From 7dd88ddff647d809ab7b8d0f63cf168b7d64e684 Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Tue, 13 Jun 2023 14:33:52 +0200 Subject: [PATCH 01/33] C#: Base tests for CWE-011 on stubs. --- csharp/ql/test/query-tests/Security Features/CWE-011/options | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 csharp/ql/test/query-tests/Security Features/CWE-011/options diff --git a/csharp/ql/test/query-tests/Security Features/CWE-011/options b/csharp/ql/test/query-tests/Security Features/CWE-011/options new file mode 100644 index 00000000000..75c39b4541b --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-011/options @@ -0,0 +1,2 @@ +semmle-extractor-options: /nostdlib /noconfig +semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj From 3e8102a0c867d78459748df69f2d7afea547d66a Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Tue, 13 Jun 2023 14:40:14 +0200 Subject: [PATCH 02/33] C#: Base tests for CWE-016 on stubs. --- csharp/ql/test/query-tests/Security Features/CWE-016/options | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 csharp/ql/test/query-tests/Security Features/CWE-016/options diff --git a/csharp/ql/test/query-tests/Security Features/CWE-016/options b/csharp/ql/test/query-tests/Security Features/CWE-016/options new file mode 100644 index 00000000000..a5ea8b797c5 --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-016/options @@ -0,0 +1,2 @@ +semmle-extractor-options: /nostdlib /noconfig +semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj From d0844bbe6e6f130567291747b3b037dfe76413eb Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Tue, 13 Jun 2023 15:02:57 +0200 Subject: [PATCH 03/33] C#: Base tests for CWE-020 on stubs. --- csharp/ql/test/query-tests/Security Features/CWE-020/options | 4 +++- csharp/ql/test/resources/stubs/System.Web.cs | 1 + 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/csharp/ql/test/query-tests/Security Features/CWE-020/options b/csharp/ql/test/query-tests/Security Features/CWE-020/options index 319fd18ddcc..96b0b028bdd 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-020/options +++ b/csharp/ql/test/query-tests/Security Features/CWE-020/options @@ -1 +1,3 @@ -semmle-extractor-options: /r:${testdir}/../../../resources/assemblies/System.Web.dll /r:${testdir}/../../../resources/assemblies/System.Web.ApplicationServices.dll /r:${testdir}/../../../resources/assemblies/System.Data.dll /r:System.Text.RegularExpressions.dll /r:System.Collections.Specialized.dll /r:System.Data.Common.dll /r:System.Security.Cryptography.X509Certificates.dll /r:System.Runtime.InteropServices.dll +semmle-extractor-options: /nostdlib /noconfig +semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj +semmle-extractor-options: ${testdir}/../../../resources/stubs/System.Web.cs diff --git a/csharp/ql/test/resources/stubs/System.Web.cs b/csharp/ql/test/resources/stubs/System.Web.cs index 725b672fbe8..58865f82e6a 100644 --- a/csharp/ql/test/resources/stubs/System.Web.cs +++ b/csharp/ql/test/resources/stubs/System.Web.cs @@ -156,6 +156,7 @@ namespace System.Web public class HttpResponse { public void Write(object o) { } + public void Write(string s) { } public void WriteFile(string s) { } public HttpCookieCollection Cookies => null; public void AddHeader(string name, string value) { } From 47621ca6027ba6679052fd06f7085385941fbe8a Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Wed, 14 Jun 2023 09:07:58 +0200 Subject: [PATCH 04/33] C#: Base tests for CWE-022 on stubs. --- .../query-tests/Security Features/CWE-022/TaintedPath/options | 4 +++- .../query-tests/Security Features/CWE-022/ZipSlip/options | 3 ++- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/csharp/ql/test/query-tests/Security Features/CWE-022/TaintedPath/options b/csharp/ql/test/query-tests/Security Features/CWE-022/TaintedPath/options index 17bfec6a531..9290f65d5b2 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-022/TaintedPath/options +++ b/csharp/ql/test/query-tests/Security Features/CWE-022/TaintedPath/options @@ -1 +1,3 @@ -semmle-extractor-options: /r:System.IO.FileSystem.dll /r:System.Runtime.Extensions.dll /r:System.Collections.Specialized.dll ${testdir}/../../../../resources/stubs/System.Web.cs +semmle-extractor-options: /nostdlib /noconfig +semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj +semmle-extractor-options: ${testdir}/../../../../resources/stubs/System.Web.cs diff --git a/csharp/ql/test/query-tests/Security Features/CWE-022/ZipSlip/options b/csharp/ql/test/query-tests/Security Features/CWE-022/ZipSlip/options index acca6983965..a5ea8b797c5 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-022/ZipSlip/options +++ b/csharp/ql/test/query-tests/Security Features/CWE-022/ZipSlip/options @@ -1 +1,2 @@ -semmle-extractor-options: /r:System.IO.Compression.dll /r:System.IO.Compression.FileSystem.dll /r:System.IO.Compression.ZipFile.dll /r:System.IO.FileSystem.dll +semmle-extractor-options: /nostdlib /noconfig +semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj From 0d10f5ca2acb5fcf9729cec4fdec1484af370c1c Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Wed, 14 Jun 2023 09:19:14 +0200 Subject: [PATCH 05/33] C#: Base tests for CWE-078 on stubs. --- csharp/ql/test/query-tests/Security Features/CWE-078/options | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/csharp/ql/test/query-tests/Security Features/CWE-078/options b/csharp/ql/test/query-tests/Security Features/CWE-078/options index de7d3478af5..7faed1b92ed 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-078/options +++ b/csharp/ql/test/query-tests/Security Features/CWE-078/options @@ -1 +1,2 @@ -semmle-extractor-options: /r:System.ComponentModel.Primitives.dll /r:System.Diagnostics.Process.dll /r:System.Runtime.InteropServices.dll ${testdir}/../../../resources/stubs/System.Data.cs /r:System.Data.Common.dll +semmle-extractor-options: /nostdlib /noconfig +semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/System.Data.SqlClient/4.8.3/System.Data.SqlClient.csproj From b674a8eab751808c949db690c14c026575b676ba Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Wed, 14 Jun 2023 12:03:11 +0200 Subject: [PATCH 06/33] C#: Split the StoredXss test from XSS Asp test. Make the former based on stubs. --- .../Security Features/CWE-079/StoredXSS/StoredXSS.cs | 2 -- .../CWE-079/StoredXSS/StoredXSS.expected | 8 ++++---- .../Security Features/CWE-079/StoredXSS/options | 4 +++- .../CWE-079/{StoredXSS => XSSAsp}/AspInline.expected | 4 ++-- .../CWE-079/{StoredXSS => XSSAsp}/AspInline.ql | 0 .../CWE-079/{StoredXSS => XSSAsp}/XSS.cs | 5 +++-- .../CWE-079/{StoredXSS => XSSAsp}/XSS.expected | 4 ++-- .../CWE-079/{StoredXSS => XSSAsp}/XSS.qlref | 0 .../query-tests/Security Features/CWE-079/XSSAsp/options | 1 + .../CWE-079/{StoredXSS => XSSAsp}/script.aspx | 0 10 files changed, 15 insertions(+), 13 deletions(-) rename csharp/ql/test/query-tests/Security Features/CWE-079/{StoredXSS => XSSAsp}/AspInline.expected (66%) rename csharp/ql/test/query-tests/Security Features/CWE-079/{StoredXSS => XSSAsp}/AspInline.ql (100%) rename csharp/ql/test/query-tests/Security Features/CWE-079/{StoredXSS => XSSAsp}/XSS.cs (93%) rename csharp/ql/test/query-tests/Security Features/CWE-079/{StoredXSS => XSSAsp}/XSS.expected (97%) rename csharp/ql/test/query-tests/Security Features/CWE-079/{StoredXSS => XSSAsp}/XSS.qlref (100%) create mode 100644 csharp/ql/test/query-tests/Security Features/CWE-079/XSSAsp/options rename csharp/ql/test/query-tests/Security Features/CWE-079/{StoredXSS => XSSAsp}/script.aspx (100%) diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/StoredXSS/StoredXSS.cs b/csharp/ql/test/query-tests/Security Features/CWE-079/StoredXSS/StoredXSS.cs index 24c4eb73912..1096634b690 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-079/StoredXSS/StoredXSS.cs +++ b/csharp/ql/test/query-tests/Security Features/CWE-079/StoredXSS/StoredXSS.cs @@ -1,5 +1,3 @@ -// semmle-extractor-options: /r:${testdir}/../../../../resources/assemblies/System.Data.dll /r:${testdir}/../../../../resources/assemblies/System.Web.dll /r:${testdir}/../../../../resources/assemblies/System.Web.Mvc.dll /r:System.ComponentModel.Primitives.dll /r:System.Collections.Specialized.dll /r:${testdir}/../../../../resources/assemblies/System.Net.Http.dll - using System; using System.Data.SqlClient; using System.Web; diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/StoredXSS/StoredXSS.expected b/csharp/ql/test/query-tests/Security Features/CWE-079/StoredXSS/StoredXSS.expected index bafe7257095..beef5ec2968 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-079/StoredXSS/StoredXSS.expected +++ b/csharp/ql/test/query-tests/Security Features/CWE-079/StoredXSS/StoredXSS.expected @@ -1,8 +1,8 @@ edges -| StoredXSS.cs:24:60:24:86 | call to method GetString : String | StoredXSS.cs:24:44:24:86 | ... + ... | +| StoredXSS.cs:22:60:22:86 | call to method GetString : String | StoredXSS.cs:22:44:22:86 | ... + ... | nodes -| StoredXSS.cs:24:44:24:86 | ... + ... | semmle.label | ... + ... | -| StoredXSS.cs:24:60:24:86 | call to method GetString : String | semmle.label | call to method GetString : String | +| StoredXSS.cs:22:44:22:86 | ... + ... | semmle.label | ... + ... | +| StoredXSS.cs:22:60:22:86 | call to method GetString : String | semmle.label | call to method GetString : String | subpaths #select -| StoredXSS.cs:24:44:24:86 | ... + ... | StoredXSS.cs:24:60:24:86 | call to method GetString : String | StoredXSS.cs:24:44:24:86 | ... + ... | This HTML or JavaScript write depends on a $@. | StoredXSS.cs:24:60:24:86 | call to method GetString | stored (potentially user-provided) value | +| StoredXSS.cs:22:44:22:86 | ... + ... | StoredXSS.cs:22:60:22:86 | call to method GetString : String | StoredXSS.cs:22:44:22:86 | ... + ... | This HTML or JavaScript write depends on a $@. | StoredXSS.cs:22:60:22:86 | call to method GetString | stored (potentially user-provided) value | diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/StoredXSS/options b/csharp/ql/test/query-tests/Security Features/CWE-079/StoredXSS/options index a95668cbc59..34d9e62e93c 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-079/StoredXSS/options +++ b/csharp/ql/test/query-tests/Security Features/CWE-079/StoredXSS/options @@ -1 +1,3 @@ -semmle-extractor-options: ${testdir}/../../../../resources/stubs/System.Net.cs +semmle-extractor-options: /nostdlib /noconfig +semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../resources/stubs/System.Data.SqlClient/4.8.3/System.Data.SqlClient.csproj +semmle-extractor-options: ${testdir}/../../../../resources/stubs/System.Web.cs diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/StoredXSS/AspInline.expected b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSAsp/AspInline.expected similarity index 66% rename from csharp/ql/test/query-tests/Security Features/CWE-079/StoredXSS/AspInline.expected rename to csharp/ql/test/query-tests/Security Features/CWE-079/XSSAsp/AspInline.expected index d296914aba7..66468b41a68 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-079/StoredXSS/AspInline.expected +++ b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSAsp/AspInline.expected @@ -1,5 +1,5 @@ -| script.aspx:4:1:4:23 | <%= ... %> | XSS.cs:114:16:114:29 | someJavascript | -| script.aspx:8:1:8:12 | <%= ... %> | XSS.cs:121:24:121:28 | Field | +| script.aspx:4:1:4:23 | <%= ... %> | XSS.cs:115:16:115:29 | someJavascript | +| script.aspx:8:1:8:12 | <%= ... %> | XSS.cs:122:24:122:28 | Field | | script.aspx:12:1:12:14 | <%= ... %> | | Request | | script.aspx:16:1:16:34 | <%= ... %> | | QueryString | | script.aspx:20:1:20:41 | <%= ... %> | | QueryString | diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/StoredXSS/AspInline.ql b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSAsp/AspInline.ql similarity index 100% rename from csharp/ql/test/query-tests/Security Features/CWE-079/StoredXSS/AspInline.ql rename to csharp/ql/test/query-tests/Security Features/CWE-079/XSSAsp/AspInline.ql diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/StoredXSS/XSS.cs b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSAsp/XSS.cs similarity index 93% rename from csharp/ql/test/query-tests/Security Features/CWE-079/StoredXSS/XSS.cs rename to csharp/ql/test/query-tests/Security Features/CWE-079/XSSAsp/XSS.cs index da82672c6df..1fc8a99e61b 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-079/StoredXSS/XSS.cs +++ b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSAsp/XSS.cs @@ -1,4 +1,4 @@ - +// semmle-extractor-options: /r:${testdir}/../../../../resources/assemblies/System.Web.dll /r:${testdir}/../../../../resources/assemblies/System.Web.Mvc.dll /r:System.Collections.Specialized.dll /r:${testdir}/../../../../resources/assemblies/System.Net.Http.dll using System; using System.Net; using System.Net.Http; @@ -102,7 +102,8 @@ namespace Test new StringContent(HttpUtility.HtmlEncode(name)); } - public void UrlEncoded(HttpContextBase context) { + public void UrlEncoded(HttpContextBase context) + { // GOOD: URL encoding string name = context.Request.QueryString["name"]; new StringContent(HttpUtility.UrlEncode(name)); diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/StoredXSS/XSS.expected b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSAsp/XSS.expected similarity index 97% rename from csharp/ql/test/query-tests/Security Features/CWE-079/StoredXSS/XSS.expected rename to csharp/ql/test/query-tests/Security Features/CWE-079/XSSAsp/XSS.expected index f1f4c631769..4b1440cee4a 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-079/StoredXSS/XSS.expected +++ b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSAsp/XSS.expected @@ -56,7 +56,7 @@ nodes | XSS.cs:94:27:94:53 | access to property QueryString : NameValueCollection | semmle.label | access to property QueryString : NameValueCollection | | XSS.cs:94:27:94:61 | access to indexer : String | semmle.label | access to indexer : String | | XSS.cs:95:31:95:34 | access to local variable name | semmle.label | access to local variable name | -| XSS.cs:134:20:134:33 | access to