hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-02 12:15:17 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #8628 from michaelnebel/csharp/generatedkind

Browse Source 
C#: Introduce generated flag as a part of the kind column for flow summaries
This commit is contained in:
Michael Nebel
2022-04-07 08:43:30 +02:00
committed by GitHub
parent 879b8a1200 2562910b94
commit 72d4c97463
27 changed files with 467 additions and 299 deletions
Download Patch File Download Diff File Expand all files Collapse all files

79
csharp/ql/lib/semmle/code/csharp/dataflow/ExternalFlow.qll
View File

@@ -162,10 +162,17 @@ private predicate sinkModel(string row) { any(SinkModelCsv s).row(row) }
private predicate summaryModel(string row) { any(SummaryModelCsv s).row(row) }
bindingset[input]
private predicate getKind(string input, string kind, boolean generated) {
input.splitAt(":", 0) = "generated" and kind = input.splitAt(":", 1) and generated = true
or
not input.matches("%:%") and kind = input and generated = false
}
/** Holds if a source model exists for the given parameters. */
predicate sourceModel(
string namespace, string type, boolean subtypes, string name, string signature, string ext,
string output, string kind
string output, string kind, boolean generated
) {
exists(string row |
sourceModel(row) and
@@ -177,14 +184,14 @@ predicate sourceModel(
row.splitAt(";", 4) = signature and
row.splitAt(";", 5) = ext and
row.splitAt(";", 6) = output and
row.splitAt(";", 7) = kind
exists(string k | row.splitAt(";", 7) = k and getKind(k, kind, generated))
)
}
/** Holds if a sink model exists for the given parameters. */
predicate sinkModel(
string namespace, string type, boolean subtypes, string name, string signature, string ext,
string input, string kind
string input, string kind, boolean generated
) {
exists(string row |
sinkModel(row) and
@@ -196,14 +203,14 @@ predicate sinkModel(
row.splitAt(";", 4) = signature and
row.splitAt(";", 5) = ext and
row.splitAt(";", 6) = input and
row.splitAt(";", 7) = kind
exists(string k | row.splitAt(";", 7) = k and getKind(k, kind, generated))
)
}
/** Holds if a summary model exists for the given parameters. */
predicate summaryModel(
string namespace, string type, boolean subtypes, string name, string signature, string ext,
string input, string output, string kind
string input, string output, string kind, boolean generated
) {
exists(string row |
summaryModel(row) and
@@ -216,14 +223,14 @@ predicate summaryModel(
row.splitAt(";", 5) = ext and
row.splitAt(";", 6) = input and
row.splitAt(";", 7) = output and
row.splitAt(";", 8) = kind
exists(string k | row.splitAt(";", 8) = k and getKind(k, kind, generated))
)
}
private predicate relevantNamespace(string namespace) {
sourceModel(namespace, _, _, _, _, _, _, _) or
sinkModel(namespace, _, _, _, _, _, _, _) or
summaryModel(namespace, _, _, _, _, _, _, _, _)
sourceModel(namespace, _, _, _, _, _, _, _, _) or
sinkModel(namespace, _, _, _, _, _, _, _, _) or
summaryModel(namespace, _, _, _, _, _, _, _, _, _)
}
private predicate namespaceLink(string shortns, string longns) {
@@ -251,25 +258,25 @@ predicate modelCoverage(string namespace, int namespaces, string kind, string pa
part = "source" and
n =
strictcount(string subns, string type, boolean subtypes, string name, string signature,
string ext, string output |
string ext, string output, boolean generated |
canonicalNamespaceLink(namespace, subns) and
sourceModel(subns, type, subtypes, name, signature, ext, output, kind)
sourceModel(subns, type, subtypes, name, signature, ext, output, kind, generated)
)
or
part = "sink" and
n =
strictcount(string subns, string type, boolean subtypes, string name, string signature,
string ext, string input |
string ext, string input, boolean generated |
canonicalNamespaceLink(namespace, subns) and
sinkModel(subns, type, subtypes, name, signature, ext, input, kind)
sinkModel(subns, type, subtypes, name, signature, ext, input, kind, generated)
)
or
part = "summary" and
n =
strictcount(string subns, string type, boolean subtypes, string name, string signature,
string ext, string input, string output |
string ext, string input, string output, boolean generated |
canonicalNamespaceLink(namespace, subns) and
summaryModel(subns, type, subtypes, name, signature, ext, input, output, kind)
summaryModel(subns, type, subtypes, name, signature, ext, input, output, kind, generated)
)
)
}
@@ -279,11 +286,11 @@ module CsvValidation {
/** Holds if some row in a CSV-based flow model appears to contain typos. */
query predicate invalidModelRow(string msg) {
exists(string pred, string namespace, string type, string name, string signature, string ext |
sourceModel(namespace, type, _, name, signature, ext, _, _) and pred = "source"
sourceModel(namespace, type, _, name, signature, ext, _, _, _) and pred = "source"
or
sinkModel(namespace, type, _, name, signature, ext, _, _) and pred = "sink"
sinkModel(namespace, type, _, name, signature, ext, _, _, _) and pred = "sink"
or
summaryModel(namespace, type, _, name, signature, ext, _, _, _) and pred = "summary"
summaryModel(namespace, type, _, name, signature, ext, _, _, _, _) and pred = "summary"
|
not namespace.regexpMatch("[a-zA-Z0-9_\\.]+") and
msg = "Dubious namespace \"" + namespace + "\" in " + pred + " model."
@@ -302,9 +309,9 @@ module CsvValidation {
)
or
exists(string pred, AccessPath input, string part |
sinkModel(_, _, _, _, _, _, input, _) and pred = "sink"
sinkModel(_, _, _, _, _, _, input, _, _) and pred = "sink"
or
summaryModel(_, _, _, _, _, _, input, _, _) and pred = "summary"
summaryModel(_, _, _, _, _, _, input, _, _, _) and pred = "summary"
|
(
invalidSpecComponent(input, part) and
@@ -319,9 +326,9 @@ module CsvValidation {
)
or
exists(string pred, string output, string part |
sourceModel(_, _, _, _, _, _, output, _) and pred = "source"
sourceModel(_, _, _, _, _, _, output, _, _) and pred = "source"
or
summaryModel(_, _, _, _, _, _, _, output, _) and pred = "summary"
summaryModel(_, _, _, _, _, _, _, output, _, _) and pred = "summary"
|
invalidSpecComponent(output, part) and
not part = "" and
@@ -351,20 +358,23 @@ module CsvValidation {
)
)
or
exists(string row, string kind | summaryModel(row) |
kind = row.splitAt(";", 8) and
exists(string row, string k, string kind | summaryModel(row) |
k = row.splitAt(";", 8) and
getKind(k, kind, _) and
not kind = ["taint", "value"] and
msg = "Invalid kind \"" + kind + "\" in summary model."
)
or
exists(string row, string kind | sinkModel(row) |
kind = row.splitAt(";", 7) and
exists(string row, string k, string kind | sinkModel(row) |
k = row.splitAt(";", 7) and
getKind(k, kind, _) and
not kind = ["code", "sql", "xss", "remote", "html"] and
msg = "Invalid kind \"" + kind + "\" in sink model."
)
or
exists(string row, string kind | sourceModel(row) |
kind = row.splitAt(";", 7) and
exists(string row, string k, string kind | sourceModel(row) |
k = row.splitAt(";", 7) and
getKind(k, kind, _) and
not kind = "local" and
msg = "Invalid kind \"" + kind + "\" in source model."
)
@@ -374,9 +384,9 @@ module CsvValidation {
private predicate elementSpec(
string namespace, string type, boolean subtypes, string name, string signature, string ext
) {
sourceModel(namespace, type, subtypes, name, signature, ext, _, _) or
sinkModel(namespace, type, subtypes, name, signature, ext, _, _) or
summaryModel(namespace, type, subtypes, name, signature, ext, _, _, _)
sourceModel(namespace, type, subtypes, name, signature, ext, _, _, _) or
sinkModel(namespace, type, subtypes, name, signature, ext, _, _, _) or
summaryModel(namespace, type, subtypes, name, signature, ext, _, _, _, _)
}
private predicate elementSpec(
@@ -502,6 +512,13 @@ Element interpretElement(
)
}
/**
* Holds if `c` has a `generated` summary.
*/
predicate hasSummary(DataFlowCallable c, boolean generated) {
summaryElement(c, _, _, _, generated)
}
cached
private module Cached {
/**

