reorganize without-binder query to use the existing typenamehandling -> typenamehanlding property flow in the shared qll

Author: chanel-y

csharp/ql/lib/semmle/code/csharp/security/dataflow/TypeNameHandlingQuery.qll

@@ -34,7 +34,7 @@ class TypeNameHandlingPropertyWrite extends PropertyWrite {
 class BadTypeHandlingPropertyWrite extends TypeNameHandlingPropertyWrite {
   BadTypeHandlingPropertyWrite() {
     exists(BadTypeHandling b | 
-      DataFlow::localExprFlow(b, getAssignedValue())  
+      DataFlow::localExprFlow(b, this.getAssignedValue())  
     )
   }
 }
@@ -68,17 +68,101 @@ module UserInputToDeserializeObjectCallConfig implements DataFlow::ConfigSig {
 
 module UserInputToDeserializeObjectCallFlow = TaintTracking::Global<UserInputToDeserializeObjectCallConfig>;
 
+module BinderConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source){
+    exists(ObjectCreation oc, MemberInitializer mi |
+      oc.getInitializer().(ObjectInitializer).getAMemberInitializer() = mi and
+      mi.getInitializedMember().hasName(["Binder", "SerializationBinder"]) and
+      source.asExpr() = oc
+    )
+  }
+  predicate isSink(DataFlow::Node sink){
+    sink.asExpr() instanceof JsonSerializerSettingsArg
+  }
+}
+module BinderFlow = DataFlow::Global<BinderConfig>;
+
+class DeserializeArg extends Expr {
+  MethodCall deserializeCall; 
+  DeserializeArg() {
+    deserializeCall.getTarget() instanceof NewtonsoftJsonConvertClassDeserializeObjectMethod and
+    deserializeCall.getAnArgument() = this
+  }
+  MethodCall getDeserializeCall() {
+    result = deserializeCall
+  }
+}
+
+class JsonSerializerSettingsArg extends DeserializeArg {
+  JsonSerializerSettingsArg() {
+    this.getType() instanceof JsonSerializerSettingsClass
+  }
+}
+
+predicate hasBinderSet(JsonSerializerSettingsArg arg) {
+  // //passed as argument to initializer
+  exists(BinderFlow::PathNode sink | 
+    sink.isSink() and
+    sink.getNode().asExpr() = arg
+  ) or
+  //set in later Propertywrite
+  exists(PropertyWrite pw |
+    pw.getProperty().hasName(["Binder", "SerializationBinder"]) and
+    pw.getQualifier().(Access).getTarget() = arg.(Access).getTarget()
+  )
+}
+
+class TypeNameHandlingPropertySink extends DataFlow::Node {
+  TypeNameHandlingPropertySink() {
+    exists(TypeNameHandlingPropertyWrite pw |
+      this.asExpr() = pw.getAssignedValue()
+    )
+  }
+
+  predicate hasBinderSet() {
+    exists(JsonSerializerSettingsArg arg |
+      this.asExpr() = arg and
+      hasBinderSet(arg)
+    )
+  }
+
+}
 
 module UnsafeTypeNameHandlingFlowConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) {
     source.asExpr() instanceof BadTypeHandling
   }
 
   predicate isSink(DataFlow::Node sink) {
-    exists(TypeNameHandlingPropertyWrite prop | sink = DataFlow::exprNode(prop.getAssignedValue()))
+    sink.asExpr() instanceof JsonSerializerSettingsArg
   }
 
   predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
+
+  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    node1.asExpr() instanceof IntegerLiteral and
+    node2.asExpr().(CastExpr).getExpr() = node1.asExpr()
+    or
+    node1.getType() instanceof TypeNameHandlingEnum and
+    exists(TypeNameHandlingPropertyWrite pw, Assignment a |
+      a.getLValue() = pw and
+      (
+        // Explicit property write: flow from the assigned value to the JsonSerializerSettingsArg
+        // that accesses the same settings variable
+        node1.asExpr() = a.getRValue() and
+        node2.asExpr().(JsonSerializerSettingsArg).(VariableAccess).getTarget() =
+          pw.getQualifier().(VariableAccess).getTarget()
+        or
+        // ObjectInitializer case: flow from the member initializer value to the
+        // ObjectCreation, which then flows locally to the JsonSerializerSettingsArg
+        exists(ObjectInitializer oi, ObjectCreation oc |
+          node1.asExpr() = oi.getAMemberInitializer().getRValue() and
+          oc.getInitializer() = oi and
+          DataFlow::localExprFlow(oc, node2.asExpr().(JsonSerializerSettingsArg))
+        )
+      )
+    )
+  }
 }
 
 module UnsafeTypeNameHandlingFlow = DataFlow::Global<UnsafeTypeNameHandlingFlowConfig>;

