First round feedback

Author: Kwstubbs

csharp/ql/src/experimental/CWE-942/CorsMisconfiguration.ql

@@ -14,27 +14,7 @@
 import csharp
 private import DataFlow
 import semmle.code.csharp.frameworks.system.Web
-
-/**
- * Holds if SetIsOriginAllowed always returns true. This sets the Access-Control-Allow-Origin to the requester
- */
-private predicate functionAlwaysReturnsTrue(MethodCall mc) {
-  mc.getTarget()
-      .hasFullyQualifiedName("Microsoft.AspNetCore.Cors.Infrastructure.CorsPolicyBuilder",
-        "SetIsOriginAllowed") and
-  alwaysReturnsTrue(mc.getArgument(0))
-}
-
-/**
- * Holds if `c` always returns `true`.
- */
-private predicate alwaysReturnsTrue(Callable c) {
-  forex(ReturnStmt rs | rs.getEnclosingCallable() = c |
-    rs.getExpr().(BoolLiteral).getBoolValue() = true
-  )
-  or
-  c.getBody().(BoolLiteral).getBoolValue() = true
-}
+import CorsMisconfigurationLib
 
 /**
  * Holds if the application allows an origin using "*" origin.
@@ -52,42 +32,29 @@ private predicate hasDangerousOrigins(MethodCall m) {
   m.getTarget()
       .hasFullyQualifiedName("Microsoft.AspNetCore.Cors.Infrastructure.CorsPolicyBuilder",
         "WithOrigins") and
-  m.getAnArgument().getValue() = ["null", "*"]
-}
-
-/**
- * Holds if UseCors is called with the revlevant cors policy
- */
-private predicate configIsUsed(MethodCall add_policy) {
-  exists(MethodCall uc |
-    uc.getTarget()
-        .hasFullyQualifiedName("Microsoft.AspNetCore.Builder.CorsMiddlewareExtensions", "UseCors") and
-    (
-      uc.getArgument(1).getValue() = add_policy.getArgument(0).getValue() or
-      uc.getArgument(1).(VariableAccess).getTarget() =
-        add_policy.getArgument(0).(VariableAccess).getTarget() or
-      localFlow(DataFlow::exprNode(add_policy.getArgument(0)), DataFlow::exprNode(uc.getArgument(1)))
+  (
+    m.getAnArgument().getValue() = ["null", "*"]
+    or
+    exists(StringLiteral idStr |
+      idStr.getValue().toLowerCase().matches(["null", "*"]) and
+      DataFlow::localExprFlow(idStr, m.getAnArgument())
     )
   )
 }
 
-from MethodCall add_policy, MethodCall m, MethodCall allowsCredentials
+from MethodCall add_policy, MethodCall child
 where
   (
-    add_policy
-        .getTarget()
-        .hasFullyQualifiedName("Microsoft.AspNetCore.Cors.Infrastructure.CorsOptions", "AddPolicy") and
-    add_policy.getArgument(1) = m.getParent*() and
-    configIsUsed(add_policy) and
-    add_policy.getArgument(1) = allowsCredentials.getParent*()
+    usedPolicy(add_policy) and
+    // Misconfigured origin affects used policy
+    add_policy.getArgument(1) = child.getParent*()
     or
     add_policy
         .getTarget()
         .hasFullyQualifiedName("Microsoft.AspNetCore.Cors.Infrastructure.CorsOptions",
           "AddDefaultPolicy") and
-    add_policy.getArgument(0) = m.getParent*() and
-    add_policy.getArgument(0) = allowsCredentials.getParent*()
+    // Misconfigured origin affects added default policy
+    add_policy.getArgument(0) = child.getParent*()
   ) and
-  (hasDangerousOrigins(m) or allowAnyOrigin(m) or functionAlwaysReturnsTrue(m))
-select add_policy,
-  "The following CORS policy may allow credentialed requests from 3rd party websites"
+  (hasDangerousOrigins(child) or allowAnyOrigin(child))
+select add_policy, "The following CORS policy may allow requests from 3rd party websites"

csharp/ql/src/experimental/CWE-942/CorsMisconfigurationCredentials.ql

@@ -14,71 +14,33 @@
 import csharp
 private import DataFlow
 import semmle.code.csharp.frameworks.system.Web
+import CorsMisconfigurationLib
 
 /**
  * Holds if credentials are allowed
  */
-private predicate allowsCredentials(MethodCall credentials) {
-  credentials
-      .getTarget()
-      .hasFullyQualifiedName("Microsoft.AspNetCore.Cors.Infrastructure.CorsPolicyBuilder",
-        "AllowCredentials")
+class AllowsCredentials extends MethodCall {
+  AllowsCredentials() {
+    this.getTarget()
+        .hasFullyQualifiedName("Microsoft.AspNetCore.Cors.Infrastructure.CorsPolicyBuilder",
+          "AllowCredentials")
+  }
 }
 