23
csharp/ql/lib/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll
View File

@@ -806,10 +806,10 @@ module Private {
module External {
/** Holds if `spec` is a relevant external specification. */
private predicate relevantSpec(string spec) {
summaryElement(_, spec, _, _) or
summaryElement(_, _, spec, _) or
sourceElement(_, spec, _) or
sinkElement(_, spec, _)
summaryElement(_, spec, _, _, _) or
summaryElement(_, _, spec, _, _) or
sourceElement(_, spec, _, _) or
sinkElement(_, spec, _, _)
}
private class AccessPathRange extends AccessPath::Range {
@@ -875,13 +875,20 @@ module Private {
}
private class SummarizedCallableExternal extends SummarizedCallable {
SummarizedCallableExternal() { summaryElement(this, _, _, _) }
SummarizedCallableExternal() { summaryElement(this, _, _, _, _) }
private predicate relevantSummaryElement(AccessPath inSpec, AccessPath outSpec, string kind) {
summaryElement(this, inSpec, outSpec, kind, false)
or
summaryElement(this, inSpec, outSpec, kind, true) and
not summaryElement(this, _, _, _, false)
}
override predicate propagatesFlow(
SummaryComponentStack input, SummaryComponentStack output, boolean preservesValue
) {
exists(AccessPath inSpec, AccessPath outSpec, string kind |
summaryElement(this, inSpec, outSpec, kind) and
this.relevantSummaryElement(inSpec, outSpec, kind) and
interpretSpec(inSpec, input) and
interpretSpec(outSpec, output)
|
@@ -910,7 +917,7 @@ module Private {
private predicate sourceElementRef(InterpretNode ref, AccessPath output, string kind) {
exists(SourceOrSinkElement e |
sourceElement(e, output, kind) and
sourceElement(e, output, kind, _) and
if outputNeedsReference(output.getToken(0))
then e = ref.getCallTarget()
else e = ref.asElement()
@@ -919,7 +926,7 @@ module Private {
private predicate sinkElementRef(InterpretNode ref, AccessPath input, string kind) {
exists(SourceOrSinkElement e |
sinkElement(e, input, kind) and
sinkElement(e, input, kind, _) and
if inputNeedsReference(input.getToken(0))
then e = ref.getCallTarget()
else e = ref.asElement()

