C#: Add some implicit toString data flow test cases.

csharp/ql/test/library-tests/dataflow/implicittostring/implicitToString.cs

@@ -0,0 +1,43 @@
+using System;
+
+public class TestClass
+{
+    public class MyClass()
+    {
+        public override string ToString()
+        {
+            return "tainted";
+        }
+    }
+
+    public static void Sink(object o) { }
+
+    public void M1()
+    {
+        var x1 = new MyClass();
+        var x2 = "Hello" + x1.ToString();
+        Sink(x2);
+    }
+
+    public void M2()
+    {
+        var x1 = new MyClass();
+        var x2 = "Hello" + x1;
+        Sink(x2); // MISSING
+    }
+
+    public void M3()
+    {
+        var x1 = new MyClass();
+        var x2 = $"Hello {x1.ToString()}";
+        Sink(x2);
+    }
+
+    public void M4()
+    {
+        var x1 = new MyClass();
+        var x2 = $"Hello {x1}";
+        Sink(x2); // Missing
+    }
+
+}

csharp/ql/test/library-tests/dataflow/implicittostring/implicitToString.expected

@@ -0,0 +1,20 @@
+models
+edges
+| implicitToString.cs:9:20:9:28 | "tainted" : String | implicitToString.cs:18:28:18:40 | call to method ToString : String | provenance |  |
+| implicitToString.cs:9:20:9:28 | "tainted" : String | implicitToString.cs:32:27:32:39 | call to method ToString : String | provenance |  |
+| implicitToString.cs:18:13:18:14 | access to local variable x2 : String | implicitToString.cs:19:14:19:15 | access to local variable x2 | provenance |  |
+| implicitToString.cs:18:28:18:40 | call to method ToString : String | implicitToString.cs:18:13:18:14 | access to local variable x2 : String | provenance |  |
+| implicitToString.cs:32:13:32:14 | access to local variable x2 : String | implicitToString.cs:33:14:33:15 | access to local variable x2 | provenance |  |
+| implicitToString.cs:32:27:32:39 | call to method ToString : String | implicitToString.cs:32:13:32:14 | access to local variable x2 : String | provenance |  |
+nodes
+| implicitToString.cs:9:20:9:28 | "tainted" : String | semmle.label | "tainted" : String |
+| implicitToString.cs:18:13:18:14 | access to local variable x2 : String | semmle.label | access to local variable x2 : String |
+| implicitToString.cs:18:28:18:40 | call to method ToString : String | semmle.label | call to method ToString : String |
+| implicitToString.cs:19:14:19:15 | access to local variable x2 | semmle.label | access to local variable x2 |
+| implicitToString.cs:32:13:32:14 | access to local variable x2 : String | semmle.label | access to local variable x2 : String |
+| implicitToString.cs:32:27:32:39 | call to method ToString : String | semmle.label | call to method ToString : String |
+| implicitToString.cs:33:14:33:15 | access to local variable x2 | semmle.label | access to local variable x2 |
+subpaths
+#select
+| implicitToString.cs:9:20:9:28 | "tainted" : String | implicitToString.cs:9:20:9:28 | "tainted" : String | implicitToString.cs:19:14:19:15 | access to local variable x2 | $@ | implicitToString.cs:19:14:19:15 | access to local variable x2 | access to local variable x2 |
+| implicitToString.cs:9:20:9:28 | "tainted" : String | implicitToString.cs:9:20:9:28 | "tainted" : String | implicitToString.cs:33:14:33:15 | access to local variable x2 | $@ | implicitToString.cs:33:14:33:15 | access to local variable x2 | access to local variable x2 |

csharp/ql/test/library-tests/dataflow/implicittostring/implicitToString.ql

@@ -0,0 +1,19 @@
+import csharp
+import utils.test.ProvenancePathGraph::ShowProvenance<Tt::PathNode, Tt::PathGraph>
+
+module TtConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node src) { src.asExpr().(StringLiteral).getValue() = "tainted" }
+
+  predicate isSink(DataFlow::Node sink) {
+    exists(MethodCall mc |
+      mc.getTarget().hasUndecoratedName("Sink") and
+      mc.getAnArgument() = sink.asExpr()
+    )
+  }
+}
+
+module Tt = TaintTracking::Global<TtConfig>;
+
+from Tt::PathNode source, Tt::PathNode sink
+where Tt::flowPath(source, sink)
+select source, source, sink, "$@", sink, sink.toString()