hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-04 13:15:21 +02:00
Code Issues Packages Projects Releases Wiki Activity

C#: Upgrade libraries and queries to use the new Operation classes.

Browse Source
This commit is contained in:
Michael Nebel
2026-03-20 13:00:33 +01:00
parent 149df86ce2
commit 51673312c5
27 changed files with 138 additions and 108 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
csharp/ql/campaigns/Solorigate/src/ModifiedFnvFunctionDetection.ql
View File

@@ -16,16 +16,9 @@ import experimental.code.csharp.Cryptography.NonCryptographicHashes
from Variable v, Literal l, LoopStmt loop, Expr additional_xor
where
maybeUsedInFnvFunction(v, _, _, loop) and
(
exists(BitwiseXorExpr xor2 | xor2.getAnOperand() = l and additional_xor = xor2 |
loop.getAControlFlowExitNode().getASuccessor*() = xor2.getAControlFlowNode() and
xor2.getAnOperand() = v.getAnAccess()
)
or
exists(AssignXorExpr xor2 | xor2.getAnOperand() = l and additional_xor = xor2 |
loop.getAControlFlowExitNode().getASuccessor*() = xor2.getAControlFlowNode() and
xor2.getAnOperand() = v.getAnAccess()
)
exists(BitwiseXorOperation xor2 | xor2.getAnOperand() = l and additional_xor = xor2 |
loop.getAControlFlowExitNode().getASuccessor*() = xor2.getAControlFlowNode() and
xor2.getAnOperand() = v.getAnAccess()
)
select l, "This literal is used in an $@ after an FNV-like hash calculation with variable $@.",
additional_xor, "additional xor", v, v.toString()

2
csharp/ql/lib/experimental/code/csharp/Cryptography/NonCryptographicHashes.qll
View File

@@ -48,7 +48,7 @@ private predicate maybeUsedInElfHashFunction(Variable v, Operation xor, Operatio
Expr e1, Expr e2, AssignExpr addAssign, AssignExpr xorAssign, Operation notOp,
AssignExpr notAssign
|
(add instanceof AddExpr or add instanceof AssignAddExpr) and
add instanceof AddOperation and
e1.getAChild*() = add.getAnOperand() and
e1 instanceof BinaryBitwiseOperation and
e2 = e1.(BinaryBitwiseOperation).getLeftOperand() and

5
csharp/ql/lib/semmle/code/csharp/commons/Strings.qll
View File

@@ -49,6 +49,11 @@ class ImplicitToStringExpr extends Expr {
this = add.getOtherOperand(o).stripImplicit()
)
or
exists(AssignAddExpr add, Expr o | o = add.getLeftOperand() |
o.stripImplicit().getType() instanceof StringType and
this = add.getRightOperand().stripImplicit()
)
or
this = any(InterpolatedStringExpr ise).getAnInsert().stripImplicit()
}
}

