C# Dataflow limited heavily by lack of support for ServiceProvider and Dependency Injection tracking
Description of the issue

Dependency injection and service provider building are some of the core concepts of .net / C# architecture that really define the characteristics of the platform. In some of my initial query authoring, it appears CodeQL dataflow has limited to no out-of-box flow through these entities, leaving any potential query susceptible.
Below is a pseudo-code example showcasing a flow example that would be missing. This example has some explicit calls for simplicity that would often be less direct through a fuller dependency injection implementation.
Curious what level of support is expected for this today and perhaps what we should aspire to be able to cover in the future?
Thanks!
```csharp
using System;
using Microsoft.Extensions.DependencyInjection;

public interface IADependency
{
    public string AMember();
}

public interface IADependent
{
    public void SensitiveAction();
}

public class MyDependency : IADependency
{
    private string _src;

    public MyDependency(string foo)
    {
        _src = foo;
    }

    public string AMember()
    {
        return _src;
    }
}

public class MyDependent : IADependent
{
    private IADependency _localDependency;

    // The container supplies IADependency here (constructor injection)
    public MyDependent(IADependency bar)
    {
        _localDependency = bar;
    }

    public void SensitiveAction()
    {
        // Sensitive Action
        Console.WriteLine($"A sensitive sink has { _localDependency.AMember() }");
    }
}

public static class Program
{
    public static void Main()
    {
        IServiceCollection services = new ServiceCollection();
        // MyDependencyFactory is not defined in this example
        IADependency dependency = MyDependencyFactory.CreateADependency("taint");
        services.AddSingleton<IADependency>(s => dependency);
        services.AddSingleton<IADependent, MyDependent>();
        // Services are resolved from the built provider, not from the collection
        var thing = services.BuildServiceProvider().GetRequiredService<IADependent>();
        thing.SensitiveAction();
    }
}
```
Calls to interface methods should dispatch to all possible implementations in data flow/taint tracking. How is MyDependencyFactory.CreateADependency defined in your example; is it defined in source code or in a library?
@hvitved - good call, in my attempts to simplify my example, I overlooked detail there. In this case, IADependency and ADependency source code is not in the snapshot. It is understood that parameters to ADependency constructors will taint member calls of the constructed object -> thus why I am trying to follow construction.
Even if source code was here, I don't believe data flow would follow "taint" through MyDependencyFactory.CreateADependency() and out to ADependent construction for thing. There would have to be some implementation around AddSingleton() and IServiceCollection to set up something like NonLocalJumpNode, as far as I can tell.
Hi @ShiningMassXAcc,
It has been a while since your question. Do you still need us to look into it?
This issue is stale because it has been open 14 days with no activity. Comment or remove the Stale label in order to avoid having this issue closed in 7 days.
This issue was closed because it has been inactive for 7 days.