25
csharp/ql/lib/semmle/code/csharp/dataflow/internal/FlowSummaryImplSpecific.qll
View File

@@ -85,39 +85,44 @@ DataFlowType getCallbackReturnType(DataFlowType t, ReturnKind rk) {
/**
* Holds if an external flow summary exists for `c` with input specification
* `input`, output specification `output`, and kind `kind`.
* `input`, output specification `output`, kind `kind`, and a flag `generated`
* stating whether the summary is autogenerated.
*/
predicate summaryElement(DataFlowCallable c, string input, string output, string kind) {
predicate summaryElement(
DataFlowCallable c, string input, string output, string kind, boolean generated
) {
exists(
string namespace, string type, boolean subtypes, string name, string signature, string ext
|
summaryModel(namespace, type, subtypes, name, signature, ext, input, output, kind) and
summaryModel(namespace, type, subtypes, name, signature, ext, input, output, kind, generated) and
c = interpretElement(namespace, type, subtypes, name, signature, ext)
)
}
/**
* Holds if an external source specification exists for `e` with output specification
* `output` and kind `kind`.
* `output`, kind `kind`, and a flag `generated` stating whether the source specification is
* autogenerated.
*/
predicate sourceElement(Element e, string output, string kind) {
predicate sourceElement(Element e, string output, string kind, boolean generated) {
exists(
string namespace, string type, boolean subtypes, string name, string signature, string ext
|
sourceModel(namespace, type, subtypes, name, signature, ext, output, kind) and
sourceModel(namespace, type, subtypes, name, signature, ext, output, kind, generated) and
e = interpretElement(namespace, type, subtypes, name, signature, ext)
)
}
/**
* Holds if an external sink specification exists for `n` with input specification
* `input` and kind `kind`.
* Holds if an external sink specification exists for `e` with input specification
* `input`, kind `kind` and a flag `generated` stating whether the sink specification is
* autogenerated.
*/
predicate sinkElement(Element e, string input, string kind) {
predicate sinkElement(Element e, string input, string kind, boolean generated) {
exists(
string namespace, string type, boolean subtypes, string name, string signature, string ext
|
sinkModel(namespace, type, subtypes, name, signature, ext, input, kind) and
sinkModel(namespace, type, subtypes, name, signature, ext, input, kind, generated) and
e = interpretElement(namespace, type, subtypes, name, signature, ext)
)
}

13
csharp/ql/src/utils/model-generator/CaptureDiscardedSummaryModels.ql Normal file
View File

@@ -0,0 +1,13 @@
/**
* @name Capture discarded summary models.
* @description Finds summary models that are discarded as handwritten counterparts exist.
* @id csharp/utils/model-generator/discarded-summary-models
*/
private import semmle.code.csharp.dataflow.ExternalFlow
private import internal.CaptureModels
private import internal.CaptureFlow
from TargetApi api, string flow
where flow = captureFlow(api) and hasSummary(api, false)
select flow order by flow

84
csharp/ql/src/utils/model-generator/CaptureSummaryModels.ql
View File

@@ -4,88 +4,10 @@
* @id cs/utils/model-generator/summary-models
*/
private import semmle.code.csharp.dataflow.ExternalFlow
private import internal.CaptureModels
/**
* Capture fluent APIs that return `this`.
* Example of a fluent API:
* ```csharp
* public class BasicFlow {
* public BasicFlow ReturnThis(object input)
* {
* // some side effect
* return this;
* }
* ```
* Captured Model:
* ```Summaries;BasicFlow;false;ReturnThis;(System.Object);Argument[Qualifier];ReturnValue;value```
* Capture APIs that transfer taint from an input parameter to an output return
* value or parameter.
* Allows a sequence of read steps followed by a sequence of store steps.
*
* Examples:
*
* ```csharp
* public class BasicFlow {
* private string tainted;
*
* public String ReturnField()
* {
* return tainted;
* }
*
* public void AssignFieldToArray(object[] target)
* {
* target[0] = tainted;
* }
* }
* ```
* Captured Models:
* ```
* Summaries;BasicFlow;false;ReturnField;();Argument[Qualifier];ReturnValue;taint |
* Summaries;BasicFlow;false;AssignFieldToArray;(System.Object[]);Argument[Qualifier];Argument[0].Element;taint
* ```
*
* ```csharp
* public class BasicFlow {
* private string tainted;
*
* public void SetField(string s)
* {
* tainted = s;
* }
* }
* ```
* Captured Model:
* ```Summaries;BasicFlow;false;SetField;(System.String);Argument[0];Argument[Qualifier];taint```
*
* ```csharp
* public class BasicFlow {
* public void ReturnSubstring(string s)
* {
* return s.Substring(0, 1);
* }
* }
* ```
* Captured Model:
* ```Summaries;BasicFlow;false;ReturnSubstring;(System.String);Argument[0];ReturnValue;taint```
*
* ```csharp
* public class BasicFlow {
* public void AssignToArray(int data, int[] target)
* {
* target[0] = data;
* }
* }
* ```
* Captured Model:
* ```Summaries;BasicFlow;false;AssignToArray;(System.Int32,System.Int32[]);Argument[0];Argument[1].Element;taint```
*/
private string captureFlow(TargetApi api) {
result = captureQualifierFlow(api) or
result = captureThroughFlow(api)
}
private import internal.CaptureFlow
from TargetApi api, string flow
where flow = captureFlow(api)
where flow = captureFlow(api) and not hasSummary(api, false)
select flow order by flow