csharp/ql/src/Security Features/CWE-502/UnsafeTypeNameHandling.ql

@@ -1,6 +1,6 @@
 /**
- * @name Unsafe TypeNameHandling used with an insecure binder implementation
- * @description Checks for when JsonSerializer that also uses an unsafe TypeNameHandling setting is used to deserialize user input
+ * @name Unsafe TypeNameHandling value
+ * @description Checks for when JsonSerializer that also uses an unsafe TypeNameHandling setting
  * @id cs/unsafe-type-name-handling
  * @kind problem
  * @problem.severity warning

csharp/ql/src/Security Features/CWE-502/UnsafeTypeNameHandlingWithoutBinder.ql

@@ -13,92 +13,15 @@ import csharp
 import semmle.code.csharp.serialization.Deserializers
 import semmle.code.csharp.security.dataflow.TypeNameHandlingQuery
 
-class DeserializeArg extends Expr {
-  MethodCall deserializeCall; 
-  DeserializeArg() {
-    deserializeCall.getTarget() instanceof NewtonsoftJsonConvertClassDeserializeObjectMethod and
-    deserializeCall.getAnArgument() = this
-  }
-  MethodCall getDeserializeCall() {
-    result = deserializeCall
-  }
-}
-
-class JsonSerializerSettingsArg extends DeserializeArg {
-  JsonSerializerSettingsArg() {
-    this.getType() instanceof JsonSerializerSettingsClass
-  }
-}
-
-predicate hasBinderSet(JsonSerializerSettingsArg arg) {
-  // //passed as argument to initializer
-  exists(BinderFlow::PathNode sink | 
-    sink.isSink() and
-    sink.getNode().asExpr() = arg
-  ) or
-  //set in later Propertywrite
-  exists(PropertyWrite pw |
-    pw.getProperty().hasName(["Binder", "SerializationBinder"]) and
-    pw.getQualifier().(Access).getTarget() = arg.(Access).getTarget()
-  )
-}
-
-module BinderConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source){
-    exists(ObjectCreation oc, MemberInitializer mi |
-      oc.getInitializer().(ObjectInitializer).getAMemberInitializer() = mi and
-      mi.getInitializedMember().hasName(["Binder", "SerializationBinder"]) and
-      source.asExpr() = oc
-    )
-  }
-  predicate isSink(DataFlow::Node sink){
-    sink.asExpr() instanceof JsonSerializerSettingsArg
-  }
-}
-module BinderFlow = DataFlow::Global<BinderConfig>;
-
-module TypeNameFlowConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) {
-    source.asExpr() instanceof BadTypeHandling
-  }
-
-  predicate isSink(DataFlow::Node sink) {
-    exists(JsonSerializerSettingsArg arg |
-      not hasBinderSet(arg) and
-      sink.asExpr() = arg
-    )
-  }
-
-  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
-    node1.asExpr() instanceof IntegerLiteral and
-    node2.asExpr().(CastExpr).getExpr() = node1.asExpr()
-    or
-    node1.getType() instanceof TypeNameHandlingEnum and
-    exists(TypeNameHandlingPropertyWrite pw, Assignment a |
-      a.getLValue() = pw and
-      (
-        node1.asExpr() = a.getRValue() and
-        node2.asExpr() = pw.getQualifier()
-        or
-        exists(ObjectInitializer oi |
-          node1.asExpr() = oi.getAMemberInitializer().getRValue() and
-          node2.asExpr() = oi
-        )
-      )
-    )
-  }
-}
-
-module TypeNameFlow = DataFlow::Global<TypeNameFlowConfig>;
-
 import UserInputToDeserializeObjectCallFlow::PathGraph
 
 from 
 UserInputToDeserializeObjectCallFlow::PathNode userInput, UserInputToDeserializeObjectCallFlow::PathNode deserializeArg,
 DataFlow::Node badTypeNameHandling, DataFlow::Node typeNameHandlingSettingArg, 
 BadTypeHandling bth
 where 
-TypeNameFlow::flow(badTypeNameHandling, typeNameHandlingSettingArg) and 
+UnsafeTypeNameHandlingFlow::flow(badTypeNameHandling, typeNameHandlingSettingArg) and 
+not hasBinderSet(typeNameHandlingSettingArg.asExpr().(JsonSerializerSettingsArg)) and
 UserInputToDeserializeObjectCallFlow::flowPath(userInput, deserializeArg) and 
 deserializeArg.getNode().asExpr().(DeserializeArg).getDeserializeCall() =  typeNameHandlingSettingArg.asExpr().(JsonSerializerSettingsArg).getDeserializeCall() and
 bth = badTypeNameHandling.asExpr()