property RawUrl | semmle.label | access to property RawUrl | +| XSS.cs:135:20:135:33 | access to property RawUrl | semmle.label | access to property RawUrl | | script.aspx:12:1:12:14 | <%= ... %> | semmle.label | <%= ... %> | | script.aspx:16:1:16:34 | <%= ... %> | semmle.label | <%= ... %> | | script.aspx:20:1:20:41 | <%= ... %> | semmle.label | <%= ... %> | @@ -72,7 +72,7 @@ subpaths | XSS.cs:86:28:86:31 | access to local variable name | XSS.cs:85:27:85:53 | access to property QueryString : NameValueCollection | XSS.cs:86:28:86:31 | access to local variable name | $@ flows to here and is written to HTML or JavaScript. | XSS.cs:85:27:85:53 | access to property QueryString : NameValueCollection | User-provided value | | XSS.cs:87:31:87:34 | access to local variable name | XSS.cs:85:27:85:53 | access to property QueryString : NameValueCollection | XSS.cs:87:31:87:34 | access to local variable name | $@ flows to here and is written to HTML or JavaScript. | XSS.cs:85:27:85:53 | access to property QueryString : NameValueCollection | User-provided value | | XSS.cs:95:31:95:34 | access to local variable name | XSS.cs:94:27:94:53 | access to property QueryString : NameValueCollection | XSS.cs:95:31:95:34 | access to local variable name | $@ flows to here and is written to HTML or JavaScript. | XSS.cs:94:27:94:53 | access to property QueryString : NameValueCollection | User-provided value | -| XSS.cs:134:20:134:33 | access to property RawUrl | XSS.cs:134:20:134:33 | access to property RawUrl | XSS.cs:134:20:134:33 | access to property RawUrl | $@ flows to here and is written to HTML or JavaScript. | XSS.cs:134:20:134:33 | access to property RawUrl | User-provided value | +| XSS.cs:135:20:135:33 | access to property RawUrl | XSS.cs:135:20:135:33 | access to property RawUrl | XSS.cs:135:20:135:33 | access to property RawUrl | $@ flows to here and is written to HTML or JavaScript. | XSS.cs:135:20:135:33 | access to property RawUrl | User-provided value | | script.aspx:12:1:12:14 | <%= ... %> | script.aspx:12:1:12:14 | <%= ... %> | script.aspx:12:1:12:14 | <%= ... %> | $@ flows to here and is a remote source accessed inline in an ASPX page. | script.aspx:12:1:12:14 | <%= ... %> | User-provided value | | script.aspx:16:1:16:34 | <%= ... %> | script.aspx:16:1:16:34 | <%= ... %> | script.aspx:16:1:16:34 | <%= ... %> | $@ flows to here and is a remote source accessed inline in an ASPX page. | script.aspx:16:1:16:34 | <%= ... %> | User-provided value | | script.aspx:20:1:20:41 | <%= ... %> | script.aspx:20:1:20:41 | <%= ... %> | script.aspx:20:1:20:41 | <%= ... %> | $@ flows to here and is a remote source accessed inline in an ASPX page. | script.aspx:20:1:20:41 | <%= ... %> | User-provided value | diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/StoredXSS/XSS.qlref b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSAsp/XSS.qlref similarity index 100% rename from csharp/ql/test/query-tests/Security Features/CWE-079/StoredXSS/XSS.qlref rename to csharp/ql/test/query-tests/Security Features/CWE-079/XSSAsp/XSS.qlref diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/XSSAsp/options b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSAsp/options new file mode 100644 index 00000000000..a95668cbc59 --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSAsp/options @@ -0,0 +1 @@ +semmle-extractor-options: ${testdir}/../../../../resources/stubs/System.Net.cs diff --git a/csharp/ql/test/query-tests/Security Features/CWE-079/StoredXSS/script.aspx b/csharp/ql/test/query-tests/Security Features/CWE-079/XSSAsp/script.aspx similarity index 100% rename from csharp/ql/test/query-tests/Security Features/CWE-079/StoredXSS/script.aspx rename to csharp/ql/test/query-tests/Security Features/CWE-079/XSSAsp/script.aspx From 8e36a880f2a20b14645b2a83c1fe9d241fbfebb3 Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Wed, 14 Jun 2023 15:36:11 +0200 Subject: [PATCH 07/33] C#: Adjust paths relative to the test directory for CWE-089 test dependencies. --- .../ql/test/query-tests/Security Features/CWE-089/options | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/csharp/ql/test/query-tests/Security Features/CWE-089/options b/csharp/ql/test/query-tests/Security Features/CWE-089/options index 036514ceb74..b1124d05dcd 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-089/options +++ b/csharp/ql/test/query-tests/Security Features/CWE-089/options @@ -1,6 +1,6 @@ semmle-extractor-options: /nostdlib /noconfig -semmle-extractor-options: --load-sources-from-project:../../../resources/stubs/Dapper/2.0.90/Dapper.csproj -semmle-extractor-options: --load-sources-from-project:../../../resources/stubs/System.Data.SqlClient/4.8.3/System.Data.SqlClient.csproj -semmle-extractor-options: --load-sources-from-project:../../../resources/stubs/System.Data.SQLite/1.0.116/System.Data.SQLite.csproj +semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/Dapper/2.0.90/Dapper.csproj +semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/System.Data.SqlClient/4.8.3/System.Data.SqlClient.csproj +semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/System.Data.SQLite/1.0.116/System.Data.SQLite.csproj semmle-extractor-options: ${testdir}/../../../resources/stubs/EntityFramework.cs semmle-extractor-options: ${testdir}/../../../resources/stubs/System.Windows.cs From f4b5cbf7eb586a61a5f0eeeccf9cafdbdff14e7c Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Wed, 14 Jun 2023 14:31:28 +0200 Subject: [PATCH 08/33] C#: Base tests for CWE-090 on stubs. --- .../ql/test/query-tests/Security Features/CWE-090/options | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/csharp/ql/test/query-tests/Security Features/CWE-090/options b/csharp/ql/test/query-tests/Security Features/CWE-090/options index dfc3914bb98..1a54f1e9c36 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-090/options +++ b/csharp/ql/test/query-tests/Security Features/CWE-090/options @@ -1,2 +1,4 @@ -semmle-extractor-options: ${testdir}/../../../resources/stubs/System.Web.cs ${testdir}/../../../resources/stubs/System.DirectoryServices.cs /r:System.ComponentModel.Primitives.dll /r:System.Collections.Specialized.dll /r:System.ComponentModel.TypeConverter.dll /r:System.Private.Xml.dll -semmle-extractor-options: ${testdir}/../../../resources/stubs/System.Data.cs /r:System.Data.Common.dll +semmle-extractor-options: /nostdlib /noconfig +semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/System.Data.SqlClient/4.8.3/System.Data.SqlClient.csproj +semmle-extractor-options: ${testdir}/../../../resources/stubs/System.Web.cs +semmle-extractor-options: ${testdir}/../../../resources/stubs/System.DirectoryServices.cs From 7d58a9c3d391e02e1fb9472f33e42211fc52290b Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Wed, 14 Jun 2023 15:23:44 +0200 Subject: [PATCH 09/33] C#: Base tests for CWE-091 on stubs. --- .../Security Features/CWE-091/XMLInjection/options | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/csharp/ql/test/query-tests/Security Features/CWE-091/XMLInjection/options