Skip to content

Commit 7492dab

Browse files
author
Denis Levin
committed
cs: Don't Install Root Certificate (CWE-327)
1 parent 9d2dd97 commit 7492dab

File tree

7 files changed

+98
-0
lines changed

7 files changed

+98
-0
lines changed

csharp/ql/src/Security Features/CWE-327/DontInstallRootCert.ql

Lines changed: 36 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,36 @@
1+
/**
2+
* @name Do not add certificates to the system root store.
3+
* @description Application- or user-specific certificates placed in the system root store could
4+
* weaken security for other processing running on the same system.
5+
* @kind problem
6+
* @id cs/do-not-add-certs-to-root-store
7+
* @problem.severity error
8+
* @precision high
9+
* @tags security
10+
* external/cwe/cwe-327
11+
*/
12+
import csharp
13+
import semmle.code.csharp.dataflow.DataFlow::DataFlow
14+
15+
class AddCertToRootStoreConfig extends DataFlow::Configuration {
16+
AddCertToRootStoreConfig() { this = "Adding Certificate To Root Store" }
17+
18+
override predicate isSource(DataFlow::Node source) {
19+
exists(ObjectCreation oc | oc = source.asExpr().(ObjectCreation) |
20+
oc.getType().(RefType).hasQualifiedName("System.Security.Cryptography.X509Certificates.X509Store")
21+
and oc.getArgument(0).(Access).getTarget().hasName("Root")
22+
)
23+
}
24+
25+
override predicate isSink(DataFlow::Node sink) {
26+
exists(MethodCall mc |
27+
mc.getTarget().hasQualifiedName("System.Security.Cryptography.X509Certificates.X509Store", "Add")
28+
and sink.asExpr() = mc.getQualifier()
29+
)
30+
}
31+
}
32+
33+
from Expr oc, Expr mc, AddCertToRootStoreConfig config
34+
where config.hasFlow(DataFlow::exprNode(oc), DataFlow::exprNode(mc))
35+
select mc, "Do not add certificates to root certificate store"
36+

csharp/ql/test/query-tests/Security Features/CWE-327/DontInstallRootCert/DontInstallRootCert.expected

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,2 @@
1+
| Test.cs:19:13:19:17 | access to local variable store | Do not add certificates to root certificate store |
2+
| Test.cs:28:13:28:17 | access to local variable store | Do not add certificates to root certificate store |

csharp/ql/test/query-tests/Security Features/CWE-327/DontInstallRootCert/DontInstallRootCert.qlref

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1 @@
1+
Security Features/CWE-327/DontInstallRootCert.ql

csharp/ql/test/query-tests/Security Features/CWE-327/DontInstallRootCert/Test.cs

Lines changed: 59 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,59 @@
1+
// semmle-extractor-options: /r:System.Security.Cryptography.X509Certificates.dll
2+
3+
using System;
4+
using System.Collections.Generic;
5+
using System.Linq;
6+
using System.Security.Cryptography.X509Certificates;
7+
using System.Text;
8+
using System.Threading.Tasks;
9+
10+
namespace RootCert
11+
{
12+
public class Class1
13+
{
14+
public void InstallRoorCert()
15+
{
16+
string file = "mytest.pfx"; // Contains name of certificate file
17+
X509Store store = new X509Store(StoreName.Root);
18+
store.Open(OpenFlags.ReadWrite);
19+
store.Add(new X509Certificate2(X509Certificate2.CreateFromCertFile(file)));
20+
store.Close();
21+
}
22+
23+
public void InstallRoorCert2()
24+
{
25+
string file = "mytest.pfx"; // Contains name of certificate file
26+
X509Store store = new X509Store(StoreName.Root, StoreLocation.CurrentUser);
27+
store.Open(OpenFlags.ReadWrite);
28+
store.Add(new X509Certificate2(X509Certificate2.CreateFromCertFile(file)));
29+
store.Close();
30+
}
31+
32+
public void InstallUserCert()
33+
{
34+
string file = "mytest.pfx"; // Contains name of certificate file
35+
X509Store store = new X509Store(StoreName.My);
36+
store.Open(OpenFlags.ReadWrite);
37+
store.Add(new X509Certificate2(X509Certificate2.CreateFromCertFile(file)));
38+
store.Close();
39+
}
40+
41+
public void RemoveUserCert()
42+
{
43+
string file = "mytest.pfx"; // Contains name of certificate file
44+
X509Store store = new X509Store(StoreName.My);
45+
store.Open(OpenFlags.ReadWrite);
46+
store.Remove(new X509Certificate2(X509Certificate2.CreateFromCertFile(file)));
47+
store.Close();
48+
}
49+
50+
public void RemoveRootCert()
51+
{
52+
string file = "mytest.pfx"; // Contains name of certificate file
53+
X509Store store = new X509Store(StoreName.Root);
54+
store.Open(OpenFlags.ReadWrite);
55+
store.Remove(new X509Certificate2(X509Certificate2.CreateFromCertFile(file)));
56+
store.Close();
57+
}
58+
}
59+
}

csharp/ql/test/query-tests/Security Features/CWE-327/InsufficientKeySize.cs renamed to csharp/ql/test/query-tests/Security Features/CWE-327/InsufficientKeySize/InsufficientKeySize.cs

File renamed without changes.

csharp/ql/test/query-tests/Security Features/CWE-327/InsufficientKeySize.expected renamed to csharp/ql/test/query-tests/Security Features/CWE-327/InsufficientKeySize/InsufficientKeySize.expected

File renamed without changes.

csharp/ql/test/query-tests/Security Features/CWE-327/InsufficientKeySize.qlref renamed to csharp/ql/test/query-tests/Security Features/CWE-327/InsufficientKeySize/InsufficientKeySize.qlref

File renamed without changes.

0 commit comments

Comments
 (0)