added queries + unit tests

Author: chanel-y

csharp/ql/src/Security Features/CWE-502/UnsafeTypeNameHandling.qhelp

@@ -0,0 +1,38 @@
+<!DOCTYPE qhelp PUBLIC
+"-//Semmle//qhelp//EN"
+"qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>This query checks for flow from a user input source to a Newtonsoft.Json DeserializeObject call that uses an unsafe TypeNameHandling setting and has a SerializationBinder set.</p>
+
+<p> The <a href="https://www.newtonsoft.com/json/help/html/T_Newtonsoft_Json_TypeNameHandling.htm"> Newtonsoft.Json.TypeNameHandling </a> enumeration value of <code>Auto</code> or <code>All</code> is vulnerable when deserializing untrusted data. 
+    An attacker could modify the serialized data to include unexpected types to inject objects with malicious side effects. 
+    An attack against an insecure deserializer could, for example, execute commands on the underlying operating system, communicate over the network, or delete files.</p>
+</overview>
+
+<recommendation>
+<p>Use the <a href="https://www.newtonsoft.com/json/help/html/T_Newtonsoft_Json_TypeNameHandling.htm">TypeNameHandling</a> value of <code>None</code>, or use a custom ISerializationBinder.</p>
+</recommendation>
+
+<example>
+
+<p>Violation:</p>
+
+<sample src="examples/UnsafeTypeNameHandlingBad.cs" />
+
+<p>Solution using TypeNameHandling.None:</p>
+
+<sample src="examples/UnsafeTypeNameHandlingGood.cs" />
+
+<p>Solution using custom ISerializationBinder: </p>
+
+<sample src="examples/UnsafeTypeNameHandlingWithBinderGood.cs" />
+
+</example>
+
+<references>
+<li>Microsoft: <a href="https://docs.microsoft.com/en-us/dotnet/fundamentals/code-analysis/quality-rules/ca2326">Do Not Use TypeNameHandling Values Other Than None</a>.</li>
+</references>
+
+</qhelp>

csharp/ql/src/Security Features/CWE-502/UnsafeTypeNameHandlingInDefaultSetting.qhelp

@@ -0,0 +1,39 @@
+<!DOCTYPE qhelp PUBLIC
+"-//Semmle//qhelp//EN"
+"qhelp.dtd">
+<qhelp>
+
+<overview>
+<p> The <a href="https://www.newtonsoft.com/json/help/html/T_Newtonsoft_Json_TypeNameHandling.htm"> Newtonsoft.Json.TypeNameHandling </a> enumeration value of other than <code>None</code> is vulnerable when deserializing untrusted data. 
+    An attacker could modify the serialized data to include unexpected types to inject objects with malicious side effects. 
+    An attack against an insecure deserializer could, for example, execute commands on the underlying operating system, communicate over the network, or delete files.</p>
+
+<p>This query detects assignment of unsafe <code>TypeNameHandling</code> values to <code>JsonConvert.DefaultSettings</code>, and where these settings are used to deserialize user input</p>
+
+</overview>
+
+<recommendation>
+<p>Use the <a href="https://www.newtonsoft.com/json/help/html/T_Newtonsoft_Json_TypeNameHandling.htm">TypeNameHandling</a> value of <code>None</code>, or use a custom ISerializationBinder.</p>
+</recommendation>
+
+<example>
+
+<p>Violation:</p>
+
+<sample src="examples/UnsafeTypeNameHandlingBad.cs" />
+
+<p>Solution using <code>TypeNameHandling.None</code>:</p>
+
+<sample src="examples/UnsafeTypeNameHandlingGood.cs" />
+
+<p>Solution using custom <code>ISerializationBinder</code>: </p>
+
+<sample src="examples/UnsafeTypeNameHandlingWithBinderGood.cs" />
+
+</example>
+
+<references>
+<li>Microsoft: <a href="https://docs.microsoft.com/en-us/dotnet/fundamentals/code-analysis/quality-rules/ca2326">Do Not Use TypeNameHandling Values Other Than None</a>.</li>
+</references>
+
+</qhelp>

