hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-26 01:05:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

C#: Add more data flow tests

Browse Source 
Add tests that exhibit missing type pruning.
This commit is contained in:
Tom Hvitved
2019-09-10 21:13:54 +02:00
committed by Tom Hvitved
parent 78ddb37a8c
commit a344707baa
5 changed files with 358 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files

99
csharp/ql/test/library-tests/cil/dataflow/DataFlow.expected
View File

@@ -1,19 +1,80 @@
| dataflow.cs:18:18:18:26 | "tainted" | dataflow.cs:18:18:18:37 | call to method ToString |
| dataflow.cs:20:27:20:27 | 2 | dataflow.cs:20:18:20:31 | call to method Max |
| dataflow.cs:20:30:20:30 | 3 | dataflow.cs:20:18:20:31 | call to method Max |
| dataflow.cs:21:29:21:31 | 0.5 | dataflow.cs:21:18:21:32 | call to method Round |
| dataflow.cs:22:45:22:53 | "tainted" | dataflow.cs:22:18:22:54 | call to method GetFullPath |
| dataflow.cs:29:44:29:46 | 1 | dataflow.cs:29:18:29:52 | call to method IEEERemainder |
| dataflow.cs:29:49:29:51 | 2 | dataflow.cs:29:18:29:52 | call to method IEEERemainder |
| dataflow.cs:40:34:40:37 | "d1" | dataflow.cs:40:18:40:38 | call to method Taint1 |
| dataflow.cs:41:34:41:37 | "d2" | dataflow.cs:41:18:41:38 | call to method Taint2 |
| dataflow.cs:42:34:42:37 | "d3" | dataflow.cs:42:18:42:38 | call to method Taint3 |
| dataflow.cs:46:28:46:32 | "t1a" | dataflow.cs:46:18:46:40 | call to method Taint1 |
| dataflow.cs:46:35:46:39 | "t1b" | dataflow.cs:46:18:46:40 | call to method Taint1 |
| dataflow.cs:49:35:49:38 | "t6" | dataflow.cs:49:18:49:45 | call to method TaintIndirect |
| dataflow.cs:49:41:49:44 | "t6" | dataflow.cs:49:18:49:45 | call to method TaintIndirect |
| dataflow.cs:102:30:102:33 | null | dataflow.cs:74:21:74:52 | ... ?? ... |
| dataflow.cs:102:30:102:33 | null | dataflow.cs:89:24:89:51 | ... ? ... : ... |
| dataflow.cs:102:30:102:33 | null | dataflow.cs:108:20:108:33 | call to method IndirectNull |
| dataflow.cs:109:23:109:26 | null | dataflow.cs:74:21:74:52 | ... ?? ... |
| dataflow.cs:109:23:109:26 | null | dataflow.cs:89:24:89:51 | ... ? ... : ... |
edges
| dataflow.cs:18:18:18:26 | "tainted" : String | dataflow.cs:18:18:18:37 | call to method ToString |
| dataflow.cs:20:27:20:27 | 2 : Int32 | dataflow.cs:20:18:20:31 | call to method Max |
| dataflow.cs:20:30:20:30 | 3 : Int32 | dataflow.cs:20:18:20:31 | call to method Max |
| dataflow.cs:21:29:21:31 | 0.5 : Double | dataflow.cs:21:18:21:32 | call to method Round |
| dataflow.cs:22:45:22:53 | "tainted" : String | dataflow.cs:22:18:22:54 | call to method GetFullPath |
| dataflow.cs:29:44:29:46 | 1 : Double | dataflow.cs:29:18:29:52 | call to method IEEERemainder |
| dataflow.cs:29:49:29:51 | 2 : Double | dataflow.cs:29:18:29:52 | call to method IEEERemainder |
| dataflow.cs:40:34:40:37 | "d1" : String | dataflow.cs:40:18:40:38 | call to method Taint1 |
| dataflow.cs:41:34:41:37 | "d2" : String | dataflow.cs:41:18:41:38 | call to method Taint2 |
| dataflow.cs:42:34:42:37 | "d3" : String | dataflow.cs:42:18:42:38 | call to method Taint3 |
| dataflow.cs:46:28:46:32 | "t1a" : String | dataflow.cs:46:18:46:40 | call to method Taint1 |
| dataflow.cs:46:35:46:39 | "t1b" : String | dataflow.cs:46:18:46:40 | call to method Taint1 |
| dataflow.cs:49:35:49:38 | "t6" : String | dataflow.cs:49:18:49:45 | call to method TaintIndirect |
| dataflow.cs:49:41:49:44 | "t6" : String | dataflow.cs:49:18:49:45 | call to method TaintIndirect |
