C#: Only track taint through conversion operators defined in libraries

Tom Hvitved
2019-11-28 15:21:04 +01:00
parent ce16bc553a
commit af453d081e
6 changed files with 40 additions and 54 deletions


@@ -115,7 +115,7 @@ private class LocalTaintExprStepConfiguration extends ControlFlowReachabilityCon
)
or
e2 = any(OperatorCall oc |
oc.getTarget() instanceof ConversionOperator and
oc.getTarget().(ConversionOperator).fromLibrary() and
e1 = oc.getAnArgument() and
isSuccessor = true
)
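Review bot: The `fromLibrary()` restriction on the `OperatorCall` disjunct removes the local taint step for every conversion operator defined in source, and nothing at this point says why or what covers those operators instead. If the intent is that source-defined operators are analysed through their bodies by the interprocedural flow, a comment would record that, e.g. `// source-defined conversion operators are followed through their bodies; only library ones need a step here`. Analyses that rely on local taint alone will no longer cross a user-defined conversion, so results can be missed there; that deserves a change note. The enclosing predicate starts and ends outside the hunk.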


@@ -10,7 +10,7 @@
| LocalDataFlow.cs:430:23:430:28 | access to local variable sink72 |
| LocalDataFlow.cs:445:15:445:20 | access to local variable sink73 |
| LocalDataFlow.cs:446:15:446:20 | access to local variable sink74 |
| LocalDataFlow.cs:478:15:478:21 | access to parameter tainted |
| LocalDataFlow.cs:472:15:472:21 | access to parameter tainted |
| SSA.cs:9:15:9:22 | access to local variable ssaSink0 |
| SSA.cs:25:15:25:22 | access to local variable ssaSink1 |
| SSA.cs:43:15:43:22 | access to local variable ssaSink2 |


@@ -498,8 +498,6 @@
| LocalDataFlow.cs:373:13:373:33 | SSA def(sink66) | LocalDataFlow.cs:374:15:374:20 | access to local variable sink66 |
| LocalDataFlow.cs:373:22:373:27 | access to local variable sink65 | LocalDataFlow.cs:373:22:373:33 | access to property Value |
| LocalDataFlow.cs:373:22:373:33 | access to property Value | LocalDataFlow.cs:373:13:373:33 | SSA def(sink66) |
| LocalDataFlow.cs:374:15:374:20 | [post] access to local variable sink66 | LocalDataFlow.cs:451:47:451:52 | access to local variable sink66 |
| LocalDataFlow.cs:374:15:374:20 | access to local variable sink66 | LocalDataFlow.cs:451:47:451:52 | access to local variable sink66 |
| LocalDataFlow.cs:377:22:377:30 | SSA def(nonSink17) | LocalDataFlow.cs:378:19:378:27 | access to local variable nonSink17 |
| LocalDataFlow.cs:377:35:377:42 | access to local variable nonSink4 | LocalDataFlow.cs:379:33:379:40 | access to local variable nonSink4 |
| LocalDataFlow.cs:379:21:379:56 | SSA def(nonSink18) | LocalDataFlow.cs:380:15:380:23 | access to local variable nonSink18 |
@@ -579,21 +577,18 @@
| LocalDataFlow.cs:444:22:444:26 | access to local variable sink0 | LocalDataFlow.cs:444:22:444:38 | ... ?? ... |
| LocalDataFlow.cs:444:22:444:38 | ... ?? ... | LocalDataFlow.cs:444:13:444:38 | SSA def(sink74) |
| LocalDataFlow.cs:444:31:444:38 | access to local variable nonSink0 | LocalDataFlow.cs:444:22:444:38 | ... ?? ... |
| LocalDataFlow.cs:446:15:446:20 | [post] access to local variable sink74 | LocalDataFlow.cs:448:32:448:37 | access to local variable sink74 |
| LocalDataFlow.cs:446:15:446:20 | access to local variable sink74 | LocalDataFlow.cs:448:32:448:37 | access to local variable sink74 |
| LocalDataFlow.cs:448:23:448:37 | SSA def(sink75) | LocalDataFlow.cs:449:15:449:20 | access to local variable sink75 |
| LocalDataFlow.cs:448:32:448:37 | call to operator implicit conversion | LocalDataFlow.cs:448:23:448:37 | SSA def(sink75) |
| LocalDataFlow.cs:451:23:451:52 | SSA def(sink76) | LocalDataFlow.cs:452:15:452:20 | access to local variable sink76 |
| LocalDataFlow.cs:451:32:451:52 | call to operator implicit conversion | LocalDataFlow.cs:451:23:451:52 | SSA def(sink76) |
| LocalDataFlow.cs:470:28:470:30 | this | LocalDataFlow.cs:470:41:470:45 | this access |
| LocalDataFlow.cs:470:50:470:52 | this | LocalDataFlow.cs:470:56:470:60 | this access |
| LocalDataFlow.cs:470:50:470:52 | value | LocalDataFlow.cs:470:64:470:68 | access to parameter value |
| LocalDataFlow.cs:476:41:476:47 | tainted | LocalDataFlow.cs:478:15:478:21 | access to parameter tainted |
| LocalDataFlow.cs:481:44:481:53 | nonTainted | LocalDataFlow.cs:483:15:483:24 | access to parameter nonTainted |
| LocalDataFlow.cs:486:44:486:44 | x | LocalDataFlow.cs:489:21:489:21 | access to parameter x |
| LocalDataFlow.cs:486:67:486:68 | os | LocalDataFlow.cs:492:32:492:33 | access to parameter os |
| LocalDataFlow.cs:489:21:489:21 | access to parameter x | LocalDataFlow.cs:489:16:489:21 | ... = ... |
| LocalDataFlow.cs:492:32:492:33 | access to parameter os | LocalDataFlow.cs:492:26:492:33 | ... = ... |
| LocalDataFlow.cs:464:28:464:30 | this | LocalDataFlow.cs:464:41:464:45 | this access |
| LocalDataFlow.cs:464:50:464:52 | this | LocalDataFlow.cs:464:56:464:60 | this access |
| LocalDataFlow.cs:464:50:464:52 | value | LocalDataFlow.cs:464:64:464:68 | access to parameter value |
| LocalDataFlow.cs:470:41:470:47 | tainted | LocalDataFlow.cs:472:15:472:21 | access to parameter tainted |
| LocalDataFlow.cs:475:44:475:53 | nonTainted | LocalDataFlow.cs:477:15:477:24 | access to parameter nonTainted |
| LocalDataFlow.cs:480:44:480:44 | x | LocalDataFlow.cs:483:21:483:21 | access to parameter x |
| LocalDataFlow.cs:480:67:480:68 | os | LocalDataFlow.cs:486:32:486:33 | access to parameter os |
| LocalDataFlow.cs:483:21:483:21 | access to parameter x | LocalDataFlow.cs:483:16:483:21 | ... = ... |
| LocalDataFlow.cs:486:32:486:33 | access to parameter os | LocalDataFlow.cs:486:26:486:33 | ... = ... |
| LocalDataFlow.cs:491:41:491:44 | args | LocalDataFlow.cs:493:29:493:32 | access to parameter args |
| LocalDataFlow.cs:493:29:493:32 | [post] access to parameter args | LocalDataFlow.cs:494:27:494:30 | access to parameter args |
| LocalDataFlow.cs:493:29:493:32 | access to parameter args | LocalDataFlow.cs:494:27:494:30 | access to parameter args |
| SSA.cs:5:17:5:17 | SSA entry def(this.S) | SSA.cs:67:9:67:14 | access to field S |
| SSA.cs:5:17:5:17 | this | SSA.cs:67:9:67:12 | this access |
| SSA.cs:5:26:5:32 | tainted | SSA.cs:8:24:8:30 | access to parameter tainted |


@@ -444,12 +444,6 @@ public class LocalDataFlow
var sink74 = sink0 ?? nonSink0;
Check(sink73);
Check(sink74);
LocalDataFlow sink75 = sink74;
Check(sink75);
LocalDataFlow sink76 = (LocalDataFlow)sink66;
Check(sink76);
}
static void Check<T>(T x) { }
@@ -492,7 +486,11 @@ public class LocalDataFlow
foreach(var o in os2 = os) { }
}
public static implicit operator LocalDataFlow(string s) => null;
public static implicit operator LocalDataFlow(string[] args) => null;
public static explicit operator LocalDataFlow(int x) => null;
public void ConversionFlow(string[] args)
{
Span<object> span = args; // flow (library operator)
LocalDataFlow x = args; // no flow (source code operator)
}
}
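Review bot: The source-code operator exercised by `ConversionFlow` returns `null`, so the `// no flow (source code operator)` case pins only the absence of the call-site step. No case shows that taint is still reported when a source-defined conversion operator's body does pass its operand on. A second operator whose body returns a value derived from its argument, with the converted result passed to `Check`, would cover that path. `span` and `x` are also never passed to `Check`, so as far as this page shows only the step tables record the new behaviour. The class body starts outside the hunk.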


@@ -64,9 +64,7 @@
| LocalDataFlow.cs:430:23:430:28 | access to local variable sink72 |
| LocalDataFlow.cs:445:15:445:20 | access to local variable sink73 |
| LocalDataFlow.cs:446:15:446:20 | access to local variable sink74 |
| LocalDataFlow.cs:449:15:449:20 | access to local variable sink75 |
| LocalDataFlow.cs:452:15:452:20 | access to local variable sink76 |
| LocalDataFlow.cs:478:15:478:21 | access to parameter tainted |
| LocalDataFlow.cs:472:15:472:21 | access to parameter tainted |
| SSA.cs:9:15:9:22 | access to local variable ssaSink0 |
| SSA.cs:25:15:25:22 | access to local variable ssaSink1 |
| SSA.cs:43:15:43:22 | access to local variable ssaSink2 |


@@ -636,8 +636,6 @@
| LocalDataFlow.cs:373:13:373:33 | SSA def(sink66) | LocalDataFlow.cs:374:15:374:20 | access to local variable sink66 |
| LocalDataFlow.cs:373:22:373:27 | access to local variable sink65 | LocalDataFlow.cs:373:22:373:33 | access to property Value |
| LocalDataFlow.cs:373:22:373:33 | access to property Value | LocalDataFlow.cs:373:13:373:33 | SSA def(sink66) |
| LocalDataFlow.cs:374:15:374:20 | [post] access to local variable sink66 | LocalDataFlow.cs:451:47:451:52 | access to local variable sink66 |
| LocalDataFlow.cs:374:15:374:20 | access to local variable sink66 | LocalDataFlow.cs:451:47:451:52 | access to local variable sink66 |
| LocalDataFlow.cs:377:22:377:30 | SSA def(nonSink17) | LocalDataFlow.cs:378:19:378:27 | access to local variable nonSink17 |
| LocalDataFlow.cs:377:35:377:42 | access to local variable nonSink4 | LocalDataFlow.cs:377:22:377:30 | SSA def(nonSink17) |
| LocalDataFlow.cs:377:35:377:42 | access to local variable nonSink4 | LocalDataFlow.cs:379:33:379:40 | access to local variable nonSink4 |
@@ -724,28 +722,25 @@
| LocalDataFlow.cs:444:22:444:26 | access to local variable sink0 | LocalDataFlow.cs:444:22:444:38 | ... ?? ... |
| LocalDataFlow.cs:444:22:444:38 | ... ?? ... | LocalDataFlow.cs:444:13:444:38 | SSA def(sink74) |
| LocalDataFlow.cs:444:31:444:38 | access to local variable nonSink0 | LocalDataFlow.cs:444:22:444:38 | ... ?? ... |
| LocalDataFlow.cs:446:15:446:20 | [post] access to local variable sink74 | LocalDataFlow.cs:448:32:448:37 | access to local variable sink74 |
| LocalDataFlow.cs:446:15:446:20 | access to local variable sink74 | LocalDataFlow.cs:448:32:448:37 | access to local variable sink74 |
| LocalDataFlow.cs:448:23:448:37 | SSA def(sink75) | LocalDataFlow.cs:449:15:449:20 | access to local variable sink75 |
| LocalDataFlow.cs:448:32:448:37 | access to local variable sink74 | LocalDataFlow.cs:448:32:448:37 | call to operator implicit conversion |
| LocalDataFlow.cs:448:32:448:37 | call to operator implicit conversion | LocalDataFlow.cs:448:23:448:37 | SSA def(sink75) |
| LocalDataFlow.cs:451:23:451:52 | SSA def(sink76) | LocalDataFlow.cs:452:15:452:20 | access to local variable sink76 |
| LocalDataFlow.cs:451:32:451:52 | call to operator implicit conversion | LocalDataFlow.cs:451:23:451:52 | SSA def(sink76) |
| LocalDataFlow.cs:451:47:451:52 | access to local variable sink66 | LocalDataFlow.cs:451:32:451:52 | call to operator implicit conversion |
| LocalDataFlow.cs:470:28:470:30 | this | LocalDataFlow.cs:470:41:470:45 | this access |
| LocalDataFlow.cs:470:50:470:52 | this | LocalDataFlow.cs:470:56:470:60 | this access |
| LocalDataFlow.cs:470:50:470:52 | value | LocalDataFlow.cs:470:50:470:52 | value |
| LocalDataFlow.cs:470:50:470:52 | value | LocalDataFlow.cs:470:64:470:68 | access to parameter value |
| LocalDataFlow.cs:476:41:476:47 | tainted | LocalDataFlow.cs:476:41:476:47 | tainted |
| LocalDataFlow.cs:476:41:476:47 | tainted | LocalDataFlow.cs:478:15:478:21 | access to parameter tainted |
| LocalDataFlow.cs:481:44:481:53 | nonTainted | LocalDataFlow.cs:481:44:481:53 | nonTainted |
| LocalDataFlow.cs:481:44:481:53 | nonTainted | LocalDataFlow.cs:483:15:483:24 | access to parameter nonTainted |
| LocalDataFlow.cs:486:44:486:44 | x | LocalDataFlow.cs:486:44:486:44 | x |
| LocalDataFlow.cs:486:44:486:44 | x | LocalDataFlow.cs:489:21:489:21 | access to parameter x |
| LocalDataFlow.cs:486:67:486:68 | os | LocalDataFlow.cs:486:67:486:68 | os |
| LocalDataFlow.cs:486:67:486:68 | os | LocalDataFlow.cs:492:32:492:33 | access to parameter os |
| LocalDataFlow.cs:489:21:489:21 | access to parameter x | LocalDataFlow.cs:489:16:489:21 | ... = ... |
| LocalDataFlow.cs:492:32:492:33 | access to parameter os | LocalDataFlow.cs:492:26:492:33 | ... = ... |
| LocalDataFlow.cs:464:28:464:30 | this | LocalDataFlow.cs:464:41:464:45 | this access |
| LocalDataFlow.cs:464:50:464:52 | this | LocalDataFlow.cs:464:56:464:60 | this access |
| LocalDataFlow.cs:464:50:464:52 | value | LocalDataFlow.cs:464:50:464:52 | value |
| LocalDataFlow.cs:464:50:464:52 | value | LocalDataFlow.cs:464:64:464:68 | access to parameter value |
| LocalDataFlow.cs:470:41:470:47 | tainted | LocalDataFlow.cs:470:41:470:47 | tainted |
| LocalDataFlow.cs:470:41:470:47 | tainted | LocalDataFlow.cs:472:15:472:21 | access to parameter tainted |
| LocalDataFlow.cs:475:44:475:53 | nonTainted | LocalDataFlow.cs:475:44:475:53 | nonTainted |
| LocalDataFlow.cs:475:44:475:53 | nonTainted | LocalDataFlow.cs:477:15:477:24 | access to parameter nonTainted |
| LocalDataFlow.cs:480:44:480:44 | x | LocalDataFlow.cs:480:44:480:44 | x |
| LocalDataFlow.cs:480:44:480:44 | x | LocalDataFlow.cs:483:21:483:21 | access to parameter x |
| LocalDataFlow.cs:480:67:480:68 | os | LocalDataFlow.cs:480:67:480:68 | os |
| LocalDataFlow.cs:480:67:480:68 | os | LocalDataFlow.cs:486:32:486:33 | access to parameter os |
| LocalDataFlow.cs:483:21:483:21 | access to parameter x | LocalDataFlow.cs:483:16:483:21 | ... = ... |
| LocalDataFlow.cs:486:32:486:33 | access to parameter os | LocalDataFlow.cs:486:26:486:33 | ... = ... |
| LocalDataFlow.cs:491:41:491:44 | args | LocalDataFlow.cs:491:41:491:44 | args |
| LocalDataFlow.cs:491:41:491:44 | args | LocalDataFlow.cs:493:29:493:32 | access to parameter args |
| LocalDataFlow.cs:493:29:493:32 | [post] access to parameter args | LocalDataFlow.cs:494:27:494:30 | access to parameter args |
| LocalDataFlow.cs:493:29:493:32 | access to parameter args | LocalDataFlow.cs:493:29:493:32 | call to operator implicit conversion |
| LocalDataFlow.cs:493:29:493:32 | access to parameter args | LocalDataFlow.cs:494:27:494:30 | access to parameter args |
| SSA.cs:5:17:5:17 | SSA entry def(this.S) | SSA.cs:67:9:67:14 | access to field S |
| SSA.cs:5:17:5:17 | this | SSA.cs:67:9:67:12 | this access |
| SSA.cs:5:26:5:32 | tainted | SSA.cs:5:26:5:32 | tainted |