Skip to content

C#: Add more environment and commandargs sources for the C# Standard Library #15605

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 8 commits into from
Mar 8, 2024
Merged

C#: Add more environment and commandargs sources for the C# Standard Library #15605

merged 8 commits into from
Mar 8, 2024

Conversation

egregius313
Copy link
Contributor

@egregius313 egregius313 commented Feb 13, 2024
edited
Loading

Adds more models for the environment and commandargs local source kinds.

This primarily focuses on the .NET standard library and the Microsoft.Extensions.Configuration library.

@github-actions github-actions bot added the C# label Feb 13, 2024
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Feb 13, 2024
edited
Loading

⚠️ The head of this PR and the base branch were compared for differences in the framework coverage reports. The generated reports are available in the artifacts of this workflow run. The differences will be picked up by the nightly job after the PR gets merged.

Click to show differences in coverage

csharp

Generated file changes for csharp

  • Changes to framework-coverage-csharp.rst:
-    System,"``System.*``, ``System``",25,11862,67,9
+    System,"``System.*``, ``System``",30,11862,67,9
-    Others,"``Amazon.Lambda.APIGatewayEvents``, ``Amazon.Lambda.Core``, ``Dapper``, ``ILCompiler``, ``ILLink.RoslynAnalyzer``, ``ILLink.Shared``, ``ILLink.Tasks``, ``Internal.IL``, ``Internal.Pgo``, ``Internal.TypeSystem``, ``JsonToItemsTaskFactory``, ``Microsoft.Android.Build``, ``Microsoft.Apple.Build``, ``Microsoft.ApplicationBlocks.Data``, ``Microsoft.CSharp``, ``Microsoft.Diagnostics.Tools.Pgo``, ``Microsoft.EntityFrameworkCore``, ``Microsoft.Extensions.Caching.Distributed``, ``Microsoft.Extensions.Caching.Memory``, ``Microsoft.Extensions.Configuration``, ``Microsoft.Extensions.DependencyInjection``, ``Microsoft.Extensions.DependencyModel``, ``Microsoft.Extensions.Diagnostics.Metrics``, ``Microsoft.Extensions.FileProviders``, ``Microsoft.Extensions.FileSystemGlobbing``, ``Microsoft.Extensions.Hosting``, ``Microsoft.Extensions.Http``, ``Microsoft.Extensions.Logging``, ``Microsoft.Extensions.Options``, ``Microsoft.Extensions.Primitives``, ``Microsoft.Interop``, ``Microsoft.NET.Build.Tasks``, ``Microsoft.NET.WebAssembly.Webcil``, ``Microsoft.VisualBasic``, ``Microsoft.WebAssembly.Build.Tasks``, ``Microsoft.Win32.SafeHandles``, ``Mono.Linker``, ``MySql.Data.MySqlClient``, ``Newtonsoft.Json``, ``SourceGenerators``, ``Windows.Security.Cryptography.Core``",6,1541,148,
+    Others,"``Amazon.Lambda.APIGatewayEvents``, ``Amazon.Lambda.Core``, ``Dapper``, ``ILCompiler``, ``ILLink.RoslynAnalyzer``, ``ILLink.Shared``, ``ILLink.Tasks``, ``Internal.IL``, ``Internal.Pgo``, ``Internal.TypeSystem``, ``JsonToItemsTaskFactory``, ``Microsoft.Android.Build``, ``Microsoft.Apple.Build``, ``Microsoft.ApplicationBlocks.Data``, ``Microsoft.CSharp``, ``Microsoft.Diagnostics.Tools.Pgo``, ``Microsoft.EntityFrameworkCore``, ``Microsoft.Extensions.Caching.Distributed``, ``