81
csharp/ql/src/utils/model-generator/internal/CaptureFlow.qll Normal file
View File

@@ -0,0 +1,81 @@
private import CaptureModels
/**
* Capture fluent APIs that return `this`.
* Example of a fluent API:
* ```csharp
* public class BasicFlow {
* public BasicFlow ReturnThis(object input)
* {
* // some side effect
* return this;
* }
* ```
* Captured Model:
* ```Summaries;BasicFlow;false;ReturnThis;(System.Object);Argument[Qualifier];ReturnValue;value```
* Capture APIs that transfer taint from an input parameter to an output return
* value or parameter.
* Allows a sequence of read steps followed by a sequence of store steps.
*
* Examples:
*
* ```csharp
* public class BasicFlow {
* private string tainted;
*
* public String ReturnField()
* {
* return tainted;
* }
*
* public void AssignFieldToArray(object[] target)
* {
* target[0] = tainted;
* }
* }
* ```
* Captured Models:
* ```
* Summaries;BasicFlow;false;ReturnField;();Argument[Qualifier];ReturnValue;taint |
* Summaries;BasicFlow;false;AssignFieldToArray;(System.Object[]);Argument[Qualifier];Argument[0].Element;taint
* ```
*
* ```csharp
* public class BasicFlow {
* private string tainted;
*
* public void SetField(string s)
* {
* tainted = s;
* }
* }
* ```
* Captured Model:
* ```Summaries;BasicFlow;false;SetField;(System.String);Argument[0];Argument[Qualifier];taint```
*
* ```csharp
* public class BasicFlow {
* public void ReturnSubstring(string s)
* {
* return s.Substring(0, 1);
* }
* }
* ```
* Captured Model:
* ```Summaries;BasicFlow;false;ReturnSubstring;(System.String);Argument[0];ReturnValue;taint```
*
* ```csharp
* public class BasicFlow {
* public void AssignToArray(int data, int[] target)
* {
* target[0] = data;
* }
* }
* ```
* Captured Model:
* ```Summaries;BasicFlow;false;AssignToArray;(System.Int32,System.Int32[]);Argument[0];Argument[1].Element;taint```
*/
string captureFlow(TargetApi api) {
result = captureQualifierFlow(api) or
result = captureThroughFlow(api)
}

6
csharp/ql/src/utils/model-generator/internal/CaptureModels.qll
View File

@@ -44,7 +44,7 @@ private string asSummaryModel(TargetApi api, string input, string output, string
result =
asPartialModel(api) + input + ";" //
+ output + ";" //
+ kind
+ "generated:" + kind
}
/**
@@ -68,7 +68,7 @@ private string asTaintModel(TargetApi api, string input, string output) {
*/
bindingset[input, kind]
private string asSinkModel(TargetApi api, string input, string kind) {
result = asPartialModel(api) + input + ";" + kind
result = asPartialModel(api) + input + ";" + "generated:" + kind
}
/**
@@ -76,7 +76,7 @@ private string asSinkModel(TargetApi api, string input, string kind) {
*/
bindingset[output, kind]
private string asSourceModel(TargetApi api, string output, string kind) {
result = asPartialModel(api) + output + ";" + kind
result = asPartialModel(api) + output + ";" + "generated:" + kind
}
/**

35
csharp/ql/test/library-tests/dataflow/external-models/ExternalFlow.cs
View File

@@ -169,4 +169,39 @@ namespace My.Qltest
set { throw null; }
}
}
public class G
{
void M1()
{
var o = new object();
Sink(GeneratedFlow(o));
}
void M2()
{
var o1 = new object();
Sink(GeneratedFlowArgs(o1, null));
var o2 = new object();
Sink(GeneratedFlowArgs(null, o2));
}
void M3()
{
var o1 = new object();
Sink(MixedFlowArgs(o1, null));
var o2 = new object();
Sink(MixedFlowArgs(null, o2));
}
object GeneratedFlow(object o) => throw null;
object GeneratedFlowArgs(object o1, object o2) => throw null;
object MixedFlowArgs(object o1, object o2) => throw null;
static void Sink(object o) { }
}
}