-/**
- * Holds if SetIsOriginAllowed always returns true. This sets the Access-Control-Allow-Origin to the requester
- */
-private predicate functionAlwaysReturnsTrue(MethodCall mc) {
-  mc.getTarget()
-      .hasFullyQualifiedName("Microsoft.AspNetCore.Cors.Infrastructure.CorsPolicyBuilder",
-        "SetIsOriginAllowed") and
-  alwaysReturnsTrue(mc.getArgument(0))
-}
-
-/**
- * Holds if `c` always returns `true`.
- */
-private predicate alwaysReturnsTrue(Callable c) {
-  forex(ReturnStmt rs | rs.getEnclosingCallable() = c |
-    rs.getExpr().(BoolLiteral).getBoolValue() = true
-  )
-  or
-  c.getBody().(BoolLiteral).getBoolValue() = true
-}
-
-/**
- * Holds if UseCors is called with the revlevant cors policy
- */
-private predicate configIsUsed(MethodCall add_policy) {
-  exists(MethodCall uc |
-    uc.getTarget()
-        .hasFullyQualifiedName("Microsoft.AspNetCore.Builder.CorsMiddlewareExtensions", "UseCors") and
-    (
-      uc.getArgument(1).getValue() = add_policy.getArgument(0).getValue() or
-      uc.getArgument(1).(VariableAccess).getTarget() =
-        add_policy.getArgument(0).(VariableAccess).getTarget() or
-      localFlow(DataFlow::exprNode(add_policy.getArgument(0)), DataFlow::exprNode(uc.getArgument(1)))
-    )
-  )
-}
-
-from MethodCall add_policy, MethodCall m, MethodCall allowsCredentials
+from MethodCall add_policy, MethodCall setIsOriginAllowed, AllowsCredentials allowsCredentials
 where
   (
-    add_policy
-        .getTarget()
-        .hasFullyQualifiedName("Microsoft.AspNetCore.Cors.Infrastructure.CorsOptions", "AddPolicy") and
-    add_policy.getArgument(1) = m.getParent*() and
-    configIsUsed(add_policy) and
+    add_policy.getArgument(1) = setIsOriginAllowed.getParent*() and
+    usedPolicy(add_policy) and
     add_policy.getArgument(1) = allowsCredentials.getParent*()
     or
     add_policy
         .getTarget()
         .hasFullyQualifiedName("Microsoft.AspNetCore.Cors.Infrastructure.CorsOptions",
           "AddDefaultPolicy") and
-    add_policy.getArgument(0) = m.getParent*() and
+    add_policy.getArgument(0) = setIsOriginAllowed.getParent*() and
     add_policy.getArgument(0) = allowsCredentials.getParent*()
   ) and
-  (allowsCredentials(allowsCredentials) and functionAlwaysReturnsTrue(m))
+  setIsOriginAllowedReturnsTrue(setIsOriginAllowed)
 select add_policy,
   "The following CORS policy may allow credentialed requests from 3rd party websites"

