mirror of
https://github.com/github/codeql.git
synced 2025-12-18 01:33:15 +01:00
C#: Add missing data-flow for switch expressions
This commit is contained in:
Tom Hvitved
@@ -171,6 +171,10 @@ module LocalFlow {
|
|||||||
e1 = e2.(ArrayCreation).getInitializer() and
|
e1 = e2.(ArrayCreation).getInitializer() and
|
||||||
scope = e2 and
|
scope = e2 and
|
||||||
isSuccessor = false
|
isSuccessor = false
|
||||||
|
or
|
||||||
|
e1 = e2.(SwitchExpr).getACase().getBody() and
|
||||||
|
scope = e2 and
|
||||||
|
isSuccessor = false
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@@ -60,3 +60,5 @@
|
|||||||
| Splitting.cs:34:19:34:19 | access to local variable x |
|
| Splitting.cs:34:19:34:19 | access to local variable x |
|
||||||
| Splitting.cs:41:19:41:19 | access to local variable s |
|
| Splitting.cs:41:19:41:19 | access to local variable s |
|
||||||
| Splitting.cs:43:19:43:19 | access to local variable s |
|
| Splitting.cs:43:19:43:19 | access to local variable s |
|
||||||
|
| Splitting.cs:50:19:50:19 | access to local variable s |
|
||||||
|
| Splitting.cs:52:19:52:19 | access to local variable s |
|
||||||
|
|||||||
@@ -242,6 +242,8 @@ edges
|
|||||||
| Splitting.cs:31:19:31:25 | [b (line 24): true] access to parameter tainted : String | Splitting.cs:31:17:31:26 | [b (line 24): true] dynamic access to element : String |
|
| Splitting.cs:31:19:31:25 | [b (line 24): true] access to parameter tainted : String | Splitting.cs:31:17:31:26 | [b (line 24): true] dynamic access to element : String |
|
||||||
| Splitting.cs:39:21:39:34 | [b (line 37): true] "taint source" : String | Splitting.cs:41:19:41:19 | access to local variable s |
|
| Splitting.cs:39:21:39:34 | [b (line 37): true] "taint source" : String | Splitting.cs:41:19:41:19 | access to local variable s |
|
||||||
| Splitting.cs:39:21:39:34 | [b (line 37): true] "taint source" : String | Splitting.cs:43:19:43:19 | access to local variable s |
|
| Splitting.cs:39:21:39:34 | [b (line 37): true] "taint source" : String | Splitting.cs:43:19:43:19 | access to local variable s |
|
||||||
|
| Splitting.cs:48:36:48:49 | "taint source" : String | Splitting.cs:50:19:50:19 | access to local variable s |
|
||||||
|
| Splitting.cs:48:36:48:49 | "taint source" : String | Splitting.cs:52:19:52:19 | access to local variable s |
|
||||||
nodes
|
nodes
|
||||||
| Capture.cs:7:20:7:26 | tainted : String | semmle.label | tainted : String |
|
| Capture.cs:7:20:7:26 | tainted : String | semmle.label | tainted : String |
|
||||||
| Capture.cs:12:19:12:24 | access to local variable sink27 | semmle.label | access to local variable sink27 |
|
| Capture.cs:12:19:12:24 | access to local variable sink27 | semmle.label | access to local variable sink27 |
|
||||||
@@ -448,6 +450,9 @@ nodes
|
|||||||
| Splitting.cs:39:21:39:34 | [b (line 37): true] "taint source" : String | semmle.label | [b (line 37): true] "taint source" : String |
|
| Splitting.cs:39:21:39:34 | [b (line 37): true] "taint source" : String | semmle.label | [b (line 37): true] "taint source" : String |
|
||||||
| Splitting.cs:41:19:41:19 | access to local variable s | semmle.label | access to local variable s |
|
| Splitting.cs:41:19:41:19 | access to local variable s | semmle.label | access to local variable s |
|
||||||
| Splitting.cs:43:19:43:19 | access to local variable s | semmle.label | access to local variable s |
|
| Splitting.cs:43:19:43:19 | access to local variable s | semmle.label | access to local variable s |
|
||||||
|
| Splitting.cs:48:36:48:49 | "taint source" : String | semmle.label | "taint source" : String |