37
csharp/ql/lib/semmle/code/csharp/controlflow/Guards.qll
View File

@@ -119,14 +119,14 @@ private module GuardsInput implements
class AndExpr extends BinExpr {
AndExpr() {
this instanceof LogicalAndExpr or
this instanceof BitwiseAndExpr
this instanceof BitwiseAndOperation
}
}
class OrExpr extends BinExpr {
OrExpr() {
this instanceof LogicalOrExpr or
this instanceof BitwiseOrExpr
this instanceof BitwiseOrOperation
}
}
@@ -292,7 +292,7 @@ private module LogicInput implements GuardsImpl::LogicInputSig {
v1.isNonNullValue() and
v2 = v1
or
g2 = g1.(NullCoalescingExpr).getAnOperand() and
g2 = g1.(NullCoalescingOperation).getAnOperand() and
v1.isNullValue() and
v2 = v1
or
@@ -840,14 +840,14 @@ module Internal {
or
e1 = e2.(Cast).getExpr()
or
e2 = e1.(NullCoalescingExpr).getAnOperand()
e2 = e1.(NullCoalescingOperation).getAnOperand()
}
/** Holds if expression `e3` is a `null` value whenever `e1` and `e2` are. */
predicate nullValueImpliedBinary(Expr e1, Expr e2, Expr e3) {
e3 = any(ConditionalExpr ce | e1 = ce.getThen() and e2 = ce.getElse())
or
e3 = any(NullCoalescingExpr nce | e1 = nce.getLeftOperand() and e2 = nce.getRightOperand())
e3 = any(NullCoalescingOperation no | e1 = no.getLeftOperand() and e2 = no.getRightOperand())
}
predicate nullValueImplied(Expr e) {
@@ -907,7 +907,7 @@ module Internal {
or
// "In string concatenation operations, the C# compiler treats a null string the same as an empty string."
// (https://docs.microsoft.com/en-us/dotnet/csharp/how-to/concatenate-multiple-strings)
e instanceof AddExpr and
e instanceof AddOperation and
e.getType() instanceof StringType
or
e.(DefaultValueExpr).getType().isValueType()
@@ -922,11 +922,9 @@ module Internal {
/** Holds if expression `e2` is a non-`null` value whenever `e1` is. */
predicate nonNullValueImpliedUnary(Expr e1, Expr e2) {
e1 = e2.(CastExpr).getExpr()
or
e1 = e2.(AssignExpr).getRValue()
or
e1 = e2.(NullCoalescingExpr).getAnOperand()
e1 = e2.(CastExpr).getExpr() or
e1 = e2.(AssignExpr).getRValue() or
e1 = e2.(NullCoalescingOperation).getAnOperand()
}
/**
@@ -953,10 +951,13 @@ module Internal {
)
or
// In C#, `null + 1` has type `int?` with value `null`
exists(BinaryArithmeticOperation bao, Expr o |
result = bao and
bao.getAnOperand() = e and
bao.getAnOperand() = o and
exists(BinaryOperation bo, Expr o |
bo instanceof BinaryArithmeticOperation or
bo instanceof AssignArithmeticOperation
|
result = bo and
bo.getAnOperand() = e and
bo.getAnOperand() = o and
// The other operand must be provably non-null in order
// for `only if` to hold
nonNullValueImplied(o) and
@@ -972,10 +973,10 @@ module Internal {
any(QualifiableExpr qe |
qe.isConditional() and
result = qe.getQualifier()
)
or
) or
// In C#, `null + 1` has type `int?` with value `null`
e = any(BinaryArithmeticOperation bao | result = bao.getAnOperand())
e = any(BinaryArithmeticOperation bao | result = bao.getAnOperand()) or
e = any(AssignArithmeticOperation aao | result = aao.getAnOperand())
}
deprecated predicate isGuard(Expr e, GuardValue val) {

16
csharp/ql/lib/semmle/code/csharp/controlflow/internal/Completion.qll
View File

@@ -344,7 +344,7 @@ private class TriedControlFlowElement extends ControlFlowElement {
result instanceof SystemOutOfMemoryExceptionClass
or
this =
any(AddExpr ae |
any(AddOperation ae |
ae.getType() instanceof StringType and
result instanceof SystemOutOfMemoryExceptionClass
or
@@ -353,24 +353,24 @@ private class TriedControlFlowElement extends ControlFlowElement {
)
or
this =
any(SubExpr se |
any(SubOperation se |
se.getType() instanceof IntegralType and
result instanceof SystemOverflowExceptionClass
)
or
this =
any(MulExpr me |
any(MulOperation me |
me.getType() instanceof IntegralType and
result instanceof SystemOverflowExceptionClass
)
or
this =
any(DivExpr de |
any(DivOperation de |
not de.getDenominator().getValue().toFloat() != 0 and
result instanceof SystemDivideByZeroExceptionClass
)
or
this instanceof RemExpr and
this instanceof RemOperation and
result instanceof SystemDivideByZeroExceptionClass
or
this instanceof DynamicExpr and
@@ -447,7 +447,7 @@ private predicate inBooleanContext(Expr e) {
e in [ce.getThen(), ce.getElse()]
)
or
e = any(NullCoalescingExpr nce | inBooleanContext(nce)).getAnOperand()
e = any(NullCoalescingOperation nce | inBooleanContext(nce)).getAnOperand()
or
e = any(SwitchExpr se | inBooleanContext(se)).getACase()
or
@@ -467,13 +467,13 @@ private predicate mustHaveNullnessCompletion(Expr e) {
* that `e` evaluates to determines a `null`/non-`null` branch successor.
*/
private predicate inNullnessContext(Expr e) {
e = any(NullCoalescingExpr nce).getLeftOperand()
e = any(NullCoalescingOperation nce).getLeftOperand()
or
exists(QualifiableExpr qe | qe.isConditional() | e = qe.getChildExpr(-1))
or
exists(ConditionalExpr ce | inNullnessContext(ce) | (e = ce.getThen() or e = ce.getElse()))
or
exists(NullCoalescingExpr nce | inNullnessContext(nce) | e = nce.getRightOperand())
exists(NullCoalescingOperation nce | inNullnessContext(nce) | e = nce.getRightOperand())
or
e = any(SwitchExpr se | inNullnessContext(se)).getACase()
or