b/csharp/ql/test/query-tests/Security Features/CWE-091/XMLInjection/options index 5194fddbe4d..9290f65d5b2 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-091/XMLInjection/options +++ b/csharp/ql/test/query-tests/Security Features/CWE-091/XMLInjection/options @@ -1 +1,3 @@ -semmle-extractor-options: /r:System.Private.Xml.dll /r:System.Xml.dll /r:System.Xml.ReaderWriter.dll /r:System.Runtime.Extensions.dll /r:System.Collections.Specialized.dll ${testdir}/../../../../resources/stubs/System.Web.cs +semmle-extractor-options: /nostdlib /noconfig +semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj +semmle-extractor-options: ${testdir}/../../../../resources/stubs/System.Web.cs From 95fddaebef3ef29cbf722b6942220713d5815c14 Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Wed, 14 Jun 2023 15:27:25 +0200 Subject: [PATCH 10/33] C#: Base tests for CWE-094 on stubs. --- .../ql/test/query-tests/Security Features/CWE-094/options | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/csharp/ql/test/query-tests/Security Features/CWE-094/options b/csharp/ql/test/query-tests/Security Features/CWE-094/options index 97b9301f4dc..cce2f114af6 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-094/options +++ b/csharp/ql/test/query-tests/Security Features/CWE-094/options @@ -1 +1,5 @@ -semmle-extractor-options: ${testdir}/../../../resources/stubs/System.Web.cs /r:System.Collections.Specialized.dll ${testdir}/../../../resources/stubs/Microsoft.CSharp.cs /r:System.ComponentModel.Primitives.dll ${testdir}/../../../resources/stubs/System.Windows.cs +semmle-extractor-options: /nostdlib /noconfig +semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj +semmle-extractor-options: ${testdir}/../../../resources/stubs/System.Web.cs +semmle-extractor-options: ${testdir}/../../../resources/stubs/System.Windows.cs +semmle-extractor-options: ${testdir}/../../../resources/stubs/Microsoft.CSharp.cs From 981468f64e48012d5cfbb97ef4a274c8fdaafd82 Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Wed, 14 Jun 2023 15:31:00 +0200 Subject: [PATCH 11/33] C#: Base tests for CWE-099 on stubs. --- csharp/ql/test/query-tests/Security Features/CWE-099/options | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/csharp/ql/test/query-tests/Security Features/CWE-099/options b/csharp/ql/test/query-tests/Security Features/CWE-099/options index 2878eb40d52..6f56ddfc468 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-099/options +++ b/csharp/ql/test/query-tests/Security Features/CWE-099/options @@ -1 +1,3 @@ -semmle-extractor-options: /r:System.Collections.Specialized.dll ${testdir}/../../../resources/stubs/System.Web.cs /r:${testdir}/../../../resources/assemblies/System.Data.dll /r:System.Data.Common.dll +semmle-extractor-options: /nostdlib /noconfig +semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/System.Data.SqlClient/4.8.3/System.Data.SqlClient.csproj +semmle-extractor-options: ${testdir}/../../../resources/stubs/System.Web.cs From 6028f4b76ff0e8ab3c878108ab156d605560ce98 Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Thu, 15 Jun 2023 15:28:46 +0200 Subject: [PATCH 12/33] C#: Base tests for CWE-112 on stubs. --- csharp/ql/test/query-tests/Security Features/CWE-112/options | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/csharp/ql/test/query-tests/Security Features/CWE-112/options b/csharp/ql/test/query-tests/Security Features/CWE-112/options index c72ec0605ab..96b0b028bdd 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-112/options +++ b/csharp/ql/test/query-tests/Security Features/CWE-112/options @@ -1 +1,3 @@ -semmle-extractor-options: /r:System.Collections.Specialized.dll /r:System.Runtime.Extensions.dll ${testdir}/../../../resources/stubs/System.Web.cs /r:System.Xml.ReaderWriter.dll /r:System.Private.Xml.dll +semmle-extractor-options: /nostdlib /noconfig +semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj +semmle-extractor-options: ${testdir}/../../../resources/stubs/System.Web.cs From b726fe8735b897be426e1b2516c2dc228f9fc69a Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Thu, 15 Jun 2023 15:31:25 +0200 Subject: [PATCH 13/33] C#: Base tests for CWE-114 on stubs. --- .../Security Features/CWE-114/AssemblyPathInjection/options | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/csharp/ql/test/query-tests/Security Features/CWE-114/AssemblyPathInjection/options b/csharp/ql/test/query-tests/Security Features/CWE-114/AssemblyPathInjection/options index 2fe55538006..9290f65d5b2 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-114/AssemblyPathInjection/options +++ b/csharp/ql/test/query-tests/Security Features/CWE-114/AssemblyPathInjection/options @@ -1 +1,3 @@ -semmle-extractor-options: /r:System.Collections.Specialized.dll ${testdir}/../../../../resources/stubs/System.Web.cs +semmle-extractor-options: /nostdlib /noconfig +semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj +semmle-extractor-options: ${testdir}/../../../../resources/stubs/System.Web.cs From d1b704fb453375a5c9ef3c4a062affbcd6b0eade Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Thu, 15 Jun 2023 15:34:22 +0200 Subject: [PATCH 14/33] C#: Base tests for CWE-119 on stubs. --- csharp/ql/test/query-tests/Security Features/CWE-119/options | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 csharp/ql/test/query-tests/Security Features/CWE-119/options diff --git a/csharp/ql/test/query-tests/Security Features/CWE-119/options b/csharp/ql/test/query-tests/Security Features/CWE-119/options new file mode 100644 index 00000000000..75c39b4541b --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-119/options @@ -0,0 +1,2 @@ +semmle-extractor-options: /nostdlib /noconfig +semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj From e0b661c5553fef650296e3fb3ab37db98e70460b Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Thu, 15 Jun 2023 15:36:37 +0200 Subject: [PATCH 15/33] C#: Base tests for CWE-134 on stubs. --- csharp/ql/test/query-tests/Security Features/CWE-134/options | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/csharp/ql/test/query-tests/Security Features/CWE-134/options b/csharp/ql/test/query-tests/Security Features/CWE-134/options index 54d2098bf4e..ab08ee323e2 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-134/options +++ b/csharp/ql/test/query-tests/Security Features/CWE-134/options @@ -1 +1,4 @@ -semmle-extractor-options: /r:System.Runtime.Extensions.dll /r:System.Collections.Specialized.dll ${testdir}/../../../resources/stubs/System.Web.cs ${testdir}/../../../resources/stubs/System.Windows.cs +semmle-extractor-options: /nostdlib /noconfig +semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj +semmle-extractor-options: ${testdir}/../../../resources/stubs/System.Web.cs +semmle-extractor-options: ${testdir}/../../../resources/stubs/System.Windows.cs From 596a8ecf970f6dcfb3713987b604f1132b576418 Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Thu, 15 Jun 2023 15:40:53 +0200 Subject: [PATCH 16/33] C#: Base tests for CWE-201 on stubs. --- .../CWE-201/ExposureInTransmittedData/options | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/csharp/ql/test/query-tests/Security Features/CWE-201/ExposureInTransmittedData/options b/csharp/ql/test/query-tests/Security Features/CWE-201/ExposureInTransmittedData/options index 3d76f691ef2..34d9e62e93c 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-201/ExposureInTransmittedData/options +++ b/csharp/ql/test/query-tests/Security Features/CWE-201/ExposureInTransmittedData/options @@ -1 +1,3 @@ -semmle-extractor-options: /r:System.Collections.Specialized.dll ${testdir}/../../../../resources/stubs/System.Web.cs ${testdir}/../../../../resources/stubs/System.Data.cs ${testdir}/../../../../resources/stubs/System.Net.cs /r:System.Data.Common.dll +semmle-extractor-options: /nostdlib /noconfig +semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../resources/stubs/System.Data.SqlClient/4.8.3/System.Data.SqlClient.csproj +semmle-extractor-options: ${testdir}/../../../../resources/stubs/System.Web.cs From 680762572abe55a57de4f8663d6da43781c29d31 Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Thu, 15 Jun 2023 15:43:01 +0200 Subject: [PATCH 17/33] C#: Base tests for CWE-209 on stubs. --- csharp/ql/test/query-tests/Security Features/CWE-209/options | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/csharp/ql/test/query-tests/Security Features/CWE-209/options b/csharp/ql/test/query-tests/Security Features/CWE-209/options index 326ff69528b..96b0b028bdd 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-209/options +++ b/csharp/ql/test/query-tests/Security Features/CWE-209/options @@ -1 +1,3 @@ -semmle-extractor-options: ${testdir}/../../../resources/stubs/System.Web.cs /r:System.Collections.Specialized.dll +semmle-extractor-options: /nostdlib /noconfig +semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj +semmle-extractor-options: ${testdir}/../../../resources/stubs/System.Web.cs From 02dbc600a4f5113355aab10aa0bdd918e3076ac3 Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Thu, 15 Jun 2023 15:47:26 +0200 Subject: [PATCH 18/33] C#: Base tests for CWE-248 on stubs. --- .../MissingASPNETGlobalErrorHandler/WebConfigOff/options | 4 +++- .../WebConfigOffButGlobal/options | 4 +++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/csharp/ql/test/query-tests/Security Features/CWE-248/MissingASPNETGlobalErrorHandler/WebConfigOff/options b/csharp/ql/test/query-tests/Security Features/CWE-248/MissingASPNETGlobalErrorHandler/WebConfigOff/options index 96837650998..9d05f9bf06d 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-248/MissingASPNETGlobalErrorHandler/WebConfigOff/options +++ b/csharp/ql/test/query-tests/Security Features/CWE-248/MissingASPNETGlobalErrorHandler/WebConfigOff/options @@ -1 +1,3 @@ -semmle-extractor-options: ${testdir}/../../../../../resources/stubs/System.Web.cs /r:System.Collections.Specialized.dll +semmle-extractor-options: /nostdlib /noconfig +semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj +semmle-extractor-options: ${testdir}/../../../../../resources/stubs/System.Web.cs diff --git a/csharp/ql/test/query-tests/Security Features/CWE-248/MissingASPNETGlobalErrorHandler/WebConfigOffButGlobal/options b/csharp/ql/test/query-tests/Security Features/CWE-248/MissingASPNETGlobalErrorHandler/WebConfigOffButGlobal/options index 96837650998..9d05f9bf06d 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-248/MissingASPNETGlobalErrorHandler/WebConfigOffButGlobal/options +++ b/csharp/ql/test/query-tests/Security Features/CWE-248/MissingASPNETGlobalErrorHandler/WebConfigOffButGlobal/options @@ -1 +1,3 @@ -semmle-extractor-options: ${testdir}/../../../../../resources/stubs/System.Web.cs /r:System.Collections.Specialized.dll +semmle-extractor-options: /nostdlib /noconfig +semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj +semmle-extractor-options: ${testdir}/../../../../../resources/stubs/System.Web.cs From 4500170bb4f4997f71aac5d7ab7532333bdd631a Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Thu, 15 Jun 2023 15:50:21 +0200 Subject: [PATCH 19/33] C#: Base tests for CWE-312 on stubs. --- csharp/ql/test/query-tests/Security Features/CWE-312/options | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/csharp/ql/test/query-tests/Security Features/CWE-312/options b/csharp/ql/test/query-tests/Security Features/CWE-312/options index 4b3bf418201..ab08ee323e2 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-312/options +++ b/csharp/ql/test/query-tests/Security Features/CWE-312/options @@ -1 +1,4 @@ -semmle-extractor-options: ${testdir}/../../../resources/stubs/System.Web.cs /r:System.Collections.Specialized.dll /r:System.Security.Cryptography.dll {testdir}/../../../../resources/stubs/System.Windows.cs +semmle-extractor-options: /nostdlib /noconfig +semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj +semmle-extractor-options: ${testdir}/../../../resources/stubs/System.Web.cs +semmle-extractor-options: ${testdir}/../../../resources/stubs/System.Windows.cs From ae5c149150fec1b52a4b338330e6401432d1ddf7 Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Thu, 15 Jun 2023 15:53:38 +0200 Subject: [PATCH 20/33] C#: Base tests for CWE-338 on stubs. --- csharp/ql/test/query-tests/Security Features/CWE-338/options | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/csharp/ql/test/query-tests/Security Features/CWE-338/options b/csharp/ql/test/query-tests/Security Features/CWE-338/options index 1225f3c0220..bd9f6e49ece 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-338/options +++ b/csharp/ql/test/query-tests/Security Features/CWE-338/options @@ -1,2 +1,3 @@ -semmle-extractor-options: /r:System.Security.Cryptography.Csp.dll /r:System.Security.Cryptography.dll +semmle-extractor-options: /nostdlib /noconfig +semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj semmle-extractor-options: ${testdir}/../../../resources/stubs/Microsoft.VisualStudio.TestTools.UnitTesting.cs From b35af64a9d38a8e6c797165556bf15710a0f2ff1 Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Thu, 15 Jun 2023 15:59:22 +0200 Subject: [PATCH 21/33] C#: Base tests for CWE-352 on stubs. --- .../test/query-tests/Security Features/CWE-352/global/options | 4 +++- .../query-tests/Security Features/CWE-352/missing/options | 4 +++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/csharp/ql/test/query-tests/Security Features/CWE-352/global/options b/csharp/ql/test/query-tests/Security Features/CWE-352/global/options index 5ce3b321a94..9290f65d5b2 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-352/global/options +++ b/csharp/ql/test/query-tests/Security Features/CWE-352/global/options @@ -1 +1,3 @@ -semmle-extractor-options: ${testdir}/../../../../resources/stubs/System.Web.cs /r:System.Collections.Specialized.dll +semmle-extractor-options: /nostdlib /noconfig +semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj +semmle-extractor-options: ${testdir}/../../../../resources/stubs/System.Web.cs diff --git a/csharp/ql/test/query-tests/Security Features/CWE-352/missing/options b/csharp/ql/test/query-tests/Security