C#: Add MaD models for Microsoft.Data.SqlClient.

michaelnebel · michaelnebel · commit 9eded70b6e20 · 2025-06-25T15:17:49.000+02:00
diff --git a/csharp/ql/lib/ext/Microsoft.Data.SqlClient.model.yml b/csharp/ql/lib/ext/Microsoft.Data.SqlClient.model.yml
@@ -0,0 +1,20 @@
+extensions:
+  - addsTo:
+      pack: codeql/csharp-all
+      extensible: sinkModel
+    data:
+      - ["Microsoft.Data.SqlClient", "SqlCommand", False, "SqlCommand", "(System.String)", "", "Argument[0]", "sql-injection", "manual"]
+      - ["Microsoft.Data.SqlClient", "SqlCommand", False, "SqlCommand", "(System.String,Microsoft.Data.SqlClient.SqlConnection)", "", "Argument[0]", "sql-injection", "manual"]
+      - ["Microsoft.Data.SqlClient", "SqlCommand", False, "SqlCommand", "(System.String,Microsoft.Data.SqlClient.SqlConnection,Microsoft.Data.SqlClient.SqlTransaction)", "", "Argument[0]", "sql-injection", "manual"]
+      - ["Microsoft.Data.SqlClient", "SqlCommand", False, "SqlCommand", "(System.String,Microsoft.Data.SqlClient.SqlConnection,Microsoft.Data.SqlClient.SqlTransaction,Microsoft.Data.SqlClient.SqlCommandColumnEncryptionSetting)", "", "Argument[0]", "sql-injection", "manual"]
+      - ["Microsoft.Data.SqlClient", "SqlDataAdapter", False, "SqlDataAdapter", "(Microsoft.Data.SqlClient.SqlCommand)", "", "Argument[0]", "sql-injection", "manual"]
+      - ["Microsoft.Data.SqlClient", "SqlDataAdapter", False, "SqlDataAdapter", "(System.String,Microsoft.Data.SqlClient.SqlConnection)", "", "Argument[0]", "sql-injection", "manual"]
+      - ["Microsoft.Data.SqlClient", "SqlDataAdapter", False, "SqlDataAdapter", "(System.String,System.String)", "", "Argument[0]", "sql-injection", "manual"]
+  - addsTo:
+      pack: codeql/csharp-all
+      extensible: summaryModel
+    data:
+      - ["Microsoft.Data.SqlClient", "SqlCommand", False, "SqlCommand", "(System.String)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
+      - ["Microsoft.Data.SqlClient", "SqlCommand", False, "SqlCommand", "(System.String,Microsoft.Data.SqlClient.SqlConnection)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
+      - ["Microsoft.Data.SqlClient", "SqlCommand", False, "SqlCommand", "(System.String,Microsoft.Data.SqlClient.SqlConnection,Microsoft.Data.SqlClient.SqlTransaction)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
+      - ["Microsoft.Data.SqlClient", "SqlCommand", False, "SqlCommand", "(System.String,Microsoft.Data.SqlClient.SqlConnection,Microsoft.Data.SqlClient.SqlTransaction,Microsoft.Data.SqlClient.SqlCommandColumnEncryptionSetting)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-089-2/SqlInjection.expected b/csharp/ql/test/query-tests/Security Features/CWE-089-2/SqlInjection.expected
@@ -1,11 +1,39 @@
 #select
+| SqlInjection.cs:26:42:26:52 | access to local variable queryString | SqlInjection.cs:25:21:25:29 | access to property Text : String | SqlInjection.cs:26:42:26:52 | access to local variable queryString | This query depends on $@. | SqlInjection.cs:25:21:25:29 | access to property Text : String | this TextBox text |
+| SqlInjection.cs:27:50:27:52 | access to local variable cmd | SqlInjection.cs:25:21:25:29 | access to property Text : String | SqlInjection.cs:27:50:27:52 | access to local variable cmd | This query depends on $@. | SqlInjection.cs:25:21:25:29 | access to property Text : String | this TextBox text |
+| SqlInjection.cs:35:42:35:52 | access to local variable queryString | SqlInjection.cs:34:21:34:38 | call to method ReadLine : String | SqlInjection.cs:35:42:35:52 | access to local variable queryString | This query depends on $@. | SqlInjection.cs:34:21:34:38 | call to method ReadLine : String | this read from stdin |
+| SqlInjection.cs:36:50:36:52 | access to local variable cmd | SqlInjection.cs:34:21:34:38 | call to method ReadLine : String | SqlInjection.cs:36:50:36:52 | access to local variable cmd | This query depends on $@. | SqlInjection.cs:34:21:34:38 | call to method ReadLine : String | this read from stdin |
 edges
+| SqlInjection.cs:24:21:24:31 | access to local variable queryString : String | SqlInjection.cs:26:42:26:52 | access to local variable queryString | provenance | Sink:MaD:1 |
+| SqlInjection.cs:24:21:24:31 | access to local variable queryString : String | SqlInjection.cs:26:42:26:52 | access to local variable queryString : String | provenance |  |
+| SqlInjection.cs:25:21:25:29 | access to property Text : String | SqlInjection.cs:24:21:24:31 | access to local variable queryString : String | provenance |  |