2
csharp/ql/lib/semmle/code/csharp/controlflow/internal/Splitting.qll
View File

@@ -95,7 +95,7 @@ module ConditionalCompletionSplitting {
child = parent.(SwitchCaseExpr).getBody()
or
parent =
any(NullCoalescingExpr nce |
any(NullCoalescingOperation nce |
if childCompletion instanceof NullnessCompletion
then child = nce.getRightOperand()
else child = nce.getAnOperand()

2
csharp/ql/lib/semmle/code/csharp/dataflow/Nullness.qll
View File

@@ -42,7 +42,7 @@ private Expr maybeNullExpr(Expr reason) {
ce.getElse() = maybeNullExpr(reason)
)
or
result.(NullCoalescingExpr).getRightOperand() = maybeNullExpr(reason)
result.(NullCoalescingOperation).getRightOperand() = maybeNullExpr(reason)
or
result =
any(QualifiableExpr qe |

4
csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll
View File

@@ -512,7 +512,7 @@ module LocalFlow {
predicate localExprStep(Expr e1, Expr e2) {
e1 = e2.(ParenthesizedExpr).getExpr()
or
e1 = e2.(NullCoalescingExpr).getAnOperand()
e1 = e2.(NullCoalescingOperation).getAnOperand()
or
e1 = e2.(SuppressNullableWarningExpr).getExpr()
or
@@ -623,7 +623,7 @@ module LocalFlow {
(
e instanceof ConditionalExpr or
e instanceof Cast or
e instanceof NullCoalescingExpr or
e instanceof NullCoalescingOperation or
e instanceof SwitchExpr or
e instanceof SuppressNullableWarningExpr or
e instanceof AssignExpr

2
csharp/ql/lib/semmle/code/csharp/dataflow/internal/TaintTrackingPrivate.qll
View File

@@ -47,7 +47,7 @@ predicate defaultImplicitTaintRead(DataFlow::Node node, DataFlow::ContentSet c)
private predicate localTaintExprStep(Expr e1, Expr e2) {
e1 = e2.(ElementAccess).getQualifier()
or
e1 = e2.(AddExpr).getAnOperand()
e1 = e2.(AddOperation).getAnOperand()
or
// A comparison expression where taint can flow from one of the
// operands if the other operand is a constant value.

12
csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/ModulusAnalysisSpecific.qll
View File

@@ -20,17 +20,17 @@ module Private {
class ConditionalExpr = RU::ExprNode::ConditionalExpr;
class AddExpr = RU::ExprNode::AddExpr;
class AddExpr = RU::ExprNode::AddOperation;
class SubExpr = RU::ExprNode::SubExpr;
class SubExpr = RU::ExprNode::SubOperation;
class RemExpr = RU::ExprNode::RemExpr;
class RemExpr = RU::ExprNode::RemOperation;
class BitwiseAndExpr = RU::ExprNode::BitwiseAndExpr;
class BitwiseAndExpr = RU::ExprNode::BitwiseAndOperation;
class MulExpr = RU::ExprNode::MulExpr;
class MulExpr = RU::ExprNode::MulOperation;
class LeftShiftExpr = RU::ExprNode::LeftShiftExpr;
class LeftShiftExpr = RU::ExprNode::LeftShiftOperation;
predicate guardControlsSsaRead = RU::guardControlsSsaRead/3;

