X Tutup
The Wayback Machine - https://web.archive.org/web/20240121063348/https://github.com/github/codeql/pull/15359
Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

C#: Threat Modeling - Introduce ThreatModelFlowSource #15359

Open
wants to merge 10 commits into
base: main
Choose a base branch
from
Open

C#: Threat Modeling - Introduce ThreatModelFlowSource #15359

wants to merge 10 commits into from

Conversation

egregius313
Copy link
Contributor

Introduces the semmle.code.csharp.security.dataflow.flowsources.FlowSources library, which introduces the ThreatModelFlowSource class.

Like Java's, ThreatModelFlowSource provides a class representing source nodes which respect the current threat model.

@egregius313 egregius313 requested a review from a team as a code owner January 17, 2024 20:49
michaelnebel
michaelnebel reviewed Jan 18, 2024
View reviewed changes
csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/Stored.qll
DbDataReaderPropertyStoredFlowSource() {
this.asExpr().(PropertyAccess).getTarget().getDeclaringType() =
any(SystemDataCommon::DbDataReader dataReader).getASubType*()
}
}

/** A read of a mapped property. */
class ORMMappedProperty extends StoredFlowSource {
class ORMMappedProperty extends DatabaseInputSource {
ORMMappedProperty() {
this instanceof EntityFramework::StoredFlowSource or
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe we should consider to let EntityFramework::StoredFlowSource extends Stored::DatabaseInputSource instead (the same for NHibernate::StoredFlowSource). Then we have the same pattern like for java for different frameworks.
Then OrmMappedProperty should just extend DataFlow::Node (is it used anywhere? If not we can consider to deprecate it).

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Converting EntityFramework::StoredFlowSource and NHibernate::StoredFlowSource to extend DatabaseInputSource makes sense. They are also defined in ways where as I understand it, they cannot be converted to models-as-data.

ORMMappedProperty is not used anywhere directly within our codebase or from what I can find on https://github.com/search. I think it would be reasonable to deprecate it.

michaelnebel
michaelnebel reviewed Jan 18, 2024
View reviewed changes
Copy link
Contributor

@michaelnebel michaelnebel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice work @egregius313 !
Only a couple of minor comments.
We also need to run DCA before merging.

@egregius313
Add dependency on codeql/threat-models shared library
56e3f6b
@egregius313
Introduce the SourceNode and ThreatModelFlowSource classes
7989be4 
1. Introduces the `SourceNode` class which allows dataflow nodes
   representing sources to indicate the threat model they are associated
   with.
2. Introduces the `ThreatModelFlowSource` class which represents a
   source node which respects the threat model configuration
@egregius313
Refactor source node classes to use SourceNode superclass
fe01226 
Refactor the existing flowsource classes to use the `SourceNode` class
to specify which threat model they support.
@egregius313
Rename SourceNode.qll to FlowSources.qll
f712255
@egregius313
C# Threat Modeling Tests
0f37d04
@egregius313
Change note
19059fd
@egregius313
Documentation for FlowSources library
7641936
@egregius313
Remove commented-out code
45589bb
@egregius313
Convert existing mapped-property classes to directly extend `Database…
549d046 
…InputSource`
@egregius313 egregius313 force-pushed the egregius313/csharp/dataflow/threat-modeling/add-threatmodelflowsource branch from 0d1a078 to 549d046 Compare January 18, 2024 21:28
@michaelnebel
Copy link
Contributor

@egregius313 : I have started a DCA run.

@michaelnebel
Copy link
Contributor

DCA looks good.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@michaelnebel michaelnebel michaelnebel left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
C# documentation
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@egregius313 @michaelnebel
X Tutup