mirror of
https://github.com/github/codeql.git
synced 2026-04-30 11:15:13 +02:00
C#: Treat GetFileName method call as sanitizer
Use the GetFileName call as a sanitizer, rather than an argument to that
call. It is the _result_ of the GetFileName call which should be
considered sanitized. By using the argument, we can spuriously suppress
use-use flow. Consider:
```csharp
var path = Path.Combine(destDir, entry.FullName); // ZipArchiveEntry exposes the entry name as the FullName property
var fileName = Path.GetFileName(path);
log("Extracting " + fileName);
entry.ExtractToFile(path);
```
Previously, the `ExtractToFile(path)` call would not have been flagged,
because the `path` argument to `GetFileName` was considered sanitized,
and that argument formed a use-use pair with the `path` argument to
`ExtractToFile`. Now, this result would be flagged because only the
result of the `GetFileName` call is considered sanitized.
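The Zip Slip pattern the message describes, side by side with a hardened extraction routine, as an added example that is not code from the CodeQL repository or this commit. It assumes a zip file path and a destination directory passed by the caller, uses the `System.IO.Compression` types `ZipFile`, `ZipArchive` and `ZipArchiveEntry` (with `ZipArchiveEntry.FullName` as the entry name), and the `ExtractSafe` method and its containment check are this example's own design, not something the CodeQL query models.

```csharp
// Added example (not part of the github/codeql commit). Demonstrates why only the
// *result* of Path.GetFileName is safe, and what a defensive extractor looks like.
using System;
using System.IO;
using System.IO.Compression;

public static class ZipSlipExample
{
    // Vulnerable: the destination path is built from the attacker-controlled entry
    // name. Path.GetFileName(path) is only used for logging; its result is clean,
    // but `path` itself still carries any "../" components and reaches
    // ExtractToFile. This is the use-use pair the sanitizer change makes CodeQL flag.
    public static void ExtractUnsafe(string zipPath, string destDir)
    {
        using (ZipArchive archive = ZipFile.OpenRead(zipPath))
        {
            foreach (ZipArchiveEntry entry in archive.Entries)
            {
                var path = Path.Combine(destDir, entry.FullName);
                var fileName = Path.GetFileName(path);
                Console.WriteLine("Extracting " + fileName);
                entry.ExtractToFile(path);   // sink: may write outside destDir
            }
        }
    }

    // Hardened: build the destination from the sanitized value (the file name with
    // every directory component stripped) and, as defense in depth, verify that the
    // resolved full path still lies inside the destination directory.
    public static void ExtractSafe(string zipPath, string destDir)
    {
        string root = Path.GetFullPath(destDir);
        string separator = Path.DirectorySeparatorChar.ToString();
        if (!root.EndsWith(separator))
            root += separator; // avoid "/out" matching "/out-other"

        using (ZipArchive archive = ZipFile.OpenRead(zipPath))
        {
            foreach (ZipArchiveEntry entry in archive.Entries)
            {
                if (string.IsNullOrEmpty(entry.Name))
                    continue; // directory entry, nothing to write

                // Sanitized value: GetFileName drops all path separators and "..".
                string fileName = Path.GetFileName(entry.FullName);
                string target = Path.GetFullPath(Path.Combine(root, fileName));

                // Containment check: reject anything that resolved outside root.
                if (!target.StartsWith(root, StringComparison.Ordinal))
                    throw new InvalidOperationException(
                        "Archive entry escapes destination: " + entry.FullName);

                entry.ExtractToFile(target, overwrite: false);
            }
        }
    }
}
```

`ExtractSafe` flattens the archive's directory layout, because the sanitized name is the bare file name; an extractor that must preserve subdirectories cannot rely on `GetFileName` alone and has to keep the `GetFullPath` containment check as its guard. Running a CodeQL Zip Slip query over `ExtractUnsafe` is the situation the commit message describes: the `GetFileName` call no longer sanitizes `path`, so `ExtractToFile(path)` is reported.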
@@ -104,7 +104,7 @@ module ZipSlip {
GetFileNameSanitizer() {
exists(MethodCall mc |
mc.getTarget().hasQualifiedName("System.IO.Path", "GetFileName") |
this.asExpr() = mc.getAnArgument()
this.asExpr() = mc
)
}
}
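Review bot: the hunk changes query results but arrives without a test; the use-use case from the commit message (`var path = Path.Combine(destDir, ...)`, `var fileName = Path.GetFileName(path)`, `entry.ExtractToFile(path)`) should be added to the ZipSlip test suite so that the `ExtractToFile(path)` result is asserted rather than only described, and a change note should accompany a result change of this kind. On the replaced line itself, `this.asExpr() = mc` is the right narrowing: only the call expression is treated as the sanitizer node, so `fileName` stays clean while `path` keeps its taint, which is exactly the behaviour the message asks for; since `hasQualifiedName("System.IO.Path", "GetFileName")` matches every overload, the result of the span-returning overload is sanitized as well, which is consistent with the intent.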