| dataflow.cs:74:21:74:34 | call to method NullFunction : null | dataflow.cs:74:21:74:52 | ... ?? ... |
| dataflow.cs:74:39:74:52 | call to method IndirectNull : null | dataflow.cs:74:21:74:52 | ... ?? ... |
| dataflow.cs:89:31:89:44 | call to method NullFunction : null | dataflow.cs:89:24:89:51 | ... ? ... : ... |
| dataflow.cs:102:30:102:33 | null : null | dataflow.cs:74:39:74:52 | call to method IndirectNull : null |
| dataflow.cs:102:30:102:33 | null : null | dataflow.cs:108:20:108:33 | call to method IndirectNull |
| dataflow.cs:102:30:102:33 | null : null | dataflow.cs:108:20:108:33 | call to method IndirectNull : null |
| dataflow.cs:108:20:108:33 | call to method IndirectNull : null | dataflow.cs:110:16:110:16 | access to local variable x : null |
| dataflow.cs:109:23:109:26 | null : null | dataflow.cs:110:16:110:16 | access to local variable x : null |
| dataflow.cs:110:16:110:16 | access to local variable x : null | dataflow.cs:74:21:74:34 | call to method NullFunction : null |
| dataflow.cs:110:16:110:16 | access to local variable x : null | dataflow.cs:89:31:89:44 | call to method NullFunction : null |
nodes
| dataflow.cs:18:18:18:26 | "tainted" : String | semmle.label | "tainted" : String |
| dataflow.cs:18:18:18:37 | call to method ToString | semmle.label | call to method ToString |
| dataflow.cs:20:18:20:31 | call to method Max | semmle.label | call to method Max |
| dataflow.cs:20:27:20:27 | 2 : Int32 | semmle.label | 2 : Int32 |
| dataflow.cs:20:30:20:30 | 3 : Int32 | semmle.label | 3 : Int32 |
| dataflow.cs:21:18:21:32 | call to method Round | semmle.label | call to method Round |
| dataflow.cs:21:29:21:31 | 0.5 : Double | semmle.label | 0.5 : Double |
| dataflow.cs:22:18:22:54 | call to method GetFullPath | semmle.label | call to method GetFullPath |
| dataflow.cs:22:45:22:53 | "tainted" : String | semmle.label | "tainted" : String |
| dataflow.cs:29:18:29:52 | call to method IEEERemainder | semmle.label | call to method IEEERemainder |
| dataflow.cs:29:44:29:46 | 1 : Double | semmle.label | 1 : Double |
| dataflow.cs:29:49:29:51 | 2 : Double | semmle.label | 2 : Double |
| dataflow.cs:40:18:40:38 | call to method Taint1 | semmle.label | call to method Taint1 |
| dataflow.cs:40:34:40:37 | "d1" : String | semmle.label | "d1" : String |
| dataflow.cs:41:18:41:38 | call to method Taint2 | semmle.label | call to method Taint2 |
| dataflow.cs:41:34:41:37 | "d2" : String | semmle.label | "d2" : String |
| dataflow.cs:42:18:42:38 | call to method Taint3 | semmle.label | call to method Taint3 |
| dataflow.cs:42:34:42:37 | "d3" : String | semmle.label | "d3" : String |
| dataflow.cs:46:18:46:40 | call to method Taint1 | semmle.label | call to method Taint1 |
| dataflow.cs:46:28:46:32 | "t1a" : String | semmle.label | "t1a" : String |
| dataflow.cs:46:35:46:39 | "t1b" : String | semmle.label | "t1b" : String |
| dataflow.cs:49:18:49:45 | call to method TaintIndirect | semmle.label | call to method TaintIndirect |
| dataflow.cs:49:35:49:38 | "t6" : String | semmle.label | "t6" : String |
| dataflow.cs:49:41:49:44 | "t6" : String | semmle.label | "t6" : String |
| dataflow.cs:74:21:74:34 | call to method NullFunction : null | semmle.label | call to method NullFunction : null |
| dataflow.cs:74:21:74:52 | ... ?? ... | semmle.label | ... ?? ... |
| dataflow.cs:74:39:74:52 | call to method IndirectNull : null | semmle.label | call to method IndirectNull : null |
