/**
* @name Do not add certificates to the system root store.
 * @description Application- or user-specific certificates placed in the system root store become
 *              trusted by every other process on the same machine, which can weaken their security.
* @kind problem
* @id cs/do-not-add-certs-to-root-store
* @problem.severity error
* @precision high
* @tags security
* external/cwe/cwe-327
*/
import csharp
import semmle.code.csharp.dataflow.DataFlow::DataFlow
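/**
 * Holds if `arg`, passed as the store-name argument of an `X509Store` constructor,
 * selects the trusted root store: either the `StoreName.Root` enum member, or a
 * string literal spelling "Root" (the constructor also has `string storeName`
 * overloads). The string is compared case-insensitively so that "Root", "ROOT"
 * and "root" are all matched.
 */
private predicate isRootStoreName(Expr arg) {
  arg.(Access).getTarget().hasName("Root")
  or
  arg.(StringLiteral).getValue().toLowerCase() = "root"
}

/**
 * Data-flow configuration tracking an `X509Store` instance that was constructed for
 * the root store to the point where certificates are installed into it.
 *
 * Sources: `new X509Store(...)` whose first argument names the root store (enum or string).
 * Sinks:   the qualifier of `X509Store.Add(...)` or `X509Store.AddRange(...)`, i.e. the
 *          store object that receives the certificate(s). Both methods persist
 *          certificates into the store, so either one installs a new trust anchor.
 */
class AddCertToRootStoreConfig extends DataFlow::Configuration {
  AddCertToRootStoreConfig() { this = "Adding Certificate To Root Store" }

  override predicate isSource(DataFlow::Node source) {
    exists(ObjectCreation oc | oc = source.asExpr() |
      oc.getType()
          .(RefType)
          .hasQualifiedName("System.Security.Cryptography.X509Certificates.X509Store") and
      // First constructor argument is the store name for every public overload
      // that takes one (StoreName or string).
      isRootStoreName(oc.getArgument(0))
    )
  }

  override predicate isSink(DataFlow::Node sink) {
    exists(MethodCall mc |
      (
        mc.getTarget()
            .hasQualifiedName("System.Security.Cryptography.X509Certificates.X509Store", "Add")
        or
        mc.getTarget()
            .hasQualifiedName("System.Security.Cryptography.X509Certificates.X509Store",
              "AddRange")
      ) and
      sink.asExpr() = mc.getQualifier()
    )
  }
}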
// Flag the store object at the call that installs certificates whenever that
// object can be traced back to an `X509Store` created for the root store.
from Expr rootStoreCreation, Expr installSite, AddCertToRootStoreConfig cfg
where cfg.hasFlow(DataFlow::exprNode(rootStoreCreation), DataFlow::exprNode(installSite))
select installSite, "Do not add certificates to root certificate store"