C#: Allow implicit variables in properties to be taint sources

[maciejpirog]

The implicit variables field and value in property definitions can be considered a source of taint. In this PR we introduce a special syntax to write patterns that do that. It is possible by treating get and set as functions with field and value as arguments. The syntax is enabled by giving the [get] or [set] attribute to the function definition in the pattern:

For example, the rules:

rules:
- id: taint_prop_field
  languages: [csharp]
  message: "a function is called"
  severity: WARNING
  mode: taint
  pattern-sources:
    - patterns:
      - pattern-inside: |
          [get] $T $F($FIELD) { ... }
      - focus-metavariable: $FIELD
    - patterns:
      - pattern-inside: |
          [set] $T $F($VALUE, $FIELD) { ... }
      - focus-metavariable: $FIELD
  pattern-sinks:
    - pattern: |
        sink(...)
- id: taint_prop_value
  languages: [csharp]
  message: "a function is called"
  severity: WARNING
  mode: taint
  pattern-sources:
    - patterns:
      - pattern-inside: |
          [set] $T $F($VALUE, $FIELD) { ... }
      - focus-metavariable: $VALUE
  pattern-sinks:
    - pattern: |
        sink(...)

can be used to match

class C
{
    public string Message
    {
        // ruleid: taint_prop_field
        get => sink(field);
        //ruleid: taint_prop_field
        set => sink(field);
    }
    public string Message2
    {
        // ruleid: taint_prop_value
        set => sink(value);
    }
}

TODO

• Sources have to have real locations. The location of a parameter cannot overlap with the location of another parameter, because otherwise, when one is a source of taint, so is the other. The solution for now is to anchor the source to particular characters in the get and set keywords. This makes --dataflow-traces highlighting a bit weird, but a deeper refactoring is needed to solve this. :(

[dimitris-m]

In some sense this deviates from patterns-as-valid-syntax which held until now.
It would have to be documented clearly and still, will most users look for our wiki?

Can't we set just field and value as taint sources, in combination with pattern-inside that specifies that the names appear under get => ... and resp. set => ... ?

Something along these lines:

rules:
- id: taint_prop_field
  languages: [csharp]
  message: "a function is called"
  severity: WARNING
  mode: taint
  pattern-sources:
    - patterns:
      - pattern-inside: |
          class $C
          {
              public $T $M
              {
                  get => ...;
              }
          }
      - pattern:
        - pattern-either:
          - pattern: field
          - pattern: value
  pattern-sinks:
    - pattern: |
        sink(...)

What would make this easy is if pattern-inside: get => ... would work out of the box, which I have not tested but expect to fail.

[dimitris-m]

I think the premise It is possible by treating get and set as functions with field and value as arguments is not the only way right?

My comment above is to basically consider instances of field and value as sources of taint in specific contexts.

[maciejpirog]

Something along these lines:

Nope, this won't work because you will match any instance of value or field, even after you sanitize it, or ones that are shadowing variables, e.g.

get => value => sink(value)

which introduces a fresh var called value, which is inside the pattern