24
csharp/ql/test/library-tests/dataflow/external-models/ExternalFlow.expected
View File

@@ -56,6 +56,14 @@ edges
| ExternalFlow.cs:111:13:111:13 | [post] access to local variable f [field MyField] : Object | ExternalFlow.cs:112:18:112:18 | access to local variable f [field MyField] : Object |
| ExternalFlow.cs:111:24:111:35 | object creation of type Object : Object | ExternalFlow.cs:111:13:111:13 | [post] access to local variable f [field MyField] : Object |
| ExternalFlow.cs:112:18:112:18 | access to local variable f [field MyField] : Object | ExternalFlow.cs:112:18:112:25 | access to property MyProp |
| ExternalFlow.cs:177:21:177:32 | object creation of type Object : Object | ExternalFlow.cs:178:32:178:32 | access to local variable o : Object |
| ExternalFlow.cs:178:32:178:32 | access to local variable o : Object | ExternalFlow.cs:178:18:178:33 | call to method GeneratedFlow |
| ExternalFlow.cs:183:22:183:33 | object creation of type Object : Object | ExternalFlow.cs:184:36:184:37 | access to local variable o1 : Object |
| ExternalFlow.cs:184:36:184:37 | access to local variable o1 : Object | ExternalFlow.cs:184:18:184:44 | call to method GeneratedFlowArgs |
| ExternalFlow.cs:186:22:186:33 | object creation of type Object : Object | ExternalFlow.cs:187:42:187:43 | access to local variable o2 : Object |
| ExternalFlow.cs:187:42:187:43 | access to local variable o2 : Object | ExternalFlow.cs:187:18:187:44 | call to method GeneratedFlowArgs |
| ExternalFlow.cs:195:22:195:33 | object creation of type Object : Object | ExternalFlow.cs:196:38:196:39 | access to local variable o2 : Object |
| ExternalFlow.cs:196:38:196:39 | access to local variable o2 : Object | ExternalFlow.cs:196:18:196:40 | call to method MixedFlowArgs |
nodes
| ExternalFlow.cs:9:27:9:38 | object creation of type Object : Object | semmle.label | object creation of type Object : Object |
| ExternalFlow.cs:10:18:10:33 | call to method StepArgRes | semmle.label | call to method StepArgRes |
@@ -130,6 +138,18 @@ nodes
| ExternalFlow.cs:111:24:111:35 | object creation of type Object : Object | semmle.label | object creation of type Object : Object |
| ExternalFlow.cs:112:18:112:18 | access to local variable f [field MyField] : Object | semmle.label | access to local variable f [field MyField] : Object |
| ExternalFlow.cs:112:18:112:25 | access to property MyProp | semmle.label | access to property MyProp |
| ExternalFlow.cs:177:21:177:32 | object creation of type Object : Object | semmle.label | object creation of type Object : Object |
| ExternalFlow.cs:178:18:178:33 | call to method GeneratedFlow | semmle.label | call to method GeneratedFlow |
| ExternalFlow.cs:178:32:178:32 | access to local variable o : Object | semmle.label | access to local variable o : Object |
| ExternalFlow.cs:183:22:183:33 | object creation of type Object : Object | semmle.label | object creation of type Object : Object |
| ExternalFlow.cs:184:18:184:44 | call to method GeneratedFlowArgs | semmle.label | call to method GeneratedFlowArgs |
| ExternalFlow.cs:184:36:184:37 | access to local variable o1 : Object | semmle.label | access to local variable o1 : Object |
| ExternalFlow.cs:186:22:186:33 | object creation of type Object : Object | semmle.label | object creation of type Object : Object |
| ExternalFlow.cs:187:18:187:44 | call to method GeneratedFlowArgs | semmle.label | call to method GeneratedFlowArgs |
| ExternalFlow.cs:187:42:187:43 | access to local variable o2 : Object | semmle.label | access to local variable o2 : Object |
| ExternalFlow.cs:195:22:195:33 | object creation of type Object : Object | semmle.label | object creation of type Object : Object |
| ExternalFlow.cs:196:18:196:40 | call to method MixedFlowArgs | semmle.label | call to method MixedFlowArgs |
| ExternalFlow.cs:196:38:196:39 | access to local variable o2 : Object | semmle.label | access to local variable o2 : Object |
subpaths
invalidModelRow
#select
@@ -152,3 +172,7 @@ invalidModelRow
| ExternalFlow.cs:102:22:102:22 | access to parameter d | ExternalFlow.cs:98:24:98:35 | object creation of type Object : Object | ExternalFlow.cs:102:22:102:22 | access to parameter d | $@ | ExternalFlow.cs:98:24:98:35 | object creation of type Object : Object | object creation of type Object : Object |
| ExternalFlow.cs:104:18:104:25 | access to field Field | ExternalFlow.cs:98:24:98:35 | object creation of type Object : Object | ExternalFlow.cs:104:18:104:25 | access to field Field | $@ | ExternalFlow.cs:98:24:98:35 | object creation of type Object : Object | object creation of type Object : Object |
| ExternalFlow.cs:112:18:112:25 | access to property MyProp | ExternalFlow.cs:111:24:111:35 | object creation of type Object : Object | ExternalFlow.cs:112:18:112:25 | access to property MyProp | $@ | ExternalFlow.cs:111:24:111:35 | object creation of type Object : Object | object creation of type Object : Object |
| ExternalFlow.cs:178:18:178:33 | call to method GeneratedFlow | ExternalFlow.cs:177:21:177:32 | object creation of type Object : Object | ExternalFlow.cs:178:18:178:33 | call to method GeneratedFlow | $@ | ExternalFlow.cs:177:21:177:32 | object creation of type Object : Object | object creation of type Object : Object |
| ExternalFlow.cs:184:18:184:44 | call to method GeneratedFlowArgs | ExternalFlow.cs:183:22:183:33 | object creation of type Object : Object | ExternalFlow.cs:184:18:184:44 | call to method GeneratedFlowArgs | $@ | ExternalFlow.cs:183:22:183:33 | object creation of type Object : Object | object creation of type Object : Object |
| ExternalFlow.cs:187:18:187:44 | call to method GeneratedFlowArgs | ExternalFlow.cs:186:22:186:33 | object creation of type Object : Object | ExternalFlow.cs:187:18:187:44 | call to method GeneratedFlowArgs | $@ | ExternalFlow.cs:186:22:186:33 | object creation of type Object : Object | object creation of type Object : Object |
| ExternalFlow.cs:196:18:196:40 | call to method MixedFlowArgs | ExternalFlow.cs:195:22:195:33 | object creation of type Object : Object | ExternalFlow.cs:196:18:196:40 | call to method MixedFlowArgs | $@ | ExternalFlow.cs:195:22:195:33 | object creation of type Object : Object | object creation of type Object : Object |

