added initial unsafe typenamehandling queries

Author: chanel-y

csharp/ql/lib/semmle/code/csharp/security/dataflow/TypeNameHandlingQuery.qll

@@ -0,0 +1,134 @@
+import csharp
+import semmle.code.csharp.security.dataflow.flowsources.Remote
+import semmle.code.csharp.serialization.Deserializers
+
+class BadTypeHandling extends Expr {
+  BadTypeHandling() {
+    exists(Enum e, EnumConstant c |
+      e.hasFullyQualifiedName("Newtonsoft.Json", "TypeNameHandling") and
+      c = e.getAnEnumConstant() and
+      this = c.getAnAccess() and
+      not c.hasName("None")
+    ) or 
+    this.(IntegerLiteral).getValue().toInt() > 0
+  }
+}
+
+class TypeNameHandlingProperty extends Property {
+    TypeNameHandlingProperty() {
+      this.hasFullyQualifiedName("Newtonsoft.Json", ["JsonSerializerSettings", "JsonSerializer"], "TypeNameHandling")
+    }
+}
+
+class TypeNameHandlingPropertyWrite extends PropertyWrite {
+  TypeNameHandlingPropertyWrite() { this.getProperty() instanceof TypeNameHandlingProperty }
+
+  Expr getAssignedValue() {
+    exists(AssignExpr a |
+      a.getLValue() = this and
+      result = a.getRValue()
+    )
+  }
+}
+
+class BadTypeHandlingPropertyWrite extends TypeNameHandlingPropertyWrite {
+  BadTypeHandlingPropertyWrite() {
+    exists(BadTypeHandling b | 
+      DataFlow::localExprFlow(b, getAssignedValue())  
+    )
+  }
+}
+
+class BinderPropertyWrite extends PropertyWrite {
+  BinderPropertyWrite() {
+    this.getProperty().hasFullyQualifiedName("Newtonsoft.Json", ["JsonSerializerSettings", "JsonSerializer"], ["SerializationBinder", "Binder"])
+  }
+}
+
+module UserInputToDeserializeObjectCallConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
+    source instanceof RemoteFlowSource
+  }
+
+  predicate isSink(DataFlow::Node sink) {
+    exists(MethodCall mc | 
+      mc.getTarget().hasFullyQualifiedName("Newtonsoft.Json.JsonConvert", _) and 
+      mc.getTarget().hasUndecoratedName("DeserializeObject") and 
+      sink.asExpr() = mc.getAnArgument()
+    )
+  }
+  predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ){
+    exists(MethodCall ma |
+      ma.getTarget().hasName("ToString") and
+      ma.getQualifier() = pred.asExpr() and
+      succ.asExpr() = ma
+    )
+  }
+}
+
+module UserInputToDeserializeObjectCallFlow = TaintTracking::Global<UserInputToDeserializeObjectCallConfig>;
+
+
+module UnsafeTypeNameHandlingFlowConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
+    source.asExpr() instanceof BadTypeHandling
+  }
+
+  predicate isSink(DataFlow::Node sink) {
+    exists(TypeNameHandlingPropertyWrite prop | sink = DataFlow::exprNode(prop.getAssignedValue()))
+  }
+
+  predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
+}
+
+module UnsafeTypeNameHandlingFlow = DataFlow::Global<UnsafeTypeNameHandlingFlowConfig>;
+
+/**
+ * An ObjectCreation of type `Newtonson.Json.JsonSerializerSettings.JsonSerializerSettings` or  `Newtonson.Json.JsonSerializerSettings.JsonSerializer`.
+ */
+class JsonSerializerSettingsCreation extends ObjectCreation {
+  JsonSerializerSettingsCreation() {
+    this.getTarget()
+        .hasFullyQualifiedName("Newtonsoft.Json.JsonSerializerSettings", "JsonSerializerSettings") or 
+    this.getTarget()
+        .hasFullyQualifiedName("Newtonsoft.Json.JsonSerializer", "JsonSerializer")        
+  }
+  Class getAssignedBinderType(){
+    exists(AssignExpr ae | 
+      ae.getLValue() = this.getBinderPropertyWrite() and
+      ae.getRValue().getType() = result  
+    )
+  }
+
+  BinderPropertyWrite getBinderPropertyWrite() {
+    result = this.getPropertyWrite()
+  }
+
+  TypeNameHandlingPropertyWrite getTypeNameHandlingPropertyWrite() {
+    result = this.getPropertyWrite()
+  }
+
+  PropertyWrite getPropertyWrite(){
+    result = this.getInitializer().getAChild*()
+    or
+    // Direct local flow via some intermediary
+    DataFlow::localExprFlow(this, result.getQualifier())
+    or
+    // Local flow via property writes
+    hasPropertyWrite(result)
+  }
+
+  /**
+   * The qualifier to `pw` is a property, which this value flows into somewhere locally.
+   * Janky local DF. 
+   * */
+  bindingset[pw]
+  pragma[inline_late]
+  predicate hasPropertyWrite(PropertyWrite pw){
+    exists(Assignment a |
+      a.getRValue() = this
+      and a.getLValue().(PropertyAccess).getTarget() = pw.getQualifier().(PropertyAccess).getTarget()
+      and a.getEnclosingCallable() = pw.getEnclosingCallable()
+    )
+  }
+}