Microsoft.Extensions.Caching.Memory``, ``Microsoft.Extensions.Configuration``, ``Microsoft.Extensions.DependencyInjection``, ``Microsoft.Extensions.DependencyModel``, ``Microsoft.Extensions.Diagnostics.Metrics``, ``Microsoft.Extensions.FileProviders``, ``Microsoft.Extensions.FileSystemGlobbing``, ``Microsoft.Extensions.Hosting``, ``Microsoft.Extensions.Http``, ``Microsoft.Extensions.Logging``, ``Microsoft.Extensions.Options``, ``Microsoft.Extensions.Primitives``, ``Microsoft.Interop``, ``Microsoft.NET.Build.Tasks``, ``Microsoft.NET.WebAssembly.Webcil``, ``Microsoft.VisualBasic``, ``Microsoft.WebAssembly.Build.Tasks``, ``Microsoft.Win32.SafeHandles``, ``Mono.Linker``, ``MySql.Data.MySqlClient``, ``Newtonsoft.Json``, ``SourceGenerators``, ``Windows.Security.Cryptography.Core``",8,1547,148,
-    Totals,,31,13410,409,9
+    Totals,,38,13416,409,9
  • Changes to framework-coverage-csharp.csv:
- package,sink,source,summary,sink:code-injection,sink:encryption-decryptor,sink:encryption-encryptor,sink:encryption-keyprop,sink:encryption-symmetrickey,sink:file-content-store,sink:html-injection,sink:js-injection,sink:log-injection,sink:sql-injection,source:file,source:file-write,source:local,source:remote,summary:taint,summary:value
+ package,sink,source,summary,sink:code-injection,sink:encryption-decryptor,sink:encryption-encryptor,sink:encryption-keyprop,sink:encryption-symmetrickey,sink:file-content-store,sink:html-injection,sink:js-injection,sink:log-injection,sink:sql-injection,source:commandargs,source:environment,source:file,source:file-write,source:local,source:remote,summary:taint,summary:value
- Amazon.Lambda.APIGatewayEvents,,6,,,,,,,,,,,,,,,6,,
+ Amazon.Lambda.APIGatewayEvents,,6,,,,,,,,,,,,,,,,,6,,
- Amazon.Lambda.Core,10,,,,,,,,,,,10,,,,,,,
+ Amazon.Lambda.Core,10,,,,,,,,,,,10,,,,,,,,,
- Dapper,55,,,,,,,,,,,,55,,,,,,
+ Dapper,55,,,,,,,,,,,,55,,,,,,,,
- ILCompiler,,,81,,,,,,,,,,,,,,,81,
+ ILCompiler,,,81,,,,,,,,,,,,,,,,,81,
- ILLink.RoslynAnalyzer,,,63,,,,,,,,,,,,,,,63,
+ ILLink.RoslynAnalyzer,,,63,,,,,,,,,,,,,,,,,63,
- ILLink.Shared,,,32,,,,,,,,,,,,,,,29,3
+ ILLink.Shared,,,32,,,,,,,,,,,,,,,,,29,3
- ILLink.Tasks,,,5,,,,,,,,,,,,,,,5,
+ ILLink.Tasks,,,5,,,,,,,,,,,,,,,,,5,
- Internal.IL,,,69,,,,,,,,,,,,,,,67,2
+ Internal.IL,,,69,,,,,,,,,,,,,,,,,67,2
- Internal.Pgo,,,9,,,,,,,,,,,,,,,8,1
+ Internal.Pgo,,,9,,,,,,,,,,,,,,,,,8,1
- Internal.TypeSystem,,,367,,,,,,,,,,,,,,,331,36
+ Internal.TypeSystem,,,367,,,,,,,,,,,,,,,,,331,36
- JsonToItemsTaskFactory,,,7,,,,,,,,,,,,,,,7,
+ JsonToItemsTaskFactory,,,7,,,,,,,,,,,,,,,,,7,
- Microsoft.Android.Build,,,14,,,,,,,,,,,,,,,14,
+ Microsoft.Android.Build,,,14,,,,,,,,,,,,,,,,,14,
- Microsoft.Apple.Build,,,7,,,,,,,,,,,,,,,7,
+ Microsoft.Apple.Build,,,7,,,,,,,,,,,,,,,,,7,
- Microsoft.ApplicationBlocks.Data,28,,,,,,,,,,,,28,,,,,,
+ Microsoft.ApplicationBlocks.Data,28,,,,,,,,,,,,28,,,,,,,,
- Microsoft.CSharp,,,24,,,,,,,,,,,,,,,24,
+ Microsoft.CSharp,,,24,,,,,,,,,,,,,,,,,24,
- Microsoft.Diagnostics.Tools.Pgo,,,13,,,,,,,,,,,,,,,13,
