C#: Convert cs/uncontrolled-format-string tests to use test inline expectations.

2025-12-16 16:53:25 +01:00 · 2025-04-10 14:13:45 +02:00
parent 14ede4e0c5
commit c16be43f15
4 changed files with 11 additions and 9 deletions
--- a/Features/CWE-134/ConsoleUncontrolledFormatString.cs
+++ b/Features/CWE-134/ConsoleUncontrolledFormatString.cs
@@ -5,9 +5,9 @@ public class Program
 {
    public static void Main()
    {
-        var format = Console.ReadLine();
+        var format = Console.ReadLine(); // $ Source

        // BAD: Uncontrolled format string.
-        var x = string.Format(format, 1, 2);
+        var x = string.Format(format, 1, 2); // $ Alert
    }
 }
--- a/Features/CWE-134/UncontrolledFormatString.cs
+++ b/Features/CWE-134/UncontrolledFormatString.cs
@@ -6,13 +6,13 @@ public class TaintedPathHandler : IHttpHandler
 {
    public void ProcessRequest(HttpContext ctx)
    {
-        String path = ctx.Request.QueryString["page"];
+        String path = ctx.Request.QueryString["page"]; // $ Source

        // BAD: Uncontrolled format string.
-        String.Format(path, "Do not do this");
+        String.Format(path, "Do not do this"); // $ Alert

        // BAD: Using an IFormatProvider.
-        String.Format((IFormatProvider)null, path, "Do not do this");
+        String.Format((IFormatProvider)null, path, "Do not do this"); // $ Alert

        // GOOD: Not the format string.
        String.Format("Do not do this", path);
@@ -29,6 +29,6 @@ public class TaintedPathHandler : IHttpHandler
    void OnButtonClicked()
    {
        // BAD: Uncontrolled format string.
-        String.Format(box1.Text, "Do not do this");
+        String.Format(box1.Text, "Do not do this"); // $ Alert
    }
 }
--- a/Features/CWE-134/UncontrolledFormatString.qlref
+++ b/Features/CWE-134/UncontrolledFormatString.qlref
@@ -1,2 +1,4 @@
 query: Security Features/CWE-134/UncontrolledFormatString.ql
-postprocess: utils/test/PrettyPrintModels.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql
--- a/Features/CWE-134/UncontrolledFormatStringBad.cs
+++ b/Features/CWE-134/UncontrolledFormatStringBad.cs
@@ -6,9 +6,9 @@ public class HttpHandler : IHttpHandler

    public void ProcessRequest(HttpContext ctx)
    {
-        string format = ctx.Request.QueryString["nameformat"];
+        string format = ctx.Request.QueryString["nameformat"]; // $ Source

        // BAD: Uncontrolled format string.
-        FormattedName = string.Format(format, Surname, Forenames);
+        FormattedName = string.Format(format, Surname, Forenames); // $ Alert
    }
 }