From b618ae06e82f50464682d0afdc78fef469aeccb6 Mon Sep 17 00:00:00 2001
From: Ed Minnix
Date: Wed, 18 Dec 2024 21:07:38 -0500
Subject: [PATCH 1/5] Model Blazor attributes as marking sources
The attributes - `[Parameter]` - `[SupplyParameterFromFormAttribute]` - `[SupplyParameterFromQueryAttribute]` Tell Blazor to initialize the variables with parameters defined by the route/form values/query parameters/etc. Values derived from the URI or form should be classified as `remote` flow sources.
---
 csharp/ql/lib/ext/Microsoft.AspNetCore.Components.model.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/csharp/ql/lib/ext/Microsoft.AspNetCore.Components.model.yml b/csharp/ql/lib/ext/Microsoft.AspNetCore.Components.model.yml
index e0609a8fcb8c..28206f5a19ef 100644
--- a/csharp/ql/lib/ext/Microsoft.AspNetCore.Components.model.yml
+++ b/csharp/ql/lib/ext/Microsoft.AspNetCore.Components.model.yml
@@ -5,6 +5,9 @@ extensions:
 data:
 - ["Microsoft.AspNetCore.Components", "NavigationManager", True, "get_BaseUri", "", "", "ReturnValue", "remote", "manual"]
 - ["Microsoft.AspNetCore.Components", "NavigationManager", True, "get_Uri", "", "", "ReturnValue", "remote", "manual"]
+ - ["Microsoft.AspNetCore.Components", "ParameterAttribute", False, "", "", "Attribute.Getter", "ReturnValue", "remote", "manual"]
+ - ["Microsoft.AspNetCore.Components", "SupplyParameterFromFormAttribute", False, "", "", "Attribute.Getter", "ReturnValue", "remote", "manual"]
+ - ["Microsoft.AspNetCore.Components", "SupplyParameterFromQueryAttribute", False, "", "", "Attribute.Getter", "ReturnValue", "remote", "manual"]
 - addsTo:
 pack: codeql/csharp-all
 extensible: summaryModel
From 84936c0fc069ace55148498dff42bc908123d3cd Mon Sep 17 00:00:00 2001
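Review bot: The three new sourceModel rows in this hunk are not exercised by any test in the series; the only test changes (patches 3 and 4) add and then remove an unrelated `RenderTreeBuilder.AddComponentParameter` summary row in FlowSummaries.expected, so nothing confirms that the getter of a property annotated with `[SupplyParameterFromQuery]` or `[SupplyParameterFromForm]` is actually reported as a `remote` source. A small dataflow test with a component whose annotated property flows to a sink would pin the `Attribute.Getter` modeling and catch a wrong column in the row. The `ParameterAttribute` row as written also marks every component parameter as remote, including values a parent component passes from its own trusted state; patch 5 drops that row, which is consistent with the changelog text in patch 2 needing the same removal.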
From: Ed Minnix
Date: Wed, 18 Dec 2024 16:48:54 -0500
Subject: [PATCH 2/5] Change note
---
 .../change-notes/2024-12-18-blazor-attribute-sources.md | 7 +++++++
 1 file changed, 7 insertions(+)
 create mode 100644 csharp/ql/lib/change-notes/2024-12-18-blazor-attribute-sources.md
diff --git a/csharp/ql/lib/change-notes/2024-12-18-blazor-attribute-sources.md b/csharp/ql/lib/change-notes/2024-12-18-blazor-attribute-sources.md
new file mode 100644
index 000000000000..34fabfdd2311
--- /dev/null
+++ b/csharp/ql/lib/change-notes/2024-12-18-blazor-attribute-sources.md
@@ -0,0 +1,7 @@
+---
+category: minorAnalysis
+---
+* Added `remote` flow source models for properties of Blazor components annotated with any of the following attributes from `Microsoft.AspNetCore.Components`:
+ - `[Parameter]`
+ - `[SupplyParameterFromForm]`
+ - `[SupplyParameterFromQuery]`
From ae6752adf7e93d9448254fd68cbbd77d3083f176 Mon Sep 17 00:00:00 2001
From: Ed Minnix
Date: Wed, 18 Dec 2024 17:40:30 -0500
Subject: [PATCH 3/5] Update tests
---
 .../test/library-tests/dataflow/library/FlowSummaries.expected | 1 +
 .../dataflow/library/FlowSummariesFiltered.expected | 1 +
 2 files changed, 2 insertions(+)
diff --git a/csharp/ql/test/library-tests/dataflow/library/FlowSummaries.expected b/csharp/ql/test/library-tests/dataflow/library/FlowSummaries.expected
index 6c5524bfd2d9..89d102fc4c0a 100644
--- a/csharp/ql/test/library-tests/dataflow/library/FlowSummaries.expected
+++ b/csharp/ql/test/library-tests/dataflow/library/FlowSummaries.expected
@@ -986,6 +986,7 @@ summary
 | Microsoft.AspNetCore.Components.RenderTree;Renderer;add_UnhandledSynchronizationException;(System.UnhandledExceptionEventHandler);Argument[0];Argument[0].Parameter[delegate-self];value;hq-generated |
 | Microsoft.AspNetCore.Components.RenderTree;Renderer;remove_UnhandledSynchronizationException;(System.UnhandledExceptionEventHandler);Argument[0];Argument[0].Parameter[delegate-self];value;hq-generated |
 | Microsoft.AspNetCore.Components.Rendering;ComponentState;DisposeAsync;();Argument[this];ReturnValue;taint;df-generated |
+| Microsoft.AspNetCore.Components.Rendering;RenderTreeBuilder;AddComponentParameter;(System.Int32,System.String,System.Object);Argument[2];Argument[1];taint;manual |
 | Microsoft.AspNetCore.Components.Rendering;RenderTreeBuilder;AddComponentReferenceCapture;(System.Int32,System.Action);Argument[1];Argument[1].Parameter[delegate-self];value;hq-generated |
 | Microsoft.AspNetCore.Components.Rendering;RenderTreeBuilder;AddContent;(System.Int32,Microsoft.AspNetCore.Components.RenderFragment);Argument[1];Argument[1].Parameter[delegate-self];value;hq-generated |
 | Microsoft.AspNetCore.Components.Rendering;RenderTreeBuilder;AddContent;(System.Int32,Microsoft.AspNetCore.Components.RenderFragment,TValue);Argument[1];Argument[1].Parameter[delegate-self];value;hq-generated |
diff --git a/csharp/ql/test/library-tests/dataflow/library/FlowSummariesFiltered.expected b/csharp/ql/test/library-tests/dataflow/library/FlowSummariesFiltered.expected
index f6fe3b940435..1c597b3cc5a4 100644
--- a/csharp/ql/test/library-tests/dataflow/library/FlowSummariesFiltered.expected
+++ b/csharp/ql/test/library-tests/dataflow/library/FlowSummariesFiltered.expected
@@ -191,6 +191,7 @@
 | Microsoft.AspNetCore.Components.Forms;ValidationMessageStore;get_Item;(System.Linq.Expressions.Expression>);Argument[0];Argument[0].Parameter[delegate-self];value;hq-generated |
 | Microsoft.AspNetCore.Components.RenderTree;Renderer;add_UnhandledSynchronizationException;(System.UnhandledExceptionEventHandler);Argument[0];Argument[0].Parameter[delegate-self];value;hq-generated |
 | Microsoft.AspNetCore.Components.RenderTree;Renderer;remove_UnhandledSynchronizationException;(System.UnhandledExceptionEventHandler);Argument[0];Argument[0].Parameter[delegate-self];value;hq-generated |
+| Microsoft.AspNetCore.Components.Rendering;RenderTreeBuilder;AddComponentParameter;(System.Int32,System.String,System.Object);Argument[2];Argument[1];taint;manual |
 | Microsoft.AspNetCore.Components.Rendering;RenderTreeBuilder;AddComponentReferenceCapture;(System.Int32,System.Action);Argument[1];Argument[1].Parameter[delegate-self];value;hq-generated |
 | Microsoft.AspNetCore.Components.Rendering;RenderTreeBuilder;AddContent;(System.Int32,Microsoft.AspNetCore.Components.RenderFragment);Argument[1];Argument[1].Parameter[delegate-self];value;hq-generated |
 | Microsoft.AspNetCore.Components.Rendering;RenderTreeBuilder;AddContent;(System.Int32,Microsoft.AspNetCore.Components.RenderFragment,TValue);Argument[1];Argument[1].Parameter[delegate-self];value;hq-generated |
From d0c9ba19d7ffcddb2f542796026e4feb9c8655a0 Mon Sep 17 00:00:00 2001
From: Ed Minnix
Date: Wed, 18 Dec 2024 21:34:23 -0500
Subject: [PATCH 4/5] Fix test results
---
 .../test/library-tests/dataflow/library/FlowSummaries.expected | 1 -
 .../dataflow/library/FlowSummariesFiltered.expected | 1 -
 2 files changed, 2 deletions(-)
diff --git a/csharp/ql/test/library-tests/dataflow/library/FlowSummaries.expected b/csharp/ql/test/library-tests/dataflow/library/FlowSummaries.expected
index 89d102fc4c0a..6c5524bfd2d9 100644
--- a/csharp/ql/test/library-tests/dataflow/library/FlowSummaries.expected
+++ b/csharp/ql/test/library-tests/dataflow/library/FlowSummaries.expected
@@ -986,7 +986,6 @@ summary
 | Microsoft.AspNetCore.Components.RenderTree;Renderer;add_UnhandledSynchronizationException;(System.UnhandledExceptionEventHandler);Argument[0];Argument[0].Parameter[delegate-self];value;hq-generated |
 | Microsoft.AspNetCore.Components.RenderTree;Renderer;remove_UnhandledSynchronizationException;(System.UnhandledExceptionEventHandler);Argument[0];Argument[0].Parameter[delegate-self];value;hq-generated |
 | Microsoft.AspNetCore.Components.Rendering;ComponentState;DisposeAsync;();Argument[this];ReturnValue;taint;df-generated |
-| Microsoft.AspNetCore.Components.Rendering;RenderTreeBuilder;AddComponentParameter;(System.Int32,System.String,System.Object);Argument[2];Argument[1];taint;manual |
 | Microsoft.AspNetCore.Components.Rendering;RenderTreeBuilder;AddComponentReferenceCapture;(System.Int32,System.Action);Argument[1];Argument[1].Parameter[delegate-self];value;hq-generated |
 | Microsoft.AspNetCore.Components.Rendering;RenderTreeBuilder;AddContent;(System.Int32,Microsoft.AspNetCore.Components.RenderFragment);Argument[1];Argument[1].Parameter[delegate-self];value;hq-generated |
 | Microsoft.AspNetCore.Components.Rendering;RenderTreeBuilder;AddContent;(System.Int32,Microsoft.AspNetCore.Components.RenderFragment,TValue);Argument[1];Argument[1].Parameter[delegate-self];value;hq-generated |
diff --git a/csharp/ql/test/library-tests/dataflow/library/FlowSummariesFiltered.expected b/csharp/ql/test/library-tests/dataflow/library/FlowSummariesFiltered.expected
index 1c597b3cc5a4..f6fe3b940435 100644
--- a/csharp/ql/test/library-tests/dataflow/library/FlowSummariesFiltered.expected
+++ b/csharp/ql/test/library-tests/dataflow/library/FlowSummariesFiltered.expected
@@ -191,7 +191,6 @@
 | Microsoft.AspNetCore.Components.Forms;ValidationMessageStore;get_Item;(System.Linq.Expressions.Expression>);Argument[0];Argument[0].Parameter[delegate-self];value;hq-generated |
 | Microsoft.AspNetCore.Components.RenderTree;Renderer;add_UnhandledSynchronizationException;(System.UnhandledExceptionEventHandler);Argument[0];Argument[0].Parameter[delegate-self];value;hq-generated |
 | Microsoft.AspNetCore.Components.RenderTree;Renderer;remove_UnhandledSynchronizationException;(System.UnhandledExceptionEventHandler);Argument[0];Argument[0].Parameter[delegate-self];value;hq-generated |
-| Microsoft.AspNetCore.Components.Rendering;RenderTreeBuilder;AddComponentParameter;(System.Int32,System.String,System.Object);Argument[2];Argument[1];taint;manual |
 | Microsoft.AspNetCore.Components.Rendering;RenderTreeBuilder;AddComponentReferenceCapture;(System.Int32,System.Action);Argument[1];Argument[1].Parameter[delegate-self];value;hq-generated |
 | Microsoft.AspNetCore.Components.Rendering;RenderTreeBuilder;AddContent;(System.Int32,Microsoft.AspNetCore.Components.RenderFragment);Argument[1];Argument[1].Parameter[delegate-self];value;hq-generated |
 | Microsoft.AspNetCore.Components.Rendering;RenderTreeBuilder;AddContent;(System.Int32,Microsoft.AspNetCore.Components.RenderFragment,TValue);Argument[1];Argument[1].Parameter[delegate-self];value;hq-generated |
From 453913cd9fc9b20c9adff64dab5d38e5b9abba59 Mon Sep 17 00:00:00 2001
From: Edward Minnix III
Date: Thu, 19 Dec 2024 23:11:07 -0500
Subject: [PATCH 5/5] Remove `Parameter` from this PR
---
 .../ql/lib/change-notes/2024-12-18-blazor-attribute-sources.md | 1 -
 csharp/ql/lib/ext/Microsoft.AspNetCore.Components.model.yml | 1 -
 2 files changed, 2 deletions(-)
diff --git a/csharp/ql/lib/change-notes/2024-12-18-blazor-attribute-sources.md b/csharp/ql/lib/change-notes/2024-12-18-blazor-attribute-sources.md
index 34fabfdd2311..5a48753b259f 100644
--- a/csharp/ql/lib/change-notes/2024-12-18-blazor-attribute-sources.md
+++ b/csharp/ql/lib/change-notes/2024-12-18-blazor-attribute-sources.md
@@ -2,6 +2,5 @@
 category: minorAnalysis
 ---
 * Added `remote` flow source models for properties of Blazor components annotated with any of the following attributes from `Microsoft.AspNetCore.Components`:
- - `[Parameter]`
 - `[SupplyParameterFromForm]`
 - `[SupplyParameterFromQuery]`
diff --git a/csharp/ql/lib/ext/Microsoft.AspNetCore.Components.model.yml b/csharp/ql/lib/ext/Microsoft.AspNetCore.Components.model.yml
index 28206f5a19ef..396fca44dd37 100644
--- a/csharp/ql/lib/ext/Microsoft.AspNetCore.Components.model.yml
+++ b/csharp/ql/lib/ext/Microsoft.AspNetCore.Components.model.yml
@@ -5,7 +5,6 @@ extensions:
 data:
 - ["Microsoft.AspNetCore.Components", "NavigationManager", True, "get_BaseUri", "", "", "ReturnValue", "remote", "manual"]
 - ["Microsoft.AspNetCore.Components", "NavigationManager", True, "get_Uri", "", "", "ReturnValue", "remote", "manual"]
- - ["Microsoft.AspNetCore.Components", "ParameterAttribute", False, "", "", "Attribute.Getter", "ReturnValue", "remote", "manual"]
 - ["Microsoft.AspNetCore.Components", "SupplyParameterFromFormAttribute", False, "", "", "Attribute.Getter", "ReturnValue", "remote", "manual"]
 - ["Microsoft.AspNetCore.Components", "SupplyParameterFromQueryAttribute", False, "", "", "Attribute.Getter", "ReturnValue", "remote", "manual"]
 - addsTo:
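Review bot: Removing the `ParameterAttribute` row from the model.yml hunk also removes the only model that covered route-bound parameters, so a `[Parameter]` property populated from a `@page` route segment is no longer a `remote` source and taint arriving through the URL path will be missed; this trades the false positives the row caused for parent-supplied values against a false negative that the series does not mention anywhere. The change note in the first hunk of this patch should state that route parameters are out of scope, e.g. add a line `* Properties annotated with `[Parameter]` are not modelled; route-template parameters are not yet treated as sources.` so users do not assume coverage. A follow-up could restrict the source to `[Parameter]` properties whose name matches a placeholder in the component's route template, if the extractor makes the `@page` template available; that is a suggestion to verify rather than something the hunk shows.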