csharp/ql/src/Security Features/CWE-502/UnsafeTypeNameHandling.ql

@@ -0,0 +1,24 @@
+/**
+ * @name Unsafe TypeNameHandling used with an insecure binder implementation
+ * @description Checks for when JsonSerializer that also uses an unsafe TypeNameHandling setting is used to deserialize user input
+ * @id cs/unsafe-type-name-handling
+ * @kind problem
+ * @problem.severity warning
+ * @precision high
+ * @tags security
+ *       external/cwe/cwe-502
+ */
+
+import csharp
+import semmle.code.csharp.security.dataflow.TypeNameHandlingQuery
+
+from
+  JsonSerializerSettingsCreation oc, TypeNameHandlingPropertyWrite pw, DataFlow::Node source,
+  DataFlow::Node sink
+where
+  pw = oc.getTypeNameHandlingPropertyWrite() and
+  sink = DataFlow::exprNode(pw.getAssignedValue()) and
+  UnsafeTypeNameHandlingFlow::flow(source, sink)
+select oc.getAssignedBinderType().getAMethod("BindToType"),
+  "This is the BindToType() implementation used in $@ with $@. Ensure that it checks the TypeName against an allow or deny list, and returns null or throws an exception when passed an unexpected type", oc, "JsonSerializerSettings",
+  pw.getAssignedValue(), "an unsafe TypeNameHandling value"

csharp/ql/src/Security Features/CWE-502/UnsafeTypeNameHandlingInDefaultSetting.ql

@@ -0,0 +1,48 @@
+/**
+ * @name Unsafe TypeNameHandling assigned to JsonConvert.DefaultSetting
+ * @description Using an unsafe TypeNameHandling constant is a security vulnerability.
+ * @kind problem
+ * @id cs/unsafe-type-name-handling-default-setting
+ * @problem.severity error
+ * @precision high
+ * @tags security
+ *       external/cwe/cwe-502
+ */
+
+import csharp
+import semmle.code.csharp.security.dataflow.TypeNameHandlingQuery
+import semmle.code.csharp.dataflow.internal.DataFlowPrivate as DataFlowPrivate
+
+module TypeNameHandlingDefaultSettingsFlowConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
+    source.asExpr() instanceof JsonSerializerSettingsCreation
+  }
+
+  predicate isSink(DataFlow::Node sink) {
+    exists(AssignExpr ae, PropertyWrite pw |
+      pw.getProperty().hasFullyQualifiedName("Newtonsoft.Json.JsonConvert", "DefaultSettings") and
+      sink.asExpr() = ae.getRValue() and
+      pw = ae.getLValue()
+    )
+  }
+
+  predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
+    // Step from the dataflow node representing the return value of the lambda to the lambda itself.
+    exists(LambdaExpr le |
+      pred.(DataFlowPrivate::ReturnNode).getEnclosingCallable() = le and
+      le = succ.asExpr()
+    )
+  }
+}
+
+module TypeNameHandlingDefaultSettingsFlow =
+  TaintTracking::Global<TypeNameHandlingDefaultSettingsFlowConfig>;
+
+from DataFlow::Node badTypeNameHandling, DataFlow::Node typeNameHandlingPropertyWrite
+where
+  TypeNameHandlingDefaultSettingsFlow::flow(badTypeNameHandling, typeNameHandlingPropertyWrite) and
+  // Detecting if there exists some flow from user input to a call that could use the unsafe settings
+  // Not including the actual flow in the results because doing so a cartesian product as the two flows are unrelated
+  UserInputToDeserializeObjectCallFlow::flow(_, _)
+select badTypeNameHandling,
+  "Assignment of this TypeNameHandling constant to JsonConvert.DefaultSettings is unsafe"

csharp/ql/src/Security Features/CWE-502/UnsafeTypeNameHandlingInStartup.ql

@@ -0,0 +1,35 @@
+/**
+ * @name Unsafe TypeNameHandling in Startup
+ * @description Using an unsafe TypeNameHandling constant is a security vulnerability.
+ * @kind problem
+ * @id cs/unsafe-type-name-handling-in-startup
+ * @problem.severity error
+ * @precision high
+ * @tags security
+ *       external/cwe/cwe-502
+ */
+
+import csharp
+import semmle.code.csharp.security.dataflow.TypeNameHandlingQuery
+
+class AddJsonOptionsCall extends MethodCall {
+  AddJsonOptionsCall() {
+    this.getTarget()
+        .hasFullyQualifiedName("Microsoft.Extensions.DependencyInjection.NewtonsoftJsonMvcBuilderExtensions",
+          "AddNewtonsoftJson") or
+    this.getTarget()
+        .hasFullyQualifiedName("Microsoft.Extensions.DependencyInjection.MvcJsonMvcBuilderExtensions",
+          "AddJsonOptions")
+  }
+}
+
+from
+  TypeNameHandlingPropertyWrite pw, AddJsonOptionsCall addJsonOptions,
+  DataFlow::Node badTypeNameHandling, DataFlow::Node typeNameHandlingPropertyWrite
+where
+  addJsonOptions.getEnclosingCallable().hasName("ConfigureServices") and
+  addJsonOptions.getAChild*() = pw and
+  typeNameHandlingPropertyWrite = DataFlow::exprNode(pw.getAssignedValue()) and
+  UnsafeTypeNameHandlingFlow::flow(badTypeNameHandling, typeNameHandlingPropertyWrite) and
+  UserInputToDeserializeObjectCallFlow::flow(_, _)
+select badTypeNameHandling, "Use of this TypeNameHandling constant in Startup.cs is unsafe"