csharp/ql/src/Security Features/CWE-502/UnsafeTypeNameHandlingInStartup.qhelp

@@ -0,0 +1,39 @@
+<!DOCTYPE qhelp PUBLIC
+"-//Semmle//qhelp//EN"
+"qhelp.dtd">
+<qhelp>
+
+<overview>
+<p> The <a href="https://www.newtonsoft.com/json/help/html/T_Newtonsoft_Json_TypeNameHandling.htm"> Newtonsoft.Json.TypeNameHandling </a> enumeration value of other than <code>None</code> is vulnerable when deserializing untrusted data. 
+    An attacker could modify the serialized data to include unexpected types to inject objects with malicious side effects. 
+    An attack against an insecure deserializer could, for example, execute commands on the underlying operating system, communicate over the network, or delete files.</p>
+
+<p>This query detects assignment of unsafe <code>TypeNameHandling</code> values in <code>Startup.cs</code> using <code>AddJsonOptions</code> or <code>AddNewtonsoftJson</code>, and where these settings are used to deserialize user input</p>
+
+</overview>
+
+<recommendation>
+<p>Use the <a href="https://www.newtonsoft.com/json/help/html/T_Newtonsoft_Json_TypeNameHandling.htm">TypeNameHandling</a> value of <code>None</code>, or use a custom ISerializationBinder.</p>
+</recommendation>
+
+<example>
+
+<p>Violation:</p>
+
+<sample src="examples/UnsafeTypeNameHandlingBad.cs" />
+
+<p>Solution using <code>TypeNameHandling.None</code>:</p>
+
+<sample src="examples/UnsafeTypeNameHandlingGood.cs" />
+
+<p>Solution using custom <code>ISerializationBinder</code>: </p>
+
+<sample src="examples/UnsafeTypeNameHandlingWithBinderGood.cs" />
+
+</example>
+
+<references>
+<li>Microsoft: <a href="https://docs.microsoft.com/en-us/dotnet/fundamentals/code-analysis/quality-rules/ca2326">Do Not Use TypeNameHandling Values Other Than None</a>.</li>
+</references>
+
+</qhelp>

csharp/ql/src/Security Features/CWE-502/UnsafeTypeNameHandlingWithoutBinder.qhelp

@@ -0,0 +1,39 @@
+<!DOCTYPE qhelp PUBLIC
+"-//Semmle//qhelp//EN"
+"qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>This query checks for flow from a user input source to a Newtonsoft.Json DeserializeObject call that uses an unsafe TypeNameHandling setting and has no SerializationBinder set.</p>
+
+
+<p> The <a href="https://www.newtonsoft.com/json/help/html/T_Newtonsoft_Json_TypeNameHandling.htm"> Newtonsoft.Json.TypeNameHandling </a> enumeration value of <code>Auto</code> or <code>All</code> is vulnerable when deserializing untrusted data. 
+    An attacker could modify the serialized data to include unexpected types to inject objects with malicious side effects. 
+    An attack against an insecure deserializer could, for example, execute commands on the underlying operating system, communicate over the network, or delete files.</p>
+</overview>
+
+<recommendation>
+<p>Use the <a href="https://www.newtonsoft.com/json/help/html/T_Newtonsoft_Json_TypeNameHandling.htm">TypeNameHandling</a> value of <code>None</code>, or use a custom ISerializationBinder.</p>
+</recommendation>
+
+<example>
+
+<p>Violation:</p>
+
+<sample src="examples/UnsafeTypeNameHandlingBad.cs" />
+
+<p>Solution using TypeNameHandling.None:</p>
+
+<sample src="examples/UnsafeTypeNameHandlingGood.cs" />
+
+<p>Solution using custom ISerializationBinder: </p>
+
+<sample src="examples/UnsafeTypeNameHandlingWithBinderGood.cs" />
+
+</example>
+
+<references>
+<li>Microsoft: <a href="https://docs.microsoft.com/en-us/dotnet/fundamentals/code-analysis/quality-rules/ca2326">Do Not Use TypeNameHandling Values Other Than None</a>.</li>
+</references>
+
+</qhelp>

csharp/ql/src/Security Features/CWE-502/UnsafeTypeNameHandlingWithoutBinder.ql

@@ -91,6 +91,8 @@ module TypeNameFlowConfig implements DataFlow::ConfigSig {
 
 module TypeNameFlow = DataFlow::Global<TypeNameFlowConfig>;
 
+import UserInputToDeserializeObjectCallFlow::PathGraph
+
 from 
 UserInputToDeserializeObjectCallFlow::PathNode userInput, UserInputToDeserializeObjectCallFlow::PathNode deserializeArg,
 DataFlow::Node badTypeNameHandling, DataFlow::Node typeNameHandlingSettingArg, 

csharp/ql/src/Security Features/CWE-502/examples/UnsafeTypeNameHandlingBad.cs

@@ -0,0 +1,10 @@
+using Newtonsoft.Json;
+public class ExampleClass
+{
+    public JsonSerializerSettings Settings { get; }
+    public ExampleClass()
+    {
+        Settings = new JsonSerializerSettings();
+        Settings.TypeNameHandling = TypeNameHandling.All; // BAD
+    }
+}

csharp/ql/src/Security Features/CWE-502/examples/UnsafeTypeNameHandlingGood.cs

@@ -0,0 +1,9 @@
+using Newtonsoft.Json;
+public class ExampleClass
+{
+    public JsonSerializerSettings Settings { get; }
+    public ExampleClass()
+    {
+        Settings = new JsonSerializerSettings(); // GOOD: The default value of Settings.TypeNameHandling is TypeNameHandling.None.
+    }
+}

csharp/ql/src/Security Features/CWE-502/examples/UnsafeTypeNameHandlingWithBinderGood.cs

