C#: Address review comments

2026-04-30 11:15:13 +02:00 · 2019-05-15 14:10:42 +02:00
parent 89e60dc9bf
commit 949b3601d0
8 changed files with 36 additions and 46 deletions
--- a/Features/CWE-798/HardcodedCredentials.ql
+++ b/Features/CWE-798/HardcodedCredentials.ql
@@ -21,7 +21,7 @@ from
 where
  source = sourcePath.getNode() and
  sink = sinkPath.getNode() and
-  c.hasFlow(source, sink) and
+  c.hasFlowPath(sourcePath, sinkPath) and
  // Print the source value if it's available
  if exists(source.asExpr().getValue())
  then value = "The hard-coded value \"" + source.asExpr().getValue() + "\""
--- a/csharp/ql/src/semmle/code/csharp/dataflow/CallContext.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/CallContext.qll
@@ -33,7 +33,7 @@ class CallContext extends TCallContext {
 class EmptyCallContext extends CallContext, TEmptyCallContext {
  override string toString() { result = "<empty>" }

-  override Location getLocation() { result instanceof EmptyLocation }
+  override EmptyLocation getLocation() { any() }
 }

 /**
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/ControlFlowReachability.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/ControlFlowReachability.qll
@@ -2,26 +2,34 @@ import csharp
 private import DataFlowPrivate
 private import DataFlowPublic

-private ControlFlowElement getAScope(boolean exactScope) {
-  exists(ControlFlowReachabilityConfiguration c |
-    c.candidate(_, _, result, exactScope, _) or
-    c.candidateDef(_, _, result, exactScope, _)
-  )
+private class ControlFlowScope extends ControlFlowElement {
+  private boolean exactScope;
+
+  ControlFlowScope() {
+    exists(ControlFlowReachabilityConfiguration c |
+      c.candidate(_, _, this, exactScope, _) or
+      c.candidateDef(_, _, this, exactScope, _)
+    )
+  }
+
+  predicate isExact() { exactScope = true }
+
+  predicate isNonExact() { exactScope = false }
 }

-private ControlFlowElement getANonExactScopeChild(ControlFlowElement scope) {
-  scope = getAScope(false) and
+private ControlFlowElement getANonExactScopeChild(ControlFlowScope scope) {
+  scope.isNonExact() and
  result = scope
  or
  result = getANonExactScopeChild(scope).getAChild()
 }

 pragma[noinline]
-private ControlFlow::BasicBlock getABasicBlockInScope(ControlFlowElement scope, boolean exactScope) {
+private ControlFlow::BasicBlock getABasicBlockInScope(ControlFlowScope scope, boolean exactScope) {
  result.getANode().getElement() = getANonExactScopeChild(scope) and
  exactScope = false
  or
-  scope = getAScope(true) and
+  scope.isExact() and
  result.getANode().getElement() = scope and
  exactScope = true
 }
--- a/csharp/ql/src/semmle/code/csharp/exprs/Creation.qll
+++ b/csharp/ql/src/semmle/code/csharp/exprs/Creation.qll
@@ -380,7 +380,11 @@ class AnonymousFunctionExpr extends Expr, Callable, @anonymous_function_expr {
  override string getName() { result = "<anonymous>" }

  override Type getReturnType() {
-    result = getType().(SystemLinqExpressions::DelegateExtType).getDelegateType().getReturnType()
+    result = this
+          .getType()
+          .(SystemLinqExpressions::DelegateExtType)
+          .getDelegateType()
+          .getReturnType()
  }

  override AnonymousFunctionExpr getSourceDeclaration() { result = this }
--- a/csharp/ql/src/semmle/code/csharp/security/dataflow/HardcodedCredentials.qll
+++ b/csharp/ql/src/semmle/code/csharp/security/dataflow/HardcodedCredentials.qll
@@ -55,21 +55,21 @@ module HardcodedCredentials {
      not any(ReturnedByMockObject mock).getAnArgument() = sink.asExpr()
    }