| dataflow.cs:89:24:89:51 | ... ? ... : ... | semmle.label | ... ? ... : ... |
| dataflow.cs:89:31:89:44 | call to method NullFunction : null | semmle.label | call to method NullFunction : null |
| dataflow.cs:102:30:102:33 | null : null | semmle.label | null : null |
| dataflow.cs:108:20:108:33 | call to method IndirectNull | semmle.label | call to method IndirectNull |
| dataflow.cs:108:20:108:33 | call to method IndirectNull : null | semmle.label | call to method IndirectNull : null |
| dataflow.cs:109:23:109:26 | null : null | semmle.label | null : null |
| dataflow.cs:110:16:110:16 | access to local variable x : null | semmle.label | access to local variable x : null |
#select
| dataflow.cs:18:18:18:26 | "tainted" : String | dataflow.cs:18:18:18:37 | call to method ToString | dataflow.cs:18:18:18:37 | call to method ToString | $@ | dataflow.cs:18:18:18:37 | call to method ToString | call to method ToString |
| dataflow.cs:20:27:20:27 | 2 : Int32 | dataflow.cs:20:18:20:31 | call to method Max | dataflow.cs:20:18:20:31 | call to method Max | $@ | dataflow.cs:20:18:20:31 | call to method Max | call to method Max |
| dataflow.cs:20:30:20:30 | 3 : Int32 | dataflow.cs:20:18:20:31 | call to method Max | dataflow.cs:20:18:20:31 | call to method Max | $@ | dataflow.cs:20:18:20:31 | call to method Max | call to method Max |
| dataflow.cs:21:29:21:31 | 0.5 : Double | dataflow.cs:21:18:21:32 | call to method Round | dataflow.cs:21:18:21:32 | call to method Round | $@ | dataflow.cs:21:18:21:32 | call to method Round | call to method Round |
| dataflow.cs:22:45:22:53 | "tainted" : String | dataflow.cs:22:18:22:54 | call to method GetFullPath | dataflow.cs:22:18:22:54 | call to method GetFullPath | $@ | dataflow.cs:22:18:22:54 | call to method GetFullPath | call to method GetFullPath |
| dataflow.cs:29:44:29:46 | 1 : Double | dataflow.cs:29:18:29:52 | call to method IEEERemainder | dataflow.cs:29:18:29:52 | call to method IEEERemainder | $@ | dataflow.cs:29:18:29:52 | call to method IEEERemainder | call to method IEEERemainder |
| dataflow.cs:29:49:29:51 | 2 : Double | dataflow.cs:29:18:29:52 | call to method IEEERemainder | dataflow.cs:29:18:29:52 | call to method IEEERemainder | $@ | dataflow.cs:29:18:29:52 | call to method IEEERemainder | call to method IEEERemainder |
| dataflow.cs:40:34:40:37 | "d1" : String | dataflow.cs:40:18:40:38 | call to method Taint1 | dataflow.cs:40:18:40:38 | call to method Taint1 | $@ | dataflow.cs:40:18:40:38 | call to method Taint1 | call to method Taint1 |
| dataflow.cs:41:34:41:37 | "d2" : String | dataflow.cs:41:18:41:38 | call to method Taint2 | dataflow.cs:41:18:41:38 | call to method Taint2 | $@ | dataflow.cs:41:18:41:38 | call to method Taint2 | call to method Taint2 |
| dataflow.cs:42:34:42:37 | "d3" : String | dataflow.cs:42:18:42:38 | call to method Taint3 | dataflow.cs:42:18:42:38 | call to method Taint3 | $@ | dataflow.cs:42:18:42:38 | call to method Taint3 | call to method Taint3 |
| dataflow.cs:46:28:46:32 | "t1a" : String | dataflow.cs:46:18:46:40 | call to method Taint1 | dataflow.cs:46:18:46:40 | call to method Taint1 | $@ | dataflow.cs:46:18:46:40 | call to method Taint1 | call to method Taint1 |
| dataflow.cs:46:35:46:39 | "t1b" : String | dataflow.cs:46:18:46:40 | call to method Taint1 | dataflow.cs:46:18:46:40 | call to method Taint1 | $@ | dataflow.cs:46:18:46:40 | call to method Taint1 | call to method Taint1 |
