C#: Fix more tests.

2026-05-01 03:35:13 +02:00 · 2019-10-23 15:34:05 +01:00
parent e331a24dbb
commit 0427b1eb3f
8 changed files with 16 additions and 64 deletions
--- a/Features/CWE-114/AssemblyPathInjection/AssembltyPathInjection.expected
+++ b/Features/CWE-114/AssemblyPathInjection/AssembltyPathInjection.expected
@@ -1 +0,0 @@
-| Test.cs:12:36:12:46 | access to local variable libraryName | $@ flows to here and is used as the path to dynamically load an assembly. | Test.cs:9:26:9:48 | access to property QueryString | User-provided value |
--- a/Features/CWE-114/AssemblyPathInjection/Test.cs
+++ b/Features/CWE-114/AssemblyPathInjection/Test.cs
@@ -8,7 +8,7 @@ public class DLLInjectionHandler : IHttpHandler {
  public void ProcessRequest(HttpContext ctx) {
    string libraryName = ctx.Request.QueryString["libraryName"];

-    // BAD: Load DLL based on user input
+    // BAD: Load DLL based on user input [NOT DETECTED]
    var badDLL = Assembly.LoadFile(libraryName);

    // GOOD: Load DLL using fixed string
--- a/Features/CWE-321/HardcodedSymmetricEncryptionKey/HardcodedSymmetricEncryptionKey.cs
+++ b/Features/CWE-321/HardcodedSymmetricEncryptionKey/HardcodedSymmetricEncryptionKey.cs
@@ -38,16 +38,16 @@ namespace HardcodedSymmetricEncryptionKey

            var iv = new byte[] { 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00 };

-            // BAD: hard-coded key passed to Encrypt
+            // BAD: hard-coded key passed to Encrypt [NOT DETECTED]
            var ct = Encrypt("Test string here", c, iv);

-            // BAD: hard-coded key converted from string and passed to Encrypt
+            // BAD: hard-coded key converted from string and passed to Encrypt [NOT DETECTED]
            var ct1 = Encrypt("Test string here", byteArrayFromString, iv);

            // GOOD (this function hashes password)
            var de = DecryptWithPassword(ct, c, iv);

-            // Bad
+            // BAD [NOT DETECTED]
            CreateCryptographicKey(null, byteArrayFromString);