|
||||||
|
| Splitting.cs:50:19:50:19 | access to local variable s | semmle.label | access to local variable s |
|
||||||
|
| Splitting.cs:52:19:52:19 | access to local variable s | semmle.label | access to local variable s |
|
||||||
#select
|
#select
|
||||||
| Splitting.cs:32:15:32:15 | [b (line 24): false] access to local variable x | Splitting.cs:24:28:24:34 | tainted : String | Splitting.cs:32:15:32:15 | [b (line 24): false] access to local variable x | [b (line 24): false] access to local variable x |
|
| Splitting.cs:32:15:32:15 | [b (line 24): false] access to local variable x | Splitting.cs:24:28:24:34 | tainted : String | Splitting.cs:32:15:32:15 | [b (line 24): false] access to local variable x | [b (line 24): false] access to local variable x |
|
||||||
| Splitting.cs:32:15:32:15 | [b (line 24): true] access to local variable x | Splitting.cs:24:28:24:34 | tainted : String | Splitting.cs:32:15:32:15 | [b (line 24): true] access to local variable x | [b (line 24): true] access to local variable x |
|
| Splitting.cs:32:15:32:15 | [b (line 24): true] access to local variable x | Splitting.cs:24:28:24:34 | tainted : String | Splitting.cs:32:15:32:15 | [b (line 24): true] access to local variable x | [b (line 24): true] access to local variable x |
|
||||||
@@ -456,6 +461,8 @@ nodes
|
|||||||
| GlobalDataFlow.cs:19:15:19:29 | access to field SinkField0 | GlobalDataFlow.cs:18:27:18:40 | "taint source" : String | GlobalDataFlow.cs:19:15:19:29 | access to field SinkField0 | access to field SinkField0 |
|
| GlobalDataFlow.cs:19:15:19:29 | access to field SinkField0 | GlobalDataFlow.cs:18:27:18:40 | "taint source" : String | GlobalDataFlow.cs:19:15:19:29 | access to field SinkField0 | access to field SinkField0 |
|
||||||
| Splitting.cs:41:19:41:19 | access to local variable s | Splitting.cs:39:21:39:34 | [b (line 37): true] "taint source" : String | Splitting.cs:41:19:41:19 | access to local variable s | access to local variable s |
|
| Splitting.cs:41:19:41:19 | access to local variable s | Splitting.cs:39:21:39:34 | [b (line 37): true] "taint source" : String | Splitting.cs:41:19:41:19 | access to local variable s | access to local variable s |
|
||||||
| Splitting.cs:43:19:43:19 | access to local variable s | Splitting.cs:39:21:39:34 | [b (line 37): true] "taint source" : String | Splitting.cs:43:19:43:19 | access to local variable s | access to local variable s |
|
| Splitting.cs:43:19:43:19 | access to local variable s | Splitting.cs:39:21:39:34 | [b (line 37): true] "taint source" : String | Splitting.cs:43:19:43:19 | access to local variable s | access to local variable s |
|
||||||
|
| Splitting.cs:50:19:50:19 | access to local variable s | Splitting.cs:48:36:48:49 | "taint source" : String | Splitting.cs:50:19:50:19 | access to local variable s | access to local variable s |
|
||||||
|
| Splitting.cs:52:19:52:19 | access to local variable s | Splitting.cs:48:36:48:49 | "taint source" : String | Splitting.cs:52:19:52:19 | access to local variable s | access to local variable s |
|
||||||
| GlobalDataFlow.cs:72:15:72:19 | access to local variable sink0 | GlobalDataFlow.cs:18:27:18:40 | "taint source" : String | GlobalDataFlow.cs:72:15:72:19 | access to local variable sink0 | access to local variable sink0 |
|
| GlobalDataFlow.cs:72:15:72:19 | access to local variable sink0 | GlobalDataFlow.cs:18:27:18:40 | "taint source" : String | GlobalDataFlow.cs:72:15:72:19 | access to local variable sink0 | access to local variable sink0 |
|
||||||