| dataflow.cs:49:35:49:38 | "t6" : String | dataflow.cs:49:18:49:45 | call to method TaintIndirect | dataflow.cs:49:18:49:45 | call to method TaintIndirect | $@ | dataflow.cs:49:18:49:45 | call to method TaintIndirect | call to method TaintIndirect |
| dataflow.cs:49:41:49:44 | "t6" : String | dataflow.cs:49:18:49:45 | call to method TaintIndirect | dataflow.cs:49:18:49:45 | call to method TaintIndirect | $@ | dataflow.cs:49:18:49:45 | call to method TaintIndirect | call to method TaintIndirect |
| dataflow.cs:102:30:102:33 | null : null | dataflow.cs:74:21:74:52 | ... ?? ... | dataflow.cs:74:21:74:52 | ... ?? ... | $@ | dataflow.cs:74:21:74:52 | ... ?? ... | ... ?? ... |
| dataflow.cs:102:30:102:33 | null : null | dataflow.cs:89:24:89:51 | ... ? ... : ... | dataflow.cs:89:24:89:51 | ... ? ... : ... | $@ | dataflow.cs:89:24:89:51 | ... ? ... : ... | ... ? ... : ... |
| dataflow.cs:102:30:102:33 | null : null | dataflow.cs:108:20:108:33 | call to method IndirectNull | dataflow.cs:108:20:108:33 | call to method IndirectNull | $@ | dataflow.cs:108:20:108:33 | call to method IndirectNull | call to method IndirectNull |
| dataflow.cs:109:23:109:26 | null : null | dataflow.cs:74:21:74:52 | ... ?? ... | dataflow.cs:74:21:74:52 | ... ?? ... | $@ | dataflow.cs:74:21:74:52 | ... ?? ... | ... ?? ... |
| dataflow.cs:109:23:109:26 | null : null | dataflow.cs:89:24:89:51 | ... ? ... : ... | dataflow.cs:89:24:89:51 | ... ? ... : ... | $@ | dataflow.cs:89:24:89:51 | ... ? ... : ... | ... ? ... : ... |

13
csharp/ql/test/library-tests/cil/dataflow/DataFlow.ql
View File

@@ -1,5 +1,10 @@
/**
* @kind path-problem
*/
import csharp
import semmle.code.csharp.dataflow.DataFlow::DataFlow
import DataFlow
import DataFlow::PathGraph
class FlowConfig extends Configuration {
FlowConfig() { this = "FlowConfig" }
@@ -11,6 +16,6 @@ class FlowConfig extends Configuration {
}
}
from FlowConfig config, Node source, Node sink
where config.hasFlow(source, sink)
select source, sink
from DataFlow::PathNode source, DataFlow::PathNode sink, FlowConfig config
where config.hasFlowPath(source, sink)
select source, sink, sink, "$@", sink, sink.toString()

119
csharp/ql/test/library-tests/dataflow/types/Types.cs Normal file
View File

@@ -0,0 +1,119 @@
class Types
{
class A
{
public virtual void M() { }
public void CallM() => this.M();
}
class B<T> : A { }
class C : B<int> { }
class D : B<string>
{
public override void M() => Sink(this);
}
static void M1()
{
new C().M(); // no flow
new C().CallM(); // no flow (FALSE POSITIVE)
M2(new C()); // flow
M3(new C()); // no flow (FALSE POSITIVE)
M4(new C()); // flow
M5(new C()); // flow
M6(new C()); // flow
M7(new C()); // flow
M8(new C()); // no flow (FALSE POSITIVE)
M9(new C()); // flow
new D().M(); // flow
new D().CallM(); // flow
M2(new D()); // no flow (FALSE POSITIVE)
M3(new D()); // flow
M4(new D()); // no flow (FALSE POSITIVE)
M5(new D()); // flow
M6(new D()); // flow
M7(new D()); // flow
M8(new D()); // flow
M9(new D()); // no flow (FALSE POSITIVE)
object o = null; // flow
Sink(o);
}
static void M2(A a)
{
if (a is C c)
Sink(c);
}
static void M3(A a)
{
switch (a)
{
case D d:
Sink(d);
break;
}
}
static void M4(A a) => Sink((C)a);
static void M5<T>(T x) => Sink(x);
static void M6<T>(T x) where T : A => Sink(x);
static void M7<T>(T x) where T : class => Sink(x);
static void M8<T>(T x)
{
dynamic d = x;
d.M();
}
static void M9(A a)
{
if (a is B<int> b)
Sink(b);
}
static void Sink<T>(T x) { }
