From 209f2f07130c5d57c8a5c676ac5735a4078ca645 Mon Sep 17 00:00:00 2001 From: Lindsay Simpkins Date: Thu, 27 Mar 2025 23:31:18 -0400 Subject: [PATCH 1/2] csharp update MaD for System.Uri --- csharp/ql/lib/change-notes/2025-03-27.md | 4 ++++ csharp/ql/lib/ext/System.model.yml | 14 +++++++++++ .../dataflow/library/FlowSummaries.expected | 24 +++++++++++-------- .../library/FlowSummariesFiltered.expected | 24 +++++++++++-------- 4 files changed, 46 insertions(+), 20 deletions(-) create mode 100644 csharp/ql/lib/change-notes/2025-03-27.md diff --git a/csharp/ql/lib/change-notes/2025-03-27.md b/csharp/ql/lib/change-notes/2025-03-27.md new file mode 100644 index 000000000000..2b88cfb44d03 --- /dev/null +++ b/csharp/ql/lib/change-notes/2025-03-27.md @@ -0,0 +1,4 @@ +--- +category: minorAnalysis +--- +* The models for `System.Uri` have been modified to better model the flow of tainted URIs. \ No newline at end of file diff --git a/csharp/ql/lib/ext/System.model.yml b/csharp/ql/lib/ext/System.model.yml index 5e94dfcbf083..3853f03dc2fc 100644 --- a/csharp/ql/lib/ext/System.model.yml +++ b/csharp/ql/lib/ext/System.model.yml @@ -778,9 +778,23 @@ extensions: - ["System", "TupleExtensions", False, "Deconstruct", "(System.Tuple,T1,T2)", "", "Argument[0].Property[System.Tuple`2.Item2]", "Argument[2]", "value", "manual"] - ["System", "TupleExtensions", False, "Deconstruct", "(System.Tuple,T1)", "", "Argument[0].Property[System.Tuple`1.Item1]", "Argument[1]", "value", "manual"] - ["System", "Uri", False, "ToString", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"] + - ["System", "Uri", False, "TryCreate", "(System.String,System.UriCreationOptions,System.Uri)", "", "Argument[0]", "Argument[2]", "taint", "manual"] + - ["System", "Uri", False, "TryCreate", "(System.String,System.UriKind,System.Uri)", "", "Argument[0]", "Argument[2]", "taint", "manual"] + - ["System", "Uri", False, "TryCreate", "(System.Uri,System.String,System.Uri)", "", "Argument[0]", "Argument[2]", "taint", "manual"] + - ["System", "Uri", False, "TryCreate", "(System.Uri,System.String,System.Uri)", "", "Argument[1]", "Argument[2]", "taint", "manual"] + - ["System", "Uri", False, "TryCreate", "(System.Uri,System.Uri,System.Uri)", "", "Argument[0]", "Argument[2]", "taint", "manual"] + - ["System", "Uri", False, "TryCreate", "(System.Uri,System.Uri,System.Uri)", "", "Argument[1]", "Argument[2]", "taint", "manual"] - ["System", "Uri", False, "Uri", "(System.String)", "", "Argument[0]", "Argument[this]", "taint", "manual"] - ["System", "Uri", False, "Uri", "(System.String,System.Boolean)", "", "Argument[0]", "Argument[this]", "taint", "manual"] - ["System", "Uri", False, "Uri", "(System.String,System.UriKind)", "", "Argument[0]", "Argument[this]", "taint", "manual"] + - ["System", "Uri", False, "Uri", "(System.String,System.UriCreationOptions)", "", "Argument[0]", "Argument[this]", "taint", "manual"] + - ["System", "Uri", False, "Uri", "(System.Uri,System.String)", "", "Argument[0]", "Argument[this]", "taint", "manual"] + - ["System", "Uri", False, "Uri", "(System.Uri,System.String)", "", "Argument[1]", "Argument[this]", "taint", "manual"] + - ["System", "Uri", False, "Uri", "(System.Uri,System.String,System.Boolean)", "", "Argument[0]", "Argument[this]", "taint", "manual"] + - ["System", "Uri", False, "Uri", "(System.Uri,System.String,System.Boolean)", "", "Argument[1]", "Argument[this]", "taint", "manual"] + - ["System", "Uri", False, "get_AbsoluteUri", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"] + - ["System", "Uri", False, "get_DnsSafeHost", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"] + - ["System", "Uri", False, "get_LocalPath", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"] - ["System", "Uri", False, "get_OriginalString", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"] - ["System", "Uri", False, "get_PathAndQuery", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"] - ["System", "Uri", False, "get_Query", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"] diff --git a/csharp/ql/test/library-tests/dataflow/library/FlowSummaries.expected b/csharp/ql/test/library-tests/dataflow/library/FlowSummaries.expected index a336988a713e..4b7dc533819c 100644 --- a/csharp/ql/test/library-tests/dataflow/library/FlowSummaries.expected +++ b/csharp/ql/test/library-tests/dataflow/library/FlowSummaries.expected @@ -23466,29 +23466,33 @@ summary | System;Uri;ToString;();Argument[this];ReturnValue;taint;manual | | System;Uri;ToString;(System.String,System.IFormatProvider);Argument[this].SyntheticField[System.Uri._string];ReturnValue;value;dfc-generated | | System;Uri;ToString;(System.String,System.IFormatProvider);Argument[this];ReturnValue;taint;dfc-generated | -| System;Uri;TryCreate;(System.String,System.UriCreationOptions,System.Uri);Argument[0];ReturnValue.SyntheticField[System.Uri._string];value;dfc-generated | -| System;Uri;TryCreate;(System.String,System.UriKind,System.Uri);Argument[0];ReturnValue.SyntheticField[System.Uri._string];value;dfc-generated | -| System;Uri;TryCreate;(System.Uri,System.String,System.Uri);Argument[1];ReturnValue.SyntheticField[System.Uri._string];value;dfc-generated | -| System;Uri;TryCreate;(System.Uri,System.Uri,System.Uri);Argument[0];ReturnValue;taint;df-generated | -| System;Uri;TryCreate;(System.Uri,System.Uri,System.Uri);Argument[1];ReturnValue;taint;df-generated | +| System;Uri;TryCreate;(System.String,System.UriCreationOptions,System.Uri);Argument[0];Argument[2];taint;manual | +| System;Uri;TryCreate;(System.String,System.UriKind,System.Uri);Argument[0];Argument[2];taint;manual | +| System;Uri;TryCreate;(System.Uri,System.String,System.Uri);Argument[0];Argument[2];taint;manual | +| System;Uri;TryCreate;(System.Uri,System.String,System.Uri);Argument[1];Argument[2];taint;manual | +| System;Uri;TryCreate;(System.Uri,System.Uri,System.Uri);Argument[0];Argument[2];taint;manual | +| System;Uri;TryCreate;(System.Uri,System.Uri,System.Uri);Argument[1];Argument[2];taint;manual | | System;Uri;TryEscapeDataString;(System.ReadOnlySpan,System.Span,System.Int32);Argument[0].Element;Argument[1].Element;value;dfc-generated | | System;Uri;TryUnescapeDataString;(System.ReadOnlySpan,System.Span,System.Int32);Argument[0].Element;Argument[1].Element;value;dfc-generated | | System;Uri;UnescapeDataString;(System.ReadOnlySpan);Argument[0].Element;ReturnValue;taint;dfc-generated | | System;Uri;UnescapeDataString;(System.String);Argument[0];ReturnValue;value;dfc-generated | | System;Uri;Uri;(System.String);Argument[0];Argument[this];taint;manual | | System;Uri;Uri;(System.String,System.Boolean);Argument[0];Argument[this];taint;manual | -| System;Uri;Uri;(System.String,System.UriCreationOptions);Argument[0];Argument[this].SyntheticField[System.Uri._string];value;dfc-generated | +| System;Uri;Uri;(System.String,System.UriCreationOptions);Argument[0];Argument[this];taint;manual | | System;Uri;Uri;(System.String,System.UriKind);Argument[0];Argument[this];taint;manual | -| System;Uri;Uri;(System.Uri,System.String);Argument[1];Argument[this].SyntheticField[System.Uri._string];value;dfc-generated | -| System;Uri;Uri;(System.Uri,System.String,System.Boolean);Argument[1];Argument[this].SyntheticField[System.Uri._string];value;dfc-generated | +| System;Uri;Uri;(System.Uri,System.String);Argument[0];Argument[this];taint;manual | +| System;Uri;Uri;(System.Uri,System.String);Argument[1];Argument[this];taint;manual | +| System;Uri;Uri;(System.Uri,System.String,System.Boolean);Argument[0];Argument[this];taint;manual | +| System;Uri;Uri;(System.Uri,System.String,System.Boolean);Argument[1];Argument[this];taint;manual | | System;Uri;Uri;(System.Uri,System.Uri);Argument[0];Argument[this];taint;df-generated | | System;Uri;Uri;(System.Uri,System.Uri);Argument[1];Argument[this];taint;df-generated | | System;Uri;get_AbsolutePath;();Argument[this];ReturnValue;taint;df-generated | +| System;Uri;get_AbsoluteUri;();Argument[this];ReturnValue;taint;manual | | System;Uri;get_Authority;();Argument[this];ReturnValue;taint;df-generated | -| System;Uri;get_DnsSafeHost;();Argument[this].Property[System.Uri.IdnHost];ReturnValue;value;dfc-generated | +| System;Uri;get_DnsSafeHost;();Argument[this];ReturnValue;taint;manual | | System;Uri;get_Host;();Argument[this];ReturnValue;taint;df-generated | | System;Uri;get_IdnHost;();Argument[this];ReturnValue;taint;df-generated | -| System;Uri;get_LocalPath;();Argument[this].SyntheticField[System.Uri._string];ReturnValue;value;dfc-generated | +| System;Uri;get_LocalPath;();Argument[this];ReturnValue;taint;manual | | System;Uri;get_OriginalString;();Argument[this];ReturnValue;taint;manual | | System;Uri;get_PathAndQuery;();Argument[this];ReturnValue;taint;manual | | System;Uri;get_Query;();Argument[this];ReturnValue;taint;manual | diff --git a/csharp/ql/test/library-tests/dataflow/library/FlowSummariesFiltered.expected b/csharp/ql/test/library-tests/dataflow/library/FlowSummariesFiltered.expected index a426b2428454..f5b48a00292f 100644 --- a/csharp/ql/test/library-tests/dataflow/library/FlowSummariesFiltered.expected +++ b/csharp/ql/test/library-tests/dataflow/library/FlowSummariesFiltered.expected @@ -18122,29 +18122,33 @@ | System;Uri;MakeRelativeUri;(System.Uri);Argument[0];ReturnValue;taint;df-generated | | System;Uri;ToString;();Argument[this];ReturnValue;taint;manual | | System;Uri;ToString;(System.String,System.IFormatProvider);Argument[this].SyntheticField[System.Uri._string];ReturnValue;value;dfc-generated | -| System;Uri;TryCreate;(System.String,System.UriCreationOptions,System.Uri);Argument[0];ReturnValue.SyntheticField[System.Uri._string];value;dfc-generated | -| System;Uri;TryCreate;(System.String,System.UriKind,System.Uri);Argument[0];ReturnValue.SyntheticField[System.Uri._string];value;dfc-generated | -| System;Uri;TryCreate;(System.Uri,System.String,System.Uri);Argument[1];ReturnValue.SyntheticField[System.Uri._string];value;dfc-generated | -| System;Uri;TryCreate;(System.Uri,System.Uri,System.Uri);Argument[0];ReturnValue;taint;df-generated | -| System;Uri;TryCreate;(System.Uri,System.Uri,System.Uri);Argument[1];ReturnValue;taint;df-generated | +| System;Uri;TryCreate;(System.String,System.UriCreationOptions,System.Uri);Argument[0];Argument[2];taint;manual | +| System;Uri;TryCreate;(System.String,System.UriKind,System.Uri);Argument[0];Argument[2];taint;manual | +| System;Uri;TryCreate;(System.Uri,System.String,System.Uri);Argument[0];Argument[2];taint;manual | +| System;Uri;TryCreate;(System.Uri,System.String,System.Uri);Argument[1];Argument[2];taint;manual | +| System;Uri;TryCreate;(System.Uri,System.Uri,System.Uri);Argument[0];Argument[2];taint;manual | +| System;Uri;TryCreate;(System.Uri,System.Uri,System.Uri);Argument[1];Argument[2];taint;manual | | System;Uri;TryEscapeDataString;(System.ReadOnlySpan,System.Span,System.Int32);Argument[0].Element;Argument[1].Element;value;dfc-generated | | System;Uri;TryUnescapeDataString;(System.ReadOnlySpan,System.Span,System.Int32);Argument[0].Element;Argument[1].Element;value;dfc-generated | | System;Uri;UnescapeDataString;(System.ReadOnlySpan);Argument[0].Element;ReturnValue;taint;dfc-generated | | System;Uri;UnescapeDataString;(System.String);Argument[0];ReturnValue;value;dfc-generated | | System;Uri;Uri;(System.String);Argument[0];Argument[this];taint;manual | | System;Uri;Uri;(System.String,System.Boolean);Argument[0];Argument[this];taint;manual | -| System;Uri;Uri;(System.String,System.UriCreationOptions);Argument[0];Argument[this].SyntheticField[System.Uri._string];value;dfc-generated | +| System;Uri;Uri;(System.String,System.UriCreationOptions);Argument[0];Argument[this];taint;manual | | System;Uri;Uri;(System.String,System.UriKind);Argument[0];Argument[this];taint;manual | -| System;Uri;Uri;(System.Uri,System.String);Argument[1];Argument[this].SyntheticField[System.Uri._string];value;dfc-generated | -| System;Uri;Uri;(System.Uri,System.String,System.Boolean);Argument[1];Argument[this].SyntheticField[System.Uri._string];value;dfc-generated | +| System;Uri;Uri;(System.Uri,System.String);Argument[0];Argument[this];taint;manual | +| System;Uri;Uri;(System.Uri,System.String);Argument[1];Argument[this];taint;manual | +| System;Uri;Uri;(System.Uri,System.String,System.Boolean);Argument[0];Argument[this];taint;manual | +| System;Uri;Uri;(System.Uri,System.String,System.Boolean);Argument[1];Argument[this];taint;manual | | System;Uri;Uri;(System.Uri,System.Uri);Argument[0];Argument[this];taint;df-generated | | System;Uri;Uri;(System.Uri,System.Uri);Argument[1];Argument[this];taint;df-generated | | System;Uri;get_AbsolutePath;();Argument[this];ReturnValue;taint;df-generated | +| System;Uri;get_AbsoluteUri;();Argument[this];ReturnValue;taint;manual | | System;Uri;get_Authority;();Argument[this];ReturnValue;taint;df-generated | -| System;Uri;get_DnsSafeHost;();Argument[this].Property[System.Uri.IdnHost];ReturnValue;value;dfc-generated | +| System;Uri;get_DnsSafeHost;();Argument[this];ReturnValue;taint;manual | | System;Uri;get_Host;();Argument[this];ReturnValue;taint;df-generated | | System;Uri;get_IdnHost;();Argument[this];ReturnValue;taint;df-generated | -| System;Uri;get_LocalPath;();Argument[this].SyntheticField[System.Uri._string];ReturnValue;value;dfc-generated | +| System;Uri;get_LocalPath;();Argument[this];ReturnValue;taint;manual | | System;Uri;get_OriginalString;();Argument[this];ReturnValue;taint;manual | | System;Uri;get_PathAndQuery;();Argument[this];ReturnValue;taint;manual | | System;Uri;get_Query;();Argument[this];ReturnValue;taint;manual | From cc76cdb79550b54f92e8f4e11d44023fd38afacc Mon Sep 17 00:00:00 2001 From: Lindsay Simpkins Date: Fri, 28 Mar 2025 00:27:34 -0400 Subject: [PATCH 2/2] rename change note file --- .../{2025-03-27.md => 2025-03-27-update-system.uri-model.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename csharp/ql/lib/change-notes/{2025-03-27.md => 2025-03-27-update-system.uri-model.md} (100%) diff --git a/csharp/ql/lib/change-notes/2025-03-27.md b/csharp/ql/lib/change-notes/2025-03-27-update-system.uri-model.md similarity index 100% rename from csharp/ql/lib/change-notes/2025-03-27.md rename to csharp/ql/lib/change-notes/2025-03-27-update-system.uri-model.md