-    override predicate hasFlow(DataFlow::Node source, DataFlow::Node sink) {
-      super.hasFlow(source, sink) and
+    override predicate hasFlowPath(DataFlow::PathNode source, DataFlow::PathNode sink) {
+      super.hasFlowPath(source, sink) and
      // Exclude hard-coded credentials in tests if they only flow to calls to methods with a name
      // like "Add*" "Create*" or "Update*". The rationale is that hard-coded credentials within
      // tests that are only used for creating or setting values within tests are unlikely to
      // represent credentials to some accessible system.
      not (
-        source.asExpr().getFile() instanceof TestFile and
+        source.getNode().asExpr().getFile() instanceof TestFile and
        exists(MethodCall createOrAddCall, string createOrAddMethodName |
          createOrAddMethodName.matches("Update%") or
          createOrAddMethodName.matches("Create%") or
          createOrAddMethodName.matches("Add%")
        |
          createOrAddCall.getTarget().hasName(createOrAddMethodName) and
-          createOrAddCall.getAnArgument() = sink.asExpr()
+          createOrAddCall.getAnArgument() = sink.getNode().asExpr()
        )
      )
    }
--- a/csharp/ql/src/semmle/code/csharp/security/dataflow/ReDoS.qll
+++ b/csharp/ql/src/semmle/code/csharp/security/dataflow/ReDoS.qll
@@ -40,15 +40,15 @@ module ReDoS {
      // a sub class of `Sink`, as that results in bad aggregate
      // recursion. Therefore, we overestimate the sinks here
      // and make the restriction later by overriding
-      // `hasFlow()` below.
+      // `hasFlowPath()` below.
      sink.asExpr() = any(RegexOperation ro).getInput()
    }

    override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }

-    override predicate hasFlow(DataFlow::Node source, DataFlow::Node sink) {
-      super.hasFlow(source, sink) and
-      (sink instanceof Sink or sink instanceof ExponentialRegexSink)
+    override predicate hasFlowPath(DataFlow::PathNode source, DataFlow::PathNode sink) {
+      super.hasFlowPath(source, sink) and
+      (sink.getNode() instanceof Sink or sink.getNode() instanceof ExponentialRegexSink)
    }
  }

--- a/csharp/ql/src/semmle/code/csharp/security/dataflow/XMLEntityInjection.qll
+++ b/csharp/ql/src/semmle/code/csharp/security/dataflow/XMLEntityInjection.qll
@@ -39,7 +39,7 @@ module XMLEntityInjection {
      // in the charpred, as that results in bad aggregate
      // recursion. Therefore, we overestimate the sinks here
      // and make the restriction later by overriding
-      // `hasFlow()` below.
+      // `hasFlowPath()` below.
      this.getExpr() = any(MethodCall mc |
          mc.getTarget().hasQualifiedName("System.Xml.XmlReader.Create") or
          mc.getTarget().hasQualifiedName("System.Xml.XmlDocument.Load") or
@@ -75,9 +75,9 @@ module XMLEntityInjection {

    override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }

-    override predicate hasFlow(DataFlow::Node source, DataFlow::Node sink) {
-      super.hasFlow(source, sink) and
-      exists(sink.(Sink).getReason())
+    override predicate hasFlowPath(DataFlow::PathNode source, DataFlow::PathNode sink) {
+      super.hasFlowPath(source, sink) and
+      exists(sink.getNode().(Sink).getReason())
    }
  }

