securitylab/CodeQL_Queries/csharp/ZipSlip/06_GlobalFlow.ql at small_changes · JarLob/securitylab · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
import csharp
import semmle.code.csharp.dataflow.TaintTracking

class ZipSlipTaintTracking extends TaintTracking::Configuration {
  ZipSlipTaintTracking() { this = "Zip Slip taint tracking" }

  override predicate isSource(DataFlow::Node node) {
    exists(Property p |
      p.hasName("FullName") and
      p.getDeclaringType().hasName("ZipArchiveEntry") and
      node.asExpr() = p.getAnAccess()
    )
  }

  override predicate isSink(DataFlow::Node node) {
    exists(MethodCall call | call.getTarget().hasName("ExtractToFile") |
      node.asExpr() = call.getAnArgument()
    )
  }
}

from ZipSlipTaintTracking config, DataFlow::Node source, DataFlow::Node sink
where config.hasFlow(source, sink)
select sink, "Zip Slip vulnerability from $@.", source, source.toString()