/**
* @name Do not add certificates to the system root store.
* @description Application- or user-specific certificates placed in the system root store could
* weaken security for other processes running on the same system.
* @kind path-problem
* @id cs/adding-cert-to-root-store
* @problem.severity error
* @security-severity 7.5
* @tags security
* external/cwe/cwe-327
*/
import csharp
import semmle.code.csharp.dataflow.DataFlow::DataFlow
import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph
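class AddCertToRootStoreConfig extends DataFlow::Configuration {
  AddCertToRootStoreConfig() { this = "Adding Certificate To Root Store" }

  /**
   * Holds if `source` is the construction of an `X509Store` that opens the `Root` store.
   *
   * Both spellings of the store name are recognised: the `StoreName.Root` enum member
   * (an `Access` whose target is named `Root`) and the string-name constructor overload
   * with the literal `"Root"`. The original query only matched the enum form, so a store
   * opened as `new X509Store("Root", ...)` was never reported.
   */
  override predicate isSource(DataFlow::Node source) {
    exists(ObjectCreation oc | oc = source.asExpr() |
      oc.getType()
          .(RefType)
          .hasQualifiedName("System.Security.Cryptography.X509Certificates.X509Store") and
      (
        oc.getArgument(0).(Access).getTarget().hasName("Root") or
        oc.getArgument(0).(StringLiteral).getValue() = "Root"
      )
    )
  }

  /**
   * Holds if `sink` is the qualifier (the store instance) of a call to `X509Store.Add`
   * or `X509Store.AddRange`; reaching one of these from a `Root`-store creation means a
   * certificate is being installed into the trust root.
   */
  override predicate isSink(DataFlow::Node sink) {
    exists(MethodCall mc |
      (
        mc.getTarget()
            .hasQualifiedName("System.Security.Cryptography.X509Certificates.X509Store", "Add") or
        mc.getTarget()
            .hasQualifiedName("System.Security.Cryptography.X509Certificates.X509Store", "AddRange")
      ) and
      sink.asExpr() = mc.getQualifier()
    )
  }
}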
// Report every flow path from a `Root` store creation (source) to an `Add`/`AddRange`
// call on that store (sink). The alert is placed on the sink; the path nodes are
// passed through so the path-problem viewer can show the full source-to-sink trace.
from DataFlow::PathNode source, DataFlow::PathNode sink, AddCertToRootStoreConfig config
where config.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "Certificate added to the root certificate store."