csharp/ql/src/Security Features/CWE-502/UnsafeTypeNameHandlingWithoutBinder.ql

@@ -0,0 +1,103 @@
+/**
+ * @name Unsafe TypeNameHandling without Binder to deserialize user input
+ * @description Using an unsafe TypeNameHandling constant is a security vulnerability.
+ * @kind path-problem
+ * @id cs/unsafe-type-name-handling-without-binder
+ * @problem.severity error
+ * @precision high
+ * @tags security
+ *       external/cwe/cwe-502
+ */
+
+import csharp
+import semmle.code.csharp.serialization.Deserializers
+import semmle.code.csharp.security.dataflow.TypeNameHandlingQuery
+
+class DeserializeArg extends Expr {
+  MethodCall deserializeCall; 
+  DeserializeArg() {
+    deserializeCall.getTarget() instanceof NewtonsoftJsonConvertClassDeserializeObjectMethod and
+    deserializeCall.getAnArgument() = this
+  }
+  MethodCall getDeserializeCall() {
+    result = deserializeCall
+  }
+}
+
+class JsonSerializerSettingsArg extends DeserializeArg {
+  JsonSerializerSettingsArg() {
+    this.getType() instanceof JsonSerializerSettingsClass
+  }
+}
+
+predicate hasBinderSet(JsonSerializerSettingsArg arg) {
+  // //passed as argument to initializer
+  exists(BinderFlow::PathNode sink | 
+    sink.isSink() and
+    sink.getNode().asExpr() = arg
+  ) or
+  //set in later Propertywrite
+  exists(PropertyWrite pw |
+    pw.getProperty().hasName(["Binder", "SerializationBinder"]) and
+    pw.getQualifier().(Access).getTarget() = arg.(Access).getTarget()
+  )
+}
+
+module BinderConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source){
+    exists(ObjectCreation oc, MemberInitializer mi |
+      oc.getInitializer().(ObjectInitializer).getAMemberInitializer() = mi and
+      mi.getInitializedMember().hasName(["Binder", "SerializationBinder"]) and
+      source.asExpr() = oc
+    )
+  }
+  predicate isSink(DataFlow::Node sink){
+    sink.asExpr() instanceof JsonSerializerSettingsArg
+  }
+}
+module BinderFlow = DataFlow::Global<BinderConfig>;
+
+module TypeNameFlowConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
+    source.asExpr() instanceof BadTypeHandling
+  }
+
+  predicate isSink(DataFlow::Node sink) {
+    exists(JsonSerializerSettingsArg arg |
+      not hasBinderSet(arg) and
+      sink.asExpr() = arg
+    )
+  }
+
+  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    node1.asExpr() instanceof IntegerLiteral and
+    node2.asExpr().(CastExpr).getExpr() = node1.asExpr()
+    or
+    node1.getType() instanceof TypeNameHandlingEnum and
+    exists(TypeNameHandlingPropertyWrite pw, Assignment a |
+      a.getLValue() = pw and
+      (
+        node1.asExpr() = a.getRValue() and
+        node2.asExpr() = pw.getQualifier()
+        or
+        exists(ObjectInitializer oi |
+          node1.asExpr() = oi.getAMemberInitializer().getRValue() and
+          node2.asExpr() = oi
+        )
+      )
+    )
+  }
+}
+
+module TypeNameFlow = DataFlow::Global<TypeNameFlowConfig>;
+
+from 
+UserInputToDeserializeObjectCallFlow::PathNode userInput, UserInputToDeserializeObjectCallFlow::PathNode deserializeArg,
+DataFlow::Node badTypeNameHandling, DataFlow::Node typeNameHandlingSettingArg, 
+BadTypeHandling bth
+where 
+TypeNameFlow::flow(badTypeNameHandling, typeNameHandlingSettingArg) and 
+UserInputToDeserializeObjectCallFlow::flowPath(userInput, deserializeArg) and 
+deserializeArg.getNode().asExpr().(DeserializeArg).getDeserializeCall() =  typeNameHandlingSettingArg.asExpr().(JsonSerializerSettingsArg).getDeserializeCall() and
+bth = badTypeNameHandling.asExpr()
+select deserializeArg.getNode(), userInput, deserializeArg, "Use of $@ constant to deserialize user-controlled input is unsafe", bth, "this Json.net TypeNameHandling"