7
csharp/ql/test/library-tests/dataflow/external-models/ExternalFlow.ql
View File

@@ -30,7 +30,12 @@ class SummaryModelTest extends SummaryModelCsv {
"My.Qltest;D;false;Map<,>;(S[],System.Func<S,T>);;Argument[1].ReturnValue;ReturnValue.Element;value",
"My.Qltest;D;false;Parse;(System.String,System.Int32);;Argument[0];Argument[1];taint",
"My.Qltest;E;true;get_MyProp;();;Argument[Qualifier].Field[My.Qltest.E.MyField];ReturnValue;value",
"My.Qltest;E;true;set_MyProp;(System.Object);;Argument[0];Argument[Qualifier].Field[My.Qltest.E.MyField];value"
"My.Qltest;E;true;set_MyProp;(System.Object);;Argument[0];Argument[Qualifier].Field[My.Qltest.E.MyField];value",
"My.Qltest;G;false;GeneratedFlow;(System.Object);;Argument[0];ReturnValue;generated:value",
"My.Qltest;G;false;GeneratedFlowArgs;(System.Object,System.Object);;Argument[0];ReturnValue;generated:value",
"My.Qltest;G;false;GeneratedFlowArgs;(System.Object,System.Object);;Argument[1];ReturnValue;generated:value",
"My.Qltest;G;false;MixedFlowArgs;(System.Object,System.Object);;Argument[0];ReturnValue;generated:value",
"My.Qltest;G;false;MixedFlowArgs;(System.Object,System.Object);;Argument[1];ReturnValue;value",
]
}
}

8
csharp/ql/test/utils/model-generator/CaptureSinkModels.expected
View File

@@ -1,4 +1,4 @@
| Sinks;NewSinks;false;WrapFieldResponseWriteFile;();;Argument[Qualifier];html |
| Sinks;NewSinks;false;WrapPropResponseWriteFile;();;Argument[Qualifier];html |
| Sinks;NewSinks;false;WrapResponseWrite;(System.Object);;Argument[0];html |
| Sinks;NewSinks;false;WrapResponseWriteFile;(System.String);;Argument[0];html |
| Sinks;NewSinks;false;WrapFieldResponseWriteFile;();;Argument[Qualifier];generated:html |
| Sinks;NewSinks;false;WrapPropResponseWriteFile;();;Argument[Qualifier];generated:html |
| Sinks;NewSinks;false;WrapResponseWrite;(System.Object);;Argument[0];generated:html |
| Sinks;NewSinks;false;WrapResponseWriteFile;(System.String);;Argument[0];generated:html |