--- a/Features/CWE-798/HardcodedCredentials.expected
+++ b/Features/CWE-798/HardcodedCredentials.expected
@@ -11,32 +11,10 @@ edges
 | TestHardcodedCredentials.cs:26:19:26:28 | "username" | TestHardcodedCredentials.cs:26:19:26:28 | "username" |
 #select
 | HardcodedCredentials.cs:17:25:17:36 | "myPa55word" | HardcodedCredentials.cs:17:25:17:36 | "myPa55word" | HardcodedCredentials.cs:17:25:17:36 | "myPa55word" | The hard-coded value "myPa55word" flows to $@ which is compared against $@. | HardcodedCredentials.cs:17:25:17:36 | "myPa55word" | "myPa55word" | HardcodedCredentials.cs:17:13:17:20 | access to local variable password | access to local variable password |
-| HardcodedCredentials.cs:17:25:17:36 | "myPa55word" | HardcodedCredentials.cs:17:25:17:36 | "myPa55word" | HardcodedCredentials.cs:17:25:17:36 | "myPa55word" | The hard-coded value "myPa55word" flows to $@ which is compared against $@. | HardcodedCredentials.cs:17:25:17:36 | "myPa55word" | "myPa55word" | HardcodedCredentials.cs:17:13:17:20 | access to local variable password | access to local variable password |
-| HardcodedCredentials.cs:17:25:17:36 | "myPa55word" | HardcodedCredentials.cs:17:25:17:36 | "myPa55word" | HardcodedCredentials.cs:17:25:17:36 | "myPa55word" | The hard-coded value "myPa55word" flows to $@ which is compared against $@. | HardcodedCredentials.cs:17:25:17:36 | "myPa55word" | "myPa55word" | HardcodedCredentials.cs:17:13:17:20 | access to local variable password | access to local variable password |
-| HardcodedCredentials.cs:17:25:17:36 | "myPa55word" | HardcodedCredentials.cs:17:25:17:36 | "myPa55word" | HardcodedCredentials.cs:17:25:17:36 | "myPa55word" | The hard-coded value "myPa55word" flows to $@ which is compared against $@. | HardcodedCredentials.cs:17:25:17:36 | "myPa55word" | "myPa55word" | HardcodedCredentials.cs:17:13:17:20 | access to local variable password | access to local variable password |
 | HardcodedCredentials.cs:33:19:33:28 | "username" | HardcodedCredentials.cs:33:19:33:28 | "username" | HardcodedCredentials.cs:33:19:33:28 | "username" | The hard-coded value "username" flows to the $@ parameter in $@. | HardcodedCredentials.cs:33:19:33:28 | "username" | name | HardcodedCredentials.cs:31:31:45:13 | object creation of type MembershipUser | object creation of type MembershipUser |
-| HardcodedCredentials.cs:33:19:33:28 | "username" | HardcodedCredentials.cs:33:19:33:28 | "username" | HardcodedCredentials.cs:33:19:33:28 | "username" | The hard-coded value "username" flows to the $@ parameter in $@. | HardcodedCredentials.cs:33:19:33:28 | "username" | name | HardcodedCredentials.cs:31:31:45:13 | object creation of type MembershipUser | object creation of type MembershipUser |
-| HardcodedCredentials.cs:33:19:33:28 | "username" | HardcodedCredentials.cs:33:19:33:28 | "username" | HardcodedCredentials.cs:33:19:33:28 | "username" | The hard-coded value "username" flows to the $@ parameter in $@. | HardcodedCredentials.cs:33:19:33:28 | "username" | name | HardcodedCredentials.cs:31:31:45:13 | object creation of type MembershipUser | object creation of type MembershipUser |
-| HardcodedCredentials.cs:33:19:33:28 | "username" | HardcodedCredentials.cs:33:19:33:28 | "username" | HardcodedCredentials.cs:33:19:33:28 | "username" | The hard-coded value "username" flows to the $@ parameter in $@. | HardcodedCredentials.cs:33:19:33:28 | "username" | name | HardcodedCredentials.cs:31:31:45:13 | object creation of type MembershipUser | object creation of type MembershipUser |
-| HardcodedCredentials.cs:47:39:47:53 | "myNewPa55word" | HardcodedCredentials.cs:47:39:47:53 | "myNewPa55word" | HardcodedCredentials.cs:47:39:47:53 | "myNewPa55word" | The hard-coded value "myNewPa55word" flows to the $@ parameter in $@. | HardcodedCredentials.cs:47:39:47:53 | "myNewPa55word" | newPassword | HardcodedCredentials.cs:47:9:47:54 | call to method ChangePassword | call to method ChangePassword |
-| HardcodedCredentials.cs:47:39:47:53 | "myNewPa55word" | HardcodedCredentials.cs:47:39:47:53 | "myNewPa55word" | HardcodedCredentials.cs:47:39:47:53 | "myNewPa55word" | The hard-coded value "myNewPa55word" flows to the $@ parameter in $@. | HardcodedCredentials.cs:47:39:47:53 | "myNewPa55word" | newPassword | HardcodedCredentials.cs:47:9:47:54 | call to method ChangePassword | call to method ChangePassword |
