-
Notifications
You must be signed in to change notification settings - Fork 1.9k
[csharp] How to add a flow step with a separate class #20090
-
Hello,
I'm facing a problem with csharp global data flow. It breaks at property accessors:
Order {
get { return order_; } // order_ is the last node which codeql tracks
set {
order_ = value;
}
}
Because of this problem, codeql build-in queries sometimes fail to build proper flow between a source and a sink.
To fix this problem, I could add default predicate isAdditionalFlowStep(Node node1, Node node2) into sql/ssrf/xss/... queries, as was suggested in #19794 but it's cumbersome in my case.
I'd prefer to create a single class in a customization .qll file which would add the missing flowstep throughout codeql. This mechanism is claimed to be already available https://codeql.github.com/docs/codeql-language-guides/analyzing-data-flow-in-csharp/#extending-library-data-flow, but it isn't))
There is no such predicate as callableFlow() in the source code of codeql latest versions.
Could you tell me how to create an additional flow step so that it is recognized by the global dataflow across codeql, please?
My codeql version is 2.21.0
Beta Was this translation helpful? Give feedback.
All reactions
Replies: 1 comment 3 replies
-
Here are the latest docs for library modelling -- apologies for the out-of-date reference to the old way of doing things; I'll pass that onto the team:
https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-csharp/
Beta Was this translation helpful? Give feedback.
All reactions
-
👍 1
-
Thank you for the link)
I followed the instructions but my extension doesn’t work.
In my example below, model is tainted but taint is not propagated further towards sorting :
[ApiController]
public class DataController : ControllerBase
{
[HttpPost("/dangerous-smth")]
public IActionResult DangerousSmth([FromBody] SomeModel model)
{
var sorting = model.Sort;
return Ok($"Received sort value: {sorting}");
}
}
}
The Sort property is defined this way:
namespace TaintFlowDemo.Controllers
{
public class SomeModel
{
private string sort_;
public string Sort
{
get { return sort_; }
set { sort_ = value; }
}
}
Into the qlpacks/codeql/csharp-queries/1.1.0/.codeql/libraries/codeql/csharp-all/5.1.3/ext/Test.model.yml file, I added this:
extensions:
- addsTo:
pack: codeql/csharp-all
extensible: summaryModel
data:
- ["TaintFlowDemo.Controllers", "SomeModel", False, "get_Sort", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["TaintFlowDemo.Controllers", "SomeModel", False, "set_Sort", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
I also tried to move elements in the tuples around, but nothing works.
Or maybe this yml extension is not enough to fix the flow?
Can you tell me why this doesn't work, please?
Beta Was this translation helpful? Give feedback.
All reactions
-
@smowton Would you tell me if there is any debug mechanism for testing yml extensibles in codeql? Or are there tests for existing extensibles?
The documentation doesn't seem to cover all possible variants which can be passed into the tuple.
Beta Was this translation helpful? Give feedback.
All reactions
-
Some suggestions / comments.
- The model for
set_Sortlooks incorrect. Try["TaintFlowDemo.Controllers", "SomeModel", False, "set_Sort", "", "", "Argument[0]", "Argument[this]", "value", "manual"]. Maybe consider changing the model to "taint" instead of "value" as well. Please note that such models "taint" the entire object (and not only the backing field), when taint/value is propagated intoArgument[this]. - If you want to debug data flow and models, I recommend creating a "partial" flow variant of your query (then it is easier to identify where data-flow "gets stuck").
- If you want to test models in isolation it is possible to do so via CodeQL tests (add a YAML file with the extensions
ext.ymlnext to the test as done here.
Beta Was this translation helpful? Give feedback.