63
csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/RangeUtils.qll
View File

@@ -21,7 +21,11 @@ private module Impl {
/** Holds if SSA definition `def` equals `e + delta`. */
predicate ssaUpdateStep(ExplicitDefinition def, ExprNode e, int delta) {
exists(ControlFlow::Node cfn | cfn = def.getControlFlowNode() |
e = cfn.(ExprNode::Assignment).getRValue() and delta = 0
e = cfn.(ExprNode::Assignment).getRValue() and
delta = 0 and
not cfn instanceof ExprNode::AssignOperation
or
e = cfn.(ExprNode::AssignOperation) and delta = 0
or
e = cfn.(ExprNode::PostIncrExpr).getOperand() and delta = 1
or
@@ -48,15 +52,15 @@ private module Impl {
e2.(ExprNode::PreDecrExpr).getOperand() = e1 and delta = -1
or
exists(ConstantIntegerExpr x |
e2.(ExprNode::AddExpr).getAnOperand() = e1 and
e2.(ExprNode::AddExpr).getAnOperand() = x and
e2.(ExprNode::AddOperation).getAnOperand() = e1 and
e2.(ExprNode::AddOperation).getAnOperand() = x and
e1 != x and
x.getIntValue() = delta
)
or
exists(ConstantIntegerExpr x |
e2.(ExprNode::SubExpr).getLeftOperand() = e1 and
e2.(ExprNode::SubExpr).getRightOperand() = x and
e2.(ExprNode::SubOperation).getLeftOperand() = e1 and
e2.(ExprNode::SubOperation).getRightOperand() = x and
x.getIntValue() = -delta
)
or
@@ -218,6 +222,11 @@ module ExprNode {
override CS::AssignExpr e;
}
/** A compound assignment operation. */
class AssignOperation extends Assignment, BinaryOperation {
override CS::AssignOperation e;
}
/** A unary operation. */
class UnaryOperation extends ExprNode {
override CS::UnaryOperation e;
@@ -309,78 +318,78 @@ module ExprNode {
}
/** An addition operation. */
class AddExpr extends BinaryOperation {
override CS::AddExpr e;
class AddOperation extends BinaryOperation {
override CS::AddOperation e;
override TAddOp getOp() { any() }
}
/** A subtraction operation. */
class SubExpr extends BinaryOperation {
override CS::SubExpr e;
class SubOperation extends BinaryOperation {
override CS::SubOperation e;
override TSubOp getOp() { any() }
}
/** A multiplication operation. */
class MulExpr extends BinaryOperation {
override CS::MulExpr e;
class MulOperation extends BinaryOperation {
override CS::MulOperation e;
override TMulOp getOp() { any() }
}
/** A division operation. */
class DivExpr extends BinaryOperation {
override CS::DivExpr e;
class DivOperation extends BinaryOperation {
override CS::DivOperation e;
override TDivOp getOp() { any() }
}
/** A remainder operation. */
class RemExpr extends BinaryOperation {
override CS::RemExpr e;
class RemOperation extends BinaryOperation {
override CS::RemOperation e;
override TRemOp getOp() { any() }
}
/** A bitwise-and operation. */
class BitwiseAndExpr extends BinaryOperation {
override CS::BitwiseAndExpr e;
class BitwiseAndOperation extends BinaryOperation {
override CS::BitwiseAndOperation e;
override TBitAndOp getOp() { any() }
}
/** A bitwise-or operation. */
class BitwiseOrExpr extends BinaryOperation {
override CS::BitwiseOrExpr e;
class BitwiseOrOperation extends BinaryOperation {
override CS::BitwiseOrOperation e;
override TBitOrOp getOp() { any() }
}
/** A bitwise-xor operation. */
class BitwiseXorExpr extends BinaryOperation {
override CS::BitwiseXorExpr e;
class BitwiseXorOperation extends BinaryOperation {
override CS::BitwiseXorOperation e;
override TBitXorOp getOp() { any() }
}
/** A left-shift operation. */
class LeftShiftExpr extends BinaryOperation {
override CS::LeftShiftExpr e;
class LeftShiftOperation extends BinaryOperation {
override CS::LeftShiftOperation e;
override TLeftShiftOp getOp() { any() }
}
/** A right-shift operation. */
class RightShiftExpr extends BinaryOperation {
override CS::RightShiftExpr e;
class RightShiftOperation extends BinaryOperation {
override CS::RightShiftOperation e;
override TRightShiftOp getOp() { any() }
}
/** An unsigned right-shift operation. */
class UnsignedRightShiftExpr extends BinaryOperation {
override CS::UnsignedRightShiftExpr e;
class UnsignedRightShiftOperation extends BinaryOperation {
override CS::UnsignedRightShiftOperation e;
override TUnsignedRightShiftOp getOp() { any() }
}

