[csharp] PartialDataflow/Dataflow Path Detection Issue with Byte Array Taint #20123
When using PartialDataflow, it displays a path that DataFlow is unable to identify. This issue may be related to taint being applied to an element within a byte array, rather than the array itself.

Here is my partial DataFlow query:

```ql
/**
 * @name Forward Partial Dataflow
 * @description Forward Partial Dataflow
 * @kind path-problem
 * @precision low
 * @problem.severity error
 * @id githubsecuritylab/forward-partial-dataflow
 * @tags template
 */

import csharp
import semmle.code.csharp.dataflow.TaintTracking
import PartialFlow::PartialPathGraph

private module MyConfig implements DataFlow::ConfigSig {
  // Start from every parameter of a callable named `FileIStream`
  predicate isSource(DataFlow::Node source) {
    source.asParameter().getCallable().hasName("FileIStream")
  }

  // No sinks: this configuration is only used for forward exploration
  predicate isSink(DataFlow::Node sink) { none() }
}

private module MyFlow = TaintTracking::Global<MyConfig>; // or DataFlow::Global<..>

// Maximum number of flow steps explored from each source
int explorationLimit() { result = 3 }

private module PartialFlow = MyFlow::FlowExplorationFwd<explorationLimit/0>;

from PartialFlow::PartialPathNode source, PartialFlow::PartialPathNode sink
where PartialFlow::partialFlow(source, sink, _)
select sink.getNode(), source, sink, "This node receives taint from $@.", source.getNode(), "this source"
```

Here is the path that I want to find:

(screenshot)

In the previous screenshot the

Here is my DataFlow query:

```ql
/**
 * @name DataFlow configuration
 * @description DataFlow TaintTracking configuration
 * @kind path-problem
 * @precision low
 * @problem.severity error
 * @id githubsecuritylab/dataflow-query
 * @tags template
 */

import csharp
import DataFlow
import semmle.code.csharp.dataflow.TaintTracking
private import semmle.code.csharp.security.dataflow.flowsinks.FlowSinks
import MyFlow::PathGraph

private module MyConfig implements DataFlow::ConfigSig {
  // Start from every parameter of a callable named `FileIStream`
  predicate isSource(DataFlow::Node source) {
    source.asParameter().getCallable().hasName("FileIStream")
  }

  predicate isSink(DataFlow::Node sink) { sink instanceof MySink }
}

/** Any argument of a call to a method named `Write`. */
class MySink extends ApiSinkExprNode {
  MySink() {
    exists(MethodCall c, Method m |
      c.getTarget() = m and
      m.hasName("Write") and
      c.getAnArgument() = this.asExpr()
    )
  }
}

module MyFlow = TaintTracking::Global<MyConfig>; // or DataFlow::Global<..>

from MyFlow::PathNode source, MyFlow::PathNode sink
where MyFlow::flowPath(source, sink)
select sink.getNode(), source, sink, "Sample TaintTracking query"
```

The previous query does not yield any result even if the quick eval of my sink does:

My guess is that CodeQL taints the element of the byte array, not the array itself, as discussed here. I did not find the issue mentioned in the thread, so I've opened this discussion.
Replies: 2 comments 1 reply
You are exactly right. And the linked discussion on the PR is exactly the issue here. We need the
In the interim, you can add

to your configuration. That should allow it to implicitly read the element content at the sink and thereby find the flow.
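The reply above explains the workaround but the predicate itself is missing from the page. The following is an added example, not the replier's own text: it is the original DataFlow query from the question with the `allowImplicitRead` predicate of `DataFlow::ConfigSig` filled in, so that a sink node receiving the whole array (`stream.Write(buffer, ...)`) can be matched by taint that was stored into one of its elements (`buffer[i] = tainted`). The assumptions are that the analyzed code has that shape, that restricting the implicit read to sink nodes is sufficient (widening it to every node makes the analysis noisier and slower), and that `ContentSet.isElement()` is the right way to name array-element content in the C# library; if that predicate is not available in your library version, `c instanceof DataFlow::ElementContent` expresses the same condition.

```ql
/**
 * @name DataFlow configuration with implicit element read at the sink
 * @description Added example: same sources and sinks as the question's
 *              query, plus an implicit read of array-element content at
 *              the sink so taint on `buffer[i]` reaches a sink taking `buffer`.
 * @kind path-problem
 * @precision low
 * @problem.severity error
 * @id githubsecuritylab/dataflow-query-implicit-read
 * @tags template
 */

import csharp
import semmle.code.csharp.dataflow.TaintTracking
private import semmle.code.csharp.security.dataflow.flowsinks.FlowSinks
import MyFlow::PathGraph

/** Any argument of a call to a method named `Write` (same sink as the question). */
class MySink extends ApiSinkExprNode {
  MySink() {
    exists(MethodCall c, Method m |
      c.getTarget() = m and
      m.hasName("Write") and
      c.getAnArgument() = this.asExpr()
    )
  }
}

private module MyConfig implements DataFlow::ConfigSig {
  // Start from every parameter of a callable named `FileIStream`
  predicate isSource(DataFlow::Node source) {
    source.asParameter().getCallable().hasName("FileIStream")
  }

  predicate isSink(DataFlow::Node sink) { sink instanceof MySink }

  // Assumed workaround (the reply's own code is not on the page):
  // at a sink node, allow the analysis to implicitly read element
  // content, so a taint store into `buffer[i]` satisfies a sink that
  // receives `buffer` itself. Restricted to sinks to keep the analysis
  // cheap; `c.isElement()` is assumed to select array-element content.
  predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
    isSink(node) and c.isElement()
  }
}

module MyFlow = TaintTracking::Global<MyConfig>; // or DataFlow::Global<..>

from MyFlow::PathNode source, MyFlow::PathNode sink
where MyFlow::flowPath(source, sink)
select sink.getNode(), source, sink, "Tainted element of $@ reaches a Write call.",
  source.getNode(), "this parameter"
```

To confirm that the implicit read is what makes the difference, run the query once with `allowImplicitRead` present and once with its body replaced by `none()`: only the first run should report the `Write` argument, and the path shown should end with the element store on the array followed directly by the sink argument.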