            // GOOD
--- a/Features/CWE-321/HardcodedSymmetricEncryptionKey/HardcodedSymmetricEncryptionKey.expected
+++ b/Features/CWE-321/HardcodedSymmetricEncryptionKey/HardcodedSymmetricEncryptionKey.expected
@@ -1,40 +1,6 @@
-edges
-| HardcodedSymmetricEncryptionKey.cs:26:21:26:97 | array creation of type Byte[] | HardcodedSymmetricEncryptionKey.cs:32:21:32:21 | access to local variable d |
-| HardcodedSymmetricEncryptionKey.cs:26:21:26:97 | array creation of type Byte[] | HardcodedSymmetricEncryptionKey.cs:37:37:37:37 | access to local variable d |
-| HardcodedSymmetricEncryptionKey.cs:26:21:26:97 | array creation of type Byte[] | HardcodedSymmetricEncryptionKey.cs:42:50:42:50 | access to local variable c |
-| HardcodedSymmetricEncryptionKey.cs:29:62:29:115 | "Hello, world: here is a very bad way to create a key" | HardcodedSymmetricEncryptionKey.cs:45:51:45:69 | access to local variable byteArrayFromString |
-| HardcodedSymmetricEncryptionKey.cs:29:62:29:115 | "Hello, world: here is a very bad way to create a key" | HardcodedSymmetricEncryptionKey.cs:51:42:51:60 | access to local variable byteArrayFromString |
-| HardcodedSymmetricEncryptionKey.cs:37:37:37:37 | access to local variable d | HardcodedSymmetricEncryptionKey.cs:81:57:81:59 | key |
-| HardcodedSymmetricEncryptionKey.cs:42:50:42:50 | access to local variable c | HardcodedSymmetricEncryptionKey.cs:90:63:90:65 | key |
-| HardcodedSymmetricEncryptionKey.cs:45:51:45:69 | access to local variable byteArrayFromString | HardcodedSymmetricEncryptionKey.cs:90:63:90:65 | key |
-| HardcodedSymmetricEncryptionKey.cs:51:42:51:60 | access to local variable byteArrayFromString | HardcodedSymmetricEncryptionKey.cs:111:96:111:100 | bytes |
-| HardcodedSymmetricEncryptionKey.cs:81:57:81:59 | key | HardcodedSymmetricEncryptionKey.cs:86:23:86:25 | access to parameter key |
-| HardcodedSymmetricEncryptionKey.cs:90:63:90:65 | key | HardcodedSymmetricEncryptionKey.cs:99:87:99:89 | access to parameter key |
-| HardcodedSymmetricEncryptionKey.cs:90:63:90:65 | key | HardcodedSymmetricEncryptionKey.cs:99:87:99:89 | access to parameter key |
-| HardcodedSymmetricEncryptionKey.cs:111:96:111:100 | bytes | HardcodedSymmetricEncryptionKey.cs:114:41:114:46 | access to local variable buffer |
-nodes
-| HardcodedSymmetricEncryptionKey.cs:18:21:18:97 | array creation of type Byte[] |
-| HardcodedSymmetricEncryptionKey.cs:23:23:23:99 | array creation of type Byte[] |
-| HardcodedSymmetricEncryptionKey.cs:26:21:26:97 | array creation of type Byte[] |
-| HardcodedSymmetricEncryptionKey.cs:29:62:29:115 | "Hello, world: here is a very bad way to create a key" |
-| HardcodedSymmetricEncryptionKey.cs:32:21:32:21 | access to local variable d |
-| HardcodedSymmetricEncryptionKey.cs:37:37:37:37 | access to local variable d |
-| HardcodedSymmetricEncryptionKey.cs:42:50:42:50 | access to local variable c |
-| HardcodedSymmetricEncryptionKey.cs:45:51:45:69 | access to local variable byteArrayFromString |
-| HardcodedSymmetricEncryptionKey.cs:51:42:51:60 | access to local variable byteArrayFromString |
-| HardcodedSymmetricEncryptionKey.cs:81:57:81:59 | key |
-| HardcodedSymmetricEncryptionKey.cs:86:23:86:25 | access to parameter key |
-| HardcodedSymmetricEncryptionKey.cs:90:63:90:65 | key |
-| HardcodedSymmetricEncryptionKey.cs:90:63:90:65 | key |
-| HardcodedSymmetricEncryptionKey.cs:99:87:99:89 | access to parameter key |
-| HardcodedSymmetricEncryptionKey.cs:99:87:99:89 | access to parameter key |
-| HardcodedSymmetricEncryptionKey.cs:111:96:111:100 | bytes |
-| HardcodedSymmetricEncryptionKey.cs:114:41:114:46 | access to local variable buffer |
-#select
-| HardcodedSymmetricEncryptionKey.cs:18:21:18:97 | array creation of type Byte[] | HardcodedSymmetricEncryptionKey.cs:18:21:18:97 | array creation of type Byte[] | HardcodedSymmetricEncryptionKey.cs:18:21:18:97 | array creation of type Byte[] | Hard-coded symmetric $@ is used in symmetric algorithm in 'Key' property assignment. | HardcodedSymmetricEncryptionKey.cs:18:21:18:97 | array creation of type Byte[] | key |
