "command line argument" }
+}
+
+/**
+ * A data flow source that represents the parameters of the `Main` method of a program.
+ */
+private class MainMethodArgumentSource extends CommandLineArgumentSource {
+  MainMethodArgumentSource() { this.asParameter() = any(MainMethod mainMethod).getAParameter() }
+}

csharp/ql/src/Security Features/CWE-114/AssemblyPathInjection.ql

@@ -21,10 +21,7 @@ import AssemblyPathInjection::PathGraph
  * A taint-tracking configuration for untrusted user input used to load a DLL.
  */
 module AssemblyPathInjectionConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) {
-    source instanceof ThreatModelFlowSource or
-    source.asExpr() = any(MainMethod main).getParameter(0).getAnAccess()
-  }
+  predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
 
   predicate isSink(DataFlow::Node sink) {
     exists(MethodCall mc, string name, int arg |

csharp/ql/test/library-tests/dataflow/flowsources/local/commandargs/CommandArgs.cs

@@ -0,0 +1,39 @@
+using System;
+using System.Collections.Generic;
+using Microsoft.Extensions.Configuration;
+
+namespace CommandArgs
+{
+    public class CommandArgsUse
+    {
+        public static void M1()
+        {
+            string result = Environment.GetCommandLineArgs()[0];
+        }
+
+        public static void M2()
+        {
+            string result = Environment.CommandLine;
+        }
+
+        public static void Main(string[] args)
+        {
+            var builder = new ConfigurationBuilder();
+            builder.AddCommandLine(args);
+            var config = builder.Build();
+            var arg1 = config["arg1"];
+            Sink(arg1);
+        }
+
+        public static void AddCommandLine2()
+        {
+            var config = new ConfigurationBuilder()
+                .AddCommandLine(Environment.GetCommandLineArgs())
+                .Build();
+            var arg1 = config["arg1"];
+            Sink(arg1);
+        }
+
+        static void Sink(object o) { }
+    }
+}

csharp/ql/test/library-tests/dataflow/flowsources/local/commandargs/CommandArgs.expected

@@ -0,0 +1,4 @@
+| CommandArgs.cs:11:29:11:60 | call to method GetCommandLineArgs |
+| CommandArgs.cs:16:29:16:51 | access to property CommandLine |
+| CommandArgs.cs:19:42:19:45 | args |
+| CommandArgs.cs:31:33:31:64 | call to method GetCommandLineArgs |

csharp/ql/test/library-tests/dataflow/flowsources/local/commandargs/CommandArgs.ext.yml

@@ -0,0 +1,7 @@
+extensions:
+
+  - addsTo:
+      pack: codeql/threat-models
+      extensible: threatModelConfiguration
+    data:
+      - ["commandargs", true, 0]

csharp/ql/test/library-tests/dataflow/flowsources/local/commandargs/CommandArgs.ql

@@ -0,0 +1,6 @@
+import csharp
+import semmle.code.csharp.security.dataflow.flowsources.FlowSources
+
+from DataFlow::Node source
+where source instanceof ThreatModelFlowSource
+select source

csharp/ql/test/library-tests/dataflow/flowsources/local/commandargs/CommandLineFlow.expected

@@ -0,0 +1,2 @@
+| CommandArgs.cs:25:18:25:21 | access to local variable arg1 | CommandArgs.cs:19:42:19:45 | args |
+| CommandArgs.cs:34:18:34:21 | access to local variable arg1 | CommandArgs.cs:31:33:31:64 | call to method GetCommandLineArgs |

csharp/ql/test/library-tests/dataflow/flowsources/local/commandargs/CommandLineFlow.ext.yml

@@ -0,0 +1,7 @@
+extensions:
+
+  - addsTo:
+      pack: codeql/threat-models
+      extensible: threatModelConfiguration
+    data:
+      - ["commandargs", true, 0]

csharp/ql/test/library-tests/dataflow/flowsources/local/commandargs/CommandLineFlow.ql

@@ -0,0 +1,16 @@
+import csharp
+import semmle.code.csharp.security.dataflow.flowsources.FlowSources
+
+module CommandLineFlowConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
+
+  predicate isSink(DataFlow::Node sink) {
+    exists(MethodCall mc | mc.getTarget().hasName("Sink") | sink.asExpr() = mc.getArgument(0))
+  }
+}
+
+module CommandLineFlow = TaintTracking::Global<CommandLineFlowConfig>;
+
+from DataFlow::Node source, DataFlow::Node sink
+where CommandLineFlow::flow(source, sink)
+select sink, source

csharp/ql/test/library-tests/dataflow/flowsources/local/commandargs/options

@@ -0,0 +1,3 @@
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../../resources/stubs/_frameworks/Microsoft.AspNetCore.App/Microsoft.AspNetCore.App.csproj
+semmle-extractor-options: ${testdir}/../../../../../resources/stubs/System.Web.cs

csharp/ql/test/library-tests/dataflow/flowsources/local/environment/EnvironmentVariableFlow.expected