| GlobalDataFlow.cs:74:15:74:19 | access to local variable sink1 | GlobalDataFlow.cs:18:27:18:40 | "taint source" : String | GlobalDataFlow.cs:74:15:74:19 | access to local variable sink1 | access to local variable sink1 |
|
| GlobalDataFlow.cs:74:15:74:19 | access to local variable sink1 | GlobalDataFlow.cs:18:27:18:40 | "taint source" : String | GlobalDataFlow.cs:74:15:74:19 | access to local variable sink1 | access to local variable sink1 |
|
||||||
| GlobalDataFlow.cs:191:15:191:20 | access to local variable sink10 | GlobalDataFlow.cs:338:16:338:29 | "taint source" : String | GlobalDataFlow.cs:191:15:191:20 | access to local variable sink10 | access to local variable sink10 |
|
| GlobalDataFlow.cs:191:15:191:20 | access to local variable sink10 | GlobalDataFlow.cs:338:16:338:29 | "taint source" : String | GlobalDataFlow.cs:191:15:191:20 | access to local variable sink10 | access to local variable sink10 |
|
||||||
|
|||||||
@@ -47,8 +47,8 @@ class Splitting
|
|||||||
{
|
{
|
||||||
var s = b switch { true => "taint source", false => "not tainted" };
|
var s = b switch { true => "taint source", false => "not tainted" };
|
||||||
if (b)
|
if (b)
|
||||||
Check(s); // flow [MISSING]
|
Check(s); // flow
|
||||||
else
|
else
|
||||||
Check(s); // no flow
|
Check(s); // no flow [FALSE POSITIVE]
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -64,3 +64,5 @@
|
|||||||
| Splitting.cs:34:19:34:19 | access to local variable x |
|
| Splitting.cs:34:19:34:19 | access to local variable x |
|
||||||
| Splitting.cs:41:19:41:19 | access to local variable s |
|
| Splitting.cs:41:19:41:19 | access to local variable s |
|
||||||
| Splitting.cs:43:19:43:19 | access to local variable s |
|
| Splitting.cs:43:19:43:19 | access to local variable s |
|
||||||
|
| Splitting.cs:50:19:50:19 | access to local variable s |
|
||||||
|
| Splitting.cs:52:19:52:19 | access to local variable s |
|
||||||
|
|||||||
@@ -249,6 +249,8 @@ edges
|
|||||||
| Splitting.cs:31:19:31:25 | [b (line 24): true] access to parameter tainted : String | Splitting.cs:31:17:31:26 | [b (line 24): true] dynamic access to element : String |
|
| Splitting.cs:31:19:31:25 | [b (line 24): true] access to parameter tainted : String | Splitting.cs:31:17:31:26 | [b (line 24): true] dynamic access to element : String |
|
||||||
| Splitting.cs:39:21:39:34 | [b (line 37): true] "taint source" : String | Splitting.cs:41:19:41:19 | access to local variable s |
|
| Splitting.cs:39:21:39:34 | [b (line 37): true] "taint source" : String | Splitting.cs:41:19:41:19 | access to local variable s |
|
||||||
| Splitting.cs:39:21:39:34 | [b (line 37): true] "taint source" : String | Splitting.cs:43:19:43:19 | access to local variable s |
|
| Splitting.cs:39:21:39:34 | [b (line 37): true] "taint source" : String | Splitting.cs:43:19:43:19 | access to local variable s |
|
||||||
|
| Splitting.cs:48:36:48:49 | "taint source" : String | Splitting.cs:50:19:50:19 | access to local variable s |
|
||||||
|
| Splitting.cs:48:36:48:49 | "taint source" : String | Splitting.cs:52:19:52:19 | access to local variable s |
|
||||||
nodes
|
nodes
|
||||||
| Capture.cs:7:20:7:26 | tainted : String | semmle.label | tainted : String |
|
| Capture.cs:7:20:7:26 | tainted : String | semmle.label | tainted : String |
|
||||||
| Capture.cs:12:19:12:24 | access to local variable sink27 | semmle.label | access to local variable sink27 |
|
| Capture.cs:12:19:12:24 | access to local variable sink27 | semmle.label | access to local variable sink27 |
|
||||||
@@ -462,6 +464,9 @@ nodes
|
|||||||
| Splitting.cs:39:21:39:34 | [b (line 37): true] "taint source" : String | semmle.label | [b (line 37): true] "taint source" : String |