@@ -0,0 +1,43 @@
+using Newtonsoft.Json;
+using Newtonsoft.Json.Serialization;
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Text;
+using System.Threading.Tasks;
+
+namespace TypeHandlingSample
+{
+    public class KnownTypesBinder : ISerializationBinder
+    {
+        public IList<Type> KnownTypes { get; set; }
+
+        public Type BindToType(string assemblyName, string typeName)
+        {
+            return KnownTypes.SingleOrDefault(t => t.Name == typeName);
+        }
+
+        public void BindToName(Type serializedType, out string assemblyName, out string typeName)
+        {
+            assemblyName = null;
+            typeName = serializedType.Name;
+        }
+    }
+    public class SomeClass
+    {
+        public string Name { get; set; }
+    }
+
+    internal class Okay
+    {
+        public JsonSerializerSettings Settings { get; }
+        public KnownTypesBinder Binder { get; }
+        public Okay()
+        {
+            Settings = new JsonSerializerSettings();
+            Binder = new KnownTypesBinder { KnownTypes = new List<Type> { typeof(SomeClass) } };
+            Settings.SerializationBinder = Binder; 
+            Settings.TypeNameHandling = TypeNameHandling.All; // Okay, because SerializationBinder set to custom ISerializationBinder
+        }
+    }
+}

csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeTypeNameHandling/Test.cs

@@ -0,0 +1,94 @@
+using System;
+using System.Web;
+using System.Text;
+using System.Collections.Generic;
+using Newtonsoft.Json;
+using Newtonsoft.Json.Serialization;
+using System.Threading.Tasks;
+
+namespace TypeHandlingSample
+{
+    public class BadBinder : ISerializationBinder
+    {
+        public void BindToName(Type serializedType, out string assemblyName, out string typeName)
+        {
+            assemblyName = serializedType.Assembly.FullName;
+            typeName = serializedType.Name;
+        }
+
+        public Type BindToType(string assemblyName, string typeName) // $ Alert
+        {
+            return Type.GetType(typeName);
+        }
+    }
+
+    public class OkayBinder : DefaultSerializationBinder
+    {
+        public List<string> okayTypes;
+        public override Type BindToType(string? assemblyName, string typeName) // $ Alert
+        {
+            if (okayTypes.Contains(typeName))
+            {
+                return Type.GetType(typeName);
+
+            }
+            else
+            {
+                throw new Exception("unexpected type");
+            }
+        }
+    }
+
+    public class OkayBinder2 : ISerializationBinder
+    {
+        private readonly ISerializationBinder innerBinder;
+
+        public void BindToName(Type serializedType, out string? assemblyName, out string? typeName)
+        {
+            this.innerBinder.BindToName(serializedType, out assemblyName, out typeName);
+        }
+        public Type BindToType(string? assemblyName, string typeName) // $ Alert
+        {
+            return this.innerBinder.BindToType(assemblyName, typeName);
+        }
+    }
+
+    public class Test
+    {
+        public JsonSerializerSettings SettingsBad { get; }
+
+        public JsonSerializerSettings SettingsOkay { get; }
+
+        public JsonSerializerSettings SettingsOkay2 { get; }
+
+        public BadBinder badBinder { get; }
+
+        public OkayBinder okayBinder { get; }
+
+        public OkayBinder2 okayBinder2 { get; }
+        public Test()
+        {
+            //Bad, custom binder that does not check type
+            SettingsBad = new JsonSerializerSettings()
+            {
+                SerializationBinder = badBinder,
+                TypeNameHandling = TypeNameHandling.All
+            };
+
+            //OKAY, custom binder that checks type
+            SettingsOkay = new JsonSerializerSettings()
+            {
+                SerializationBinder = okayBinder,
+                TypeNameHandling = TypeNameHandling.All
+            };
+
+             //OKAY, custom binder that returns BindToType() from a member binder
+            SettingsOkay2 = new JsonSerializerSettings()
+            {
+                SerializationBinder = okayBinder2,
+                TypeNameHandling = TypeNameHandling.All
+            };
+        }
+    }
+
+}

csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeTypeNameHandling/UnsafeTypeNameHandling.expected

@@ -0,0 +1,3 @@
+| Test.cs:19:21:19:30 | BindToType | This is the BindToType() implementation used in $@ with $@. Ensure that it checks the TypeName against an allow or deny list, and returns null or throws an exception when passed an unexpected type | Test.cs:72:27:76:13 | object creation of type JsonSerializerSettings | JsonSerializerSettings | Test.cs:75:36:75:55 | access to constant All | an unsafe TypeNameHandling value |
+| Test.cs:28:30:28:39 | BindToType | This is the BindToType() implementation used in $@ with $@. Ensure that it checks the TypeName against an allow or deny list, and returns null or throws an exception when passed an unexpected type | Test.cs:79:28:83:13 | object creation of type JsonSerializerSettings | JsonSerializerSettings | Test.cs:82:36:82:55 | access to constant All | an unsafe TypeNameHandling value |
+| Test.cs:50:21:50:30 | BindToType | This is the BindToType() implementation used in $@ with $@. Ensure that it checks the TypeName against an allow or deny list, and returns null or throws an exception when passed an unexpected type | Test.cs:86:29:90:13 | object creation of type JsonSerializerSettings | JsonSerializerSettings | Test.cs:89:36:89:55 | access to constant All | an unsafe TypeNameHandling value |