Add test cases for missing flow with interpolated strings and StringBuilder

Tamas Vajk
2023-12-07 09:19:12 +01:00
parent 9f24b026fb
commit 2c624c23ed
4 changed files with 46 additions and 19 deletions


@@ -166,10 +166,18 @@
| GlobalDataFlow.cs:545:17:545:33 | object creation of type SimpleClass | normal | GlobalDataFlow.cs:545:17:545:33 | object creation of type SimpleClass |
| GlobalDataFlow.cs:558:44:558:47 | delegate call | normal | GlobalDataFlow.cs:558:44:558:47 | delegate call |
| GlobalDataFlowStringBuilder.cs:19:9:19:20 | call to method Append | normal | GlobalDataFlowStringBuilder.cs:19:9:19:20 | call to method Append |
| GlobalDataFlowStringBuilder.cs:24:18:24:36 | object creation of type StringBuilder | normal | GlobalDataFlowStringBuilder.cs:24:18:24:36 | object creation of type StringBuilder |
| GlobalDataFlowStringBuilder.cs:26:22:26:34 | call to method ToString | normal | GlobalDataFlowStringBuilder.cs:26:22:26:34 | call to method ToString |
| GlobalDataFlowStringBuilder.cs:29:9:29:18 | call to method Clear | normal | GlobalDataFlowStringBuilder.cs:29:9:29:18 | call to method Clear |
| GlobalDataFlowStringBuilder.cs:30:23:30:35 | call to method ToString | normal | GlobalDataFlowStringBuilder.cs:30:23:30:35 | call to method ToString |
| GlobalDataFlowStringBuilder.cs:24:9:24:27 | call to method Append | normal | GlobalDataFlowStringBuilder.cs:24:9:24:27 | call to method Append |
| GlobalDataFlowStringBuilder.cs:29:18:29:36 | object creation of type StringBuilder | normal | GlobalDataFlowStringBuilder.cs:29:18:29:36 | object creation of type StringBuilder |
| GlobalDataFlowStringBuilder.cs:31:21:31:33 | call to method ToString | normal | GlobalDataFlowStringBuilder.cs:31:21:31:33 | call to method ToString |
| GlobalDataFlowStringBuilder.cs:34:19:34:37 | object creation of type StringBuilder | normal | GlobalDataFlowStringBuilder.cs:34:19:34:37 | object creation of type StringBuilder |
| GlobalDataFlowStringBuilder.cs:35:9:35:22 | call to method Append | normal | GlobalDataFlowStringBuilder.cs:35:9:35:22 | call to method Append |
| GlobalDataFlowStringBuilder.cs:36:21:36:34 | call to method ToString | normal | GlobalDataFlowStringBuilder.cs:36:21:36:34 | call to method ToString |
| GlobalDataFlowStringBuilder.cs:39:19:39:37 | object creation of type StringBuilder | normal | GlobalDataFlowStringBuilder.cs:39:19:39:37 | object creation of type StringBuilder |
| GlobalDataFlowStringBuilder.cs:40:9:40:27 | call to method Append | normal | GlobalDataFlowStringBuilder.cs:40:9:40:27 | call to method Append |
| GlobalDataFlowStringBuilder.cs:41:21:41:34 | call to method ToString | normal | GlobalDataFlowStringBuilder.cs:41:21:41:34 | call to method ToString |
| GlobalDataFlowStringBuilder.cs:44:9:44:18 | call to method Clear | normal | GlobalDataFlowStringBuilder.cs:44:9:44:18 | call to method Clear |
| GlobalDataFlowStringBuilder.cs:45:23:45:35 | call to method ToString | normal | GlobalDataFlowStringBuilder.cs:45:23:45:35 | call to method ToString |
| GlobalDataFlowStringBuilder.cs:49:21:49:33 | call to method ToString | normal | GlobalDataFlowStringBuilder.cs:49:21:49:33 | call to method ToString |
| Splitting.cs:8:17:8:31 | [b (line 3): false] call to method Return<String> | normal | Splitting.cs:8:17:8:31 | [b (line 3): false] call to method Return<String> |
| Splitting.cs:8:17:8:31 | [b (line 3): true] call to method Return<String> | normal | Splitting.cs:8:17:8:31 | [b (line 3): true] call to method Return<String> |
| Splitting.cs:20:22:20:30 | call to method Return<String> | normal | Splitting.cs:20:22:20:30 | call to method Return<String> |


@@ -19,15 +19,34 @@ public class DataFlowStringBuilder
sb.Append(s);
}
static void AppendToStringBuilderInterpolated(StringBuilder sb, string s)
{
sb.Append($"a{s}b");
}
void TestStringBuilderFlow()
{
var sb = new StringBuilder();
AppendToStringBuilder(sb, "taint source");
var sink43 = sb.ToString();
Check(sink43);
var sink0 = sb.ToString();
Check(sink0);
var sb1 = new StringBuilder();
sb1.Append(sb);
var sink1 = sb1.ToString();
Check(sink1);
var sb2 = new StringBuilder();
sb2.Append($"{sb}");
var sink2 = sb2.ToString();
Check(sink2);
sb.Clear();
var nonSink = sb.ToString();
Check(nonSink);
AppendToStringBuilderInterpolated(sb, "taint source");
var sink3 = sb.ToString();
Check(sink3);
}
}
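Review bot: The new `Check(sink1)`, `Check(sink2)` and `Check(sink3)` calls in `TestStringBuilderFlow` carry no marker saying that flow is expected there but currently missing. The expected results shown on this page list only `sink0` for this file, so from the test source alone these cases look the same as the intended non-flow `Check(nonSink)`. A taint-tracking gap through `sb1.Append(sb)` and interpolated strings would presumably let injection-style queries miss real flows, so the known false negatives should be visible where the test is read. I would annotate each one, e.g. `Check(sink1); // flow expected, currently missing`, and mark the negative case as `Check(nonSink); // no flow expected after Clear()`. The enclosing class begins before this hunk.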


@@ -72,7 +72,7 @@
| GlobalDataFlow.cs:533:15:533:21 | access to field field |
| GlobalDataFlow.cs:539:15:539:22 | access to field field |
| GlobalDataFlow.cs:547:15:547:21 | access to field field |
| GlobalDataFlowStringBuilder.cs:27:15:27:20 | access to local variable sink43 |
| GlobalDataFlowStringBuilder.cs:32:15:32:19 | access to local variable sink0 |
| Splitting.cs:9:15:9:15 | [b (line 3): false] access to local variable x |
| Splitting.cs:9:15:9:15 | [b (line 3): true] access to local variable x |
| Splitting.cs:11:19:11:19 | access to local variable x |


@@ -328,11 +328,11 @@ edges
| GlobalDataFlow.cs:558:46:558:46 | access to local variable x : String | GlobalDataFlow.cs:558:44:558:47 | delegate call : String |
| GlobalDataFlowStringBuilder.cs:17:64:17:64 | s : String | GlobalDataFlowStringBuilder.cs:19:19:19:19 | access to parameter s : String |
| GlobalDataFlowStringBuilder.cs:19:19:19:19 | access to parameter s : String | GlobalDataFlowStringBuilder.cs:19:9:19:10 | [post] access to parameter sb : StringBuilder |
| GlobalDataFlowStringBuilder.cs:25:31:25:32 | [post] access to local variable sb : StringBuilder | GlobalDataFlowStringBuilder.cs:26:22:26:23 | access to local variable sb : StringBuilder |
| GlobalDataFlowStringBuilder.cs:25:35:25:48 | "taint source" : String | GlobalDataFlowStringBuilder.cs:17:64:17:64 | s : String |
| GlobalDataFlowStringBuilder.cs:25:35:25:48 | "taint source" : String | GlobalDataFlowStringBuilder.cs:25:31:25:32 | [post] access to local variable sb : StringBuilder |
| GlobalDataFlowStringBuilder.cs:26:22:26:23 | access to local variable sb : StringBuilder | GlobalDataFlowStringBuilder.cs:26:22:26:34 | call to method ToString : String |
| GlobalDataFlowStringBuilder.cs:26:22:26:34 | call to method ToString : String | GlobalDataFlowStringBuilder.cs:27:15:27:20 | access to local variable sink43 |
| GlobalDataFlowStringBuilder.cs:30:31:30:32 | [post] access to local variable sb : StringBuilder | GlobalDataFlowStringBuilder.cs:31:21:31:22 | access to local variable sb : StringBuilder |
| GlobalDataFlowStringBuilder.cs:30:35:30:48 | "taint source" : String | GlobalDataFlowStringBuilder.cs:17:64:17:64 | s : String |
| GlobalDataFlowStringBuilder.cs:30:35:30:48 | "taint source" : String | GlobalDataFlowStringBuilder.cs:30:31:30:32 | [post] access to local variable sb : StringBuilder |
| GlobalDataFlowStringBuilder.cs:31:21:31:22 | access to local variable sb : StringBuilder | GlobalDataFlowStringBuilder.cs:31:21:31:33 | call to method ToString : String |
| GlobalDataFlowStringBuilder.cs:31:21:31:33 | call to method ToString : String | GlobalDataFlowStringBuilder.cs:32:15:32:19 | access to local variable sink0 |
| Splitting.cs:3:28:3:34 | tainted : String | Splitting.cs:8:24:8:30 | [b (line 3): false] access to parameter tainted : String |
| Splitting.cs:3:28:3:34 | tainted : String | Splitting.cs:8:24:8:30 | [b (line 3): true] access to parameter tainted : String |
| Splitting.cs:8:17:8:31 | [b (line 3): false] call to method Return<String> : String | Splitting.cs:9:15:9:15 | [b (line 3): false] access to local variable x |
@@ -657,11 +657,11 @@ nodes
| GlobalDataFlowStringBuilder.cs:17:64:17:64 | s : String | semmle.label | s : String |
| GlobalDataFlowStringBuilder.cs:19:9:19:10 | [post] access to parameter sb : StringBuilder | semmle.label | [post] access to parameter sb : StringBuilder |
| GlobalDataFlowStringBuilder.cs:19:19:19:19 | access to parameter s : String | semmle.label | access to parameter s : String |
| GlobalDataFlowStringBuilder.cs:25:31:25:32 | [post] access to local variable sb : StringBuilder | semmle.label | [post] access to local variable sb : StringBuilder |
| GlobalDataFlowStringBuilder.cs:25:35:25:48 | "taint source" : String | semmle.label | "taint source" : String |
| GlobalDataFlowStringBuilder.cs:26:22:26:23 | access to local variable sb : StringBuilder | semmle.label | access to local variable sb : StringBuilder |
| GlobalDataFlowStringBuilder.cs:26:22:26:34 | call to method ToString : String | semmle.label | call to method ToString : String |
| GlobalDataFlowStringBuilder.cs:27:15:27:20 | access to local variable sink43 | semmle.label | access to local variable sink43 |
| GlobalDataFlowStringBuilder.cs:30:31:30:32 | [post] access to local variable sb : StringBuilder | semmle.label | [post] access to local variable sb : StringBuilder |
| GlobalDataFlowStringBuilder.cs:30:35:30:48 | "taint source" : String | semmle.label | "taint source" : String |
| GlobalDataFlowStringBuilder.cs:31:21:31:22 | access to local variable sb : StringBuilder | semmle.label | access to local variable sb : StringBuilder |
| GlobalDataFlowStringBuilder.cs:31:21:31:33 | call to method ToString : String | semmle.label | call to method ToString : String |
| GlobalDataFlowStringBuilder.cs:32:15:32:19 | access to local variable sink0 | semmle.label | access to local variable sink0 |
| Splitting.cs:3:28:3:34 | tainted : String | semmle.label | tainted : String |
| Splitting.cs:8:17:8:31 | [b (line 3): false] call to method Return<String> : String | semmle.label | [b (line 3): false] call to method Return<String> : String |
| Splitting.cs:8:17:8:31 | [b (line 3): true] call to method Return<String> : String | semmle.label | [b (line 3): true] call to method Return<String> : String |
@@ -708,7 +708,7 @@ subpaths
| GlobalDataFlow.cs:389:18:389:18 | access to parameter x : String | GlobalDataFlow.cs:298:26:298:26 | x : String | GlobalDataFlow.cs:301:16:301:41 | ... ? ... : ... : String | GlobalDataFlow.cs:389:16:389:19 | delegate call : String |
| GlobalDataFlow.cs:389:18:389:18 | access to parameter x : String | GlobalDataFlow.cs:300:27:300:28 | x0 : String | GlobalDataFlow.cs:300:33:300:34 | access to parameter x0 : String | GlobalDataFlow.cs:389:16:389:19 | delegate call : String |
| GlobalDataFlow.cs:558:46:558:46 | access to local variable x : String | GlobalDataFlow.cs:81:79:81:79 | x : String | GlobalDataFlow.cs:81:84:81:84 | access to parameter x : String | GlobalDataFlow.cs:558:44:558:47 | delegate call : String |
| GlobalDataFlowStringBuilder.cs:25:35:25:48 | "taint source" : String | GlobalDataFlowStringBuilder.cs:17:64:17:64 | s : String | GlobalDataFlowStringBuilder.cs:19:9:19:10 | [post] access to parameter sb : StringBuilder | GlobalDataFlowStringBuilder.cs:25:31:25:32 | [post] access to local variable sb : StringBuilder |
| GlobalDataFlowStringBuilder.cs:30:35:30:48 | "taint source" : String | GlobalDataFlowStringBuilder.cs:17:64:17:64 | s : String | GlobalDataFlowStringBuilder.cs:19:9:19:10 | [post] access to parameter sb : StringBuilder | GlobalDataFlowStringBuilder.cs:30:31:30:32 | [post] access to local variable sb : StringBuilder |
| Splitting.cs:8:24:8:30 | [b (line 3): false] access to parameter tainted : String | Splitting.cs:16:26:16:26 | x : String | Splitting.cs:16:32:16:32 | access to parameter x : String | Splitting.cs:8:17:8:31 | [b (line 3): false] call to method Return<String> : String |
| Splitting.cs:8:24:8:30 | [b (line 3): true] access to parameter tainted : String | Splitting.cs:16:26:16:26 | x : String | Splitting.cs:16:32:16:32 | access to parameter x : String | Splitting.cs:8:17:8:31 | [b (line 3): true] call to method Return<String> : String |
| Splitting.cs:20:29:20:29 | access to parameter s : String | Splitting.cs:16:26:16:26 | x : String | Splitting.cs:16:32:16:32 | access to parameter x : String | Splitting.cs:20:22:20:30 | call to method Return<String> : String |
@@ -790,7 +790,7 @@ subpaths
| GlobalDataFlow.cs:533:15:533:21 | access to field field | GlobalDataFlow.cs:483:20:483:33 | "taint source" : String | GlobalDataFlow.cs:533:15:533:21 | access to field field | access to field field |
| GlobalDataFlow.cs:539:15:539:22 | access to field field | GlobalDataFlow.cs:483:20:483:33 | "taint source" : String | GlobalDataFlow.cs:539:15:539:22 | access to field field | access to field field |
| GlobalDataFlow.cs:547:15:547:21 | access to field field | GlobalDataFlow.cs:483:20:483:33 | "taint source" : String | GlobalDataFlow.cs:547:15:547:21 | access to field field | access to field field |
| GlobalDataFlowStringBuilder.cs:27:15:27:20 | access to local variable sink43 | GlobalDataFlowStringBuilder.cs:25:35:25:48 | "taint source" : String | GlobalDataFlowStringBuilder.cs:27:15:27:20 | access to local variable sink43 | access to local variable sink43 |
| GlobalDataFlowStringBuilder.cs:32:15:32:19 | access to local variable sink0 | GlobalDataFlowStringBuilder.cs:30:35:30:48 | "taint source" : String | GlobalDataFlowStringBuilder.cs:32:15:32:19 | access to local variable sink0 | access to local variable sink0 |
| Splitting.cs:9:15:9:15 | [b (line 3): false] access to local variable x | Splitting.cs:3:28:3:34 | tainted : String | Splitting.cs:9:15:9:15 | [b (line 3): false] access to local variable x | [b (line 3): false] access to local variable x |
| Splitting.cs:9:15:9:15 | [b (line 3): true] access to local variable x | Splitting.cs:3:28:3:34 | tainted : String | Splitting.cs:9:15:9:15 | [b (line 3): true] access to local variable x | [b (line 3): true] access to local variable x |
| Splitting.cs:11:19:11:19 | access to local variable x | Splitting.cs:3:28:3:34 | tainted : String | Splitting.cs:11:19:11:19 | access to local variable x | access to local variable x |