7
csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SignAnalysisSpecific.qll
View File

@@ -41,7 +41,7 @@ module Private {
class RealLiteral = RU::ExprNode::RealLiteral;
class DivExpr = RU::ExprNode::DivExpr;
class DivExpr = RU::ExprNode::DivOperation;
class UnaryOperation = RU::ExprNode::UnaryOperation;
@@ -130,6 +130,11 @@ private module Impl {
adef = def.getADefinition() and
hasChild(adef.getExpr(), adef.getSource(), def.getControlFlowNode(), result)
)
or
exists(AssignableDefinitions::AssignOperationDefinition adef |
adef = def.getADefinition() and
result.getExpr() = adef.getSource()
)
}
/** Holds if `def` can have any sign. */

4
csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaUtils.qll
View File

@@ -29,7 +29,7 @@ ExprNode getAnExplicitDefinitionRead(ExprNode src) {
ExprNode ssaRead(Definition v, int delta) {
exists(v.getAReadAtNode(result)) and delta = 0
or
exists(ExprNode::AddExpr add, int d1, ConstantIntegerExpr c |
exists(ExprNode::AddOperation add, int d1, ConstantIntegerExpr c |
result = add and
delta = d1 - c.getIntValue()
|
@@ -38,7 +38,7 @@ ExprNode ssaRead(Definition v, int delta) {
add.getRightOperand() = ssaRead(v, d1) and add.getLeftOperand() = c
)
or
exists(ExprNode::SubExpr sub, int d1, ConstantIntegerExpr c |
exists(ExprNode::SubOperation sub, int d1, ConstantIntegerExpr c |
result = sub and
sub.getLeftOperand() = ssaRead(v, d1) and
sub.getRightOperand() = c and

2
csharp/ql/lib/semmle/code/csharp/frameworks/system/Xml.qll
View File

@@ -131,7 +131,7 @@ class SystemXmlSchemaXmlSchemaValidationFlags extends EnumConstant {
}
}
private Expr getBitwiseOrOperand(Expr e) { result = e.(BitwiseOrExpr).getAnOperand() }
private Expr getBitwiseOrOperand(Expr e) { result = e.(BitwiseOrOperation).getAnOperand() }
/** A creation of an instance of `System.Xml.XmlReaderSettings`. */
class XmlReaderSettingsCreation extends ObjectCreation {

2
csharp/ql/lib/semmle/code/csharp/metrics/Complexity.qll
View File

@@ -32,7 +32,7 @@ private predicate branchingExpr(Expr expr) {
expr instanceof ConditionalExpr or
expr instanceof LogicalAndExpr or
expr instanceof LogicalOrExpr or
expr instanceof NullCoalescingExpr
expr instanceof NullCoalescingOperation
}
/**