abstract class E<T>
{
E<T> Field;
public abstract void M();
void M2(E<T> e)
{
this.Field = e;
this.M();
}
class E1 : E<C>
{
void M3()
{
this.M2(new E1()); // no flow
}
public override void M() { }
}
class E2 : E<D>
{
void M3()
{
this.M2(new E2()); // flow (FALSE NEGATIVE)
}
public override void M()
{
Sink(this.Field);
}
}
}
}

124
csharp/ql/test/library-tests/dataflow/types/Types.expected Normal file
View File

@@ -0,0 +1,124 @@
edges
| Types.cs:7:21:7:25 | this : C | Types.cs:7:32:7:35 | this access : C |
| Types.cs:7:21:7:25 | this : D | Types.cs:7:32:7:35 | this access : D |
| Types.cs:7:32:7:35 | this access : C | Types.cs:16:30:16:30 | this : C |
| Types.cs:7:32:7:35 | this access : D | Types.cs:16:30:16:30 | this : D |
| Types.cs:16:30:16:30 | this : C | Types.cs:16:42:16:45 | this access |
| Types.cs:16:30:16:30 | this : D | Types.cs:16:42:16:45 | this access |
| Types.cs:22:9:22:15 | object creation of type C : C | Types.cs:7:21:7:25 | this : C |
| Types.cs:23:12:23:18 | object creation of type C : C | Types.cs:47:22:47:22 | a : C |
| Types.cs:24:12:24:18 | object creation of type C : C | Types.cs:53:22:53:22 | a : C |
| Types.cs:25:12:25:18 | object creation of type C : C | Types.cs:63:22:63:22 | a : C |
| Types.cs:26:12:26:18 | object creation of type C : C | Types.cs:65:25:65:25 | x : C |
| Types.cs:27:12:27:18 | object creation of type C : C | Types.cs:67:25:67:25 | x : C |
| Types.cs:28:12:28:18 | object creation of type C : C | Types.cs:69:25:69:25 | x : C |
| Types.cs:29:12:29:18 | object creation of type C : C | Types.cs:71:25:71:25 | x : C |
| Types.cs:30:12:30:18 | object creation of type C : C | Types.cs:77:22:77:22 | a : C |
| Types.cs:32:9:32:15 | object creation of type D : D | Types.cs:16:30:16:30 | this : D |
| Types.cs:33:9:33:15 | object creation of type D : D | Types.cs:7:21:7:25 | this : D |
| Types.cs:34:12:34:18 | object creation of type D : D | Types.cs:47:22:47:22 | a : D |
| Types.cs:35:12:35:18 | object creation of type D : D | Types.cs:53:22:53:22 | a : D |
| Types.cs:36:12:36:18 | object creation of type D : D | Types.cs:63:22:63:22 | a : D |
| Types.cs:37:12:37:18 | object creation of type D : D | Types.cs:65:25:65:25 | x : D |
| Types.cs:38:12:38:18 | object creation of type D : D | Types.cs:67:25:67:25 | x : D |
| Types.cs:39:12:39:18 | object creation of type D : D | Types.cs:69:25:69:25 | x : D |
| Types.cs:40:12:40:18 | object creation of type D : D | Types.cs:71:25:71:25 | x : D |
| Types.cs:41:12:41:18 | object creation of type D : D | Types.cs:77:22:77:22 | a : D |
| Types.cs:43:20:43:23 | null : null | Types.cs:44:14:44:14 | access to local variable o |
| Types.cs:47:22:47:22 | a : C | Types.cs:50:18:50:18 | access to local variable c |
| Types.cs:47:22:47:22 | a : D | Types.cs:50:18:50:18 | access to local variable c |
| Types.cs:53:22:53:22 | a : C | Types.cs:58:22:58:22 | access to local variable d |
| Types.cs:53:22:53:22 | a : D | Types.cs:58:22:58:22 | access to local variable d |
| Types.cs:63:22:63:22 | a : C | Types.cs:63:33:63:36 | (...) ... |
| Types.cs:63:22:63:22 | a : D | Types.cs:63:33:63:36 | (...) ... |
| Types.cs:65:25:65:25 | x : C | Types.cs:65:36:65:36 | access to parameter x |
| Types.cs:65:25:65:25 | x : D | Types.cs:65:36:65:36 | access to parameter x |
| Types.cs:67:25:67:25 | x : C | Types.cs:67:48:67:48 | access to parameter x |
| Types.cs:67:25:67:25 | x : D | Types.cs:67:48:67:48 | access to parameter x |