+| SqlInjection.cs:26:21:26:23 | access to local variable cmd : SqlCommand | SqlInjection.cs:27:50:27:52 | access to local variable cmd | provenance | Sink:MaD:2 |
+| SqlInjection.cs:26:27:26:53 | object creation of type SqlCommand : SqlCommand | SqlInjection.cs:26:21:26:23 | access to local variable cmd : SqlCommand | provenance |  |
+| SqlInjection.cs:26:42:26:52 | access to local variable queryString : String | SqlInjection.cs:26:27:26:53 | object creation of type SqlCommand : SqlCommand | provenance | MaD:4 |
+| SqlInjection.cs:33:21:33:31 | access to local variable queryString : String | SqlInjection.cs:35:42:35:52 | access to local variable queryString | provenance | Sink:MaD:1 |
+| SqlInjection.cs:33:21:33:31 | access to local variable queryString : String | SqlInjection.cs:35:42:35:52 | access to local variable queryString : String | provenance |  |
+| SqlInjection.cs:34:21:34:38 | call to method ReadLine : String | SqlInjection.cs:33:21:33:31 | access to local variable queryString : String | provenance | Src:MaD:3  |
+| SqlInjection.cs:35:21:35:23 | access to local variable cmd : SqlCommand | SqlInjection.cs:36:50:36:52 | access to local variable cmd | provenance | Sink:MaD:2 |
+| SqlInjection.cs:35:27:35:53 | object creation of type SqlCommand : SqlCommand | SqlInjection.cs:35:21:35:23 | access to local variable cmd : SqlCommand | provenance |  |
+| SqlInjection.cs:35:42:35:52 | access to local variable queryString : String | SqlInjection.cs:35:27:35:53 | object creation of type SqlCommand : SqlCommand | provenance | MaD:4 |
+models
+| 1 | Sink: Microsoft.Data.SqlClient; SqlCommand; false; SqlCommand; (System.String); ; Argument[0]; sql-injection; manual |
+| 2 | Sink: Microsoft.Data.SqlClient; SqlDataAdapter; false; SqlDataAdapter; (Microsoft.Data.SqlClient.SqlCommand); ; Argument[0]; sql-injection; manual |
+| 3 | Source: System; Console; false; ReadLine; ; ; ReturnValue; stdin; manual |
+| 4 | Summary: Microsoft.Data.SqlClient; SqlCommand; false; SqlCommand; (System.String); ; Argument[0]; Argument[this]; taint; manual |
 nodes
+| SqlInjection.cs:24:21:24:31 | access to local variable queryString : String | semmle.label | access to local variable queryString : String |
+| SqlInjection.cs:25:21:25:29 | access to property Text : String | semmle.label | access to property Text : String |
+| SqlInjection.cs:26:21:26:23 | access to local variable cmd : SqlCommand | semmle.label | access to local variable cmd : SqlCommand |
+| SqlInjection.cs:26:27:26:53 | object creation of type SqlCommand : SqlCommand | semmle.label | object creation of type SqlCommand : SqlCommand |
+| SqlInjection.cs:26:42:26:52 | access to local variable queryString | semmle.label | access to local variable queryString |
+| SqlInjection.cs:26:42:26:52 | access to local variable queryString : String | semmle.label | access to local variable queryString : String |
+| SqlInjection.cs:27:50:27:52 | access to local variable cmd | semmle.label | access to local variable cmd |
+| SqlInjection.cs:33:21:33:31 | access to local variable queryString : String | semmle.label | access to local variable queryString : String |
+| SqlInjection.cs:34:21:34:38 | call to method ReadLine : String | semmle.label | call to method ReadLine : String |
+| SqlInjection.cs:35:21:35:23 | access to local variable cmd : SqlCommand | semmle.label | access to local variable cmd : SqlCommand |
+| SqlInjection.cs:35:27:35:53 | object creation of type SqlCommand : SqlCommand | semmle.label | object creation of type SqlCommand : SqlCommand |
+| SqlInjection.cs:35:42:35:52 | access to local variable queryString | semmle.label | access to local variable queryString |
+| SqlInjection.cs:35:42:35:52 | access to local variable queryString : String | semmle.label | access to local variable queryString : String |
+| SqlInjection.cs:36:50:36:52 | access to local variable cmd | semmle.label | access to local variable cmd |
 subpaths
-testFailures
-| SqlInjection.cs:25:53:25:81 | // ... | Missing result: Source[cs/sql-injection] |
-| SqlInjection.cs:26:56:26:83 | // ... | Missing result: Alert[cs/sql-injection] |
-| SqlInjection.cs:27:56:27:83 | // ... | Missing result: Alert[cs/sql-injection] |
-| SqlInjection.cs:34:62:34:90 | // ... | Missing result: Source[cs/sql-injection] |
-| SqlInjection.cs:35:56:35:83 | // ... | Missing result: Alert[cs/sql-injection] |
-| SqlInjection.cs:36:56:36:83 | // ... | Missing result: Alert[cs/sql-injection] |