|
| Splitting.cs:39:21:39:34 | [b (line 37): true] "taint source" : String | semmle.label | [b (line 37): true] "taint source" : String |
|
||||||
| Splitting.cs:41:19:41:19 | access to local variable s | semmle.label | access to local variable s |
|
| Splitting.cs:41:19:41:19 | access to local variable s | semmle.label | access to local variable s |
|
||||||
| Splitting.cs:43:19:43:19 | access to local variable s | semmle.label | access to local variable s |
|
| Splitting.cs:43:19:43:19 | access to local variable s | semmle.label | access to local variable s |
|
||||||
|
| Splitting.cs:48:36:48:49 | "taint source" : String | semmle.label | "taint source" : String |
|
||||||
|
| Splitting.cs:50:19:50:19 | access to local variable s | semmle.label | access to local variable s |
|
||||||
|
| Splitting.cs:52:19:52:19 | access to local variable s | semmle.label | access to local variable s |
|
||||||
#select
|
#select
|
||||||
| Capture.cs:12:19:12:24 | access to local variable sink27 | Capture.cs:7:20:7:26 | tainted : String | Capture.cs:12:19:12:24 | access to local variable sink27 | access to local variable sink27 |
|
| Capture.cs:12:19:12:24 | access to local variable sink27 | Capture.cs:7:20:7:26 | tainted : String | Capture.cs:12:19:12:24 | access to local variable sink27 | access to local variable sink27 |
|
||||||
| Capture.cs:21:23:21:28 | access to local variable sink28 | Capture.cs:7:20:7:26 | tainted : String | Capture.cs:21:23:21:28 | access to local variable sink28 | access to local variable sink28 |
|
| Capture.cs:21:23:21:28 | access to local variable sink28 | Capture.cs:7:20:7:26 | tainted : String | Capture.cs:21:23:21:28 | access to local variable sink28 | access to local variable sink28 |
|
||||||
@@ -529,3 +534,5 @@ nodes
|
|||||||
| Splitting.cs:34:19:34:19 | access to local variable x | Splitting.cs:24:28:24:34 | tainted : String | Splitting.cs:34:19:34:19 | access to local variable x | access to local variable x |
|
| Splitting.cs:34:19:34:19 | access to local variable x | Splitting.cs:24:28:24:34 | tainted : String | Splitting.cs:34:19:34:19 | access to local variable x | access to local variable x |
|
||||||
| Splitting.cs:41:19:41:19 | access to local variable s | Splitting.cs:39:21:39:34 | [b (line 37): true] "taint source" : String | Splitting.cs:41:19:41:19 | access to local variable s | access to local variable s |
|
| Splitting.cs:41:19:41:19 | access to local variable s | Splitting.cs:39:21:39:34 | [b (line 37): true] "taint source" : String | Splitting.cs:41:19:41:19 | access to local variable s | access to local variable s |
|
||||||
| Splitting.cs:43:19:43:19 | access to local variable s | Splitting.cs:39:21:39:34 | [b (line 37): true] "taint source" : String | Splitting.cs:43:19:43:19 | access to local variable s | access to local variable s |
|
| Splitting.cs:43:19:43:19 | access to local variable s | Splitting.cs:39:21:39:34 | [b (line 37): true] "taint source" : String | Splitting.cs:43:19:43:19 | access to local variable s | access to local variable s |
|
||||||
|
| Splitting.cs:50:19:50:19 | access to local variable s | Splitting.cs:48:36:48:49 | "taint source" : String | Splitting.cs:50:19:50:19 | access to local variable s | access to local variable s |
|
||||||
|
| Splitting.cs:52:19:52:19 | access to local variable s | Splitting.cs:48:36:48:49 | "taint source" : String | Splitting.cs:52:19:52:19 | access to local variable s | access to local variable s |
|
||||||
|
|||||||
Reference in New Issue
Block a user