C#: Add cs/sql-injection tests for APIs in Microsoft.Data.SqlClient.

michaelnebel · michaelnebel · commit 23ee0489c48a · 2025-06-25T14:53:11.000+02:00
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-089-2/SqlInjection.cs b/csharp/ql/test/query-tests/Security Features/CWE-089-2/SqlInjection.cs
@@ -0,0 +1,42 @@
+using System;
+
+namespace System.Web.UI.WebControls
+{
+    public class TextBox { public string Text { get; set; } }
+}
+
+namespace Test
+{
+    using Microsoft.Data;
+    using Microsoft.Data.SqlClient;
+    using System.Web.UI.WebControls;
+
+    class SqlInjection
+    {
+        TextBox categoryTextBox;
+        string connectionString;
+
+        public void MakeSqlCommand()
+        {
+            // BAD: Text from a local textbox
+            using (var connection = new SqlConnection(connectionString))
+            {
+                var queryString = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='"
+                  + box1.Text + "' ORDER BY PRICE"; // $ Source[cs/sql-injection]
+                var cmd = new SqlCommand(queryString); // $ Alert[cs/sql-injection]
+                var adapter = new SqlDataAdapter(cmd); // $ Alert[cs/sql-injection]
+            }
+
+            // BAD: Input from the command line.
+            using (var connection = new SqlConnection(connectionString))
+            {
+                var queryString = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='"
+                  + Console.ReadLine() + "' ORDER BY PRICE"; // $ Source[cs/sql-injection]
+                var cmd = new SqlCommand(queryString); // $ Alert[cs/sql-injection]
+                var adapter = new SqlDataAdapter(cmd); // $ Alert[cs/sql-injection]
+            }
+        }
+
+        System.Windows.Forms.TextBox box1;
+    }
+}
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-089-2/SqlInjection.expected b/csharp/ql/test/query-tests/Security Features/CWE-089-2/SqlInjection.expected
@@ -0,0 +1,21 @@
+#select
+| SqlInjection.cs:26:42:26:52 | access to local variable queryString | SqlInjection.cs:25:21:25:29 | access to property Text : String | SqlInjection.cs:26:42:26:52 | access to local variable queryString | This query depends on $@. | SqlInjection.cs:25:21:25:29 | access to property Text : String | this TextBox text |
+| SqlInjection.cs:35:42:35:52 | access to local variable queryString | SqlInjection.cs:34:21:34:38 | call to method ReadLine : String | SqlInjection.cs:35:42:35:52 | access to local variable queryString | This query depends on $@. | SqlInjection.cs:34:21:34:38 | call to method ReadLine : String | this read from stdin |
+edges
+| SqlInjection.cs:24:21:24:31 | access to local variable queryString : String | SqlInjection.cs:26:42:26:52 | access to local variable queryString | provenance |  |
+| SqlInjection.cs:25:21:25:29 | access to property Text : String | SqlInjection.cs:24:21:24:31 | access to local variable queryString : String | provenance |  |
+| SqlInjection.cs:33:21:33:31 | access to local variable queryString : String | SqlInjection.cs:35:42:35:52 | access to local variable queryString | provenance |  |
+| SqlInjection.cs:34:21:34:38 | call to method ReadLine : String | SqlInjection.cs:33:21:33:31 | access to local variable queryString : String | provenance | Src:MaD:1  |
+models
+| 1 | Source: System; Console; false; ReadLine; ; ; ReturnValue; stdin; manual |
+nodes
+| SqlInjection.cs:24:21:24:31 | access to local variable queryString : String | semmle.label | access to local variable queryString : String |
+| SqlInjection.cs:25:21:25:29 | access to property Text : String | semmle.label | access to property Text : String |
+| SqlInjection.cs:26:42:26:52 | access to local variable queryString | semmle.label | access to local variable queryString |
+| SqlInjection.cs:33:21:33:31 | access to local variable queryString : String | semmle.label | access to local variable queryString : String |
+| SqlInjection.cs:34:21:34:38 | call to method ReadLine : String | semmle.label | call to method ReadLine : String |
+| SqlInjection.cs:35:42:35:52 | access to local variable queryString | semmle.label | access to local variable queryString |
+subpaths
+testFailures
+| SqlInjection.cs:27:56:27:83 | // ... | Missing result: Alert[cs/sql-injection] |
+| SqlInjection.cs:36:56:36:83 | // ... | Missing result: Alert[cs/sql-injection] |
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-089-2/SqlInjection.ext.yml b/csharp/ql/test/query-tests/Security Features/CWE-089-2/SqlInjection.ext.yml
@@ -0,0 +1,7 @@
+extensions:
+
+  - addsTo:
+      pack: codeql/threat-models
+      extensible: threatModelConfiguration
+    data:
+      - ["local", true, 0]
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-089-2/SqlInjection.qlref b/csharp/ql/test/query-tests/Security Features/CWE-089-2/SqlInjection.qlref
@@ -0,0 +1,4 @@
+query: Security Features/CWE-089/SqlInjection.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-089-2/options b/csharp/ql/test/query-tests/Security Features/CWE-089-2/options
@@ -0,0 +1,4 @@
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/Microsoft.Data.SqlClient/6.0.2/Microsoft.Data.SqlClient.csproj
+semmle-extractor-options: ${testdir}/../../../resources/stubs/System.Windows.cs
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/_frameworks/Microsoft.AspNetCore.App/Microsoft.AspNetCore.App.csproj