6
csharp/ql/test/utils/model-generator/CaptureSourceModels.expected
View File

@@ -1,3 +1,3 @@
| Sources;NewSources;false;WrapConsoleReadKey;();;ReturnValue;local |
| Sources;NewSources;false;WrapConsoleReadLine;();;ReturnValue;local |
| Sources;NewSources;false;WrapConsoleReadLineAndProcees;(System.String);;ReturnValue;local |
| Sources;NewSources;false;WrapConsoleReadKey;();;ReturnValue;generated:local |
| Sources;NewSources;false;WrapConsoleReadLine;();;ReturnValue;generated:local |
| Sources;NewSources;false;WrapConsoleReadLineAndProcees;(System.String);;ReturnValue;generated:local |

66
csharp/ql/test/utils/model-generator/CaptureSummaryModels.expected
View File

@@ -1,33 +1,33 @@
| NoSummaries;PublicClassFlow;false;PublicReturn;(System.Int32);;Argument[0];ReturnValue;taint |
| Summaries;BaseClassFlow;true;ReturnParam;(System.Int32);;Argument[0];ReturnValue;taint |
| Summaries;BasicFlow;false;ReturnField;();;Argument[Qualifier];ReturnValue;taint |
| Summaries;BasicFlow;false;ReturnParam0;(System.String,System.Object);;Argument[0];ReturnValue;taint |
| Summaries;BasicFlow;false;ReturnParam1;(System.String,System.Object);;Argument[1];ReturnValue;taint |
| Summaries;BasicFlow;false;ReturnParamMultiple;(System.Object,System.Object);;Argument[0];ReturnValue;taint |
| Summaries;BasicFlow;false;ReturnParamMultiple;(System.Object,System.Object);;Argument[1];ReturnValue;taint |
| Summaries;BasicFlow;false;ReturnSubstring;(System.String);;Argument[0];ReturnValue;taint |
| Summaries;BasicFlow;false;ReturnThis;(System.Object);;Argument[Qualifier];ReturnValue;value |
| Summaries;BasicFlow;false;SetField;(System.String);;Argument[0];Argument[Qualifier];taint |
| Summaries;CollectionFlow;false;AddFieldToList;(System.Collections.Generic.List<System.String>);;Argument[Qualifier];Argument[0].Element;taint |
| Summaries;CollectionFlow;false;AddToList;(System.Collections.Generic.List<System.Object>,System.Object);;Argument[1];Argument[0].Element;taint |
| Summaries;CollectionFlow;false;AssignFieldToArray;(System.Object[]);;Argument[Qualifier];Argument[0].Element;taint |
| Summaries;CollectionFlow;false;AssignToArray;(System.Int32,System.Int32[]);;Argument[0];Argument[1].Element;taint |
| Summaries;CollectionFlow;false;ReturnArrayElement;(System.Int32[]);;Argument[0].Element;ReturnValue;taint |
| Summaries;CollectionFlow;false;ReturnFieldInAList;();;Argument[Qualifier];ReturnValue;taint |
| Summaries;CollectionFlow;false;ReturnListElement;(System.Collections.Generic.List<System.Object>);;Argument[0].Element;ReturnValue;taint |
| Summaries;DerivedClass1Flow;false;ReturnParam1;(System.Int32,System.Int32);;Argument[1];ReturnValue;taint |
| Summaries;DerivedClass2Flow;false;ReturnParam0;(System.Int32,System.Int32);;Argument[0];ReturnValue;taint |
| Summaries;DerivedClass2Flow;false;ReturnParam;(System.Int32);;Argument[0];ReturnValue;taint |
| Summaries;EqualsGetHashCodeNoFlow;false;Equals;(System.Int32);;Argument[0];ReturnValue;taint |
| Summaries;GenericFlow<>;false;AddFieldToGenericList;(System.Collections.Generic.List<T>);;Argument[Qualifier];Argument[0].Element;taint |
| Summaries;GenericFlow<>;false;AddToGenericList<>;(System.Collections.Generic.List<S>,S);;Argument[1];Argument[0].Element;taint |
| Summaries;GenericFlow<>;false;ReturnFieldInGenericList;();;Argument[Qualifier];ReturnValue;taint |
| Summaries;GenericFlow<>;false;ReturnGenericElement<>;(System.Collections.Generic.List<S>);;Argument[0].Element;ReturnValue;taint |
| Summaries;GenericFlow<>;false;ReturnGenericField;();;Argument[Qualifier];ReturnValue;taint |
| Summaries;GenericFlow<>;false;ReturnGenericParam<>;(S);;Argument[0];ReturnValue;taint |
| Summaries;GenericFlow<>;false;SetGenericField;(T);;Argument[0];Argument[Qualifier];taint |
| Summaries;IEnumerableFlow;false;ReturnFieldInIEnumerable;();;Argument[Qualifier];ReturnValue;taint |
| Summaries;IEnumerableFlow;false;ReturnIEnumerable;(System.Collections.Generic.IEnumerable<System.String>);;Argument[0].Element;ReturnValue;taint |
| Summaries;IEnumerableFlow;false;ReturnIEnumerableElement;(System.Collections.Generic.IEnumerable<System.Object>);;Argument[0].Element;ReturnValue;taint |
