From 125468deb3b1a598c297a19242bfd390fae00b8f Mon Sep 17 00:00:00 2001
From: Chanel Young
Date: Thu, 9 Apr 2026 09:34:40 -0700
Subject: [PATCH 1/4] Add deprecated TLS/SSL version detection query for PowerShell
Detects usage of SSL 3.0, TLS 1.0, and TLS 1.1 via SecurityProtocolType and SslProtocols enum references.
Covers: Cryptography.10031 (CWE-327, CWE-757)
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .../queries/security/cwe-757/DeprecatedTls.ql | 98 +++++++++++++++++++
 .../DeprecatedTls/DeprecatedTls.expected | 4 +
 .../cwe-757/DeprecatedTls/DeprecatedTls.qlref | 1 +
 .../security/cwe-757/DeprecatedTls/test.ps1 | 25 +++++
 4 files changed, 128 insertions(+)
 create mode 100644 powershell/ql/src/queries/security/cwe-757/DeprecatedTls.ql
 create mode 100644 powershell/ql/test/query-tests/security/cwe-757/DeprecatedTls/DeprecatedTls.expected
 create mode 100644 powershell/ql/test/query-tests/security/cwe-757/DeprecatedTls/DeprecatedTls.qlref
 create mode 100644 powershell/ql/test/query-tests/security/cwe-757/DeprecatedTls/test.ps1
diff --git a/powershell/ql/src/queries/security/cwe-757/DeprecatedTls.ql b/powershell/ql/src/queries/security/cwe-757/DeprecatedTls.ql
new file mode 100644
index 000000000000..8b33d55c9548
--- /dev/null
+++ b/powershell/ql/src/queries/security/cwe-757/DeprecatedTls.ql
@@ -0,0 +1,98 @@
+/**
+ * @name Use of deprecated TLS/SSL version
+ * @description Using deprecated TLS/SSL versions (SSL3, TLS 1.0, TLS 1.1) weakens transport security.
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 7.5
+ * @precision high
+ * @id powershell/microsoft/security/deprecated-tls
+ * @tags security
+ external/cwe/cwe-327
+ external/cwe/cwe-757
+ */
+
+import powershell
+import semmle.code.powershell.ApiGraphs
+import semmle.code.powershell.dataflow.DataFlow
+
+/**
+ * Holds if `protocolName` is a deprecated TLS/SSL protocol (lowercase).
+ */
+predicate isDeprecatedProtocol(string protocolName) {
+ protocolName = ["ssl3", "tls", "tls11"]
+}
+
+/**
+ * Gets the human-readable name for a deprecated protocol.
+ */
+bindingset[protocolName]
+string getProtocolDisplayName(string protocolName) {
+ protocolName = "ssl3" and result = "SSL 3.0"
+ or
+ protocolName = "tls" and result = "TLS 1.0"
+ or
+ protocolName = "tls11" and result = "TLS 1.1"
+}
+
+/**
+ * A reference to a deprecated SecurityProtocolType enum value, e.g.
+ * [Net.SecurityProtocolType]::Ssl3
+ */
+class DeprecatedSecurityProtocolType extends DataFlow::Node {
+ string protocolName;
+
+ DeprecatedSecurityProtocolType() {
+ exists(API::Node node |
+ (
+ node =
+ API::getTopLevelMember("system")
+ .getMember("net")
+ .getMember("securityprotocoltype")
+ .getMember(protocolName)
+ or
+ node =
+ API::getTopLevelMember("net")
+ .getMember("securityprotocoltype")
+ .getMember(protocolName)
+ ) and
+ this = node.asSource() and
+ isDeprecatedProtocol(protocolName)
+ )
+ }
+
+ string getProtocolName() { result = protocolName }
+}
+
+/**
+ * A reference to a deprecated SslProtocols enum value, e.g.
+ * [System.Security.Authentication.SslProtocols]::Tls
+ */
+class DeprecatedSslProtocols extends DataFlow::Node {
+ string protocolName;
+
+ DeprecatedSslProtocols() {
+ exists(API::Node node |
+ node =
+ API::getTopLevelMember("system")
+ .getMember("security")
+ .getMember("authentication")
+ .getMember("sslprotocols")
+ .getMember(protocolName) and
+ this = node.asSource() and
+ isDeprecatedProtocol(protocolName)
+ )
+ }
+
+ string getProtocolName() { result = protocolName }
+}
+
+from DataFlow::Node node, string protocolName
+where
+ exists(DeprecatedSecurityProtocolType d |
+ node = d and protocolName = d.getProtocolName()
+ )
+ or
+ exists(DeprecatedSslProtocols d | node = d and protocolName = d.getProtocolName())
+select node,
+ "Use of deprecated protocol " + getProtocolDisplayName(protocolName) + ". Use TLS 1.2 or TLS 1.3 instead."
diff --git a/powershell/ql/test/query-tests/security/cwe-757/DeprecatedTls/DeprecatedTls.expected b/powershell/ql/test/query-tests/security/cwe-757/DeprecatedTls/DeprecatedTls.expected
new file mode 100644
index 000000000000..ecc4a82a7d4b
--- /dev/null
+++ b/powershell/ql/test/query-tests/security/cwe-757/DeprecatedTls/DeprecatedTls.expected
@@ -0,0 +1,4 @@
+| test.ps1:6:47:6:78 | ssl3 | Use of deprecated protocol SSL 3.0. Use TLS 1.2 or TLS 1.3 instead. |
+| test.ps1:9:47:9:77 | tls | Use of deprecated protocol TLS 1.0. Use TLS 1.2 or TLS 1.3 instead. |
+| test.ps1:12:47:12:79 | tls11 | Use of deprecated protocol TLS 1.1. Use TLS 1.2 or TLS 1.3 instead. |
+| test.ps1:15:54:15:91 | tls | Use of deprecated protocol TLS 1.0. Use TLS 1.2 or TLS 1.3 instead. |
diff --git a/powershell/ql/test/query-tests/security/cwe-757/DeprecatedTls/DeprecatedTls.qlref b/powershell/ql/test/query-tests/security/cwe-757/DeprecatedTls/DeprecatedTls.qlref
new file mode 100644
index 000000000000..6ef6aa8af337
--- /dev/null
+++ b/powershell/ql/test/query-tests/security/cwe-757/DeprecatedTls/DeprecatedTls.qlref
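Review bot: `DeprecatedSslProtocols` only resolves the fully qualified `system.security.authentication.sslprotocols` path, while `DeprecatedSecurityProtocolType` accepts both the `system.net` and the bare `net` spelling; PowerShell resolves `[Security.Authentication.SslProtocols]::Tls` exactly like the long form, so that spelling is missed. Mirror the disjunction used for `SecurityProtocolType` by adding `or node = API::getTopLevelMember("security").getMember("authentication").getMember("sslprotocols").getMember(protocolName)`. `isDeprecatedProtocol` also omits `ssl2` and, for `SslProtocols`, `default` (documented in .NET as `Ssl3 | Tls`, so it enables two deprecated versions at once); if those are intentionally out of scope, a comment on the predicate should say so. Assignments that rely on PowerShell's string-to-enum coercion, e.g. `[Net.ServicePointManager]::SecurityProtocol = 'Tls, Tls12'`, are not API-graph member references and are not reported either, and since the query has no sink constraint it will equally flag a comparison such as `if ($p -eq [Net.SecurityProtocolType]::Tls)`; both are worth a sentence in `@description`. Separately, the remediation text `Use TLS 1.2 or TLS 1.3 instead` nudges authors to hard-pin `Tls12`; on .NET Framework 4.7+ the usual guidance is `SystemDefault` (let the OS negotiate), so consider naming that as the preferred fix.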
@@ -0,0 +1 @@
+queries/security/cwe-757/DeprecatedTls.ql
diff --git a/powershell/ql/test/query-tests/security/cwe-757/DeprecatedTls/test.ps1 b/powershell/ql/test/query-tests/security/cwe-757/DeprecatedTls/test.ps1
new file mode 100644
index 000000000000..49e2448be73d
--- /dev/null
+++ b/powershell/ql/test/query-tests/security/cwe-757/DeprecatedTls/test.ps1
@@ -0,0 +1,25 @@
+# ===================================================================
+# ========== TRUE POSITIVES (should trigger alert) ==================
+# ===================================================================
+
+# --- Case 1: SSL 3.0 ---
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Ssl3 # BAD
+
+# --- Case 2: TLS 1.0 ---
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls # BAD
+
+# --- Case 3: TLS 1.1 ---
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls11 # BAD
+
+# --- Case 4: Full namespace TLS 1.0 ---
+[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls # BAD
+
+# ===================================================================
+# ========== TRUE NEGATIVES (should NOT trigger alert) ==============
+# ===================================================================
+
+# --- Safe: TLS 1.2 ---
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 # GOOD
+
+# --- Safe: TLS 1.3 ---
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls13 # GOOD
From decbe387db9a1c2b0443eec5bef08dd5d8af47a8 Mon Sep 17 00:00:00 2001
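Review bot: The test file exercises only `SecurityProtocolType`, so the `DeprecatedSslProtocols` class in the query has no coverage at all — no true positive and no true negative — and a regression there would go unnoticed. Add at least `$p = [System.Security.Authentication.SslProtocols]::Tls # BAD` and a `Tls12` counterpart marked `# GOOD`. A combined-flags case such as `[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls -bor [Net.SecurityProtocolType]::Tls12 # BAD` would also document that a deprecated version is still reported when it is enabled alongside a modern one, which is what the query as written does.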
From: Chanel Young Date: Mon, 13 Apr 2026 12:01:51 -0700 Subject: [PATCH 2/4] make abstract class, remove microsoft from id, add qhelp --- .../security/cwe-757/DeprecatedTls.qhelp | 42 +++++++++++++++++++ .../queries/security/cwe-757/DeprecatedTls.ql | 38 +++++++---------- .../DeprecatedTls/DeprecatedTlsBad.ps1 | 8 ++++ .../DeprecatedTls/DeprecatedTlsGood.ps1 | 5 +++ 4 files changed, 70 insertions(+), 23 deletions(-) create mode 100644 powershell/ql/src/queries/security/cwe-757/DeprecatedTls.qhelp create mode 100644 powershell/ql/src/queries/security/cwe-757/examples/DeprecatedTls/DeprecatedTlsBad.ps1 create mode 100644 powershell/ql/src/queries/security/cwe-757/examples/DeprecatedTls/DeprecatedTlsGood.ps1 diff --git a/powershell/ql/src/queries/security/cwe-757/DeprecatedTls.qhelp b/powershell/ql/src/queries/security/cwe-757/DeprecatedTls.qhelp new file mode 100644 index 000000000000..30a69582ce43 --- /dev/null +++ b/powershell/ql/src/queries/security/cwe-757/DeprecatedTls.qhelp @@ -0,0 +1,42 @@ + + + +

+ TLS (Transport Layer Security) and its predecessor SSL (Secure Sockets Layer) are protocols + used to secure network communications. Older versions of these protocols have known + vulnerabilities that can be exploited by attackers to compromise the confidentiality and + integrity of data in transit. +

+

+ The following versions are considered deprecated: +

+
    +
  • SSL 3.0 is vulnerable to the POODLE attack and other weaknesses.
  • +
  • TLS 1.0 has known vulnerabilities including the BEAST attack and weak cipher suites.
  • +
  • TLS 1.1 lacks support for modern cryptographic algorithms and is deprecated by RFC 8996.
  • +
+
+ +

+ Use TLS 1.2 or TLS 1.3 for all secure communications. TLS 1.3 is preferred as it removes + support for legacy cryptographic features and provides improved performance. When configuring + SecurityProtocolType, use Tls12 or Tls13. +

+
+ +

+ In the following example, the script enables the deprecated SSL 3.0 and TLS 1.0 protocols: +

+ +

+ The following example shows the corrected code using TLS 1.2: +

+ +
+ +
  • IETF, RFC 8996: Deprecating TLS 1.0 and TLS 1.1.
  • +
  • NIST, SP 800-52 Rev. 2: Guidelines for the Selection, Configuration, and Use of TLS Implementations.
  • +
  • OWASP: Transport Layer Security Cheat Sheet.
  • +
  • CWE-757: Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade').
  • +
    +
    diff --git a/powershell/ql/src/queries/security/cwe-757/DeprecatedTls.ql b/powershell/ql/src/queries/security/cwe-757/DeprecatedTls.ql index 8b33d55c9548..c4faa4a23a32 100644 --- a/powershell/ql/src/queries/security/cwe-757/DeprecatedTls.ql +++ b/powershell/ql/src/queries/security/cwe-757/DeprecatedTls.ql @@ -5,7 +5,7 @@ * @problem.severity error * @security-severity 7.5 * @precision high - * @id powershell/microsoft/security/deprecated-tls + * @id powershell/deprecated-tls * @tags security * external/cwe/cwe-327 * external/cwe/cwe-757 @@ -15,13 +15,6 @@ import powershell import semmle.code.powershell.ApiGraphs import semmle.code.powershell.dataflow.DataFlow -/** - * Holds if `protocolName` is a deprecated TLS/SSL protocol (lowercase). - */ -predicate isDeprecatedProtocol(string protocolName) { - protocolName = ["ssl3", "tls", "tls11"] -} - /** * Gets the human-readable name for a deprecated protocol. */ @@ -34,11 +27,15 @@ string getProtocolDisplayName(string protocolName) { protocolName = "tls11" and result = "TLS 1.1" } +abstract class SecurityProtocol extends Expr { + abstract string getProtocolName(); +} + /** * A reference to a deprecated SecurityProtocolType enum value, e.g. * [Net.SecurityProtocolType]::Ssl3 */ -class DeprecatedSecurityProtocolType extends DataFlow::Node { +class DeprecatedSecurityProtocolType extends SecurityProtocol { string protocolName; DeprecatedSecurityProtocolType() { 
@@ -55,19 +52,18 @@ class DeprecatedSecurityProtocolType extends DataFlow::Node { .getMember("securityprotocoltype") .getMember(protocolName) ) and - this = node.asSource() and - isDeprecatedProtocol(protocolName) + this = node.asSource().asExpr().getExpr() ) } - string getProtocolName() { result = protocolName } + override string getProtocolName() { result = protocolName } } /** * A reference to a deprecated SslProtocols enum value, e.g. * [System.Security.Authentication.SslProtocols]::Tls */ -class DeprecatedSslProtocols extends DataFlow::Node { +class DeprecatedSslProtocols extends SecurityProtocol { string protocolName; DeprecatedSslProtocols() { @@ -78,21 +74,17 @@ class DeprecatedSslProtocols extends DataFlow::Node { .getMember("authentication") .getMember("sslprotocols") .getMember(protocolName) and - this = node.asSource() and - isDeprecatedProtocol(protocolName) + this = node.asSource().asExpr().getExpr() ) } - string getProtocolName() { result = protocolName } + override string getProtocolName() { result = protocolName } } -from DataFlow::Node node, string protocolName +from SecurityProtocol sp, string protocolName where - exists(DeprecatedSecurityProtocolType d | - node = d and protocolName = d.getProtocolName() - ) - or - exists(DeprecatedSslProtocols d | node = d and protocolName = d.getProtocolName()) -select node, + protocolName = sp.getProtocolName() and + protocolName = ["ssl3", "tls", "tls11"] +select sp, "Use of deprecated protocol " + getProtocolDisplayName(protocolName) + ". Use TLS 1.2 or TLS 1.3 instead." diff --git a/powershell/ql/src/queries/security/cwe-757/examples/DeprecatedTls/DeprecatedTlsBad.ps1 b/powershell/ql/src/queries/security/cwe-757/examples/DeprecatedTls/DeprecatedTlsBad.ps1 new file mode 100644 index 000000000000..45a54ce3659a --- /dev/null +++ b/powershell/ql/src/queries/security/cwe-757/examples/DeprecatedTls/DeprecatedTlsBad.ps1 
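Review bot: `DeprecatedSecurityProtocolType` and `DeprecatedSslProtocols` now match every member of their enum — `Tls12` and `Tls13` included — because the `isDeprecatedProtocol` filter moved into the `where` clause, yet their names and the `A reference to a deprecated ... enum value` doc comments still say otherwise, which will mislead anyone reusing `SecurityProtocol` from another query. Rename them (e.g. `SecurityProtocolTypeMember` / `SslProtocolsMember`) or at minimum reword the comments to `A reference to a SecurityProtocolType enum value (deprecated or not)`. The new `abstract class SecurityProtocol` carries no QLDoc; something like `/** An expression that references a TLS/SSL protocol enum member; `getProtocolName()` is the lowercase member name. */` would do. The deprecated set `["ssl3", "tls", "tls11"]` is now an inline literal in the `where` clause, implicitly mirrored by the three cases of `getProtocolDisplayName`; keeping it in a named predicate leaves one place to extend if `ssl2` or `SslProtocols.Default` are ever added. The last hunk opens inside `DeprecatedSslProtocols`, whose header lies outside the hunk.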
@@ -0,0 +1,8 @@
+# BAD: Using deprecated SSL 3.0
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Ssl3
+
+# BAD: Using deprecated TLS 1.0
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls
+
+# BAD: Using deprecated TLS 1.1
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls11
diff --git a/powershell/ql/src/queries/security/cwe-757/examples/DeprecatedTls/DeprecatedTlsGood.ps1 b/powershell/ql/src/queries/security/cwe-757/examples/DeprecatedTls/DeprecatedTlsGood.ps1
new file mode 100644
index 000000000000..2d4160e11412
--- /dev/null
+++ b/powershell/ql/src/queries/security/cwe-757/examples/DeprecatedTls/DeprecatedTlsGood.ps1
@@ -0,0 +1,5 @@
+# GOOD: Using TLS 1.2
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+
+# GOOD: Using TLS 1.3
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls13
From bd5be0657f99c016592ef99eb1e5b16316bd8122 Mon Sep 17 00:00:00 2001
From: Chanel Young
Date: Mon, 13 Apr 2026 12:48:37 -0700
Subject: [PATCH 3/4] added additional unsafe deserializers to powershell query
---
 .../UnsafeDeserializationCustomizations.qll | 155 ++++++++++++++-
 .../cwe-502/UnsafeDeserialization.expected | 184 ++++++++++++++++--
 .../query-tests/security/cwe-502/test.ps1 | 82 ++++++++
 3 files changed, 399 insertions(+), 22 deletions(-)
diff --git a/powershell/ql/lib/semmle/code/powershell/security/UnsafeDeserializationCustomizations.qll b/powershell/ql/lib/semmle/code/powershell/security/UnsafeDeserializationCustomizations.qll
index 25615acd77d7..006fb00e4140 100644
--- a/powershell/ql/lib/semmle/code/powershell/security/UnsafeDeserializationCustomizations.qll
+++ b/powershell/ql/lib/semmle/code/powershell/security/UnsafeDeserializationCustomizations.qll
@@ -8,10 +8,11 @@ private import semmle.code.powershell.dataflow.DataFlow import semmle.code.powershell.ApiGraphs private import semmle.code.powershell.dataflow.flowsources.FlowSources private import semmle.code.powershell.Cfg +private import powershell module UnsafeDeserialization { /** - * A data flow source for SQL-injection vulnerabilities. + * A data flow source for unsafe deserialization vulnerabilities. */ abstract class Source extends DataFlow::Node { /** Gets a string that describes the type of this flow source. */ @@ -19,12 +20,11 @@ module UnsafeDeserialization { } /** - * A data flow sink for SQL-injection vulnerabilities. + * A data flow sink for unsafe deserialization vulnerabilities. */ abstract class Sink extends DataFlow::Node { /** Gets a description of this sink. */ abstract string getSinkType(); - } /** 
@@ -37,17 +37,156 @@ module UnsafeDeserialization { override string getSourceType() { result = SourceNode.super.getSourceType() } } + /** + * Holds if the `ObjectCreationNode` `ocn` constructs a type whose fully qualified name + * (lowercase) matches `fullTypeName`. Handles both `New-Object TypeName` and + * `[TypeName]::new()` patterns. + */ + private predicate objectCreationMatchesType( + DataFlow::ObjectCreationNode ocn, string fullTypeName + ) { + // New-Object TypeName: getLowerCaseConstructedTypeName() returns the full qualified name + ocn.getLowerCaseConstructedTypeName() = fullTypeName + or + // [TypeName]::new(): access the qualifier TypeNameExpr for the full qualified name + ocn.getExprNode().getExpr().(ConstructorCall).getQualifier().(TypeNameExpr) + .getPossiblyQualifiedName() = fullTypeName + } + + /** + * Holds if `typeName` (lowercase, fully qualified) is a known unsafe deserializer type + * and `methodName` (lowercase) is an unsafe deserialization instance method on that type. + */ + private predicate unsafeInstanceDeserializer(string typeName, string methodName) { + typeName = "system.runtime.serialization.formatters.soap.soapformatter" and + methodName = "deserialize" + or + typeName = "system.web.ui.objectstateformatter" and + methodName = "deserialize" + or + typeName = "system.runtime.serialization.netdatacontractserializer" and + methodName = ["deserialize", "readobject"] + or + typeName = "system.web.ui.losformatter" and + methodName = "deserialize" + or + typeName = "system.data.dataset" and + methodName = "readxmlschema" + or + typeName = "system.data.datatable" and + methodName = ["readxmlschema", "readxml"] + or + typeName = "yamldotnet.serialization.deserializer" and + methodName = "deserialize" + } + + /** + * Holds if `typeName` (lowercase, fully qualified) has a static method + * `methodName` (lowercase) that is an unsafe deserializer. 
+ */ + private predicate unsafeStaticDeserializer(string typeName, string methodName) { + typeName = "system.windows.markup.xamlreader" and + methodName = ["parse", "load", "loadasync"] + or + typeName = "system.workflow.componentmodel.activity" and + methodName = "load" + or + typeName = "memorypack.memorypackserializer" and + methodName = "deserialize" + } + + /** + * Holds if creating an instance of `typeName` (lowercase, fully qualified) with + * untrusted arguments is an unsafe deserialization. + */ + private predicate unsafeDeserializerConstructor(string typeName) { + typeName = "system.resources.resourcereader" + or + typeName = "system.resources.resxresourcereader" + } + + /** + * An argument to a BinaryFormatter deserialization method call, including + * Deserialize, UnsafeDeserialize, and UnsafeDeserializeMethodResponse. + */ class BinaryFormatterDeserializeSink extends Sink { BinaryFormatterDeserializeSink() { - exists(DataFlow::ObjectCreationNode ocn, DataFlow::CallNode cn | - cn.getQualifier().getALocalSource() = ocn and - ocn.getExprNode().getExpr().(CallExpr).getAnArgument().getValue().asString() = "System.Runtime.Serialization.Formatters.Binary.BinaryFormatter" and - cn.getLowerCaseName() = "deserialize" and + exists(DataFlow::ObjectCreationNode ocn, DataFlow::CallNode cn | + cn.getQualifier().getALocalSource() = ocn and + objectCreationMatchesType(ocn, + "system.runtime.serialization.formatters.binary.binaryformatter") and + cn.getLowerCaseName() = + ["deserialize", "unsafedeserialize", "unsafedeserializemethodresponse"] and cn.getAnArgument() = this - ) + ) } override string getSinkType() { result = "call to BinaryFormatter.Deserialize" } + } + + /** + * An argument to an unsafe deserialization instance method call. + * Covers SoapFormatter, ObjectStateFormatter, NetDataContractSerializer, + * LosFormatter, DataSet, DataTable, and YamlDotNet deserializers. 
+ */ + class InstanceDeserializerSink extends Sink { + string typeName; + string methodName; + + InstanceDeserializerSink() { + unsafeInstanceDeserializer(typeName, methodName) and + exists(DataFlow::ObjectCreationNode ocn, DataFlow::CallNode cn | + cn.getQualifier().getALocalSource() = ocn and + objectCreationMatchesType(ocn, typeName) and + cn.getLowerCaseName() = methodName and + cn.getAnArgument() = this + ) + } + + override string getSinkType() { result = "call to " + typeName + "." + methodName } + } + + /** + * An argument to an unsafe static deserialization method call. + * Covers XamlReader, Activity.Load, and MemoryPackSerializer. + */ + class StaticDeserializerSink extends Sink { + string typeName; + string methodName; + + StaticDeserializerSink() { + unsafeStaticDeserializer(typeName, methodName) and + exists(DataFlow::CallNode cn | + cn.getAnArgument() = this and + cn.getLowerCaseName() = methodName and + exists(InvokeMemberExpr ime | + ime = cn.getExprNode().getExpr() and + ime.isStatic() and + ime.getQualifier().(TypeNameExpr).getPossiblyQualifiedName() = typeName + ) + ) + } + + override string getSinkType() { + result = "call to [" + typeName + "]::" + methodName + } + } + + /** + * An argument to a constructor of an unsafe deserializer type. + * Covers ResourceReader and ResXResourceReader constructors. + */ + class UnsafeConstructorSink extends Sink { + string typeName; + + UnsafeConstructorSink() { + unsafeDeserializerConstructor(typeName) and + exists(DataFlow::ObjectCreationNode ocn | + objectCreationMatchesType(ocn, typeName) and + ocn.getAnArgument() = this + ) + } + override string getSinkType() { result = "constructor of " + typeName } } } diff --git a/powershell/ql/test/query-tests/security/cwe-502/UnsafeDeserialization.expected b/powershell/ql/test/query-tests/security/cwe-502/UnsafeDeserialization.expected index 1f4d0a846c98..7b11885a26f8 100644 --- a/powershell/ql/test/query-tests/security/cwe-502/UnsafeDeserialization.expected 
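Review bot: The `[TypeName]::new()` branch of `objectCreationMatchesType` and the qualifier check in `StaticDeserializerSink` compare `getPossiblyQualifiedName()` directly against the lowercase table entries, while the `New-Object` branch goes through `getLowerCaseConstructedTypeName()`; unless `getPossiblyQualifiedName()` already lower-cases its result (the new expectations for the static sinks suggest it might), a mixed-case `[System.Web.UI.LosFormatter]::new()` or `[System.Windows.Markup.XamlReader]::Parse($x)` would silently fail to match, since PowerShell type names are case-insensitive. Use `.getPossiblyQualifiedName().toLowerCase() = fullTypeName` in both places, or add a comment stating the normalisation guarantee. The tables also hold only the `system.`-prefixed spelling, whereas PowerShell accepts `[Web.UI.LosFormatter]` and `New-Object Windows.Markup.XamlReader` without it, so consider matching either form as the TLS query earlier in this series does for `Net.SecurityProtocolType`. `unsafeInstanceDeserializer` lists `readxml` for `system.data.datatable` but only `readxmlschema` for `system.data.dataset`; if `DataSet.ReadXml` is deliberately excluded a comment should say why, otherwise it belongs in the list. Finally, `BinaryFormatterDeserializeSink.getSinkType()` still returns `call to BinaryFormatter.Deserialize` for `UnsafeDeserialize` and `UnsafeDeserializeMethodResponse`, so those alerts will be mislabelled; capture the method name in a field as the other sink classes do and build the string from it.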
+++ b/powershell/ql/test/query-tests/security/cwe-502/UnsafeDeserialization.expected 
@@ -1,18 +1,174 @@ edges -| test.ps1:1:1:1:16 | untrustedBase64 | test.ps1:3:69:3:84 | untrustedBase64 | provenance | | -| test.ps1:1:20:1:47 | Call to read-host | test.ps1:1:1:1:16 | untrustedBase64 | provenance | Src:MaD:0 | -| test.ps1:3:1:3:7 | stream | test.ps1:4:31:4:37 | stream | provenance | | -| test.ps1:3:11:3:86 | Call to new | test.ps1:3:1:3:7 | stream | provenance | | -| test.ps1:3:41:3:85 | Call to frombase64string | test.ps1:3:11:3:86 | Call to new | provenance | Config | -| test.ps1:3:69:3:84 | untrustedBase64 | test.ps1:3:41:3:85 | Call to frombase64string | provenance | Config | +| test.ps1:2:1:2:16 | untrustedBase64 | test.ps1:4:69:4:84 | untrustedBase64 | provenance | | +| test.ps1:2:20:2:47 | Call to read-host | test.ps1:2:1:2:16 | untrustedBase64 | provenance | Src:MaD:0 | +| test.ps1:4:1:4:7 | stream | test.ps1:5:31:5:37 | stream | provenance | | +| test.ps1:4:11:4:86 | Call to new | test.ps1:4:1:4:7 | stream | provenance | | +| test.ps1:4:41:4:85 | Call to frombase64string | test.ps1:4:11:4:86 | Call to new | provenance | Config | +| test.ps1:4:69:4:84 | untrustedBase64 | test.ps1:4:41:4:85 | Call to frombase64string | provenance | Config | +| test.ps1:8:1:8:7 | input2 | test.ps1:10:70:10:76 | input2 | provenance | | +| test.ps1:8:11:8:32 | Call to read-host | test.ps1:8:1:8:7 | input2 | provenance | Src:MaD:0 | +| test.ps1:10:1:10:8 | stream2 | test.ps1:11:39:11:46 | stream2 | provenance | | +| test.ps1:10:12:10:78 | Call to new | test.ps1:10:1:10:8 | stream2 | provenance | | +| test.ps1:10:42:10:77 | Call to frombase64string | test.ps1:10:12:10:78 | Call to new | provenance | Config | +| test.ps1:10:70:10:76 | input2 | test.ps1:10:42:10:77 | Call to frombase64string | provenance | Config | +| test.ps1:14:1:14:7 | input3 | test.ps1:16:80:16:86 | input3 | provenance | | +| test.ps1:14:11:14:37 | Call to read-host | test.ps1:14:1:14:7 | input3 | provenance | Src:MaD:0 | +| test.ps1:16:1:16:8 | stream3 | test.ps1:17:36:17:43 | stream3 | 
provenance | | +| test.ps1:16:12:16:88 | Call to new | test.ps1:16:1:16:8 | stream3 | provenance | | +| test.ps1:16:42:16:87 | Call to getbytes | test.ps1:16:12:16:88 | Call to new | provenance | Config | +| test.ps1:16:80:16:86 | input3 | test.ps1:16:42:16:87 | Call to getbytes | provenance | Config | +| test.ps1:20:1:20:7 | input4 | test.ps1:22:26:22:32 | input4 | provenance | | +| test.ps1:20:11:20:38 | Call to read-host | test.ps1:20:1:20:7 | input4 | provenance | Src:MaD:0 | +| test.ps1:25:1:25:7 | input5 | test.ps1:27:80:27:86 | input5 | provenance | | +| test.ps1:25:11:25:43 | Call to read-host | test.ps1:25:1:25:7 | input5 | provenance | Src:MaD:0 | +| test.ps1:27:1:27:8 | stream5 | test.ps1:28:27:28:34 | stream5 | provenance | | +| test.ps1:27:12:27:88 | Call to new | test.ps1:27:1:27:8 | stream5 | provenance | | +| test.ps1:27:42:27:87 | Call to getbytes | test.ps1:27:12:27:88 | Call to new | provenance | Config | +| test.ps1:27:80:27:86 | input5 | test.ps1:27:42:27:87 | Call to getbytes | provenance | Config | +| test.ps1:31:1:31:7 | input6 | test.ps1:33:80:33:86 | input6 | provenance | | +| test.ps1:31:11:31:39 | Call to read-host | test.ps1:31:1:31:7 | input6 | provenance | Src:MaD:0 | +| test.ps1:33:1:33:8 | stream6 | test.ps1:34:27:34:34 | stream6 | provenance | | +| test.ps1:33:12:33:88 | Call to new | test.ps1:33:1:33:8 | stream6 | provenance | | +| test.ps1:33:42:33:87 | Call to getbytes | test.ps1:33:12:33:88 | Call to new | provenance | Config | +| test.ps1:33:80:33:86 | input6 | test.ps1:33:42:33:87 | Call to getbytes | provenance | Config | +| test.ps1:37:1:37:7 | input7 | test.ps1:39:35:39:41 | input7 | provenance | | +| test.ps1:37:11:37:36 | Call to read-host | test.ps1:37:1:37:7 | input7 | provenance | Src:MaD:0 | +| test.ps1:42:1:42:7 | input8 | test.ps1:43:51:43:57 | input8 | provenance | | +| test.ps1:42:11:42:32 | Call to read-host | test.ps1:42:1:42:7 | input8 | provenance | Src:MaD:0 | +| test.ps1:46:1:46:7 | input9 | 
test.ps1:47:80:47:86 | input9 | provenance | | +| test.ps1:46:11:46:44 | Call to read-host | test.ps1:46:1:46:7 | input9 | provenance | Src:MaD:0 | +| test.ps1:47:1:47:8 | stream9 | test.ps1:48:50:48:57 | stream9 | provenance | | +| test.ps1:47:12:47:88 | Call to new | test.ps1:47:1:47:8 | stream9 | provenance | | +| test.ps1:47:42:47:87 | Call to getbytes | test.ps1:47:12:47:88 | Call to new | provenance | Config | +| test.ps1:47:80:47:86 | input9 | test.ps1:47:42:47:87 | Call to getbytes | provenance | Config | +| test.ps1:51:1:51:8 | input10 | test.ps1:53:49:53:56 | input10 | provenance | | +| test.ps1:51:12:51:40 | Call to read-host | test.ps1:51:1:51:8 | input10 | provenance | Src:MaD:0 | +| test.ps1:53:49:53:56 | input10 | test.ps1:53:19:53:57 | Call to new | provenance | Config | +| test.ps1:56:1:56:8 | input11 | test.ps1:58:43:58:50 | input11 | provenance | | +| test.ps1:56:12:56:39 | Call to read-host | test.ps1:56:1:56:8 | input11 | provenance | Src:MaD:0 | +| test.ps1:58:43:58:50 | input11 | test.ps1:58:13:58:51 | Call to new | provenance | Config | +| test.ps1:61:1:61:8 | input12 | test.ps1:63:50:63:57 | input12 | provenance | | +| test.ps1:61:12:61:41 | Call to read-host | test.ps1:61:1:61:8 | input12 | provenance | Src:MaD:0 | +| test.ps1:63:50:63:57 | input12 | test.ps1:63:20:63:58 | Call to new | provenance | Config | +| test.ps1:66:1:66:8 | input13 | test.ps1:67:68:67:75 | input13 | provenance | | +| test.ps1:66:12:66:42 | Call to read-host | test.ps1:66:1:66:8 | input13 | provenance | Src:MaD:0 | +| test.ps1:70:1:70:8 | input14 | test.ps1:71:58:71:65 | input14 | provenance | | +| test.ps1:70:12:70:38 | Call to read-host | test.ps1:70:1:70:8 | input14 | provenance | Src:MaD:0 | +| test.ps1:74:1:74:8 | input15 | test.ps1:75:71:75:78 | input15 | provenance | | +| test.ps1:74:12:74:42 | Call to read-host | test.ps1:74:1:74:8 | input15 | provenance | Src:MaD:0 | +| test.ps1:75:1:75:9 | stream15 | test.ps1:76:49:76:57 | stream15 | provenance | | +| 
test.ps1:75:13:75:80 | Call to new | test.ps1:75:1:75:9 | stream15 | provenance | | +| test.ps1:75:43:75:79 | Call to frombase64string | test.ps1:75:13:75:80 | Call to new | provenance | Config | +| test.ps1:75:71:75:78 | input15 | test.ps1:75:43:75:79 | Call to frombase64string | provenance | Config | +| test.ps1:79:1:79:8 | input16 | test.ps1:81:40:81:47 | input16 | provenance | | +| test.ps1:79:12:79:33 | Call to read-host | test.ps1:79:1:79:8 | input16 | provenance | Src:MaD:0 | +| test.ps1:84:1:84:8 | input17 | test.ps1:85:40:85:47 | input17 | provenance | | +| test.ps1:84:12:84:40 | Call to read-host | test.ps1:84:1:84:8 | input17 | provenance | Src:MaD:0 | +| test.ps1:85:1:85:8 | bytes17 | test.ps1:86:48:86:55 | bytes17 | provenance | | +| test.ps1:85:12:85:48 | Call to frombase64string | test.ps1:85:1:85:8 | bytes17 | provenance | | +| test.ps1:85:40:85:47 | input17 | test.ps1:85:12:85:48 | Call to frombase64string | provenance | Config | nodes -| test.ps1:1:1:1:16 | untrustedBase64 | semmle.label | untrustedBase64 | -| test.ps1:1:20:1:47 | Call to read-host | semmle.label | Call to read-host | -| test.ps1:3:1:3:7 | stream | semmle.label | stream | -| test.ps1:3:11:3:86 | Call to new | semmle.label | Call to new | -| test.ps1:3:41:3:85 | Call to frombase64string | semmle.label | Call to frombase64string | -| test.ps1:3:69:3:84 | untrustedBase64 | semmle.label | untrustedBase64 | -| test.ps1:4:31:4:37 | stream | semmle.label | stream | +| test.ps1:2:1:2:16 | untrustedBase64 | semmle.label | untrustedBase64 | +| test.ps1:2:20:2:47 | Call to read-host | semmle.label | Call to read-host | +| test.ps1:4:1:4:7 | stream | semmle.label | stream | +| test.ps1:4:11:4:86 | Call to new | semmle.label | Call to new | +| test.ps1:4:41:4:85 | Call to frombase64string | semmle.label | Call to frombase64string | +| test.ps1:4:69:4:84 | untrustedBase64 | semmle.label | untrustedBase64 | +| test.ps1:5:31:5:37 | stream | semmle.label | stream | +| test.ps1:8:1:8:7 | input2 | 
semmle.label | input2 | +| test.ps1:8:11:8:32 | Call to read-host | semmle.label | Call to read-host | +| test.ps1:10:1:10:8 | stream2 | semmle.label | stream2 | +| test.ps1:10:12:10:78 | Call to new | semmle.label | Call to new | +| test.ps1:10:42:10:77 | Call to frombase64string | semmle.label | Call to frombase64string | +| test.ps1:10:70:10:76 | input2 | semmle.label | input2 | +| test.ps1:11:39:11:46 | stream2 | semmle.label | stream2 | +| test.ps1:14:1:14:7 | input3 | semmle.label | input3 | +| test.ps1:14:11:14:37 | Call to read-host | semmle.label | Call to read-host | +| test.ps1:16:1:16:8 | stream3 | semmle.label | stream3 | +| test.ps1:16:12:16:88 | Call to new | semmle.label | Call to new | +| test.ps1:16:42:16:87 | Call to getbytes | semmle.label | Call to getbytes | +| test.ps1:16:80:16:86 | input3 | semmle.label | input3 | +| test.ps1:17:36:17:43 | stream3 | semmle.label | stream3 | +| test.ps1:20:1:20:7 | input4 | semmle.label | input4 | +| test.ps1:20:11:20:38 | Call to read-host | semmle.label | Call to read-host | +| test.ps1:22:26:22:32 | input4 | semmle.label | input4 | +| test.ps1:25:1:25:7 | input5 | semmle.label | input5 | +| test.ps1:25:11:25:43 | Call to read-host | semmle.label | Call to read-host | +| test.ps1:27:1:27:8 | stream5 | semmle.label | stream5 | +| test.ps1:27:12:27:88 | Call to new | semmle.label | Call to new | +| test.ps1:27:42:27:87 | Call to getbytes | semmle.label | Call to getbytes | +| test.ps1:27:80:27:86 | input5 | semmle.label | input5 | +| test.ps1:28:27:28:34 | stream5 | semmle.label | stream5 | +| test.ps1:31:1:31:7 | input6 | semmle.label | input6 | +| test.ps1:31:11:31:39 | Call to read-host | semmle.label | Call to read-host | +| test.ps1:33:1:33:8 | stream6 | semmle.label | stream6 | +| test.ps1:33:12:33:88 | Call to new | semmle.label | Call to new | +| test.ps1:33:42:33:87 | Call to getbytes | semmle.label | Call to getbytes | +| test.ps1:33:80:33:86 | input6 | semmle.label | input6 | +| 
test.ps1:34:27:34:34 | stream6 | semmle.label | stream6 | +| test.ps1:37:1:37:7 | input7 | semmle.label | input7 | +| test.ps1:37:11:37:36 | Call to read-host | semmle.label | Call to read-host | +| test.ps1:39:35:39:41 | input7 | semmle.label | input7 | +| test.ps1:42:1:42:7 | input8 | semmle.label | input8 | +| test.ps1:42:11:42:32 | Call to read-host | semmle.label | Call to read-host | +| test.ps1:43:51:43:57 | input8 | semmle.label | input8 | +| test.ps1:46:1:46:7 | input9 | semmle.label | input9 | +| test.ps1:46:11:46:44 | Call to read-host | semmle.label | Call to read-host | +| test.ps1:47:1:47:8 | stream9 | semmle.label | stream9 | +| test.ps1:47:12:47:88 | Call to new | semmle.label | Call to new | +| test.ps1:47:42:47:87 | Call to getbytes | semmle.label | Call to getbytes | +| test.ps1:47:80:47:86 | input9 | semmle.label | input9 | +| test.ps1:48:50:48:57 | stream9 | semmle.label | stream9 | +| test.ps1:51:1:51:8 | input10 | semmle.label | input10 | +| test.ps1:51:12:51:40 | Call to read-host | semmle.label | Call to read-host | +| test.ps1:53:19:53:57 | Call to new | semmle.label | Call to new | +| test.ps1:53:49:53:56 | input10 | semmle.label | input10 | +| test.ps1:56:1:56:8 | input11 | semmle.label | input11 | +| test.ps1:56:12:56:39 | Call to read-host | semmle.label | Call to read-host | +| test.ps1:58:13:58:51 | Call to new | semmle.label | Call to new | +| test.ps1:58:43:58:50 | input11 | semmle.label | input11 | +| test.ps1:61:1:61:8 | input12 | semmle.label | input12 | +| test.ps1:61:12:61:41 | Call to read-host | semmle.label | Call to read-host | +| test.ps1:63:20:63:58 | Call to new | semmle.label | Call to new | +| test.ps1:63:50:63:57 | input12 | semmle.label | input12 | +| test.ps1:66:1:66:8 | input13 | semmle.label | input13 | +| test.ps1:66:12:66:42 | Call to read-host | semmle.label | Call to read-host | +| test.ps1:67:68:67:75 | input13 | semmle.label | input13 | +| test.ps1:70:1:70:8 | input14 | semmle.label | input14 | +| 
test.ps1:70:12:70:38 | Call to read-host | semmle.label | Call to read-host | +| test.ps1:71:58:71:65 | input14 | semmle.label | input14 | +| test.ps1:74:1:74:8 | input15 | semmle.label | input15 | +| test.ps1:74:12:74:42 | Call to read-host | semmle.label | Call to read-host | +| test.ps1:75:1:75:9 | stream15 | semmle.label | stream15 | +| test.ps1:75:13:75:80 | Call to new | semmle.label | Call to new | +| test.ps1:75:43:75:79 | Call to frombase64string | semmle.label | Call to frombase64string | +| test.ps1:75:71:75:78 | input15 | semmle.label | input15 | +| test.ps1:76:49:76:57 | stream15 | semmle.label | stream15 | +| test.ps1:79:1:79:8 | input16 | semmle.label | input16 | +| test.ps1:79:12:79:33 | Call to read-host | semmle.label | Call to read-host | +| test.ps1:81:40:81:47 | input16 | semmle.label | input16 | +| test.ps1:84:1:84:8 | input17 | semmle.label | input17 | +| test.ps1:84:12:84:40 | Call to read-host | semmle.label | Call to read-host | +| test.ps1:85:1:85:8 | bytes17 | semmle.label | bytes17 | +| test.ps1:85:12:85:48 | Call to frombase64string | semmle.label | Call to frombase64string | +| test.ps1:85:40:85:47 | input17 | semmle.label | input17 | +| test.ps1:86:48:86:55 | bytes17 | semmle.label | bytes17 | subpaths #select -| test.ps1:4:31:4:37 | stream | test.ps1:1:20:1:47 | Call to read-host | test.ps1:4:31:4:37 | stream | This unsafe deserializer deserializes on a $@. | test.ps1:1:20:1:47 | Call to read-host | read from stdin | +| test.ps1:5:31:5:37 | stream | test.ps1:2:20:2:47 | Call to read-host | test.ps1:5:31:5:37 | stream | This unsafe deserializer deserializes on a $@. | test.ps1:2:20:2:47 | Call to read-host | read from stdin | +| test.ps1:11:39:11:46 | stream2 | test.ps1:8:11:8:32 | Call to read-host | test.ps1:11:39:11:46 | stream2 | This unsafe deserializer deserializes on a $@. 
| test.ps1:8:11:8:32 | Call to read-host | read from stdin | +| test.ps1:17:36:17:43 | stream3 | test.ps1:14:11:14:37 | Call to read-host | test.ps1:17:36:17:43 | stream3 | This unsafe deserializer deserializes on a $@. | test.ps1:14:11:14:37 | Call to read-host | read from stdin | +| test.ps1:22:26:22:32 | input4 | test.ps1:20:11:20:38 | Call to read-host | test.ps1:22:26:22:32 | input4 | This unsafe deserializer deserializes on a $@. | test.ps1:20:11:20:38 | Call to read-host | read from stdin | +| test.ps1:28:27:28:34 | stream5 | test.ps1:25:11:25:43 | Call to read-host | test.ps1:28:27:28:34 | stream5 | This unsafe deserializer deserializes on a $@. | test.ps1:25:11:25:43 | Call to read-host | read from stdin | +| test.ps1:34:27:34:34 | stream6 | test.ps1:31:11:31:39 | Call to read-host | test.ps1:34:27:34:34 | stream6 | This unsafe deserializer deserializes on a $@. | test.ps1:31:11:31:39 | Call to read-host | read from stdin | +| test.ps1:39:35:39:41 | input7 | test.ps1:37:11:37:36 | Call to read-host | test.ps1:39:35:39:41 | input7 | This unsafe deserializer deserializes on a $@. | test.ps1:37:11:37:36 | Call to read-host | read from stdin | +| test.ps1:43:51:43:57 | input8 | test.ps1:42:11:42:32 | Call to read-host | test.ps1:43:51:43:57 | input8 | This unsafe deserializer deserializes on a $@. | test.ps1:42:11:42:32 | Call to read-host | read from stdin | +| test.ps1:48:50:48:57 | stream9 | test.ps1:46:11:46:44 | Call to read-host | test.ps1:48:50:48:57 | stream9 | This unsafe deserializer deserializes on a $@. | test.ps1:46:11:46:44 | Call to read-host | read from stdin | +| test.ps1:53:19:53:57 | Call to new | test.ps1:51:12:51:40 | Call to read-host | test.ps1:53:19:53:57 | Call to new | This unsafe deserializer deserializes on a $@. 
| test.ps1:51:12:51:40 | Call to read-host | read from stdin | +| test.ps1:58:13:58:51 | Call to new | test.ps1:56:12:56:39 | Call to read-host | test.ps1:58:13:58:51 | Call to new | This unsafe deserializer deserializes on a $@. | test.ps1:56:12:56:39 | Call to read-host | read from stdin | +| test.ps1:63:20:63:58 | Call to new | test.ps1:61:12:61:41 | Call to read-host | test.ps1:63:20:63:58 | Call to new | This unsafe deserializer deserializes on a $@. | test.ps1:61:12:61:41 | Call to read-host | read from stdin | +| test.ps1:67:68:67:75 | input13 | test.ps1:66:12:66:42 | Call to read-host | test.ps1:67:68:67:75 | input13 | This unsafe deserializer deserializes on a $@. | test.ps1:66:12:66:42 | Call to read-host | read from stdin | +| test.ps1:71:58:71:65 | input14 | test.ps1:70:12:70:38 | Call to read-host | test.ps1:71:58:71:65 | input14 | This unsafe deserializer deserializes on a $@. | test.ps1:70:12:70:38 | Call to read-host | read from stdin | +| test.ps1:76:49:76:57 | stream15 | test.ps1:74:12:74:42 | Call to read-host | test.ps1:76:49:76:57 | stream15 | This unsafe deserializer deserializes on a $@. | test.ps1:74:12:74:42 | Call to read-host | read from stdin | +| test.ps1:81:40:81:47 | input16 | test.ps1:79:12:79:33 | Call to read-host | test.ps1:81:40:81:47 | input16 | This unsafe deserializer deserializes on a $@. | test.ps1:79:12:79:33 | Call to read-host | read from stdin | +| test.ps1:86:48:86:55 | bytes17 | test.ps1:84:12:84:40 | Call to read-host | test.ps1:86:48:86:55 | bytes17 | This unsafe deserializer deserializes on a $@. | test.ps1:84:12:84:40 | Call to read-host | read from stdin | diff --git a/powershell/ql/test/query-tests/security/cwe-502/test.ps1 b/powershell/ql/test/query-tests/security/cwe-502/test.ps1 index d35ef352cd38..69bff48f74fe 100644 --- a/powershell/ql/test/query-tests/security/cwe-502/test.ps1 +++ b/powershell/ql/test/query-tests/security/cwe-502/test.ps1 
@@ -1,4 +1,86 @@
+# Test 1: BinaryFormatter.Deserialize (existing)
 $untrustedBase64 = Read-Host "Enter user input"
 $formatter = New-Object System.Runtime.Serialization.Formatters.Binary.BinaryFormatter
 $stream = [System.IO.MemoryStream]::new([Convert]::FromBase64String($untrustedBase64))
 $obj = $formatter.Deserialize($stream)
+
+# Test 2: BinaryFormatter.UnsafeDeserialize
+$input2 = Read-Host "Enter data"
+$formatter2 = New-Object System.Runtime.Serialization.Formatters.Binary.BinaryFormatter
+$stream2 = [System.IO.MemoryStream]::new([Convert]::FromBase64String($input2))
+$obj2 = $formatter2.UnsafeDeserialize($stream2, $null)
+
+# Test 3: SoapFormatter.Deserialize
+$input3 = Read-Host "Enter soap data"
+$soapFormatter = New-Object System.Runtime.Serialization.Formatters.Soap.SoapFormatter
+$stream3 = [System.IO.MemoryStream]::new([System.Text.Encoding]::UTF8.GetBytes($input3))
+$obj3 = $soapFormatter.Deserialize($stream3)
+
+# Test 4: ObjectStateFormatter.Deserialize
+$input4 = Read-Host "Enter state data"
+$osf = New-Object System.Web.UI.ObjectStateFormatter
+$obj4 = $osf.Deserialize($input4)
+
+# Test 5: NetDataContractSerializer.Deserialize
+$input5 = Read-Host "Enter serialized data"
+$ndcs = New-Object System.Runtime.Serialization.NetDataContractSerializer
+$stream5 = [System.IO.MemoryStream]::new([System.Text.Encoding]::UTF8.GetBytes($input5))
+$obj5 = $ndcs.Deserialize($stream5)
+
+# Test 6: NetDataContractSerializer.ReadObject
+$input6 = Read-Host "Enter object data"
+$ndcs2 = New-Object System.Runtime.Serialization.NetDataContractSerializer
+$stream6 = [System.IO.MemoryStream]::new([System.Text.Encoding]::UTF8.GetBytes($input6))
+$obj6 = $ndcs2.ReadObject($stream6)
+
+# Test 7: LosFormatter.Deserialize
+$input7 = Read-Host "Enter LOS data"
+$losFormatter = New-Object System.Web.UI.LosFormatter
+$obj7 = $losFormatter.Deserialize($input7)
+
+# Test 8: XamlReader.Parse (static)
+$input8 = Read-Host "Enter XAML"
+$obj8 = [System.Windows.Markup.XamlReader]::Parse($input8)
+
+# Test 9: XamlReader.Load (static)
+$input9 = Read-Host "Enter XAML stream data"
+$stream9 = [System.IO.MemoryStream]::new([System.Text.Encoding]::UTF8.GetBytes($input9))
+$obj9 = [System.Windows.Markup.XamlReader]::Load($stream9)
+
+# Test 10: DataSet.ReadXmlSchema
+$input10 = Read-Host "Enter schema data"
+$ds = New-Object System.Data.DataSet
+$ds.ReadXmlSchema([System.IO.StringReader]::new($input10))
+
+# Test 11: DataTable.ReadXml
+$input11 = Read-Host "Enter table data"
+$dt = New-Object System.Data.DataTable
+$dt.ReadXml([System.IO.StringReader]::new($input11))
+
+# Test 12: DataTable.ReadXmlSchema
+$input12 = Read-Host "Enter table schema"
+$dt2 = New-Object System.Data.DataTable
+$dt2.ReadXmlSchema([System.IO.StringReader]::new($input12))
+
+# Test 13: ResourceReader constructor (New-Object)
+$input13 = Read-Host "Enter resource path"
+$reader = New-Object System.Resources.ResourceReader -ArgumentList $input13
+
+# Test 14: ResXResourceReader constructor ([Type]::new())
+$input14 = Read-Host "Enter resx path"
+$resxReader = [System.Resources.ResXResourceReader]::new($input14)
+
+# Test 15: Activity.Load (static)
+$input15 = Read-Host "Enter activity data"
+$stream15 = [System.IO.MemoryStream]::new([Convert]::FromBase64String($input15))
+[System.Workflow.ComponentModel.Activity]::Load($stream15, $null)
+
+# Test 16: YamlDotNet.Serialization.Deserializer.Deserialize
+$input16 = Read-Host "Enter YAML"
+$yamlDeserializer = New-Object YamlDotNet.Serialization.Deserializer
+$obj16 = $yamlDeserializer.Deserialize($input16)
+
+# Test 17: MemoryPackSerializer.Deserialize (static)
+$input17 = Read-Host "Enter packed data"
+$bytes17 = [Convert]::FromBase64String($input17)
+[MemoryPack.MemoryPackSerializer]::Deserialize($bytes17)
From f8fa93d753413ca5ffd8b1d5bb33be17a6138e6e Mon Sep 17 00:00:00 2001
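Review bot: Every case in the new test.ps1 feeds its sink from `Read-Host`, so the file never demonstrates the query staying quiet on deserialization of data that is not user-controlled, unlike the cwe-757 test.ps1 removed later in this series, which has a TRUE NEGATIVES block. A couple of negative cases would let the .expected pin precision as well as recall, e.g. `# Test 18 (negative): constant payload, should NOT be flagged`, `$stream18 = [System.IO.MemoryStream]::new([Convert]::FromBase64String("AAAA"))`, `$obj18 = $formatter.Deserialize($stream18)` (the base64 literal is a made-up placeholder). The per-case comments would also read more clearly with the `# BAD` / `# GOOD` markers the other test file uses, so a reader can tell the intended verdict without opening the .expected file. Tests 13 and 14 pass a path rather than serialized bytes to the reader constructors; a one-line comment saying why a path argument counts as the deserialization sink here (presumably because the reader loads and deserializes whatever is at that path) would help the next person extending the list.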
From: Chanel Young Date: Mon, 13 Apr 2026 19:48:26 -0700 Subject: [PATCH 4/4] remove the tls query from this branch --- .../security/cwe-757/DeprecatedTls.qhelp | 42 --------- .../queries/security/cwe-757/DeprecatedTls.ql | 90 ------------------- .../DeprecatedTls/DeprecatedTlsBad.ps1 | 8 -- .../DeprecatedTls/DeprecatedTlsGood.ps1 | 5 -- .../DeprecatedTls/DeprecatedTls.expected | 4 - .../cwe-757/DeprecatedTls/DeprecatedTls.qlref | 1 - .../security/cwe-757/DeprecatedTls/test.ps1 | 25 ------ 7 files changed, 175 deletions(-) delete mode 100644 powershell/ql/src/queries/security/cwe-757/DeprecatedTls.qhelp delete mode 100644 powershell/ql/src/queries/security/cwe-757/DeprecatedTls.ql delete mode 100644 powershell/ql/src/queries/security/cwe-757/examples/DeprecatedTls/DeprecatedTlsBad.ps1 delete mode 100644 powershell/ql/src/queries/security/cwe-757/examples/DeprecatedTls/DeprecatedTlsGood.ps1 delete mode 100644 powershell/ql/test/query-tests/security/cwe-757/DeprecatedTls/DeprecatedTls.expected delete mode 100644 powershell/ql/test/query-tests/security/cwe-757/DeprecatedTls/DeprecatedTls.qlref delete mode 100644 powershell/ql/test/query-tests/security/cwe-757/DeprecatedTls/test.ps1 diff --git a/powershell/ql/src/queries/security/cwe-757/DeprecatedTls.qhelp b/powershell/ql/src/queries/security/cwe-757/DeprecatedTls.qhelp deleted file mode 100644 index 30a69582ce43..000000000000 --- a/powershell/ql/src/queries/security/cwe-757/DeprecatedTls.qhelp +++ /dev/null @@ -1,42 +0,0 @@ - - - -

    - TLS (Transport Layer Security) and its predecessor SSL (Secure Sockets Layer) are protocols - used to secure network communications. Older versions of these protocols have known - vulnerabilities that can be exploited by attackers to compromise the confidentiality and - integrity of data in transit. -

    -

    - The following versions are considered deprecated: -

    -
      -
    • SSL 3.0 is vulnerable to the POODLE attack and other weaknesses.
    • -
    • TLS 1.0 has known vulnerabilities including the BEAST attack and weak cipher suites.
    • -
    • TLS 1.1 lacks support for modern cryptographic algorithms and is deprecated by RFC 8996.
    • -
    -
    - -

    - Use TLS 1.2 or TLS 1.3 for all secure communications. TLS 1.3 is preferred as it removes - support for legacy cryptographic features and provides improved performance. When configuring - SecurityProtocolType, use Tls12 or Tls13. -

    -
    - -

    - In the following example, the script enables the deprecated SSL 3.0 and TLS 1.0 protocols: -

    - -

    - The following example shows the corrected code using TLS 1.2: -

    - -
    - -
  • IETF, RFC 8996: Deprecating TLS 1.0 and TLS 1.1.
  • -
  • NIST, SP 800-52 Rev. 2: Guidelines for the Selection, Configuration, and Use of TLS Implementations.
  • -
  • OWASP: Transport Layer Security Cheat Sheet.
  • -
  • CWE-757: Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade').
  • -
    -
    diff --git a/powershell/ql/src/queries/security/cwe-757/DeprecatedTls.ql b/powershell/ql/src/queries/security/cwe-757/DeprecatedTls.ql deleted file mode 100644 index c4faa4a23a32..000000000000 --- a/powershell/ql/src/queries/security/cwe-757/DeprecatedTls.ql +++ /dev/null 
@@ -1,90 +0,0 @@
-/**
- * @name Use of deprecated TLS/SSL version
- * @description Using deprecated TLS/SSL versions (SSL3, TLS 1.0, TLS 1.1) weakens transport security.
- * @kind problem
- * @problem.severity error
- * @security-severity 7.5
- * @precision high
- * @id powershell/deprecated-tls
- * @tags security
- * external/cwe/cwe-327
- * external/cwe/cwe-757
- */
-
-import powershell
-import semmle.code.powershell.ApiGraphs
-import semmle.code.powershell.dataflow.DataFlow
-
-/**
- * Gets the human-readable name for a deprecated protocol.
- */
-bindingset[protocolName]
-string getProtocolDisplayName(string protocolName) {
- protocolName = "ssl3" and result = "SSL 3.0"
- or
- protocolName = "tls" and result = "TLS 1.0"
- or
- protocolName = "tls11" and result = "TLS 1.1"
-}
-
-abstract class SecurityProtocol extends Expr {
- abstract string getProtocolName();
-}
-
-/**
- * A reference to a deprecated SecurityProtocolType enum value, e.g.
- * [Net.SecurityProtocolType]::Ssl3
- */
-class DeprecatedSecurityProtocolType extends SecurityProtocol {
- string protocolName;
-
- DeprecatedSecurityProtocolType() {
- exists(API::Node node |
- (
- node =
- API::getTopLevelMember("system")
- .getMember("net")
- .getMember("securityprotocoltype")
- .getMember(protocolName)
- or
- node =
- API::getTopLevelMember("net")
- .getMember("securityprotocoltype")
- .getMember(protocolName)
- ) and
- this = node.asSource().asExpr().getExpr()
- )
- }
-
- override string getProtocolName() { result = protocolName }
-}
-
-/**
- * A reference to a deprecated SslProtocols enum value, e.g.
- * [System.Security.Authentication.SslProtocols]::Tls
- */
-class DeprecatedSslProtocols extends SecurityProtocol {
- string protocolName;
-
- DeprecatedSslProtocols() {
- exists(API::Node node |
- node =
- API::getTopLevelMember("system")
- .getMember("security")
- .getMember("authentication")
- .getMember("sslprotocols")
- .getMember(protocolName) and
- this = node.asSource().asExpr().getExpr()
- )
- }
-
- override string getProtocolName() { result = protocolName }
-}
-
-from SecurityProtocol sp, string protocolName
-where
- protocolName = sp.getProtocolName() and
- protocolName = ["ssl3", "tls", "tls11"]
-select sp,
- "Use of deprecated protocol " + getProtocolDisplayName(protocolName) +
- ". Use TLS 1.2 or TLS 1.3 instead."
diff --git a/powershell/ql/src/queries/security/cwe-757/examples/DeprecatedTls/DeprecatedTlsBad.ps1 b/powershell/ql/src/queries/security/cwe-757/examples/DeprecatedTls/DeprecatedTlsBad.ps1
deleted file mode 100644
index 45a54ce3659a..000000000000
--- a/powershell/ql/src/queries/security/cwe-757/examples/DeprecatedTls/DeprecatedTlsBad.ps1
+++ /dev/null
@@ -1,8 +0,0 @@
-# BAD: Using deprecated SSL 3.0
-[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Ssl3
-
-# BAD: Using deprecated TLS 1.0
-[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls
-
-# BAD: Using deprecated TLS 1.1
-[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls11
diff --git a/powershell/ql/src/queries/security/cwe-757/examples/DeprecatedTls/DeprecatedTlsGood.ps1 b/powershell/ql/src/queries/security/cwe-757/examples/DeprecatedTls/DeprecatedTlsGood.ps1
deleted file mode 100644
index 2d4160e11412..000000000000
--- a/powershell/ql/src/queries/security/cwe-757/examples/DeprecatedTls/DeprecatedTlsGood.ps1
+++ /dev/null
@@ -1,5 +0,0 @@
-# GOOD: Using TLS 1.2
-[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
-
-# GOOD: Using TLS 1.3
-[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls13
diff --git a/powershell/ql/test/query-tests/security/cwe-757/DeprecatedTls/DeprecatedTls.expected b/powershell/ql/test/query-tests/security/cwe-757/DeprecatedTls/DeprecatedTls.expected
deleted file mode 100644
index ecc4a82a7d4b..000000000000
--- a/powershell/ql/test/query-tests/security/cwe-757/DeprecatedTls/DeprecatedTls.expected
+++ /dev/null
@@ -1,4 +0,0 @@
-| test.ps1:6:47:6:78 | ssl3 | Use of deprecated protocol SSL 3.0. Use TLS 1.2 or TLS 1.3 instead. |
-| test.ps1:9:47:9:77 | tls | Use of deprecated protocol TLS 1.0. Use TLS 1.2 or TLS 1.3 instead. |
-| test.ps1:12:47:12:79 | tls11 | Use of deprecated protocol TLS 1.1. Use TLS 1.2 or TLS 1.3 instead. |
-| test.ps1:15:54:15:91 | tls | Use of deprecated protocol TLS 1.0. Use TLS 1.2 or TLS 1.3 instead. |
diff --git a/powershell/ql/test/query-tests/security/cwe-757/DeprecatedTls/DeprecatedTls.qlref b/powershell/ql/test/query-tests/security/cwe-757/DeprecatedTls/DeprecatedTls.qlref
deleted file mode 100644
index 6ef6aa8af337..000000000000
--- a/powershell/ql/test/query-tests/security/cwe-757/DeprecatedTls/DeprecatedTls.qlref
+++ /dev/null
@@ -1 +0,0 @@
-queries/security/cwe-757/DeprecatedTls.ql
diff --git a/powershell/ql/test/query-tests/security/cwe-757/DeprecatedTls/test.ps1 b/powershell/ql/test/query-tests/security/cwe-757/DeprecatedTls/test.ps1
deleted file mode 100644
index 49e2448be73d..000000000000
--- a/powershell/ql/test/query-tests/security/cwe-757/DeprecatedTls/test.ps1
+++ /dev/null
@@ -1,25 +0,0 @@
-# ===================================================================
-# ========== TRUE POSITIVES (should trigger alert) ==================
-# ===================================================================
-
-# --- Case 1: SSL 3.0 ---
-[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Ssl3 # BAD
-
-# --- Case 2: TLS 1.0 ---
-[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls # BAD
-
-# --- Case 3: TLS 1.1 ---
-[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls11 # BAD
-
-# --- Case 4: Full namespace TLS 1.0 ---
-[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls # BAD
-
-# ===================================================================
-# ========== TRUE NEGATIVES (should NOT trigger alert) ==============
-# ===================================================================
-
-# --- Safe: TLS 1.2 ---
-[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 # GOOD
-
-# --- Safe: TLS 1.3 ---
-[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls13 # GOOD