-| HardcodedCredentials.cs:47:39:47:53 | "myNewPa55word" | HardcodedCredentials.cs:47:39:47:53 | "myNewPa55word" | HardcodedCredentials.cs:47:39:47:53 | "myNewPa55word" | The hard-coded value "myNewPa55word" flows to the $@ parameter in $@. | HardcodedCredentials.cs:47:39:47:53 | "myNewPa55word" | newPassword | HardcodedCredentials.cs:47:9:47:54 | call to method ChangePassword | call to method ChangePassword |
 | HardcodedCredentials.cs:47:39:47:53 | "myNewPa55word" | HardcodedCredentials.cs:47:39:47:53 | "myNewPa55word" | HardcodedCredentials.cs:47:39:47:53 | "myNewPa55word" | The hard-coded value "myNewPa55word" flows to the $@ parameter in $@. | HardcodedCredentials.cs:47:39:47:53 | "myNewPa55word" | newPassword | HardcodedCredentials.cs:47:9:47:54 | call to method ChangePassword | call to method ChangePassword |
 | HardcodedCredentials.cs:49:30:49:60 | array creation of type Byte[] | HardcodedCredentials.cs:49:30:49:60 | array creation of type Byte[] | HardcodedCredentials.cs:52:13:52:23 | access to local variable rawCertData | This hard-coded value flows to the $@ parameter in $@. | HardcodedCredentials.cs:52:13:52:23 | access to local variable rawCertData | rawData | HardcodedCredentials.cs:51:33:53:25 | object creation of type X509Certificate2 | object creation of type X509Certificate2 |
-| HardcodedCredentials.cs:49:30:49:60 | array creation of type Byte[] | HardcodedCredentials.cs:49:30:49:60 | array creation of type Byte[] | HardcodedCredentials.cs:52:13:52:23 | access to local variable rawCertData | This hard-coded value flows to the $@ parameter in $@. | HardcodedCredentials.cs:52:13:52:23 | access to local variable rawCertData | rawData | HardcodedCredentials.cs:51:33:53:25 | object creation of type X509Certificate2 | object creation of type X509Certificate2 |
-| HardcodedCredentials.cs:53:13:53:24 | "myPa55word" | HardcodedCredentials.cs:53:13:53:24 | "myPa55word" | HardcodedCredentials.cs:53:13:53:24 | "myPa55word" | The hard-coded value "myPa55word" flows to the $@ parameter in $@. | HardcodedCredentials.cs:53:13:53:24 | "myPa55word" | password | HardcodedCredentials.cs:51:33:53:25 | object creation of type X509Certificate2 | object creation of type X509Certificate2 |
-| HardcodedCredentials.cs:53:13:53:24 | "myPa55word" | HardcodedCredentials.cs:53:13:53:24 | "myPa55word" | HardcodedCredentials.cs:53:13:53:24 | "myPa55word" | The hard-coded value "myPa55word" flows to the $@ parameter in $@. | HardcodedCredentials.cs:53:13:53:24 | "myPa55word" | password | HardcodedCredentials.cs:51:33:53:25 | object creation of type X509Certificate2 | object creation of type X509Certificate2 |
-| HardcodedCredentials.cs:53:13:53:24 | "myPa55word" | HardcodedCredentials.cs:53:13:53:24 | "myPa55word" | HardcodedCredentials.cs:53:13:53:24 | "myPa55word" | The hard-coded value "myPa55word" flows to the $@ parameter in $@. | HardcodedCredentials.cs:53:13:53:24 | "myPa55word" | password | HardcodedCredentials.cs:51:33:53:25 | object creation of type X509Certificate2 | object creation of type X509Certificate2 |
 | HardcodedCredentials.cs:53:13:53:24 | "myPa55word" | HardcodedCredentials.cs:53:13:53:24 | "myPa55word" | HardcodedCredentials.cs:53:13:53:24 | "myPa55word" | The hard-coded value "myPa55word" flows to the $@ parameter in $@. | HardcodedCredentials.cs:53:13:53:24 | "myPa55word" | password | HardcodedCredentials.cs:51:33:53:25 | object creation of type X509Certificate2 | object creation of type X509Certificate2 |
 | HardcodedCredentials.cs:76:31:76:42 | "myusername" | HardcodedCredentials.cs:76:31:76:42 | "myusername" | HardcodedCredentials.cs:76:31:76:42 | "myusername" | The hard-coded value "myusername" flows to the $@ parameter in $@. | HardcodedCredentials.cs:76:31:76:42 | "myusername" | username | HardcodedCredentials.cs:76:9:76:57 | call to method CreateUser | call to method CreateUser |