-| HardcodedSymmetricEncryptionKey.cs:23:23:23:99 | array creation of type Byte[] | HardcodedSymmetricEncryptionKey.cs:23:23:23:99 | array creation of type Byte[] | HardcodedSymmetricEncryptionKey.cs:23:23:23:99 | array creation of type Byte[] | Hard-coded symmetric $@ is used in symmetric algorithm in 'Key' property assignment. | HardcodedSymmetricEncryptionKey.cs:23:23:23:99 | array creation of type Byte[] | key |
-| HardcodedSymmetricEncryptionKey.cs:32:21:32:21 | access to local variable d | HardcodedSymmetricEncryptionKey.cs:26:21:26:97 | array creation of type Byte[] | HardcodedSymmetricEncryptionKey.cs:32:21:32:21 | access to local variable d | Hard-coded symmetric $@ is used in symmetric algorithm in 'Key' property assignment. | HardcodedSymmetricEncryptionKey.cs:26:21:26:97 | array creation of type Byte[] | key |
-| HardcodedSymmetricEncryptionKey.cs:86:23:86:25 | access to parameter key | HardcodedSymmetricEncryptionKey.cs:26:21:26:97 | array creation of type Byte[] | HardcodedSymmetricEncryptionKey.cs:86:23:86:25 | access to parameter key | Hard-coded symmetric $@ is used in symmetric algorithm in 'Key' property assignment. | HardcodedSymmetricEncryptionKey.cs:26:21:26:97 | array creation of type Byte[] | key |
-| HardcodedSymmetricEncryptionKey.cs:99:87:99:89 | access to parameter key | HardcodedSymmetricEncryptionKey.cs:26:21:26:97 | array creation of type Byte[] | HardcodedSymmetricEncryptionKey.cs:99:87:99:89 | access to parameter key | Hard-coded symmetric $@ is used in symmetric algorithm in Encryptor(rgbKey, IV). | HardcodedSymmetricEncryptionKey.cs:26:21:26:97 | array creation of type Byte[] | key |
-| HardcodedSymmetricEncryptionKey.cs:99:87:99:89 | access to parameter key | HardcodedSymmetricEncryptionKey.cs:29:62:29:115 | "Hello, world: here is a very bad way to create a key" | HardcodedSymmetricEncryptionKey.cs:99:87:99:89 | access to parameter key | Hard-coded symmetric $@ is used in symmetric algorithm in Encryptor(rgbKey, IV). | HardcodedSymmetricEncryptionKey.cs:29:62:29:115 | "Hello, world: here is a very bad way to create a key" | key |
-| HardcodedSymmetricEncryptionKey.cs:114:41:114:46 | access to local variable buffer | HardcodedSymmetricEncryptionKey.cs:29:62:29:115 | "Hello, world: here is a very bad way to create a key" | HardcodedSymmetricEncryptionKey.cs:114:41:114:46 | access to local variable buffer | Hard-coded symmetric $@ is used in symmetric algorithm in CreateSymmetricKey(IBuffer keyMaterial). | HardcodedSymmetricEncryptionKey.cs:29:62:29:115 | "Hello, world: here is a very bad way to create a key" | key |
+| HardcodedSymmetricEncryptionKey.cs:18:21:18:97 | array creation of type Byte[] | Hard-coded symmetric $@ is used in symmetric algorithm in Key property assignment | HardcodedSymmetricEncryptionKey.cs:18:21:18:97 | array creation of type Byte[] | key |
+| HardcodedSymmetricEncryptionKey.cs:23:23:23:99 | array creation of type Byte[] | Hard-coded symmetric $@ is used in symmetric algorithm in Key property assignment | HardcodedSymmetricEncryptionKey.cs:23:23:23:99 | array creation of type Byte[] | key |
+| HardcodedSymmetricEncryptionKey.cs:32:21:32:21 | access to local variable d | Hard-coded symmetric $@ is used in symmetric algorithm in Key property assignment | HardcodedSymmetricEncryptionKey.cs:26:21:26:97 | array creation of type Byte[] | key |
+| HardcodedSymmetricEncryptionKey.cs:86:23:86:25 | access to parameter key | Hard-coded symmetric $@ is used in symmetric algorithm in Key property assignment | HardcodedSymmetricEncryptionKey.cs:26:21:26:97 | array creation of type Byte[] | key |
+| HardcodedSymmetricEncryptionKey.cs:99:87:99:89 | access to parameter key | Hard-coded symmetric $@ is used in symmetric algorithm in Encryptor(rgbKey, IV) | HardcodedSymmetricEncryptionKey.cs:26:21:26:97 | array creation of type Byte[] | key |
+| HardcodedSymmetricEncryptionKey.cs:99:87:99:89 | access to parameter key | Hard-coded symmetric $@ is used in symmetric algorithm in Encryptor(rgbKey, IV) | HardcodedSymmetricEncryptionKey.cs:29:62:29:115 | "Hello, world: here is a very bad way to create a key" | key |
--- a/Features/CWE-327/InsecureSQLConnection/InsecureSQLConnection.cs
+++ b/Features/CWE-327/InsecureSQLConnection/InsecureSQLConnection.cs
@@ -34,7 +34,7 @@ namespace InsecureSQLConnection