| Types.cs:69:25:69:25 | x : C | Types.cs:69:52:69:52 | access to parameter x |
| Types.cs:69:25:69:25 | x : D | Types.cs:69:52:69:52 | access to parameter x |
| Types.cs:71:25:71:25 | x : C | Types.cs:73:21:73:21 | (...) ... : C |
| Types.cs:71:25:71:25 | x : D | Types.cs:73:21:73:21 | (...) ... : D |
| Types.cs:73:21:73:21 | (...) ... : C | Types.cs:74:9:74:9 | access to local variable d : C |
| Types.cs:73:21:73:21 | (...) ... : D | Types.cs:74:9:74:9 | access to local variable d : D |
| Types.cs:74:9:74:9 | access to local variable d : C | Types.cs:16:30:16:30 | this : C |
| Types.cs:74:9:74:9 | access to local variable d : D | Types.cs:16:30:16:30 | this : D |
| Types.cs:77:22:77:22 | a : C | Types.cs:80:18:80:18 | access to local variable b |
| Types.cs:77:22:77:22 | a : D | Types.cs:80:18:80:18 | access to local variable b |
nodes
| Types.cs:7:21:7:25 | this : C | semmle.label | this : C |
| Types.cs:7:21:7:25 | this : D | semmle.label | this : D |
| Types.cs:7:32:7:35 | this access : C | semmle.label | this access : C |
| Types.cs:7:32:7:35 | this access : D | semmle.label | this access : D |
| Types.cs:16:30:16:30 | this : C | semmle.label | this : C |
| Types.cs:16:30:16:30 | this : D | semmle.label | this : D |
| Types.cs:16:42:16:45 | this access | semmle.label | this access |
| Types.cs:22:9:22:15 | object creation of type C : C | semmle.label | object creation of type C : C |
| Types.cs:23:12:23:18 | object creation of type C : C | semmle.label | object creation of type C : C |
| Types.cs:24:12:24:18 | object creation of type C : C | semmle.label | object creation of type C : C |
| Types.cs:25:12:25:18 | object creation of type C : C | semmle.label | object creation of type C : C |
| Types.cs:26:12:26:18 | object creation of type C : C | semmle.label | object creation of type C : C |
| Types.cs:27:12:27:18 | object creation of type C : C | semmle.label | object creation of type C : C |
| Types.cs:28:12:28:18 | object creation of type C : C | semmle.label | object creation of type C : C |
| Types.cs:29:12:29:18 | object creation of type C : C | semmle.label | object creation of type C : C |
| Types.cs:30:12:30:18 | object creation of type C : C | semmle.label | object creation of type C : C |
| Types.cs:32:9:32:15 | object creation of type D : D | semmle.label | object creation of type D : D |
| Types.cs:33:9:33:15 | object creation of type D : D | semmle.label | object creation of type D : D |
| Types.cs:34:12:34:18 | object creation of type D : D | semmle.label | object creation of type D : D |
| Types.cs:35:12:35:18 | object creation of type D : D | semmle.label | object creation of type D : D |
| Types.cs:36:12:36:18 | object creation of type D : D | semmle.label | object creation of type D : D |
| Types.cs:37:12:37:18 | object creation of type D : D | semmle.label | object creation of type D : D |
| Types.cs:38:12:38:18 | object creation of type D : D | semmle.label | object creation of type D : D |
| Types.cs:39:12:39:18 | object creation of type D : D | semmle.label | object creation of type D : D |
| Types.cs:40:12:40:18 | object creation of type D : D | semmle.label | object creation of type D : D |
| Types.cs:41:12:41:18 | object creation of type D : D | semmle.label | object creation of type D : D |
| Types.cs:43:20:43:23 | null : null | semmle.label | null : null |
| Types.cs:44:14:44:14 | access to local variable o | semmle.label | access to local variable o |