-| HardcodedCredentials.cs:76:31:76:42 | "myusername" | HardcodedCredentials.cs:76:31:76:42 | "myusername" | HardcodedCredentials.cs:76:31:76:42 | "myusername" | The hard-coded value "myusername" flows to the $@ parameter in $@. | HardcodedCredentials.cs:76:31:76:42 | "myusername" | username | HardcodedCredentials.cs:76:9:76:57 | call to method CreateUser | call to method CreateUser |
-| HardcodedCredentials.cs:76:31:76:42 | "myusername" | HardcodedCredentials.cs:76:31:76:42 | "myusername" | HardcodedCredentials.cs:76:31:76:42 | "myusername" | The hard-coded value "myusername" flows to the $@ parameter in $@. | HardcodedCredentials.cs:76:31:76:42 | "myusername" | username | HardcodedCredentials.cs:76:9:76:57 | call to method CreateUser | call to method CreateUser |
-| HardcodedCredentials.cs:76:31:76:42 | "myusername" | HardcodedCredentials.cs:76:31:76:42 | "myusername" | HardcodedCredentials.cs:76:31:76:42 | "myusername" | The hard-coded value "myusername" flows to the $@ parameter in $@. | HardcodedCredentials.cs:76:31:76:42 | "myusername" | username | HardcodedCredentials.cs:76:9:76:57 | call to method CreateUser | call to method CreateUser |
-| HardcodedCredentials.cs:76:45:76:56 | "mypassword" | HardcodedCredentials.cs:76:45:76:56 | "mypassword" | HardcodedCredentials.cs:76:45:76:56 | "mypassword" | The hard-coded value "mypassword" flows to the $@ parameter in $@. | HardcodedCredentials.cs:76:45:76:56 | "mypassword" | password | HardcodedCredentials.cs:76:9:76:57 | call to method CreateUser | call to method CreateUser |
-| HardcodedCredentials.cs:76:45:76:56 | "mypassword" | HardcodedCredentials.cs:76:45:76:56 | "mypassword" | HardcodedCredentials.cs:76:45:76:56 | "mypassword" | The hard-coded value "mypassword" flows to the $@ parameter in $@. | HardcodedCredentials.cs:76:45:76:56 | "mypassword" | password | HardcodedCredentials.cs:76:9:76:57 | call to method CreateUser | call to method CreateUser |
-| HardcodedCredentials.cs:76:45:76:56 | "mypassword" | HardcodedCredentials.cs:76:45:76:56 | "mypassword" | HardcodedCredentials.cs:76:45:76:56 | "mypassword" | The hard-coded value "mypassword" flows to the $@ parameter in $@. | HardcodedCredentials.cs:76:45:76:56 | "mypassword" | password | HardcodedCredentials.cs:76:9:76:57 | call to method CreateUser | call to method CreateUser |
 | HardcodedCredentials.cs:76:45:76:56 | "mypassword" | HardcodedCredentials.cs:76:45:76:56 | "mypassword" | HardcodedCredentials.cs:76:45:76:56 | "mypassword" | The hard-coded value "mypassword" flows to the $@ parameter in $@. | HardcodedCredentials.cs:76:45:76:56 | "mypassword" | password | HardcodedCredentials.cs:76:9:76:57 | call to method CreateUser | call to method CreateUser |
 | TestHardcodedCredentials.cs:26:19:26:28 | "username" | TestHardcodedCredentials.cs:26:19:26:28 | "username" | TestHardcodedCredentials.cs:26:19:26:28 | "username" | The hard-coded value "username" flows to the $@ parameter in $@. | TestHardcodedCredentials.cs:26:19:26:28 | "username" | name | TestHardcodedCredentials.cs:24:31:38:13 | object creation of type MembershipUser | object creation of type MembershipUser |
-| TestHardcodedCredentials.cs:26:19:26:28 | "username" | TestHardcodedCredentials.cs:26:19:26:28 | "username" | TestHardcodedCredentials.cs:26:19:26:28 | "username" | The hard-coded value "username" flows to the $@ parameter in $@. | TestHardcodedCredentials.cs:26:19:26:28 | "username" | name | TestHardcodedCredentials.cs:24:31:38:13 | object creation of type MembershipUser | object creation of type MembershipUser |
-| TestHardcodedCredentials.cs:26:19:26:28 | "username" | TestHardcodedCredentials.cs:26:19:26:28 | "username" | TestHardcodedCredentials.cs:26:19:26:28 | "username" | The hard-coded value "username" flows to the $@ parameter in $@. | TestHardcodedCredentials.cs:26:19:26:28 | "username" | name | TestHardcodedCredentials.cs:24:31:38:13 | object creation of type MembershipUser | object creation of type MembershipUser |
-| TestHardcodedCredentials.cs:26:19:26:28 | "username" | TestHardcodedCredentials.cs:26:19:26:28 | "username" | TestHardcodedCredentials.cs:26:19:26:28 | "username" | The hard-coded value "username" flows to the $@ parameter in $@. | TestHardcodedCredentials.cs:26:19:26:28 | "username" | name | TestHardcodedCredentials.cs:24:31:38:13 | object creation of type MembershipUser | object creation of type MembershipUser |