C#: Update test expected output.

This commit is contained in:
Michael Nebel
2025-07-01 13:13:59 +02:00
parent 13b40bbab4
commit 8ee16f68a7
2 changed files with 11 additions and 2 deletions


@@ -19,7 +19,7 @@ class BadBinaryFormatter2
public static object Deserialize(TextBox type, TextBox data)
{
var ds = new BinaryFormatter();
// BAD - BUT NOT DETECTED
// BAD
return ds.Deserialize(new MemoryStream(Convert.FromBase64String(data.Text)));
}
}
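Review bot: The `type` parameter on the `Deserialize` signature line is never read in the body shown (only `data.Text` feeds the formatter), so it reads as an unused parameter; if it is kept only so this case mirrors a sibling test, a comment such as `// type is intentionally unused; keeps the signature aligned with the sibling case` makes that explicit. The surviving `// BAD` marker would also be more useful to the next reader if it named what the query is expected to flag, e.g. `// BAD: user-controlled TextBox text reaches BinaryFormatter.Deserialize via Convert.FromBase64String`. Which of the two comment lines is the removed one is not recoverable from this view; I assume `// BAD` is the new text, given that the accompanying expected output now reports this method.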


@@ -1,5 +1,6 @@
#select
| BinaryFormatterUntrustedInputBad.cs:13:31:13:84 | object creation of type MemoryStream | BinaryFormatterUntrustedInputBad.cs:13:71:13:77 | access to parameter textBox : TextBox | BinaryFormatterUntrustedInputBad.cs:13:31:13:84 | object creation of type MemoryStream | $@ flows to unsafe deserializer. | BinaryFormatterUntrustedInputBad.cs:13:71:13:77 | access to parameter textBox : TextBox | User-provided data |
| BinaryFormatterUntrustedInputBad.cs:23:31:23:83 | object creation of type MemoryStream | BinaryFormatterUntrustedInputBad.cs:23:73:23:76 | access to parameter data : TextBox | BinaryFormatterUntrustedInputBad.cs:23:31:23:83 | object creation of type MemoryStream | $@ flows to unsafe deserializer. | BinaryFormatterUntrustedInputBad.cs:23:73:23:76 | access to parameter data : TextBox | User-provided data |
| DataContractJsonSerializerUntrustedInputBad.cs:13:30:13:80 | object creation of type MemoryStream | DataContractJsonSerializerUntrustedInputBad.cs:13:70:13:73 | access to parameter data : TextBox | DataContractJsonSerializerUntrustedInputBad.cs:13:30:13:80 | object creation of type MemoryStream | $@ flows to unsafe deserializer. | DataContractJsonSerializerUntrustedInputBad.cs:13:70:13:73 | access to parameter data : TextBox | User-provided data |
| DataContractSerializerUntrustedInputBad.cs:13:30:13:80 | object creation of type MemoryStream | DataContractSerializerUntrustedInputBad.cs:13:70:13:73 | access to parameter data : TextBox | DataContractSerializerUntrustedInputBad.cs:13:30:13:80 | object creation of type MemoryStream | $@ flows to unsafe deserializer. | DataContractSerializerUntrustedInputBad.cs:13:70:13:73 | access to parameter data : TextBox | User-provided data |
| ResourceReaderUntrustedInputBad.cs:11:37:11:87 | object creation of type MemoryStream | ResourceReaderUntrustedInputBad.cs:11:77:11:80 | access to parameter data : TextBox | ResourceReaderUntrustedInputBad.cs:11:37:11:87 | object creation of type MemoryStream | $@ flows to unsafe deserializer. | ResourceReaderUntrustedInputBad.cs:11:77:11:80 | access to parameter data : TextBox | User-provided data |
@@ -10,6 +11,9 @@ edges
| BinaryFormatterUntrustedInputBad.cs:13:48:13:83 | call to method GetBytes : Byte[] | BinaryFormatterUntrustedInputBad.cs:13:31:13:84 | object creation of type MemoryStream | provenance | MaD:1 |
| BinaryFormatterUntrustedInputBad.cs:13:71:13:77 | access to parameter textBox : TextBox | BinaryFormatterUntrustedInputBad.cs:13:71:13:82 | access to property Text : String | provenance | MaD:3 |
| BinaryFormatterUntrustedInputBad.cs:13:71:13:82 | access to property Text : String | BinaryFormatterUntrustedInputBad.cs:13:48:13:83 | call to method GetBytes : Byte[] | provenance | MaD:2 |
| BinaryFormatterUntrustedInputBad.cs:23:48:23:82 | call to method FromBase64String : Byte[] [element] : Object | BinaryFormatterUntrustedInputBad.cs:23:31:23:83 | object creation of type MemoryStream | provenance | MaD:1 |
| BinaryFormatterUntrustedInputBad.cs:23:73:23:76 | access to parameter data : TextBox | BinaryFormatterUntrustedInputBad.cs:23:73:23:81 | access to property Text : String | provenance | MaD:3 |
| BinaryFormatterUntrustedInputBad.cs:23:73:23:81 | access to property Text : String | BinaryFormatterUntrustedInputBad.cs:23:48:23:82 | call to method FromBase64String : Byte[] [element] : Object | provenance | MaD:4 |
| DataContractJsonSerializerUntrustedInputBad.cs:13:47:13:79 | call to method GetBytes : Byte[] | DataContractJsonSerializerUntrustedInputBad.cs:13:30:13:80 | object creation of type MemoryStream | provenance | MaD:1 |
| DataContractJsonSerializerUntrustedInputBad.cs:13:70:13:73 | access to parameter data : TextBox | DataContractJsonSerializerUntrustedInputBad.cs:13:70:13:78 | access to property Text : String | provenance | MaD:3 |
| DataContractJsonSerializerUntrustedInputBad.cs:13:70:13:78 | access to property Text : String | DataContractJsonSerializerUntrustedInputBad.cs:13:47:13:79 | call to method GetBytes : Byte[] | provenance | MaD:2 |
@@ -27,14 +31,19 @@ edges
| XmlSerializerUntrustedInputBad.cs:13:71:13:74 | access to parameter data : TextBox | XmlSerializerUntrustedInputBad.cs:13:71:13:79 | access to property Text : String | provenance | MaD:3 |
| XmlSerializerUntrustedInputBad.cs:13:71:13:79 | access to property Text : String | XmlSerializerUntrustedInputBad.cs:13:48:13:80 | call to method GetBytes : Byte[] | provenance | MaD:2 |
models
| 1 | Summary: System.IO; MemoryStream; false; MemoryStream; (System.Byte[]); ; Argument[0]; Argument[this]; taint; manual |
| 1 | Summary: System.IO; MemoryStream; false; MemoryStream; (System.Byte[]); ; Argument[0].Element; Argument[this]; taint; manual |
| 2 | Summary: System.Text; Encoding; true; GetBytes; (System.String); ; Argument[0]; ReturnValue; taint; manual |
| 3 | Summary: System.Web.UI.WebControls; TextBox; false; get_Text; (); ; Argument[this]; ReturnValue; taint; manual |
| 4 | Summary: System; Convert; false; FromBase64String; (System.String); ; Argument[0]; ReturnValue.Element; taint; manual |
nodes
| BinaryFormatterUntrustedInputBad.cs:13:31:13:84 | object creation of type MemoryStream | semmle.label | object creation of type MemoryStream |
| BinaryFormatterUntrustedInputBad.cs:13:48:13:83 | call to method GetBytes : Byte[] | semmle.label | call to method GetBytes : Byte[] |
| BinaryFormatterUntrustedInputBad.cs:13:71:13:77 | access to parameter textBox : TextBox | semmle.label | access to parameter textBox : TextBox |
| BinaryFormatterUntrustedInputBad.cs:13:71:13:82 | access to property Text : String | semmle.label | access to property Text : String |
| BinaryFormatterUntrustedInputBad.cs:23:31:23:83 | object creation of type MemoryStream | semmle.label | object creation of type MemoryStream |
| BinaryFormatterUntrustedInputBad.cs:23:48:23:82 | call to method FromBase64String : Byte[] [element] : Object | semmle.label | call to method FromBase64String : Byte[] [element] : Object |
| BinaryFormatterUntrustedInputBad.cs:23:73:23:76 | access to parameter data : TextBox | semmle.label | access to parameter data : TextBox |
| BinaryFormatterUntrustedInputBad.cs:23:73:23:81 | access to property Text : String | semmle.label | access to property Text : String |
| DataContractJsonSerializerUntrustedInputBad.cs:13:30:13:80 | object creation of type MemoryStream | semmle.label | object creation of type MemoryStream |
| DataContractJsonSerializerUntrustedInputBad.cs:13:47:13:79 | call to method GetBytes : Byte[] | semmle.label | call to method GetBytes : Byte[] |
| DataContractJsonSerializerUntrustedInputBad.cs:13:70:13:73 | access to parameter data : TextBox | semmle.label | access to parameter data : TextBox |