        public void TriggerThis()
        {
-            // BAD, Encrypt not specified
+            // BAD, Encrypt not specified [NOT DETECTED]
            SqlConnection conn = new SqlConnection("Server=myServerName\\myInstanceName;Database=myDataBase;User Id=myUsername;");
        }

@@ -42,7 +42,7 @@ namespace InsecureSQLConnection
        {
            string connectString =
                "Server=1.2.3.4;Database=Anything;UID=ab;Pwd=cd";
-            // BAD, Encrypt not specified
+            // BAD, Encrypt not specified [NOT DETECTED]
            SqlConnectionStringBuilder builder = new SqlConnectionStringBuilder(connectString);
            var conn = new SqlConnection(builder.ConnectionString);
        }
@@ -51,7 +51,7 @@ namespace InsecureSQLConnection
        {
            string connectString =
                "Server=1.2.3.4;Database=Anything;UID=ab;Pwd=cd;Encrypt=false";
-            // BAD, Encrypt set to false
+            // BAD, Encrypt set to false [NOT DETECTED]
            SqlConnectionStringBuilder builder = new SqlConnectionStringBuilder(connectString);
            var conn = new SqlConnection(builder.ConnectionString);
        }
--- a/Features/CWE-327/InsecureSQLConnection/InsecureSQLConnection.expected
+++ b/Features/CWE-327/InsecureSQLConnection/InsecureSQLConnection.expected
@@ -1,13 +0,0 @@
-edges
-| InsecureSQLConnection.cs:44:17:44:64 | "Server=1.2.3.4;Database=Anything;UID=ab;Pwd=cd" | InsecureSQLConnection.cs:46:81:46:93 | access to local variable connectString |
-| InsecureSQLConnection.cs:53:17:53:78 | "Server=1.2.3.4;Database=Anything;UID=ab;Pwd=cd;Encrypt=false" | InsecureSQLConnection.cs:55:81:55:93 | access to local variable connectString |
-nodes
-| InsecureSQLConnection.cs:38:52:38:128 | "Server=myServerName\\myInstanceName;Database=myDataBase;User Id=myUsername;" |
-| InsecureSQLConnection.cs:44:17:44:64 | "Server=1.2.3.4;Database=Anything;UID=ab;Pwd=cd" |
-| InsecureSQLConnection.cs:46:81:46:93 | access to local variable connectString |
-| InsecureSQLConnection.cs:53:17:53:78 | "Server=1.2.3.4;Database=Anything;UID=ab;Pwd=cd;Encrypt=false" |
-| InsecureSQLConnection.cs:55:81:55:93 | access to local variable connectString |
-#select
-| InsecureSQLConnection.cs:38:52:38:128 | "Server=myServerName\\myInstanceName;Database=myDataBase;User Id=myUsername;" | InsecureSQLConnection.cs:38:52:38:128 | "Server=myServerName\\myInstanceName;Database=myDataBase;User Id=myUsername;" | InsecureSQLConnection.cs:38:52:38:128 | "Server=myServerName\\myInstanceName;Database=myDataBase;User Id=myUsername;" | $@ flows to here and does not specify `Encrypt=True`. | InsecureSQLConnection.cs:38:52:38:128 | "Server=myServerName\\myInstanceName;Database=myDataBase;User Id=myUsername;" | Connection string |
-| InsecureSQLConnection.cs:46:81:46:93 | access to local variable connectString | InsecureSQLConnection.cs:44:17:44:64 | "Server=1.2.3.4;Database=Anything;UID=ab;Pwd=cd" | InsecureSQLConnection.cs:46:81:46:93 | access to local variable connectString | $@ flows to here and does not specify `Encrypt=True`. | InsecureSQLConnection.cs:44:17:44:64 | "Server=1.2.3.4;Database=Anything;UID=ab;Pwd=cd" | Connection string |
-| InsecureSQLConnection.cs:55:81:55:93 | access to local variable connectString | InsecureSQLConnection.cs:53:17:53:78 | "Server=1.2.3.4;Database=Anything;UID=ab;Pwd=cd;Encrypt=false" | InsecureSQLConnection.cs:55:81:55:93 | access to local variable connectString | $@ flows to here and does not specify `Encrypt=True`. | InsecureSQLConnection.cs:53:17:53:78 | "Server=1.2.3.4;Database=Anything;UID=ab;Pwd=cd;Encrypt=false" | Connection string |
--- a/Features/CWE-502/DeserializedDelegate/DeserializedDelegate.qlref
+++ b/Features/CWE-502/DeserializedDelegate/DeserializedDelegate.qlref
@@ -1 +1 @@
-../../../../../queries/csharp/Security/Serialization/DeserializedDelegate.ql
+Security Features/CWE-502/DeserializedDelegate.ql
--- a/Features/CWE-502/UnsafeDeserializationUntrustedInput/UnsafeDeserializationUntrustedInput.expected
+++ b/Features/CWE-502/UnsafeDeserializationUntrustedInput/UnsafeDeserializationUntrustedInput.expected
@@ -1,7 +1,7 @@
 edges
 | UnsafeDeserializationUntrustedInputBad.cs:10:37:10:43 | access to parameter textBox | UnsafeDeserializationUntrustedInputBad.cs:10:37:10:48 | access to property Text |
 nodes
-| UnsafeDeserializationUntrustedInputBad.cs:10:37:10:43 | access to parameter textBox |
-| UnsafeDeserializationUntrustedInputBad.cs:10:37:10:48 | access to property Text |
+| UnsafeDeserializationUntrustedInputBad.cs:10:37:10:43 | access to parameter textBox | semmle.label | access to parameter textBox |
+| UnsafeDeserializationUntrustedInputBad.cs:10:37:10:48 | access to property Text | semmle.label | access to property Text |
 #select
 | UnsafeDeserializationUntrustedInputBad.cs:10:37:10:48 | access to property Text | UnsafeDeserializationUntrustedInputBad.cs:10:37:10:43 | access to parameter textBox | UnsafeDeserializationUntrustedInputBad.cs:10:37:10:48 | access to property Text | $@ flows to unsafe deserializer. | UnsafeDeserializationUntrustedInputBad.cs:10:37:10:43 | access to parameter textBox | User-provided data |
				`@@ -1 +0,0 @@`
				`\| Test.cs:12:36:12:46 \| access to local variable libraryName \| $@ flows to here and is used as the path to dynamically load an assembly. \| Test.cs:9:26:9:48 \| access to property QueryString \| User-provided value \|`