C#: Teach data flow library about CFG splitting

Data flow nodes for expressions do not take CFG splitting into account. Example: ``` if (b) x = tainted; x = x.ToLower(); if (!b) Use(x); ``` Flow is incorrectly reported from `tainted` to `x` in `Use(x)`, because the step from `tainted` to `x.ToLower()` throws away the information that `b = true`. The solution is to remember the splitting in data flow expression nodes, that is, to represent the exact control flow node instead of just the expression. With that we get flow from `tainted` to `[b = true] x.ToLower()`, but not from `tainted` to `[b = false] x.ToLower()`. The data flow API remains unchanged, but in order for analyses to fully benefit from CFG splitting, sanitizers in particular should be CFG-based instead of expression-based: ``` if (b) x = tainted; if (IsInvalid(x)) return; Use(x); ``` If the call to `IsInvalid()` is a sanitizer, then defining an expression node to be a sanitizer using `GuardedExpr` will be too conservative (`x` in `Use(x)` is in fact not guarded). However, `[b = true] x` in `[b = true] Use(x)` is guarded, and to help defining guard-based sanitizers, the class `GuardedDataFlowNode` has been introduced.
2026-05-01 19:55:15 +02:00 · 2019-01-03 15:28:15 +01:00
parent f768abb0e6
commit b2f99dbbc7
27 changed files with 811 additions and 344 deletions
--- a/csharp/ql/test/library-tests/csharp7/LocalTaintFlow.expected
+++ b/csharp/ql/test/library-tests/csharp7/LocalTaintFlow.expected
@@ -185,14 +185,8 @@
 | CSharp7.cs:284:41:284:48 | access to property Key | CSharp7.cs:284:40:284:61 | (..., ...) |
 | CSharp7.cs:284:51:284:54 | access to parameter item | CSharp7.cs:284:51:284:60 | access to property Value |
 | CSharp7.cs:284:51:284:60 | access to property Value | CSharp7.cs:284:40:284:61 | (..., ...) |
-| CSharp7.cs:286:23:286:23 | Int32 a | CSharp7.cs:286:18:286:34 | (..., ...) |
-| CSharp7.cs:286:33:286:33 | String b | CSharp7.cs:286:18:286:34 | (..., ...) |
 | CSharp7.cs:286:39:286:42 | access to local variable list | CSharp7.cs:288:36:288:39 | access to local variable list |
-| CSharp7.cs:288:23:288:23 | Int32 a | CSharp7.cs:288:18:288:31 | (..., ...) |
-| CSharp7.cs:288:30:288:30 | String b | CSharp7.cs:288:18:288:31 | (..., ...) |
 | CSharp7.cs:288:36:288:39 | access to local variable list | CSharp7.cs:290:32:290:35 | access to local variable list |
-| CSharp7.cs:290:23:290:23 | Int32 a | CSharp7.cs:290:18:290:27 | (..., ...) |
-| CSharp7.cs:290:26:290:26 | String b | CSharp7.cs:290:18:290:27 | (..., ...) |
 | CSharp7.cs:298:17:298:19 | SSA def(x) | CSharp7.cs:298:22:298:39 | SSA phi(x) |
 | CSharp7.cs:298:19:298:19 | 0 | CSharp7.cs:298:17:298:19 | SSA def(x) |
 | CSharp7.cs:298:22:298:22 | access to local variable x | CSharp7.cs:298:22:298:25 | ... < ... |
--- a/csharp/ql/test/library-tests/csharp7/TupleAccess.expected
+++ b/csharp/ql/test/library-tests/csharp7/TupleAccess.expected
@@ -40,6 +40,6 @@
 | CSharp7.cs:224:9:224:18 | (..., ...) | write |
 | CSharp7.cs:225:9:225:18 | (..., ...) | write |
 | CSharp7.cs:284:40:284:61 | (..., ...) | read |
-| CSharp7.cs:286:18:286:34 | (..., ...) | read |
-| CSharp7.cs:288:18:288:31 | (..., ...) | read |
-| CSharp7.cs:290:18:290:27 | (..., ...) | read |
+| CSharp7.cs:286:18:286:34 | (..., ...) | write |
+| CSharp7.cs:288:18:288:31 | (..., ...) | write |
+| CSharp7.cs:290:18:290:27 | (..., ...) | write |