From 8807217e492bd46475f5bd624276e8364dda149e Mon Sep 17 00:00:00 2001
From: Michael Nebel
Date: Tue, 3 Mar 2026 14:26:07 +0100
Subject: [PATCH] C#: Add implicit conversion operator taint example.
---
.../operators/ImplicitConversionOperator.cs | 14 +++++++++
.../implicitConversionOperatorFlow.expected | 4 +++
.../implicitConversionOperatorFlow.ql | 29 +++++++++++++++++++
3 files changed, 47 insertions(+)
create mode 100644 csharp/ql/test/library-tests/dataflow/operators/ImplicitConversionOperator.cs
create mode 100644 csharp/ql/test/library-tests/dataflow/operators/implicitConversionOperatorFlow.expected
create mode 100644 csharp/ql/test/library-tests/dataflow/operators/implicitConversionOperatorFlow.ql
diff --git a/csharp/ql/test/library-tests/dataflow/operators/ImplicitConversionOperator.cs b/csharp/ql/test/library-tests/dataflow/operators/ImplicitConversionOperator.cs
new file mode 100644
index 00000000000..05be934ecb3
--- /dev/null
+++ b/csharp/ql/test/library-tests/dataflow/operators/ImplicitConversionOperator.cs
@@ -0,0 +1,14 @@
+using System;
+
+public class TestImplicitConversionOperator
+{
+ static void Sink(object o) { }
+ static void TaintArgument(ArraySegment segment) { }
+
+ public void M1()
+ {
+ byte[] bytes = new byte[1];
+ TaintArgument(bytes);
+ Sink(bytes);
+ }
+}
diff --git a/csharp/ql/test/library-tests/dataflow/operators/implicitConversionOperatorFlow.expected b/csharp/ql/test/library-tests/dataflow/operators/implicitConversionOperatorFlow.expected
new file mode 100644
index 00000000000..e217064d1df
--- /dev/null
+++ b/csharp/ql/test/library-tests/dataflow/operators/implicitConversionOperatorFlow.expected
@@ -0,0 +1,4 @@
+edges
+nodes
+subpaths
+#select
diff --git a/csharp/ql/test/library-tests/dataflow/operators/implicitConversionOperatorFlow.ql b/csharp/ql/test/library-tests/dataflow/operators/implicitConversionOperatorFlow.ql
new file mode 100644
index 00000000000..74f7947a7c8
--- /dev/null
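Review bot: `Sink(bytes);` in `M1` has no comment stating whether taint is expected to arrive there, and the accompanying `.expected` file lists no results, so the test reads as a deliberate negative although the commit title suggests it is meant to record a flow that is currently missed. I would annotate the call, for example `Sink(bytes); // flow expected but currently missing: bytes is passed via the implicit byte[] -> ArraySegment conversion`, and give the `.ql` header a one-line description to match. A missed flow here matters for any query whose source is a buffer that a callee fills through an `ArraySegment` parameter, so the gap should be visible to whoever later updates the expected output. As shown on this page `ArraySegment segment` has no type argument; that is presumably `ArraySegment<byte>` lost in rendering, and worth a check against the real file.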
+++ b/csharp/ql/test/library-tests/dataflow/operators/implicitConversionOperatorFlow.ql
@@ -0,0 +1,29 @@
+/**
+ * @kind path-problem
+ */
+
+import csharp
+import semmle.code.csharp.dataflow.internal.DataFlowPrivate as DataFlowPrivate
+import Taint::PathGraph
+
+module TaintConfig implements DataFlow::ConfigSig {
+ predicate isSource(DataFlow::Node src) {
+ exists(MethodCall mc |
+ mc.getTarget().hasName("TaintArgument") and
+ mc.getAnArgument() = src.(DataFlowPrivate::PostUpdateNode).getPreUpdateNode().asExpr()
+ )
+ }
+
+ predicate isSink(DataFlow::Node sink) {
+ exists(MethodCall mc |
+ mc.getTarget().hasName("Sink") and
+ mc.getAnArgument() = sink.asExpr()
+ )
+ }
+}
+
+module Taint = TaintTracking::Global;
+
+from Taint::PathNode source, Taint::PathNode sink
+where Taint::flowPath(source, sink)
+select sink, source, sink, "$@", source, source.toString()
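Review bot: `isSource` takes the post-update node whose pre-update expression equals `mc.getAnArgument()`, but nothing in the predicate says why, and at the `TaintArgument(bytes)` call that argument is presumably the implicit conversion wrapping `bytes` rather than the `bytes` access itself. A short comment above the `exists` would make the intent reviewable, e.g. `// Source: the argument as updated by the call; with an implicit conversion this is the converted value, not the original byte[] access.`, with the wording to be confirmed against the actual node types. The test also reaches into `semmle.code.csharp.dataflow.internal.DataFlowPrivate`, so it is tied to an internal module and may need touching when that module changes. As shown on this page `TaintTracking::Global` has no module argument, which leaves `TaintConfig` unused; presumably `Global<TaintConfig>` was lost in rendering.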