| Types.cs:47:22:47:22 | a : C | semmle.label | a : C |
| Types.cs:47:22:47:22 | a : D | semmle.label | a : D |
| Types.cs:50:18:50:18 | access to local variable c | semmle.label | access to local variable c |
| Types.cs:53:22:53:22 | a : C | semmle.label | a : C |
| Types.cs:53:22:53:22 | a : D | semmle.label | a : D |
| Types.cs:58:22:58:22 | access to local variable d | semmle.label | access to local variable d |
| Types.cs:63:22:63:22 | a : C | semmle.label | a : C |
| Types.cs:63:22:63:22 | a : D | semmle.label | a : D |
| Types.cs:63:33:63:36 | (...) ... | semmle.label | (...) ... |
| Types.cs:65:25:65:25 | x : C | semmle.label | x : C |
| Types.cs:65:25:65:25 | x : D | semmle.label | x : D |
| Types.cs:65:36:65:36 | access to parameter x | semmle.label | access to parameter x |
| Types.cs:67:25:67:25 | x : C | semmle.label | x : C |
| Types.cs:67:25:67:25 | x : D | semmle.label | x : D |
| Types.cs:67:48:67:48 | access to parameter x | semmle.label | access to parameter x |
| Types.cs:69:25:69:25 | x : C | semmle.label | x : C |
| Types.cs:69:25:69:25 | x : D | semmle.label | x : D |
| Types.cs:69:52:69:52 | access to parameter x | semmle.label | access to parameter x |
| Types.cs:71:25:71:25 | x : C | semmle.label | x : C |
| Types.cs:71:25:71:25 | x : D | semmle.label | x : D |
| Types.cs:73:21:73:21 | (...) ... : C | semmle.label | (...) ... : C |
| Types.cs:73:21:73:21 | (...) ... : D | semmle.label | (...) ... : D |
| Types.cs:74:9:74:9 | access to local variable d : C | semmle.label | access to local variable d : C |
| Types.cs:74:9:74:9 | access to local variable d : D | semmle.label | access to local variable d : D |
| Types.cs:77:22:77:22 | a : C | semmle.label | a : C |
| Types.cs:77:22:77:22 | a : D | semmle.label | a : D |
| Types.cs:80:18:80:18 | access to local variable b | semmle.label | access to local variable b |
#select
| Types.cs:22:9:22:15 | object creation of type C : C | Types.cs:16:42:16:45 | this access | Types.cs:16:42:16:45 | this access | $@ | Types.cs:16:42:16:45 | this access | this access |
| Types.cs:23:12:23:18 | object creation of type C : C | Types.cs:50:18:50:18 | access to local variable c | Types.cs:50:18:50:18 | access to local variable c | $@ | Types.cs:50:18:50:18 | access to local variable c | access to local variable c |
| Types.cs:24:12:24:18 | object creation of type C : C | Types.cs:58:22:58:22 | access to local variable d | Types.cs:58:22:58:22 | access to local variable d | $@ | Types.cs:58:22:58:22 | access to local variable d | access to local variable d |
| Types.cs:25:12:25:18 | object creation of type C : C | Types.cs:63:33:63:36 | (...) ... | Types.cs:63:33:63:36 | (...) ... | $@ | Types.cs:63:33:63:36 | (...) ... | (...) ... |
| Types.cs:26:12:26:18 | object creation of type C : C | Types.cs:65:36:65:36 | access to parameter x | Types.cs:65:36:65:36 | access to parameter x | $@ | Types.cs:65:36:65:36 | access to parameter x | access to parameter x |
| Types.cs:27:12:27:18 | object creation of type C : C | Types.cs:67:48:67:48 | access to parameter x | Types.cs:67:48:67:48 | access to parameter x | $@ | Types.cs:67:48:67:48 | access to parameter x | access to parameter x |
| Types.cs:28:12:28:18 | object creation of type C : C | Types.cs:69:52:69:52 | access to parameter x | Types.cs:69:52:69:52 | access to parameter x | $@ | Types.cs:69:52:69:52 | access to parameter x | access to parameter x |