| Summaries;OperatorFlow;false;OperatorFlow;(System.Object);;Argument[0];Argument[Qualifier];taint |
| Summaries;OperatorFlow;false;op_Addition;(Summaries.OperatorFlow,Summaries.OperatorFlow);;Argument[0];ReturnValue;taint |
| NoSummaries;PublicClassFlow;false;PublicReturn;(System.Int32);;Argument[0];ReturnValue;generated:taint |
| Summaries;BaseClassFlow;true;ReturnParam;(System.Int32);;Argument[0];ReturnValue;generated:taint |
| Summaries;BasicFlow;false;ReturnField;();;Argument[Qualifier];ReturnValue;generated:taint |
| Summaries;BasicFlow;false;ReturnParam0;(System.String,System.Object);;Argument[0];ReturnValue;generated:taint |
| Summaries;BasicFlow;false;ReturnParam1;(System.String,System.Object);;Argument[1];ReturnValue;generated:taint |
| Summaries;BasicFlow;false;ReturnParamMultiple;(System.Object,System.Object);;Argument[0];ReturnValue;generated:taint |
| Summaries;BasicFlow;false;ReturnParamMultiple;(System.Object,System.Object);;Argument[1];ReturnValue;generated:taint |
| Summaries;BasicFlow;false;ReturnSubstring;(System.String);;Argument[0];ReturnValue;generated:taint |
| Summaries;BasicFlow;false;ReturnThis;(System.Object);;Argument[Qualifier];ReturnValue;generated:value |
| Summaries;BasicFlow;false;SetField;(System.String);;Argument[0];Argument[Qualifier];generated:taint |
| Summaries;CollectionFlow;false;AddFieldToList;(System.Collections.Generic.List<System.String>);;Argument[Qualifier];Argument[0].Element;generated:taint |
| Summaries;CollectionFlow;false;AddToList;(System.Collections.Generic.List<System.Object>,System.Object);;Argument[1];Argument[0].Element;generated:taint |
| Summaries;CollectionFlow;false;AssignFieldToArray;(System.Object[]);;Argument[Qualifier];Argument[0].Element;generated:taint |
| Summaries;CollectionFlow;false;AssignToArray;(System.Int32,System.Int32[]);;Argument[0];Argument[1].Element;generated:taint |
| Summaries;CollectionFlow;false;ReturnArrayElement;(System.Int32[]);;Argument[0].Element;ReturnValue;generated:taint |
| Summaries;CollectionFlow;false;ReturnFieldInAList;();;Argument[Qualifier];ReturnValue;generated:taint |
| Summaries;CollectionFlow;false;ReturnListElement;(System.Collections.Generic.List<System.Object>);;Argument[0].Element;ReturnValue;generated:taint |
| Summaries;DerivedClass1Flow;false;ReturnParam1;(System.Int32,System.Int32);;Argument[1];ReturnValue;generated:taint |
| Summaries;DerivedClass2Flow;false;ReturnParam0;(System.Int32,System.Int32);;Argument[0];ReturnValue;generated:taint |
| Summaries;DerivedClass2Flow;false;ReturnParam;(System.Int32);;Argument[0];ReturnValue;generated:taint |
| Summaries;EqualsGetHashCodeNoFlow;false;Equals;(System.Int32);;Argument[0];ReturnValue;generated:taint |
| Summaries;GenericFlow<>;false;AddFieldToGenericList;(System.Collections.Generic.List<T>);;Argument[Qualifier];Argument[0].Element;generated:taint |
| Summaries;GenericFlow<>;false;AddToGenericList<>;(System.Collections.Generic.List<S>,S);;Argument[1];Argument[0].Element;generated:taint |
| Summaries;GenericFlow<>;false;ReturnFieldInGenericList;();;Argument[Qualifier];ReturnValue;generated:taint |
| Summaries;GenericFlow<>;false;ReturnGenericElement<>;(System.Collections.Generic.List<S>);;Argument[0].Element;ReturnValue;generated:taint |
| Summaries;GenericFlow<>;false;ReturnGenericField;();;Argument[Qualifier];ReturnValue;generated:taint |
| Summaries;GenericFlow<>;false;ReturnGenericParam<>;(S);;Argument[0];ReturnValue;generated:taint |
| Summaries;GenericFlow<>;false;SetGenericField;(T);;Argument[0];Argument[Qualifier];generated:taint |
| Summaries;IEnumerableFlow;false;ReturnFieldInIEnumerable;();;Argument[Qualifier];ReturnValue;generated:taint |
| Summaries;IEnumerableFlow;false;ReturnIEnumerable;(System.Collections.Generic.IEnumerable<System.String>);;Argument[0].Element;ReturnValue;generated:taint |
| Summaries;IEnumerableFlow;false;ReturnIEnumerableElement;(System.Collections.Generic.IEnumerable<System.Object>);;Argument[0].Element;ReturnValue;generated:taint |
| Summaries;OperatorFlow;false;OperatorFlow;(System.Object);;Argument[0];Argument[Qualifier];generated:taint |
| Summaries;OperatorFlow;false;op_Addition;(Summaries.OperatorFlow,Summaries.OperatorFlow);;Argument[0];ReturnValue;generated:taint |