hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-29 18:55:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #813 from calumgrant/cs/sb-append-chars

Browse Source 
C#: Fix FP in cs/call-to-object-tostring
This commit is contained in:
jf205
2019-01-24 09:12:55 +00:00
committed by GitHub
parent 63ed0c5f21 c213cd451e
commit 0a4f2e8376
3 changed files with 7 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
change-notes/1.20/analysis-csharp.md
View File

@@ -15,7 +15,8 @@
| Dereferenced variable is always null (cs/dereferenced-value-is-always-null) | Improved results | The query has been rewritten from scratch, and the analysis is now based on static single assignment (SSA) forms. The query is now enabled by default in LGTM. |
| Dereferenced variable may be null (cs/dereferenced-value-may-be-null) | Improved results | The query has been rewritten from scratch, and the analysis is now based on static single assignment (SSA) forms. The query is now enabled by default in LGTM. |
| SQL query built from user-controlled sources (cs/sql-injection), Improper control of generation of code (cs/code-injection), Uncontrolled format string (cs/uncontrolled-format-string), Clear text storage of sensitive information (cs/cleartext-storage-of-sensitive-information), Exposure of private information (cs/exposure-of-sensitive-information) | More results | Data sources have been added from user controls in `System.Windows.Forms`. |
| Use of default ToString() (cs/call-to-object-tostring) | Fewer false positives | Results have been removed for `char` arrays passed to `StringBuilder.Append()`, which were incorrectly marked as using `ToString`. |
## Changes to code extraction
* Fix extraction of `for` statements where the condition declares new variables using `is`.

3
csharp/ql/src/semmle/code/csharp/commons/Strings.qll
View File

@@ -28,7 +28,8 @@ class ImplicitToStringExpr extends Expr {
m = p.getCallable()
|
m = any(SystemTextStringBuilderClass c).getAMethod() and
m.getName().regexpMatch("Append(Line)?")
m.getName().regexpMatch("Append(Line)?") and
not p.getType() instanceof ArrayType
or
p instanceof StringFormatItemParameter and
not p.getType() = any(ArrayType at |

3
csharp/ql/test/query-tests/Useless Code/DefaultToString/DefaultToString.cs
View File

@@ -26,6 +26,9 @@ class DefaultToString
C c = new D();
Console.WriteLine(c); // GOOD
var sb = new StringBuilder();
sb.Append(new char[] { 'a', 'b', 'c' }, 0, 3); // GOOD
}
class A