4
csharp/ql/src/Bad Practices/Control-Flow/ConstantCondition.ql
View File

@@ -43,7 +43,7 @@ module ConstCondImpl = ConstCond::Make<Location, Cfg, ConstCondInput>;
predicate nullCheck(Expr e, boolean direct) {
exists(QualifiableExpr qe | qe.isConditional() and qe.getQualifier() = e and direct = true)
or
exists(NullCoalescingExpr nce | nce.getLeftOperand() = e and direct = true)
exists(NullCoalescingOperation nce | nce.getLeftOperand() = e and direct = true)
or
exists(ConditionalExpr ce | ce.getThen() = e or ce.getElse() = e |
nullCheck(ce, _) and direct = false
@@ -114,7 +114,7 @@ class ConstantBooleanCondition extends ConstantCondition {
override predicate isWhiteListed() {
// E.g. `x ?? false`
this.(BoolLiteral) = any(NullCoalescingExpr nce).getRightOperand() or
this.(BoolLiteral) = any(NullCoalescingOperation nce).getRightOperand() or
// No need to flag logical operations when the operands are constant
isConstantCondition(this.(LogicalNotExpr).getOperand(), _) or
this =

29
csharp/ql/src/Complexity/ComplexCondition.ql
View File

@@ -12,19 +12,38 @@
import csharp
predicate nontrivialLogicalOperator(BinaryLogicalOperation e) {
not exists(BinaryLogicalOperation parent |
abstract class RelevantBinaryOperations extends Operation { }
private class AddBinaryLogicalOperationRelevantBinaryOperations extends RelevantBinaryOperations,
BinaryLogicalOperation
{ }
private class AddAssignCoalesceExprRelevantBinaryOperations extends RelevantBinaryOperations,
AssignCoalesceExpr
{ }
abstract class RelevantOperations extends Operation { }
private class AddLogicalOperationRelevantOperations extends RelevantOperations, LogicalOperation { }
private class AddAssignCoalesceExprRelevantOperations extends RelevantOperations, AssignCoalesceExpr
{ }
predicate nontrivialLogicalOperator(RelevantBinaryOperations e) {
not exists(RelevantBinaryOperations parent |
parent = e.getParent() and
parent.getOperator() = e.getOperator()
)
}
predicate logicalParent(LogicalOperation op, LogicalOperation parent) { parent = op.getParent() }
predicate logicalParent(RelevantOperations op, RelevantOperations parent) {
parent = op.getParent()
}
from Expr e, int operators
where
not e.getParent() instanceof LogicalOperation and
not e.getParent() instanceof RelevantOperations and
operators =
count(BinaryLogicalOperation op | logicalParent*(op, e) and nontrivialLogicalOperator(op)) and
count(RelevantBinaryOperations op | logicalParent*(op, e) and nontrivialLogicalOperator(op)) and
operators > 3
select e, "Complex condition: too many logical operations in this expression."

2
csharp/ql/src/Dead Code/DeadStoreOfLocal.ql
View File

@@ -84,6 +84,8 @@ class RelevantDefinition extends AssignableDefinition {
)
or
this instanceof AssignableDefinitions::PatternDefinition
or
this instanceof AssignableDefinitions::AssignOperationDefinition
}
/** Holds if this assignment may be live. */

12
csharp/ql/src/Language Abuse/UselessNullCoalescingExpression.ql
View File

@@ -17,20 +17,20 @@ import semmle.code.csharp.commons.StructuralComparison
pragma[noinline]
private predicate same(AssignableAccess x, AssignableAccess y) {
exists(NullCoalescingExpr nce |
x = nce.getLeftOperand() and
y = nce.getRightOperand().getAChildExpr*()
exists(NullCoalescingOperation nc |
x = nc.getLeftOperand() and
y = nc.getRightOperand().getAChildExpr*()
) and
sameGvn(x, y)
}
private predicate uselessNullCoalescingExpr(NullCoalescingExpr nce) {
private predicate uselessNullCoalescingOperation(NullCoalescingOperation nce) {
exists(AssignableAccess x |
nce.getLeftOperand() = x and
forex(AssignableAccess y | same(x, y) | y instanceof AssignableRead and not y.isRefArgument())
)
}
from NullCoalescingExpr nce
where uselessNullCoalescingExpr(nce)
from NullCoalescingOperation nce
where uselessNullCoalescingOperation(nce)
select nce, "Both operands of this null-coalescing expression access the same variable or property."