Features/CWE-352/missing/options index 5ce3b321a94..9290f65d5b2 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-352/missing/options +++ b/csharp/ql/test/query-tests/Security Features/CWE-352/missing/options @@ -1 +1,3 @@ -semmle-extractor-options: ${testdir}/../../../../resources/stubs/System.Web.cs /r:System.Collections.Specialized.dll +semmle-extractor-options: /nostdlib /noconfig +semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj +semmle-extractor-options: ${testdir}/../../../../resources/stubs/System.Web.cs From 6ec4338cca0a51da38a7c45c477d66536e1be57e Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Thu, 15 Jun 2023 16:09:14 +0200 Subject: [PATCH 22/33] C#: Base tests for CWE-359 on stubs. --- csharp/ql/test/query-tests/Security Features/CWE-359/options | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/csharp/ql/test/query-tests/Security Features/CWE-359/options b/csharp/ql/test/query-tests/Security Features/CWE-359/options index aa088071c5d..ab08ee323e2 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-359/options +++ b/csharp/ql/test/query-tests/Security Features/CWE-359/options @@ -1 +1,4 @@ -semmle-extractor-options: ${testdir}/../../../resources/stubs/System.Web.cs /r:System.Collections.Specialized.dll /r:System.Security.Cryptography.dll ${testdir}/../../../resources/stubs/System.Windows.cs +semmle-extractor-options: /nostdlib /noconfig +semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj +semmle-extractor-options: ${testdir}/../../../resources/stubs/System.Web.cs +semmle-extractor-options: ${testdir}/../../../resources/stubs/System.Windows.cs From 33e798418eb2c31ce92b68d0040f710787c60e8a Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Thu, 15 Jun 2023 16:12:09 +0200 Subject: [PATCH 23/33] C#: Base tests for CWE-384 on stubs. --- csharp/ql/test/query-tests/Security Features/CWE-384/options | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/csharp/ql/test/query-tests/Security Features/CWE-384/options b/csharp/ql/test/query-tests/Security Features/CWE-384/options index 326ff69528b..96b0b028bdd 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-384/options +++ b/csharp/ql/test/query-tests/Security Features/CWE-384/options @@ -1 +1,3 @@ -semmle-extractor-options: ${testdir}/../../../resources/stubs/System.Web.cs /r:System.Collections.Specialized.dll +semmle-extractor-options: /nostdlib /noconfig +semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj +semmle-extractor-options: ${testdir}/../../../resources/stubs/System.Web.cs From faaf26157bb7d36b82b30136e7f3507987af9b71 Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Thu, 15 Jun 2023 16:16:44 +0200 Subject: [PATCH 24/33] C#: Base tests for CWE-451 on stubs. --- .../CWE-451/MissingXFrameOptions/CodeAddedHeader/options | 4 +++- .../CWE-451/MissingXFrameOptions/NoHeader/options | 4 +++- .../CWE-451/MissingXFrameOptions/WebConfigAddedHeader/options | 4 +++- 3 files changed, 9 insertions(+), 3 deletions(-) diff --git a/csharp/ql/test/query-tests/Security Features/CWE-451/MissingXFrameOptions/CodeAddedHeader/options b/csharp/ql/test/query-tests/Security Features/CWE-451/MissingXFrameOptions/CodeAddedHeader/options index 96837650998..9d05f9bf06d 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-451/MissingXFrameOptions/CodeAddedHeader/options +++ b/csharp/ql/test/query-tests/Security Features/CWE-451/MissingXFrameOptions/CodeAddedHeader/options @@ -1 +1,3 @@ -semmle-extractor-options: ${testdir}/../../../../../resources/stubs/System.Web.cs /r:System.Collections.Specialized.dll +semmle-extractor-options: /nostdlib /noconfig +semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj +semmle-extractor-options: ${testdir}/../../../../../resources/stubs/System.Web.cs diff --git a/csharp/ql/test/query-tests/Security Features/CWE-451/MissingXFrameOptions/NoHeader/options b/csharp/ql/test/query-tests/Security Features/CWE-451/MissingXFrameOptions/NoHeader/options index 96837650998..9d05f9bf06d 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-451/MissingXFrameOptions/NoHeader/options +++ b/csharp/ql/test/query-tests/Security Features/CWE-451/MissingXFrameOptions/NoHeader/options @@ -1 +1,3 @@ -semmle-extractor-options: ${testdir}/../../../../../resources/stubs/System.Web.cs /r:System.Collections.Specialized.dll +semmle-extractor-options: /nostdlib /noconfig +semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj +semmle-extractor-options: ${testdir}/../../../../../resources/stubs/System.Web.cs diff --git a/csharp/ql/test/query-tests/Security Features/CWE-451/MissingXFrameOptions/WebConfigAddedHeader/options b/csharp/ql/test/query-tests/Security Features/CWE-451/MissingXFrameOptions/WebConfigAddedHeader/options index 96837650998..9d05f9bf06d 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-451/MissingXFrameOptions/WebConfigAddedHeader/options +++ b/csharp/ql/test/query-tests/Security Features/CWE-451/MissingXFrameOptions/WebConfigAddedHeader/options @@ -1 +1,3 @@ -semmle-extractor-options: ${testdir}/../../../../../resources/stubs/System.Web.cs /r:System.Collections.Specialized.dll +semmle-extractor-options: /nostdlib /noconfig +semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj +semmle-extractor-options: ${testdir}/../../../../../resources/stubs/System.Web.cs From 5e4d31c10d29af5e8af913b182c3c681b7a890a4 Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Thu, 15 Jun 2023 16:24:40 +0200 Subject: [PATCH 25/33] C#: Base tests for CWE-502 on stubs. --- .../Security Features/CWE-502/DeserializedDelegate/options | 3 ++- .../Security Features/CWE-502/UnsafeDeserialization/options | 4 +++- .../CWE-502/UnsafeDeserializationUntrustedInput/options | 4 +++- .../UnsafeDeserializationUntrustedInputNewtonsoftJson/options | 4 +++- 4 files changed, 11 insertions(+), 4 deletions(-) diff --git a/csharp/ql/test/query-tests/Security Features/CWE-502/DeserializedDelegate/options b/csharp/ql/test/query-tests/Security Features/CWE-502/DeserializedDelegate/options index bd4d77c7377..a5ea8b797c5 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-502/DeserializedDelegate/options +++ b/csharp/ql/test/query-tests/Security Features/CWE-502/DeserializedDelegate/options @@ -1 +1,2 @@ -semmle-extractor-options: /r:System.Runtime.Serialization.Formatters.dll /r:System.IO.FileSystem.dll /r:System.Linq.Expressions.dll +semmle-extractor-options: /nostdlib /noconfig +semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj diff --git a/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserialization/options b/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserialization/options index 182f92f8d84..9290f65d5b2 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserialization/options +++ b/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserialization/options @@ -1 +1,3 @@ -semmle-extractor-options: /r:System.Private.Xml.dll /r:System.Xml.ReaderWriter.dll /r:System.Private.DataContractSerialization.dll /r:System.Runtime.Serialization.Formatters.dll /r:System.Runtime.Extensions.dll /r:System.IO.FileSystem.dll /r:System.Collections.Specialized.dll ${testdir}/../../../../resources/stubs/System.Web.cs +semmle-extractor-options: /nostdlib /noconfig +semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj +semmle-extractor-options: ${testdir}/../../../../resources/stubs/System.Web.cs diff --git a/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserializationUntrustedInput/options b/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserializationUntrustedInput/options index 182f92f8d84..9290f65d5b2 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserializationUntrustedInput/options +++ b/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserializationUntrustedInput/options @@ -1 +1,3 @@ -semmle-extractor-options: /r:System.Private.Xml.dll /r:System.Xml.ReaderWriter.dll /r:System.Private.DataContractSerialization.dll /r:System.Runtime.Serialization.Formatters.dll /r:System.Runtime.Extensions.dll /r:System.IO.FileSystem.dll /r:System.Collections.Specialized.dll ${testdir}/../../../../resources/stubs/System.Web.cs +semmle-extractor-options: /nostdlib /noconfig +semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj +semmle-extractor-options: ${testdir}/../../../../resources/stubs/System.Web.cs diff --git a/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserializationUntrustedInputNewtonsoftJson/options b/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserializationUntrustedInputNewtonsoftJson/options index bd183f95f5c..81ebad48b0d 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserializationUntrustedInputNewtonsoftJson/options +++ b/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserializationUntrustedInputNewtonsoftJson/options @@ -1 +1,3 @@ -semmle-extractor-options: /nostdlib /noconfig --load-sources-from-project:${testdir}/../../../../resources/stubs/Newtonsoft.Json/13.0.1/Newtonsoft.Json.csproj ${testdir}/../../../../resources/stubs/System.Web.cs +semmle-extractor-options: /nostdlib /noconfig +semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../resources/stubs/Newtonsoft.Json/13.0.1/Newtonsoft.Json.csproj +semmle-extractor-options: ${testdir}/../../../../resources/stubs/System.Web.cs From 7766aaeb1e4d1b31c8cc5ccd60e3150da105fde7 Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Thu, 15 Jun 2023 16:26:46 +0200 Subject: [PATCH 26/33] C#: Base tests for CWE-539 on stubs. --- .../Security Features/CWE-539/PersistentCookie/options | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/csharp/ql/test/query-tests/Security Features/CWE-539/PersistentCookie/options b/csharp/ql/test/query-tests/Security Features/CWE-539/PersistentCookie/options index 5ce3b321a94..9290f65d5b2 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-539/PersistentCookie/options +++ b/csharp/ql/test/query-tests/Security Features/CWE-539/PersistentCookie/options @@ -1 +1,3 @@ -semmle-extractor-options: ${testdir}/../../../../resources/stubs/System.Web.cs /r:System.Collections.Specialized.dll +semmle-extractor-options: /nostdlib /noconfig +semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj +semmle-extractor-options: ${testdir}/../../../../resources/stubs/System.Web.cs From d414ce046fa27dfbf0e03a32c8dc511fd3d61055 Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Thu, 15 Jun 2023 16:30:33 +0200 Subject: [PATCH 27/33] C#: Base tests for CWE-548 on stubs. --- csharp/ql/test/query-tests/Security Features/CWE-548/options | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 csharp/ql/test/query-tests/Security Features/CWE-548/options diff --git a/csharp/ql/test/query-tests/Security Features/CWE-548/options b/csharp/ql/test/query-tests/Security Features/CWE-548/options new file mode 100644 index 00000000000..75c39b4541b --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-548/options @@ -0,0 +1,2 @@ +semmle-extractor-options: /nostdlib /noconfig +semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj From 58d469b93237a1eb1df8ad97a2472e3fb3ed3671 Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Thu, 15 Jun 2023 16:33:06 +0200 Subject: [PATCH 28/33] C#: Make path relative to testdir explicit in CWE-601 testcase. --- .../query-tests/Security Features/CWE-601/UrlRedirect/options | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/csharp/ql/test/query-tests/Security Features/CWE-601/UrlRedirect/options b/csharp/ql/test/query-tests/Security Features/CWE-601/UrlRedirect/options index fb116749418..daca5d73f55 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-601/UrlRedirect/options +++ b/csharp/ql/test/query-tests/Security Features/CWE-601/UrlRedirect/options @@ -1,4 +1,4 @@ semmle-extractor-options: /nostdlib /noconfig semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj -semmle-extractor-options: --load-sources-from-project:../../../../resources/stubs/_frameworks/Microsoft.AspNetCore.App/Microsoft.AspNetCore.App.csproj +semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../resources/stubs/_frameworks/Microsoft.AspNetCore.App/Microsoft.AspNetCore.App.csproj semmle-extractor-options: ${testdir}/../../../../resources/stubs/System.Web.cs From 2857145bba014581b09a70c43bc85433f928891e Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Thu, 15 Jun 2023 19:38:40 +0200 Subject: [PATCH 29/33] C#: Base tests for CWE-614 on stubs. --- .../Security Features/CWE-614/RequireSSL/AddedInCode/options | 4 +++- .../Security Features/CWE-614/RequireSSL/AddedInForms/options | 2 ++ .../CWE-614/RequireSSL/HttpCookiesCorrect/options | 2 ++ .../CWE-614/RequireSSL/RequireSSLMissing/options | 2 ++ 4 files changed, 9 insertions(+), 1 deletion(-) create mode 100644 csharp/ql/test/query-tests/Security Features/CWE-614/RequireSSL/AddedInForms/options create mode 100644 csharp/ql/test/query-tests/Security Features/CWE-614/RequireSSL/HttpCookiesCorrect/options create mode 100644 csharp/ql/test/query-tests/Security Features/CWE-614/RequireSSL/RequireSSLMissing/options diff --git a/csharp/ql/test/query-tests/Security Features/CWE-614/RequireSSL/AddedInCode/options b/csharp/ql/test/query-tests/Security Features/CWE-614/RequireSSL/AddedInCode/options index 96837650998..9d05f9bf06d 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-614/RequireSSL/AddedInCode/options +++ b/csharp/ql/test/query-tests/Security Features/CWE-614/RequireSSL/AddedInCode/options @@ -1 +1,3 @@ -semmle-extractor-options: ${testdir}/../../../../../resources/stubs/System.Web.cs /r:System.Collections.Specialized.dll +semmle-extractor-options: /nostdlib /noconfig +semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj +semmle-extractor-options: ${testdir}/../../../../../resources/stubs/System.Web.cs diff --git a/csharp/ql/test/query-tests/Security Features/CWE-614/RequireSSL/AddedInForms/options b/csharp/ql/test/query-tests/Security Features/CWE-614/RequireSSL/AddedInForms/options new file mode 100644 index 00000000000..f4586e95ef0 --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-614/RequireSSL/AddedInForms/options @@ -0,0 +1,2 @@ +semmle-extractor-options: /nostdlib /noconfig +semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj diff --git a/csharp/ql/test/query-tests/Security Features/CWE-614/RequireSSL/HttpCookiesCorrect/options b/csharp/ql/test/query-tests/Security Features/CWE-614/RequireSSL/HttpCookiesCorrect/options new file mode 100644 index 00000000000..f4586e95ef0 --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-614/RequireSSL/HttpCookiesCorrect/options @@ -0,0 +1,2 @@ +semmle-extractor-options: /nostdlib /noconfig +semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj diff --git a/csharp/ql/test/query-tests/Security Features/CWE-614/RequireSSL/RequireSSLMissing/options b/csharp/ql/test/query-tests/Security Features/CWE-614/RequireSSL/RequireSSLMissing/options new file mode 100644 index 00000000000..f4586e95ef0 --- /dev/null +++ b/csharp/ql/test/query-tests/Security Features/CWE-614/RequireSSL/RequireSSLMissing/options @@ -0,0 +1,2 @@ +semmle-extractor-options: /nostdlib /noconfig +semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj From 5483756f17017752203e133a349a8dece14c8b4c Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Thu, 15 Jun 2023 19:44:04 +0200 Subject: [PATCH 30/33] C#: Base tests for CWE-643 on stubs. --- csharp/ql/test/query-tests/Security Features/CWE-643/options | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/csharp/ql/test/query-tests/Security Features/CWE-643/options b/csharp/ql/test/query-tests/Security Features/CWE-643/options index 9ab01d95193..6f56ddfc468 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-643/options +++ b/csharp/ql/test/query-tests/Security Features/CWE-643/options @@ -1 +1,3 @@ -semmle-extractor-options: ${testdir}/../../../resources/stubs/System.Web.cs /r:System.Collections.Specialized.dll ${testdir}/../../../resources/stubs/System.Data.cs /r:System.Private.Xml.dll /r:System.Xml.XPath.dll /r:System.Data.Common.dll /r:System.Runtime.Extensions.dll +semmle-extractor-options: /nostdlib /noconfig +semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/System.Data.SqlClient/4.8.3/System.Data.SqlClient.csproj +semmle-extractor-options: ${testdir}/../../../resources/stubs/System.Web.cs From 6058cfc037829a2785b8fa2f51a0288b17523c9b Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Thu, 15 Jun 2023 19:48:51 +0200 Subject: [PATCH 31/33] C#: Base tests for CWE-730 on stubs. --- .../test/query-tests/Security Features/CWE-730/ReDoS/options | 4 +++- .../Security Features/CWE-730/ReDoSGlobalTimeout/options | 4 +++- .../Security Features/CWE-730/RegexInjection/options | 4 +++- 3 files changed, 9 insertions(+), 3 deletions(-) diff --git a/csharp/ql/test/query-tests/Security Features/CWE-730/ReDoS/options b/csharp/ql/test/query-tests/Security Features/CWE-730/ReDoS/options index 84463712411..9290f65d5b2 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-730/ReDoS/options +++ b/csharp/ql/test/query-tests/Security Features/CWE-730/ReDoS/options @@ -1 +1,3 @@ -semmle-extractor-options: ${testdir}/../../../../resources/stubs/System.Web.cs /r:System.Text.RegularExpressions.dll /r:System.Collections.Specialized.dll +semmle-extractor-options: /nostdlib /noconfig +semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj +semmle-extractor-options: ${testdir}/../../../../resources/stubs/System.Web.cs diff --git a/csharp/ql/test/query-tests/Security Features/CWE-730/ReDoSGlobalTimeout/options b/csharp/ql/test/query-tests/Security Features/CWE-730/ReDoSGlobalTimeout/options index 1a4a26ba9ed..9290f65d5b2 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-730/ReDoSGlobalTimeout/options +++ b/csharp/ql/test/query-tests/Security Features/CWE-730/ReDoSGlobalTimeout/options @@ -1 +1,3 @@ -semmle-extractor-options: ${testdir}/../../../../resources/stubs/System.Web.cs /r:System.Text.RegularExpressions.dll /r:System.Collections.Specialized.dll /r:System.Runtime.Extensions.dll +semmle-extractor-options: /nostdlib /noconfig +semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj +semmle-extractor-options: ${testdir}/../../../../resources/stubs/System.Web.cs diff --git a/csharp/ql/test/query-tests/Security Features/CWE-730/RegexInjection/options b/csharp/ql/test/query-tests/Security Features/CWE-730/RegexInjection/options index 84463712411..9290f65d5b2 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-730/RegexInjection/options +++ b/csharp/ql/test/query-tests/Security Features/CWE-730/RegexInjection/options @@ -1 +1,3 @@ -semmle-extractor-options: ${testdir}/../../../../resources/stubs/System.Web.cs /r:System.Text.RegularExpressions.dll /r:System.Collections.Specialized.dll +semmle-extractor-options: /nostdlib /noconfig +semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj +semmle-extractor-options: ${testdir}/../../../../resources/stubs/System.Web.cs From 52c4a47a6159039d5f6570f5fcd0bbcd6dd645d1 Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Fri, 16 Jun 2023 10:03:29 +0200 Subject: [PATCH 32/33] C#: Base tests for CWE-798 on stubs. --- csharp/ql/test/query-tests/Security Features/CWE-798/options | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/csharp/ql/test/query-tests/Security Features/CWE-798/options b/csharp/ql/test/query-tests/Security Features/CWE-798/options index 3145ab2441c..a361e4fde29 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-798/options +++ b/csharp/ql/test/query-tests/Security Features/CWE-798/options @@ -1,2 +1,4 @@ +semmle-extractor-options: /nostdlib /noconfig +semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/System.Data.SqlClient/4.8.3/System.Data.SqlClient.csproj +semmle-extractor-options: ${testdir}/../../../resources/stubs/System.Web.cs semmle-extractor-options: ${testdir}/../../../resources/stubs/Microsoft.VisualStudio.TestTools.UnitTesting.cs -semmle-extractor-options: /r:${testdir}/../../../resources/assemblies/System.Web.dll /r:${testdir}/../../../resources/assemblies/System.Web.ApplicationServices.dll /r:${testdir}/../../../resources/assemblies/System.Data.dll /r:System.Text.RegularExpressions.dll /r:System.Collections.Specialized.dll /r:System.Data.Common.dll /r:System.Security.Cryptography.dll /r:System.Runtime.InteropServices.dll From f4f195c837f4df59b1f5d1db7b73bf3af86911b8 Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Fri, 16 Jun 2023 10:06:34 +0200 Subject: [PATCH 33/33] C#: Base tests for CWE-807 on stubs. --- csharp/ql/test/query-tests/Security Features/CWE-807/options | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/csharp/ql/test/query-tests/Security Features/CWE-807/options b/csharp/ql/test/query-tests/Security Features/CWE-807/options index e2ddeb7dac8..96b0b028bdd 100644 --- a/csharp/ql/test/query-tests/Security Features/CWE-807/options +++ b/csharp/ql/test/query-tests/Security Features/CWE-807/options @@ -1 +1,3 @@ -semmle-extractor-options: ${testdir}/../../../resources/stubs/System.Net.cs ${testdir}/../../../resources/stubs/System.Web.cs /r:System.Collections.Specialized.dll +semmle-extractor-options: /nostdlib /noconfig +semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj +semmle-extractor-options: ${testdir}/../../../resources/stubs/System.Web.cs