| Types.cs:29:12:29:18 | object creation of type C : C | Types.cs:16:42:16:45 | this access | Types.cs:16:42:16:45 | this access | $@ | Types.cs:16:42:16:45 | this access | this access |
| Types.cs:30:12:30:18 | object creation of type C : C | Types.cs:80:18:80:18 | access to local variable b | Types.cs:80:18:80:18 | access to local variable b | $@ | Types.cs:80:18:80:18 | access to local variable b | access to local variable b |
| Types.cs:32:9:32:15 | object creation of type D : D | Types.cs:16:42:16:45 | this access | Types.cs:16:42:16:45 | this access | $@ | Types.cs:16:42:16:45 | this access | this access |
| Types.cs:33:9:33:15 | object creation of type D : D | Types.cs:16:42:16:45 | this access | Types.cs:16:42:16:45 | this access | $@ | Types.cs:16:42:16:45 | this access | this access |
| Types.cs:34:12:34:18 | object creation of type D : D | Types.cs:50:18:50:18 | access to local variable c | Types.cs:50:18:50:18 | access to local variable c | $@ | Types.cs:50:18:50:18 | access to local variable c | access to local variable c |
| Types.cs:35:12:35:18 | object creation of type D : D | Types.cs:58:22:58:22 | access to local variable d | Types.cs:58:22:58:22 | access to local variable d | $@ | Types.cs:58:22:58:22 | access to local variable d | access to local variable d |
| Types.cs:36:12:36:18 | object creation of type D : D | Types.cs:63:33:63:36 | (...) ... | Types.cs:63:33:63:36 | (...) ... | $@ | Types.cs:63:33:63:36 | (...) ... | (...) ... |
| Types.cs:37:12:37:18 | object creation of type D : D | Types.cs:65:36:65:36 | access to parameter x | Types.cs:65:36:65:36 | access to parameter x | $@ | Types.cs:65:36:65:36 | access to parameter x | access to parameter x |
| Types.cs:38:12:38:18 | object creation of type D : D | Types.cs:67:48:67:48 | access to parameter x | Types.cs:67:48:67:48 | access to parameter x | $@ | Types.cs:67:48:67:48 | access to parameter x | access to parameter x |
| Types.cs:39:12:39:18 | object creation of type D : D | Types.cs:69:52:69:52 | access to parameter x | Types.cs:69:52:69:52 | access to parameter x | $@ | Types.cs:69:52:69:52 | access to parameter x | access to parameter x |
| Types.cs:40:12:40:18 | object creation of type D : D | Types.cs:16:42:16:45 | this access | Types.cs:16:42:16:45 | this access | $@ | Types.cs:16:42:16:45 | this access | this access |
| Types.cs:41:12:41:18 | object creation of type D : D | Types.cs:80:18:80:18 | access to local variable b | Types.cs:80:18:80:18 | access to local variable b | $@ | Types.cs:80:18:80:18 | access to local variable b | access to local variable b |
| Types.cs:43:20:43:23 | null : null | Types.cs:44:14:44:14 | access to local variable o | Types.cs:44:14:44:14 | access to local variable o | $@ | Types.cs:44:14:44:14 | access to local variable o | access to local variable o |

26
csharp/ql/test/library-tests/dataflow/types/Types.ql Normal file
View File

@@ -0,0 +1,26 @@
/**
* @kind path-problem
*/
import csharp
import DataFlow::PathGraph
class Conf extends DataFlow::Configuration {
Conf() { this = "TypesConf" }
override predicate isSource(DataFlow::Node src) {
src.asExpr() instanceof ObjectCreation or
src.asExpr() instanceof NullLiteral
}
override predicate isSink(DataFlow::Node sink) {
exists(MethodCall mc |
mc.getTarget().hasName("Sink") and
mc.getAnArgument() = sink.asExpr()
)
}
}
from DataFlow::PathNode source, DataFlow::PathNode sink, Conf conf
where conf.hasFlowPath(source, sink)
select source, sink, sink, "$@", sink, sink.toString()