C#: Convert Deserialization tests to use inline expectations.

This commit is contained in:
Michael Nebel
2025-07-03 14:50:19 +02:00
parent 8f8b0428ab
commit 70bf61dc57
21 changed files with 37 additions and 27 deletions


@@ -11,11 +11,11 @@ class DeserializedDelegate
{
var formatter = new BinaryFormatter();
// BAD
var a = (Func<int>)formatter.Deserialize(fs);
var a = (Func<int>)formatter.Deserialize(fs); // $ Alert[cs/deserialized-delegate]
// BAD
var b = (Expression<Func<int>>)formatter.Deserialize(fs);
var b = (Expression<Func<int>>)formatter.Deserialize(fs); // $ Alert[cs/deserialized-delegate]
// BAD
var c = (D)formatter.Deserialize(fs);
var c = (D)formatter.Deserialize(fs); // $ Alert[cs/deserialized-delegate]
// GOOD
var d = (int)formatter.Deserialize(fs);
}
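Review bot: The `// GOOD` label on `var d = (int)formatter.Deserialize(fs);` now stands alone, and under inline expectations the missing marker only says that cs/deserialized-delegate reports nothing there; a reader can easily take it as a statement that the BinaryFormatter call is safe, which the UnsafeDeserialization test in this same commit contradicts by expecting `cs/unsafe-deserialization` on `ds.Deserialize(s)`. Suggest narrowing it to `// GOOD: cast to int, not a delegate (the BinaryFormatter call itself is covered by cs/unsafe-deserialization)`. The retained `// BAD` comments now duplicate the `$ Alert` markers, while the Newtonsoft test converted in the same commit drops its `// BAD`; pick one convention. The enclosing method's signature is above this hunk.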


@@ -1 +1,4 @@
Security Features/CWE-502/DeserializedDelegate.ql
query: Security Features/CWE-502/DeserializedDelegate.ql
postprocess:
- utils/test/PrettyPrintModels.ql
- utils/test/InlineExpectationsTestQuery.ql


@@ -8,7 +8,7 @@ class Bad
{
var formatter = new BinaryFormatter();
// BAD
var f = (Func<int>)formatter.Deserialize(fs);
var f = (Func<int>)formatter.Deserialize(fs); // $ Alert[cs/deserialized-delegate]
return f();
}
}


@@ -7,6 +7,6 @@ class BadBinaryFormatter
{
var ds = new BinaryFormatter();
// BAD
return ds.Deserialize(s);
return ds.Deserialize(s); // $ Alert[cs/unsafe-deserialization]
}
}


@@ -8,6 +8,6 @@ class BadDataContractJsonSerializer
{
var ds = new DataContractJsonSerializer(type);
// BAD
return ds.ReadObject(s);
return ds.ReadObject(s); // $ Alert[cs/unsafe-deserialization]
}
}


@@ -8,6 +8,6 @@ class BadDataContractSerializer
{
var ds = new DataContractSerializer(type);
// BAD
return ds.ReadObject(s);
return ds.ReadObject(s); // $ Alert[cs/unsafe-deserialization]
}
}


@@ -6,11 +6,11 @@ class BadResourceReader
{
public static void Deserialize(Stream s)
{
var ds = new ResourceReader(s);
var ds = new ResourceReader(s); // $ Alert[cs/unsafe-deserialization]
// BAD
var dict = ds.GetEnumerator();
while (dict.MoveNext())
Console.WriteLine(" {0}: '{1}' (Type {2})",
Console.WriteLine(" {0}: '{1}' (Type {2})",
dict.Key, dict.Value, dict.Value.GetType().Name);
ds.Close();
}
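Review bot: The `// BAD` comment and the new expectation now disagree about which statement is the finding: the marker is on `var ds = new ResourceReader(s);` while `// BAD` still sits directly above `var dict = ds.GetEnumerator();`. Move the comment up so it reads `// BAD` followed by `var ds = new ResourceReader(s); // $ Alert[cs/unsafe-deserialization]`, matching how the other tests in this commit label the marked line. The repeated `Console.WriteLine` lines appear to differ only in whitespace, which this rendering does not show.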


@@ -1 +1,4 @@
Security Features/CWE-502/UnsafeDeserialization.ql
query: Security Features/CWE-502/UnsafeDeserialization.ql
postprocess:
- utils/test/PrettyPrintModels.ql
- utils/test/InlineExpectationsTestQuery.ql


@@ -6,6 +6,6 @@ class Bad
{
JavaScriptSerializer sr = new JavaScriptSerializer(new SimpleTypeResolver());
// BAD
return sr.DeserializeObject(s);
return sr.DeserializeObject(s); // $ Alert[cs/unsafe-deserialization]
}
}


@@ -8,6 +8,6 @@ class BadXmlObjectSerializer
{
XmlObjectSerializer ds = new DataContractSerializer(type);
// BAD
return ds.ReadObject(s);
return ds.ReadObject(s); // $ Alert[cs/unsafe-deserialization]
}
}


@@ -8,6 +8,6 @@ class BadXmlSerializer
{
var ds = new XmlSerializer(type);
// BAD
return ds.Deserialize(s);
return ds.Deserialize(s); // $ Alert[cs/unsafe-deserialization]
}
}


@@ -10,7 +10,7 @@ class BadBinaryFormatter1
{
var ds = new BinaryFormatter();
// BAD
return ds.Deserialize(new MemoryStream(Encoding.UTF8.GetBytes(textBox.Text)));
return ds.Deserialize(new MemoryStream(Encoding.UTF8.GetBytes(textBox.Text))); // $ Alert[cs/unsafe-deserialization-untrusted-input]
}
}
@@ -20,6 +20,6 @@ class BadBinaryFormatter2
{
var ds = new BinaryFormatter();
// BAD
return ds.Deserialize(new MemoryStream(Convert.FromBase64String(data.Text)));
return ds.Deserialize(new MemoryStream(Convert.FromBase64String(data.Text))); // $ Alert[cs/unsafe-deserialization-untrusted-input]
}
}


@@ -10,6 +10,6 @@ class BadDataContractJsonSerializer
{
var ds = new DataContractJsonSerializer(Type.GetType(type.Text));
// BAD
return ds.ReadObject(new MemoryStream(Encoding.UTF8.GetBytes(data.Text)));
return ds.ReadObject(new MemoryStream(Encoding.UTF8.GetBytes(data.Text))); // $ Alert[cs/unsafe-deserialization-untrusted-input]
}
}


@@ -10,6 +10,6 @@ class BadDataContractSerializer
{
var ds = new DataContractSerializer(Type.GetType(type.Text));
// BAD
return ds.ReadObject(new MemoryStream(Encoding.UTF8.GetBytes(data.Text)));
return ds.ReadObject(new MemoryStream(Encoding.UTF8.GetBytes(data.Text))); // $ Alert[cs/unsafe-deserialization-untrusted-input]
}
}


@@ -8,11 +8,11 @@ class BadResourceReader
{
public static void Deserialize(TextBox data)
{
var ds = new ResourceReader(new MemoryStream(Encoding.UTF8.GetBytes(data.Text)));
var ds = new ResourceReader(new MemoryStream(Encoding.UTF8.GetBytes(data.Text))); // $ Alert[cs/unsafe-deserialization-untrusted-input]
// BAD
var dict = ds.GetEnumerator();
while (dict.MoveNext())
Console.WriteLine(" {0}: '{1}' (Type {2})",
Console.WriteLine(" {0}: '{1}' (Type {2})",
dict.Key, dict.Value, dict.Value.GetType().Name);
ds.Close();
}
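Review bot: Same mismatch as in the non-taint ResourceReader test: the `$ Alert[cs/unsafe-deserialization-untrusted-input]` marker is on the `new ResourceReader(...)` line, but the `// BAD` comment on the next line labels `var dict = ds.GetEnumerator();`, so the comment points at a statement the query does not report. Put `// BAD` on the line above `var ds = new ResourceReader(new MemoryStream(Encoding.UTF8.GetBytes(data.Text))); // $ Alert[cs/unsafe-deserialization-untrusted-input]` so comment and expectation name the same line. The two `Console.WriteLine` lines look identical here, presumably a whitespace-only change.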


@@ -1,2 +1,4 @@
query: Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql
postprocess: utils/test/PrettyPrintModels.ql
postprocess:
- utils/test/PrettyPrintModels.ql
- utils/test/InlineExpectationsTestQuery.ql


@@ -7,6 +7,6 @@ class Bad
{
JavaScriptSerializer sr = new JavaScriptSerializer(new SimpleTypeResolver());
// BAD
return sr.DeserializeObject(textBox.Text);
return sr.DeserializeObject(textBox.Text); // $ Alert[cs/unsafe-deserialization-untrusted-input]
}
}


@@ -10,6 +10,6 @@ class BadXmlObjectSerializer
{
XmlObjectSerializer ds = new DataContractSerializer(Type.GetType(type.Text));
// BAD
return ds.ReadObject(new MemoryStream(Encoding.UTF8.GetBytes(data.Text)));
return ds.ReadObject(new MemoryStream(Encoding.UTF8.GetBytes(data.Text))); // $ Alert[cs/unsafe-deserialization-untrusted-input]
}
}


@@ -10,6 +10,6 @@ class BadXmlSerializer
{
var ds = new XmlSerializer(Type.GetType(type.Text));
// BAD
return ds.Deserialize(new MemoryStream(Encoding.UTF8.GetBytes(data.Text)));
return ds.Deserialize(new MemoryStream(Encoding.UTF8.GetBytes(data.Text))); // $ Alert[cs/unsafe-deserialization-untrusted-input]
}
}


@@ -14,9 +14,9 @@ class Test
public static object Deserialize2(TextBox data)
{
return JsonConvert.DeserializeObject(data.Text, new JsonSerializerSettings
return JsonConvert.DeserializeObject(data.Text, new JsonSerializerSettings // $ Alert[cs/unsafe-deserialization-untrusted-input]
{
TypeNameHandling = TypeNameHandling.Auto // BAD
TypeNameHandling = TypeNameHandling.Auto
});
}
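Review bot: Dropping `// BAD` from the `TypeNameHandling = TypeNameHandling.Auto` line removes the only hint of which part of this multi-line call the alert is about, now that the marker sits on the opening `JsonConvert.DeserializeObject(data.Text, new JsonSerializerSettings` line. Every other test converted in this commit keeps its `// BAD` beside the new marker, so retaining `TypeNameHandling = TypeNameHandling.Auto // BAD` here would be both clearer and consistent with them. `Deserialize2` is complete within this hunk.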


@@ -1,2 +1,4 @@
query: Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql
postprocess: utils/test/PrettyPrintModels.ql
postprocess:
- utils/test/PrettyPrintModels.ql
- utils/test/InlineExpectationsTestQuery.ql