C#: Include exception property accesses in the exception information exposure query.

2026-04-18 21:44:02 +02:00 · 2024-10-07 13:48:34 +02:00
parent 197642c914
commit 062a2ad97d
1 changed files with 7 additions and 6 deletions
--- a/Features/CWE-209/ExceptionInformationExposure.ql
+++ b/Features/CWE-209/ExceptionInformationExposure.ql
@@ -23,16 +23,17 @@ import ExceptionInformationExposure::PathGraph
 */
 module ExceptionInformationExposureConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) {
-    exists(Expr exceptionExpr |
+    exists(Expr expr |
      // Writing an exception directly is bad
-      source.asExpr() = exceptionExpr
+      source.asExpr() = expr
+      or
+      // Writing a property of an exception is bad
+      source.asExpr().(PropertyAccess).getQualifier() = expr
    |
      // Expr has type `System.Exception`.
-      exceptionExpr.getType().(RefType).getABaseType*() instanceof SystemExceptionClass and
+      expr.getType().(RefType).getABaseType*() instanceof SystemExceptionClass and
      // And is not within an exception callable.
-      not exists(Callable enclosingCallable |
-        enclosingCallable = exceptionExpr.getEnclosingCallable()
-      |
+      not exists(Callable enclosingCallable | enclosingCallable = expr.getEnclosingCallable() |
        enclosingCallable.getDeclaringType().getABaseType*() instanceof SystemExceptionClass
      )
    )