CodeQL library for C#
codeql/csharp-all 0.4.4 (changelog, source)
Search

Module ExternalFlow

INTERNAL use only. This is an experimental API subject to change without notice.

Provides classes and predicates for dealing with MaD flow models specified in data extensions and CSV format.

The CSV specification has the following columns:

  • Sources: namespace; type; subtypes; name; signature; ext; output; kind; provenance
  • Sinks: namespace; type; subtypes; name; signature; ext; input; kind; provenance
  • Summaries: namespace; type; subtypes; name; signature; ext; input; output; kind; provenance
  • Negative Summaries: namespace; type; name; signature; provenance A negative summary is used to indicate that there is no flow via a callable.

The interpretation of a row is similar to API-graphs with a left-to-right reading.

  1. The namespace column selects a namespace.

  2. The type column selects a type within that namespace.

  3. The subtypes is a boolean that indicates whether to jump to an arbitrary subtype of that type.

  4. The name column optionally selects a specific named member of the type.

  5. The signature column optionally restricts the named member. If signature is blank then no such filtering is done. The format of the signature is a comma-separated list of types enclosed in parentheses. The types can be short names or fully qualified names (mixing these two options is not allowed within a single signature).

  6. The ext column specifies additional API-graph-like edges. Currently there are only two valid values: "" and “Attribute”. The empty string has no effect. “Attribute” applies if name and signature were left blank and acts by selecting an element that is attributed with the attribute type selected by the first 4 columns. This can be another member such as a field, property, method, or parameter.

  7. The input column specifies how data enters the element selected by the first 6 columns, and the output column specifies how data leaves the element selected by the first 6 columns. For sinks, an input can be either "", “Argument[n]”, “Argument[n1..n2]”, or “ReturnValue”:

    • "": Selects a write to the selected element in case this is a field or property.
    • “Argument[n]”: Selects an argument in a call to the selected element. The arguments are zero-indexed, and -1 specifies the qualifier.
    • “Argument[n1..n2]”: Similar to “Argument[n]” but select any argument in the given range. The range is inclusive at both ends.
    • “ReturnValue”: Selects a value being returned by the selected element. This requires that the selected element is a method with a body.

    For sources, an output can be either "", “Argument[n]”, “Argument[n1..n2]”, “Parameter”, “Parameter[n]”, “Parameter[n1..n2]”, or “ReturnValue”:

    • "": Selects a read of a selected field, property, or parameter.
    • “Argument[n]”: Selects the post-update value of an argument in a call to the selected element. That is, the value of the argument after the call returns. The arguments are zero-indexed, and -1 specifies the qualifier.
    • “Argument[n1..n2]”: Similar to “Argument[n]” but select any argument in the given range. The range is inclusive at both ends.
    • “Parameter”: Selects the value of a parameter of the selected element. “Parameter” is also allowed in case the selected element is already a parameter itself.
    • “Parameter[n]”: Similar to “Parameter” but restricted to a specific numbered parameter (zero-indexed, and -1 specifies the value of this).
    • “Parameter[n1..n2]”: Similar to “Parameter[n]” but selects any parameter in the given range. The range is inclusive at both ends.
    • “ReturnValue”: Selects the return value of a call to the selected element.

    For summaries, input and output may be prefixed by one of the following, separated by the “of” keyword:

    • “Element”: Selects an element in a collection.
    • “Field[f]”: Selects the contents of field f.
    • “Property[p]”: Selects the contents of property p.
  8. The kind column is a tag that can be referenced from QL to determine to which classes the interpreted elements should be added. For example, for sources “remote” indicates a default remote flow source, and for summaries “taint” indicates a default additional taint step and “value” indicates a globally applicable value-preserving step.

  9. The provenance column is a tag to indicate the origin of the summary. There are two supported values: “generated” and “manual”. “generated” means that the model has been emitted by the model generator tool and “manual” means that the model has been written by hand. This information is used in a heuristic for dataflow analysis to determine, if a model or source code should be used for determining flow.

Import path

import semmle.code.csharp.dataflow.ExternalFlow

Imports

Cached
csharp

The default C# QL library.

Predicates

extNegativeSummaryModel

Holds if a summary model exists indicating there is no flow for the given parameters.

extSinkModel

Holds if a sink model exists for the given parameters.

extSourceModel

Holds if a source model exists for the given parameters.

extSummaryModel

Holds if a summary model exists for the given parameters.

hasSummary

Holds if c has a generated summary.

interpretElement

Gets the source/sink/summary/negativesummary element corresponding to the supplied parameters.

modelCoverage

Holds if MaD framework coverage of namespace is n api endpoints of the kind (kind, part).

negativeSummaryModel

Holds if a summary model exists indicating there is no flow for the given parameters.

sinkModel

Holds if a sink model exists for the given parameters.

sourceModel

Holds if a source model exists for the given parameters.

summaryModel

Holds if a summary model exists for the given parameters.

Classes

UnboundCallable

An unbound callable.

Modules

ModelValidation

Provides a query predicate to check the MaD models for validation errors.

Aliases

NegativeSummaryModelCsv

DEPRECATED: Define negative summary models as data extensions instead.

SinkModelCsv

DEPRECATED: Define sink models as data extensions instead.

SourceModelCsv

DEPRECATED: Define source models as data extensions instead.

SummaryModelCsv

DEPRECATED: Define summary models as data extensions instead.