+ Microsoft.Diagnostics.Tools.Pgo,,,13,,,,,,,,,,,,,,,,,13,
- Microsoft.EntityFrameworkCore,6,,12,,,,,,,,,,6,,,,,,12
+ Microsoft.EntityFrameworkCore,6,,12,,,,,,,,,,6,,,,,,,,12
- Microsoft.Extensions.Caching.Distributed,,,15,,,,,,,,,,,,,,,15,
+ Microsoft.Extensions.Caching.Distributed,,,15,,,,,,,,,,,,,,,,,15,
- Microsoft.Extensions.Caching.Memory,,,38,,,,,,,,,,,,,,,37,1
+ Microsoft.Extensions.Caching.Memory,,,38,,,,,,,,,,,,,,,,,37,1
- Microsoft.Extensions.Configuration,,,83,,,,,,,,,,,,,,,80,3
+ Microsoft.Extensions.Configuration,,2,89,,,,,,,,,,,,2,,,,,86,3
- Microsoft.Extensions.DependencyInjection,,,120,,,,,,,,,,,,,,,120,
+ Microsoft.Extensions.DependencyInjection,,,120,,,,,,,,,,,,,,,,,120,
- Microsoft.Extensions.DependencyModel,,,12,,,,,,,,,,,,,,,12,
+ Microsoft.Extensions.DependencyModel,,,12,,,,,,,,,,,,,,,,,12,
- Microsoft.Extensions.Diagnostics.Metrics,,,13,,,,,,,,,,,,,,,13,
+ Microsoft.Extensions.Diagnostics.Metrics,,,13,,,,,,,,,,,,,,,,,13,
- Microsoft.Extensions.FileProviders,,,15,,,,,,,,,,,,,,,15,
+ Microsoft.Extensions.FileProviders,,,15,,,,,,,,,,,,,,,,,15,
- Microsoft.Extensions.FileSystemGlobbing,,,16,,,,,,,,,,,,,,,14,2
+ Microsoft.Extensions.FileSystemGlobbing,,,16,,,,,,,,,,,,,,,,,14,2
- Microsoft.Extensions.Hosting,,,23,,,,,,,,,,,,,,,22,1
+ Microsoft.Extensions.Hosting,,,23,,,,,,,,,,,,,,,,,22,1
- Microsoft.Extensions.Http,,,10,,,,,,,,,,,,,,,10,
+ Microsoft.Extensions.Http,,,10,,,,,,,,,,,,,,,,,10,
- Microsoft.Extensions.Logging,,,60,,,,,,,,,,,,,,,59,1
+ Microsoft.Extensions.Logging,,,60,,,,,,,,,,,,,,,,,59,1
- Microsoft.Extensions.Options,,,8,,,,,,,,,,,,,,,8,
+ Microsoft.Extensions.Options,,,8,,,,,,,,,,,,,,,,,8,
- Microsoft.Extensions.Primitives,,,64,,,,,,,,,,,,,,,64,
+ Microsoft.Extensions.Primitives,,,64,,,,,,,,,,,,,,,,,64,
- Microsoft.Interop,,,78,,,,,,,,,,,,,,,78,
+ Microsoft.Interop,,,78,,,,,,,,,,,,,,,,,78,
- Microsoft.NET.Build.Tasks,,,1,,,,,,,,,,,,,,,1,
+ Microsoft.NET.Build.Tasks,,,1,,,,,,,,,,,,,,,,,1,
- Microsoft.NET.WebAssembly.Webcil,,,7,,,,,,,,,,,,,,,7,
+ Microsoft.NET.WebAssembly.Webcil,,,7,,,,,,,,,,,,,,,,,7,
- Microsoft.VisualBasic,,,10,,,,,,,,,,,,,,,5,5
+ Microsoft.VisualBasic,,,10,,,,,,,,,,,,,,,,,5,5
- Microsoft.WebAssembly.Build.Tasks,,,3,,,,,,,,,,,,,,,3,
+ Microsoft.WebAssembly.Build.Tasks,,,3,,,,,,,,,,,,,,,,,3,
- Microsoft.Win32.SafeHandles,,,4,,,,,,,,,,,,,,,4,
+ Microsoft.Win32.SafeHandles,,,4,,,,,,,,,,,,,,,,,4,
- Mono.Linker,,,163,,,,,,,,,,,,,,,163,
+ Mono.Linker,,,163,,,,,,,,,,,,,,,,,163,
- MySql.Data.MySqlClient,48,,,,,,,,,,,,48,,,,,,
+ MySql.Data.MySqlClient,48,,,,,,,,,,,,48,,,,,,,,
- Newtonsoft.Json,,,91,,,,,,,,,,,,,,,73,18
+ Newtonsoft.Json,,,91,,,,,,,,,,,,,,,,,73,18
- ServiceStack,194,,7,27,,,,,75,,,,92,,,,,7,
+ ServiceStack,194,,7,27,,,,,75,,,,92,,,,,,,7,
- SourceGenerators,,,4,,,,,,,,,,,,,,,4,
+ SourceGenerators,,,4,,,,,,,,,,,,,,,,,4,
- System,67,25,11862,,8,8,9,,,4,5,,33,1,17,3,4,9896,1966
+ System,67,30,11862,,8,8,9,,,4,5,,33,2,3,1,17,3,4,9896,1966
- Windows.Security.Cryptography.Core,1,,,,,,,1,,,,,,,,,,,
+ Windows.Security.Cryptography.Core,1,,,,,,,1,,,,,,,,,,,,,