csharp/ql/src/experimental/CWE-942/CorsMisconfigurationLib.qll

@@ -0,0 +1,99 @@
+import csharp
+import DataFlow
+
+/**
+ * Holds if the `Callable` c throws any exception other than `ThrowsArgumentNullException`
+ */
+predicate callableMayThrowException(Callable c) {
+  exists(ThrowStmt thre | c = thre.getEnclosingCallable()) and
+  not callableOnlyThrowsArgumentNullException(c)
+}
+
+/**
+ * Holds if any exception being thrown by the callable is of type `System.ArgumentNullException`
+ * It will also hold if no exceptions are thrown by the callable
+ */
+predicate callableOnlyThrowsArgumentNullException(Callable c) {
+  forall(ThrowElement thre | c = thre.getEnclosingCallable() |
+    thre.getThrownExceptionType().hasFullyQualifiedName("System", "ArgumentNullException")
+  )
+}
+
+/**
+ * Hold if the `Expr` e is a `BoolLiteral` with value true,
+ * the expression has a predictable value == `true`,
+ * or if it is a `ConditionalExpr` where the `then` and `else` expressions meet `isExpressionAlwaysTrue` criteria
+ */
+predicate isExpressionAlwaysTrue(Expr e) {
+  e.(BoolLiteral).getBoolValue() = true
+  or
+  e.getValue() = "true"
+  or
+  e instanceof ConditionalExpr and
+  isExpressionAlwaysTrue(e.(ConditionalExpr).getThen()) and
+  isExpressionAlwaysTrue(e.(ConditionalExpr).getElse())
+  or
+  exists(Callable callable |
+    callableHasAReturnStmtAndAlwaysReturnsTrue(callable) and
+    callable.getACall() = e
+  )
+}
+
+/**
+ * Holds if the lambda expression `le` always returns true
+ */
+predicate lambdaExprReturnsOnlyLiteralTrue(AnonymousFunctionExpr le) {
+  isExpressionAlwaysTrue(le.getExpressionBody())
+}
+
+/**
+ * Holds if the callable has a return statement and it always returns true for all such statements
+ */
+predicate callableHasAReturnStmtAndAlwaysReturnsTrue(Callable c) {
+  c.getReturnType() instanceof BoolType and
+  not callableMayThrowException(c) and
+  forex(ReturnStmt rs | rs.getEnclosingCallable() = c |
+    rs.getNumberOfChildren() = 1 and
+    isExpressionAlwaysTrue(rs.getChildExpr(0))
+  )
+}
+
+/**
+ * Holds if `c` always returns `true`.
+ */
+private predicate alwaysReturnsTrue(Callable c) {
+  callableHasAReturnStmtAndAlwaysReturnsTrue(c)
+  or
+  lambdaExprReturnsOnlyLiteralTrue(c)
+}
+
+/**
+ * Holds if SetIsOriginAllowed always returns true. This sets the Access-Control-Allow-Origin to the requester
+ */
+predicate setIsOriginAllowedReturnsTrue(MethodCall mc) {
+  mc.getTarget()
+      .hasFullyQualifiedName("Microsoft.AspNetCore.Cors.Infrastructure.CorsPolicyBuilder",
+        "SetIsOriginAllowed") and
+  alwaysReturnsTrue(mc.getArgument(0))
+}
+
+/**
+ * Holds if UseCors is called with the relevant cors policy
+ */
+predicate usedPolicy(MethodCall add_policy) {
+  exists(MethodCall uc |
+    uc.getTarget()
+        .hasFullyQualifiedName("Microsoft.AspNetCore.Builder.CorsMiddlewareExtensions", "UseCors") and
+    (
+      // Same hardcoded name
+      uc.getArgument(1).getValue() = add_policy.getArgument(0).getValue() or
+      // Same variable access
+      uc.getArgument(1).(VariableAccess).getTarget() =
+        add_policy.getArgument(0).(VariableAccess).getTarget() or
+      DataFlow::localExprFlow(add_policy.getArgument(0), uc.getArgument(1))
+    )
+  ) and
+  add_policy
+      .getTarget()
+      .hasFullyQualifiedName("Microsoft.AspNetCore.Cors.Infrastructure.CorsOptions", "AddPolicy")
+}

csharp/ql/test/experimental/CWE-942/CorsMisconfiguration.cs

@@ -3,32 +3,23 @@
 using System;
 using Microsoft.Extensions.DependencyInjection;
 
+public class Test {
+  public void ConfigureServices(string[] args) {
+    var builder = WebApplication.CreateBuilder(args);
+    var MyAllowSpecificOrigins = "_myAllowSpecificOrigins";
 
+    builder.Services.AddCors(options => {
+      options.AddPolicy(MyAllowSpecificOrigins,
+        policy => {
+          policy.AllowAnyOrigin().AllowCredentials().AllowAnyHeader().AllowAnyMethod();
+        });
+    });
 
-public class Test
-{
-    public void ConfigureServices(string[] args)
-    {
-var builder = WebApplication.CreateBuilder(args);
-var MyAllowSpecificOrigins = "_myAllowSpecificOrigins";
+    var app = builder.Build();
 
+    app.MapGet("/", () => "Hello World!");
+    app.UseCors(MyAllowSpecificOrigins);
 
-builder.Services.AddCors(options =>
-{
-    options.AddPolicy(MyAllowSpecificOrigins,
-                      policy =>
-                      {
-                          policy.AllowAnyOrigin().AllowCredentials().AllowAnyHeader().AllowAnyMethod();
-                      });
-});
-
-var app = builder.Build();
-
-
-
-app.MapGet("/", () => "Hello World!");
-app.UseCors(MyAllowSpecificOrigins);
-
-app.Run();
-    }
+    app.Run();
+  }
 }

csharp/ql/test/experimental/CWE-942/CorsMisconfiguration.expected

@@ -1,2 +1 @@
-| CorsMiconfigurationCredentials.cs:18:5:22:24 | call to method AddPolicy | The following CORS policy may allow credentialed requests from 3rd party websites |
-| CorsMisconfiguration.cs:18:5:22:24 | call to method AddPolicy | The following CORS policy may allow credentialed requests from 3rd party websites |
+| CorsMisconfiguration.cs:12:7:15:10 | call to method AddPolicy | The following CORS policy may allow requests from 3rd party websites |