@@ -0,0 +1,2 @@
+| EnvironmentVariables.cs:34:18:34:21 | access to local variable path | EnvironmentVariables.cs:30:26:31:42 | call to method AddEnvironmentVariables |
+| EnvironmentVariables.cs:44:18:44:21 | access to local variable path | EnvironmentVariables.cs:41:13:41:19 | [post] access to local variable builder |

csharp/ql/test/library-tests/dataflow/flowsources/local/environment/EnvironmentVariableFlow.ql

@@ -0,0 +1,16 @@
+import csharp
+import semmle.code.csharp.dataflow.internal.ExternalFlow
+
+module EnvironmentVariableFlowConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { sourceNode(source, "environment") }
+
+  predicate isSink(DataFlow::Node sink) {
+    exists(MethodCall mc | mc.getTarget().hasName("Sink") | sink.asExpr() = mc.getArgument(0))
+  }
+}
+
+module EnvironmentVariableFlow = TaintTracking::Global<EnvironmentVariableFlowConfig>;
+
+from DataFlow::Node source, DataFlow::Node sink
+where EnvironmentVariableFlow::flow(source, sink)
+select sink, source

csharp/ql/test/library-tests/dataflow/flowsources/local/environment/EnvironmentVariables.cs

@@ -0,0 +1,49 @@
+using System;
+using System.Collections;
+using Microsoft.Extensions.Configuration;
+
+namespace EnvironmentVariables
+{
+    class EnvironmentVariables
+    {
+        public static void GetEnvironmentVariable(string environmnetVariable)
+        {
+            string value = Environment.GetEnvironmentVariable(environmnetVariable);
+            string valueFromRegistry = Environment.GetEnvironmentVariable(environmnetVariable, EnvironmentVariableTarget.Machine);
+            string valueFromProcess = Environment.GetEnvironmentVariable(environmnetVariable, EnvironmentVariableTarget.Process);
+        }
+
+        public static void GetEnvironmentVariables()
+        {
+            IDictionary environmentVariables = Environment.GetEnvironmentVariables();
+            IDictionary environmentVariablesFromRegistry = Environment.GetEnvironmentVariables(EnvironmentVariableTarget.Machine);
+            IDictionary environmentVariablesFromProcess = Environment.GetEnvironmentVariables(EnvironmentVariableTarget.Process);
+        }
+
+        public static void ExpandEnvironmentVariables(string environmentVariable)
+        {
+            string expanded = Environment.ExpandEnvironmentVariables("%PATH%");
+        }
+
+        public static void TaintedConfiguration()
+        {
+            var config = new ConfigurationBuilder()
+                .AddEnvironmentVariables()
+                .Build();
+            var path = config["PATH"];
+            Sink(path);
+        }
+
+        public static void TaintedConfigurationWithPrefix()
+        {
+            var builder = new ConfigurationBuilder();
+
+            builder.AddEnvironmentVariables("prefix");
+            var config = builder.Build();
+            var path = config["PATH"];
+            Sink(path);
+        }
+
+        static void Sink(object o) { }
+    }
+}

csharp/ql/test/library-tests/dataflow/flowsources/local/environment/EnvironmentVariables.expected

@@ -0,0 +1,11 @@
+| EnvironmentVariables.cs:11:28:11:82 | call to method GetEnvironmentVariable |
+| EnvironmentVariables.cs:12:40:12:129 | call to method GetEnvironmentVariable |
+| EnvironmentVariables.cs:13:39:13:128 | call to method GetEnvironmentVariable |
+| EnvironmentVariables.cs:18:48:18:84 | call to method GetEnvironmentVariables |
+| EnvironmentVariables.cs:19:60:19:129 | call to method GetEnvironmentVariables |
+| EnvironmentVariables.cs:20:59:20:128 | call to method GetEnvironmentVariables |
+| EnvironmentVariables.cs:25:31:25:78 | call to method ExpandEnvironmentVariables |
+| EnvironmentVariables.cs:30:26:30:51 | [post] object creation of type ConfigurationBuilder |
+| EnvironmentVariables.cs:30:26:31:42 | call to method AddEnvironmentVariables |
+| EnvironmentVariables.cs:41:13:41:19 | [post] access to local variable builder |
+| EnvironmentVariables.cs:41:13:41:53 | call to method AddEnvironmentVariables |

csharp/ql/test/library-tests/dataflow/flowsources/local/environment/EnvironmentVariables.ql

@@ -0,0 +1,6 @@
+import csharp
+import semmle.code.csharp.dataflow.internal.ExternalFlow
+
+from DataFlow::Node source
+where sourceNode(source, "environment")
+select source

csharp/ql/test/library-tests/dataflow/flowsources/local/environment/options

@@ -0,0 +1,3 @@
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../../resources/stubs/_frameworks/Microsoft.AspNetCore.App/Microsoft.AspNetCore.App.csproj
+semmle-extractor-options: ${testdir}/../../../../../resources/stubs/System.Web.cs