@egregius313 egregius313 force-pushed the egregius313/csharp/dataflow/sources/commandargs-and-environment branch 2 times, most recently from ceb169b to b32a08a Compare February 26, 2024 17:58
@egregius313 egregius313 force-pushed the egregius313/csharp/dataflow/sources/commandargs-and-environment branch 3 times, most recently from 09f00b3 to 386cf4d Compare March 6, 2024 03:28
@egregius313 egregius313 marked this pull request as ready for review March 6, 2024 03:28
@egregius313 egregius313 requested a review from a team as a code owner March 6, 2024 03:28
michaelnebel
michaelnebel reviewed Mar 6, 2024
View reviewed changes
Copy link
Contributor

@michaelnebel michaelnebel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you!
I have added some comments.
Could you elaborate a bit on, how you found the sources?

@egregius313
Copy link
Contributor Author

egregius313 commented Mar 6, 2024
edited
Loading

Could you elaborate a bit on, how you found the sources?

I was looking into packages under the System.* and Microsoft.* namespaces (.NET standard library and Microsoft libraries) for APIs dealing with environment variables and/or command line arguments. And in the process, I found System.CommandLine and Microsoft.Extensions.Configuration.

But I've currently paused the System.CommandLine modeling for now, because it mostly involved marking parameters to callbacks as sources, which is currently unsupported in MaD for C# as I understand it.

The standard library models were mostly from looking into the standard way to access command line arguments and environment variables with System.Environment.

@egregius313 egregius313 force-pushed the egregius313/csharp/dataflow/sources/commandargs-and-environment branch from 386cf4d to 4fb2693 Compare March 6, 2024 18:29
@egregius313
Copy link
Contributor Author

@michaelnebel I have modified the Microsoft.Extensions.Configuration models to handle the fluent API, and have added taint flow tests for the extension methods to check that things are being tracked appropriately with both versions of the fluent API.

michaelnebel
michaelnebel reviewed Mar 7, 2024
View reviewed changes
@egregius313 egregius313 force-pushed the egregius313/csharp/dataflow/sources/commandargs-and-environment branch from 96c3346 to 608a3f9 Compare March 7, 2024 17:32
michaelnebel
michaelnebel reviewed Mar 8, 2024
View reviewed changes
csharp/ql/test/library-tests/dataflow/flowsources/local/environment/EnvironmentVariableFlow.ql
import semmle.code.csharp.dataflow.internal.ExternalFlow

module EnvironmentVariableFlowConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { sourceNode(source, "environment") }
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: You can consider to do this using threat models (also fine to leave it as it is).

michaelnebel
michaelnebel approved these changes Mar 8, 2024
View reviewed changes
Copy link
Contributor

@michaelnebel michaelnebel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Excellent!
I will start a DCA run; Also we need to hold the merge of this PR as one of the queries now relies on threat models.

@michaelnebel
Copy link
Contributor

Excellent! I will start a DCA run; Also we need to hold the merge of this PR as one of the queries now relies on threat models.

Alternatively split the PR in two such that it is follow up PR that changes the semantics of the query.

@michaelnebel
Copy link
Contributor

Excellent! I will start a DCA run; Also we need to hold the merge of this PR as one of the queries now relies on threat models.

Alternatively split the PR in two such that it is follow up PR that changes the semantics of the query.

Looks like there is no need for this.
I think that we can start to merge all the threat model PRs.

@egregius313 egregius313 merged commit e7852f5 into github:main Mar 8, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@michaelnebel michaelnebel michaelnebel approved these changes

Assignees
No one assigned
Labels
C# documentation
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@egregius313 @michaelnebel