4
csharp/ql/src/Likely Bugs/Collections/WriteOnlyContainer.ql
View File

@@ -23,7 +23,9 @@ where
) and
forex(Access a | a = v.getAnAccess() |
a = any(ModifierMethodCall m).getQualifier() or
a = any(Assignment ass | ass.getRValue() instanceof ObjectCreation).getLValue()
a = any(AssignExpr ass | ass.getRValue() instanceof ObjectCreation).getLValue() or
a =
any(LocalVariableDeclAndInitExpr ass | ass.getRValue() instanceof ObjectCreation).getLValue()
) and
not v = any(ForeachStmt fs).getVariable() and
not v = any(BindingPatternExpr vpe).getVariableDeclExpr().getVariable() and

1
csharp/ql/src/Likely Bugs/DangerousNonShortCircuitLogic.ql
View File

@@ -23,7 +23,6 @@ class NonShortCircuit extends BinaryBitwiseOperation {
or
this instanceof BitwiseOrExpr
) and
not exists(AssignBitwiseOperation abo | abo.getExpandedAssignment().getRValue() = this) and
this.getLeftOperand().getType() instanceof BoolType and
this.getRightOperand().getType() instanceof BoolType
}

8
csharp/ql/src/Likely Bugs/PossibleLossOfPrecision.ql
View File

@@ -27,13 +27,13 @@ predicate convertedToFloatOrDecimal(Expr e, Type t) {
t instanceof DecimalType
)
or
exists(BinaryArithmeticOperation op |
exists(BinaryOperation op |
op.getAnOperand() = e and
convertedToFloatOrDecimal(op, t)
|
op instanceof AddExpr or
op instanceof SubExpr or
op instanceof MulExpr
op instanceof AddOperation or
op instanceof SubOperation or
op instanceof MulOperation
)
}

1
csharp/ql/src/Performance/StringConcatenationInLoop.ql
View File

@@ -23,7 +23,6 @@ class StringCat extends AddExpr {
* where `v` is a simple variable (and not, for example, a property).
*/
predicate isSelfConcatAssignExpr(AssignExpr e, Variable v) {
not e = any(AssignAddExpr a).getExpandedAssignment() and
exists(VariableAccess use |
stringCatContains(e.getRValue(), use) and
use.getTarget() = e.getTargetVariable() and

2
csharp/ql/src/Security Features/CWE-119/LocalUnvalidatedArithmetic.ql
View File

@@ -18,7 +18,7 @@
import csharp
import semmle.code.csharp.controlflow.Guards
from AddExpr add, VirtualMethodCall taintSrc
from AddOperation add, VirtualMethodCall taintSrc
where
// `add` is performing pointer arithmetic
add.getType() instanceof PointerType and

6
csharp/ql/src/Security Features/InsecureRandomness.ql
View File

@@ -89,11 +89,7 @@ module Random {
e = any(SensitiveLibraryParameter v).getAnAssignedArgument()
or
// Assignment operation, e.g. += or similar
exists(AssignOperation ao |
ao.getRValue() = e and
// "expanded" assignments will be covered by simple assignment
not ao.hasExpandedAssignment()
|
exists(AssignOperation ao | ao.getRValue() = e |
ao.getLValue() = any(SensitiveVariable v).getAnAccess() or
ao.getLValue() = any(SensitiveProperty v).getAnAccess() or
ao.getLValue() = any(SensitiveLibraryParameter v).getAnAccess()

2
csharp/ql/src/experimental/CWE-918/RequestForgery.qll
View File

@@ -211,7 +211,7 @@ module RequestForgery {
}
private predicate stringConcatStep(DataFlow::Node prev, DataFlow::Node succ) {
exists(AddExpr a |
exists(AddOperation a |
a.getLeftOperand() = prev.asExpr()
or
a.getRightOperand() = prev.asExpr() and

2
csharp/ql/src/experimental/Security Features/CWE-759/HashWithoutSalt.ql
View File

@@ -174,7 +174,7 @@ module HashWithoutSaltConfig implements DataFlow::ConfigSig {
mc.getAnArgument() = node.asExpr()
)
or
exists(AddExpr e | node.asExpr() = e.getAnOperand()) // password+salt
exists(AddOperation e | node.asExpr() = e.getAnOperand()) // password+salt
or
exists(InterpolatedStringExpr e | node.asExpr() = e.getAnInsert())
or