[dotnet] Missing Taint Flow from [WebMethod] Parameter Objects to Properties/Fields
#21567
-
Beta Was this translation helpful? Give feedback.
Replies: 4 comments 15 replies
This comment was marked as duplicate.
This comment was marked as duplicate.
-
|
Hello, I think you just quoted my answer without any comment is it normal ? |
Beta Was this translation helpful? Give feedback.
-
|
I think I found the issue but I don't know how to fix it, here this class does not have associated I found an example for ASP.NET Core here but it's not transitive. It's possible to have something like this: public class AddresDto
{
public string City {get; set;}
}
public class UserDto
{
public AddresDto Address {get; set;}
} Also the I tried to make a fix but it need some recursion to get a property of a property. So I think it would be easier to taint outputs of getters like in spring and Java. It's internal CodeQL code so I don't know how to approach this. |
Beta Was this translation helpful? Give feedback.
-
|
Thank you for the question. You are right,
It is worth noting that all uses of types used as eg. a parameter type for an ASP.NET action method will have their members tainted with this logic. That is, introducing taint members logic can yield results other places in the code - as it is the use of the type in the ASP.NET context that decides whether we consider the members tainted (in all use-cases in a given database). I don't think the I will try and draft a PR for generally tainting members on types used in ASP.NET, but I am not sure that we will be able to merge it - as it might be considered a bit to controversial to introduce in general (in case we don't merge it, you are than welcome to use the code in your own query). |
Beta Was this translation helpful? Give feedback.
-
|
I think that the ASP.NET Core equivalent should also be affected by this change, what do you think ? private class AspNetCoreRemoteFlowSourceMember extends TaintTracking::TaintedMember, Property {
AspNetCoreRemoteFlowSourceMember() {
this.getDeclaringType() = any(AspNetCoreRemoteFlowSource source).getType() and
this.isPublic() and
not this.isStatic() and
this.isAutoImplemented() and
this.getGetter().isPublic() and
this.getSetter().isPublic()
}
} |
Beta Was this translation helpful? Give feedback.
-
For instance (from the test case in the PR), we have [WebMethod]
public void MyMethod(MyData data) { ... }This means that in all other places where use the type public void M() {
MyData d = GetTaintedMyData();
// All properties and fields of `d` are now recursively tainted as well, because the type `MyData` is used as a parameter type in `MyMethod`
} Even though |
Beta Was this translation helpful? Give feedback.
-
|
Btw. would it make sense to require that a type is |
Beta Was this translation helpful? Give feedback.
-
Yes, if we end up merging it, then that is probably a good idea! |
Beta Was this translation helpful? Give feedback.
-
I think the requirement is only on Getter/Setters.
So why taint Properties and not output of Getters in this case ? How is it handled in other languages ? |
Beta Was this translation helpful? Give feedback.
-
|
Thank you for the input. The PR has been merged and can be found here. |
Beta Was this translation helpful? Give feedback.
-
|
Thank you so much for your time and for this PR 🚀 |
Beta Was this translation helpful? Give feedback.
-
|
I really appreciate the input and sorry for the delay (other stuff came up, which caused the delay). |
Beta Was this translation helpful? Give feedback.
-
Beta Was this translation helpful? Give feedback.
Thank you for the input. The PR has been merged and can be found here.