C#: Adopt shared data flow implementation

- General refactoring to fit with the shared data flow implementation.
- Move CFG splitting logic into `ControlFlowReachability.qll`.
- Replace `isAdditionalFlowStepIntoCall()` with `TaintedParameterNode`.
- Redefine `ReturnNode` to be the actual values that are returned, which should
  yield better path information.
- No longer consider overrides in CIL calls.
Tom Hvitved
2019-05-02 13:50:50 +02:00
parent a6fa6dfd74
commit c6a471e4b6
56 changed files with 7874 additions and 4420 deletions


@@ -4,14 +4,15 @@
import csharp
private import semmle.code.csharp.dataflow.DelegateDataFlow
private import semmle.code.csharp.dispatch.Dispatch
private import dotnet
// Internal representation of call contexts
cached
private newtype TCallContext =
TEmptyCallContext() or
TArgCallContext(DotNet::Call c, int i) { exists(c.getArgument(i)) } or
TDynamicAccessorArgCallContext(DynamicAccessorCall dac, int i) { exists(dac.getArgument(i)) } or
TArgNonDelegateCallContext(DispatchCall dc, int i) { exists(dc.getArgument(i)) } or
TArgDelegateCallContext(DelegateCall dc, int i) { exists(dc.getArgument(i)) } or
TDelegateToLibraryCallableArgCallContext(DelegateArgumentToLibraryCallable arg, int i) {
exists(arg.getDelegateType().getParameter(i))
}
@@ -32,6 +33,8 @@ class CallContext extends TCallContext {
/** An empty call context. */
class EmptyCallContext extends CallContext, TEmptyCallContext {
override string toString() { result = "<empty>" }
override Location getLocation() { result instanceof EmptyLocation }
}
/**
@@ -46,40 +49,40 @@ abstract class ArgumentCallContext extends CallContext {
abstract predicate isArgument(DotNet::Expr call, int i);
}
/** An argument of an ordinary call. */
class CallArgumentCallContext extends ArgumentCallContext, TArgCallContext {
DotNet::Call c;
/** An argument of a non-delegate call. */
class NonDelegateCallArgumentCallContext extends ArgumentCallContext, TArgNonDelegateCallContext {
DispatchCall dc;
int arg;
CallArgumentCallContext() { this = TArgCallContext(c, arg) }
NonDelegateCallArgumentCallContext() { this = TArgNonDelegateCallContext(dc, arg) }
override predicate isArgument(DotNet::Expr call, int i) {
call = c and
call = dc.getCall() and
i = arg
}
override string toString() { result = c.getArgument(arg).toString() }
override string toString() { result = dc.getArgument(arg).toString() }
override Location getLocation() { result = c.getArgument(arg).getLocation() }
override Location getLocation() { result = dc.getArgument(arg).getLocation() }
}
/** An argument of a dynamic accessor call. */
class DynamicAccessorArgumentCallContext extends ArgumentCallContext, TDynamicAccessorArgCallContext {
DynamicAccessorCall dac;
/** An argument of a delegate call. */
class DelegateCallArgumentCallContext extends ArgumentCallContext, TArgDelegateCallContext {
DelegateCall dc;
int arg;
DynamicAccessorArgumentCallContext() { this = TDynamicAccessorArgCallContext(dac, arg) }
DelegateCallArgumentCallContext() { this = TArgDelegateCallContext(dc, arg) }
override predicate isArgument(DotNet::Expr call, int i) {
call = dac and
call = dc and
i = arg
}
override string toString() { result = dac.getArgument(arg).toString() }
override string toString() { result = dc.getArgument(arg).toString() }
override Location getLocation() { result = dac.getArgument(arg).getLocation() }
override Location getLocation() { result = dc.getArgument(arg).getLocation() }
}
/**
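Review bot: `CallArgumentCallContext` and `DynamicAccessorArgumentCallContext` are public classes, and this section replaces them with `NonDelegateCallArgumentCallContext` and `DelegateCallArgumentCallContext` without leaving the old names behind, so any custom query that refers to them stops compiling. If those names are part of the supported library surface, a deprecated alias or wrapper kept for one release would make the transition explicit. The new `isArgument` binds `call = dc.getCall()`, so a call that is not modelled as a `DispatchCall` presumably no longer gets an argument context. A sentence in the class QLDoc such as `Only calls that are dispatch calls have such a context.` would record that, once confirmed.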

2195
csharp/ql/src/semmle/code/csharp/dataflow/DataFlow.qll Executable file → Normal file

File diff suppressed because it is too large Load Diff


@@ -5,8 +5,11 @@
*/
import csharp
private import dotnet
private import semmle.code.csharp.dataflow.CallContext
private import semmle.code.csharp.dataflow.DataFlow::DataFlow::Internal
private import semmle.code.csharp.dataflow.internal.DataFlowDispatch
private import semmle.code.csharp.dataflow.internal.DataFlowPrivate
private import semmle.code.csharp.dataflow.internal.DataFlowPublic
private import semmle.code.csharp.dispatch.Dispatch
private import semmle.code.csharp.frameworks.system.linq.Expressions
@@ -147,6 +150,27 @@ library class AddEventSource extends DelegateFlowSink {
Event getEvent() { result = ae.getTarget() }
}
/** A non-delegate call. */
private class NonDelegateCall extends Expr {
private DispatchCall dc;
NonDelegateCall() { this = dc.getCall() }
/**
* Gets a run-time target of this call. A target is always a source
* declaration, and if the callable has both CIL and source code, only
* the source code version is returned.
*/
Callable getARuntimeTarget() { result = getCallableForDataFlow(dc.getADynamicTarget()) }
/** Gets the `i`th argument of this call. */
Expr getArgument(int i) { result = dc.getArgument(i) }
}
private class NormalReturnNode extends Node {
NormalReturnNode() { this.(ReturnNode).getKind() instanceof NormalReturnKind }
}
/**
* Holds if data can flow (inter-procedurally) to delegate `sink` from
* `node`. This predicate searches backwards from `sink` to `node`.
@@ -172,40 +196,38 @@ private predicate flowsFrom(
// Flow through static field or property
exists(DataFlow::Node mid |
flowsFrom(sink, mid, _, _) and
Cached::jumpStepNoConfig(node, mid) and
jumpStep(node, mid) and
isReturned = false and
lastCall instanceof EmptyCallContext
)
or
// Flow into a callable (non-delegate call)
exists(
DataFlow::Internal::ExplicitParameterNode mid, CallContext prevLastCall, Expr call, Parameter p
|
exists(ExplicitParameterNode mid, CallContext prevLastCall, NonDelegateCall call, Parameter p |
flowsFrom(sink, mid, isReturned, prevLastCall) and
isReturned = false and
p = mid.getParameter() and
flowIntoCallableNonDelegateCall(call, node.asExpr(), p) and
flowIntoNonDelegateCall(call, node.asExpr(), p) and
lastCall = getLastCall(prevLastCall, call, p.getPosition())
)
or
// Flow into a callable (delegate call)
exists(
DataFlow::Internal::ExplicitParameterNode mid, CallContext prevLastCall, DelegateCall dc,
Callable c, Parameter p, int i
ExplicitParameterNode mid, CallContext prevLastCall, DelegateCall call, Callable c, Parameter p,
int i
|
flowsFrom(sink, mid, isReturned, prevLastCall) and
isReturned = false and
flowIntoDelegateCall(dc, c, node.asExpr(), i) and
flowIntoDelegateCall(call, c, node.asExpr(), i) and
c.getParameter(i) = p and
p = mid.getParameter() and
lastCall = getLastCall(prevLastCall, dc, i)
lastCall = getLastCall(prevLastCall, call, i)
)
or
// Flow out of a callable (non-delegate call).
exists(DataFlow::Node mid |
exists(DataFlow::ExprNode mid |
flowsFrom(sink, mid, _, lastCall) and
isReturned = true and
flowOutOfCallableNonDelegateCall(_, node, mid)
flowOutOfNonDelegateCall(mid.getExpr(), node)
)
or
// Flow out of a callable (delegate call).
@@ -231,21 +253,34 @@ private CallContext getLastCall(CallContext prevLastCall, Expr call, int i) {
}
pragma[noinline]
private predicate flowIntoDelegateCall(DelegateCall dc, Callable c, Expr e, int i) {
exists(DelegateFlowSource dfs, DelegateCallExpr dce |
// the call context is irrelevant because the delegate call
// itself will be the context
flowsFrom(dce, dfs, _, _) and
e = dc.getArgument(i) and
c = dfs.getCallable() and
dc = dce.getDelegateCall()
private predicate flowIntoNonDelegateCall(NonDelegateCall call, Expr arg, DotNet::Parameter p) {
exists(DotNet::Callable callable, int i |
callable = call.getARuntimeTarget() and
p = callable.getAParameter() and
arg = call.getArgument(i) and
i = p.getPosition()
)
}
pragma[noinline]
private predicate flowOutOfDelegateCall(
DelegateCall dc, DataFlow::Internal::NormalReturnNode ret, CallContext lastCall
) {
private predicate flowIntoDelegateCall(DelegateCall call, Callable c, Expr arg, int i) {
exists(DelegateFlowSource dfs, DelegateCallExpr dce |
// the call context is irrelevant because the delegate call
// itself will be the context
flowsFrom(dce, dfs, _, _) and
arg = call.getArgument(i) and
c = dfs.getCallable() and
call = dce.getDelegateCall()
)
}
pragma[noinline]
private predicate flowOutOfNonDelegateCall(NonDelegateCall call, NormalReturnNode ret) {
call.getARuntimeTarget() = ret.getEnclosingCallable()
}
pragma[noinline]
private predicate flowOutOfDelegateCall(DelegateCall dc, NormalReturnNode ret, CallContext lastCall) {
exists(DelegateFlowSource dfs, DelegateCallExpr dce, Callable c |
flowsFrom(dce, dfs, _, lastCall) and
ret.getEnclosingCallable() = c and
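Review bot: `NormalReturnNode`, `flowIntoNonDelegateCall` and `flowOutOfNonDelegateCall` are added without QLDoc, although the neighbouring `NonDelegateCall` class is documented. `flowOutOfNonDelegateCall` relates a call to every normal return node in every callable returned by `getARuntimeTarget()`, and the backwards search in `flowsFrom` depends on that over-approximation, so it is worth stating: `/** Holds if ret is a normal return node in a run-time target of call. */`. For the class, `/** A return node of kind NormalReturnKind. */` is enough. The body of `flowOutOfDelegateCall` continues past the end of this hunk.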


@@ -1465,18 +1465,23 @@ module Ssa {
/**
* Holds if `call` may change the value of captured variable `v`. The actual
* update occurs in `writer`. That is, `writer` can be reached from `call`
* using zero or more additional calls. One of the intermediate callables
* may be the callable that introduces `v`, in which case `call` is not an
* actual update.
* using zero or more additional calls (as indicated by `additionalCalls`).
* One of the intermediate callables may be the callable that introduces `v`,
* in which case `call` is not an actual update.
*/
pragma[noopt]
private predicate updatesCapturedVariableWriter(
Call call, CapturedWrittenLocalScopeSourceVariable v, PrunedCallable writer
Call call, CapturedWrittenLocalScopeSourceVariable v, PrunedCallable writer,
boolean additionalCalls
) {
exists(PrunedCallable c, CapturedWrittenLocalScopeVariable captured |
updatesCapturedVariablePrefix(call, v, c, captured) and
relevantDefinitionProj(writer, captured) and
(c = writer or callEdgePrunedPlus(c, writer))
(
c = writer and additionalCalls = false
or
callEdgePrunedPlus(c, writer) and additionalCalls = true
)
)
}
@@ -1485,16 +1490,17 @@ module Ssa {
* update occurs in `def`.
*/
private predicate updatesCapturedVariablePossiblyLive(
BasicBlock bb, int i, Call call, LocalScopeSourceVariable v, AssignableDefinition def
BasicBlock bb, int i, Call call, LocalScopeSourceVariable v, AssignableDefinition def,
boolean additionalCalls
) {
updateCandidate(bb, i, v, call) and
exists(Callable writer | relevantDefinition(writer, v.getAssignable(), def) |
updatesCapturedVariableWriter(call, v, writer)
updatesCapturedVariableWriter(call, v, writer, additionalCalls)
)
}
private int firstRefAfter(BasicBlock bb, int i, CapturedWrittenLocalScopeSourceVariable v) {
updatesCapturedVariablePossiblyLive(bb, i, _, v, _) and
updatesCapturedVariablePossiblyLive(bb, i, _, v, _, _) and
result = min(int k | k > i and ref(bb, k, v, _))
}
@@ -1504,10 +1510,12 @@ module Ssa {
*/
cached
predicate updatesCapturedVariable(
Call call, LocalScopeSourceVariable v, AssignableDefinition def
Call call, LocalScopeSourceVariable v, AssignableDefinition def, boolean additionalCalls
) {
forceCachingInSameStage() and
exists(BasicBlock bb, int i | updatesCapturedVariablePossiblyLive(bb, i, call, v, def) |
exists(BasicBlock bb, int i |
updatesCapturedVariablePossiblyLive(bb, i, call, v, def, additionalCalls)
|
not exists(firstRefAfter(bb, i, v)) and
liveAtExit(bb, v, _)
or
@@ -1582,9 +1590,11 @@ module Ssa {
* block `bb` may be read by a callable reachable from the call `c`.
*/
private predicate implicitReadCandidate(
BasicBlock bb, int i, Call c, CapturedReadLocalScopeSourceVariable v
BasicBlock bb, int i, ControlFlow::Nodes::ElementNode c,
CapturedReadLocalScopeSourceVariable v
) {
exists(BasicBlock bb0, int i0 | bb0.getNode(i0) = c.getAControlFlowNode() |
c.getElement() instanceof Call and
exists(BasicBlock bb0, int i0 | bb0.getNode(i0) = c |
// `c` is in basic block `bb`
capturedVariableWrite(bb0, i, v) and
i < i0 and
@@ -1624,7 +1634,7 @@ module Ssa {
*/
private predicate pruneFromLeft(Callable c) {
exists(Call call, CapturedReadLocalScopeSourceVariable v |
implicitReadCandidate(_, _, call, v) and
implicitReadCandidate(_, _, call.getAControlFlowNode(), v) and
c = getARuntimeTarget(call)
)
or
@@ -1659,30 +1669,35 @@ module Ssa {
pragma[noinline]
private predicate readsCapturedVariablePrefix(
Call call, CapturedReadLocalScopeSourceVariable v, PrunedCallable c,
ControlFlow::Node call, CapturedReadLocalScopeSourceVariable v, PrunedCallable c,
CapturedReadLocalScopeVariable captured
) {
implicitReadCandidate(_, _, call, v) and
captured = v.getAssignable() and
capturerReads(_, captured) and
c = getARuntimeTarget(call)
c = getARuntimeTarget(call.getElement())
}
/**
* Holds if `call` may read the value of captured variable `v`. The actual
* read occurs in `reader`. That is, `reader` can be reached from `call`
* using zero or more additional calls. One of the intermediate callables
* may be a callable that writes to `v`, in which case `call` is not an
* actual read.
* using zero or more additional calls (as indicated by `additionalCalls`).
* One of the intermediate callables may be a callable that writes to `v`,
* in which case `call` is not an actual read.
*/
pragma[noopt]
private predicate readsCapturedVariable(
Call call, CapturedReadLocalScopeSourceVariable v, Callable reader
ControlFlow::Nodes::ElementNode call, CapturedReadLocalScopeSourceVariable v, Callable reader,
boolean additionalCalls
) {
exists(PrunedCallable c, CapturedReadLocalScopeVariable captured |
readsCapturedVariablePrefix(call, v, c, captured) and
capturerReads(reader, captured) and
(c = reader or callEdgePrunedPlus(c, reader))
(
c = reader and additionalCalls = false
or
callEdgePrunedPlus(c, reader) and additionalCalls = true
)
)
}
@@ -1691,8 +1706,8 @@ module Ssa {
* write at index `i` inside basic block `bb`.
*
* The write is live because of the implicit call definition `def`, which reaches
* the write using zero or more additional calls. That is, data can flow from the
* write at index `i` out to the call `def`.
* the write using zero or more additional calls (as indicated by `additionalCalls`).
* That is, data can flow from the write at index `i` out to the call `def`.
*
* Example:
*
@@ -1711,11 +1726,16 @@ module Ssa {
* definition on line 5.
*/
predicate liveAfterWriteCapturedOut(
BasicBlock bb, int i, LocalScopeSourceVariable v, ImplicitCallDefinition def
BasicBlock bb, int i, LocalScopeSourceVariable v, ImplicitCallDefinition def,
boolean additionalCalls
) {
exists(LocalScopeVariable lsv | def.getSourceVariable().getAssignable() = lsv |
exists(LocalScopeVariable lsv, AssignableDefinition adef |
def.getSourceVariable().getAssignable() = lsv
|
lsv = v.getAssignable() and
bb.getNode(i) = def.getAPossibleDefinition().getAControlFlowNode()
adef = def.getAPossibleDefinition() and
bb.getNode(i) = adef.getAControlFlowNode() and
updatesCapturedVariable(def.getCall(), _, adef, additionalCalls)
)
}
@@ -1724,8 +1744,9 @@ module Ssa {
* write at index `i` inside basic block `bb`.
*
* The write is live because of the implicit entry definition `def`, which can be
* reached using one or more calls, starting from call `c`. That is, data can flow from
* the write at index `i` into the the callable containing `def`.
* reached using one or more calls (as indicated by `additionalCalls`), starting
* from call `c`. That is, data can flow from the write at index `i` into the the
* callable containing `def`.
*
* Example:
*
@@ -1744,11 +1765,12 @@ module Ssa {
* reaches the entry definition for `i` in `M2` on line 4.
*/
predicate liveAfterWriteCapturedIn(
BasicBlock bb, int i, LocalScopeSourceVariable v, ImplicitEntryDefinition def, Call c
BasicBlock bb, int i, LocalScopeSourceVariable v, ImplicitEntryDefinition def,
ControlFlow::Nodes::ElementNode c, boolean additionalCalls
) {
exists(Callable reader |
implicitReadCandidate(bb, i, c, v) and
readsCapturedVariable(c, v, reader) and
readsCapturedVariable(c, v, reader, additionalCalls) and
def.getCallable() = reader and
def.getSourceVariable().getAssignable() = v.getAssignable()
)
@@ -1759,8 +1781,8 @@ module Ssa {
* write at index `i` inside basic block `bb`.
*/
predicate liveAfterWriteCaptured(BasicBlock bb, int i, LocalScopeSourceVariable v) {
liveAfterWriteCapturedOut(bb, i, v, _) or
liveAfterWriteCapturedIn(bb, i, v, _, _)
liveAfterWriteCapturedOut(bb, i, v, _, _) or
liveAfterWriteCapturedIn(bb, i, v, _, _, _)
}
}
private import CapturedVariableLivenessImpl
@@ -1837,7 +1859,7 @@ module Ssa {
updatesNamedFieldOrProp(c, v, _)
or
// Liveness of `v` after `c` is guaranteed by `updatesCapturedVariable`
updatesCapturedVariable(c, v, _)
updatesCapturedVariable(c, v, _, _)
)
} or
TSsaImplicitQualifierDef(TrackedVar v, Definition qdef) {
@@ -1892,10 +1914,11 @@ module Ssa {
cached
predicate isCapturedVariableDefinitionFlowIn(
ExplicitDefinition def, ImplicitEntryDefinition edef, Call c
ExplicitDefinition def, ImplicitEntryDefinition edef, ControlFlow::Nodes::ElementNode c,
boolean additionalCalls
) {
exists(BasicBlock bb, int i, LocalScopeSourceVariable v | definesAt(def, bb, i, v) |
liveAfterWriteCapturedIn(bb, i, v, edef, c)
liveAfterWriteCapturedIn(bb, i, v, edef, c, additionalCalls)
)
}
@@ -1912,10 +1935,10 @@ module Ssa {
cached
predicate isCapturedVariableDefinitionFlowOut(
ExplicitDefinition def, ImplicitCallDefinition cdef
ExplicitDefinition def, ImplicitCallDefinition cdef, boolean additionalCalls
) {
exists(BasicBlock bb, int i, LocalScopeSourceVariable v | definesAt(def, bb, i, v) |
liveAfterWriteCapturedOut(bb, i, v, cdef) and
liveAfterWriteCapturedOut(bb, i, v, cdef, additionalCalls) and
isLiveCapturedVariableDefinition(def)
)
}
@@ -2210,14 +2233,24 @@ module Ssa {
/** Gets the basic block to which this SSA definition belongs. */
BasicBlock getBasicBlock() { this.definesAt(result, _) }
/**
* Gets the control flow node of this SSA definition, if any. Phi nodes are examples
* of SSA definitions without a control flow node, as they are modelled at index
* `-1` in the relevant basic block.
*/
ControlFlow::Node getControlFlowNode() {
exists(BasicBlock bb, int i | this.definesAt(bb, i) | result = bb.getNode(i))
}
/**
* Gets the syntax element associated with this SSA definition, if any.
* This is either an expression, for example `x = 0`, a parameter, or a
* callable. Pseudo nodes have no associated syntax element.
*/
Element getElement() {
exists(BasicBlock bb, int i | this.definesAt(bb, i) | result = bb.getNode(i).getElement())
}
Element getElement() { result = this.getControlFlowNode().getElement() }
/** Gets the callable to which this SSA definition belongs. */
Callable getEnclosingCallable() { result = this.getSourceVariable().getEnclosingCallable() }
/**
* Holds if this SSA definition assigns to `out`/`ref` parameter `p`, and the
@@ -2258,8 +2291,8 @@ module Ssa {
/**
* Holds if this definition updates a captured local scope variable, and the updated
* value may be read from the implicit entry definition `def` using one or more calls,
* starting from call `c`.
* value may be read from the implicit entry definition `def` using one or more calls
* (as indicated by `additionalCalls`), starting from call `c`.
*
* Example:
*
@@ -2277,13 +2310,16 @@ module Ssa {
* If this definition is the update of `i` on line 5, then the value may be read inside
* `M2` via the the call on line 6.
*/
predicate isCapturedVariableDefinitionFlowIn(ImplicitEntryDefinition def, Call c) {
isCapturedVariableDefinitionFlowIn(this, def, c)
predicate isCapturedVariableDefinitionFlowIn(
ImplicitEntryDefinition def, ControlFlow::Nodes::ElementNode c, boolean additionalCalls
) {
isCapturedVariableDefinitionFlowIn(this, def, c, additionalCalls)
}
/**
* Holds if this definition updates a captured local scope variable, and the updated
* value may be read from the implicit call definition `cdef` using one or more calls.
* value may be read from the implicit call definition `cdef` using one or more calls
* (as indicated by `additionalCalls`).
*
* Example:
*
@@ -2301,8 +2337,10 @@ module Ssa {
* If this definition is the update of `i` on line 4, then the value may be read outside
* of `M2` via the the call on line 5.
*/
predicate isCapturedVariableDefinitionFlowOut(ImplicitCallDefinition cdef) {
isCapturedVariableDefinitionFlowOut(this, cdef)
predicate isCapturedVariableDefinitionFlowOut(
ImplicitCallDefinition cdef, boolean additionalCalls
) {
isCapturedVariableDefinitionFlowOut(this, cdef, additionalCalls)
}
override Element getElement() { result = ad.getElement() }
@@ -2377,7 +2415,7 @@ module Ssa {
result.getTarget() = this.getSourceVariable().getAssignable()
)
or
updatesCapturedVariable(getCall(), _, result) and
updatesCapturedVariable(getCall(), _, result, _) and
result.getTarget() = this.getSourceVariable().getAssignable()
}


@@ -6,6 +6,9 @@
import csharp
module TaintTracking {
private import semmle.code.csharp.dataflow.internal.DataFlowImplCommon
private import semmle.code.csharp.dataflow.internal.DataFlowPrivate
private import semmle.code.csharp.dataflow.internal.ControlFlowReachability
private import semmle.code.csharp.dataflow.LibraryTypeDataFlow
private import semmle.code.csharp.dispatch.Dispatch
private import semmle.code.csharp.commons.ComparisonTest
@@ -87,12 +90,6 @@ module TaintTracking {
succ = pred.(DataFlow::NonLocalJumpNode).getAJumpSuccessor(false)
}
final override predicate isAdditionalFlowStepIntoCall(
DataFlow::Node call, DataFlow::Node arg, DotNet::Parameter p, CallContext::CallContext cc
) {
DataFlow::Internal::flowIntoCallableLibraryCall(_, arg, call, p, false, cc)
}
/**
* Holds if taint may flow from `source` to `sink` for this configuration.
*/
@@ -116,97 +113,96 @@ module TaintTracking {
/** Gets the qualifier of element access `ea`. */
private Expr getElementAccessQualifier(ElementAccess ea) { result = ea.getQualifier() }
private class LocalTaintExprStepConfiguration extends DataFlow::Internal::ExprStepConfiguration {
private class LocalTaintExprStepConfiguration extends ControlFlowReachabilityConfiguration {
LocalTaintExprStepConfiguration() { this = "LocalTaintExprStepConfiguration" }
override predicate stepsToExpr(
Expr exprFrom, Expr exprTo, ControlFlowElement scope, boolean exactScope,
boolean isSuccessor
override predicate candidate(
Expr e1, Expr e2, ControlFlowElement scope, boolean exactScope, boolean isSuccessor
) {
exactScope = false and
(
// Taint propagation using library code
DataFlow::Internal::LocalFlow::libraryFlow(exprFrom, exprTo, scope, isSuccessor, false)
LocalFlow::libraryFlow(e1, e2, scope, isSuccessor, false)
or
// Taint from assigned value to element qualifier (`x[i] = 0`)
exists(AssignExpr ae |
exprFrom = ae.getRValue() and
exprTo.(AssignableRead) = getElementAccessQualifier+(ae.getLValue()) and
e1 = ae.getRValue() and
e2.(AssignableRead) = getElementAccessQualifier+(ae.getLValue()) and
scope = ae and
isSuccessor = false
)
or
// Taint from array initializer
exprFrom = exprTo.(ArrayCreation).getInitializer().getAnElement() and
scope = exprTo and
e1 = e2.(ArrayCreation).getInitializer().getAnElement() and
scope = e2 and
isSuccessor = false
or
// Taint from object initializer
exists(ElementInitializer ei |
ei = exprTo
ei = e2
.(ObjectCreation)
.getInitializer()
.(CollectionInitializer)
.getAnElementInitializer() and
exprFrom = ei.getArgument(ei.getNumberOfArguments() - 1) and // assume the last argument is the value (i.e., not a key)
scope = exprTo and
e1 = ei.getArgument(ei.getNumberOfArguments() - 1) and // assume the last argument is the value (i.e., not a key)
scope = e2 and
isSuccessor = false
)
or
// Taint from element qualifier
exprFrom = exprTo.(ElementAccess).getQualifier() and
scope = exprTo and
e1 = e2.(ElementAccess).getQualifier() and
scope = e2 and
isSuccessor = true
or
exprFrom = exprTo.(AddExpr).getAnOperand() and
scope = exprTo and
e1 = e2.(AddExpr).getAnOperand() and
scope = e2 and
isSuccessor = true
or
// A comparison expression where taint can flow from one of the
// operands if the other operand is a constant value.
exists(ComparisonTest ct, Expr other |
ct.getExpr() = exprTo and
exprFrom = ct.getAnArgument() and
ct.getExpr() = e2 and
e1 = ct.getAnArgument() and
other = ct.getAnArgument() and
other.stripCasts().hasValue() and
exprFrom != other and
scope = exprTo and
e1 != other and
scope = e2 and
isSuccessor = true
)
or
exprFrom = exprTo.(LogicalOperation).getAnOperand() and
scope = exprTo and
e1 = e2.(LogicalOperation).getAnOperand() and
scope = e2 and
isSuccessor = false
or
// Taint from tuple argument
exprTo = any(TupleExpr te |
exprFrom = te.getAnArgument() and
e2 = any(TupleExpr te |
e1 = te.getAnArgument() and
te.isReadAccess() and
scope = exprTo and
scope = e2 and
isSuccessor = true
)
or
exprFrom = exprTo.(InterpolatedStringExpr).getAChild() and
scope = exprTo and
e1 = e2.(InterpolatedStringExpr).getAChild() and
scope = e2 and
isSuccessor = true
or
// Taint from tuple expression
exprTo = any(MemberAccess ma |
e2 = any(MemberAccess ma |
ma.getQualifier().getType() instanceof TupleType and
exprFrom = ma.getQualifier() and
scope = exprTo and
e1 = ma.getQualifier() and
scope = e2 and
isSuccessor = true
)
)
}
override predicate stepsToDefinition(
Expr exprFrom, AssignableDefinition defTo, ControlFlowElement scope, boolean exactScope,
override predicate candidateDef(
Expr e, AssignableDefinition defTo, ControlFlowElement scope, boolean exactScope,
boolean isSuccessor
) {
// Taint from `foreach` expression
exists(ForeachStmt fs |
exprFrom = fs.getIterableExpr() and
e = fs.getIterableExpr() and
defTo.(AssignableDefinitions::LocalVariableDefinition).getDeclaration() = fs
.getVariableDeclExpr() and
isSuccessor = true
@@ -226,14 +222,17 @@ module TaintTracking {
cached
module Cached {
cached
predicate forceCachingInSameStage() { any() }
predicate forceCachingInSameStage() { DataFlowPrivateCached::forceCachingInSameStage() }
cached
predicate localAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
DataFlow::Internal::Cached::forceCachingInSameStage() and
any(LocalTaintExprStepConfiguration x).hasStep(nodeFrom, nodeTo)
any(LocalTaintExprStepConfiguration x).hasNodePath(nodeFrom, nodeTo)
or
DataFlow::Internal::flowOutOfDelegateLibraryCall(nodeFrom, nodeTo, false)
nodeTo = nodeFrom.(TaintedParameterNode).getUnderlyingNode()
or
nodeFrom = nodeTo.(TaintedReturnNode).getUnderlyingNode()
or
flowOutOfDelegateLibraryCall(nodeFrom, nodeTo, false)
or
localTaintStepCil(nodeFrom, nodeTo)
or
@@ -247,11 +246,7 @@ module TaintTracking {
access.(PropertyRead).getQualifier() = nodeFrom.asExpr()
)
or
DataFlow::Internal::flowThroughCallableLibraryOutRef(_, nodeFrom, nodeTo, false)
or
exists(Callable c | c.canYieldReturn(nodeFrom.asExpr()) |
c = nodeTo.(DataFlow::Internal::YieldReturnNode).getEnclosingCallable()
)
flowThroughLibraryCallableOutRef(_, nodeFrom, nodeTo, false)
}
}
import Cached
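Review bot: `localAdditionalTaintStep` loses the `canYieldReturn` / `YieldReturnNode` disjunct, and the `isAdditionalFlowStepIntoCall` override is removed. They are replaced by steps through `TaintedParameterNode` and `TaintedReturnNode`, whose definitions are not on this page. If `TaintedReturnNode` does not cover values produced by `yield return`, taint queries would silently lose results through iterator methods. I would check that an existing test exercises that path and then record the coverage next to the new disjunct, e.g. `// covers yield-return values, previously modelled via YieldReturnNode`. The enclosing `TaintTracking` module continues outside these hunks.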


@@ -0,0 +1,196 @@
import csharp
private import DataFlowPrivate
private import DataFlowPublic
private ControlFlowElement getAScope(boolean exactScope) {
exists(ControlFlowReachabilityConfiguration c |
c.candidate(_, _, result, exactScope, _) or
c.candidateDef(_, _, result, exactScope, _)
)
}
private ControlFlowElement getANonExactScopeChild(ControlFlowElement scope) {
scope = getAScope(false) and
result = scope
or
result = getANonExactScopeChild(scope).getAChild()
}
pragma[noinline]
private ControlFlow::BasicBlock getABasicBlockInScope(ControlFlowElement scope, boolean exactScope) {
result.getANode().getElement() = getANonExactScopeChild(scope) and
exactScope = false
or
scope = getAScope(true) and
result.getANode().getElement() = scope and
exactScope = true
}
/**
* A helper class for determining control-flow reachability for pairs of
* elements.
*
* This is useful when defining for example expression-based data-flow steps in
* the presence of control-flow splitting, where a data-flow step should make
* sure to stay in the same split.
*
* For example, in
*
* ```
* if (b)
* ....
* var x = "foo";
* if (b)
* ....
* ```
*
* there should only be steps from `[b = true] "foo"` to `[b = true] SSA def(x)`
* and `[b = false] "foo"` to `[b = false] SSA def(x)`, and for example not from
* `[b = true] "foo"` to `[b = false] SSA def(x)`
*/
abstract class ControlFlowReachabilityConfiguration extends string {
bindingset[this]
ControlFlowReachabilityConfiguration() { any() }
/**
* Holds if `e1` and `e2` are expressions for which we want to find a
* control-flow path that follows control flow successors (resp.
* predecessors, as specified by `isSuccesor`) inside the syntactic scope
* `scope`. The Boolean `exactScope` indicates whether a transitive child
* of `scope` is allowed (`exactScope = false`).
*/
predicate candidate(
Expr e1, Expr e2, ControlFlowElement scope, boolean exactScope, boolean isSuccessor
) {
none()
}
/**
* Holds if `e` and `def` are elements for which we want to find a
* control-flow path that follows control flow successors (resp.
* predecessors, as specified by `isSuccesor`) inside the syntactic scope
* `scope`. The Boolean `exactScope` indicates whether a transitive child
* of `scope` is allowed (`exactScope = false`).
*/
predicate candidateDef(
Expr e, AssignableDefinition def, ControlFlowElement scope, boolean exactScope,
boolean isSuccessor
) {
none()
}
pragma[nomagic]
private predicate reachesBasicBlockExprRec(
Expr e1, Expr e2, ControlFlowElement scope, boolean exactScope, boolean isSuccessor,
ControlFlow::Nodes::ElementNode cfn1, ControlFlow::BasicBlock bb
) {
exists(ControlFlow::BasicBlock mid |
this.reachesBasicBlockExpr(e1, e2, scope, exactScope, isSuccessor, cfn1, mid)
|
isSuccessor = true and
bb = mid.getASuccessor()
or
isSuccessor = false and
bb = mid.getAPredecessor()
)
}
pragma[nomagic]
private predicate reachesBasicBlockExpr(
Expr e1, Expr e2, ControlFlowElement scope, boolean exactScope, boolean isSuccessor,
ControlFlow::Nodes::ElementNode cfn1, ControlFlow::BasicBlock bb
) {
this.candidate(e1, e2, scope, exactScope, isSuccessor) and
cfn1 = e1.getAControlFlowNode() and
bb = cfn1.getBasicBlock()
or
this.candidate(e1, e2, scope, exactScope, isSuccessor) and
exists(ControlFlowElement scope0, boolean exactScope0 |
this.reachesBasicBlockExprRec(e1, e2, scope0, exactScope0, isSuccessor, cfn1, bb)
|
bb = getABasicBlockInScope(scope0, exactScope0)
)
}
pragma[nomagic]
private predicate reachesBasicBlockDefinitionRec(
Expr e, AssignableDefinition def, ControlFlowElement scope, boolean exactScope,
boolean isSuccessor, ControlFlow::Nodes::ElementNode cfn, ControlFlow::BasicBlock bb
) {
exists(ControlFlow::BasicBlock mid |
this.reachesBasicBlockDefinition(e, def, scope, exactScope, isSuccessor, cfn, mid)
|
isSuccessor = true and
bb = mid.getASuccessor()
or
isSuccessor = false and
bb = mid.getAPredecessor()
)
}
pragma[nomagic]
private predicate reachesBasicBlockDefinition(
Expr e, AssignableDefinition def, ControlFlowElement scope, boolean exactScope,
boolean isSuccessor, ControlFlow::Nodes::ElementNode cfn, ControlFlow::BasicBlock bb
) {
this.candidateDef(e, def, scope, exactScope, isSuccessor) and
cfn = e.getAControlFlowNode() and
bb = cfn.getBasicBlock()
or
this.candidateDef(e, def, scope, exactScope, isSuccessor) and
exists(ControlFlowElement scope0, boolean exactScope0 |
this.reachesBasicBlockDefinitionRec(e, def, scope0, exactScope0, isSuccessor, cfn, bb)
|
bb = getABasicBlockInScope(scope0, exactScope0)
)
}
/**
* Holds if there is a control-flow path from `cfn1` to `cfn2`, where `cfn1` is a
* control-flow node for `e1` and `cfn2` is a control-flow node for `e2`.
*/
predicate hasExprPath(Expr e1, ControlFlow::Node cfn1, Expr e2, ControlFlow::Node cfn2) {
exists(ControlFlow::BasicBlock bb | this.reachesBasicBlockExpr(e1, e2, _, _, _, cfn1, bb) |
cfn2 = bb.getANode() and
cfn2 = e2.getAControlFlowNode()
)
}
/**
* Holds if there is a control-flow path from `cfn` to `cfnDef`, where `cfn` is a
* control-flow node for `e` and `cfnDef` is a control-flow node for `def`.
*/
predicate hasDefPath(
Expr e, ControlFlow::Node cfn, AssignableDefinition def, ControlFlow::Node cfnDef
) {
exists(ControlFlow::BasicBlock bb | this.reachesBasicBlockDefinition(e, def, _, _, _, cfn, bb) |
def.getAControlFlowNode() = cfnDef and
cfnDef = bb.getANode()
)
}
/**
* Holds if there is a control-flow path from `n1` to `n2`. `n2` is either an
* expression node or an SSA definition node.
*/
predicate hasNodePath(ExprNode n1, Node n2) {
exists(Expr e1, ControlFlow::Node cfn1, Expr e2, ControlFlow::Node cfn2 |
this.hasExprPath(e1, cfn1, e2, cfn2)
|
cfn1 = n1.getControlFlowNode() and
cfn2 = n2.(ExprNode).getControlFlowNode()
)
or
exists(
Expr e, ControlFlow::Node cfn, AssignableDefinition def, ControlFlow::Node cfnDef,
Ssa::ExplicitDefinition ssaDef
|
this.hasDefPath(e, cfn, def, cfnDef)
|
cfn = n1.getControlFlowNode() and
ssaDef.getADefinition() = def and
ssaDef.getControlFlowNode() = cfnDef and
n2.(SsaDefinitionNode).getDefinition() = ssaDef
)
}
}
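Review bot: The QLDoc on `candidate` and `candidateDef` refers to `isSuccesor`, but the parameter is spelled `isSuccessor`, so the reference matches nothing a reader can search for; both comments should say `isSuccessor`. The same comments explain `exactScope = false` but not `true`. From `getABasicBlockInScope`, `true` restricts the path to basic blocks that contain a node for `scope` itself, which deserves one sentence. `reachesBasicBlockExpr` and `reachesBasicBlockDefinition` have no doc comment at all; a line such as `/** Holds if bb is reachable from cfn1, a node for e1, while staying inside a candidate scope. */` would make the recursion easier to audit.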


@@ -0,0 +1,460 @@
private import csharp
private import cil
private import dotnet
private import DataFlowPrivate
private import semmle.code.csharp.dispatch.Dispatch
private import semmle.code.csharp.dataflow.DelegateDataFlow
private import semmle.code.csharp.frameworks.system.Collections
private import semmle.code.csharp.frameworks.system.collections.Generic
/**
* Gets a source declaration of callable `c` that has a body.
* If the callable has both CIL and source code, return only the source
* code version.
*/
DotNet::Callable getCallableForDataFlow(DotNet::Callable c) {
result.hasBody() and
exists(DotNet::Callable sourceDecl | sourceDecl = c.getSourceDeclaration() |
if sourceDecl.getFile().fromSource()
then
// C# callable with C# implementation in the database
result = sourceDecl
else
if sourceDecl instanceof CIL::Callable
then
// CIL callable with C# implementation in the database
sourceDecl.matchesHandle(result.(Callable))
or
// CIL callable without C# implementation in the database
not sourceDecl.matchesHandle(any(Callable k | k.hasBody())) and
result = sourceDecl
else
// C# callable without C# implementation in the database
sourceDecl.matchesHandle(result.(CIL::Callable))
)
}
/**
* Holds if callable `c` can return `e` as an `out`/`ref` value for parameter `p`.
*/
private predicate callableReturnsOutOrRef(Callable c, Parameter p, Expr e) {
exists(Ssa::ExplicitDefinition def |
def.getADefinition().getSource() = e and
def.isLiveOutRefParameterDefinition(p) and
p = c.getAParameter()
)
}
/**
* Holds if `cfn` corresponds to a call that can reach callable `c` using
* additional calls, and `c` is a callable that either reads or writes to
* a captured variable.
*/
private predicate transitiveCapturedCallTarget(ControlFlow::Nodes::ElementNode cfn, Callable c) {
exists(Ssa::ExplicitDefinition def |
exists(Ssa::ImplicitEntryDefinition edef |
def.isCapturedVariableDefinitionFlowIn(edef, cfn, true)
|
c = edef.getCallable()
)
or
exists(Ssa::ImplicitCallDefinition cdef | def.isCapturedVariableDefinitionFlowOut(cdef, true) |
cfn = cdef.getControlFlowNode() and
c = def.getEnclosingCallable()
)
)
}
cached
private module Cached {
private import CallContext
cached
module DataFlowDispatchCached {
cached
predicate forceCachingInSameStage() { DataFlowPrivateCached::forceCachingInSameStage() }
}
cached
newtype TReturnKind =
TNormalReturnKind() or
TYieldReturnKind() or
TOutReturnKind(int i) {
exists(Parameter p | callableReturnsOutOrRef(_, p, _) and p.isOut() | i = p.getPosition())
} or
TRefReturnKind(int i) {
exists(Parameter p | callableReturnsOutOrRef(_, p, _) and p.isRef() | i = p.getPosition())
} or
TImplicitCapturedReturnKind(LocalScopeVariable v) {
exists(Ssa::ExplicitDefinition def | def.isCapturedVariableDefinitionFlowOut(_, _) |
v = def.getSourceVariable().getAssignable()
)
}
cached
newtype TDataFlowCall =
TNonDelegateCall(ControlFlow::Nodes::ElementNode cfn, DispatchCall dc) {
cfn.getElement() = dc.getCall()
} or
TExplicitDelegateCall(ControlFlow::Nodes::ElementNode cfn, DelegateCall dc) {
cfn.getElement() = dc
} or
TImplicitDelegateCall(ControlFlow::Nodes::ElementNode cfn, DelegateArgumentToLibraryCallable arg) {
cfn.getElement() = arg
} or
TTransitiveCapturedCall(ControlFlow::Nodes::ElementNode cfn) {
transitiveCapturedCallTarget(cfn, _)
} or
TCilCall(CIL::Call call) {
// No need to include calls that are compiled from source
not call.getImplementation().getMethod().compiledFromSource()
}
/** Gets a viable run-time target for the call `call`. */
cached
DotNet::Callable viableImpl(DataFlowCall call) { result = call.getARuntimeTarget() }
/**
* Gets a viable run-time target for the delegate call `call`, requiring
* call context `cc`.
*/
private DotNet::Callable viableDelegateCallable(DataFlowCall call, CallContext cc) {
result = call.(DelegateDataFlowCall).getARuntimeTarget(cc)
}
/**
* Holds if the call context `ctx` reduces the set of viable run-time
* targets of call `call` in `c`.
*/
cached
predicate reducedViableImplInCallContext(DataFlowCall call, DotNet::Callable c, DataFlowCall ctx) {
c = viableImpl(ctx) and
c = call.getEnclosingCallable() and
exists(CallContext cc | exists(viableDelegateCallable(call, cc)) |
not cc instanceof EmptyCallContext
)
}
private DotNet::Callable viableImplInCallContext(DataFlowCall call, DataFlowCall ctx) {
exists(ArgumentCallContext cc | result = viableDelegateCallable(call, cc) |
cc.isArgument(ctx.getExpr(), _)
)
}
/**
* Gets a viable run-time target for the call `call` in the context
* `ctx`. This is restricted to those call nodes for which a context
* might make a difference.
*/
cached
DotNet::Callable prunedViableImplInCallContext(DataFlowCall call, DataFlowCall ctx) {
result = viableImplInCallContext(call, ctx) and
reducedViableImplInCallContext(call, _, ctx)
}
/**
* Holds if flow returning from callable `c` to call `call` might return
* further and if this path restricts the set of call sites that can be
* returned to.
*/
cached
predicate reducedViableImplInReturn(DotNet::Callable c, DataFlowCall call) {
exists(int tgts, int ctxtgts |
c = viableImpl(call) and
ctxtgts = strictcount(DataFlowCall ctx | c = viableImplInCallContext(call, ctx)) and
tgts = strictcount(DataFlowCall ctx | viableImpl(ctx) = call.getEnclosingCallable()) and
ctxtgts < tgts
)
}
/**
* Gets a viable run-time target for the call `call` in the context `ctx`.
* This is restricted to those call nodes and results for which the return
* flow from the result to `call` restricts the possible context `ctx`.
*/
cached
DotNet::Callable prunedViableImplInCallContextReverse(DataFlowCall call, DataFlowCall ctx) {
result = viableImplInCallContext(call, ctx) and
reducedViableImplInReturn(result, call)
}
/** A valid return type for a method that uses `yield return`. */
private class YieldReturnType extends Type {
YieldReturnType() {
exists(Type t | t = this.getSourceDeclaration() |
t instanceof SystemCollectionsIEnumerableInterface
or
t instanceof SystemCollectionsIEnumeratorInterface
or
t instanceof SystemCollectionsGenericIEnumerableTInterface
or
t instanceof SystemCollectionsGenericIEnumeratorInterface
)
}
}
/**
* Gets a node that can read the value returned from `call` with return kind
* `kind`.
*/
cached
OutNode getAnOutNode(DataFlowCall call, ReturnKind kind) {
// normal `return`
result = call.getNode() and
kind instanceof NormalReturnKind and
not call.getExpr().getType() instanceof VoidType
or
// `yield return`
result = call.getNode() and
kind instanceof YieldReturnKind and
call.getExpr().getType() instanceof YieldReturnType
or
// `out`/`ref` parameter
exists(Parameter p, AssignableDefinitions::OutRefDefinition def |
p.getSourceDeclaration().getPosition() = kind.(OutRefReturnKind).getPosition()
|
def = result.(SsaDefinitionNode).getDefinition().(Ssa::ExplicitDefinition).getADefinition() and
def.getTargetAccess() = call.getExpr().(Call).getArgumentForParameter(p)
)
or
// implicit captured variable return
exists(Ssa::ExplicitDefinition def, Ssa::ImplicitCallDefinition cdef, LocalScopeVariable v |
kind.(ImplicitCapturedReturnKind).getVariable() = v and
def.isCapturedVariableDefinitionFlowOut(cdef, _) and
cdef = result.(SsaDefinitionNode).getDefinition() and
v = def.getSourceVariable().getAssignable()
|
call.getControlFlowNode() = cdef.getControlFlowNode()
or
exists(DataFlowCall outer | call.(ImplicitDelegateDataFlowCall).isArgumentOf(outer, _) |
outer.getControlFlowNode() = cdef.getControlFlowNode()
)
)
}
}
import Cached
predicate viableCallable = viableImpl/1;
/**
* A return kind. A return kind describes how a value can be returned
* from a callable.
*/
abstract class ReturnKind extends TReturnKind {
/** Gets a textual representation of this position. */
abstract string toString();
}
/**
* A value returned from a callable using a `return` statement or an expression
* body, that is, a "normal" return.
*/
class NormalReturnKind extends ReturnKind, TNormalReturnKind {
override string toString() { result = "return" }
}
/** A value returned from a callable using a `yield return` statement. */
class YieldReturnKind extends ReturnKind, TYieldReturnKind {
override string toString() { result = "yield return" }
}
/** A value returned from a callable using an `out` or a `ref` parameter. */
abstract class OutRefReturnKind extends ReturnKind {
/** Gets the position of the `out`/`ref` parameter. */
abstract int getPosition();
}
/** A value returned from a callable using an `out` parameter. */
class OutReturnKind extends OutRefReturnKind, TOutReturnKind {
override int getPosition() { this = TOutReturnKind(result) }
override string toString() { result = "out" }
}
/** A value returned from a callable using a `ref` parameter. */
class RefReturnKind extends OutRefReturnKind, TRefReturnKind {
override int getPosition() { this = TRefReturnKind(result) }
override string toString() { result = "ref" }
}
/** A value implicitly returned from a callable using a captured variable. */
class ImplicitCapturedReturnKind extends ReturnKind, TImplicitCapturedReturnKind {
private LocalScopeVariable v;
ImplicitCapturedReturnKind() { this = TImplicitCapturedReturnKind(v) }
/** Gets the captured variable. */
LocalScopeVariable getVariable() { result = v }
override string toString() { result = "captured " + v }
}
/** A call relevant for data flow. */
abstract class DataFlowCall extends TDataFlowCall {
/**
* Gets a run-time target of this call. A target is always a source
* declaration, and if the callable has both CIL and source code, only
* the source code version is returned.
*/
abstract DotNet::Callable getARuntimeTarget();
/** Gets the control flow node where this call happens, if any. */
abstract ControlFlow::Nodes::ElementNode getControlFlowNode();
/** Gets the data flow node corresponding to this call, if any. */
abstract DataFlow::Node getNode();
/** Gets the enclosing callable of this call. */
abstract DotNet::Callable getEnclosingCallable();
/** Gets the underlying expression, if any. */
final DotNet::Expr getExpr() { result = this.getNode().asExpr() }
/** Gets the `i`th argument of this call. */
final ArgumentNode getArgument(int i) { result.argumentOf(this, i) }
/** Gets a textual representation of this call. */
abstract string toString();
/** Gets the location of this call. */
abstract Location getLocation();
}
/** A non-delegate C# call relevant for data flow. */
class NonDelegateDataFlowCall extends DataFlowCall, TNonDelegateCall {
private ControlFlow::Nodes::ElementNode cfn;
private DispatchCall dc;
NonDelegateDataFlowCall() { this = TNonDelegateCall(cfn, dc) }
override DotNet::Callable getARuntimeTarget() {
result = getCallableForDataFlow(dc.getADynamicTarget())
}
override ControlFlow::Nodes::ElementNode getControlFlowNode() { result = cfn }
override DataFlow::ExprNode getNode() { result.getControlFlowNode() = cfn }
override Callable getEnclosingCallable() { result = cfn.getEnclosingCallable() }
override string toString() { result = cfn.toString() }
override Location getLocation() { result = cfn.getLocation() }
}
/** A delegate call relevant for data flow. */
abstract class DelegateDataFlowCall extends DataFlowCall {
/** Gets a viable run-time target of this call requiring call context `cc`. */
abstract DotNet::Callable getARuntimeTarget(CallContext::CallContext cc);
override DotNet::Callable getARuntimeTarget() { result = this.getARuntimeTarget(_) }
}
/** An explicit delegate call relevant for data flow. */
class ExplicitDelegateDataFlowCall extends DelegateDataFlowCall, TExplicitDelegateCall {
private ControlFlow::Nodes::ElementNode cfn;
private DelegateCall dc;
ExplicitDelegateDataFlowCall() { this = TExplicitDelegateCall(cfn, dc) }
override DotNet::Callable getARuntimeTarget(CallContext::CallContext cc) {
result = dc.getARuntimeTarget(cc)
}
override ControlFlow::Nodes::ElementNode getControlFlowNode() { result = cfn }
override DataFlow::ExprNode getNode() { result.getControlFlowNode() = cfn }
override Callable getEnclosingCallable() { result = cfn.getEnclosingCallable() }
override string toString() { result = cfn.toString() }
override Location getLocation() { result = cfn.getLocation() }
}
/**
* An implicit delegate call in a call to a library method. For example, we add
* an implicit call to `M` in `new Lazy<int>(M)` (although, technically, the delegate
* would first be called when accessing the `Value` property).
*/
class ImplicitDelegateDataFlowCall extends DelegateDataFlowCall, TImplicitDelegateCall {
private ControlFlow::Nodes::ElementNode cfn;
private DelegateArgumentToLibraryCallable arg;
ImplicitDelegateDataFlowCall() { this = TImplicitDelegateCall(cfn, arg) }
/**
* Holds if the underlying delegate argument is the `i`th argument of the
* call `c` targeting a library callable. For example, `M` is the `0`th
* argument of `new Lazy<int>(M)`.
*/
predicate isArgumentOf(DataFlowCall c, int i) {
exists(ImplicitDelegateOutNode out | out.getControlFlowNode() = cfn | out.isArgumentOf(c, i))
}
/** Gets the number of parameters of the supplied delegate. */
int getNumberOfDelegateParameters() { result = arg.getDelegateType().getNumberOfParameters() }
override DotNet::Callable getARuntimeTarget(CallContext::CallContext cc) {
result = cfn.getElement().(DelegateArgumentToLibraryCallable).getARuntimeTarget(cc)
}
override ControlFlow::Nodes::ElementNode getControlFlowNode() { result = cfn }
override ImplicitDelegateOutNode getNode() { result.getControlFlowNode() = cfn }
override Callable getEnclosingCallable() { result = cfn.getEnclosingCallable() }
override string toString() { result = "[implicit call] " + cfn.toString() }
override Location getLocation() { result = cfn.getLocation() }
}
/**
* A call that can reach a callable, using one or more additional calls, which
* reads or updates a captured variable. We model such a chain of calls as just
* a single call for performance reasons.
*/
class TransitiveCapturedDataFlowCall extends DataFlowCall, TTransitiveCapturedCall {
ControlFlow::Nodes::ElementNode cfn;
TransitiveCapturedDataFlowCall() { this = TTransitiveCapturedCall(cfn) }
override Callable getARuntimeTarget() { transitiveCapturedCallTarget(cfn, result) }
override ControlFlow::Nodes::ElementNode getControlFlowNode() { result = cfn }
override DataFlow::ExprNode getNode() { none() }
override Callable getEnclosingCallable() { result = cfn.getEnclosingCallable() }
override string toString() { result = "[transitive] " + cfn.toString() }
override Location getLocation() { result = cfn.getLocation() }
}
/** A CIL call relevant for data flow. */
class CilDataFlowCall extends DataFlowCall, TCilCall {
private CIL::Call call;
CilDataFlowCall() { this = TCilCall(call) }
override DotNet::Callable getARuntimeTarget() {
// There is no dispatch library for CIL, so do not consider overrides for now
result = getCallableForDataFlow(call.getTarget())
}
override ControlFlow::Nodes::ElementNode getControlFlowNode() { none() }
override DataFlow::ExprNode getNode() { result.getExpr() = call }
override CIL::Callable getEnclosingCallable() { result = call.getEnclosingCallable() }
override string toString() { result = call.toString() }
override Location getLocation() { result = call.getLocation() }
}
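Review bot: `CilDataFlowCall.getARuntimeTarget()` resolves only the static target via `getCallableForDataFlow(call.getTarget())`, so a virtual or interface call made from CIL code is never linked to an overriding implementation. Any taint query built on this dispatch layer can therefore miss a flow through such a call without reporting anything. The inline comment marks this as deliberate "for now", but the class QLDoc that a query author reads does not mention it. I would state the limitation there, for example `/** A CIL call relevant for data flow. Only the static target is used; overriding callables are not considered. */`.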


@@ -0,0 +1,11 @@
/**
* Provides C#-specific definitions for use in the data flow library.
*/
module Private {
import DataFlowPrivate
import DataFlowDispatch
}
module Public {
import DataFlowPublic
}


@@ -0,0 +1,122 @@
private import csharp
private import cil
private import dotnet
private import DataFlowPrivate
private import DataFlowPrivateCached as C
/**
* An element, viewed as a node in a data flow graph. Either an expression
* (`ExprNode`) or a parameter (`ParameterNode`).
*/
class Node extends C::TNode {
/** Gets the expression corresponding to this node, if any. */
DotNet::Expr asExpr() { result = this.(ExprNode).getExpr() }
/**
* Gets the expression corresponding to this node, at control flow node `cfn`,
* if any.
*/
Expr asExprAtNode(ControlFlow::Nodes::ElementNode cfn) {
this = C::TExprNode(cfn) and
result = cfn.getElement()
}
/** Gets the parameter corresponding to this node, if any. */
DotNet::Parameter asParameter() { result = this.(ParameterNode).getParameter() }
/** Gets the type of this node. */
final Type getType() { result = C::getType(this) }
/** Gets an upper bound on the type of this node. */
Type getTypeBound() { result = this.getType() } // stub implementation
/** Gets the enclosing callable of this node. */
final DotNet::Callable getEnclosingCallable() { result = C::getEnclosingCallable(this) }
/** Gets the control flow node corresponding to this node, if any. */
ControlFlow::Node getControlFlowNode() { none() }
/** Gets a textual representation of this node. */
final string toString() { result = C::toString(this) }
/** Gets the location of this node. */
final Location getLocation() { result = C::getLocation(this) }
}
/**
* An expression, viewed as a node in a data flow graph.
*
* Note that because of control-flow splitting, one `Expr` may correspond
* to multiple `ExprNode`s, just like it may correspond to multiple
* `ControlFlow::Node`s.
*/
class ExprNode extends Node {
ExprNode() { this = C::TExprNode(_) or this = C::TCilExprNode(_) }
/** Gets the expression corresponding to this node. */
DotNet::Expr getExpr() {
result = this.getExprAtNode(_)
or
this = C::TCilExprNode(result)
}
/**
* Gets the expression corresponding to this node, at control flow node `cfn`,
* if any.
*/
Expr getExprAtNode(ControlFlow::Nodes::ElementNode cfn) {
this = C::TExprNode(cfn) and
result = cfn.getElement()
}
override ControlFlow::Nodes::ElementNode getControlFlowNode() { this = C::TExprNode(result) }
}
/**
* The value of a parameter at function entry, viewed as a node in a data
* flow graph.
*/
class ParameterNode extends Node {
ParameterNode() {
// charpred needed to avoid making `ParameterNode` abstract
explicitParameterNode(this, _) or
this.(SsaDefinitionNode).getDefinition() instanceof
ImplicitCapturedParameterNodeImpl::SsaCapturedEntryDefinition or
this = C::TCilParameterNode(_) or
this = C::TTaintedParameterNode(_)
}
/** Gets the parameter corresponding to this node, if any. */
DotNet::Parameter getParameter() { none() }
/**
* Holds if this node is the parameter of callable `c` at the specified
* (zero-based) position.
*/
predicate isParameterOf(DotNet::Callable c, int i) { none() }
}
/** Gets a node corresponding to expression `e`. */
ExprNode exprNode(DotNet::Expr e) { result.getExpr() = e }
/**
* Gets the node corresponding to the value of parameter `p` at function entry.
*/
ParameterNode parameterNode(DotNet::Parameter p) { result.getParameter() = p }
predicate localFlowStep = C::localFlowStepImpl/2;
/**
* Holds if data flows from `source` to `sink` in zero or more local
* (intra-procedural) steps.
*/
predicate localFlow(Node source, Node sink) { localFlowStep*(source, sink) }
/**
* A data flow node that jumps between callables. This can be extended in
* framework code to add additional data flow steps.
*/
abstract class NonLocalJumpNode extends Node {
/** Gets a successor node that is potentially in another callable. */
abstract Node getAJumpSuccessor(boolean preservesValue);
}
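Review bot: `NonLocalJumpNode.getAJumpSuccessor(boolean preservesValue)` is the extension point that framework models will override, yet its QLDoc does not say what `preservesValue` means. A model that binds it the wrong way could make queries treat a taint-only step as value flow, or the other way round. The consumer of this predicate is not visible in this section, so the wording needs confirming, but something like `/** Gets a successor node that is potentially in another callable. `preservesValue` indicates whether the step preserves the value or only propagates taint. */` would do. The `Node` QLDoc also says a node is either an `ExprNode` or a `ParameterNode`, while `ParameterNode`'s characteristic predicate refers to `SsaDefinitionNode`, so that sentence could be widened.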


@@ -634,8 +634,7 @@ private module Internal {
* respectively.
*/
private RuntimeAccessor getAViableOverrider() {
exists(ValueOrRefType t |
t = this.getANonExactQualifierType() |
exists(ValueOrRefType t | t = this.getANonExactQualifierType() |
result = this.getAStaticTarget().(OverridableAccessor).getAnOverrider(t)
)
}
@@ -1104,21 +1103,20 @@ private module Internal {
override DynamicMemberAccess getCall() { this = TDispatchDynamicMemberAccess(result) }
override string getName() {
exists(DynamicMemberAccess dma | dma = getCall() |
exists(DynamicMemberAccess dma | dma = this.getCall() |
result = "get_" + dma.(DynamicMemberRead).getLateBoundTargetName()
or
result = "set_" + dma.(DynamicMemberWrite).getLateBoundTargetName()
)
}
override Expr getQualifier() { result = getCall().getQualifier() }
override Expr getQualifier() { result = this.getCall().getQualifier() }
override Expr getArgument(int i) {
// Only calls to setters have an argument
exists(DynamicMemberWrite dmw |
dmw = getCall() and
exists(DynamicMemberAccess dma | dma = this.getCall() |
// Only calls to setters have an argument
i = 0 and
exists(Assignment a | a.getLValue() = dmw and result = a.getRValue())
exists(AssignableDefinition def | def.getTargetAccess() = dma | result = def.getSource())
)
}
}
@@ -1129,23 +1127,22 @@ private module Internal {
override DynamicElementAccess getCall() { this = TDispatchDynamicElementAccess(result) }
override string getName() {
exists(DynamicElementAccess dea | dea = getCall() |
exists(DynamicElementAccess dea | dea = this.getCall() |
dea instanceof DynamicElementRead and result = "get_Item"
or
dea instanceof DynamicElementWrite and result = "set_Item"
)
}
override Expr getQualifier() { result = getCall().getQualifier() }
override Expr getQualifier() { result = this.getCall().getQualifier() }
override Expr getArgument(int i) {
exists(DynamicElementAccess dea | dea = getCall() |
exists(DynamicElementAccess dea | dea = this.getCall() |
result = dea.getIndex(i)
or
// Calls to setters have an extra argument
i = count(dea.getAnIndex()) and
dea instanceof DynamicElementWrite and
exists(Assignment a | a.getLValue() = dea and result = a.getRValue())
exists(AssignableDefinition def | def.getTargetAccess() = dea | result = def.getSource())
)
}
}
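Review bot: In the dynamic member `getArgument(int i)` (second hunk), the restriction to setters is now only implicit. The bound variable became `DynamicMemberAccess dma` and the argument comes from `def.getSource()` of an `AssignableDefinition` targeting `dma`, while the element-access version in the third hunk keeps `dea instanceof DynamicElementWrite`. I would keep the two parallel by adding `dma instanceof DynamicMemberWrite and` before `i = 0`, so the comment "Only calls to setters have an argument" is backed by the code. It may also be worth confirming that every write form the old `Assignment`/`getRValue()` pattern covered still has a `getSource()`, since a definition without one would leave the setter call with no argument and a value passed to it would not be followed. Both enclosing classes start outside the hunks.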


@@ -4,6 +4,7 @@
import Expr
import semmle.code.csharp.Callable
private import semmle.code.csharp.frameworks.system.linq.Expressions
/**
* Either an object initializer (`ObjectInitializer`) or a collection
@@ -378,7 +379,9 @@ class ArrayCreation extends Expr, @array_creation_expr {
class AnonymousFunctionExpr extends Expr, Callable, @anonymous_function_expr {
override string getName() { result = "<anonymous>" }
override Type getReturnType() { result = getType().(DelegateType).getReturnType() }
override Type getReturnType() {
result = getType().(SystemLinqExpressions::DelegateExtType).getDelegateType().getReturnType()
}
override AnonymousFunctionExpr getSourceDeclaration() { result = this }
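Review bot: The rewritten `AnonymousFunctionExpr.getReturnType()` casts to `SystemLinqExpressions::DelegateExtType` without saying why the plain `DelegateType` cast was not enough; that type comes from the newly imported `Expressions` library and is not shown here. A short QLDoc such as `/** Gets the return type of the delegate type of this anonymous function, including when it is converted to an expression tree. */` would record the intent, assuming that is what `DelegateExtType` covers. Since the same commit moves the dispatch library to explicit receivers (`this.getCall()`), `this.getType()` would match that style here. The class body continues outside the hunk.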


@@ -1,27 +1,20 @@
| CSharp7.cs:17:18:17:22 | access to field field | CSharp7.cs:17:9:17:11 | return Foo |
| CSharp7.cs:18:14:18:14 | 5 | CSharp7.cs:18:14:18:14 | return get_P |
| CSharp7.cs:21:16:21:20 | call to method Foo | CSharp7.cs:21:9:21:11 | return get_Q |
| CSharp7.cs:22:9:22:11 | value | CSharp7.cs:22:9:22:11 | value |
| CSharp7.cs:22:9:22:11 | value | CSharp7.cs:22:24:22:28 | access to parameter value |
| CSharp7.cs:22:16:22:28 | ... = ... | CSharp7.cs:22:9:22:11 | return set_Q |
| CSharp7.cs:25:39:25:43 | call to method Foo | CSharp7.cs:25:5:25:27 | return ExpressionBodiedMembers |
| CSharp7.cs:26:35:26:39 | call to method Foo | CSharp7.cs:26:6:26:28 | return ~ExpressionBodiedMembers |
| CSharp7.cs:31:19:31:19 | i | CSharp7.cs:31:19:31:19 | i |
| CSharp7.cs:31:19:31:19 | i | CSharp7.cs:33:16:33:16 | access to parameter i |
| CSharp7.cs:33:16:33:16 | access to parameter i | CSharp7.cs:33:16:33:20 | ... > ... |
| CSharp7.cs:33:16:33:16 | access to parameter i | CSharp7.cs:33:24:33:24 | access to parameter i |
| CSharp7.cs:33:16:33:20 | ... > ... | CSharp7.cs:33:16:33:59 | ... ? ... : ... |
| CSharp7.cs:33:16:33:59 | ... ? ... : ... | CSharp7.cs:31:9:31:13 | return Throw |
| CSharp7.cs:33:24:33:24 | access to parameter i | CSharp7.cs:33:16:33:59 | ... ? ... : ... |
| CSharp7.cs:33:28:33:59 | throw ... | CSharp7.cs:33:16:33:59 | ... ? ... : ... |
| CSharp7.cs:41:13:41:21 | "tainted" | CSharp7.cs:39:23:39:23 | return (out/ref) F |
| CSharp7.cs:41:13:41:21 | "tainted" | CSharp7.cs:41:9:41:21 | SSA def(x) |
| CSharp7.cs:44:19:44:19 | x | CSharp7.cs:44:19:44:19 | x |
| CSharp7.cs:44:19:44:19 | x | CSharp7.cs:46:13:46:13 | access to parameter x |
| CSharp7.cs:46:13:46:13 | access to parameter x | CSharp7.cs:44:33:44:33 | return (out/ref) G |
| CSharp7.cs:46:13:46:13 | access to parameter x | CSharp7.cs:46:9:46:13 | SSA def(y) |
| CSharp7.cs:51:22:51:23 | SSA def(t1) | CSharp7.cs:53:18:53:19 | access to local variable t1 |
| CSharp7.cs:52:19:52:20 | SSA def(t2) | CSharp7.cs:56:14:56:15 | access to local variable t2 |
| CSharp7.cs:54:15:54:16 | SSA def(t1) | CSharp7.cs:55:14:55:15 | access to local variable t1 |
| CSharp7.cs:57:30:57:31 | SSA def(t4) | CSharp7.cs:58:18:58:19 | access to local variable t4 |
| CSharp7.cs:66:16:66:21 | (..., ...) | CSharp7.cs:64:16:64:16 | return F |
| CSharp7.cs:66:17:66:17 | 1 | CSharp7.cs:66:16:66:21 | (..., ...) |
| CSharp7.cs:66:20:66:20 | 2 | CSharp7.cs:66:16:66:21 | (..., ...) |
| CSharp7.cs:72:13:72:19 | SSA def(z) | CSharp7.cs:75:16:75:16 | access to local variable z |
@@ -47,9 +40,9 @@
| CSharp7.cs:78:31:78:31 | access to local variable a | CSharp7.cs:78:27:78:32 | (..., ...) |
| CSharp7.cs:79:23:79:24 | "" | CSharp7.cs:79:22:79:28 | (..., ...) |
| CSharp7.cs:79:27:79:27 | access to local variable x | CSharp7.cs:79:22:79:28 | (..., ...) |
| CSharp7.cs:82:21:82:21 | x | CSharp7.cs:82:21:82:21 | x |
| CSharp7.cs:82:21:82:21 | x | CSharp7.cs:84:20:84:20 | access to parameter x |
| CSharp7.cs:84:16:84:24 | (..., ...) | CSharp7.cs:84:16:84:26 | access to field a |
| CSharp7.cs:84:16:84:26 | access to field a | CSharp7.cs:82:12:82:12 | return I |
| CSharp7.cs:84:20:84:20 | access to parameter x | CSharp7.cs:84:16:84:24 | (..., ...) |
| CSharp7.cs:84:23:84:23 | 2 | CSharp7.cs:84:16:84:24 | (..., ...) |
| CSharp7.cs:89:13:89:34 | SSA def(t1) | CSharp7.cs:90:28:90:29 | access to local variable t1 |
@@ -95,49 +88,43 @@
| CSharp7.cs:118:9:118:10 | access to local variable m2 | CSharp7.cs:119:19:119:20 | access to local variable m2 |
| CSharp7.cs:119:19:119:20 | access to local variable m2 | CSharp7.cs:119:19:119:26 | access to field Item1 |
| CSharp7.cs:123:28:123:36 | "DefUse3" | CSharp7.cs:123:22:123:36 | ... = ... |
| CSharp7.cs:131:20:131:20 | x | CSharp7.cs:131:20:131:20 | x |
| CSharp7.cs:131:20:131:20 | x | CSharp7.cs:131:32:131:32 | access to parameter x |
| CSharp7.cs:131:32:131:32 | access to parameter x | CSharp7.cs:131:32:131:36 | ... + ... |
| CSharp7.cs:131:32:131:36 | ... + ... | CSharp7.cs:131:9:131:39 | return f1 |
| CSharp7.cs:131:36:131:36 | 1 | CSharp7.cs:131:32:131:36 | ... + ... |
| CSharp7.cs:133:22:133:22 | t | CSharp7.cs:133:22:133:22 | t |
| CSharp7.cs:133:22:133:22 | t | CSharp7.cs:133:39:133:39 | access to parameter t |
| CSharp7.cs:133:39:133:39 | access to parameter t | CSharp7.cs:133:9:133:42 | return f2 |
| CSharp7.cs:137:21:137:21 | 2 | CSharp7.cs:137:9:137:22 | return f3 |
| CSharp7.cs:139:29:139:29 | x | CSharp7.cs:139:29:139:29 | x |
| CSharp7.cs:139:29:139:29 | x | CSharp7.cs:139:34:139:34 | access to parameter x |
| CSharp7.cs:139:34:139:34 | access to parameter x | CSharp7.cs:139:34:139:38 | ... + ... |
| CSharp7.cs:139:34:139:38 | ... + ... | CSharp7.cs:139:29:139:38 | return (...) => ... |
| CSharp7.cs:139:38:139:38 | 1 | CSharp7.cs:139:34:139:38 | ... + ... |
| CSharp7.cs:141:20:141:20 | x | CSharp7.cs:141:20:141:20 | x |
| CSharp7.cs:141:20:141:20 | x | CSharp7.cs:141:26:141:26 | access to parameter x |
| CSharp7.cs:141:26:141:26 | access to parameter x | CSharp7.cs:141:26:141:30 | ... > ... |
| CSharp7.cs:141:26:141:26 | access to parameter x | CSharp7.cs:141:41:141:41 | access to parameter x |
| CSharp7.cs:141:26:141:30 | ... > ... | CSharp7.cs:141:26:141:50 | ... ? ... : ... |
| CSharp7.cs:141:26:141:50 | ... ? ... : ... | CSharp7.cs:141:9:141:51 | return f6 |
| CSharp7.cs:141:34:141:34 | 1 | CSharp7.cs:141:34:141:46 | ... + ... |
| CSharp7.cs:141:34:141:46 | ... + ... | CSharp7.cs:141:26:141:50 | ... ? ... : ... |
| CSharp7.cs:141:38:141:46 | call to local function f7 | CSharp7.cs:141:34:141:46 | ... + ... |
| CSharp7.cs:141:50:141:50 | 0 | CSharp7.cs:141:26:141:50 | ... ? ... : ... |
| CSharp7.cs:143:20:143:20 | x | CSharp7.cs:143:20:143:20 | x |
| CSharp7.cs:143:20:143:20 | x | CSharp7.cs:143:29:143:29 | access to parameter x |
| CSharp7.cs:143:26:143:30 | call to local function f6 | CSharp7.cs:143:9:143:31 | return f7 |
| CSharp7.cs:147:24:147:24 | x | CSharp7.cs:147:24:147:24 | x |
| CSharp7.cs:147:24:147:24 | x | CSharp7.cs:147:33:147:33 | access to parameter x |
| CSharp7.cs:147:30:147:34 | call to local function f7 | CSharp7.cs:147:13:147:35 | return f9 |
| CSharp7.cs:148:20:148:24 | call to local function f9 | CSharp7.cs:145:9:149:9 | return f8 |
| CSharp7.cs:152:25:152:25 | 0 | CSharp7.cs:152:13:152:26 | return f9 |
| CSharp7.cs:155:16:155:20 | call to local function f1 | CSharp7.cs:129:9:129:12 | return Main |
| CSharp7.cs:160:23:160:23 | 1 | CSharp7.cs:160:9:160:24 | return f |
| CSharp7.cs:161:18:161:18 | t | CSharp7.cs:161:18:161:18 | t |
| CSharp7.cs:161:18:161:18 | t | CSharp7.cs:161:24:161:24 | access to parameter t |
| CSharp7.cs:161:24:161:24 | access to parameter t | CSharp7.cs:161:9:161:25 | return g |
| CSharp7.cs:163:26:163:26 | u | CSharp7.cs:163:26:163:26 | u |
| CSharp7.cs:163:26:163:26 | u | CSharp7.cs:167:22:167:22 | access to parameter u |
| CSharp7.cs:165:25:165:30 | call to local function f | CSharp7.cs:165:13:165:31 | return f2 |
| CSharp7.cs:167:20:167:23 | call to local function g | CSharp7.cs:163:9:168:9 | return h |
| CSharp7.cs:176:16:176:30 | SSA def(src) | CSharp7.cs:181:23:181:25 | access to local variable src |
| CSharp7.cs:176:22:176:30 | "tainted" | CSharp7.cs:176:16:176:30 | SSA def(src) |
| CSharp7.cs:177:25:177:25 | s | CSharp7.cs:177:25:177:25 | s |
| CSharp7.cs:177:25:177:25 | s | CSharp7.cs:177:33:177:33 | access to parameter s |
| CSharp7.cs:177:31:177:34 | call to local function g | CSharp7.cs:177:31:177:39 | ... + ... |
| CSharp7.cs:177:31:177:39 | ... + ... | CSharp7.cs:177:9:177:40 | return f |
| CSharp7.cs:177:38:177:39 | "" | CSharp7.cs:177:31:177:39 | ... + ... |
| CSharp7.cs:178:25:178:25 | s | CSharp7.cs:178:25:178:25 | s |
| CSharp7.cs:178:25:178:25 | s | CSharp7.cs:178:31:178:31 | access to parameter s |
| CSharp7.cs:178:31:178:31 | access to parameter s | CSharp7.cs:178:9:178:32 | return g |
| CSharp7.cs:179:25:179:25 | s | CSharp7.cs:179:25:179:25 | s |
| CSharp7.cs:179:25:179:25 | s | CSharp7.cs:179:37:179:37 | access to parameter s |
| CSharp7.cs:179:37:179:37 | access to parameter s | CSharp7.cs:179:9:179:40 | return h |
| CSharp7.cs:181:23:181:25 | access to local variable src | CSharp7.cs:182:23:182:25 | access to local variable src |
| CSharp7.cs:182:23:182:25 | access to local variable src | CSharp7.cs:183:23:183:25 | access to local variable src |
| CSharp7.cs:191:13:191:18 | SSA def(v1) | CSharp7.cs:192:26:192:27 | access to local variable v1 |
@@ -154,13 +141,11 @@
| CSharp7.cs:196:26:196:30 | access to local variable array | CSharp7.cs:196:26:196:33 | access to array element |
| CSharp7.cs:197:26:197:27 | access to local variable r1 | CSharp7.cs:199:33:199:34 | access to local variable r1 |
| CSharp7.cs:199:33:199:34 | access to local variable r1 | CSharp7.cs:200:16:200:17 | access to local variable r1 |
| CSharp7.cs:203:24:203:24 | p | CSharp7.cs:203:24:203:24 | p |
| CSharp7.cs:203:24:203:24 | p | CSharp7.cs:206:20:206:20 | access to parameter p |
| CSharp7.cs:205:28:205:28 | q | CSharp7.cs:205:28:205:28 | q |
| CSharp7.cs:205:28:205:28 | q | CSharp7.cs:205:44:205:44 | access to parameter q |
| CSharp7.cs:205:40:205:44 | ref ... | CSharp7.cs:205:9:205:47 | return F3 |
| CSharp7.cs:206:16:206:20 | ref ... | CSharp7.cs:203:13:203:14 | return F2 |
| CSharp7.cs:216:13:216:17 | false | CSharp7.cs:214:30:214:30 | return (out/ref) f |
| CSharp7.cs:216:13:216:17 | false | CSharp7.cs:216:9:216:17 | SSA def(x) |
| CSharp7.cs:217:16:217:23 | (..., ...) | CSharp7.cs:214:19:214:19 | return f |
| CSharp7.cs:217:17:217:17 | 0 | CSharp7.cs:217:16:217:23 | (..., ...) |
| CSharp7.cs:217:20:217:22 | 0 | CSharp7.cs:217:16:217:23 | (..., ...) |
| CSharp7.cs:233:16:233:23 | SSA def(o) | CSharp7.cs:234:13:234:13 | access to local variable o |
@@ -209,9 +194,9 @@
| CSharp7.cs:283:20:283:48 | object creation of type Dictionary<Int32,String> | CSharp7.cs:283:13:283:48 | SSA def(dict) |
| CSharp7.cs:284:13:284:62 | SSA def(list) | CSharp7.cs:286:39:286:42 | access to local variable list |
| CSharp7.cs:284:20:284:62 | call to method Select | CSharp7.cs:284:13:284:62 | SSA def(list) |
| CSharp7.cs:284:32:284:35 | item | CSharp7.cs:284:32:284:35 | item |
| CSharp7.cs:284:32:284:35 | item | CSharp7.cs:284:41:284:44 | access to parameter item |
| CSharp7.cs:284:32:284:61 | [implicit call] (...) => ... | CSharp7.cs:284:20:284:62 | call to method Select |
| CSharp7.cs:284:40:284:61 | (..., ...) | CSharp7.cs:284:32:284:61 | return (...) => ... |
| CSharp7.cs:284:32:284:61 | [output] (...) => ... | CSharp7.cs:284:20:284:62 | call to method Select |
| CSharp7.cs:284:41:284:44 | access to parameter item | CSharp7.cs:284:51:284:54 | access to parameter item |
| CSharp7.cs:284:41:284:48 | access to property Key | CSharp7.cs:284:40:284:61 | (..., ...) |
| CSharp7.cs:284:51:284:54 | access to parameter item | CSharp7.cs:284:51:284:60 | access to property Value |


@@ -1,4 +1,3 @@
| CSharp7.cs:41:13:41:21 | "tainted" | CSharp7.cs:39:23:39:23 | return (out/ref) F |
| CSharp7.cs:41:13:41:21 | "tainted" | CSharp7.cs:41:9:41:21 | SSA def(x) |
| CSharp7.cs:79:23:79:24 | "" | CSharp7.cs:79:22:79:28 | (..., ...) |
| CSharp7.cs:89:19:89:27 | "tainted" | CSharp7.cs:89:13:89:34 | SSA def(t1) |
@@ -30,7 +29,6 @@
| CSharp7.cs:176:22:176:30 | "tainted" | CSharp7.cs:181:23:181:25 | access to local variable src |
| CSharp7.cs:176:22:176:30 | "tainted" | CSharp7.cs:182:23:182:25 | access to local variable src |
| CSharp7.cs:176:22:176:30 | "tainted" | CSharp7.cs:183:23:183:25 | access to local variable src |
| CSharp7.cs:177:38:177:39 | "" | CSharp7.cs:177:9:177:40 | return f |
| CSharp7.cs:177:38:177:39 | "" | CSharp7.cs:177:31:177:39 | ... + ... |
| CSharp7.cs:236:33:236:36 | "int " | CSharp7.cs:236:31:236:41 | $"..." |
| CSharp7.cs:240:33:240:39 | "string " | CSharp7.cs:240:31:240:44 | $"..." |


@@ -37,6 +37,7 @@ edges
| Capture.cs:170:25:170:31 | access to parameter tainted | Capture.cs:170:22:170:32 | call to local function Id |
| GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:18:15:18:29 | access to field SinkField0 |
| GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:26:15:26:32 | access to property SinkProperty0 |
| GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:26:15:26:32 | access to property SinkProperty0 |
| GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:35:13:35:30 | access to property SinkProperty0 |
| GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:37:35:37:52 | access to property SinkProperty0 |
| GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:45:13:45:30 | access to property SinkProperty0 |
@@ -119,8 +120,9 @@ edges
| GlobalDataFlow.cs:70:21:70:46 | call to method Return | GlobalDataFlow.cs:71:15:71:19 | access to local variable sink0 |
| GlobalDataFlow.cs:70:21:70:46 | call to method Return | GlobalDataFlow.cs:72:94:72:98 | access to local variable sink0 |
| GlobalDataFlow.cs:70:28:70:45 | access to property SinkProperty0 | GlobalDataFlow.cs:70:21:70:46 | call to method Return |
| GlobalDataFlow.cs:72:29:72:101 | call to method Invoke | GlobalDataFlow.cs:73:15:73:19 | access to local variable sink1 |
| GlobalDataFlow.cs:72:29:72:101 | call to method Invoke | GlobalDataFlow.cs:75:19:75:23 | access to local variable sink1 |
| GlobalDataFlow.cs:72:21:72:101 | (...) ... | GlobalDataFlow.cs:73:15:73:19 | access to local variable sink1 |
| GlobalDataFlow.cs:72:21:72:101 | (...) ... | GlobalDataFlow.cs:75:19:75:23 | access to local variable sink1 |
| GlobalDataFlow.cs:72:29:72:101 | call to method Invoke | GlobalDataFlow.cs:72:21:72:101 | (...) ... |
| GlobalDataFlow.cs:72:94:72:98 | access to local variable sink0 | GlobalDataFlow.cs:72:29:72:101 | call to method Invoke |
| GlobalDataFlow.cs:75:19:75:23 | access to local variable sink1 | GlobalDataFlow.cs:75:30:75:34 | SSA def(sink2) |
| GlobalDataFlow.cs:75:30:75:34 | SSA def(sink2) | GlobalDataFlow.cs:76:15:76:19 | access to local variable sink2 |
@@ -137,16 +139,12 @@ edges
| GlobalDataFlow.cs:152:20:152:24 | SSA def(sink7) | GlobalDataFlow.cs:153:15:153:19 | access to local variable sink7 |
| GlobalDataFlow.cs:155:20:155:24 | SSA def(sink8) | GlobalDataFlow.cs:156:15:156:19 | access to local variable sink8 |
| GlobalDataFlow.cs:159:22:159:43 | call to method TaintedParam | GlobalDataFlow.cs:160:15:160:20 | access to local variable sink23 |
| GlobalDataFlow.cs:175:29:175:48 | return (...) => ... | GlobalDataFlow.cs:176:21:176:26 | delegate call |
| GlobalDataFlow.cs:175:35:175:48 | "taint source" | GlobalDataFlow.cs:175:29:175:48 | return (...) => ... |
| GlobalDataFlow.cs:175:35:175:48 | "taint source" | GlobalDataFlow.cs:176:21:176:26 | delegate call |
| GlobalDataFlow.cs:176:21:176:26 | delegate call | GlobalDataFlow.cs:177:15:177:19 | access to local variable sink9 |
| GlobalDataFlow.cs:185:39:185:41 | [implicit call] delegate creation of type Func<String> | GlobalDataFlow.cs:186:15:186:20 | access to local variable sink10 |
| GlobalDataFlow.cs:185:39:185:41 | [output] delegate creation of type Func<String> | GlobalDataFlow.cs:186:15:186:20 | access to local variable sink10 |
| GlobalDataFlow.cs:193:22:193:32 | access to property OutProperty | GlobalDataFlow.cs:194:15:194:20 | access to local variable sink19 |
| GlobalDataFlow.cs:230:26:230:35 | sinkParam0 | GlobalDataFlow.cs:232:16:232:25 | access to parameter sinkParam0 |
| GlobalDataFlow.cs:230:26:230:35 | sinkParam0 | GlobalDataFlow.cs:232:16:232:25 | access to parameter sinkParam0 |
| GlobalDataFlow.cs:230:26:230:35 | sinkParam0 | GlobalDataFlow.cs:233:15:233:24 | access to parameter sinkParam0 |
| GlobalDataFlow.cs:230:26:230:35 | sinkParam0 | GlobalDataFlow.cs:233:15:233:24 | access to parameter sinkParam0 |
| GlobalDataFlow.cs:232:16:232:25 | access to parameter sinkParam0 | GlobalDataFlow.cs:230:26:230:35 | sinkParam0 |
| GlobalDataFlow.cs:232:16:232:25 | access to parameter sinkParam0 | GlobalDataFlow.cs:230:26:230:35 | sinkParam0 |
| GlobalDataFlow.cs:236:26:236:35 | sinkParam1 | GlobalDataFlow.cs:238:15:238:24 | access to parameter sinkParam1 |
| GlobalDataFlow.cs:241:26:241:35 | sinkParam3 | GlobalDataFlow.cs:243:15:243:24 | access to parameter sinkParam3 |
@@ -154,13 +152,12 @@ edges
| GlobalDataFlow.cs:251:26:251:35 | sinkParam5 | GlobalDataFlow.cs:253:15:253:24 | access to parameter sinkParam5 |
| GlobalDataFlow.cs:256:26:256:35 | sinkParam6 | GlobalDataFlow.cs:258:15:258:24 | access to parameter sinkParam6 |
| GlobalDataFlow.cs:261:26:261:35 | sinkParam7 | GlobalDataFlow.cs:263:15:263:24 | access to parameter sinkParam7 |
| GlobalDataFlow.cs:311:12:311:14 | return Out | GlobalDataFlow.cs:149:21:149:25 | call to method Out |
| GlobalDataFlow.cs:311:12:311:14 | return Out | GlobalDataFlow.cs:185:39:185:41 | [implicit call] delegate creation of type Func<String> |
| GlobalDataFlow.cs:313:16:313:29 | "taint source" | GlobalDataFlow.cs:311:12:311:14 | return Out |
| GlobalDataFlow.cs:316:28:316:28 | return (out/ref) OutOut | GlobalDataFlow.cs:152:20:152:24 | SSA def(sink7) |
| GlobalDataFlow.cs:318:13:318:26 | "taint source" | GlobalDataFlow.cs:316:28:316:28 | return (out/ref) OutOut |
| GlobalDataFlow.cs:321:28:321:28 | return (out/ref) OutRef | GlobalDataFlow.cs:155:20:155:24 | SSA def(sink8) |
| GlobalDataFlow.cs:323:13:323:26 | "taint source" | GlobalDataFlow.cs:321:28:321:28 | return (out/ref) OutRef |
| GlobalDataFlow.cs:313:16:313:29 | "taint source" | GlobalDataFlow.cs:149:21:149:25 | call to method Out |
| GlobalDataFlow.cs:313:16:313:29 | "taint source" | GlobalDataFlow.cs:185:39:185:41 | [output] delegate creation of type Func<String> |
| GlobalDataFlow.cs:318:9:318:26 | SSA def(x) | GlobalDataFlow.cs:152:20:152:24 | SSA def(sink7) |
| GlobalDataFlow.cs:318:13:318:26 | "taint source" | GlobalDataFlow.cs:318:9:318:26 | SSA def(x) |
| GlobalDataFlow.cs:323:9:323:26 | SSA def(x) | GlobalDataFlow.cs:155:20:155:24 | SSA def(sink8) |
| GlobalDataFlow.cs:323:13:323:26 | "taint source" | GlobalDataFlow.cs:323:9:323:26 | SSA def(x) |
| GlobalDataFlow.cs:354:41:354:41 | x | GlobalDataFlow.cs:356:11:356:11 | access to parameter x |
| GlobalDataFlow.cs:354:41:354:41 | x | GlobalDataFlow.cs:356:11:356:11 | access to parameter x |
| GlobalDataFlow.cs:356:11:356:11 | access to parameter x | GlobalDataFlow.cs:53:15:53:15 | x |
@@ -171,23 +168,17 @@ edges
| GlobalDataFlow.cs:370:11:370:11 | access to parameter x | GlobalDataFlow.cs:56:37:56:37 | x |
| GlobalDataFlow.cs:370:11:370:11 | access to parameter x | GlobalDataFlow.cs:251:26:251:35 | sinkParam5 |
| GlobalDataFlow.cs:370:11:370:11 | access to parameter x | GlobalDataFlow.cs:256:26:256:35 | sinkParam6 |
| GlobalDataFlow.cs:373:19:373:30 | return TaintedParam | GlobalDataFlow.cs:159:22:159:43 | call to method TaintedParam |
| GlobalDataFlow.cs:373:39:373:45 | tainted | GlobalDataFlow.cs:373:19:373:30 | return TaintedParam |
| GlobalDataFlow.cs:373:39:373:45 | tainted | GlobalDataFlow.cs:376:15:376:20 | access to local variable sink11 |
| GlobalDataFlow.cs:373:39:373:45 | tainted | GlobalDataFlow.cs:377:16:377:21 | access to local variable sink11 |
| GlobalDataFlow.cs:377:16:377:21 | access to local variable sink11 | GlobalDataFlow.cs:159:22:159:43 | call to method TaintedParam |
| GlobalDataFlow.cs:399:9:399:11 | value | GlobalDataFlow.cs:399:41:399:46 | access to local variable sink20 |
| GlobalDataFlow.cs:410:9:410:11 | return get_OutProperty | GlobalDataFlow.cs:193:22:193:32 | access to property OutProperty |
| GlobalDataFlow.cs:410:22:410:35 | "taint source" | GlobalDataFlow.cs:410:9:410:11 | return get_OutProperty |
| GlobalDataFlow.cs:410:22:410:35 | "taint source" | GlobalDataFlow.cs:193:22:193:32 | access to property OutProperty |
| Splitting.cs:3:28:3:34 | tainted | Splitting.cs:8:24:8:30 | [b (line 3): false] access to parameter tainted |
| Splitting.cs:3:28:3:34 | tainted | Splitting.cs:8:24:8:30 | [b (line 3): true] access to parameter tainted |
| Splitting.cs:8:17:8:31 | [b (line 3): false] call to method Return | Splitting.cs:9:15:9:15 | [b (line 3): false] access to local variable x |
| Splitting.cs:8:17:8:31 | [b (line 3): false] call to method Return | Splitting.cs:9:15:9:15 | [b (line 3): false] access to local variable x |
| Splitting.cs:8:17:8:31 | [b (line 3): true] call to method Return | Splitting.cs:9:15:9:15 | [b (line 3): true] access to local variable x |
| Splitting.cs:8:17:8:31 | [b (line 3): true] call to method Return | Splitting.cs:9:15:9:15 | [b (line 3): true] access to local variable x |
| Splitting.cs:8:17:8:31 | [b (line 3): true] call to method Return | Splitting.cs:11:19:11:19 | access to local variable x |
| Splitting.cs:8:17:8:31 | [b (line 3): true] call to method Return | Splitting.cs:11:19:11:19 | access to local variable x |
| Splitting.cs:8:24:8:30 | [b (line 3): false] access to parameter tainted | Splitting.cs:8:17:8:31 | [b (line 3): false] call to method Return |
| Splitting.cs:8:24:8:30 | [b (line 3): false] access to parameter tainted | Splitting.cs:8:17:8:31 | [b (line 3): false] call to method Return |
| Splitting.cs:8:24:8:30 | [b (line 3): true] access to parameter tainted | Splitting.cs:8:17:8:31 | [b (line 3): true] call to method Return |
| Splitting.cs:8:24:8:30 | [b (line 3): true] access to parameter tainted | Splitting.cs:8:17:8:31 | [b (line 3): true] call to method Return |
| Splitting.cs:21:9:21:11 | value | Splitting.cs:21:28:21:32 | access to parameter value |
| Splitting.cs:24:28:24:34 | tainted | Splitting.cs:30:17:30:23 | [b (line 24): false] access to parameter tainted |
@@ -197,188 +188,14 @@ edges
| Splitting.cs:30:17:30:23 | [b (line 24): false] access to parameter tainted | Splitting.cs:21:9:21:11 | value |
| Splitting.cs:30:17:30:23 | [b (line 24): true] access to parameter tainted | Splitting.cs:21:9:21:11 | value |
| Splitting.cs:31:17:31:26 | [b (line 24): false] dynamic access to element | Splitting.cs:32:15:32:15 | [b (line 24): false] access to local variable x |
| Splitting.cs:31:17:31:26 | [b (line 24): false] dynamic access to element | Splitting.cs:32:15:32:15 | [b (line 24): false] access to local variable x |
| Splitting.cs:31:17:31:26 | [b (line 24): true] dynamic access to element | Splitting.cs:32:15:32:15 | [b (line 24): true] access to local variable x |
| Splitting.cs:31:17:31:26 | [b (line 24): true] dynamic access to element | Splitting.cs:32:15:32:15 | [b (line 24): true] access to local variable x |
| Splitting.cs:31:17:31:26 | [b (line 24): true] dynamic access to element | Splitting.cs:34:19:34:19 | access to local variable x |
| Splitting.cs:31:17:31:26 | [b (line 24): true] dynamic access to element | Splitting.cs:34:19:34:19 | access to local variable x |
| Splitting.cs:31:19:31:25 | [b (line 24): false] access to parameter tainted | Splitting.cs:31:17:31:26 | [b (line 24): false] dynamic access to element |
| Splitting.cs:31:19:31:25 | [b (line 24): false] access to parameter tainted | Splitting.cs:31:17:31:26 | [b (line 24): false] dynamic access to element |
| Splitting.cs:31:19:31:25 | [b (line 24): true] access to parameter tainted | Splitting.cs:31:17:31:26 | [b (line 24): true] dynamic access to element |
| Splitting.cs:31:19:31:25 | [b (line 24): true] access to parameter tainted | Splitting.cs:31:17:31:26 | [b (line 24): true] dynamic access to element |
nodes
| Capture.cs:7:20:7:26 | tainted |
| Capture.cs:9:9:13:9 | SSA capture def(tainted) |
| Capture.cs:12:19:12:24 | access to local variable sink27 |
| Capture.cs:14:9:14:20 | [implicit argument] tainted |
| Capture.cs:18:13:22:13 | SSA capture def(tainted) |
| Capture.cs:21:23:21:28 | access to local variable sink28 |
| Capture.cs:25:9:25:20 | [implicit argument] tainted |
| Capture.cs:27:43:32:9 | SSA capture def(tainted) |
| Capture.cs:30:19:30:24 | access to local variable sink29 |
| Capture.cs:33:9:33:40 | [implicit argument] tainted |
| Capture.cs:57:13:57:35 | SSA def(sink30) |
| Capture.cs:57:22:57:35 | "taint source" |
| Capture.cs:59:9:59:21 | SSA call def(sink30) |
| Capture.cs:60:15:60:20 | access to local variable sink30 |
| Capture.cs:67:17:67:39 | SSA def(sink31) |
| Capture.cs:67:26:67:39 | "taint source" |
| Capture.cs:71:9:71:21 | SSA call def(sink31) |
| Capture.cs:72:15:72:20 | access to local variable sink31 |
| Capture.cs:77:13:77:35 | SSA def(sink32) |
| Capture.cs:77:22:77:35 | "taint source" |
| Capture.cs:80:9:80:41 | SSA call def(sink32) |
| Capture.cs:81:15:81:20 | access to local variable sink32 |
| Capture.cs:101:25:101:31 | tainted |
| Capture.cs:108:9:108:25 | SSA call def(sink33) |
| Capture.cs:108:9:108:25 | [implicit argument] tainted |
| Capture.cs:109:15:109:20 | access to local variable sink33 |
| Capture.cs:120:9:120:25 | SSA call def(sink34) |
| Capture.cs:120:9:120:25 | [implicit argument] tainted |
| Capture.cs:121:15:121:20 | access to local variable sink34 |
| Capture.cs:129:9:129:45 | SSA call def(sink35) |
| Capture.cs:129:9:129:45 | [implicit argument] tainted |
| Capture.cs:130:15:130:20 | access to local variable sink35 |
| Capture.cs:136:22:136:38 | [implicit argument] tainted |
| Capture.cs:136:22:136:38 | call to local function CaptureThrough4 |
| Capture.cs:137:15:137:20 | access to local variable sink36 |
| Capture.cs:144:9:144:32 | SSA call def(sink37) |
| Capture.cs:144:25:144:31 | access to parameter tainted |
| Capture.cs:145:15:145:20 | access to local variable sink37 |
| Capture.cs:170:22:170:32 | call to local function Id |
| Capture.cs:170:25:170:31 | access to parameter tainted |
| Capture.cs:171:15:171:20 | access to local variable sink38 |
| GlobalDataFlow.cs:17:27:17:40 | "taint source" |
| GlobalDataFlow.cs:18:15:18:29 | access to field SinkField0 |
| GlobalDataFlow.cs:26:15:26:32 | access to property SinkProperty0 |
| GlobalDataFlow.cs:35:13:35:30 | access to property SinkProperty0 |
| GlobalDataFlow.cs:37:35:37:52 | access to property SinkProperty0 |
| GlobalDataFlow.cs:44:30:44:39 | sinkParam2 |
| GlobalDataFlow.cs:44:50:44:59 | access to parameter sinkParam2 |
| GlobalDataFlow.cs:45:13:45:30 | access to property SinkProperty0 |
| GlobalDataFlow.cs:52:20:52:37 | access to property SinkProperty0 |
| GlobalDataFlow.cs:53:15:53:15 | x |
| GlobalDataFlow.cs:53:24:53:24 | access to parameter x |
| GlobalDataFlow.cs:53:28:53:45 | access to property SinkProperty0 |
| GlobalDataFlow.cs:54:44:54:61 | access to property SinkProperty0 |
| GlobalDataFlow.cs:55:28:55:45 | access to property SinkProperty0 |
| GlobalDataFlow.cs:56:37:56:37 | x |
| GlobalDataFlow.cs:56:46:56:46 | access to parameter x |
| GlobalDataFlow.cs:57:35:57:52 | access to property SinkProperty0 |
| GlobalDataFlow.cs:64:22:64:39 | access to property SinkProperty0 |
| GlobalDataFlow.cs:70:21:70:46 | call to method Return |
| GlobalDataFlow.cs:70:28:70:45 | access to property SinkProperty0 |
| GlobalDataFlow.cs:71:15:71:19 | access to local variable sink0 |
| GlobalDataFlow.cs:72:29:72:101 | call to method Invoke |
| GlobalDataFlow.cs:72:94:72:98 | access to local variable sink0 |
| GlobalDataFlow.cs:73:15:73:19 | access to local variable sink1 |
| GlobalDataFlow.cs:75:19:75:23 | access to local variable sink1 |
| GlobalDataFlow.cs:75:30:75:34 | SSA def(sink2) |
| GlobalDataFlow.cs:76:15:76:19 | access to local variable sink2 |
| GlobalDataFlow.cs:78:19:78:23 | access to local variable sink2 |
| GlobalDataFlow.cs:78:30:78:34 | SSA def(sink3) |
| GlobalDataFlow.cs:79:15:79:19 | access to local variable sink3 |
| GlobalDataFlow.cs:131:21:131:34 | delegate call |
| GlobalDataFlow.cs:131:29:131:33 | access to local variable sink3 |
| GlobalDataFlow.cs:132:15:132:19 | access to local variable sink4 |
| GlobalDataFlow.cs:139:21:139:44 | call to method ApplyFunc |
| GlobalDataFlow.cs:139:39:139:43 | access to local variable sink4 |
| GlobalDataFlow.cs:140:15:140:19 | access to local variable sink5 |
| GlobalDataFlow.cs:149:21:149:25 | call to method Out |
| GlobalDataFlow.cs:150:15:150:19 | access to local variable sink6 |
| GlobalDataFlow.cs:152:20:152:24 | SSA def(sink7) |
| GlobalDataFlow.cs:153:15:153:19 | access to local variable sink7 |
| GlobalDataFlow.cs:155:20:155:24 | SSA def(sink8) |
| GlobalDataFlow.cs:156:15:156:19 | access to local variable sink8 |
| GlobalDataFlow.cs:159:22:159:43 | call to method TaintedParam |
| GlobalDataFlow.cs:160:15:160:20 | access to local variable sink23 |
| GlobalDataFlow.cs:175:29:175:48 | return (...) => ... |
| GlobalDataFlow.cs:175:35:175:48 | "taint source" |
| GlobalDataFlow.cs:176:21:176:26 | delegate call |
| GlobalDataFlow.cs:177:15:177:19 | access to local variable sink9 |
| GlobalDataFlow.cs:185:39:185:41 | [implicit call] delegate creation of type Func<String> |
| GlobalDataFlow.cs:186:15:186:20 | access to local variable sink10 |
| GlobalDataFlow.cs:193:22:193:32 | access to property OutProperty |
| GlobalDataFlow.cs:194:15:194:20 | access to local variable sink19 |
| GlobalDataFlow.cs:230:26:230:35 | sinkParam0 |
| GlobalDataFlow.cs:230:26:230:35 | sinkParam0 |
| GlobalDataFlow.cs:232:16:232:25 | access to parameter sinkParam0 |
| GlobalDataFlow.cs:232:16:232:25 | access to parameter sinkParam0 |
| GlobalDataFlow.cs:233:15:233:24 | access to parameter sinkParam0 |
| GlobalDataFlow.cs:233:15:233:24 | access to parameter sinkParam0 |
| GlobalDataFlow.cs:236:26:236:35 | sinkParam1 |
| GlobalDataFlow.cs:238:15:238:24 | access to parameter sinkParam1 |
| GlobalDataFlow.cs:241:26:241:35 | sinkParam3 |
| GlobalDataFlow.cs:243:15:243:24 | access to parameter sinkParam3 |
| GlobalDataFlow.cs:246:26:246:35 | sinkParam4 |
| GlobalDataFlow.cs:248:15:248:24 | access to parameter sinkParam4 |
| GlobalDataFlow.cs:251:26:251:35 | sinkParam5 |
| GlobalDataFlow.cs:253:15:253:24 | access to parameter sinkParam5 |
| GlobalDataFlow.cs:256:26:256:35 | sinkParam6 |
| GlobalDataFlow.cs:258:15:258:24 | access to parameter sinkParam6 |
| GlobalDataFlow.cs:261:26:261:35 | sinkParam7 |
| GlobalDataFlow.cs:263:15:263:24 | access to parameter sinkParam7 |
| GlobalDataFlow.cs:311:12:311:14 | return Out |
| GlobalDataFlow.cs:313:16:313:29 | "taint source" |
| GlobalDataFlow.cs:316:28:316:28 | return (out/ref) OutOut |
| GlobalDataFlow.cs:318:13:318:26 | "taint source" |
| GlobalDataFlow.cs:321:28:321:28 | return (out/ref) OutRef |
| GlobalDataFlow.cs:323:13:323:26 | "taint source" |
| GlobalDataFlow.cs:354:41:354:41 | x |
| GlobalDataFlow.cs:354:41:354:41 | x |
| GlobalDataFlow.cs:356:11:356:11 | access to parameter x |
| GlobalDataFlow.cs:356:11:356:11 | access to parameter x |
| GlobalDataFlow.cs:368:52:368:52 | x |
| GlobalDataFlow.cs:368:52:368:52 | x |
| GlobalDataFlow.cs:368:52:368:52 | x |
| GlobalDataFlow.cs:370:11:370:11 | access to parameter x |
| GlobalDataFlow.cs:370:11:370:11 | access to parameter x |
| GlobalDataFlow.cs:370:11:370:11 | access to parameter x |
| GlobalDataFlow.cs:373:19:373:30 | return TaintedParam |
| GlobalDataFlow.cs:373:39:373:45 | tainted |
| GlobalDataFlow.cs:376:15:376:20 | access to local variable sink11 |
| GlobalDataFlow.cs:399:9:399:11 | value |
| GlobalDataFlow.cs:399:41:399:46 | access to local variable sink20 |
| GlobalDataFlow.cs:410:9:410:11 | return get_OutProperty |
| GlobalDataFlow.cs:410:22:410:35 | "taint source" |
| Splitting.cs:3:28:3:34 | tainted |
| Splitting.cs:8:17:8:31 | [b (line 3): false] call to method Return |
| Splitting.cs:8:17:8:31 | [b (line 3): false] call to method Return |
| Splitting.cs:8:17:8:31 | [b (line 3): true] call to method Return |
| Splitting.cs:8:17:8:31 | [b (line 3): true] call to method Return |
| Splitting.cs:8:24:8:30 | [b (line 3): false] access to parameter tainted |
| Splitting.cs:8:24:8:30 | [b (line 3): true] access to parameter tainted |
| Splitting.cs:9:15:9:15 | [b (line 3): false] access to local variable x |
| Splitting.cs:9:15:9:15 | [b (line 3): false] access to local variable x |
| Splitting.cs:9:15:9:15 | [b (line 3): true] access to local variable x |
| Splitting.cs:9:15:9:15 | [b (line 3): true] access to local variable x |
| Splitting.cs:11:19:11:19 | access to local variable x |
| Splitting.cs:11:19:11:19 | access to local variable x |
| Splitting.cs:21:9:21:11 | value |
| Splitting.cs:21:28:21:32 | access to parameter value |
| Splitting.cs:24:28:24:34 | tainted |
| Splitting.cs:30:17:30:23 | [b (line 24): false] access to parameter tainted |
| Splitting.cs:30:17:30:23 | [b (line 24): true] access to parameter tainted |
| Splitting.cs:31:17:31:26 | [b (line 24): false] dynamic access to element |
| Splitting.cs:31:17:31:26 | [b (line 24): false] dynamic access to element |
| Splitting.cs:31:17:31:26 | [b (line 24): true] dynamic access to element |
| Splitting.cs:31:17:31:26 | [b (line 24): true] dynamic access to element |
| Splitting.cs:31:19:31:25 | [b (line 24): false] access to parameter tainted |
| Splitting.cs:31:19:31:25 | [b (line 24): true] access to parameter tainted |
| Splitting.cs:32:15:32:15 | [b (line 24): false] access to local variable x |
| Splitting.cs:32:15:32:15 | [b (line 24): false] access to local variable x |
| Splitting.cs:32:15:32:15 | [b (line 24): true] access to local variable x |
| Splitting.cs:32:15:32:15 | [b (line 24): true] access to local variable x |
| Splitting.cs:34:19:34:19 | access to local variable x |
| Splitting.cs:34:19:34:19 | access to local variable x |
#select
| Splitting.cs:32:15:32:15 | [b (line 24): false] access to local variable x | Splitting.cs:24:28:24:34 | tainted | Splitting.cs:32:15:32:15 | [b (line 24): false] access to local variable x | [b (line 24): false] access to local variable x |
| Splitting.cs:32:15:32:15 | [b (line 24): false] access to local variable x | Splitting.cs:24:28:24:34 | tainted | Splitting.cs:32:15:32:15 | [b (line 24): false] access to local variable x | [b (line 24): false] access to local variable x |
| Splitting.cs:32:15:32:15 | [b (line 24): true] access to local variable x | Splitting.cs:24:28:24:34 | tainted | Splitting.cs:32:15:32:15 | [b (line 24): true] access to local variable x | [b (line 24): true] access to local variable x |
| Splitting.cs:32:15:32:15 | [b (line 24): true] access to local variable x | Splitting.cs:24:28:24:34 | tainted | Splitting.cs:32:15:32:15 | [b (line 24): true] access to local variable x | [b (line 24): true] access to local variable x |
| Splitting.cs:9:15:9:15 | [b (line 3): false] access to local variable x | Splitting.cs:3:28:3:34 | tainted | Splitting.cs:9:15:9:15 | [b (line 3): false] access to local variable x | [b (line 3): false] access to local variable x |
| Splitting.cs:9:15:9:15 | [b (line 3): false] access to local variable x | Splitting.cs:3:28:3:34 | tainted | Splitting.cs:9:15:9:15 | [b (line 3): false] access to local variable x | [b (line 3): false] access to local variable x |
| Splitting.cs:9:15:9:15 | [b (line 3): true] access to local variable x | Splitting.cs:3:28:3:34 | tainted | Splitting.cs:9:15:9:15 | [b (line 3): true] access to local variable x | [b (line 3): true] access to local variable x |
| Splitting.cs:9:15:9:15 | [b (line 3): true] access to local variable x | Splitting.cs:3:28:3:34 | tainted | Splitting.cs:9:15:9:15 | [b (line 3): true] access to local variable x | [b (line 3): true] access to local variable x |
| GlobalDataFlow.cs:18:15:18:29 | access to field SinkField0 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:18:15:18:29 | access to field SinkField0 | access to field SinkField0 |
| GlobalDataFlow.cs:71:15:71:19 | access to local variable sink0 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:71:15:71:19 | access to local variable sink0 | access to local variable sink0 |
@@ -409,10 +226,7 @@ nodes
| GlobalDataFlow.cs:156:15:156:19 | access to local variable sink8 | GlobalDataFlow.cs:323:13:323:26 | "taint source" | GlobalDataFlow.cs:156:15:156:19 | access to local variable sink8 | access to local variable sink8 |
| GlobalDataFlow.cs:177:15:177:19 | access to local variable sink9 | GlobalDataFlow.cs:175:35:175:48 | "taint source" | GlobalDataFlow.cs:177:15:177:19 | access to local variable sink9 | access to local variable sink9 |
| Splitting.cs:11:19:11:19 | access to local variable x | Splitting.cs:3:28:3:34 | tainted | Splitting.cs:11:19:11:19 | access to local variable x | access to local variable x |
| Splitting.cs:11:19:11:19 | access to local variable x | Splitting.cs:3:28:3:34 | tainted | Splitting.cs:11:19:11:19 | access to local variable x | access to local variable x |
| Splitting.cs:34:19:34:19 | access to local variable x | Splitting.cs:24:28:24:34 | tainted | Splitting.cs:34:19:34:19 | access to local variable x | access to local variable x |
| Splitting.cs:34:19:34:19 | access to local variable x | Splitting.cs:24:28:24:34 | tainted | Splitting.cs:34:19:34:19 | access to local variable x | access to local variable x |
| GlobalDataFlow.cs:233:15:233:24 | access to parameter sinkParam0 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:233:15:233:24 | access to parameter sinkParam0 | access to parameter sinkParam0 |
| GlobalDataFlow.cs:233:15:233:24 | access to parameter sinkParam0 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:233:15:233:24 | access to parameter sinkParam0 | access to parameter sinkParam0 |
| GlobalDataFlow.cs:238:15:238:24 | access to parameter sinkParam1 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:238:15:238:24 | access to parameter sinkParam1 | access to parameter sinkParam1 |
| GlobalDataFlow.cs:44:50:44:59 | access to parameter sinkParam2 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:44:50:44:59 | access to parameter sinkParam2 | access to parameter sinkParam2 |


@@ -0,0 +1,186 @@
| Capture.cs:33:9:33:40 | call to method Select | return | Capture.cs:33:9:33:40 | call to method Select |
| Capture.cs:33:9:33:40 | call to method Select | yield return | Capture.cs:33:9:33:40 | call to method Select |
| Capture.cs:33:9:33:50 | call to method ToArray | return | Capture.cs:33:9:33:50 | call to method ToArray |
| Capture.cs:33:30:33:39 | [implicit call] access to local variable captureIn3 | return | Capture.cs:33:30:33:39 | [output] access to local variable captureIn3 |
| Capture.cs:59:9:59:21 | call to local function CaptureOut1 | captured sink30 | Capture.cs:59:9:59:21 | SSA call def(sink30) |
| Capture.cs:71:9:71:21 | [transitive] call to local function CaptureOut2 | captured sink31 | Capture.cs:71:9:71:21 | SSA call def(sink31) |
| Capture.cs:71:9:71:21 | call to local function CaptureOut2 | captured sink31 | Capture.cs:71:9:71:21 | SSA call def(sink31) |
| Capture.cs:80:9:80:41 | call to method Select | captured sink32 | Capture.cs:80:9:80:41 | SSA call def(sink32) |
| Capture.cs:80:9:80:41 | call to method Select | return | Capture.cs:80:9:80:41 | call to method Select |
| Capture.cs:80:9:80:41 | call to method Select | yield return | Capture.cs:80:9:80:41 | call to method Select |
| Capture.cs:80:9:80:51 | call to method ToArray | return | Capture.cs:80:9:80:51 | call to method ToArray |
| Capture.cs:80:30:80:40 | [implicit call] access to local variable captureOut3 | captured sink32 | Capture.cs:80:9:80:41 | SSA call def(sink32) |
| Capture.cs:80:30:80:40 | [implicit call] access to local variable captureOut3 | return | Capture.cs:80:30:80:40 | [output] access to local variable captureOut3 |
| Capture.cs:108:9:108:25 | call to local function CaptureThrough1 | captured sink33 | Capture.cs:108:9:108:25 | SSA call def(sink33) |
| Capture.cs:120:9:120:25 | [transitive] call to local function CaptureThrough2 | captured sink34 | Capture.cs:120:9:120:25 | SSA call def(sink34) |
| Capture.cs:120:9:120:25 | call to local function CaptureThrough2 | captured sink34 | Capture.cs:120:9:120:25 | SSA call def(sink34) |
| Capture.cs:129:9:129:45 | call to method Select | captured sink35 | Capture.cs:129:9:129:45 | SSA call def(sink35) |
| Capture.cs:129:9:129:45 | call to method Select | return | Capture.cs:129:9:129:45 | call to method Select |
| Capture.cs:129:9:129:45 | call to method Select | yield return | Capture.cs:129:9:129:45 | call to method Select |
| Capture.cs:129:9:129:55 | call to method ToArray | return | Capture.cs:129:9:129:55 | call to method ToArray |
| Capture.cs:129:30:129:44 | [implicit call] access to local variable captureThrough3 | captured sink35 | Capture.cs:129:9:129:45 | SSA call def(sink35) |
| Capture.cs:129:30:129:44 | [implicit call] access to local variable captureThrough3 | return | Capture.cs:129:30:129:44 | [output] access to local variable captureThrough3 |
| Capture.cs:136:22:136:38 | call to local function CaptureThrough4 | return | Capture.cs:136:22:136:38 | call to local function CaptureThrough4 |
| Capture.cs:144:9:144:32 | call to local function CaptureThrough5 | captured sink37 | Capture.cs:144:9:144:32 | SSA call def(sink37) |
| Capture.cs:167:20:167:22 | call to local function M | return | Capture.cs:167:20:167:22 | call to local function M |
| Capture.cs:170:22:170:32 | call to local function Id | return | Capture.cs:170:22:170:32 | call to local function Id |
| Capture.cs:172:20:172:25 | call to local function Id | return | Capture.cs:172:20:172:25 | call to local function Id |
| GlobalDataFlow.cs:25:9:25:26 | access to property SinkProperty0 | return | GlobalDataFlow.cs:25:9:25:26 | access to property SinkProperty0 |
| GlobalDataFlow.cs:26:15:26:32 | access to property SinkProperty0 | return | GlobalDataFlow.cs:26:15:26:32 | access to property SinkProperty0 |
| GlobalDataFlow.cs:29:9:29:29 | access to property NonSinkProperty0 | return | GlobalDataFlow.cs:29:9:29:29 | access to property NonSinkProperty0 |
| GlobalDataFlow.cs:30:15:30:35 | access to property NonSinkProperty0 | return | GlobalDataFlow.cs:30:15:30:35 | access to property NonSinkProperty0 |
| GlobalDataFlow.cs:31:9:31:29 | access to property NonSinkProperty1 | return | GlobalDataFlow.cs:31:9:31:29 | access to property NonSinkProperty1 |
| GlobalDataFlow.cs:32:15:32:35 | access to property NonSinkProperty1 | return | GlobalDataFlow.cs:32:15:32:35 | access to property NonSinkProperty1 |
| GlobalDataFlow.cs:35:13:35:30 | access to property SinkProperty0 | return | GlobalDataFlow.cs:35:13:35:30 | access to property SinkProperty0 |
| GlobalDataFlow.cs:36:26:36:58 | call to method GetMethod | return | GlobalDataFlow.cs:36:26:36:58 | call to method GetMethod |
| GlobalDataFlow.cs:37:35:37:52 | access to property SinkProperty0 | return | GlobalDataFlow.cs:37:35:37:52 | access to property SinkProperty0 |
| GlobalDataFlow.cs:38:9:38:37 | call to method Invoke | return | GlobalDataFlow.cs:38:9:38:37 | call to method Invoke |
| GlobalDataFlow.cs:45:13:45:30 | access to property SinkProperty0 | return | GlobalDataFlow.cs:45:13:45:30 | access to property SinkProperty0 |
| GlobalDataFlow.cs:52:20:52:37 | access to property SinkProperty0 | return | GlobalDataFlow.cs:52:20:52:37 | access to property SinkProperty0 |
| GlobalDataFlow.cs:53:28:53:45 | access to property SinkProperty0 | return | GlobalDataFlow.cs:53:28:53:45 | access to property SinkProperty0 |
| GlobalDataFlow.cs:54:44:54:61 | access to property SinkProperty0 | return | GlobalDataFlow.cs:54:44:54:61 | access to property SinkProperty0 |
| GlobalDataFlow.cs:55:28:55:45 | access to property SinkProperty0 | return | GlobalDataFlow.cs:55:28:55:45 | access to property SinkProperty0 |
| GlobalDataFlow.cs:57:35:57:52 | access to property SinkProperty0 | return | GlobalDataFlow.cs:57:35:57:52 | access to property SinkProperty0 |
| GlobalDataFlow.cs:64:9:64:18 | access to property InProperty | return | GlobalDataFlow.cs:64:9:64:18 | access to property InProperty |
| GlobalDataFlow.cs:64:22:64:39 | access to property SinkProperty0 | return | GlobalDataFlow.cs:64:22:64:39 | access to property SinkProperty0 |
| GlobalDataFlow.cs:67:9:67:21 | access to property NonInProperty | return | GlobalDataFlow.cs:67:9:67:21 | access to property NonInProperty |
| GlobalDataFlow.cs:70:21:70:46 | call to method Return | return | GlobalDataFlow.cs:70:21:70:46 | call to method Return |
| GlobalDataFlow.cs:70:28:70:45 | access to property SinkProperty0 | return | GlobalDataFlow.cs:70:28:70:45 | access to property SinkProperty0 |
| GlobalDataFlow.cs:72:29:72:64 | call to method GetMethod | return | GlobalDataFlow.cs:72:29:72:64 | call to method GetMethod |
| GlobalDataFlow.cs:72:29:72:101 | call to method Invoke | return | GlobalDataFlow.cs:72:29:72:101 | call to method Invoke |
| GlobalDataFlow.cs:75:9:75:35 | call to method ReturnOut | out | GlobalDataFlow.cs:75:30:75:34 | SSA def(sink2) |
| GlobalDataFlow.cs:75:9:75:35 | call to method ReturnOut | ref | GlobalDataFlow.cs:75:30:75:34 | SSA def(sink2) |
| GlobalDataFlow.cs:78:9:78:35 | call to method ReturnRef | out | GlobalDataFlow.cs:78:30:78:34 | SSA def(sink3) |
| GlobalDataFlow.cs:78:9:78:35 | call to method ReturnRef | ref | GlobalDataFlow.cs:78:30:78:34 | SSA def(sink3) |
| GlobalDataFlow.cs:80:22:80:85 | call to method SelectEven | return | GlobalDataFlow.cs:80:22:80:85 | call to method SelectEven |
| GlobalDataFlow.cs:80:22:80:85 | call to method SelectEven | yield return | GlobalDataFlow.cs:80:22:80:85 | call to method SelectEven |
| GlobalDataFlow.cs:82:22:82:95 | call to method Select | return | GlobalDataFlow.cs:82:22:82:95 | call to method Select |
| GlobalDataFlow.cs:82:22:82:95 | call to method Select | yield return | GlobalDataFlow.cs:82:22:82:95 | call to method Select |
| GlobalDataFlow.cs:82:59:82:72 | call to method First | return | GlobalDataFlow.cs:82:59:82:72 | call to method First |
| GlobalDataFlow.cs:82:84:82:94 | [implicit call] delegate creation of type Func<String,String> | return | GlobalDataFlow.cs:82:84:82:94 | [output] delegate creation of type Func<String,String> |
| GlobalDataFlow.cs:84:22:84:136 | call to method Zip | return | GlobalDataFlow.cs:84:22:84:136 | call to method Zip |
| GlobalDataFlow.cs:84:22:84:136 | call to method Zip | yield return | GlobalDataFlow.cs:84:22:84:136 | call to method Zip |
| GlobalDataFlow.cs:84:59:84:72 | call to method First | return | GlobalDataFlow.cs:84:59:84:72 | call to method First |
| GlobalDataFlow.cs:84:125:84:135 | [implicit call] (...) => ... | return | GlobalDataFlow.cs:84:125:84:135 | [output] (...) => ... |
| GlobalDataFlow.cs:86:22:86:136 | call to method Zip | return | GlobalDataFlow.cs:86:22:86:136 | call to method Zip |
| GlobalDataFlow.cs:86:22:86:136 | call to method Zip | yield return | GlobalDataFlow.cs:86:22:86:136 | call to method Zip |
| GlobalDataFlow.cs:86:106:86:119 | call to method First | return | GlobalDataFlow.cs:86:106:86:119 | call to method First |
| GlobalDataFlow.cs:86:125:86:135 | [implicit call] (...) => ... | return | GlobalDataFlow.cs:86:125:86:135 | [output] (...) => ... |
| GlobalDataFlow.cs:88:22:88:70 | call to method Aggregate | return | GlobalDataFlow.cs:88:22:88:70 | call to method Aggregate |
| GlobalDataFlow.cs:88:43:88:61 | [implicit call] (...) => ... | return | GlobalDataFlow.cs:88:43:88:61 | [output] (...) => ... |
| GlobalDataFlow.cs:88:64:88:69 | [implicit call] (...) => ... | return | GlobalDataFlow.cs:88:64:88:69 | [output] (...) => ... |
| GlobalDataFlow.cs:90:22:90:118 | call to method Aggregate | return | GlobalDataFlow.cs:90:22:90:118 | call to method Aggregate |
| GlobalDataFlow.cs:90:75:90:88 | call to method First | return | GlobalDataFlow.cs:90:75:90:88 | call to method First |
| GlobalDataFlow.cs:90:91:90:109 | [implicit call] (...) => ... | return | GlobalDataFlow.cs:90:91:90:109 | [output] (...) => ... |
| GlobalDataFlow.cs:90:112:90:117 | [implicit call] (...) => ... | return | GlobalDataFlow.cs:90:112:90:117 | [output] (...) => ... |
| GlobalDataFlow.cs:93:9:93:42 | call to method TryParse | out | GlobalDataFlow.cs:93:36:93:41 | SSA def(sink21) |
| GlobalDataFlow.cs:93:9:93:42 | call to method TryParse | ref | GlobalDataFlow.cs:93:36:93:41 | SSA def(sink21) |
| GlobalDataFlow.cs:93:9:93:42 | call to method TryParse | return | GlobalDataFlow.cs:93:9:93:42 | call to method TryParse |
| GlobalDataFlow.cs:96:9:96:41 | call to method TryParse | out | GlobalDataFlow.cs:96:35:96:40 | SSA def(sink22) |
| GlobalDataFlow.cs:96:9:96:41 | call to method TryParse | ref | GlobalDataFlow.cs:96:35:96:40 | SSA def(sink22) |
| GlobalDataFlow.cs:96:9:96:41 | call to method TryParse | return | GlobalDataFlow.cs:96:9:96:41 | call to method TryParse |
| GlobalDataFlow.cs:100:24:100:33 | call to method Return | return | GlobalDataFlow.cs:100:24:100:33 | call to method Return |
| GlobalDataFlow.cs:102:28:102:63 | call to method GetMethod | return | GlobalDataFlow.cs:102:28:102:63 | call to method GetMethod |
| GlobalDataFlow.cs:102:28:102:103 | call to method Invoke | return | GlobalDataFlow.cs:102:28:102:103 | call to method Invoke |
| GlobalDataFlow.cs:104:9:104:35 | call to method ReturnOut | out | GlobalDataFlow.cs:104:27:104:34 | SSA def(nonSink0) |
| GlobalDataFlow.cs:104:9:104:35 | call to method ReturnOut | ref | GlobalDataFlow.cs:104:27:104:34 | SSA def(nonSink0) |
| GlobalDataFlow.cs:106:9:106:35 | call to method ReturnRef | out | GlobalDataFlow.cs:106:27:106:34 | SSA def(nonSink0) |
| GlobalDataFlow.cs:106:9:106:35 | call to method ReturnRef | ref | GlobalDataFlow.cs:106:27:106:34 | SSA def(nonSink0) |
| GlobalDataFlow.cs:108:24:108:90 | call to method SelectEven | return | GlobalDataFlow.cs:108:24:108:90 | call to method SelectEven |
| GlobalDataFlow.cs:108:24:108:90 | call to method SelectEven | yield return | GlobalDataFlow.cs:108:24:108:90 | call to method SelectEven |
| GlobalDataFlow.cs:110:20:110:82 | call to method Select | return | GlobalDataFlow.cs:110:20:110:82 | call to method Select |
| GlobalDataFlow.cs:110:20:110:82 | call to method Select | yield return | GlobalDataFlow.cs:110:20:110:82 | call to method Select |
| GlobalDataFlow.cs:110:76:110:81 | [implicit call] (...) => ... | return | GlobalDataFlow.cs:110:76:110:81 | [output] (...) => ... |
| GlobalDataFlow.cs:112:20:112:134 | call to method Zip | return | GlobalDataFlow.cs:112:20:112:134 | call to method Zip |
| GlobalDataFlow.cs:112:20:112:134 | call to method Zip | yield return | GlobalDataFlow.cs:112:20:112:134 | call to method Zip |
| GlobalDataFlow.cs:112:57:112:70 | call to method First | return | GlobalDataFlow.cs:112:57:112:70 | call to method First |
| GlobalDataFlow.cs:112:123:112:133 | [implicit call] (...) => ... | return | GlobalDataFlow.cs:112:123:112:133 | [output] (...) => ... |
| GlobalDataFlow.cs:114:20:114:134 | call to method Zip | return | GlobalDataFlow.cs:114:20:114:134 | call to method Zip |
| GlobalDataFlow.cs:114:20:114:134 | call to method Zip | yield return | GlobalDataFlow.cs:114:20:114:134 | call to method Zip |
| GlobalDataFlow.cs:114:104:114:117 | call to method First | return | GlobalDataFlow.cs:114:104:114:117 | call to method First |
| GlobalDataFlow.cs:114:123:114:133 | [implicit call] (...) => ... | return | GlobalDataFlow.cs:114:123:114:133 | [output] (...) => ... |
| GlobalDataFlow.cs:116:20:116:64 | call to method Aggregate | return | GlobalDataFlow.cs:116:20:116:64 | call to method Aggregate |
| GlobalDataFlow.cs:116:41:116:55 | [implicit call] (...) => ... | return | GlobalDataFlow.cs:116:41:116:55 | [output] (...) => ... |
| GlobalDataFlow.cs:116:58:116:63 | [implicit call] (...) => ... | return | GlobalDataFlow.cs:116:58:116:63 | [output] (...) => ... |
| GlobalDataFlow.cs:118:20:118:69 | call to method Aggregate | return | GlobalDataFlow.cs:118:20:118:69 | call to method Aggregate |
| GlobalDataFlow.cs:118:41:118:59 | [implicit call] (...) => ... | return | GlobalDataFlow.cs:118:41:118:59 | [output] (...) => ... |
| GlobalDataFlow.cs:118:62:118:68 | [implicit call] (...) => ... | return | GlobalDataFlow.cs:118:62:118:68 | [output] (...) => ... |
| GlobalDataFlow.cs:120:20:120:67 | call to method Aggregate | return | GlobalDataFlow.cs:120:20:120:67 | call to method Aggregate |
| GlobalDataFlow.cs:120:46:120:58 | [implicit call] (...) => ... | return | GlobalDataFlow.cs:120:46:120:58 | [output] (...) => ... |
| GlobalDataFlow.cs:120:61:120:66 | [implicit call] (...) => ... | return | GlobalDataFlow.cs:120:61:120:66 | [output] (...) => ... |
| GlobalDataFlow.cs:123:9:123:46 | call to method TryParse | out | GlobalDataFlow.cs:123:38:123:45 | SSA def(nonSink2) |
| GlobalDataFlow.cs:123:9:123:46 | call to method TryParse | ref | GlobalDataFlow.cs:123:38:123:45 | SSA def(nonSink2) |
| GlobalDataFlow.cs:123:9:123:46 | call to method TryParse | return | GlobalDataFlow.cs:123:9:123:46 | call to method TryParse |
| GlobalDataFlow.cs:126:9:126:45 | call to method TryParse | out | GlobalDataFlow.cs:126:37:126:44 | SSA def(nonSink3) |
| GlobalDataFlow.cs:126:9:126:45 | call to method TryParse | ref | GlobalDataFlow.cs:126:37:126:44 | SSA def(nonSink3) |
| GlobalDataFlow.cs:126:9:126:45 | call to method TryParse | return | GlobalDataFlow.cs:126:9:126:45 | call to method TryParse |
| GlobalDataFlow.cs:130:45:130:64 | call to method ApplyFunc | return | GlobalDataFlow.cs:130:45:130:64 | call to method ApplyFunc |
| GlobalDataFlow.cs:131:21:131:34 | delegate call | return | GlobalDataFlow.cs:131:21:131:34 | delegate call |
| GlobalDataFlow.cs:135:20:135:36 | delegate call | return | GlobalDataFlow.cs:135:20:135:36 | delegate call |
| GlobalDataFlow.cs:139:21:139:44 | call to method ApplyFunc | return | GlobalDataFlow.cs:139:21:139:44 | call to method ApplyFunc |
| GlobalDataFlow.cs:143:20:143:40 | call to method ApplyFunc | return | GlobalDataFlow.cs:143:20:143:40 | call to method ApplyFunc |
| GlobalDataFlow.cs:145:20:145:44 | call to method ApplyFunc | return | GlobalDataFlow.cs:145:20:145:44 | call to method ApplyFunc |
| GlobalDataFlow.cs:149:21:149:25 | call to method Out | return | GlobalDataFlow.cs:149:21:149:25 | call to method Out |
| GlobalDataFlow.cs:152:9:152:25 | call to method OutOut | out | GlobalDataFlow.cs:152:20:152:24 | SSA def(sink7) |
| GlobalDataFlow.cs:152:9:152:25 | call to method OutOut | ref | GlobalDataFlow.cs:152:20:152:24 | SSA def(sink7) |
| GlobalDataFlow.cs:155:9:155:25 | call to method OutRef | out | GlobalDataFlow.cs:155:20:155:24 | SSA def(sink8) |
| GlobalDataFlow.cs:155:9:155:25 | call to method OutRef | ref | GlobalDataFlow.cs:155:20:155:24 | SSA def(sink8) |
| GlobalDataFlow.cs:157:22:157:31 | call to method OutYield | return | GlobalDataFlow.cs:157:22:157:31 | call to method OutYield |
| GlobalDataFlow.cs:157:22:157:31 | call to method OutYield | yield return | GlobalDataFlow.cs:157:22:157:31 | call to method OutYield |
| GlobalDataFlow.cs:159:22:159:43 | call to method TaintedParam | return | GlobalDataFlow.cs:159:22:159:43 | call to method TaintedParam |
| GlobalDataFlow.cs:163:20:163:27 | call to method NonOut | return | GlobalDataFlow.cs:163:20:163:27 | call to method NonOut |
| GlobalDataFlow.cs:165:9:165:31 | call to method NonOutOut | out | GlobalDataFlow.cs:165:23:165:30 | SSA def(nonSink0) |
| GlobalDataFlow.cs:165:9:165:31 | call to method NonOutOut | ref | GlobalDataFlow.cs:165:23:165:30 | SSA def(nonSink0) |
| GlobalDataFlow.cs:167:9:167:31 | call to method NonOutRef | out | GlobalDataFlow.cs:167:23:167:30 | SSA def(nonSink0) |
| GlobalDataFlow.cs:167:9:167:31 | call to method NonOutRef | ref | GlobalDataFlow.cs:167:23:167:30 | SSA def(nonSink0) |
| GlobalDataFlow.cs:169:20:169:32 | call to method NonOutYield | return | GlobalDataFlow.cs:169:20:169:32 | call to method NonOutYield |
| GlobalDataFlow.cs:169:20:169:32 | call to method NonOutYield | yield return | GlobalDataFlow.cs:169:20:169:32 | call to method NonOutYield |
| GlobalDataFlow.cs:169:20:169:40 | call to method First | return | GlobalDataFlow.cs:169:20:169:40 | call to method First |
| GlobalDataFlow.cs:171:20:171:44 | call to method NonTaintedParam | return | GlobalDataFlow.cs:171:20:171:44 | call to method NonTaintedParam |
| GlobalDataFlow.cs:176:21:176:26 | delegate call | return | GlobalDataFlow.cs:176:21:176:26 | delegate call |
| GlobalDataFlow.cs:181:20:181:27 | delegate call | return | GlobalDataFlow.cs:181:20:181:27 | delegate call |
| GlobalDataFlow.cs:185:22:185:42 | object creation of type Lazy<String> | return | GlobalDataFlow.cs:185:22:185:42 | object creation of type Lazy<String> |
| GlobalDataFlow.cs:185:22:185:48 | access to property Value | return | GlobalDataFlow.cs:185:22:185:48 | access to property Value |
| GlobalDataFlow.cs:185:39:185:41 | [implicit call] delegate creation of type Func<String> | return | GlobalDataFlow.cs:185:39:185:41 | [output] delegate creation of type Func<String> |
| GlobalDataFlow.cs:189:20:189:43 | object creation of type Lazy<String> | return | GlobalDataFlow.cs:189:20:189:43 | object creation of type Lazy<String> |
| GlobalDataFlow.cs:189:20:189:49 | access to property Value | return | GlobalDataFlow.cs:189:20:189:49 | access to property Value |
| GlobalDataFlow.cs:189:37:189:42 | [implicit call] delegate creation of type Func<String> | return | GlobalDataFlow.cs:189:37:189:42 | [output] delegate creation of type Func<String> |
| GlobalDataFlow.cs:193:22:193:32 | access to property OutProperty | return | GlobalDataFlow.cs:193:22:193:32 | access to property OutProperty |
| GlobalDataFlow.cs:197:20:197:33 | access to property NonOutProperty | return | GlobalDataFlow.cs:197:20:197:33 | access to property NonOutProperty |
| GlobalDataFlow.cs:205:76:205:90 | call to method ReturnCheck2 | return | GlobalDataFlow.cs:205:76:205:90 | call to method ReturnCheck2 |
| GlobalDataFlow.cs:206:22:206:39 | call to method Select | return | GlobalDataFlow.cs:206:22:206:39 | call to method Select |
| GlobalDataFlow.cs:206:22:206:39 | call to method Select | yield return | GlobalDataFlow.cs:206:22:206:39 | call to method Select |
| GlobalDataFlow.cs:206:37:206:38 | [implicit call] access to local variable f1 | return | GlobalDataFlow.cs:206:37:206:38 | [output] access to local variable f1 |
| GlobalDataFlow.cs:208:22:208:39 | call to method Select | return | GlobalDataFlow.cs:208:22:208:39 | call to method Select |
| GlobalDataFlow.cs:208:37:208:38 | [implicit call] access to local variable f2 | return | GlobalDataFlow.cs:208:37:208:38 | [output] access to local variable f2 |
| GlobalDataFlow.cs:210:22:210:49 | call to method Select | return | GlobalDataFlow.cs:210:22:210:49 | call to method Select |
| GlobalDataFlow.cs:210:22:210:49 | call to method Select | yield return | GlobalDataFlow.cs:210:22:210:49 | call to method Select |
| GlobalDataFlow.cs:210:37:210:48 | [implicit call] delegate creation of type Func<String,String> | return | GlobalDataFlow.cs:210:37:210:48 | [output] delegate creation of type Func<String,String> |
| GlobalDataFlow.cs:215:76:215:92 | call to method NonReturnCheck | return | GlobalDataFlow.cs:215:76:215:92 | call to method NonReturnCheck |
| GlobalDataFlow.cs:216:23:216:43 | call to method Select | return | GlobalDataFlow.cs:216:23:216:43 | call to method Select |
| GlobalDataFlow.cs:216:23:216:43 | call to method Select | yield return | GlobalDataFlow.cs:216:23:216:43 | call to method Select |
| GlobalDataFlow.cs:216:41:216:42 | [implicit call] access to local variable f1 | return | GlobalDataFlow.cs:216:41:216:42 | [output] access to local variable f1 |
| GlobalDataFlow.cs:218:19:218:39 | call to method Select | return | GlobalDataFlow.cs:218:19:218:39 | call to method Select |
| GlobalDataFlow.cs:218:37:218:38 | [implicit call] access to local variable f2 | return | GlobalDataFlow.cs:218:37:218:38 | [output] access to local variable f2 |
| GlobalDataFlow.cs:220:19:220:39 | call to method Select | return | GlobalDataFlow.cs:220:19:220:39 | call to method Select |
| GlobalDataFlow.cs:220:19:220:39 | call to method Select | yield return | GlobalDataFlow.cs:220:19:220:39 | call to method Select |
| GlobalDataFlow.cs:220:37:220:38 | [implicit call] access to local variable f3 | return | GlobalDataFlow.cs:220:37:220:38 | [output] access to local variable f3 |
| GlobalDataFlow.cs:222:19:222:39 | call to method Select | return | GlobalDataFlow.cs:222:19:222:39 | call to method Select |
| GlobalDataFlow.cs:222:37:222:38 | [implicit call] access to local variable f4 | return | GlobalDataFlow.cs:222:37:222:38 | [output] access to local variable f4 |
| GlobalDataFlow.cs:224:19:224:49 | call to method Select | return | GlobalDataFlow.cs:224:19:224:49 | call to method Select |
| GlobalDataFlow.cs:224:19:224:49 | call to method Select | yield return | GlobalDataFlow.cs:224:19:224:49 | call to method Select |
| GlobalDataFlow.cs:224:37:224:48 | [implicit call] delegate creation of type Func<String,String> | return | GlobalDataFlow.cs:224:37:224:48 | [output] delegate creation of type Func<String,String> |
| GlobalDataFlow.cs:273:17:273:38 | call to method ApplyFunc | return | GlobalDataFlow.cs:273:17:273:38 | call to method ApplyFunc |
| GlobalDataFlow.cs:361:16:361:19 | delegate call | return | GlobalDataFlow.cs:361:16:361:19 | delegate call |
| GlobalDataFlow.cs:426:44:426:47 | delegate call | return | GlobalDataFlow.cs:426:44:426:47 | delegate call |
| Splitting.cs:8:17:8:31 | [b (line 3): false] call to method Return | return | Splitting.cs:8:17:8:31 | [b (line 3): false] call to method Return |
| Splitting.cs:8:17:8:31 | [b (line 3): true] call to method Return | return | Splitting.cs:8:17:8:31 | [b (line 3): true] call to method Return |
| Splitting.cs:20:22:20:30 | call to method Return | return | Splitting.cs:20:22:20:30 | call to method Return |
| Splitting.cs:21:21:21:33 | call to method Return | return | Splitting.cs:21:21:21:33 | call to method Return |
| Splitting.cs:30:9:30:13 | [b (line 24): false] dynamic access to element | return | Splitting.cs:30:9:30:13 | [b (line 24): false] dynamic access to element |
| Splitting.cs:30:9:30:13 | [b (line 24): true] dynamic access to element | return | Splitting.cs:30:9:30:13 | [b (line 24): true] dynamic access to element |
| Splitting.cs:31:17:31:26 | [b (line 24): false] dynamic access to element | return | Splitting.cs:31:17:31:26 | [b (line 24): false] dynamic access to element |
| Splitting.cs:31:17:31:26 | [b (line 24): true] dynamic access to element | return | Splitting.cs:31:17:31:26 | [b (line 24): true] dynamic access to element |
| Splitting.cs:32:9:32:16 | [b (line 24): false] dynamic call to method Check | return | Splitting.cs:32:9:32:16 | [b (line 24): false] dynamic call to method Check |
| Splitting.cs:32:9:32:16 | [b (line 24): true] dynamic call to method Check | return | Splitting.cs:32:9:32:16 | [b (line 24): true] dynamic call to method Check |
| Splitting.cs:34:13:34:20 | dynamic call to method Check | return | Splitting.cs:34:13:34:20 | dynamic call to method Check |


@@ -0,0 +1,5 @@
import csharp
import semmle.code.csharp.dataflow.internal.DataFlowDispatch
from DataFlowCall call, ReturnKind kind
select call, kind, getAnOutNode(call, kind)
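Review bot: The new test query has no header comment stating what it pins down, and it imports `semmle.code.csharp.dataflow.internal.DataFlowDispatch`, so a later reader cannot tell which contract the 186 expected rows protect. I would add `// Lists each call with every ReturnKind and the node receiving that output; a row disappearing means flow out of that call is lost.` above the `from` clause. In the accompanying expected output, every `out` row appears to be matched by a `ref` row on the same SSA definition (for example `call to method ReturnOut` and `call to method TryParse`), which suggests `getAnOutNode` does not distinguish the two kinds. If that is intended, the comment should say so, because taint-tracking queries built on these nodes would carry the same over-approximation.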


@@ -37,6 +37,7 @@ edges
| Capture.cs:170:25:170:31 | access to parameter tainted | Capture.cs:170:22:170:32 | call to local function Id |
| GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:18:15:18:29 | access to field SinkField0 |
| GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:26:15:26:32 | access to property SinkProperty0 |
| GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:26:15:26:32 | access to property SinkProperty0 |
| GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:35:13:35:30 | access to property SinkProperty0 |
| GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:37:35:37:52 | access to property SinkProperty0 |
| GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:45:13:45:30 | access to property SinkProperty0 |
@@ -119,8 +120,9 @@ edges
| GlobalDataFlow.cs:70:21:70:46 | call to method Return | GlobalDataFlow.cs:71:15:71:19 | access to local variable sink0 |
| GlobalDataFlow.cs:70:21:70:46 | call to method Return | GlobalDataFlow.cs:72:94:72:98 | access to local variable sink0 |
| GlobalDataFlow.cs:70:28:70:45 | access to property SinkProperty0 | GlobalDataFlow.cs:70:21:70:46 | call to method Return |
| GlobalDataFlow.cs:72:29:72:101 | call to method Invoke | GlobalDataFlow.cs:73:15:73:19 | access to local variable sink1 |
| GlobalDataFlow.cs:72:29:72:101 | call to method Invoke | GlobalDataFlow.cs:75:19:75:23 | access to local variable sink1 |
| GlobalDataFlow.cs:72:21:72:101 | (...) ... | GlobalDataFlow.cs:73:15:73:19 | access to local variable sink1 |
| GlobalDataFlow.cs:72:21:72:101 | (...) ... | GlobalDataFlow.cs:75:19:75:23 | access to local variable sink1 |
| GlobalDataFlow.cs:72:29:72:101 | call to method Invoke | GlobalDataFlow.cs:72:21:72:101 | (...) ... |
| GlobalDataFlow.cs:72:94:72:98 | access to local variable sink0 | GlobalDataFlow.cs:72:29:72:101 | call to method Invoke |
| GlobalDataFlow.cs:75:19:75:23 | access to local variable sink1 | GlobalDataFlow.cs:75:30:75:34 | SSA def(sink2) |
| GlobalDataFlow.cs:75:30:75:34 | SSA def(sink2) | GlobalDataFlow.cs:76:15:76:19 | access to local variable sink2 |
@@ -132,25 +134,25 @@ edges
| GlobalDataFlow.cs:80:22:80:85 | call to method SelectEven | GlobalDataFlow.cs:81:15:81:20 | access to local variable sink13 |
| GlobalDataFlow.cs:80:22:80:85 | call to method SelectEven | GlobalDataFlow.cs:82:23:82:74 | (...) ... |
| GlobalDataFlow.cs:80:23:80:65 | (...) ... | GlobalDataFlow.cs:80:22:80:85 | call to method SelectEven |
| GlobalDataFlow.cs:82:23:82:74 | (...) ... | GlobalDataFlow.cs:82:84:82:94 | [implicit call] delegate creation of type Func<String,String> |
| GlobalDataFlow.cs:82:23:82:74 | (...) ... | GlobalDataFlow.cs:82:84:82:94 | [output] delegate creation of type Func<String,String> |
| GlobalDataFlow.cs:82:23:82:74 | (...) ... | GlobalDataFlow.cs:287:31:287:40 | sinkParam8 |
| GlobalDataFlow.cs:82:84:82:94 | [implicit call] delegate creation of type Func<String,String> | GlobalDataFlow.cs:83:15:83:20 | access to local variable sink14 |
| GlobalDataFlow.cs:82:84:82:94 | [implicit call] delegate creation of type Func<String,String> | GlobalDataFlow.cs:84:23:84:74 | (...) ... |
| GlobalDataFlow.cs:82:84:82:94 | [implicit call] delegate creation of type Func<String,String> | GlobalDataFlow.cs:88:22:88:27 | access to local variable sink14 |
| GlobalDataFlow.cs:82:84:82:94 | [implicit call] delegate creation of type Func<String,String> | GlobalDataFlow.cs:90:75:90:88 | call to method First |
| GlobalDataFlow.cs:84:23:84:74 | (...) ... | GlobalDataFlow.cs:84:125:84:135 | [implicit call] (...) => ... |
| GlobalDataFlow.cs:84:125:84:135 | [implicit call] (...) => ... | GlobalDataFlow.cs:85:15:85:20 | access to local variable sink15 |
| GlobalDataFlow.cs:84:125:84:135 | [implicit call] (...) => ... | GlobalDataFlow.cs:86:70:86:121 | (...) ... |
| GlobalDataFlow.cs:86:70:86:121 | (...) ... | GlobalDataFlow.cs:86:125:86:135 | [implicit call] (...) => ... |
| GlobalDataFlow.cs:86:125:86:135 | [implicit call] (...) => ... | GlobalDataFlow.cs:87:15:87:20 | access to local variable sink16 |
| GlobalDataFlow.cs:88:22:88:27 | access to local variable sink14 | GlobalDataFlow.cs:88:43:88:61 | [implicit call] (...) => ... |
| GlobalDataFlow.cs:88:43:88:61 | [implicit call] (...) => ... | GlobalDataFlow.cs:88:64:88:69 | [implicit call] (...) => ... |
| GlobalDataFlow.cs:88:64:88:69 | [implicit call] (...) => ... | GlobalDataFlow.cs:89:15:89:20 | access to local variable sink17 |
| GlobalDataFlow.cs:90:75:90:88 | call to method First | GlobalDataFlow.cs:90:91:90:109 | [implicit call] (...) => ... |
| GlobalDataFlow.cs:90:91:90:109 | [implicit call] (...) => ... | GlobalDataFlow.cs:90:112:90:117 | [implicit call] (...) => ... |
| GlobalDataFlow.cs:90:112:90:117 | [implicit call] (...) => ... | GlobalDataFlow.cs:91:15:91:20 | access to local variable sink18 |
| GlobalDataFlow.cs:90:112:90:117 | [implicit call] (...) => ... | GlobalDataFlow.cs:94:15:94:20 | access to local variable sink21 |
| GlobalDataFlow.cs:90:112:90:117 | [implicit call] (...) => ... | GlobalDataFlow.cs:97:15:97:20 | access to local variable sink22 |
| GlobalDataFlow.cs:82:84:82:94 | [output] delegate creation of type Func<String,String> | GlobalDataFlow.cs:83:15:83:20 | access to local variable sink14 |
| GlobalDataFlow.cs:82:84:82:94 | [output] delegate creation of type Func<String,String> | GlobalDataFlow.cs:84:23:84:74 | (...) ... |
| GlobalDataFlow.cs:82:84:82:94 | [output] delegate creation of type Func<String,String> | GlobalDataFlow.cs:88:22:88:27 | access to local variable sink14 |
| GlobalDataFlow.cs:82:84:82:94 | [output] delegate creation of type Func<String,String> | GlobalDataFlow.cs:90:75:90:88 | call to method First |
| GlobalDataFlow.cs:84:23:84:74 | (...) ... | GlobalDataFlow.cs:84:125:84:135 | [output] (...) => ... |
| GlobalDataFlow.cs:84:125:84:135 | [output] (...) => ... | GlobalDataFlow.cs:85:15:85:20 | access to local variable sink15 |
| GlobalDataFlow.cs:84:125:84:135 | [output] (...) => ... | GlobalDataFlow.cs:86:70:86:121 | (...) ... |
| GlobalDataFlow.cs:86:70:86:121 | (...) ... | GlobalDataFlow.cs:86:125:86:135 | [output] (...) => ... |
| GlobalDataFlow.cs:86:125:86:135 | [output] (...) => ... | GlobalDataFlow.cs:87:15:87:20 | access to local variable sink16 |
| GlobalDataFlow.cs:88:22:88:27 | access to local variable sink14 | GlobalDataFlow.cs:88:43:88:61 | [output] (...) => ... |
| GlobalDataFlow.cs:88:43:88:61 | [output] (...) => ... | GlobalDataFlow.cs:88:64:88:69 | [output] (...) => ... |
| GlobalDataFlow.cs:88:64:88:69 | [output] (...) => ... | GlobalDataFlow.cs:89:15:89:20 | access to local variable sink17 |
| GlobalDataFlow.cs:90:75:90:88 | call to method First | GlobalDataFlow.cs:90:91:90:109 | [output] (...) => ... |
| GlobalDataFlow.cs:90:91:90:109 | [output] (...) => ... | GlobalDataFlow.cs:90:112:90:117 | [output] (...) => ... |
| GlobalDataFlow.cs:90:112:90:117 | [output] (...) => ... | GlobalDataFlow.cs:91:15:91:20 | access to local variable sink18 |
| GlobalDataFlow.cs:90:112:90:117 | [output] (...) => ... | GlobalDataFlow.cs:94:15:94:20 | access to local variable sink21 |
| GlobalDataFlow.cs:90:112:90:117 | [output] (...) => ... | GlobalDataFlow.cs:97:15:97:20 | access to local variable sink22 |
| GlobalDataFlow.cs:131:21:131:34 | delegate call | GlobalDataFlow.cs:132:15:132:19 | access to local variable sink4 |
| GlobalDataFlow.cs:131:21:131:34 | delegate call | GlobalDataFlow.cs:139:39:139:43 | access to local variable sink4 |
| GlobalDataFlow.cs:131:29:131:33 | access to local variable sink3 | GlobalDataFlow.cs:131:21:131:34 | delegate call |
@@ -161,10 +163,9 @@ edges
| GlobalDataFlow.cs:155:20:155:24 | SSA def(sink8) | GlobalDataFlow.cs:156:15:156:19 | access to local variable sink8 |
| GlobalDataFlow.cs:157:22:157:31 | call to method OutYield | GlobalDataFlow.cs:158:15:158:20 | access to local variable sink12 |
| GlobalDataFlow.cs:159:22:159:43 | call to method TaintedParam | GlobalDataFlow.cs:160:15:160:20 | access to local variable sink23 |
| GlobalDataFlow.cs:175:29:175:48 | return (...) => ... | GlobalDataFlow.cs:176:21:176:26 | delegate call |
| GlobalDataFlow.cs:175:35:175:48 | "taint source" | GlobalDataFlow.cs:175:29:175:48 | return (...) => ... |
| GlobalDataFlow.cs:175:35:175:48 | "taint source" | GlobalDataFlow.cs:176:21:176:26 | delegate call |
| GlobalDataFlow.cs:176:21:176:26 | delegate call | GlobalDataFlow.cs:177:15:177:19 | access to local variable sink9 |
| GlobalDataFlow.cs:185:39:185:41 | [implicit call] delegate creation of type Func<String> | GlobalDataFlow.cs:186:15:186:20 | access to local variable sink10 |
| GlobalDataFlow.cs:185:39:185:41 | [output] delegate creation of type Func<String> | GlobalDataFlow.cs:186:15:186:20 | access to local variable sink10 |
| GlobalDataFlow.cs:193:22:193:32 | access to property OutProperty | GlobalDataFlow.cs:194:15:194:20 | access to local variable sink19 |
| GlobalDataFlow.cs:201:39:201:45 | tainted | GlobalDataFlow.cs:206:22:206:28 | access to parameter tainted |
| GlobalDataFlow.cs:201:39:201:45 | tainted | GlobalDataFlow.cs:208:22:208:28 | access to parameter tainted |
@@ -173,19 +174,16 @@ edges
| GlobalDataFlow.cs:205:71:205:71 | x | GlobalDataFlow.cs:205:89:205:89 | access to parameter x |
| GlobalDataFlow.cs:205:89:205:89 | access to parameter x | GlobalDataFlow.cs:293:32:293:41 | sinkParam9 |
| GlobalDataFlow.cs:206:22:206:28 | access to parameter tainted | GlobalDataFlow.cs:204:35:204:45 | sinkParam10 |
| GlobalDataFlow.cs:206:22:206:28 | access to parameter tainted | GlobalDataFlow.cs:206:37:206:38 | [implicit call] access to local variable f1 |
| GlobalDataFlow.cs:206:37:206:38 | [implicit call] access to local variable f1 | GlobalDataFlow.cs:207:15:207:20 | access to local variable sink24 |
| GlobalDataFlow.cs:206:22:206:28 | access to parameter tainted | GlobalDataFlow.cs:206:37:206:38 | [output] access to local variable f1 |
| GlobalDataFlow.cs:206:37:206:38 | [output] access to local variable f1 | GlobalDataFlow.cs:207:15:207:20 | access to local variable sink24 |
| GlobalDataFlow.cs:208:22:208:28 | access to parameter tainted | GlobalDataFlow.cs:205:71:205:71 | x |
| GlobalDataFlow.cs:208:22:208:28 | access to parameter tainted | GlobalDataFlow.cs:208:37:208:38 | [implicit call] access to local variable f2 |
| GlobalDataFlow.cs:208:37:208:38 | [implicit call] access to local variable f2 | GlobalDataFlow.cs:209:15:209:20 | access to local variable sink25 |
| GlobalDataFlow.cs:210:22:210:28 | access to parameter tainted | GlobalDataFlow.cs:210:37:210:48 | [implicit call] delegate creation of type Func<String,String> |
| GlobalDataFlow.cs:208:22:208:28 | access to parameter tainted | GlobalDataFlow.cs:208:37:208:38 | [output] access to local variable f2 |
| GlobalDataFlow.cs:208:37:208:38 | [output] access to local variable f2 | GlobalDataFlow.cs:209:15:209:20 | access to local variable sink25 |
| GlobalDataFlow.cs:210:22:210:28 | access to parameter tainted | GlobalDataFlow.cs:210:37:210:48 | [output] delegate creation of type Func<String,String> |
| GlobalDataFlow.cs:210:22:210:28 | access to parameter tainted | GlobalDataFlow.cs:299:32:299:42 | sinkParam11 |
| GlobalDataFlow.cs:210:37:210:48 | [implicit call] delegate creation of type Func<String,String> | GlobalDataFlow.cs:211:15:211:20 | access to local variable sink26 |
| GlobalDataFlow.cs:230:26:230:35 | sinkParam0 | GlobalDataFlow.cs:232:16:232:25 | access to parameter sinkParam0 |
| GlobalDataFlow.cs:210:37:210:48 | [output] delegate creation of type Func<String,String> | GlobalDataFlow.cs:211:15:211:20 | access to local variable sink26 |
| GlobalDataFlow.cs:230:26:230:35 | sinkParam0 | GlobalDataFlow.cs:232:16:232:25 | access to parameter sinkParam0 |
| GlobalDataFlow.cs:230:26:230:35 | sinkParam0 | GlobalDataFlow.cs:233:15:233:24 | access to parameter sinkParam0 |
| GlobalDataFlow.cs:230:26:230:35 | sinkParam0 | GlobalDataFlow.cs:233:15:233:24 | access to parameter sinkParam0 |
| GlobalDataFlow.cs:232:16:232:25 | access to parameter sinkParam0 | GlobalDataFlow.cs:230:26:230:35 | sinkParam0 |
| GlobalDataFlow.cs:232:16:232:25 | access to parameter sinkParam0 | GlobalDataFlow.cs:230:26:230:35 | sinkParam0 |
| GlobalDataFlow.cs:236:26:236:35 | sinkParam1 | GlobalDataFlow.cs:238:15:238:24 | access to parameter sinkParam1 |
| GlobalDataFlow.cs:241:26:241:35 | sinkParam3 | GlobalDataFlow.cs:243:15:243:24 | access to parameter sinkParam3 |
@@ -196,15 +194,14 @@ edges
| GlobalDataFlow.cs:287:31:287:40 | sinkParam8 | GlobalDataFlow.cs:289:15:289:24 | access to parameter sinkParam8 |
| GlobalDataFlow.cs:293:32:293:41 | sinkParam9 | GlobalDataFlow.cs:295:15:295:24 | access to parameter sinkParam9 |
| GlobalDataFlow.cs:299:32:299:42 | sinkParam11 | GlobalDataFlow.cs:301:15:301:25 | access to parameter sinkParam11 |
| GlobalDataFlow.cs:311:12:311:14 | return Out | GlobalDataFlow.cs:149:21:149:25 | call to method Out |
| GlobalDataFlow.cs:311:12:311:14 | return Out | GlobalDataFlow.cs:185:39:185:41 | [implicit call] delegate creation of type Func<String> |
| GlobalDataFlow.cs:313:16:313:29 | "taint source" | GlobalDataFlow.cs:311:12:311:14 | return Out |
| GlobalDataFlow.cs:316:28:316:28 | return (out/ref) OutOut | GlobalDataFlow.cs:152:20:152:24 | SSA def(sink7) |
| GlobalDataFlow.cs:318:13:318:26 | "taint source" | GlobalDataFlow.cs:316:28:316:28 | return (out/ref) OutOut |
| GlobalDataFlow.cs:321:28:321:28 | return (out/ref) OutRef | GlobalDataFlow.cs:155:20:155:24 | SSA def(sink8) |
| GlobalDataFlow.cs:323:13:323:26 | "taint source" | GlobalDataFlow.cs:321:28:321:28 | return (out/ref) OutRef |
| GlobalDataFlow.cs:326:25:326:32 | yield return OutYield | GlobalDataFlow.cs:157:22:157:31 | call to method OutYield |
| GlobalDataFlow.cs:329:22:329:35 | "taint source" | GlobalDataFlow.cs:326:25:326:32 | yield return OutYield |
| GlobalDataFlow.cs:313:16:313:29 | "taint source" | GlobalDataFlow.cs:149:21:149:25 | call to method Out |
| GlobalDataFlow.cs:313:16:313:29 | "taint source" | GlobalDataFlow.cs:185:39:185:41 | [output] delegate creation of type Func<String> |
| GlobalDataFlow.cs:318:9:318:26 | SSA def(x) | GlobalDataFlow.cs:152:20:152:24 | SSA def(sink7) |
| GlobalDataFlow.cs:318:13:318:26 | "taint source" | GlobalDataFlow.cs:318:9:318:26 | SSA def(x) |
| GlobalDataFlow.cs:323:9:323:26 | SSA def(x) | GlobalDataFlow.cs:155:20:155:24 | SSA def(sink8) |
| GlobalDataFlow.cs:323:13:323:26 | "taint source" | GlobalDataFlow.cs:323:9:323:26 | SSA def(x) |
| GlobalDataFlow.cs:329:22:329:35 | "taint source" | GlobalDataFlow.cs:157:22:157:31 | call to method OutYield |
| GlobalDataFlow.cs:329:22:329:35 | "taint source" | GlobalDataFlow.cs:329:22:329:35 | "taint source" |
| GlobalDataFlow.cs:354:41:354:41 | x | GlobalDataFlow.cs:356:11:356:11 | access to parameter x |
| GlobalDataFlow.cs:354:41:354:41 | x | GlobalDataFlow.cs:356:11:356:11 | access to parameter x |
| GlobalDataFlow.cs:356:11:356:11 | access to parameter x | GlobalDataFlow.cs:53:15:53:15 | x |
@@ -215,23 +212,17 @@ edges
| GlobalDataFlow.cs:370:11:370:11 | access to parameter x | GlobalDataFlow.cs:56:37:56:37 | x |
| GlobalDataFlow.cs:370:11:370:11 | access to parameter x | GlobalDataFlow.cs:251:26:251:35 | sinkParam5 |
| GlobalDataFlow.cs:370:11:370:11 | access to parameter x | GlobalDataFlow.cs:256:26:256:35 | sinkParam6 |
| GlobalDataFlow.cs:373:19:373:30 | return TaintedParam | GlobalDataFlow.cs:159:22:159:43 | call to method TaintedParam |
| GlobalDataFlow.cs:373:39:373:45 | tainted | GlobalDataFlow.cs:373:19:373:30 | return TaintedParam |
| GlobalDataFlow.cs:373:39:373:45 | tainted | GlobalDataFlow.cs:376:15:376:20 | access to local variable sink11 |
| GlobalDataFlow.cs:373:39:373:45 | tainted | GlobalDataFlow.cs:377:16:377:21 | access to local variable sink11 |
| GlobalDataFlow.cs:377:16:377:21 | access to local variable sink11 | GlobalDataFlow.cs:159:22:159:43 | call to method TaintedParam |
| GlobalDataFlow.cs:399:9:399:11 | value | GlobalDataFlow.cs:399:41:399:46 | access to local variable sink20 |
| GlobalDataFlow.cs:410:9:410:11 | return get_OutProperty | GlobalDataFlow.cs:193:22:193:32 | access to property OutProperty |
| GlobalDataFlow.cs:410:22:410:35 | "taint source" | GlobalDataFlow.cs:410:9:410:11 | return get_OutProperty |
| GlobalDataFlow.cs:410:22:410:35 | "taint source" | GlobalDataFlow.cs:193:22:193:32 | access to property OutProperty |
| Splitting.cs:3:28:3:34 | tainted | Splitting.cs:8:24:8:30 | [b (line 3): false] access to parameter tainted |
| Splitting.cs:3:28:3:34 | tainted | Splitting.cs:8:24:8:30 | [b (line 3): true] access to parameter tainted |
| Splitting.cs:8:17:8:31 | [b (line 3): false] call to method Return | Splitting.cs:9:15:9:15 | [b (line 3): false] access to local variable x |
| Splitting.cs:8:17:8:31 | [b (line 3): false] call to method Return | Splitting.cs:9:15:9:15 | [b (line 3): false] access to local variable x |
| Splitting.cs:8:17:8:31 | [b (line 3): true] call to method Return | Splitting.cs:9:15:9:15 | [b (line 3): true] access to local variable x |
| Splitting.cs:8:17:8:31 | [b (line 3): true] call to method Return | Splitting.cs:9:15:9:15 | [b (line 3): true] access to local variable x |
| Splitting.cs:8:17:8:31 | [b (line 3): true] call to method Return | Splitting.cs:11:19:11:19 | access to local variable x |
| Splitting.cs:8:17:8:31 | [b (line 3): true] call to method Return | Splitting.cs:11:19:11:19 | access to local variable x |
| Splitting.cs:8:24:8:30 | [b (line 3): false] access to parameter tainted | Splitting.cs:8:17:8:31 | [b (line 3): false] call to method Return |
| Splitting.cs:8:24:8:30 | [b (line 3): false] access to parameter tainted | Splitting.cs:8:17:8:31 | [b (line 3): false] call to method Return |
| Splitting.cs:8:24:8:30 | [b (line 3): true] access to parameter tainted | Splitting.cs:8:17:8:31 | [b (line 3): true] call to method Return |
| Splitting.cs:8:24:8:30 | [b (line 3): true] access to parameter tainted | Splitting.cs:8:17:8:31 | [b (line 3): true] call to method Return |
| Splitting.cs:21:9:21:11 | value | Splitting.cs:21:28:21:32 | access to parameter value |
| Splitting.cs:24:28:24:34 | tainted | Splitting.cs:30:17:30:23 | [b (line 24): false] access to parameter tainted |
@@ -244,229 +235,10 @@ edges
| Splitting.cs:30:17:30:23 | [b (line 24): false] access to parameter tainted | Splitting.cs:21:9:21:11 | value |
| Splitting.cs:30:17:30:23 | [b (line 24): true] access to parameter tainted | Splitting.cs:21:9:21:11 | value |
| Splitting.cs:31:17:31:26 | [b (line 24): false] dynamic access to element | Splitting.cs:32:15:32:15 | [b (line 24): false] access to local variable x |
| Splitting.cs:31:17:31:26 | [b (line 24): false] dynamic access to element | Splitting.cs:32:15:32:15 | [b (line 24): false] access to local variable x |
| Splitting.cs:31:17:31:26 | [b (line 24): true] dynamic access to element | Splitting.cs:32:15:32:15 | [b (line 24): true] access to local variable x |
| Splitting.cs:31:17:31:26 | [b (line 24): true] dynamic access to element | Splitting.cs:32:15:32:15 | [b (line 24): true] access to local variable x |
| Splitting.cs:31:17:31:26 | [b (line 24): true] dynamic access to element | Splitting.cs:34:19:34:19 | access to local variable x |
| Splitting.cs:31:17:31:26 | [b (line 24): true] dynamic access to element | Splitting.cs:34:19:34:19 | access to local variable x |
| Splitting.cs:31:19:31:25 | [b (line 24): false] access to parameter tainted | Splitting.cs:31:17:31:26 | [b (line 24): false] dynamic access to element |
| Splitting.cs:31:19:31:25 | [b (line 24): false] access to parameter tainted | Splitting.cs:31:17:31:26 | [b (line 24): false] dynamic access to element |
| Splitting.cs:31:19:31:25 | [b (line 24): true] access to parameter tainted | Splitting.cs:31:17:31:26 | [b (line 24): true] dynamic access to element |
| Splitting.cs:31:19:31:25 | [b (line 24): true] access to parameter tainted | Splitting.cs:31:17:31:26 | [b (line 24): true] dynamic access to element |
nodes
| Capture.cs:7:20:7:26 | tainted |
| Capture.cs:9:9:13:9 | SSA capture def(tainted) |
| Capture.cs:12:19:12:24 | access to local variable sink27 |
| Capture.cs:14:9:14:20 | [implicit argument] tainted |
| Capture.cs:18:13:22:13 | SSA capture def(tainted) |
| Capture.cs:21:23:21:28 | access to local variable sink28 |
| Capture.cs:25:9:25:20 | [implicit argument] tainted |
| Capture.cs:27:43:32:9 | SSA capture def(tainted) |
| Capture.cs:30:19:30:24 | access to local variable sink29 |
| Capture.cs:33:9:33:40 | [implicit argument] tainted |
| Capture.cs:57:13:57:35 | SSA def(sink30) |
| Capture.cs:57:22:57:35 | "taint source" |
| Capture.cs:59:9:59:21 | SSA call def(sink30) |
| Capture.cs:60:15:60:20 | access to local variable sink30 |
| Capture.cs:67:17:67:39 | SSA def(sink31) |
| Capture.cs:67:26:67:39 | "taint source" |
| Capture.cs:71:9:71:21 | SSA call def(sink31) |
| Capture.cs:72:15:72:20 | access to local variable sink31 |
| Capture.cs:77:13:77:35 | SSA def(sink32) |
| Capture.cs:77:22:77:35 | "taint source" |
| Capture.cs:80:9:80:41 | SSA call def(sink32) |
| Capture.cs:81:15:81:20 | access to local variable sink32 |
| Capture.cs:101:25:101:31 | tainted |
| Capture.cs:108:9:108:25 | SSA call def(sink33) |
| Capture.cs:108:9:108:25 | [implicit argument] tainted |
| Capture.cs:109:15:109:20 | access to local variable sink33 |
| Capture.cs:120:9:120:25 | SSA call def(sink34) |
| Capture.cs:120:9:120:25 | [implicit argument] tainted |
| Capture.cs:121:15:121:20 | access to local variable sink34 |
| Capture.cs:129:9:129:45 | SSA call def(sink35) |
| Capture.cs:129:9:129:45 | [implicit argument] tainted |
| Capture.cs:130:15:130:20 | access to local variable sink35 |
| Capture.cs:136:22:136:38 | [implicit argument] tainted |
| Capture.cs:136:22:136:38 | call to local function CaptureThrough4 |
| Capture.cs:137:15:137:20 | access to local variable sink36 |
| Capture.cs:144:9:144:32 | SSA call def(sink37) |
| Capture.cs:144:25:144:31 | access to parameter tainted |
| Capture.cs:145:15:145:20 | access to local variable sink37 |
| Capture.cs:170:22:170:32 | call to local function Id |
| Capture.cs:170:25:170:31 | access to parameter tainted |
| Capture.cs:171:15:171:20 | access to local variable sink38 |
| GlobalDataFlow.cs:17:27:17:40 | "taint source" |
| GlobalDataFlow.cs:18:15:18:29 | access to field SinkField0 |
| GlobalDataFlow.cs:26:15:26:32 | access to property SinkProperty0 |
| GlobalDataFlow.cs:35:13:35:30 | access to property SinkProperty0 |
| GlobalDataFlow.cs:37:35:37:52 | access to property SinkProperty0 |
| GlobalDataFlow.cs:44:30:44:39 | sinkParam2 |
| GlobalDataFlow.cs:44:50:44:59 | access to parameter sinkParam2 |
| GlobalDataFlow.cs:45:13:45:30 | access to property SinkProperty0 |
| GlobalDataFlow.cs:52:20:52:37 | access to property SinkProperty0 |
| GlobalDataFlow.cs:53:15:53:15 | x |
| GlobalDataFlow.cs:53:24:53:24 | access to parameter x |
| GlobalDataFlow.cs:53:28:53:45 | access to property SinkProperty0 |
| GlobalDataFlow.cs:54:44:54:61 | access to property SinkProperty0 |
| GlobalDataFlow.cs:55:28:55:45 | access to property SinkProperty0 |
| GlobalDataFlow.cs:56:37:56:37 | x |
| GlobalDataFlow.cs:56:46:56:46 | access to parameter x |
| GlobalDataFlow.cs:57:35:57:52 | access to property SinkProperty0 |
| GlobalDataFlow.cs:64:22:64:39 | access to property SinkProperty0 |
| GlobalDataFlow.cs:70:21:70:46 | call to method Return |
| GlobalDataFlow.cs:70:28:70:45 | access to property SinkProperty0 |
| GlobalDataFlow.cs:71:15:71:19 | access to local variable sink0 |
| GlobalDataFlow.cs:72:29:72:101 | call to method Invoke |
| GlobalDataFlow.cs:72:94:72:98 | access to local variable sink0 |
| GlobalDataFlow.cs:73:15:73:19 | access to local variable sink1 |
| GlobalDataFlow.cs:75:19:75:23 | access to local variable sink1 |
| GlobalDataFlow.cs:75:30:75:34 | SSA def(sink2) |
| GlobalDataFlow.cs:76:15:76:19 | access to local variable sink2 |
| GlobalDataFlow.cs:78:19:78:23 | access to local variable sink2 |
| GlobalDataFlow.cs:78:30:78:34 | SSA def(sink3) |
| GlobalDataFlow.cs:79:15:79:19 | access to local variable sink3 |
| GlobalDataFlow.cs:80:22:80:85 | call to method SelectEven |
| GlobalDataFlow.cs:80:23:80:65 | (...) ... |
| GlobalDataFlow.cs:81:15:81:20 | access to local variable sink13 |
| GlobalDataFlow.cs:82:23:82:74 | (...) ... |
| GlobalDataFlow.cs:82:84:82:94 | [implicit call] delegate creation of type Func<String,String> |
| GlobalDataFlow.cs:83:15:83:20 | access to local variable sink14 |
| GlobalDataFlow.cs:84:23:84:74 | (...) ... |
| GlobalDataFlow.cs:84:125:84:135 | [implicit call] (...) => ... |
| GlobalDataFlow.cs:85:15:85:20 | access to local variable sink15 |
| GlobalDataFlow.cs:86:70:86:121 | (...) ... |
| GlobalDataFlow.cs:86:125:86:135 | [implicit call] (...) => ... |
| GlobalDataFlow.cs:87:15:87:20 | access to local variable sink16 |
| GlobalDataFlow.cs:88:22:88:27 | access to local variable sink14 |
| GlobalDataFlow.cs:88:43:88:61 | [implicit call] (...) => ... |
| GlobalDataFlow.cs:88:64:88:69 | [implicit call] (...) => ... |
| GlobalDataFlow.cs:89:15:89:20 | access to local variable sink17 |
| GlobalDataFlow.cs:90:75:90:88 | call to method First |
| GlobalDataFlow.cs:90:91:90:109 | [implicit call] (...) => ... |
| GlobalDataFlow.cs:90:112:90:117 | [implicit call] (...) => ... |
| GlobalDataFlow.cs:91:15:91:20 | access to local variable sink18 |
| GlobalDataFlow.cs:94:15:94:20 | access to local variable sink21 |
| GlobalDataFlow.cs:97:15:97:20 | access to local variable sink22 |
| GlobalDataFlow.cs:131:21:131:34 | delegate call |
| GlobalDataFlow.cs:131:29:131:33 | access to local variable sink3 |
| GlobalDataFlow.cs:132:15:132:19 | access to local variable sink4 |
| GlobalDataFlow.cs:139:21:139:44 | call to method ApplyFunc |
| GlobalDataFlow.cs:139:39:139:43 | access to local variable sink4 |
| GlobalDataFlow.cs:140:15:140:19 | access to local variable sink5 |
| GlobalDataFlow.cs:149:21:149:25 | call to method Out |
| GlobalDataFlow.cs:150:15:150:19 | access to local variable sink6 |
| GlobalDataFlow.cs:152:20:152:24 | SSA def(sink7) |
| GlobalDataFlow.cs:153:15:153:19 | access to local variable sink7 |
| GlobalDataFlow.cs:155:20:155:24 | SSA def(sink8) |
| GlobalDataFlow.cs:156:15:156:19 | access to local variable sink8 |
| GlobalDataFlow.cs:157:22:157:31 | call to method OutYield |
| GlobalDataFlow.cs:158:15:158:20 | access to local variable sink12 |
| GlobalDataFlow.cs:159:22:159:43 | call to method TaintedParam |
| GlobalDataFlow.cs:160:15:160:20 | access to local variable sink23 |
| GlobalDataFlow.cs:175:29:175:48 | return (...) => ... |
| GlobalDataFlow.cs:175:35:175:48 | "taint source" |
| GlobalDataFlow.cs:176:21:176:26 | delegate call |
| GlobalDataFlow.cs:177:15:177:19 | access to local variable sink9 |
| GlobalDataFlow.cs:185:39:185:41 | [implicit call] delegate creation of type Func<String> |
| GlobalDataFlow.cs:186:15:186:20 | access to local variable sink10 |
| GlobalDataFlow.cs:193:22:193:32 | access to property OutProperty |
| GlobalDataFlow.cs:194:15:194:20 | access to local variable sink19 |
| GlobalDataFlow.cs:201:39:201:45 | tainted |
| GlobalDataFlow.cs:204:35:204:45 | sinkParam10 |
| GlobalDataFlow.cs:204:58:204:68 | access to parameter sinkParam10 |
| GlobalDataFlow.cs:205:71:205:71 | x |
| GlobalDataFlow.cs:205:89:205:89 | access to parameter x |
| GlobalDataFlow.cs:206:22:206:28 | access to parameter tainted |
| GlobalDataFlow.cs:206:37:206:38 | [implicit call] access to local variable f1 |
| GlobalDataFlow.cs:207:15:207:20 | access to local variable sink24 |
| GlobalDataFlow.cs:208:22:208:28 | access to parameter tainted |
| GlobalDataFlow.cs:208:37:208:38 | [implicit call] access to local variable f2 |
| GlobalDataFlow.cs:209:15:209:20 | access to local variable sink25 |
| GlobalDataFlow.cs:210:22:210:28 | access to parameter tainted |
| GlobalDataFlow.cs:210:37:210:48 | [implicit call] delegate creation of type Func<String,String> |
| GlobalDataFlow.cs:211:15:211:20 | access to local variable sink26 |
| GlobalDataFlow.cs:230:26:230:35 | sinkParam0 |
| GlobalDataFlow.cs:230:26:230:35 | sinkParam0 |
| GlobalDataFlow.cs:232:16:232:25 | access to parameter sinkParam0 |
| GlobalDataFlow.cs:232:16:232:25 | access to parameter sinkParam0 |
| GlobalDataFlow.cs:233:15:233:24 | access to parameter sinkParam0 |
| GlobalDataFlow.cs:233:15:233:24 | access to parameter sinkParam0 |
| GlobalDataFlow.cs:236:26:236:35 | sinkParam1 |
| GlobalDataFlow.cs:238:15:238:24 | access to parameter sinkParam1 |
| GlobalDataFlow.cs:241:26:241:35 | sinkParam3 |
| GlobalDataFlow.cs:243:15:243:24 | access to parameter sinkParam3 |
| GlobalDataFlow.cs:246:26:246:35 | sinkParam4 |
| GlobalDataFlow.cs:248:15:248:24 | access to parameter sinkParam4 |
| GlobalDataFlow.cs:251:26:251:35 | sinkParam5 |
| GlobalDataFlow.cs:253:15:253:24 | access to parameter sinkParam5 |
| GlobalDataFlow.cs:256:26:256:35 | sinkParam6 |
| GlobalDataFlow.cs:258:15:258:24 | access to parameter sinkParam6 |
| GlobalDataFlow.cs:261:26:261:35 | sinkParam7 |
| GlobalDataFlow.cs:263:15:263:24 | access to parameter sinkParam7 |
| GlobalDataFlow.cs:287:31:287:40 | sinkParam8 |
| GlobalDataFlow.cs:289:15:289:24 | access to parameter sinkParam8 |
| GlobalDataFlow.cs:293:32:293:41 | sinkParam9 |
| GlobalDataFlow.cs:295:15:295:24 | access to parameter sinkParam9 |
| GlobalDataFlow.cs:299:32:299:42 | sinkParam11 |
| GlobalDataFlow.cs:301:15:301:25 | access to parameter sinkParam11 |
| GlobalDataFlow.cs:311:12:311:14 | return Out |
| GlobalDataFlow.cs:313:16:313:29 | "taint source" |
| GlobalDataFlow.cs:316:28:316:28 | return (out/ref) OutOut |
| GlobalDataFlow.cs:318:13:318:26 | "taint source" |
| GlobalDataFlow.cs:321:28:321:28 | return (out/ref) OutRef |
| GlobalDataFlow.cs:323:13:323:26 | "taint source" |
| GlobalDataFlow.cs:326:25:326:32 | yield return OutYield |
| GlobalDataFlow.cs:329:22:329:35 | "taint source" |
| GlobalDataFlow.cs:354:41:354:41 | x |
| GlobalDataFlow.cs:354:41:354:41 | x |
| GlobalDataFlow.cs:356:11:356:11 | access to parameter x |
| GlobalDataFlow.cs:356:11:356:11 | access to parameter x |
| GlobalDataFlow.cs:368:52:368:52 | x |
| GlobalDataFlow.cs:368:52:368:52 | x |
| GlobalDataFlow.cs:368:52:368:52 | x |
| GlobalDataFlow.cs:370:11:370:11 | access to parameter x |
| GlobalDataFlow.cs:370:11:370:11 | access to parameter x |
| GlobalDataFlow.cs:370:11:370:11 | access to parameter x |
| GlobalDataFlow.cs:373:19:373:30 | return TaintedParam |
| GlobalDataFlow.cs:373:39:373:45 | tainted |
| GlobalDataFlow.cs:376:15:376:20 | access to local variable sink11 |
| GlobalDataFlow.cs:399:9:399:11 | value |
| GlobalDataFlow.cs:399:41:399:46 | access to local variable sink20 |
| GlobalDataFlow.cs:410:9:410:11 | return get_OutProperty |
| GlobalDataFlow.cs:410:22:410:35 | "taint source" |
| Splitting.cs:3:28:3:34 | tainted |
| Splitting.cs:8:17:8:31 | [b (line 3): false] call to method Return |
| Splitting.cs:8:17:8:31 | [b (line 3): false] call to method Return |
| Splitting.cs:8:17:8:31 | [b (line 3): true] call to method Return |
| Splitting.cs:8:17:8:31 | [b (line 3): true] call to method Return |
| Splitting.cs:8:24:8:30 | [b (line 3): false] access to parameter tainted |
| Splitting.cs:8:24:8:30 | [b (line 3): true] access to parameter tainted |
| Splitting.cs:9:15:9:15 | [b (line 3): false] access to local variable x |
| Splitting.cs:9:15:9:15 | [b (line 3): false] access to local variable x |
| Splitting.cs:9:15:9:15 | [b (line 3): true] access to local variable x |
| Splitting.cs:9:15:9:15 | [b (line 3): true] access to local variable x |
| Splitting.cs:11:19:11:19 | access to local variable x |
| Splitting.cs:11:19:11:19 | access to local variable x |
| Splitting.cs:21:9:21:11 | value |
| Splitting.cs:21:28:21:32 | access to parameter value |
| Splitting.cs:24:28:24:34 | tainted |
| Splitting.cs:30:17:30:23 | [b (line 24): false] access to parameter tainted |
| Splitting.cs:30:17:30:23 | [b (line 24): true] access to parameter tainted |
| Splitting.cs:31:17:31:26 | [b (line 24): false] dynamic access to element |
| Splitting.cs:31:17:31:26 | [b (line 24): false] dynamic access to element |
| Splitting.cs:31:17:31:26 | [b (line 24): true] dynamic access to element |
| Splitting.cs:31:17:31:26 | [b (line 24): true] dynamic access to element |
| Splitting.cs:31:19:31:25 | [b (line 24): false] access to parameter tainted |
| Splitting.cs:31:19:31:25 | [b (line 24): true] access to parameter tainted |
| Splitting.cs:32:15:32:15 | [b (line 24): false] access to local variable x |
| Splitting.cs:32:15:32:15 | [b (line 24): false] access to local variable x |
| Splitting.cs:32:15:32:15 | [b (line 24): false] access to local variable x |
| Splitting.cs:32:15:32:15 | [b (line 24): true] access to local variable x |
| Splitting.cs:32:15:32:15 | [b (line 24): true] access to local variable x |
| Splitting.cs:32:15:32:15 | [b (line 24): true] access to local variable x |
| Splitting.cs:34:19:34:19 | access to local variable x |
| Splitting.cs:34:19:34:19 | access to local variable x |
| Splitting.cs:34:19:34:19 | access to local variable x |
#select
| Capture.cs:12:19:12:24 | access to local variable sink27 | Capture.cs:7:20:7:26 | tainted | Capture.cs:12:19:12:24 | access to local variable sink27 | access to local variable sink27 |
| Capture.cs:21:23:21:28 | access to local variable sink28 | Capture.cs:7:20:7:26 | tainted | Capture.cs:21:23:21:28 | access to local variable sink28 | access to local variable sink28 |
@@ -510,7 +282,6 @@ nodes
| GlobalDataFlow.cs:209:15:209:20 | access to local variable sink25 | GlobalDataFlow.cs:201:39:201:45 | tainted | GlobalDataFlow.cs:209:15:209:20 | access to local variable sink25 | access to local variable sink25 |
| GlobalDataFlow.cs:211:15:211:20 | access to local variable sink26 | GlobalDataFlow.cs:201:39:201:45 | tainted | GlobalDataFlow.cs:211:15:211:20 | access to local variable sink26 | access to local variable sink26 |
| GlobalDataFlow.cs:233:15:233:24 | access to parameter sinkParam0 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:233:15:233:24 | access to parameter sinkParam0 | access to parameter sinkParam0 |
| GlobalDataFlow.cs:233:15:233:24 | access to parameter sinkParam0 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:233:15:233:24 | access to parameter sinkParam0 | access to parameter sinkParam0 |
| GlobalDataFlow.cs:238:15:238:24 | access to parameter sinkParam1 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:238:15:238:24 | access to parameter sinkParam1 | access to parameter sinkParam1 |
| GlobalDataFlow.cs:243:15:243:24 | access to parameter sinkParam3 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:243:15:243:24 | access to parameter sinkParam3 | access to parameter sinkParam3 |
| GlobalDataFlow.cs:248:15:248:24 | access to parameter sinkParam4 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:248:15:248:24 | access to parameter sinkParam4 | access to parameter sinkParam4 |
@@ -523,18 +294,9 @@ nodes
| GlobalDataFlow.cs:376:15:376:20 | access to local variable sink11 | GlobalDataFlow.cs:373:39:373:45 | tainted | GlobalDataFlow.cs:376:15:376:20 | access to local variable sink11 | access to local variable sink11 |
| GlobalDataFlow.cs:399:41:399:46 | access to local variable sink20 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:399:41:399:46 | access to local variable sink20 | access to local variable sink20 |
| Splitting.cs:9:15:9:15 | [b (line 3): false] access to local variable x | Splitting.cs:3:28:3:34 | tainted | Splitting.cs:9:15:9:15 | [b (line 3): false] access to local variable x | [b (line 3): false] access to local variable x |
| Splitting.cs:9:15:9:15 | [b (line 3): false] access to local variable x | Splitting.cs:3:28:3:34 | tainted | Splitting.cs:9:15:9:15 | [b (line 3): false] access to local variable x | [b (line 3): false] access to local variable x |
| Splitting.cs:9:15:9:15 | [b (line 3): true] access to local variable x | Splitting.cs:3:28:3:34 | tainted | Splitting.cs:9:15:9:15 | [b (line 3): true] access to local variable x | [b (line 3): true] access to local variable x |
| Splitting.cs:9:15:9:15 | [b (line 3): true] access to local variable x | Splitting.cs:3:28:3:34 | tainted | Splitting.cs:9:15:9:15 | [b (line 3): true] access to local variable x | [b (line 3): true] access to local variable x |
| Splitting.cs:11:19:11:19 | access to local variable x | Splitting.cs:3:28:3:34 | tainted | Splitting.cs:11:19:11:19 | access to local variable x | access to local variable x |
| Splitting.cs:11:19:11:19 | access to local variable x | Splitting.cs:3:28:3:34 | tainted | Splitting.cs:11:19:11:19 | access to local variable x | access to local variable x |
| Splitting.cs:21:28:21:32 | access to parameter value | Splitting.cs:24:28:24:34 | tainted | Splitting.cs:21:28:21:32 | access to parameter value | access to parameter value |
| Splitting.cs:32:15:32:15 | [b (line 24): false] access to local variable x | Splitting.cs:24:28:24:34 | tainted | Splitting.cs:32:15:32:15 | [b (line 24): false] access to local variable x | [b (line 24): false] access to local variable x |
| Splitting.cs:32:15:32:15 | [b (line 24): false] access to local variable x | Splitting.cs:24:28:24:34 | tainted | Splitting.cs:32:15:32:15 | [b (line 24): false] access to local variable x | [b (line 24): false] access to local variable x |
| Splitting.cs:32:15:32:15 | [b (line 24): false] access to local variable x | Splitting.cs:24:28:24:34 | tainted | Splitting.cs:32:15:32:15 | [b (line 24): false] access to local variable x | [b (line 24): false] access to local variable x |
| Splitting.cs:32:15:32:15 | [b (line 24): true] access to local variable x | Splitting.cs:24:28:24:34 | tainted | Splitting.cs:32:15:32:15 | [b (line 24): true] access to local variable x | [b (line 24): true] access to local variable x |
| Splitting.cs:32:15:32:15 | [b (line 24): true] access to local variable x | Splitting.cs:24:28:24:34 | tainted | Splitting.cs:32:15:32:15 | [b (line 24): true] access to local variable x | [b (line 24): true] access to local variable x |
| Splitting.cs:32:15:32:15 | [b (line 24): true] access to local variable x | Splitting.cs:24:28:24:34 | tainted | Splitting.cs:32:15:32:15 | [b (line 24): true] access to local variable x | [b (line 24): true] access to local variable x |
| Splitting.cs:34:19:34:19 | access to local variable x | Splitting.cs:24:28:24:34 | tainted | Splitting.cs:34:19:34:19 | access to local variable x | access to local variable x |
| Splitting.cs:34:19:34:19 | access to local variable x | Splitting.cs:24:28:24:34 | tainted | Splitting.cs:34:19:34:19 | access to local variable x | access to local variable x |
| Splitting.cs:34:19:34:19 | access to local variable x | Splitting.cs:24:28:24:34 | tainted | Splitting.cs:34:19:34:19 | access to local variable x | access to local variable x |


@@ -1,4 +1,5 @@
import csharp
private import semmle.code.csharp.dataflow.internal.DataFlowPrivate
class MyFlowSource extends DataFlow::Node {
MyFlowSource() {
@@ -11,7 +12,9 @@ class MyFlowSource extends DataFlow::Node {
or
this.asParameter().hasName("tainted")
or
exists(Expr e | e = this.(DataFlow::Internal::ImplicitDelegateCallNode).getArgument() |
exists(Expr e |
this = DataFlowPrivateCached::TImplicitDelegateOutNode(e.getAControlFlowNode(), _)
|
e.(DelegateCreation).getArgument().(MethodAccess).getTarget().hasName("TaintedMethod") or
e.(LambdaExpr).getExpressionBody().(StringLiteral).getValue() = "taint source"
)
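Review bot: The `exists(Expr e | ...)` disjunct of `MyFlowSource` defines its sources by naming the cached newtype branch `DataFlowPrivateCached::TImplicitDelegateOutNode(e.getAControlFlowNode(), _)` directly, which ties this taint-tracking test to the library's internal node representation through the added `private import semmle.code.csharp.dataflow.internal.DataFlowPrivate`. The page has lost its +/- markers, so I am assuming the three-line `exists` form is the new side and the `ImplicitDelegateCallNode` line is the removed one. A rename or signature change of that branch would break the source definition here, and the second argument is left as `_`, so every such node for `e` becomes a source. I would record that intent with a comment above the `exists`, for example `// Flow source: implicit delegate output node for e, matched via the internal newtype; the second argument is deliberately unconstrained`. The characteristic predicate begins before the hunk and its closing lines are outside it.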


@@ -14,11 +14,6 @@
| Capture.cs:58:21:58:21 | 1 | Capture.cs:58:17:58:21 | SSA def(i) |
| Capture.cs:61:17:61:17 | 1 | Capture.cs:61:13:61:17 | SSA def(i) |
| Capture.cs:63:9:63:17 | SSA call def(i) | Capture.cs:64:13:64:13 | access to local variable i |
| LocalDataFlow.cs:16:55:16:58 | null | LocalDataFlow.cs:16:42:16:44 | return get_Item |
| LocalDataFlow.cs:18:63:18:66 | null | LocalDataFlow.cs:18:50:18:52 | return get_QueryString |
| LocalDataFlow.cs:20:59:20:62 | null | LocalDataFlow.cs:20:46:20:48 | return get_Headers |
| LocalDataFlow.cs:22:45:22:48 | null | LocalDataFlow.cs:22:32:22:34 | return get_RawUrl |
| LocalDataFlow.cs:24:39:24:42 | null | LocalDataFlow.cs:24:26:24:28 | return get_Url |
| LocalDataFlow.cs:49:30:49:30 | b | LocalDataFlow.cs:96:21:96:21 | access to parameter b |
| LocalDataFlow.cs:52:13:52:34 | SSA def(sink0) | LocalDataFlow.cs:53:15:53:19 | access to local variable sink0 |
| LocalDataFlow.cs:52:21:52:34 | "taint source" | LocalDataFlow.cs:52:13:52:34 | SSA def(sink0) |
@@ -112,14 +107,12 @@
| LocalDataFlow.cs:136:22:136:55 | call to method First | LocalDataFlow.cs:136:13:136:55 | SSA def(sink14) |
| LocalDataFlow.cs:136:35:136:35 | x | LocalDataFlow.cs:136:40:136:40 | access to parameter x |
| LocalDataFlow.cs:136:40:136:40 | access to parameter x | LocalDataFlow.cs:136:40:136:46 | access to property Value |
| LocalDataFlow.cs:136:40:136:54 | ... != ... | LocalDataFlow.cs:136:35:136:54 | return (...) => ... |
| LocalDataFlow.cs:140:9:140:55 | SSA def(nonSink3) | LocalDataFlow.cs:206:33:206:40 | access to local variable nonSink3 |
| LocalDataFlow.cs:140:20:140:27 | access to local variable nonSink1 | LocalDataFlow.cs:141:15:141:22 | access to local variable nonSink1 |
| LocalDataFlow.cs:140:20:140:55 | (...) ... | LocalDataFlow.cs:140:9:140:55 | SSA def(nonSink3) |
| LocalDataFlow.cs:140:20:140:55 | call to method First | LocalDataFlow.cs:140:20:140:55 | (...) ... |
| LocalDataFlow.cs:140:35:140:35 | x | LocalDataFlow.cs:140:40:140:40 | access to parameter x |
| LocalDataFlow.cs:140:40:140:40 | access to parameter x | LocalDataFlow.cs:140:40:140:46 | access to property Value |
| LocalDataFlow.cs:140:40:140:54 | ... != ... | LocalDataFlow.cs:140:35:140:54 | return (...) => ... |
| LocalDataFlow.cs:141:15:141:22 | access to local variable nonSink1 | LocalDataFlow.cs:214:20:214:27 | access to local variable nonSink1 |
| LocalDataFlow.cs:144:13:144:39 | SSA def(sink15) | LocalDataFlow.cs:145:15:145:20 | access to local variable sink15 |
| LocalDataFlow.cs:144:22:144:39 | call to method Parse | LocalDataFlow.cs:144:13:144:39 | SSA def(sink15) |
@@ -309,30 +302,28 @@
| LocalDataFlow.cs:295:9:295:17 | access to local variable nonSink10 | LocalDataFlow.cs:296:15:296:23 | access to local variable nonSink10 |
| LocalDataFlow.cs:299:13:299:52 | SSA def(sink40) | LocalDataFlow.cs:300:15:300:20 | access to local variable sink40 |
| LocalDataFlow.cs:299:22:299:52 | object creation of type Lazy<String> | LocalDataFlow.cs:299:13:299:52 | SSA def(sink40) |
| LocalDataFlow.cs:299:39:299:51 | [implicit call] delegate creation of type Func<String> | LocalDataFlow.cs:299:22:299:52 | object creation of type Lazy<String> |
| LocalDataFlow.cs:299:39:299:51 | [output] delegate creation of type Func<String> | LocalDataFlow.cs:299:22:299:52 | object creation of type Lazy<String> |
| LocalDataFlow.cs:300:15:300:20 | access to local variable sink40 | LocalDataFlow.cs:301:22:301:27 | access to local variable sink40 |
| LocalDataFlow.cs:301:13:301:33 | SSA def(sink41) | LocalDataFlow.cs:302:15:302:20 | access to local variable sink41 |
| LocalDataFlow.cs:301:22:301:27 | access to local variable sink40 | LocalDataFlow.cs:301:22:301:33 | access to property Value |
| LocalDataFlow.cs:301:22:301:33 | access to property Value | LocalDataFlow.cs:301:13:301:33 | SSA def(sink41) |
| LocalDataFlow.cs:303:13:303:59 | SSA def(sink42) | LocalDataFlow.cs:304:15:304:20 | access to local variable sink42 |
| LocalDataFlow.cs:303:22:303:59 | object creation of type Lazy<String> | LocalDataFlow.cs:303:13:303:59 | SSA def(sink42) |
| LocalDataFlow.cs:303:39:303:58 | [implicit call] (...) => ... | LocalDataFlow.cs:303:22:303:59 | object creation of type Lazy<String> |
| LocalDataFlow.cs:303:45:303:58 | "taint source" | LocalDataFlow.cs:303:39:303:58 | return (...) => ... |
| LocalDataFlow.cs:303:39:303:58 | [output] (...) => ... | LocalDataFlow.cs:303:22:303:59 | object creation of type Lazy<String> |
| LocalDataFlow.cs:304:15:304:20 | access to local variable sink42 | LocalDataFlow.cs:305:22:305:27 | access to local variable sink42 |
| LocalDataFlow.cs:305:13:305:33 | SSA def(sink43) | LocalDataFlow.cs:306:15:306:20 | access to local variable sink43 |
| LocalDataFlow.cs:305:22:305:27 | access to local variable sink42 | LocalDataFlow.cs:305:22:305:33 | access to property Value |
| LocalDataFlow.cs:305:22:305:33 | access to property Value | LocalDataFlow.cs:305:13:305:33 | SSA def(sink43) |
| LocalDataFlow.cs:309:13:309:58 | SSA def(nonSink12) | LocalDataFlow.cs:310:15:310:23 | access to local variable nonSink12 |
| LocalDataFlow.cs:309:25:309:58 | object creation of type Lazy<String> | LocalDataFlow.cs:309:13:309:58 | SSA def(nonSink12) |
| LocalDataFlow.cs:309:42:309:57 | [implicit call] delegate creation of type Func<String> | LocalDataFlow.cs:309:25:309:58 | object creation of type Lazy<String> |
| LocalDataFlow.cs:309:42:309:57 | [output] delegate creation of type Func<String> | LocalDataFlow.cs:309:25:309:58 | object creation of type Lazy<String> |
| LocalDataFlow.cs:310:15:310:23 | access to local variable nonSink12 | LocalDataFlow.cs:311:20:311:28 | access to local variable nonSink12 |
| LocalDataFlow.cs:311:9:311:34 | SSA def(nonSink0) | LocalDataFlow.cs:312:15:312:22 | access to local variable nonSink0 |
| LocalDataFlow.cs:311:20:311:28 | access to local variable nonSink12 | LocalDataFlow.cs:311:20:311:34 | access to property Value |
| LocalDataFlow.cs:311:20:311:34 | access to property Value | LocalDataFlow.cs:311:9:311:34 | SSA def(nonSink0) |
| LocalDataFlow.cs:313:9:313:46 | SSA def(nonSink12) | LocalDataFlow.cs:314:15:314:23 | access to local variable nonSink12 |
| LocalDataFlow.cs:313:21:313:46 | object creation of type Lazy<String> | LocalDataFlow.cs:313:9:313:46 | SSA def(nonSink12) |
| LocalDataFlow.cs:313:38:313:45 | [implicit call] (...) => ... | LocalDataFlow.cs:313:21:313:46 | object creation of type Lazy<String> |
| LocalDataFlow.cs:313:44:313:45 | "" | LocalDataFlow.cs:313:38:313:45 | return (...) => ... |
| LocalDataFlow.cs:313:38:313:45 | [output] (...) => ... | LocalDataFlow.cs:313:21:313:46 | object creation of type Lazy<String> |
| LocalDataFlow.cs:314:15:314:23 | access to local variable nonSink12 | LocalDataFlow.cs:315:20:315:28 | access to local variable nonSink12 |
| LocalDataFlow.cs:315:9:315:34 | SSA def(nonSink0) | LocalDataFlow.cs:316:15:316:22 | access to local variable nonSink0 |
| LocalDataFlow.cs:315:20:315:28 | access to local variable nonSink12 | LocalDataFlow.cs:315:20:315:34 | access to property Value |
@@ -426,16 +417,14 @@
| LocalDataFlow.cs:387:20:387:34 | access to property Value | LocalDataFlow.cs:387:9:387:34 | SSA def(nonSink0) |
| LocalDataFlow.cs:391:13:391:51 | SSA def(sink67) | LocalDataFlow.cs:392:15:392:20 | access to local variable sink67 |
| LocalDataFlow.cs:391:22:391:51 | call to method Run | LocalDataFlow.cs:391:13:391:51 | SSA def(sink67) |
| LocalDataFlow.cs:391:31:391:50 | [implicit call] (...) => ... | LocalDataFlow.cs:391:22:391:51 | call to method Run |
| LocalDataFlow.cs:391:37:391:50 | "taint source" | LocalDataFlow.cs:391:31:391:50 | return (...) => ... |
| LocalDataFlow.cs:391:31:391:50 | [output] (...) => ... | LocalDataFlow.cs:391:22:391:51 | call to method Run |
| LocalDataFlow.cs:392:15:392:20 | access to local variable sink67 | LocalDataFlow.cs:393:28:393:33 | access to local variable sink67 |
| LocalDataFlow.cs:393:13:393:33 | SSA def(sink68) | LocalDataFlow.cs:394:15:394:20 | access to local variable sink68 |
| LocalDataFlow.cs:393:22:393:33 | await ... | LocalDataFlow.cs:393:13:393:33 | SSA def(sink68) |
| LocalDataFlow.cs:393:28:393:33 | access to local variable sink67 | LocalDataFlow.cs:393:22:393:33 | await ... |
| LocalDataFlow.cs:397:13:397:42 | SSA def(nonSink21) | LocalDataFlow.cs:398:15:398:23 | access to local variable nonSink21 |
| LocalDataFlow.cs:397:25:397:42 | call to method Run | LocalDataFlow.cs:397:13:397:42 | SSA def(nonSink21) |
| LocalDataFlow.cs:397:34:397:41 | [implicit call] (...) => ... | LocalDataFlow.cs:397:25:397:42 | call to method Run |
| LocalDataFlow.cs:397:40:397:41 | "" | LocalDataFlow.cs:397:34:397:41 | return (...) => ... |
| LocalDataFlow.cs:397:34:397:41 | [output] (...) => ... | LocalDataFlow.cs:397:25:397:42 | call to method Run |
| LocalDataFlow.cs:398:15:398:23 | access to local variable nonSink21 | LocalDataFlow.cs:399:26:399:34 | access to local variable nonSink21 |
| LocalDataFlow.cs:399:9:399:34 | SSA def(nonSink0) | LocalDataFlow.cs:400:15:400:22 | access to local variable nonSink0 |
| LocalDataFlow.cs:399:20:399:34 | await ... | LocalDataFlow.cs:399:9:399:34 | SSA def(nonSink0) |
@@ -464,9 +453,6 @@
| LocalDataFlow.cs:429:18:429:30 | SSA def(sink72) | LocalDataFlow.cs:430:23:430:28 | access to local variable sink72 |
| LocalDataFlow.cs:435:17:435:24 | access to local variable nonSink0 | LocalDataFlow.cs:437:18:437:33 | SSA def(nonSink17) |
| LocalDataFlow.cs:437:18:437:33 | SSA def(nonSink17) | LocalDataFlow.cs:438:23:438:31 | access to local variable nonSink17 |
| LocalDataFlow.cs:447:37:447:38 | "" | LocalDataFlow.cs:447:12:447:24 | return TaintedMethod |
| LocalDataFlow.cs:449:40:449:41 | "" | LocalDataFlow.cs:449:12:449:27 | return NonTaintedMethod |
| LocalDataFlow.cs:458:41:458:45 | access to field anInt | LocalDataFlow.cs:458:28:458:30 | return get_AnInt |
| LocalDataFlow.cs:458:50:458:52 | value | LocalDataFlow.cs:458:64:458:68 | access to parameter value |
| LocalDataFlow.cs:464:41:464:47 | tainted | LocalDataFlow.cs:466:15:466:21 | access to parameter tainted |
| LocalDataFlow.cs:469:44:469:53 | nonTainted | LocalDataFlow.cs:471:15:471:24 | access to parameter nonTainted |
@@ -638,10 +624,8 @@
| SSA.cs:146:13:146:13 | access to parameter t | SSA.cs:146:13:146:13 | (...) ... |
| SSA.cs:146:13:146:13 | access to parameter t | SSA.cs:149:17:149:17 | access to parameter t |
| SSA.cs:147:13:147:26 | SSA def(t) | SSA.cs:144:17:144:26 | SSA phi(t) |
| SSA.cs:147:17:147:26 | default(...) | SSA.cs:144:34:144:34 | return (out/ref) Certain |
| SSA.cs:147:17:147:26 | default(...) | SSA.cs:147:13:147:26 | SSA def(t) |
| SSA.cs:149:13:149:17 | SSA def(t) | SSA.cs:144:17:144:26 | SSA phi(t) |
| SSA.cs:149:17:149:17 | access to parameter t | SSA.cs:144:34:144:34 | return (out/ref) Certain |
| SSA.cs:149:17:149:17 | access to parameter t | SSA.cs:149:13:149:17 | SSA def(t) |
| SSA.cs:152:36:152:36 | t | SSA.cs:154:13:154:13 | access to parameter t |
| SSA.cs:154:13:154:13 | access to parameter t | SSA.cs:152:17:152:28 | SSA phi(t) |


@@ -14,11 +14,7 @@
| Capture.cs:58:21:58:21 | 1 | Capture.cs:58:17:58:21 | SSA def(i) |
| Capture.cs:61:17:61:17 | 1 | Capture.cs:61:13:61:17 | SSA def(i) |
| Capture.cs:63:9:63:17 | SSA call def(i) | Capture.cs:64:13:64:13 | access to local variable i |
| LocalDataFlow.cs:16:55:16:58 | null | LocalDataFlow.cs:16:42:16:44 | return get_Item |
| LocalDataFlow.cs:18:63:18:66 | null | LocalDataFlow.cs:18:50:18:52 | return get_QueryString |
| LocalDataFlow.cs:20:59:20:62 | null | LocalDataFlow.cs:20:46:20:48 | return get_Headers |
| LocalDataFlow.cs:22:45:22:48 | null | LocalDataFlow.cs:22:32:22:34 | return get_RawUrl |
| LocalDataFlow.cs:24:39:24:42 | null | LocalDataFlow.cs:24:26:24:28 | return get_Url |
| LocalDataFlow.cs:49:30:49:30 | b | LocalDataFlow.cs:49:30:49:30 | b |
| LocalDataFlow.cs:49:30:49:30 | b | LocalDataFlow.cs:96:21:96:21 | access to parameter b |
| LocalDataFlow.cs:52:13:52:34 | SSA def(sink0) | LocalDataFlow.cs:53:15:53:19 | access to local variable sink0 |
| LocalDataFlow.cs:52:21:52:34 | "taint source" | LocalDataFlow.cs:52:13:52:34 | SSA def(sink0) |
@@ -133,19 +129,19 @@
| LocalDataFlow.cs:136:22:136:27 | access to local variable sink11 | LocalDataFlow.cs:136:22:136:55 | call to method First |
| LocalDataFlow.cs:136:22:136:27 | access to local variable sink11 | LocalDataFlow.cs:210:22:210:27 | access to local variable sink11 |
| LocalDataFlow.cs:136:22:136:55 | call to method First | LocalDataFlow.cs:136:13:136:55 | SSA def(sink14) |
| LocalDataFlow.cs:136:35:136:35 | x | LocalDataFlow.cs:136:35:136:35 | x |
| LocalDataFlow.cs:136:35:136:35 | x | LocalDataFlow.cs:136:40:136:40 | access to parameter x |
| LocalDataFlow.cs:136:40:136:40 | access to parameter x | LocalDataFlow.cs:136:40:136:46 | access to property Value |
| LocalDataFlow.cs:136:40:136:46 | access to property Value | LocalDataFlow.cs:136:40:136:54 | ... != ... |
| LocalDataFlow.cs:136:40:136:54 | ... != ... | LocalDataFlow.cs:136:35:136:54 | return (...) => ... |
| LocalDataFlow.cs:140:9:140:55 | SSA def(nonSink3) | LocalDataFlow.cs:206:33:206:40 | access to local variable nonSink3 |
| LocalDataFlow.cs:140:20:140:27 | access to local variable nonSink1 | LocalDataFlow.cs:140:20:140:55 | call to method First |
| LocalDataFlow.cs:140:20:140:27 | access to local variable nonSink1 | LocalDataFlow.cs:141:15:141:22 | access to local variable nonSink1 |
| LocalDataFlow.cs:140:20:140:55 | (...) ... | LocalDataFlow.cs:140:9:140:55 | SSA def(nonSink3) |
| LocalDataFlow.cs:140:20:140:55 | call to method First | LocalDataFlow.cs:140:20:140:55 | (...) ... |
| LocalDataFlow.cs:140:35:140:35 | x | LocalDataFlow.cs:140:35:140:35 | x |
| LocalDataFlow.cs:140:35:140:35 | x | LocalDataFlow.cs:140:40:140:40 | access to parameter x |
| LocalDataFlow.cs:140:40:140:40 | access to parameter x | LocalDataFlow.cs:140:40:140:46 | access to property Value |
| LocalDataFlow.cs:140:40:140:46 | access to property Value | LocalDataFlow.cs:140:40:140:54 | ... != ... |
| LocalDataFlow.cs:140:40:140:54 | ... != ... | LocalDataFlow.cs:140:35:140:54 | return (...) => ... |
| LocalDataFlow.cs:141:15:141:22 | access to local variable nonSink1 | LocalDataFlow.cs:214:20:214:27 | access to local variable nonSink1 |
| LocalDataFlow.cs:144:13:144:39 | SSA def(sink15) | LocalDataFlow.cs:145:15:145:20 | access to local variable sink15 |
| LocalDataFlow.cs:144:22:144:39 | call to method Parse | LocalDataFlow.cs:144:13:144:39 | SSA def(sink15) |
@@ -425,30 +421,28 @@
| LocalDataFlow.cs:295:30:295:37 | access to local variable nonSink0 | LocalDataFlow.cs:295:9:295:17 | access to local variable nonSink10 |
| LocalDataFlow.cs:299:13:299:52 | SSA def(sink40) | LocalDataFlow.cs:300:15:300:20 | access to local variable sink40 |
| LocalDataFlow.cs:299:22:299:52 | object creation of type Lazy<String> | LocalDataFlow.cs:299:13:299:52 | SSA def(sink40) |
| LocalDataFlow.cs:299:39:299:51 | [implicit call] delegate creation of type Func<String> | LocalDataFlow.cs:299:22:299:52 | object creation of type Lazy<String> |
| LocalDataFlow.cs:299:39:299:51 | [output] delegate creation of type Func<String> | LocalDataFlow.cs:299:22:299:52 | object creation of type Lazy<String> |
| LocalDataFlow.cs:300:15:300:20 | access to local variable sink40 | LocalDataFlow.cs:301:22:301:27 | access to local variable sink40 |
| LocalDataFlow.cs:301:13:301:33 | SSA def(sink41) | LocalDataFlow.cs:302:15:302:20 | access to local variable sink41 |
| LocalDataFlow.cs:301:22:301:27 | access to local variable sink40 | LocalDataFlow.cs:301:22:301:33 | access to property Value |
| LocalDataFlow.cs:301:22:301:33 | access to property Value | LocalDataFlow.cs:301:13:301:33 | SSA def(sink41) |
| LocalDataFlow.cs:303:13:303:59 | SSA def(sink42) | LocalDataFlow.cs:304:15:304:20 | access to local variable sink42 |
| LocalDataFlow.cs:303:22:303:59 | object creation of type Lazy<String> | LocalDataFlow.cs:303:13:303:59 | SSA def(sink42) |
| LocalDataFlow.cs:303:39:303:58 | [implicit call] (...) => ... | LocalDataFlow.cs:303:22:303:59 | object creation of type Lazy<String> |
| LocalDataFlow.cs:303:45:303:58 | "taint source" | LocalDataFlow.cs:303:39:303:58 | return (...) => ... |
| LocalDataFlow.cs:303:39:303:58 | [output] (...) => ... | LocalDataFlow.cs:303:22:303:59 | object creation of type Lazy<String> |
| LocalDataFlow.cs:304:15:304:20 | access to local variable sink42 | LocalDataFlow.cs:305:22:305:27 | access to local variable sink42 |
| LocalDataFlow.cs:305:13:305:33 | SSA def(sink43) | LocalDataFlow.cs:306:15:306:20 | access to local variable sink43 |
| LocalDataFlow.cs:305:22:305:27 | access to local variable sink42 | LocalDataFlow.cs:305:22:305:33 | access to property Value |
| LocalDataFlow.cs:305:22:305:33 | access to property Value | LocalDataFlow.cs:305:13:305:33 | SSA def(sink43) |
| LocalDataFlow.cs:309:13:309:58 | SSA def(nonSink12) | LocalDataFlow.cs:310:15:310:23 | access to local variable nonSink12 |
| LocalDataFlow.cs:309:25:309:58 | object creation of type Lazy<String> | LocalDataFlow.cs:309:13:309:58 | SSA def(nonSink12) |
| LocalDataFlow.cs:309:42:309:57 | [implicit call] delegate creation of type Func<String> | LocalDataFlow.cs:309:25:309:58 | object creation of type Lazy<String> |
| LocalDataFlow.cs:309:42:309:57 | [output] delegate creation of type Func<String> | LocalDataFlow.cs:309:25:309:58 | object creation of type Lazy<String> |
| LocalDataFlow.cs:310:15:310:23 | access to local variable nonSink12 | LocalDataFlow.cs:311:20:311:28 | access to local variable nonSink12 |
| LocalDataFlow.cs:311:9:311:34 | SSA def(nonSink0) | LocalDataFlow.cs:312:15:312:22 | access to local variable nonSink0 |
| LocalDataFlow.cs:311:20:311:28 | access to local variable nonSink12 | LocalDataFlow.cs:311:20:311:34 | access to property Value |
| LocalDataFlow.cs:311:20:311:34 | access to property Value | LocalDataFlow.cs:311:9:311:34 | SSA def(nonSink0) |
| LocalDataFlow.cs:313:9:313:46 | SSA def(nonSink12) | LocalDataFlow.cs:314:15:314:23 | access to local variable nonSink12 |
| LocalDataFlow.cs:313:21:313:46 | object creation of type Lazy<String> | LocalDataFlow.cs:313:9:313:46 | SSA def(nonSink12) |
| LocalDataFlow.cs:313:38:313:45 | [implicit call] (...) => ... | LocalDataFlow.cs:313:21:313:46 | object creation of type Lazy<String> |
| LocalDataFlow.cs:313:44:313:45 | "" | LocalDataFlow.cs:313:38:313:45 | return (...) => ... |
| LocalDataFlow.cs:313:38:313:45 | [output] (...) => ... | LocalDataFlow.cs:313:21:313:46 | object creation of type Lazy<String> |
| LocalDataFlow.cs:314:15:314:23 | access to local variable nonSink12 | LocalDataFlow.cs:315:20:315:28 | access to local variable nonSink12 |
| LocalDataFlow.cs:315:9:315:34 | SSA def(nonSink0) | LocalDataFlow.cs:316:15:316:22 | access to local variable nonSink0 |
| LocalDataFlow.cs:315:20:315:28 | access to local variable nonSink12 | LocalDataFlow.cs:315:20:315:34 | access to property Value |
@@ -564,16 +558,14 @@
| LocalDataFlow.cs:387:20:387:34 | access to property Value | LocalDataFlow.cs:387:9:387:34 | SSA def(nonSink0) |
| LocalDataFlow.cs:391:13:391:51 | SSA def(sink67) | LocalDataFlow.cs:392:15:392:20 | access to local variable sink67 |
| LocalDataFlow.cs:391:22:391:51 | call to method Run | LocalDataFlow.cs:391:13:391:51 | SSA def(sink67) |
| LocalDataFlow.cs:391:31:391:50 | [implicit call] (...) => ... | LocalDataFlow.cs:391:22:391:51 | call to method Run |
| LocalDataFlow.cs:391:37:391:50 | "taint source" | LocalDataFlow.cs:391:31:391:50 | return (...) => ... |
| LocalDataFlow.cs:391:31:391:50 | [output] (...) => ... | LocalDataFlow.cs:391:22:391:51 | call to method Run |
| LocalDataFlow.cs:392:15:392:20 | access to local variable sink67 | LocalDataFlow.cs:393:28:393:33 | access to local variable sink67 |
| LocalDataFlow.cs:393:13:393:33 | SSA def(sink68) | LocalDataFlow.cs:394:15:394:20 | access to local variable sink68 |
| LocalDataFlow.cs:393:22:393:33 | await ... | LocalDataFlow.cs:393:13:393:33 | SSA def(sink68) |
| LocalDataFlow.cs:393:28:393:33 | access to local variable sink67 | LocalDataFlow.cs:393:22:393:33 | await ... |
| LocalDataFlow.cs:397:13:397:42 | SSA def(nonSink21) | LocalDataFlow.cs:398:15:398:23 | access to local variable nonSink21 |
| LocalDataFlow.cs:397:25:397:42 | call to method Run | LocalDataFlow.cs:397:13:397:42 | SSA def(nonSink21) |
| LocalDataFlow.cs:397:34:397:41 | [implicit call] (...) => ... | LocalDataFlow.cs:397:25:397:42 | call to method Run |
| LocalDataFlow.cs:397:40:397:41 | "" | LocalDataFlow.cs:397:34:397:41 | return (...) => ... |
| LocalDataFlow.cs:397:34:397:41 | [output] (...) => ... | LocalDataFlow.cs:397:25:397:42 | call to method Run |
| LocalDataFlow.cs:398:15:398:23 | access to local variable nonSink21 | LocalDataFlow.cs:399:26:399:34 | access to local variable nonSink21 |
| LocalDataFlow.cs:399:9:399:34 | SSA def(nonSink0) | LocalDataFlow.cs:400:15:400:22 | access to local variable nonSink0 |
| LocalDataFlow.cs:399:20:399:34 | await ... | LocalDataFlow.cs:399:9:399:34 | SSA def(nonSink0) |
@@ -606,14 +598,16 @@
| LocalDataFlow.cs:429:18:429:30 | SSA def(sink72) | LocalDataFlow.cs:430:23:430:28 | access to local variable sink72 |
| LocalDataFlow.cs:435:17:435:24 | access to local variable nonSink0 | LocalDataFlow.cs:437:18:437:33 | SSA def(nonSink17) |
| LocalDataFlow.cs:437:18:437:33 | SSA def(nonSink17) | LocalDataFlow.cs:438:23:438:31 | access to local variable nonSink17 |
| LocalDataFlow.cs:447:37:447:38 | "" | LocalDataFlow.cs:447:12:447:24 | return TaintedMethod |
| LocalDataFlow.cs:449:40:449:41 | "" | LocalDataFlow.cs:449:12:449:27 | return NonTaintedMethod |
| LocalDataFlow.cs:458:41:458:45 | access to field anInt | LocalDataFlow.cs:458:28:458:30 | return get_AnInt |
| LocalDataFlow.cs:458:50:458:52 | value | LocalDataFlow.cs:458:50:458:52 | value |
| LocalDataFlow.cs:458:50:458:52 | value | LocalDataFlow.cs:458:64:458:68 | access to parameter value |
| LocalDataFlow.cs:464:41:464:47 | tainted | LocalDataFlow.cs:464:41:464:47 | tainted |
| LocalDataFlow.cs:464:41:464:47 | tainted | LocalDataFlow.cs:466:15:466:21 | access to parameter tainted |
| LocalDataFlow.cs:469:44:469:53 | nonTainted | LocalDataFlow.cs:469:44:469:53 | nonTainted |
| LocalDataFlow.cs:469:44:469:53 | nonTainted | LocalDataFlow.cs:471:15:471:24 | access to parameter nonTainted |
| SSA.cs:5:17:5:17 | SSA entry def(this.S) | SSA.cs:67:9:67:14 | access to field S |
| SSA.cs:5:26:5:32 | tainted | SSA.cs:5:26:5:32 | tainted |
| SSA.cs:5:26:5:32 | tainted | SSA.cs:8:24:8:30 | access to parameter tainted |
| SSA.cs:5:42:5:51 | nonTainted | SSA.cs:5:42:5:51 | nonTainted |
| SSA.cs:5:42:5:51 | nonTainted | SSA.cs:12:24:12:33 | access to parameter nonTainted |
| SSA.cs:8:13:8:30 | SSA def(ssaSink0) | SSA.cs:9:15:9:22 | access to local variable ssaSink0 |
| SSA.cs:8:24:8:30 | access to parameter tainted | SSA.cs:8:13:8:30 | SSA def(ssaSink0) |
@@ -790,16 +784,16 @@
| SSA.cs:136:23:136:28 | SSA def(this.S) | SSA.cs:137:15:137:20 | access to field S |
| SSA.cs:136:23:136:28 | SSA qualifier def(this.S.SsaFieldNonSink0) | SSA.cs:137:15:137:37 | access to field SsaFieldNonSink0 |
| SSA.cs:136:23:136:28 | access to field S | SSA.cs:136:23:136:28 | SSA def(this.S) |
| SSA.cs:144:34:144:34 | t | SSA.cs:144:34:144:34 | t |
| SSA.cs:144:34:144:34 | t | SSA.cs:146:13:146:13 | access to parameter t |
| SSA.cs:146:13:146:13 | (...) ... | SSA.cs:146:13:146:21 | ... == ... |
| SSA.cs:146:13:146:13 | access to parameter t | SSA.cs:146:13:146:13 | (...) ... |
| SSA.cs:146:13:146:13 | access to parameter t | SSA.cs:149:17:149:17 | access to parameter t |
| SSA.cs:147:13:147:26 | SSA def(t) | SSA.cs:144:17:144:26 | SSA phi(t) |
| SSA.cs:147:17:147:26 | default(...) | SSA.cs:144:34:144:34 | return (out/ref) Certain |
| SSA.cs:147:17:147:26 | default(...) | SSA.cs:147:13:147:26 | SSA def(t) |
| SSA.cs:149:13:149:17 | SSA def(t) | SSA.cs:144:17:144:26 | SSA phi(t) |
| SSA.cs:149:17:149:17 | access to parameter t | SSA.cs:144:34:144:34 | return (out/ref) Certain |
| SSA.cs:149:17:149:17 | access to parameter t | SSA.cs:149:13:149:17 | SSA def(t) |
| SSA.cs:152:36:152:36 | t | SSA.cs:152:36:152:36 | t |
| SSA.cs:152:36:152:36 | t | SSA.cs:154:13:154:13 | access to parameter t |
| SSA.cs:154:13:154:13 | (...) ... | SSA.cs:154:13:154:21 | ... == ... |
| SSA.cs:154:13:154:13 | access to parameter t | SSA.cs:152:17:152:28 | SSA phi(t) |
@@ -807,7 +801,9 @@
| SSA.cs:154:13:154:13 | access to parameter t | SSA.cs:155:25:155:25 | access to parameter t |
| SSA.cs:155:25:155:25 | SSA def(t) | SSA.cs:152:17:152:28 | SSA phi(t) |
| SSA.cs:155:25:155:25 | access to parameter t | SSA.cs:152:17:152:28 | SSA phi(t) |
| SSA.cs:168:22:168:28 | tainted | SSA.cs:168:22:168:28 | tainted |
| SSA.cs:168:22:168:28 | tainted | SSA.cs:173:24:173:30 | access to parameter tainted |
| SSA.cs:168:35:168:35 | i | SSA.cs:168:35:168:35 | i |
| SSA.cs:168:35:168:35 | i | SSA.cs:171:13:171:13 | access to parameter i |
| SSA.cs:170:16:170:28 | SSA def(ssaSink5) | SSA.cs:180:9:180:24 | SSA phi(ssaSink5) |
| SSA.cs:170:27:170:28 | "" | SSA.cs:170:16:170:28 | SSA def(ssaSink5) |
@@ -822,7 +818,9 @@
| SSA.cs:177:21:177:28 | access to local variable ssaSink5 | SSA.cs:176:21:176:28 | access to local variable ssaSink5 |
| SSA.cs:177:21:177:28 | access to local variable ssaSink5 | SSA.cs:180:9:180:24 | SSA phi(ssaSink5) |
| SSA.cs:180:9:180:24 | SSA phi(ssaSink5) | SSA.cs:180:15:180:22 | access to local variable ssaSink5 |
| Splitting.cs:3:18:3:18 | b | Splitting.cs:3:18:3:18 | b |
| Splitting.cs:3:18:3:18 | b | Splitting.cs:6:13:6:13 | access to parameter b |
| Splitting.cs:3:28:3:34 | tainted | Splitting.cs:3:28:3:34 | tainted |
| Splitting.cs:3:28:3:34 | tainted | Splitting.cs:5:17:5:23 | access to parameter tainted |
| Splitting.cs:5:13:5:23 | SSA def(x) | Splitting.cs:8:19:8:19 | [b (line 3): true] access to local variable x |
| Splitting.cs:5:13:5:23 | SSA def(x) | Splitting.cs:12:15:12:15 | [b (line 3): false] access to local variable x |
@@ -833,6 +831,7 @@
| Splitting.cs:9:17:9:17 | [b (line 3): true] access to local variable x | Splitting.cs:9:17:9:25 | [b (line 3): true] ... == ... |
| Splitting.cs:9:17:9:17 | [b (line 3): true] access to local variable x | Splitting.cs:12:15:12:15 | [b (line 3): true] access to local variable x |
| Splitting.cs:12:15:12:15 | [b (line 3): true] access to local variable x | Splitting.cs:14:19:14:19 | access to local variable x |
| Splitting.cs:17:18:17:18 | b | Splitting.cs:17:18:17:18 | b |
| Splitting.cs:17:18:17:18 | b | Splitting.cs:20:13:20:13 | access to parameter b |
| Splitting.cs:19:13:19:18 | SSA def(x) | Splitting.cs:22:19:22:19 | [b (line 17): true] access to local variable x |
| Splitting.cs:19:13:19:18 | SSA def(x) | Splitting.cs:25:15:25:15 | [b (line 17): false] access to local variable x |
@@ -843,6 +842,7 @@
| Splitting.cs:23:17:23:30 | [b (line 17): true] "taint source" | Splitting.cs:23:13:23:30 | [b (line 17): true] SSA def(x) |
| Splitting.cs:25:15:25:15 | [b (line 17): false] access to local variable x | Splitting.cs:29:19:29:19 | access to local variable x |
| Splitting.cs:25:15:25:15 | [b (line 17): true] access to local variable x | Splitting.cs:27:19:27:19 | access to local variable x |
| Splitting.cs:32:18:32:18 | b | Splitting.cs:32:18:32:18 | b |
| Splitting.cs:32:18:32:18 | b | Splitting.cs:35:13:35:13 | access to parameter b |
| Splitting.cs:35:13:35:13 | access to parameter b | Splitting.cs:39:15:39:15 | [b (line 32): false] access to parameter b |
| Splitting.cs:35:13:35:13 | access to parameter b | Splitting.cs:39:15:39:15 | [b (line 32): true] access to parameter b |
@@ -863,6 +863,7 @@
| Splitting.cs:40:23:40:23 | [b (line 32): true] access to local variable x | Splitting.cs:40:15:40:23 | [b (line 32): true] (...) ... |
| Splitting.cs:41:19:41:21 | [b (line 32): false] "d" | Splitting.cs:41:15:41:21 | [b (line 32): false] ... = ... |
| Splitting.cs:41:19:41:21 | [b (line 32): true] "d" | Splitting.cs:41:15:41:21 | [b (line 32): true] ... = ... |
| Splitting.cs:46:18:46:18 | b | Splitting.cs:46:18:46:18 | b |
| Splitting.cs:46:18:46:18 | b | Splitting.cs:49:13:49:13 | access to parameter b |
| Splitting.cs:48:13:48:18 | SSA def(x) | Splitting.cs:53:13:53:13 | [b (line 46): false] access to local variable x |
| Splitting.cs:48:17:48:18 | "" | Splitting.cs:48:13:48:18 | SSA def(x) |


@@ -1,40 +1,40 @@
| in | Capture.cs:6:16:6:16 | i | Capture.cs:6:16:6:16 | SSA param(i) | Capture.cs:10:20:27:9 | SSA capture def(i) | Capture.cs:38:9:38:11 | delegate call |
| in | Capture.cs:6:16:6:16 | i | Capture.cs:6:16:6:16 | SSA param(i) | Capture.cs:10:20:27:9 | SSA capture def(i) | Capture.cs:44:9:44:12 | call to method M |
| in | Capture.cs:8:13:8:13 | x | Capture.cs:8:13:8:17 | SSA def(x) | Capture.cs:19:24:23:13 | SSA capture def(x) | Capture.cs:38:9:38:11 | delegate call |
| in | Capture.cs:8:13:8:13 | x | Capture.cs:15:13:15:17 | SSA def(x) | Capture.cs:19:24:23:13 | SSA capture def(x) | Capture.cs:25:13:25:15 | delegate call |
| in | Capture.cs:8:13:8:13 | x | Capture.cs:43:9:43:13 | SSA def(x) | Capture.cs:19:24:23:13 | SSA capture def(x) | Capture.cs:44:9:44:12 | call to method M |
| in | Capture.cs:17:17:17:17 | y | Capture.cs:17:17:17:21 | SSA def(y) | Capture.cs:19:24:23:13 | SSA capture def(y) | Capture.cs:25:13:25:15 | delegate call |
| in | Capture.cs:59:13:59:13 | i | Capture.cs:59:13:59:17 | SSA def(i) | Capture.cs:60:31:60:38 | SSA capture def(i) | Capture.cs:61:9:61:25 | call to method Select |
| in | Capture.cs:67:13:67:13 | c | Capture.cs:67:13:67:19 | SSA def(c) | Capture.cs:68:32:68:49 | SSA capture def(c) | Capture.cs:68:18:68:50 | call to method Where |
| in | Capture.cs:67:13:67:13 | c | Capture.cs:67:13:67:19 | SSA def(c) | Capture.cs:69:9:69:62 | SSA capture def(c) | Capture.cs:70:9:70:25 | call to method Select |
| in | Capture.cs:75:13:75:13 | i | Capture.cs:75:13:75:17 | SSA def(i) | Capture.cs:76:67:76:81 | SSA capture def(i) | Capture.cs:77:9:77:25 | call to method Select |
| in | Capture.cs:85:13:85:13 | b | Capture.cs:85:13:85:20 | SSA def(b) | Capture.cs:86:68:86:73 | SSA capture def(b) | Capture.cs:87:9:87:24 | call to method Where |
| in | Capture.cs:94:13:94:13 | y | Capture.cs:94:13:94:18 | SSA def(y) | Capture.cs:96:12:100:9 | SSA capture def(y) | Capture.cs:96:9:100:10 | call to local function fn |
| in | Capture.cs:94:13:94:13 | y | Capture.cs:94:13:94:18 | SSA def(y) | Capture.cs:96:12:100:9 | SSA capture def(y) | Capture.cs:103:9:107:10 | call to local function fn |
| in | Capture.cs:114:13:114:13 | a | Capture.cs:114:13:114:18 | SSA def(a) | Capture.cs:115:9:119:9 | SSA capture def(a) | Capture.cs:120:9:120:12 | call to local function M1 |
| in | Capture.cs:182:17:182:17 | i | Capture.cs:182:17:182:21 | SSA def(i) | Capture.cs:183:13:186:13 | SSA capture def(i) | Capture.cs:187:13:187:17 | call to local function M10 |
| in | Capture.cs:182:17:182:17 | i | Capture.cs:188:13:188:17 | SSA def(i) | Capture.cs:183:13:186:13 | SSA capture def(i) | Capture.cs:189:13:189:17 | call to local function M11 |
| in | Capture.cs:197:17:197:17 | i | Capture.cs:197:17:197:21 | SSA def(i) | Capture.cs:198:33:198:44 | SSA capture def(i) | Capture.cs:200:13:200:19 | delegate call |
| in | Capture.cs:197:17:197:17 | i | Capture.cs:197:17:197:21 | SSA def(i) | Capture.cs:203:34:203:45 | SSA capture def(i) | Capture.cs:200:13:200:19 | delegate call |
| in | Capture.cs:209:17:209:17 | i | Capture.cs:209:17:209:21 | SSA def(i) | Capture.cs:212:39:212:71 | SSA capture def(i) | Capture.cs:213:17:213:24 | access to event Exited |
| in | Capture.cs:229:13:229:13 | i | Capture.cs:232:9:232:13 | SSA def(i) | Capture.cs:231:9:231:49 | SSA capture def(i) | Capture.cs:233:9:233:12 | call to local function M2 |
| in | Fields.cs:77:13:77:13 | f | Fields.cs:77:13:77:45 | SSA def(f) | Fields.cs:78:27:78:54 | SSA capture def(f) | Fields.cs:81:9:81:11 | delegate call |
| in | Fields.cs:77:13:77:13 | f | Fields.cs:77:13:77:45 | SSA def(f) | Fields.cs:78:27:78:54 | SSA capture def(f) | Fields.cs:86:9:86:47 | call to method Select |
| in | Fields.cs:78:23:78:23 | a | Fields.cs:78:23:78:54 | SSA def(a) | Fields.cs:86:24:86:46 | SSA capture def(a) | Fields.cs:86:9:86:47 | call to method Select |
| in | Fields.cs:79:23:79:23 | b | Fields.cs:79:23:79:35 | SSA def(b) | Fields.cs:89:24:89:46 | SSA capture def(b) | Fields.cs:89:9:89:47 | call to method Select |
| in | Properties.cs:73:13:73:13 | f | Properties.cs:73:13:73:32 | SSA def(f) | Properties.cs:74:27:74:54 | SSA capture def(f) | Properties.cs:77:9:77:11 | delegate call |
| in | Properties.cs:73:13:73:13 | f | Properties.cs:73:13:73:32 | SSA def(f) | Properties.cs:74:27:74:54 | SSA capture def(f) | Properties.cs:82:9:82:47 | call to method Select |
| in | Properties.cs:74:23:74:23 | a | Properties.cs:74:23:74:54 | SSA def(a) | Properties.cs:82:24:82:46 | SSA capture def(a) | Properties.cs:82:9:82:47 | call to method Select |
| in | Properties.cs:75:23:75:23 | b | Properties.cs:75:23:75:35 | SSA def(b) | Properties.cs:85:24:85:46 | SSA capture def(b) | Properties.cs:85:9:85:47 | call to method Select |
| out | Capture.cs:6:16:6:16 | i | Capture.cs:13:13:13:17 | SSA def(i) | Capture.cs:38:9:38:11 | SSA call def(i) | Capture.cs:38:9:38:11 | delegate call |
| out | Capture.cs:8:13:8:13 | x | Capture.cs:15:13:15:17 | SSA def(x) | Capture.cs:38:9:38:11 | SSA call def(x) | Capture.cs:38:9:38:11 | delegate call |
| out | Capture.cs:8:13:8:13 | x | Capture.cs:15:13:15:17 | SSA def(x) | Capture.cs:44:9:44:12 | SSA call def(x) | Capture.cs:44:9:44:12 | call to method M |
| out | Capture.cs:29:13:29:13 | z | Capture.cs:30:28:30:32 | SSA def(z) | Capture.cs:32:9:32:11 | SSA call def(z) | Capture.cs:32:9:32:11 | delegate call |
| out | Capture.cs:50:20:50:20 | a | Capture.cs:52:28:52:40 | SSA def(a) | Capture.cs:53:9:53:11 | SSA call def(a) | Capture.cs:53:9:53:11 | delegate call |
| out | Capture.cs:59:13:59:13 | i | Capture.cs:60:36:60:38 | SSA def(i) | Capture.cs:61:9:61:25 | SSA call def(i) | Capture.cs:61:9:61:25 | call to method Select |
| out | Capture.cs:75:13:75:13 | i | Capture.cs:76:80:76:80 | SSA def(i) | Capture.cs:77:9:77:25 | SSA call def(i) | Capture.cs:77:9:77:25 | call to method Select |
| out | Capture.cs:130:13:130:13 | c | Capture.cs:133:13:133:17 | SSA def(c) | Capture.cs:136:9:136:12 | SSA call def(c) | Capture.cs:136:9:136:12 | call to local function M3 |
| out | Capture.cs:139:13:139:13 | d | Capture.cs:142:13:142:17 | SSA def(d) | Capture.cs:144:9:144:12 | SSA call def(d) | Capture.cs:144:9:144:12 | call to local function M4 |
| out | Capture.cs:168:13:168:13 | h | Capture.cs:174:17:174:21 | SSA def(h) | Capture.cs:176:13:176:16 | SSA call def(h) | Capture.cs:176:13:176:16 | call to local function M9 |
| out | Capture.cs:229:13:229:13 | i | Capture.cs:235:21:235:25 | SSA def(i) | Capture.cs:236:9:236:12 | SSA call def(i) | Capture.cs:236:9:236:12 | call to local function M3 |
| out | DefUse.cs:167:23:167:23 | i | DefUse.cs:173:13:173:17 | SSA def(i) | DefUse.cs:181:9:181:11 | SSA call def(i) | DefUse.cs:181:9:181:11 | delegate call |
| in | Capture.cs:6:16:6:16 | i | Capture.cs:6:16:6:16 | SSA param(i) | Capture.cs:10:20:27:9 | SSA capture def(i) | Capture.cs:38:9:38:11 | delegate call | false |
| in | Capture.cs:6:16:6:16 | i | Capture.cs:6:16:6:16 | SSA param(i) | Capture.cs:10:20:27:9 | SSA capture def(i) | Capture.cs:44:9:44:12 | call to method M | true |
| in | Capture.cs:8:13:8:13 | x | Capture.cs:8:13:8:17 | SSA def(x) | Capture.cs:19:24:23:13 | SSA capture def(x) | Capture.cs:38:9:38:11 | delegate call | true |
| in | Capture.cs:8:13:8:13 | x | Capture.cs:15:13:15:17 | SSA def(x) | Capture.cs:19:24:23:13 | SSA capture def(x) | Capture.cs:25:13:25:15 | delegate call | false |
| in | Capture.cs:8:13:8:13 | x | Capture.cs:43:9:43:13 | SSA def(x) | Capture.cs:19:24:23:13 | SSA capture def(x) | Capture.cs:44:9:44:12 | call to method M | true |
| in | Capture.cs:17:17:17:17 | y | Capture.cs:17:17:17:21 | SSA def(y) | Capture.cs:19:24:23:13 | SSA capture def(y) | Capture.cs:25:13:25:15 | delegate call | false |
| in | Capture.cs:59:13:59:13 | i | Capture.cs:59:13:59:17 | SSA def(i) | Capture.cs:60:31:60:38 | SSA capture def(i) | Capture.cs:61:9:61:25 | call to method Select | false |
| in | Capture.cs:67:13:67:13 | c | Capture.cs:67:13:67:19 | SSA def(c) | Capture.cs:68:32:68:49 | SSA capture def(c) | Capture.cs:68:18:68:50 | call to method Where | false |
| in | Capture.cs:67:13:67:13 | c | Capture.cs:67:13:67:19 | SSA def(c) | Capture.cs:69:9:69:62 | SSA capture def(c) | Capture.cs:70:9:70:25 | call to method Select | false |
| in | Capture.cs:75:13:75:13 | i | Capture.cs:75:13:75:17 | SSA def(i) | Capture.cs:76:67:76:81 | SSA capture def(i) | Capture.cs:77:9:77:25 | call to method Select | false |
| in | Capture.cs:85:13:85:13 | b | Capture.cs:85:13:85:20 | SSA def(b) | Capture.cs:86:68:86:73 | SSA capture def(b) | Capture.cs:87:9:87:24 | call to method Where | false |
| in | Capture.cs:94:13:94:13 | y | Capture.cs:94:13:94:18 | SSA def(y) | Capture.cs:96:12:100:9 | SSA capture def(y) | Capture.cs:96:9:100:10 | call to local function fn | true |
| in | Capture.cs:94:13:94:13 | y | Capture.cs:94:13:94:18 | SSA def(y) | Capture.cs:96:12:100:9 | SSA capture def(y) | Capture.cs:103:9:107:10 | call to local function fn | true |
| in | Capture.cs:114:13:114:13 | a | Capture.cs:114:13:114:18 | SSA def(a) | Capture.cs:115:9:119:9 | SSA capture def(a) | Capture.cs:120:9:120:12 | call to local function M1 | false |
| in | Capture.cs:182:17:182:17 | i | Capture.cs:182:17:182:21 | SSA def(i) | Capture.cs:183:13:186:13 | SSA capture def(i) | Capture.cs:187:13:187:17 | call to local function M10 | true |
| in | Capture.cs:182:17:182:17 | i | Capture.cs:188:13:188:17 | SSA def(i) | Capture.cs:183:13:186:13 | SSA capture def(i) | Capture.cs:189:13:189:17 | call to local function M11 | false |
| in | Capture.cs:197:17:197:17 | i | Capture.cs:197:17:197:21 | SSA def(i) | Capture.cs:198:33:198:44 | SSA capture def(i) | Capture.cs:200:13:200:19 | delegate call | false |
| in | Capture.cs:197:17:197:17 | i | Capture.cs:197:17:197:21 | SSA def(i) | Capture.cs:203:34:203:45 | SSA capture def(i) | Capture.cs:200:13:200:19 | delegate call | false |
| in | Capture.cs:209:17:209:17 | i | Capture.cs:209:17:209:21 | SSA def(i) | Capture.cs:212:39:212:71 | SSA capture def(i) | Capture.cs:213:17:213:24 | access to event Exited | false |
| in | Capture.cs:229:13:229:13 | i | Capture.cs:232:9:232:13 | SSA def(i) | Capture.cs:231:9:231:49 | SSA capture def(i) | Capture.cs:233:9:233:12 | call to local function M2 | false |
| in | Fields.cs:77:13:77:13 | f | Fields.cs:77:13:77:45 | SSA def(f) | Fields.cs:78:27:78:54 | SSA capture def(f) | Fields.cs:81:9:81:11 | delegate call | false |
| in | Fields.cs:77:13:77:13 | f | Fields.cs:77:13:77:45 | SSA def(f) | Fields.cs:78:27:78:54 | SSA capture def(f) | Fields.cs:86:9:86:47 | call to method Select | true |
| in | Fields.cs:78:23:78:23 | a | Fields.cs:78:23:78:54 | SSA def(a) | Fields.cs:86:24:86:46 | SSA capture def(a) | Fields.cs:86:9:86:47 | call to method Select | false |
| in | Fields.cs:79:23:79:23 | b | Fields.cs:79:23:79:35 | SSA def(b) | Fields.cs:89:24:89:46 | SSA capture def(b) | Fields.cs:89:9:89:47 | call to method Select | false |
| in | Properties.cs:73:13:73:13 | f | Properties.cs:73:13:73:32 | SSA def(f) | Properties.cs:74:27:74:54 | SSA capture def(f) | Properties.cs:77:9:77:11 | delegate call | false |
| in | Properties.cs:73:13:73:13 | f | Properties.cs:73:13:73:32 | SSA def(f) | Properties.cs:74:27:74:54 | SSA capture def(f) | Properties.cs:82:9:82:47 | call to method Select | true |
| in | Properties.cs:74:23:74:23 | a | Properties.cs:74:23:74:54 | SSA def(a) | Properties.cs:82:24:82:46 | SSA capture def(a) | Properties.cs:82:9:82:47 | call to method Select | false |
| in | Properties.cs:75:23:75:23 | b | Properties.cs:75:23:75:35 | SSA def(b) | Properties.cs:85:24:85:46 | SSA capture def(b) | Properties.cs:85:9:85:47 | call to method Select | false |
| out | Capture.cs:6:16:6:16 | i | Capture.cs:13:13:13:17 | SSA def(i) | Capture.cs:38:9:38:11 | SSA call def(i) | Capture.cs:38:9:38:11 | delegate call | false |
| out | Capture.cs:8:13:8:13 | x | Capture.cs:15:13:15:17 | SSA def(x) | Capture.cs:38:9:38:11 | SSA call def(x) | Capture.cs:38:9:38:11 | delegate call | false |
| out | Capture.cs:8:13:8:13 | x | Capture.cs:15:13:15:17 | SSA def(x) | Capture.cs:44:9:44:12 | SSA call def(x) | Capture.cs:44:9:44:12 | call to method M | true |
| out | Capture.cs:29:13:29:13 | z | Capture.cs:30:28:30:32 | SSA def(z) | Capture.cs:32:9:32:11 | SSA call def(z) | Capture.cs:32:9:32:11 | delegate call | false |
| out | Capture.cs:50:20:50:20 | a | Capture.cs:52:28:52:40 | SSA def(a) | Capture.cs:53:9:53:11 | SSA call def(a) | Capture.cs:53:9:53:11 | delegate call | false |
| out | Capture.cs:59:13:59:13 | i | Capture.cs:60:36:60:38 | SSA def(i) | Capture.cs:61:9:61:25 | SSA call def(i) | Capture.cs:61:9:61:25 | call to method Select | false |
| out | Capture.cs:75:13:75:13 | i | Capture.cs:76:80:76:80 | SSA def(i) | Capture.cs:77:9:77:25 | SSA call def(i) | Capture.cs:77:9:77:25 | call to method Select | false |
| out | Capture.cs:130:13:130:13 | c | Capture.cs:133:13:133:17 | SSA def(c) | Capture.cs:136:9:136:12 | SSA call def(c) | Capture.cs:136:9:136:12 | call to local function M3 | false |
| out | Capture.cs:139:13:139:13 | d | Capture.cs:142:13:142:17 | SSA def(d) | Capture.cs:144:9:144:12 | SSA call def(d) | Capture.cs:144:9:144:12 | call to local function M4 | false |
| out | Capture.cs:168:13:168:13 | h | Capture.cs:174:17:174:21 | SSA def(h) | Capture.cs:176:13:176:16 | SSA call def(h) | Capture.cs:176:13:176:16 | call to local function M9 | false |
| out | Capture.cs:229:13:229:13 | i | Capture.cs:235:21:235:25 | SSA def(i) | Capture.cs:236:9:236:12 | SSA call def(i) | Capture.cs:236:9:236:12 | call to local function M3 | false |
| out | DefUse.cs:167:23:167:23 | i | DefUse.cs:173:13:173:17 | SSA def(i) | DefUse.cs:181:9:181:11 | SSA call def(i) | DefUse.cs:181:9:181:11 | delegate call | false |


@@ -1,10 +1,10 @@
import csharp
from string inout, Ssa::ExplicitDefinition def, Ssa::Definition targetDef, Call c
from string inout, Ssa::ExplicitDefinition def, Ssa::Definition targetDef, ControlFlow::Node call, boolean additionalCalls
where
inout = "in" and def.isCapturedVariableDefinitionFlowIn(targetDef, c)
inout = "in" and def.isCapturedVariableDefinitionFlowIn(targetDef, call, additionalCalls)
or
inout = "out" and
def.isCapturedVariableDefinitionFlowOut(targetDef) and
targetDef.(Ssa::ImplicitCallDefinition).getCall() = c
select inout, def.getSourceVariable(), def, targetDef, c
def.isCapturedVariableDefinitionFlowOut(targetDef, additionalCalls) and
targetDef.(Ssa::ImplicitCallDefinition).getControlFlowNode() = call
select inout, def.getSourceVariable(), def, targetDef, call, additionalCalls
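Review bot: The new `additionalCalls` variable in the `from` and `select` clauses has no comment, so the `true`/`false` column it adds to the expected output cannot be interpreted without looking up `isCapturedVariableDefinitionFlowIn` and `isCapturedVariableDefinitionFlowOut`, which are defined outside this file. A one-line comment above `from` would cover it, for example `// additionalCalls: the boolean bound by the Ssa flow-in/flow-out predicate for this row (see its QLDoc)`. The same comment could mention that the last column is now a `ControlFlow::Node` rather than a `Call`, since the "out" branch matches on `getControlFlowNode()`.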


@@ -6,15 +6,6 @@ edges
| TaintedPath.cs:12:23:12:45 | access to property QueryString | TaintedPath.cs:38:25:38:31 | access to local variable badPath |
| TaintedPath.cs:12:23:12:45 | access to property QueryString | TaintedPath.cs:40:49:40:55 | access to local variable badPath |
| TaintedPath.cs:12:23:12:45 | access to property QueryString | TaintedPath.cs:53:26:53:29 | access to local variable path |
nodes
| TaintedPath.cs:12:23:12:45 | access to property QueryString |
| TaintedPath.cs:14:50:14:53 | access to local variable path |
| TaintedPath.cs:19:51:19:54 | access to local variable path |
| TaintedPath.cs:27:30:27:33 | access to local variable path |
| TaintedPath.cs:33:30:33:33 | access to local variable path |
| TaintedPath.cs:38:25:38:31 | access to local variable badPath |
| TaintedPath.cs:40:49:40:55 | access to local variable badPath |
| TaintedPath.cs:53:26:53:29 | access to local variable path |
#select
| TaintedPath.cs:14:50:14:53 | access to local variable path | TaintedPath.cs:12:23:12:45 | access to property QueryString | TaintedPath.cs:14:50:14:53 | access to local variable path | $@ flows to here and is used in a path. | TaintedPath.cs:12:23:12:45 | access to property QueryString | User-provided value |
| TaintedPath.cs:19:51:19:54 | access to local variable path | TaintedPath.cs:12:23:12:45 | access to property QueryString | TaintedPath.cs:19:51:19:54 | access to local variable path | $@ flows to here and is used in a path. | TaintedPath.cs:12:23:12:45 | access to property QueryString | User-provided value |


@@ -1,30 +1,13 @@
edges
| ZipSlip.cs:16:52:16:65 | access to property FullName | ZipSlip.cs:32:41:32:52 | access to local variable destFilePath |
| ZipSlip.cs:16:52:16:65 | access to property FullName | ZipSlip.cs:36:45:36:56 | access to local variable destFilePath |
| ZipSlip.cs:16:52:16:65 | access to property FullName | ZipSlip.cs:39:53:39:89 | call to method Combine |
| ZipSlip.cs:16:52:16:65 | access to property FullName | ZipSlip.cs:40:41:40:52 | access to local variable destFilePath |
| ZipSlip.cs:19:31:19:44 | access to property FullName | ZipSlip.cs:24:41:24:52 | access to local variable destFileName |
| ZipSlip.cs:39:53:39:89 | call to method Combine | ZipSlip.cs:40:41:40:52 | access to local variable destFilePath |
| ZipSlip.cs:62:72:62:85 | access to property FullName | ZipSlip.cs:69:74:69:85 | access to local variable destFilePath |
| ZipSlip.cs:62:72:62:85 | access to property FullName | ZipSlip.cs:76:71:76:82 | access to local variable destFilePath |
| ZipSlip.cs:62:72:62:85 | access to property FullName | ZipSlip.cs:83:57:83:68 | access to local variable destFilePath |
| ZipSlip.cs:62:72:62:85 | access to property FullName | ZipSlip.cs:91:58:91:69 | access to local variable destFilePath |
| ZipSlipBad.cs:9:59:9:72 | access to property FullName | ZipSlipBad.cs:10:29:10:40 | access to local variable destFileName |
nodes
| ZipSlip.cs:16:52:16:65 | access to property FullName |
| ZipSlip.cs:19:31:19:44 | access to property FullName |
| ZipSlip.cs:24:41:24:52 | access to local variable destFileName |
| ZipSlip.cs:32:41:32:52 | access to local variable destFilePath |
| ZipSlip.cs:36:45:36:56 | access to local variable destFilePath |
| ZipSlip.cs:39:53:39:89 | call to method Combine |
| ZipSlip.cs:40:41:40:52 | access to local variable destFilePath |
| ZipSlip.cs:62:72:62:85 | access to property FullName |
| ZipSlip.cs:69:74:69:85 | access to local variable destFilePath |
| ZipSlip.cs:76:71:76:82 | access to local variable destFilePath |
| ZipSlip.cs:83:57:83:68 | access to local variable destFilePath |
| ZipSlip.cs:91:58:91:69 | access to local variable destFilePath |
| ZipSlipBad.cs:9:59:9:72 | access to property FullName |
| ZipSlipBad.cs:10:29:10:40 | access to local variable destFileName |
#select
| ZipSlip.cs:24:41:24:52 | access to local variable destFileName | ZipSlip.cs:19:31:19:44 | access to property FullName | ZipSlip.cs:24:41:24:52 | access to local variable destFileName | Unsanitized zip archive $@, which may contain '..', is used in a file system operation. | ZipSlip.cs:19:31:19:44 | access to property FullName | item path |
| ZipSlip.cs:32:41:32:52 | access to local variable destFilePath | ZipSlip.cs:16:52:16:65 | access to property FullName | ZipSlip.cs:32:41:32:52 | access to local variable destFilePath | Unsanitized zip archive $@, which may contain '..', is used in a file system operation. | ZipSlip.cs:16:52:16:65 | access to property FullName | item path |


@@ -6,15 +6,6 @@ edges
| CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | CommandInjection.cs:32:39:32:47 | access to local variable userInput |
| CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | CommandInjection.cs:33:40:33:48 | access to local variable userInput |
| CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | CommandInjection.cs:34:47:34:55 | access to local variable userInput |
nodes
| CommandInjection.cs:25:32:25:46 | access to field categoryTextBox |
| CommandInjection.cs:26:27:26:47 | ... + ... |
| CommandInjection.cs:26:50:26:66 | ... + ... |
| CommandInjection.cs:28:63:28:71 | access to local variable userInput |
| CommandInjection.cs:28:74:28:82 | access to local variable userInput |
| CommandInjection.cs:32:39:32:47 | access to local variable userInput |
| CommandInjection.cs:33:40:33:48 | access to local variable userInput |
| CommandInjection.cs:34:47:34:55 | access to local variable userInput |
#select
| CommandInjection.cs:26:27:26:47 | ... + ... | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | CommandInjection.cs:26:27:26:47 | ... + ... | $@ flows to here and is used in a command. | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | User-provided value |
| CommandInjection.cs:26:50:26:66 | ... + ... | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | CommandInjection.cs:26:50:26:66 | ... + ... | $@ flows to here and is used in a command. | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | User-provided value |


@@ -1,7 +1,4 @@
edges
| StoredCommandInjection.cs:24:54:24:80 | call to method GetString | StoredCommandInjection.cs:24:46:24:80 | ... + ... |
nodes
| StoredCommandInjection.cs:24:46:24:80 | ... + ... |
| StoredCommandInjection.cs:24:54:24:80 | call to method GetString |
#select
| StoredCommandInjection.cs:24:46:24:80 | ... + ... | StoredCommandInjection.cs:24:54:24:80 | call to method GetString | StoredCommandInjection.cs:24:46:24:80 | ... + ... | $@ flows to here and is used in a command. | StoredCommandInjection.cs:24:54:24:80 | call to method GetString | Stored user-provided value |


@@ -1,7 +1,4 @@
edges
| StoredXSS.cs:24:60:24:86 | call to method GetString | StoredXSS.cs:24:44:24:86 | ... + ... |
nodes
| StoredXSS.cs:24:44:24:86 | ... + ... |
| StoredXSS.cs:24:60:24:86 | call to method GetString |
#select
| StoredXSS.cs:24:44:24:86 | ... + ... | StoredXSS.cs:24:60:24:86 | call to method GetString | StoredXSS.cs:24:44:24:86 | ... + ... | $@ flows to here and is written to HTML or JavaScript. | StoredXSS.cs:24:60:24:86 | call to method GetString | Stored user-provided value |


@@ -1,7 +1,4 @@
edges
| SecondOrderSqlInjection.cs:21:119:21:145 | call to method GetString | SecondOrderSqlInjection.cs:21:71:21:145 | ... + ... |
nodes
| SecondOrderSqlInjection.cs:21:71:21:145 | ... + ... |
| SecondOrderSqlInjection.cs:21:119:21:145 | call to method GetString |
#select
| SecondOrderSqlInjection.cs:21:71:21:145 | ... + ... | SecondOrderSqlInjection.cs:21:119:21:145 | call to method GetString | SecondOrderSqlInjection.cs:21:71:21:145 | ... + ... | $@ flows to here and is used in an SQL query. | SecondOrderSqlInjection.cs:21:119:21:145 | call to method GetString | Stored user-provided value |


@@ -1,36 +1,14 @@
edges
| SqlInjection.cs:38:21:38:35 | access to field categoryTextBox | SqlInjection.cs:39:50:39:55 | access to local variable query1 |
| SqlInjection.cs:38:21:38:35 | access to field categoryTextBox | SqlInjection.cs:49:62:49:81 | access to property Text |
| SqlInjection.cs:38:21:38:35 | access to field categoryTextBox | SqlInjection.cs:61:62:61:81 | access to property Text |
| SqlInjection.cs:38:21:38:35 | access to field categoryTextBox | SqlInjection.cs:74:56:74:61 | access to local variable query1 |
| SqlInjection.cs:38:21:38:35 | access to field categoryTextBox | SqlInjection.cs:75:55:75:60 | access to local variable query1 |
| SqlInjection.cs:49:62:49:76 | access to field categoryTextBox | SqlInjection.cs:49:62:49:81 | access to property Text |
| SqlInjection.cs:49:62:49:76 | access to field categoryTextBox | SqlInjection.cs:61:62:61:81 | access to property Text |
| SqlInjection.cs:49:62:49:76 | access to field categoryTextBox | SqlInjection.cs:74:56:74:61 | access to local variable query1 |
| SqlInjection.cs:49:62:49:76 | access to field categoryTextBox | SqlInjection.cs:75:55:75:60 | access to local variable query1 |
| SqlInjection.cs:49:62:49:81 | access to property Text | SqlInjection.cs:61:62:61:81 | access to property Text |
| SqlInjection.cs:49:62:49:81 | access to property Text | SqlInjection.cs:74:56:74:61 | access to local variable query1 |
| SqlInjection.cs:49:62:49:81 | access to property Text | SqlInjection.cs:75:55:75:60 | access to local variable query1 |
| SqlInjection.cs:61:62:61:76 | access to field categoryTextBox | SqlInjection.cs:61:62:61:81 | access to property Text |
| SqlInjection.cs:61:62:61:76 | access to field categoryTextBox | SqlInjection.cs:74:56:74:61 | access to local variable query1 |
| SqlInjection.cs:61:62:61:76 | access to field categoryTextBox | SqlInjection.cs:75:55:75:60 | access to local variable query1 |
| SqlInjection.cs:61:62:61:81 | access to property Text | SqlInjection.cs:74:56:74:61 | access to local variable query1 |
| SqlInjection.cs:61:62:61:81 | access to property Text | SqlInjection.cs:75:55:75:60 | access to local variable query1 |
| SqlInjection.cs:73:33:73:47 | access to field categoryTextBox | SqlInjection.cs:74:56:74:61 | access to local variable query1 |
| SqlInjection.cs:73:33:73:47 | access to field categoryTextBox | SqlInjection.cs:75:55:75:60 | access to local variable query1 |
| SqlInjection.cs:87:21:87:29 | access to property Text | SqlInjection.cs:88:50:88:55 | access to local variable query1 |
nodes
| SqlInjection.cs:38:21:38:35 | access to field categoryTextBox |
| SqlInjection.cs:39:50:39:55 | access to local variable query1 |
| SqlInjection.cs:49:62:49:76 | access to field categoryTextBox |
| SqlInjection.cs:49:62:49:81 | access to property Text |
| SqlInjection.cs:61:62:61:76 | access to field categoryTextBox |
| SqlInjection.cs:61:62:61:81 | access to property Text |
| SqlInjection.cs:73:33:73:47 | access to field categoryTextBox |
| SqlInjection.cs:74:56:74:61 | access to local variable query1 |
| SqlInjection.cs:75:55:75:60 | access to local variable query1 |
| SqlInjection.cs:87:21:87:29 | access to property Text |
| SqlInjection.cs:88:50:88:55 | access to local variable query1 |
#select
| SqlInjection.cs:39:50:39:55 | access to local variable query1 | SqlInjection.cs:38:21:38:35 | access to field categoryTextBox | SqlInjection.cs:39:50:39:55 | access to local variable query1 | Query might include code from $@. | SqlInjection.cs:38:21:38:35 | access to field categoryTextBox | this ASP.NET user input |
| SqlInjection.cs:74:56:74:61 | access to local variable query1 | SqlInjection.cs:38:21:38:35 | access to field categoryTextBox | SqlInjection.cs:74:56:74:61 | access to local variable query1 | Query might include code from $@. | SqlInjection.cs:38:21:38:35 | access to field categoryTextBox | this ASP.NET user input |


@@ -5,14 +5,6 @@ edges
| LDAPInjection.cs:13:27:13:49 | access to property QueryString | LDAPInjection.cs:26:53:26:77 | ... + ... |
| LDAPInjection.cs:13:27:13:49 | access to property QueryString | LDAPInjection.cs:29:48:29:70 | ... + ... |
| LDAPInjection.cs:13:27:13:49 | access to property QueryString | LDAPInjection.cs:31:20:31:42 | ... + ... |
nodes
| LDAPInjection.cs:13:27:13:49 | access to property QueryString |
| LDAPInjection.cs:16:54:16:78 | ... + ... |
| LDAPInjection.cs:18:21:18:45 | ... + ... |
| LDAPInjection.cs:25:21:25:45 | ... + ... |
| LDAPInjection.cs:26:53:26:77 | ... + ... |
| LDAPInjection.cs:29:48:29:70 | ... + ... |
| LDAPInjection.cs:31:20:31:42 | ... + ... |
#select
| LDAPInjection.cs:16:54:16:78 | ... + ... | LDAPInjection.cs:13:27:13:49 | access to property QueryString | LDAPInjection.cs:16:54:16:78 | ... + ... | $@ flows to here and is used in an LDAP query. | LDAPInjection.cs:13:27:13:49 | access to property QueryString | User-provided value |
| LDAPInjection.cs:18:21:18:45 | ... + ... | LDAPInjection.cs:13:27:13:49 | access to property QueryString | LDAPInjection.cs:18:21:18:45 | ... + ... | $@ flows to here and is used in an LDAP query. | LDAPInjection.cs:13:27:13:49 | access to property QueryString | User-provided value |


@@ -1,7 +1,4 @@
edges
| StoredLDAPInjection.cs:24:83:24:109 | call to method GetString | StoredLDAPInjection.cs:24:66:24:109 | ... + ... |
nodes
| StoredLDAPInjection.cs:24:66:24:109 | ... + ... |
| StoredLDAPInjection.cs:24:83:24:109 | call to method GetString |
#select
| StoredLDAPInjection.cs:24:66:24:109 | ... + ... | StoredLDAPInjection.cs:24:83:24:109 | call to method GetString | StoredLDAPInjection.cs:24:66:24:109 | ... + ... | $@ flows to here and is used in an LDAP query. | StoredLDAPInjection.cs:24:83:24:109 | call to method GetString | Stored user-provided value |


@@ -1,11 +1,7 @@
edges
| CodeInjection.cs:25:23:25:45 | access to property QueryString | CodeInjection.cs:31:64:31:67 | access to local variable code |
| CodeInjection.cs:25:23:25:45 | access to property QueryString | CodeInjection.cs:42:36:42:39 | access to local variable code |
nodes
| CodeInjection.cs:25:23:25:45 | access to property QueryString |
| CodeInjection.cs:31:64:31:67 | access to local variable code |
| CodeInjection.cs:42:36:42:39 | access to local variable code |
| CodeInjection.cs:58:36:58:44 | access to property Text |
| CodeInjection.cs:58:36:58:44 | access to property Text | CodeInjection.cs:58:36:58:44 | access to property Text |
#select
| CodeInjection.cs:31:64:31:67 | access to local variable code | CodeInjection.cs:25:23:25:45 | access to property QueryString | CodeInjection.cs:31:64:31:67 | access to local variable code | $@ flows to here and is compiled as code. | CodeInjection.cs:25:23:25:45 | access to property QueryString | User-provided value |
| CodeInjection.cs:42:36:42:39 | access to local variable code | CodeInjection.cs:25:23:25:45 | access to property QueryString | CodeInjection.cs:42:36:42:39 | access to local variable code | $@ flows to here and is compiled as code. | CodeInjection.cs:25:23:25:45 | access to property QueryString | User-provided value |


@@ -1,10 +1,6 @@
edges
| ResourceInjection.cs:10:27:10:49 | access to property QueryString | ResourceInjection.cs:13:57:13:72 | access to local variable connectionString |
| ResourceInjection.cs:10:27:10:49 | access to property QueryString | ResourceInjection.cs:15:42:15:57 | access to local variable connectionString |
nodes
| ResourceInjection.cs:10:27:10:49 | access to property QueryString |
| ResourceInjection.cs:13:57:13:72 | access to local variable connectionString |
| ResourceInjection.cs:15:42:15:57 | access to local variable connectionString |
#select
| ResourceInjection.cs:13:57:13:72 | access to local variable connectionString | ResourceInjection.cs:10:27:10:49 | access to property QueryString | ResourceInjection.cs:13:57:13:72 | access to local variable connectionString | $@ flows to here and is used in a resource descriptor. | ResourceInjection.cs:10:27:10:49 | access to property QueryString | User-provided value |
| ResourceInjection.cs:15:42:15:57 | access to local variable connectionString | ResourceInjection.cs:10:27:10:49 | access to property QueryString | ResourceInjection.cs:15:42:15:57 | access to local variable connectionString | $@ flows to here and is used in a resource descriptor. | ResourceInjection.cs:10:27:10:49 | access to property QueryString | User-provided value |


@@ -8,21 +8,6 @@ edges
| MissingXMLValidation.cs:27:42:27:64 | object creation of type XmlReaderSettings | MissingXMLValidation.cs:29:61:29:72 | access to local variable badSettings2 |
| MissingXMLValidation.cs:32:42:32:64 | object creation of type XmlReaderSettings | MissingXMLValidation.cs:37:61:37:72 | access to local variable goodSettings |
| MissingXMLValidation.cs:40:42:40:64 | object creation of type XmlReaderSettings | MissingXMLValidation.cs:47:61:47:72 | access to local variable badSettings3 |
nodes
| MissingXMLValidation.cs:14:34:14:56 | access to property QueryString |
| MissingXMLValidation.cs:18:26:18:58 | object creation of type StringReader |
| MissingXMLValidation.cs:22:42:22:64 | object creation of type XmlReaderSettings |
| MissingXMLValidation.cs:23:26:23:58 | object creation of type StringReader |
| MissingXMLValidation.cs:23:61:23:72 | access to local variable badSettings1 |
| MissingXMLValidation.cs:27:42:27:64 | object creation of type XmlReaderSettings |
| MissingXMLValidation.cs:29:26:29:58 | object creation of type StringReader |
| MissingXMLValidation.cs:29:61:29:72 | access to local variable badSettings2 |
| MissingXMLValidation.cs:32:42:32:64 | object creation of type XmlReaderSettings |
| MissingXMLValidation.cs:37:26:37:58 | object creation of type StringReader |
| MissingXMLValidation.cs:37:61:37:72 | access to local variable goodSettings |
| MissingXMLValidation.cs:40:42:40:64 | object creation of type XmlReaderSettings |
| MissingXMLValidation.cs:47:26:47:58 | object creation of type StringReader |
| MissingXMLValidation.cs:47:61:47:72 | access to local variable badSettings3 |
#select
| MissingXMLValidation.cs:18:26:18:58 | object creation of type StringReader | MissingXMLValidation.cs:14:34:14:56 | access to property QueryString | MissingXMLValidation.cs:18:26:18:58 | object creation of type StringReader | $@ flows to here and is processed as XML without validation because there is no 'XmlReaderSettings' instance specifying schema validation. | MissingXMLValidation.cs:14:34:14:56 | access to property QueryString | User-provided value |
| MissingXMLValidation.cs:23:26:23:58 | object creation of type StringReader | MissingXMLValidation.cs:14:34:14:56 | access to property QueryString | MissingXMLValidation.cs:23:26:23:58 | object creation of type StringReader | $@ flows to here and is processed as XML without validation because the 'XmlReaderSettings' instance does not specify the 'ValidationType' as 'Schema'. | MissingXMLValidation.cs:14:34:14:56 | access to property QueryString | User-provided value |


@@ -1,10 +1,6 @@
edges
| LogForging.cs:19:27:19:49 | access to property QueryString | LogForging.cs:22:21:22:43 | ... + ... |
| LogForging.cs:19:27:19:49 | access to property QueryString | LogForging.cs:28:50:28:72 | ... + ... |
nodes
| LogForging.cs:19:27:19:49 | access to property QueryString |
| LogForging.cs:22:21:22:43 | ... + ... |
| LogForging.cs:28:50:28:72 | ... + ... |
#select
| LogForging.cs:22:21:22:43 | ... + ... | LogForging.cs:19:27:19:49 | access to property QueryString | LogForging.cs:22:21:22:43 | ... + ... | $@ flows to log entry. | LogForging.cs:19:27:19:49 | access to property QueryString | User-provided value |
| LogForging.cs:28:50:28:72 | ... + ... | LogForging.cs:19:27:19:49 | access to property QueryString | LogForging.cs:28:50:28:72 | ... + ... | $@ flows to log entry. | LogForging.cs:19:27:19:49 | access to property QueryString | User-provided value |


@@ -1,16 +1,10 @@
edges
| UncontrolledFormatString.cs:11:23:11:45 | access to property QueryString | UncontrolledFormatString.cs:14:23:14:26 | access to local variable path |
| UncontrolledFormatString.cs:11:23:11:45 | access to property QueryString | UncontrolledFormatString.cs:17:46:17:49 | access to local variable path |
| UncontrolledFormatString.cs:20:23:20:38 | "Do not do this" | UncontrolledFormatString.cs:20:23:20:38 | "Do not do this" |
| UncontrolledFormatString.cs:23:46:23:61 | "Do not do this" | UncontrolledFormatString.cs:23:46:23:61 | "Do not do this" |
| UncontrolledFormatString.cs:31:23:31:31 | access to property Text | UncontrolledFormatString.cs:31:23:31:31 | access to property Text |
| UncontrolledFormatStringBad.cs:9:25:9:47 | access to property QueryString | UncontrolledFormatStringBad.cs:12:39:12:44 | access to local variable format |
nodes
| UncontrolledFormatString.cs:11:23:11:45 | access to property QueryString |
| UncontrolledFormatString.cs:14:23:14:26 | access to local variable path |
| UncontrolledFormatString.cs:17:46:17:49 | access to local variable path |
| UncontrolledFormatString.cs:20:23:20:38 | "Do not do this" |
| UncontrolledFormatString.cs:23:46:23:61 | "Do not do this" |
| UncontrolledFormatString.cs:31:23:31:31 | access to property Text |
| UncontrolledFormatStringBad.cs:9:25:9:47 | access to property QueryString |
| UncontrolledFormatStringBad.cs:12:39:12:44 | access to local variable format |
#select
| UncontrolledFormatString.cs:14:23:14:26 | access to local variable path | UncontrolledFormatString.cs:11:23:11:45 | access to property QueryString | UncontrolledFormatString.cs:14:23:14:26 | access to local variable path | $@ flows to here and is used as a format string. | UncontrolledFormatString.cs:11:23:11:45 | access to property QueryString | access to property QueryString |
| UncontrolledFormatString.cs:17:46:17:49 | access to local variable path | UncontrolledFormatString.cs:11:23:11:45 | access to property QueryString | UncontrolledFormatString.cs:17:46:17:49 | access to local variable path | $@ flows to here and is used as a format string. | UncontrolledFormatString.cs:11:23:11:45 | access to property QueryString | access to property QueryString |


@@ -1,21 +1,13 @@
edges
| ExposureInTransmittedData.cs:16:32:16:39 | access to local variable password | ExposureInTransmittedData.cs:16:32:16:39 | access to local variable password |
| ExposureInTransmittedData.cs:20:32:20:44 | call to method ToString | ExposureInTransmittedData.cs:20:32:20:44 | call to method ToString |
| ExposureInTransmittedData.cs:24:32:24:41 | access to property Message | ExposureInTransmittedData.cs:24:32:24:41 | access to property Message |
| ExposureInTransmittedData.cs:25:32:25:44 | call to method ToString | ExposureInTransmittedData.cs:25:32:25:44 | call to method ToString |
| ExposureInTransmittedData.cs:26:32:26:38 | access to property Data | ExposureInTransmittedData.cs:26:32:26:50 | access to indexer |
| ExposureInTransmittedData.cs:32:17:32:36 | call to method GetField | ExposureInTransmittedData.cs:33:53:33:53 | access to local variable p |
| ExposureInTransmittedData.cs:32:17:32:36 | call to method GetField | ExposureInTransmittedData.cs:33:56:33:56 | access to local variable p |
| ExposureInTransmittedData.cs:32:17:32:36 | call to method GetField | ExposureInTransmittedData.cs:34:24:34:52 | ... + ... |
| ExposureInTransmittedData.cs:32:17:32:36 | call to method GetField | ExposureInTransmittedData.cs:35:27:35:27 | access to local variable p |
nodes
| ExposureInTransmittedData.cs:16:32:16:39 | access to local variable password |
| ExposureInTransmittedData.cs:20:32:20:44 | call to method ToString |
| ExposureInTransmittedData.cs:24:32:24:41 | access to property Message |
| ExposureInTransmittedData.cs:25:32:25:44 | call to method ToString |
| ExposureInTransmittedData.cs:26:32:26:38 | access to property Data |
| ExposureInTransmittedData.cs:26:32:26:50 | access to indexer |
| ExposureInTransmittedData.cs:32:17:32:36 | call to method GetField |
| ExposureInTransmittedData.cs:33:53:33:53 | access to local variable p |
| ExposureInTransmittedData.cs:33:56:33:56 | access to local variable p |
| ExposureInTransmittedData.cs:34:24:34:52 | ... + ... |
| ExposureInTransmittedData.cs:35:27:35:27 | access to local variable p |
#select
| ExposureInTransmittedData.cs:16:32:16:39 | access to local variable password | ExposureInTransmittedData.cs:16:32:16:39 | access to local variable password | ExposureInTransmittedData.cs:16:32:16:39 | access to local variable password | Sensitive information from $@ flows to here, and is transmitted to the user. | ExposureInTransmittedData.cs:16:32:16:39 | access to local variable password | access to local variable password |
| ExposureInTransmittedData.cs:20:32:20:44 | call to method ToString | ExposureInTransmittedData.cs:20:32:20:44 | call to method ToString | ExposureInTransmittedData.cs:20:32:20:44 | call to method ToString | Sensitive information from $@ flows to here, and is transmitted to the user. | ExposureInTransmittedData.cs:20:32:20:44 | call to method ToString | call to method ToString |


@@ -1,11 +1,10 @@
edges
| ExceptionInformationExposure.cs:18:32:18:33 | access to local variable ex | ExceptionInformationExposure.cs:20:32:20:33 | access to local variable ex |
nodes
| ExceptionInformationExposure.cs:18:32:18:33 | access to local variable ex |
| ExceptionInformationExposure.cs:18:32:18:44 | call to method ToString |
| ExceptionInformationExposure.cs:20:32:20:33 | access to local variable ex |
| ExceptionInformationExposure.cs:22:32:22:44 | access to property StackTrace |
| ExceptionInformationExposure.cs:41:28:41:55 | call to method ToString |
| ExceptionInformationExposure.cs:18:32:18:33 | access to local variable ex | ExceptionInformationExposure.cs:20:32:20:33 | access to local variable ex |
| ExceptionInformationExposure.cs:18:32:18:44 | call to method ToString | ExceptionInformationExposure.cs:18:32:18:44 | call to method ToString |
| ExceptionInformationExposure.cs:20:32:20:33 | access to local variable ex | ExceptionInformationExposure.cs:20:32:20:33 | access to local variable ex |
| ExceptionInformationExposure.cs:22:32:22:44 | access to property StackTrace | ExceptionInformationExposure.cs:22:32:22:44 | access to property StackTrace |
| ExceptionInformationExposure.cs:41:28:41:55 | call to method ToString | ExceptionInformationExposure.cs:41:28:41:55 | call to method ToString |
#select
| ExceptionInformationExposure.cs:18:32:18:44 | call to method ToString | ExceptionInformationExposure.cs:18:32:18:44 | call to method ToString | ExceptionInformationExposure.cs:18:32:18:44 | call to method ToString | Exception information from $@ flows to here, and is exposed to the user. | ExceptionInformationExposure.cs:18:32:18:44 | call to method ToString | call to method ToString |
| ExceptionInformationExposure.cs:20:32:20:33 | access to local variable ex | ExceptionInformationExposure.cs:18:32:18:33 | access to local variable ex | ExceptionInformationExposure.cs:20:32:20:33 | access to local variable ex | Exception information from $@ flows to here, and is exposed to the user. | ExceptionInformationExposure.cs:18:32:18:33 | access to local variable ex | access to local variable ex |


@@ -1,13 +1,12 @@
edges
nodes
| CleartextStorage.cs:14:50:14:59 | access to field accountKey |
| CleartextStorage.cs:15:62:15:74 | call to method GetPassword |
| CleartextStorage.cs:16:69:16:81 | call to method GetPassword |
| CleartextStorage.cs:17:50:17:63 | call to method GetAccountID |
| CleartextStorage.cs:25:21:25:33 | call to method GetPassword |
| CleartextStorage.cs:73:21:73:33 | access to property Text |
| CleartextStorage.cs:74:21:74:29 | access to property Text |
| CleartextStorage.cs:75:21:75:29 | access to property Text |
| CleartextStorage.cs:14:50:14:59 | access to field accountKey | CleartextStorage.cs:14:50:14:59 | access to field accountKey |
| CleartextStorage.cs:15:62:15:74 | call to method GetPassword | CleartextStorage.cs:15:62:15:74 | call to method GetPassword |
| CleartextStorage.cs:16:69:16:81 | call to method GetPassword | CleartextStorage.cs:16:69:16:81 | call to method GetPassword |
| CleartextStorage.cs:17:50:17:63 | call to method GetAccountID | CleartextStorage.cs:17:50:17:63 | call to method GetAccountID |
| CleartextStorage.cs:25:21:25:33 | call to method GetPassword | CleartextStorage.cs:25:21:25:33 | call to method GetPassword |
| CleartextStorage.cs:73:21:73:33 | access to property Text | CleartextStorage.cs:73:21:73:33 | access to property Text |
| CleartextStorage.cs:74:21:74:29 | access to property Text | CleartextStorage.cs:74:21:74:29 | access to property Text |
| CleartextStorage.cs:75:21:75:29 | access to property Text | CleartextStorage.cs:75:21:75:29 | access to property Text |
#select
| CleartextStorage.cs:14:50:14:59 | access to field accountKey | CleartextStorage.cs:14:50:14:59 | access to field accountKey | CleartextStorage.cs:14:50:14:59 | access to field accountKey | Sensitive data returned by $@ is stored here. | CleartextStorage.cs:14:50:14:59 | access to field accountKey | access to field accountKey |
| CleartextStorage.cs:15:62:15:74 | call to method GetPassword | CleartextStorage.cs:15:62:15:74 | call to method GetPassword | CleartextStorage.cs:15:62:15:74 | call to method GetPassword | Sensitive data returned by $@ is stored here. | CleartextStorage.cs:15:62:15:74 | call to method GetPassword | call to method GetPassword |


@@ -2,13 +2,6 @@ edges
| Test.cs:17:31:17:59 | object creation of type X509Store | Test.cs:20:13:20:17 | access to local variable store |
| Test.cs:27:31:27:86 | object creation of type X509Store | Test.cs:30:13:30:17 | access to local variable store |
| Test.cs:72:31:72:86 | object creation of type X509Store | Test.cs:75:13:75:17 | access to local variable store |
nodes
| Test.cs:17:31:17:59 | object creation of type X509Store |
| Test.cs:20:13:20:17 | access to local variable store |
| Test.cs:27:31:27:86 | object creation of type X509Store |
| Test.cs:30:13:30:17 | access to local variable store |
| Test.cs:72:31:72:86 | object creation of type X509Store |
| Test.cs:75:13:75:17 | access to local variable store |
#select
| Test.cs:20:13:20:17 | access to local variable store | Test.cs:17:31:17:59 | object creation of type X509Store | Test.cs:20:13:20:17 | access to local variable store | Certificate added to the root certificate store. |
| Test.cs:30:13:30:17 | access to local variable store | Test.cs:27:31:27:86 | object creation of type X509Store | Test.cs:30:13:30:17 | access to local variable store | Certificate added to the root certificate store. |


@@ -1,30 +1,11 @@
edges
| InsecureRandomness.cs:21:26:21:45 | return InsecureRandomString | InsecureRandomness.cs:12:27:12:50 | call to method InsecureRandomString |
| InsecureRandomness.cs:28:29:28:43 | call to method Next | InsecureRandomness.cs:21:26:21:45 | return InsecureRandomString |
| InsecureRandomness.cs:28:29:28:43 | call to method Next | InsecureRandomness.cs:29:27:29:61 | call to method GetString |
| InsecureRandomness.cs:28:29:28:43 | call to method Next | InsecureRandomness.cs:31:16:31:32 | call to method ToString |
| InsecureRandomness.cs:29:27:29:61 | call to method GetString | InsecureRandomness.cs:21:26:21:45 | return InsecureRandomString |
| InsecureRandomness.cs:29:27:29:61 | call to method GetString | InsecureRandomness.cs:31:16:31:32 | call to method ToString |
| InsecureRandomness.cs:31:16:31:32 | call to method ToString | InsecureRandomness.cs:21:26:21:45 | return InsecureRandomString |
| InsecureRandomness.cs:53:26:53:58 | return InsecureRandomStringFromSelection | InsecureRandomness.cs:13:20:13:56 | call to method InsecureRandomStringFromSelection |
| InsecureRandomness.cs:60:31:60:39 | call to method Next | InsecureRandomness.cs:53:26:53:58 | return InsecureRandomStringFromSelection |
| InsecureRandomness.cs:28:23:28:43 | (...) ... | InsecureRandomness.cs:31:16:31:32 | call to method ToString |
| InsecureRandomness.cs:28:29:28:43 | call to method Next | InsecureRandomness.cs:28:23:28:43 | (...) ... |
| InsecureRandomness.cs:31:16:31:32 | call to method ToString | InsecureRandomness.cs:12:27:12:50 | call to method InsecureRandomString |
| InsecureRandomness.cs:60:31:60:39 | call to method Next | InsecureRandomness.cs:62:16:62:32 | call to method ToString |
| InsecureRandomness.cs:62:16:62:32 | call to method ToString | InsecureRandomness.cs:53:26:53:58 | return InsecureRandomStringFromSelection |
| InsecureRandomness.cs:65:26:65:56 | return InsecureRandomStringFromIndexer | InsecureRandomness.cs:14:20:14:54 | call to method InsecureRandomStringFromIndexer |
| InsecureRandomness.cs:72:31:72:39 | call to method Next | InsecureRandomness.cs:65:26:65:56 | return InsecureRandomStringFromIndexer |
nodes
| InsecureRandomness.cs:12:27:12:50 | call to method InsecureRandomString |
| InsecureRandomness.cs:13:20:13:56 | call to method InsecureRandomStringFromSelection |
| InsecureRandomness.cs:14:20:14:54 | call to method InsecureRandomStringFromIndexer |
| InsecureRandomness.cs:21:26:21:45 | return InsecureRandomString |
| InsecureRandomness.cs:28:29:28:43 | call to method Next |
| InsecureRandomness.cs:29:27:29:61 | call to method GetString |
| InsecureRandomness.cs:31:16:31:32 | call to method ToString |
| InsecureRandomness.cs:53:26:53:58 | return InsecureRandomStringFromSelection |
| InsecureRandomness.cs:60:31:60:39 | call to method Next |
| InsecureRandomness.cs:62:16:62:32 | call to method ToString |
| InsecureRandomness.cs:65:26:65:56 | return InsecureRandomStringFromIndexer |
| InsecureRandomness.cs:72:31:72:39 | call to method Next |
| InsecureRandomness.cs:62:16:62:32 | call to method ToString | InsecureRandomness.cs:13:20:13:56 | call to method InsecureRandomStringFromSelection |
| InsecureRandomness.cs:72:31:72:39 | call to method Next | InsecureRandomness.cs:74:16:74:21 | access to local variable result |
| InsecureRandomness.cs:74:16:74:21 | access to local variable result | InsecureRandomness.cs:14:20:14:54 | call to method InsecureRandomStringFromIndexer |
#select
| InsecureRandomness.cs:12:27:12:50 | call to method InsecureRandomString | InsecureRandomness.cs:28:29:28:43 | call to method Next | InsecureRandomness.cs:12:27:12:50 | call to method InsecureRandomString | Cryptographically insecure random number is generated at $@ and used here in a security context. | InsecureRandomness.cs:28:29:28:43 | call to method Next | call to method Next |
| InsecureRandomness.cs:13:20:13:56 | call to method InsecureRandomStringFromSelection | InsecureRandomness.cs:60:31:60:39 | call to method Next | InsecureRandomness.cs:13:20:13:56 | call to method InsecureRandomStringFromSelection | Cryptographically insecure random number is generated at $@ and used here in a security context. | InsecureRandomness.cs:60:31:60:39 | call to method Next | call to method Next |


@@ -1,9 +1,8 @@
edges
nodes
| ExposureOfPrivateInformation.cs:18:50:18:84 | access to indexer |
| ExposureOfPrivateInformation.cs:20:50:20:65 | call to method getTelephone |
| ExposureOfPrivateInformation.cs:24:21:24:36 | call to method getTelephone |
| ExposureOfPrivateInformation.cs:42:21:42:33 | access to property Text |
| ExposureOfPrivateInformation.cs:18:50:18:84 | access to indexer | ExposureOfPrivateInformation.cs:18:50:18:84 | access to indexer |
| ExposureOfPrivateInformation.cs:20:50:20:65 | call to method getTelephone | ExposureOfPrivateInformation.cs:20:50:20:65 | call to method getTelephone |
| ExposureOfPrivateInformation.cs:24:21:24:36 | call to method getTelephone | ExposureOfPrivateInformation.cs:24:21:24:36 | call to method getTelephone |
| ExposureOfPrivateInformation.cs:42:21:42:33 | access to property Text | ExposureOfPrivateInformation.cs:42:21:42:33 | access to property Text |
#select
| ExposureOfPrivateInformation.cs:18:50:18:84 | access to indexer | ExposureOfPrivateInformation.cs:18:50:18:84 | access to indexer | ExposureOfPrivateInformation.cs:18:50:18:84 | access to indexer | Private data returned by $@ is written to an external location. | ExposureOfPrivateInformation.cs:18:50:18:84 | access to indexer | access to indexer |
| ExposureOfPrivateInformation.cs:20:50:20:65 | call to method getTelephone | ExposureOfPrivateInformation.cs:20:50:20:65 | call to method getTelephone | ExposureOfPrivateInformation.cs:20:50:20:65 | call to method getTelephone | Private data returned by $@ is written to an external location. | ExposureOfPrivateInformation.cs:20:50:20:65 | call to method getTelephone | call to method getTelephone |


@@ -13,27 +13,6 @@ edges
| UrlRedirectCore.cs:47:51:47:55 | value | UrlRedirectCore.cs:50:28:50:32 | access to parameter value |
| UrlRedirectCore.cs:47:51:47:55 | value | UrlRedirectCore.cs:55:32:55:45 | object creation of type Uri |
| UrlRedirectCore.cs:47:51:47:55 | value | UrlRedirectCore.cs:58:31:58:35 | access to parameter value |
nodes
| UrlRedirect.cs:14:31:14:53 | access to property QueryString |
| UrlRedirect.cs:14:31:14:61 | access to indexer |
| UrlRedirect.cs:24:22:24:44 | access to property QueryString |
| UrlRedirect.cs:39:44:39:66 | access to property QueryString |
| UrlRedirect.cs:39:44:39:74 | access to indexer |
| UrlRedirect.cs:40:47:40:69 | access to property QueryString |
| UrlRedirect.cs:40:47:40:77 | access to indexer |
| UrlRedirect.cs:49:29:49:31 | access to local variable url |
| UrlRedirectCore.cs:15:44:15:48 | value |
| UrlRedirectCore.cs:18:22:18:26 | access to parameter value |
| UrlRedirectCore.cs:21:44:21:48 | call to operator implicit conversion |
| UrlRedirectCore.cs:27:46:27:50 | call to operator implicit conversion |
| UrlRedirectCore.cs:33:66:33:70 | access to parameter value |
| UrlRedirectCore.cs:36:49:36:53 | call to operator implicit conversion |
| UrlRedirectCore.cs:39:69:39:73 | access to parameter value |
| UrlRedirectCore.cs:42:39:42:53 | ... + ... |
| UrlRedirectCore.cs:47:51:47:55 | value |
| UrlRedirectCore.cs:50:28:50:32 | access to parameter value |
| UrlRedirectCore.cs:55:32:55:45 | object creation of type Uri |
| UrlRedirectCore.cs:58:31:58:35 | access to parameter value |
#select
| UrlRedirect.cs:14:31:14:61 | access to indexer | UrlRedirect.cs:14:31:14:53 | access to property QueryString | UrlRedirect.cs:14:31:14:61 | access to indexer | Untrusted URL redirection due to $@. | UrlRedirect.cs:14:31:14:53 | access to property QueryString | user-provided value |
| UrlRedirect.cs:39:44:39:74 | access to indexer | UrlRedirect.cs:39:44:39:66 | access to property QueryString | UrlRedirect.cs:39:44:39:74 | access to indexer | Untrusted URL redirection due to $@. | UrlRedirect.cs:39:44:39:66 | access to property QueryString | user-provided value |


@@ -1,10 +1,5 @@
edges
| Test.cs:13:50:13:72 | access to property QueryString | Test.cs:13:50:13:84 | access to indexer |
| Test.cs:18:38:18:60 | object creation of type XmlReaderSettings | Test.cs:23:55:23:62 | access to local variable settings |
nodes
| Test.cs:13:50:13:72 | access to property QueryString |
| Test.cs:13:50:13:84 | access to indexer |
| Test.cs:18:38:18:60 | object creation of type XmlReaderSettings |
| Test.cs:23:55:23:62 | access to local variable settings |
#select
| Test.cs:13:50:13:84 | access to indexer | Test.cs:13:50:13:72 | access to property QueryString | Test.cs:13:50:13:84 | access to indexer | $@ flows to here and is loaded insecurely as XML (DTD processing is enabled with an insecure resolver). | Test.cs:13:50:13:72 | access to property QueryString | User-provided value |


@@ -3,11 +3,6 @@ edges
| StoredXPathInjection.cs:24:39:24:65 | call to method GetString | StoredXPathInjection.cs:30:41:30:144 | ... + ... |
| StoredXPathInjection.cs:25:39:25:65 | call to method GetString | StoredXPathInjection.cs:27:45:27:148 | ... + ... |
| StoredXPathInjection.cs:25:39:25:65 | call to method GetString | StoredXPathInjection.cs:30:41:30:144 | ... + ... |
nodes
| StoredXPathInjection.cs:24:39:24:65 | call to method GetString |
| StoredXPathInjection.cs:25:39:25:65 | call to method GetString |
| StoredXPathInjection.cs:27:45:27:148 | ... + ... |
| StoredXPathInjection.cs:30:41:30:144 | ... + ... |
#select
| StoredXPathInjection.cs:27:45:27:148 | ... + ... | StoredXPathInjection.cs:24:39:24:65 | call to method GetString | StoredXPathInjection.cs:27:45:27:148 | ... + ... | $@ flows to here and is used in an XPath expression. | StoredXPathInjection.cs:24:39:24:65 | call to method GetString | Stored user-provided value |
| StoredXPathInjection.cs:27:45:27:148 | ... + ... | StoredXPathInjection.cs:25:39:25:65 | call to method GetString | StoredXPathInjection.cs:27:45:27:148 | ... + ... | $@ flows to here and is used in an XPath expression. | StoredXPathInjection.cs:25:39:25:65 | call to method GetString | Stored user-provided value |


@@ -3,11 +3,6 @@ edges
| XPathInjection.cs:12:27:12:49 | access to property QueryString | XPathInjection.cs:19:29:19:132 | ... + ... |
| XPathInjection.cs:13:27:13:49 | access to property QueryString | XPathInjection.cs:16:33:16:136 | ... + ... |
| XPathInjection.cs:13:27:13:49 | access to property QueryString | XPathInjection.cs:19:29:19:132 | ... + ... |
nodes
| XPathInjection.cs:12:27:12:49 | access to property QueryString |
| XPathInjection.cs:13:27:13:49 | access to property QueryString |
| XPathInjection.cs:16:33:16:136 | ... + ... |
| XPathInjection.cs:19:29:19:132 | ... + ... |
#select
| XPathInjection.cs:16:33:16:136 | ... + ... | XPathInjection.cs:12:27:12:49 | access to property QueryString | XPathInjection.cs:16:33:16:136 | ... + ... | $@ flows to here and is used in an XPath expression. | XPathInjection.cs:12:27:12:49 | access to property QueryString | User-provided value |
| XPathInjection.cs:16:33:16:136 | ... + ... | XPathInjection.cs:13:27:13:49 | access to property QueryString | XPathInjection.cs:16:33:16:136 | ... + ... | $@ flows to here and is used in an XPath expression. | XPathInjection.cs:13:27:13:49 | access to property QueryString | User-provided value |


@@ -1,5 +1,7 @@
edges
| ExponentialRegex.cs:9:55:9:83 | "^(([a-z])+.)+[A-Z]([a-z])+$" | ExponentialRegex.cs:24:19:24:34 | access to field JAVA_CLASS_REGEX |
| ExponentialRegex.cs:9:55:9:83 | "^(([a-z])+.)+[A-Z]([a-z])+$" | ExponentialRegex.cs:24:19:24:34 | access to field JAVA_CLASS_REGEX |
| ExponentialRegex.cs:9:55:9:83 | "^(([a-z])+.)+[A-Z]([a-z])+$" | ExponentialRegex.cs:26:32:26:47 | access to field JAVA_CLASS_REGEX |
| ExponentialRegex.cs:9:55:9:83 | "^(([a-z])+.)+[A-Z]([a-z])+$" | ExponentialRegex.cs:26:32:26:47 | access to field JAVA_CLASS_REGEX |
| ExponentialRegex.cs:9:55:9:83 | "^(([a-z])+.)+[A-Z]([a-z])+$" | ExponentialRegex.cs:30:32:30:47 | access to field JAVA_CLASS_REGEX |
| ExponentialRegex.cs:13:28:13:50 | access to property QueryString | ExponentialRegex.cs:17:40:17:48 | access to local variable userInput |
@@ -11,28 +13,14 @@ edges
| ExponentialRegex.cs:13:28:13:50 | access to property QueryString | ExponentialRegex.cs:29:90:29:98 | access to local variable userInput |
| ExponentialRegex.cs:13:28:13:50 | access to property QueryString | ExponentialRegex.cs:30:21:30:29 | access to local variable userInput |
| ExponentialRegex.cs:13:28:13:50 | access to property QueryString | ExponentialRegex.cs:32:57:32:65 | access to local variable userInput |
| ExponentialRegex.cs:17:19:17:31 | "^([a-z]+)+$" | ExponentialRegex.cs:17:19:17:31 | "^([a-z]+)+$" |
| ExponentialRegex.cs:18:19:18:31 | "^([a-z]*)*$" | ExponentialRegex.cs:18:19:18:31 | "^([a-z]*)*$" |
| ExponentialRegex.cs:21:19:21:130 | "^([a-zA-Z0-9])(([\\-.]\|[_]+)?([a-zA-Z0-9]+))*(@){1}[a-z0-9]+[.]{1}(([a-z]{2,3})\|([a-z]{2,3}[.]{1}[a-z]{2,3}))$" | ExponentialRegex.cs:21:19:21:130 | "^([a-zA-Z0-9])(([\\-.]\|[_]+)?([a-zA-Z0-9]+))*(@){1}[a-z0-9]+[.]{1}(([a-z]{2,3})\|([a-z]{2,3}[.]{1}[a-z]{2,3}))$" |
| ExponentialRegex.cs:24:19:24:34 | access to field JAVA_CLASS_REGEX | ExponentialRegex.cs:26:32:26:47 | access to field JAVA_CLASS_REGEX |
| ExponentialRegex.cs:24:19:24:34 | access to field JAVA_CLASS_REGEX | ExponentialRegex.cs:26:32:26:47 | access to field JAVA_CLASS_REGEX |
| ExponentialRegex.cs:24:19:24:34 | access to field JAVA_CLASS_REGEX | ExponentialRegex.cs:30:32:30:47 | access to field JAVA_CLASS_REGEX |
| ExponentialRegex.cs:26:32:26:47 | access to field JAVA_CLASS_REGEX | ExponentialRegex.cs:30:32:30:47 | access to field JAVA_CLASS_REGEX |
nodes
| ExponentialRegex.cs:9:55:9:83 | "^(([a-z])+.)+[A-Z]([a-z])+$" |
| ExponentialRegex.cs:13:28:13:50 | access to property QueryString |
| ExponentialRegex.cs:17:19:17:31 | "^([a-z]+)+$" |
| ExponentialRegex.cs:17:40:17:48 | access to local variable userInput |
| ExponentialRegex.cs:18:19:18:31 | "^([a-z]*)*$" |
| ExponentialRegex.cs:18:42:18:50 | access to local variable userInput |
| ExponentialRegex.cs:21:19:21:130 | "^([a-zA-Z0-9])(([\\-.]\|[_]+)?([a-zA-Z0-9]+))*(@){1}[a-z0-9]+[.]{1}(([a-z]{2,3})\|([a-z]{2,3}[.]{1}[a-z]{2,3}))$" |
| ExponentialRegex.cs:21:139:21:147 | access to local variable userInput |
| ExponentialRegex.cs:24:19:24:34 | access to field JAVA_CLASS_REGEX |
| ExponentialRegex.cs:24:43:24:51 | access to local variable userInput |
| ExponentialRegex.cs:26:21:26:29 | access to local variable userInput |
| ExponentialRegex.cs:26:32:26:47 | access to field JAVA_CLASS_REGEX |
| ExponentialRegex.cs:28:47:28:55 | access to local variable userInput |
| ExponentialRegex.cs:29:19:29:31 | "^([a-z]+)+$" |
| ExponentialRegex.cs:29:90:29:98 | access to local variable userInput |
| ExponentialRegex.cs:30:21:30:29 | access to local variable userInput |
| ExponentialRegex.cs:30:32:30:47 | access to field JAVA_CLASS_REGEX |
| ExponentialRegex.cs:32:57:32:65 | access to local variable userInput |
| ExponentialRegex.cs:29:19:29:31 | "^([a-z]+)+$" | ExponentialRegex.cs:29:19:29:31 | "^([a-z]+)+$" |
#select
| ExponentialRegex.cs:17:40:17:48 | access to local variable userInput | ExponentialRegex.cs:13:28:13:50 | access to property QueryString | ExponentialRegex.cs:17:40:17:48 | access to local variable userInput | $@ flows to regular expression operation with dangerous regex. | ExponentialRegex.cs:13:28:13:50 | access to property QueryString | User-provided value |
| ExponentialRegex.cs:18:42:18:50 | access to local variable userInput | ExponentialRegex.cs:13:28:13:50 | access to property QueryString | ExponentialRegex.cs:18:42:18:50 | access to local variable userInput | $@ flows to regular expression operation with dangerous regex. | ExponentialRegex.cs:13:28:13:50 | access to property QueryString | User-provided value |


@@ -1,7 +1,4 @@
edges
| ExponentialRegex.cs:15:28:15:50 | access to property QueryString | ExponentialRegex.cs:18:40:18:48 | access to local variable userInput |
nodes
| ExponentialRegex.cs:15:28:15:50 | access to property QueryString |
| ExponentialRegex.cs:18:19:18:31 | "^([a-z]+)+$" |
| ExponentialRegex.cs:18:40:18:48 | access to local variable userInput |
| ExponentialRegex.cs:18:19:18:31 | "^([a-z]+)+$" | ExponentialRegex.cs:18:19:18:31 | "^([a-z]+)+$" |
#select


@@ -1,7 +1,4 @@
edges
| RegexInjection.cs:12:24:12:46 | access to property QueryString | RegexInjection.cs:16:19:16:23 | access to local variable regex |
nodes
| RegexInjection.cs:12:24:12:46 | access to property QueryString |
| RegexInjection.cs:16:19:16:23 | access to local variable regex |
#select
| RegexInjection.cs:16:19:16:23 | access to local variable regex | RegexInjection.cs:12:24:12:46 | access to property QueryString | RegexInjection.cs:16:19:16:23 | access to local variable regex | $@ flows to the construction of a regular expression. | RegexInjection.cs:12:24:12:46 | access to property QueryString | User-provided value |


@@ -1,19 +1,16 @@
edges
| HardcodedCredentials.cs:17:25:17:36 | "myPa55word" | HardcodedCredentials.cs:17:25:17:36 | "myPa55word" |
| HardcodedCredentials.cs:33:19:33:28 | "username" | HardcodedCredentials.cs:33:19:33:28 | "username" |
| HardcodedCredentials.cs:47:39:47:53 | "myNewPa55word" | HardcodedCredentials.cs:47:39:47:53 | "myNewPa55word" |
| HardcodedCredentials.cs:49:30:49:60 | array creation of type Byte[] | HardcodedCredentials.cs:52:13:52:23 | access to local variable rawCertData |
nodes
| HardcodedCredentials.cs:17:25:17:36 | "myPa55word" |
| HardcodedCredentials.cs:33:19:33:28 | "username" |
| HardcodedCredentials.cs:47:39:47:53 | "myNewPa55word" |
| HardcodedCredentials.cs:49:30:49:60 | array creation of type Byte[] |
| HardcodedCredentials.cs:52:13:52:23 | access to local variable rawCertData |
| HardcodedCredentials.cs:53:13:53:24 | "myPa55word" |
| HardcodedCredentials.cs:56:48:56:63 | "Password=12345" |
| HardcodedCredentials.cs:58:49:58:63 | "User Id=12345" |
| HardcodedCredentials.cs:76:31:76:42 | "myusername" |
| HardcodedCredentials.cs:76:45:76:56 | "mypassword" |
| TestHardcodedCredentials.cs:21:31:21:42 | "myusername" |
| TestHardcodedCredentials.cs:21:45:21:56 | "mypassword" |
| TestHardcodedCredentials.cs:26:19:26:28 | "username" |
| HardcodedCredentials.cs:53:13:53:24 | "myPa55word" | HardcodedCredentials.cs:53:13:53:24 | "myPa55word" |
| HardcodedCredentials.cs:56:48:56:63 | "Password=12345" | HardcodedCredentials.cs:56:48:56:63 | "Password=12345" |
| HardcodedCredentials.cs:58:49:58:63 | "User Id=12345" | HardcodedCredentials.cs:58:49:58:63 | "User Id=12345" |
| HardcodedCredentials.cs:76:31:76:42 | "myusername" | HardcodedCredentials.cs:76:31:76:42 | "myusername" |
| HardcodedCredentials.cs:76:45:76:56 | "mypassword" | HardcodedCredentials.cs:76:45:76:56 | "mypassword" |
| TestHardcodedCredentials.cs:21:31:21:42 | "myusername" | TestHardcodedCredentials.cs:21:31:21:42 | "myusername" |
| TestHardcodedCredentials.cs:21:45:21:56 | "mypassword" | TestHardcodedCredentials.cs:21:45:21:56 | "mypassword" |
| TestHardcodedCredentials.cs:26:19:26:28 | "username" | TestHardcodedCredentials.cs:26:19:26:28 | "username" |
#select
| HardcodedCredentials.cs:56:48:56:63 | "Password=12345" | HardcodedCredentials.cs:56:48:56:63 | "Password=12345" | HardcodedCredentials.cs:56:48:56:63 | "Password=12345" | 'ConnectionString' property includes hard-coded credentials set in $@. | HardcodedCredentials.cs:56:30:56:64 | object creation of type SqlConnection | object creation of type SqlConnection |
| HardcodedCredentials.cs:58:49:58:63 | "User Id=12345" | HardcodedCredentials.cs:58:49:58:63 | "User Id=12345" | HardcodedCredentials.cs:58:49:58:63 | "User Id=12345" | 'ConnectionString' property includes hard-coded credentials set in $@. | HardcodedCredentials.cs:58:31:58:64 | object creation of type SqlConnection | object creation of type SqlConnection |


@@ -1,23 +1,42 @@
edges
| HardcodedCredentials.cs:17:25:17:36 | "myPa55word" | HardcodedCredentials.cs:17:25:17:36 | "myPa55word" |
| HardcodedCredentials.cs:33:19:33:28 | "username" | HardcodedCredentials.cs:33:19:33:28 | "username" |
| HardcodedCredentials.cs:47:39:47:53 | "myNewPa55word" | HardcodedCredentials.cs:47:39:47:53 | "myNewPa55word" |
| HardcodedCredentials.cs:49:30:49:60 | array creation of type Byte[] | HardcodedCredentials.cs:52:13:52:23 | access to local variable rawCertData |
nodes
| HardcodedCredentials.cs:17:25:17:36 | "myPa55word" |
| HardcodedCredentials.cs:33:19:33:28 | "username" |
| HardcodedCredentials.cs:47:39:47:53 | "myNewPa55word" |
| HardcodedCredentials.cs:49:30:49:60 | array creation of type Byte[] |
| HardcodedCredentials.cs:52:13:52:23 | access to local variable rawCertData |
| HardcodedCredentials.cs:53:13:53:24 | "myPa55word" |
| HardcodedCredentials.cs:76:31:76:42 | "myusername" |
| HardcodedCredentials.cs:76:45:76:56 | "mypassword" |
| TestHardcodedCredentials.cs:21:31:21:42 | "myusername" |
| TestHardcodedCredentials.cs:21:45:21:56 | "mypassword" |
| TestHardcodedCredentials.cs:26:19:26:28 | "username" |
| HardcodedCredentials.cs:53:13:53:24 | "myPa55word" | HardcodedCredentials.cs:53:13:53:24 | "myPa55word" |
| HardcodedCredentials.cs:76:31:76:42 | "myusername" | HardcodedCredentials.cs:76:31:76:42 | "myusername" |
| HardcodedCredentials.cs:76:45:76:56 | "mypassword" | HardcodedCredentials.cs:76:45:76:56 | "mypassword" |
| TestHardcodedCredentials.cs:21:31:21:42 | "myusername" | TestHardcodedCredentials.cs:21:31:21:42 | "myusername" |
| TestHardcodedCredentials.cs:21:45:21:56 | "mypassword" | TestHardcodedCredentials.cs:21:45:21:56 | "mypassword" |
| TestHardcodedCredentials.cs:26:19:26:28 | "username" | TestHardcodedCredentials.cs:26:19:26:28 | "username" |
#select
| HardcodedCredentials.cs:17:25:17:36 | "myPa55word" | HardcodedCredentials.cs:17:25:17:36 | "myPa55word" | HardcodedCredentials.cs:17:25:17:36 | "myPa55word" | The hard-coded value "myPa55word" flows to $@ which is compared against $@. | HardcodedCredentials.cs:17:25:17:36 | "myPa55word" | "myPa55word" | HardcodedCredentials.cs:17:13:17:20 | access to local variable password | access to local variable password |
| HardcodedCredentials.cs:17:25:17:36 | "myPa55word" | HardcodedCredentials.cs:17:25:17:36 | "myPa55word" | HardcodedCredentials.cs:17:25:17:36 | "myPa55word" | The hard-coded value "myPa55word" flows to $@ which is compared against $@. | HardcodedCredentials.cs:17:25:17:36 | "myPa55word" | "myPa55word" | HardcodedCredentials.cs:17:13:17:20 | access to local variable password | access to local variable password |
| HardcodedCredentials.cs:17:25:17:36 | "myPa55word" | HardcodedCredentials.cs:17:25:17:36 | "myPa55word" | HardcodedCredentials.cs:17:25:17:36 | "myPa55word" | The hard-coded value "myPa55word" flows to $@ which is compared against $@. | HardcodedCredentials.cs:17:25:17:36 | "myPa55word" | "myPa55word" | HardcodedCredentials.cs:17:13:17:20 | access to local variable password | access to local variable password |
| HardcodedCredentials.cs:17:25:17:36 | "myPa55word" | HardcodedCredentials.cs:17:25:17:36 | "myPa55word" | HardcodedCredentials.cs:17:25:17:36 | "myPa55word" | The hard-coded value "myPa55word" flows to $@ which is compared against $@. | HardcodedCredentials.cs:17:25:17:36 | "myPa55word" | "myPa55word" | HardcodedCredentials.cs:17:13:17:20 | access to local variable password | access to local variable password |
| HardcodedCredentials.cs:33:19:33:28 | "username" | HardcodedCredentials.cs:33:19:33:28 | "username" | HardcodedCredentials.cs:33:19:33:28 | "username" | The hard-coded value "username" flows to the $@ parameter in $@. | HardcodedCredentials.cs:33:19:33:28 | "username" | name | HardcodedCredentials.cs:31:31:45:13 | object creation of type MembershipUser | object creation of type MembershipUser |
| HardcodedCredentials.cs:33:19:33:28 | "username" | HardcodedCredentials.cs:33:19:33:28 | "username" | HardcodedCredentials.cs:33:19:33:28 | "username" | The hard-coded value "username" flows to the $@ parameter in $@. | HardcodedCredentials.cs:33:19:33:28 | "username" | name | HardcodedCredentials.cs:31:31:45:13 | object creation of type MembershipUser | object creation of type MembershipUser |
| HardcodedCredentials.cs:33:19:33:28 | "username" | HardcodedCredentials.cs:33:19:33:28 | "username" | HardcodedCredentials.cs:33:19:33:28 | "username" | The hard-coded value "username" flows to the $@ parameter in $@. | HardcodedCredentials.cs:33:19:33:28 | "username" | name | HardcodedCredentials.cs:31:31:45:13 | object creation of type MembershipUser | object creation of type MembershipUser |
| HardcodedCredentials.cs:33:19:33:28 | "username" | HardcodedCredentials.cs:33:19:33:28 | "username" | HardcodedCredentials.cs:33:19:33:28 | "username" | The hard-coded value "username" flows to the $@ parameter in $@. | HardcodedCredentials.cs:33:19:33:28 | "username" | name | HardcodedCredentials.cs:31:31:45:13 | object creation of type MembershipUser | object creation of type MembershipUser |
| HardcodedCredentials.cs:47:39:47:53 | "myNewPa55word" | HardcodedCredentials.cs:47:39:47:53 | "myNewPa55word" | HardcodedCredentials.cs:47:39:47:53 | "myNewPa55word" | The hard-coded value "myNewPa55word" flows to the $@ parameter in $@. | HardcodedCredentials.cs:47:39:47:53 | "myNewPa55word" | newPassword | HardcodedCredentials.cs:47:9:47:54 | call to method ChangePassword | call to method ChangePassword |
| HardcodedCredentials.cs:47:39:47:53 | "myNewPa55word" | HardcodedCredentials.cs:47:39:47:53 | "myNewPa55word" | HardcodedCredentials.cs:47:39:47:53 | "myNewPa55word" | The hard-coded value "myNewPa55word" flows to the $@ parameter in $@. | HardcodedCredentials.cs:47:39:47:53 | "myNewPa55word" | newPassword | HardcodedCredentials.cs:47:9:47:54 | call to method ChangePassword | call to method ChangePassword |
| HardcodedCredentials.cs:47:39:47:53 | "myNewPa55word" | HardcodedCredentials.cs:47:39:47:53 | "myNewPa55word" | HardcodedCredentials.cs:47:39:47:53 | "myNewPa55word" | The hard-coded value "myNewPa55word" flows to the $@ parameter in $@. | HardcodedCredentials.cs:47:39:47:53 | "myNewPa55word" | newPassword | HardcodedCredentials.cs:47:9:47:54 | call to method ChangePassword | call to method ChangePassword |
| HardcodedCredentials.cs:47:39:47:53 | "myNewPa55word" | HardcodedCredentials.cs:47:39:47:53 | "myNewPa55word" | HardcodedCredentials.cs:47:39:47:53 | "myNewPa55word" | The hard-coded value "myNewPa55word" flows to the $@ parameter in $@. | HardcodedCredentials.cs:47:39:47:53 | "myNewPa55word" | newPassword | HardcodedCredentials.cs:47:9:47:54 | call to method ChangePassword | call to method ChangePassword |
| HardcodedCredentials.cs:49:30:49:60 | array creation of type Byte[] | HardcodedCredentials.cs:49:30:49:60 | array creation of type Byte[] | HardcodedCredentials.cs:52:13:52:23 | access to local variable rawCertData | This hard-coded value flows to the $@ parameter in $@. | HardcodedCredentials.cs:52:13:52:23 | access to local variable rawCertData | rawData | HardcodedCredentials.cs:51:33:53:25 | object creation of type X509Certificate2 | object creation of type X509Certificate2 |
| HardcodedCredentials.cs:49:30:49:60 | array creation of type Byte[] | HardcodedCredentials.cs:49:30:49:60 | array creation of type Byte[] | HardcodedCredentials.cs:52:13:52:23 | access to local variable rawCertData | This hard-coded value flows to the $@ parameter in $@. | HardcodedCredentials.cs:52:13:52:23 | access to local variable rawCertData | rawData | HardcodedCredentials.cs:51:33:53:25 | object creation of type X509Certificate2 | object creation of type X509Certificate2 |
| HardcodedCredentials.cs:53:13:53:24 | "myPa55word" | HardcodedCredentials.cs:53:13:53:24 | "myPa55word" | HardcodedCredentials.cs:53:13:53:24 | "myPa55word" | The hard-coded value "myPa55word" flows to the $@ parameter in $@. | HardcodedCredentials.cs:53:13:53:24 | "myPa55word" | password | HardcodedCredentials.cs:51:33:53:25 | object creation of type X509Certificate2 | object creation of type X509Certificate2 |
| HardcodedCredentials.cs:53:13:53:24 | "myPa55word" | HardcodedCredentials.cs:53:13:53:24 | "myPa55word" | HardcodedCredentials.cs:53:13:53:24 | "myPa55word" | The hard-coded value "myPa55word" flows to the $@ parameter in $@. | HardcodedCredentials.cs:53:13:53:24 | "myPa55word" | password | HardcodedCredentials.cs:51:33:53:25 | object creation of type X509Certificate2 | object creation of type X509Certificate2 |
| HardcodedCredentials.cs:53:13:53:24 | "myPa55word" | HardcodedCredentials.cs:53:13:53:24 | "myPa55word" | HardcodedCredentials.cs:53:13:53:24 | "myPa55word" | The hard-coded value "myPa55word" flows to the $@ parameter in $@. | HardcodedCredentials.cs:53:13:53:24 | "myPa55word" | password | HardcodedCredentials.cs:51:33:53:25 | object creation of type X509Certificate2 | object creation of type X509Certificate2 |
| HardcodedCredentials.cs:53:13:53:24 | "myPa55word" | HardcodedCredentials.cs:53:13:53:24 | "myPa55word" | HardcodedCredentials.cs:53:13:53:24 | "myPa55word" | The hard-coded value "myPa55word" flows to the $@ parameter in $@. | HardcodedCredentials.cs:53:13:53:24 | "myPa55word" | password | HardcodedCredentials.cs:51:33:53:25 | object creation of type X509Certificate2 | object creation of type X509Certificate2 |
| HardcodedCredentials.cs:76:31:76:42 | "myusername" | HardcodedCredentials.cs:76:31:76:42 | "myusername" | HardcodedCredentials.cs:76:31:76:42 | "myusername" | The hard-coded value "myusername" flows to the $@ parameter in $@. | HardcodedCredentials.cs:76:31:76:42 | "myusername" | username | HardcodedCredentials.cs:76:9:76:57 | call to method CreateUser | call to method CreateUser |
| HardcodedCredentials.cs:76:31:76:42 | "myusername" | HardcodedCredentials.cs:76:31:76:42 | "myusername" | HardcodedCredentials.cs:76:31:76:42 | "myusername" | The hard-coded value "myusername" flows to the $@ parameter in $@. | HardcodedCredentials.cs:76:31:76:42 | "myusername" | username | HardcodedCredentials.cs:76:9:76:57 | call to method CreateUser | call to method CreateUser |
| HardcodedCredentials.cs:76:31:76:42 | "myusername" | HardcodedCredentials.cs:76:31:76:42 | "myusername" | HardcodedCredentials.cs:76:31:76:42 | "myusername" | The hard-coded value "myusername" flows to the $@ parameter in $@. | HardcodedCredentials.cs:76:31:76:42 | "myusername" | username | HardcodedCredentials.cs:76:9:76:57 | call to method CreateUser | call to method CreateUser |
| HardcodedCredentials.cs:76:31:76:42 | "myusername" | HardcodedCredentials.cs:76:31:76:42 | "myusername" | HardcodedCredentials.cs:76:31:76:42 | "myusername" | The hard-coded value "myusername" flows to the $@ parameter in $@. | HardcodedCredentials.cs:76:31:76:42 | "myusername" | username | HardcodedCredentials.cs:76:9:76:57 | call to method CreateUser | call to method CreateUser |
| HardcodedCredentials.cs:76:45:76:56 | "mypassword" | HardcodedCredentials.cs:76:45:76:56 | "mypassword" | HardcodedCredentials.cs:76:45:76:56 | "mypassword" | The hard-coded value "mypassword" flows to the $@ parameter in $@. | HardcodedCredentials.cs:76:45:76:56 | "mypassword" | password | HardcodedCredentials.cs:76:9:76:57 | call to method CreateUser | call to method CreateUser |
| HardcodedCredentials.cs:76:45:76:56 | "mypassword" | HardcodedCredentials.cs:76:45:76:56 | "mypassword" | HardcodedCredentials.cs:76:45:76:56 | "mypassword" | The hard-coded value "mypassword" flows to the $@ parameter in $@. | HardcodedCredentials.cs:76:45:76:56 | "mypassword" | password | HardcodedCredentials.cs:76:9:76:57 | call to method CreateUser | call to method CreateUser |
| HardcodedCredentials.cs:76:45:76:56 | "mypassword" | HardcodedCredentials.cs:76:45:76:56 | "mypassword" | HardcodedCredentials.cs:76:45:76:56 | "mypassword" | The hard-coded value "mypassword" flows to the $@ parameter in $@. | HardcodedCredentials.cs:76:45:76:56 | "mypassword" | password | HardcodedCredentials.cs:76:9:76:57 | call to method CreateUser | call to method CreateUser |
| HardcodedCredentials.cs:76:45:76:56 | "mypassword" | HardcodedCredentials.cs:76:45:76:56 | "mypassword" | HardcodedCredentials.cs:76:45:76:56 | "mypassword" | The hard-coded value "mypassword" flows to the $@ parameter in $@. | HardcodedCredentials.cs:76:45:76:56 | "mypassword" | password | HardcodedCredentials.cs:76:9:76:57 | call to method CreateUser | call to method CreateUser |
| TestHardcodedCredentials.cs:26:19:26:28 | "username" | TestHardcodedCredentials.cs:26:19:26:28 | "username" | TestHardcodedCredentials.cs:26:19:26:28 | "username" | The hard-coded value "username" flows to the $@ parameter in $@. | TestHardcodedCredentials.cs:26:19:26:28 | "username" | name | TestHardcodedCredentials.cs:24:31:38:13 | object creation of type MembershipUser | object creation of type MembershipUser |
| TestHardcodedCredentials.cs:26:19:26:28 | "username" | TestHardcodedCredentials.cs:26:19:26:28 | "username" | TestHardcodedCredentials.cs:26:19:26:28 | "username" | The hard-coded value "username" flows to the $@ parameter in $@. | TestHardcodedCredentials.cs:26:19:26:28 | "username" | name | TestHardcodedCredentials.cs:24:31:38:13 | object creation of type MembershipUser | object creation of type MembershipUser |
| TestHardcodedCredentials.cs:26:19:26:28 | "username" | TestHardcodedCredentials.cs:26:19:26:28 | "username" | TestHardcodedCredentials.cs:26:19:26:28 | "username" | The hard-coded value "username" flows to the $@ parameter in $@. | TestHardcodedCredentials.cs:26:19:26:28 | "username" | name | TestHardcodedCredentials.cs:24:31:38:13 | object creation of type MembershipUser | object creation of type MembershipUser |
| TestHardcodedCredentials.cs:26:19:26:28 | "username" | TestHardcodedCredentials.cs:26:19:26:28 | "username" | TestHardcodedCredentials.cs:26:19:26:28 | "username" | The hard-coded value "username" flows to the $@ parameter in $@. | TestHardcodedCredentials.cs:26:19:26:28 | "username" | name | TestHardcodedCredentials.cs:24:31:38:13 | object creation of type MembershipUser | object creation of type MembershipUser |


@@ -6,19 +6,6 @@ edges
| ConditionalBypass.cs:44:32:44:66 | call to method GetHostByAddress | ConditionalBypass.cs:51:13:51:29 | access to property HostName |
| ConditionalBypass.cs:72:34:72:52 | access to property Cookies | ConditionalBypass.cs:74:13:74:40 | ... == ... |
| ConditionalBypass.cs:85:34:85:52 | access to property Cookies | ConditionalBypass.cs:86:13:86:40 | ... == ... |
nodes
| ConditionalBypass.cs:14:26:14:48 | access to property QueryString |
| ConditionalBypass.cs:18:13:18:30 | ... == ... |
| ConditionalBypass.cs:21:34:21:52 | access to property Cookies |
| ConditionalBypass.cs:24:13:24:45 | call to method Equals |
| ConditionalBypass.cs:29:13:29:40 | ... == ... |
| ConditionalBypass.cs:44:32:44:66 | call to method GetHostByAddress |
| ConditionalBypass.cs:46:13:46:46 | ... == ... |
| ConditionalBypass.cs:51:13:51:29 | access to property HostName |
| ConditionalBypass.cs:72:34:72:52 | access to property Cookies |
| ConditionalBypass.cs:74:13:74:40 | ... == ... |
| ConditionalBypass.cs:85:34:85:52 | access to property Cookies |
| ConditionalBypass.cs:86:13:86:40 | ... == ... |
#select
| ConditionalBypass.cs:19:13:19:33 | call to method login | ConditionalBypass.cs:14:26:14:48 | access to property QueryString | ConditionalBypass.cs:18:13:18:30 | ... == ... | Sensitive method may not be executed depending on $@, which flows from $@. | ConditionalBypass.cs:18:13:18:30 | ... == ... | this condition | ConditionalBypass.cs:14:26:14:48 | access to property QueryString | user input |
| ConditionalBypass.cs:25:13:25:33 | call to method login | ConditionalBypass.cs:21:34:21:52 | access to property Cookies | ConditionalBypass.cs:24:13:24:45 | call to method Equals | Sensitive method may not be executed depending on $@, which flows from $@. | ConditionalBypass.cs:24:13:24:45 | call to method Equals | this condition | ConditionalBypass.cs:21:34:21:52 | access to property Cookies | user input |


@@ -1,37 +1,16 @@
edges
| HtmlEncode.cs:12:40:12:65 | call to method UrlEncode | HtmlEncode.cs:12:28:12:65 | ... + ... |
| InappropriateEncoding.cs:15:28:15:40 | call to method Encode | InappropriateEncoding.cs:20:46:20:51 | access to local variable query1 |
| InappropriateEncoding.cs:15:28:15:40 | call to method Encode | InappropriateEncoding.cs:20:46:20:51 | access to local variable query1 |
| InappropriateEncoding.cs:33:22:33:34 | call to method Encode | InappropriateEncoding.cs:33:22:33:34 | call to method Encode |
| InappropriateEncoding.cs:34:22:34:49 | call to method UrlEncode | InappropriateEncoding.cs:34:22:34:49 | call to method UrlEncode |
| InappropriateEncoding.cs:35:22:35:73 | call to method UrlEncode | InappropriateEncoding.cs:35:22:35:73 | call to method UrlEncode |
| InappropriateEncoding.cs:36:28:36:55 | call to method UrlEncode | InappropriateEncoding.cs:37:32:37:43 | access to local variable encodedValue |
| InappropriateEncoding.cs:36:28:36:55 | call to method UrlEncode | InappropriateEncoding.cs:38:22:38:59 | ... + ... |
| InappropriateEncoding.cs:36:28:36:55 | call to method UrlEncode | InappropriateEncoding.cs:39:22:39:71 | call to method Format |
| InappropriateEncoding.cs:57:28:57:56 | call to method HtmlEncode | InappropriateEncoding.cs:58:31:58:42 | access to local variable encodedValue |
| InappropriateEncoding.cs:66:19:66:24 | return Encode | InappropriateEncoding.cs:15:28:15:40 | call to method Encode |
| InappropriateEncoding.cs:68:16:68:42 | call to method Replace | InappropriateEncoding.cs:66:19:66:24 | return Encode |
| InappropriateEncoding.cs:68:16:68:42 | call to method Replace | InappropriateEncoding.cs:15:28:15:40 | call to method Encode |
| SqlEncode.cs:16:62:16:87 | call to method Replace | SqlEncode.cs:17:46:17:50 | access to local variable query |
| UrlEncode.cs:12:43:12:69 | call to method HtmlEncode | UrlEncode.cs:12:31:12:69 | ... + ... |
nodes
| HtmlEncode.cs:12:28:12:65 | ... + ... |
| HtmlEncode.cs:12:40:12:65 | call to method UrlEncode |
| InappropriateEncoding.cs:15:28:15:40 | call to method Encode |
| InappropriateEncoding.cs:15:28:15:40 | call to method Encode |
| InappropriateEncoding.cs:20:46:20:51 | access to local variable query1 |
| InappropriateEncoding.cs:20:46:20:51 | access to local variable query1 |
| InappropriateEncoding.cs:33:22:33:34 | call to method Encode |
| InappropriateEncoding.cs:34:22:34:49 | call to method UrlEncode |
| InappropriateEncoding.cs:35:22:35:73 | call to method UrlEncode |
| InappropriateEncoding.cs:36:28:36:55 | call to method UrlEncode |
| InappropriateEncoding.cs:37:32:37:43 | access to local variable encodedValue |
| InappropriateEncoding.cs:38:22:38:59 | ... + ... |
| InappropriateEncoding.cs:39:22:39:71 | call to method Format |
| InappropriateEncoding.cs:57:28:57:56 | call to method HtmlEncode |
| InappropriateEncoding.cs:58:31:58:42 | access to local variable encodedValue |
| InappropriateEncoding.cs:66:19:66:24 | return Encode |
| InappropriateEncoding.cs:68:16:68:42 | call to method Replace |
| SqlEncode.cs:16:62:16:87 | call to method Replace |
| SqlEncode.cs:17:46:17:50 | access to local variable query |
| UrlEncode.cs:12:31:12:69 | ... + ... |
| UrlEncode.cs:12:43:12:69 | call to method HtmlEncode |
#select
| HtmlEncode.cs:12:28:12:65 | ... + ... | HtmlEncode.cs:12:40:12:65 | call to method UrlEncode | HtmlEncode.cs:12:28:12:65 | ... + ... | This HTML expression may include data from a $@. | HtmlEncode.cs:12:40:12:65 | call to method UrlEncode | possibly inappropriately encoded value |
| InappropriateEncoding.cs:20:46:20:51 | access to local variable query1 | InappropriateEncoding.cs:15:28:15:40 | call to method Encode | InappropriateEncoding.cs:20:46:20:51 | access to local variable query1 | This SQL expression may include data from a $@. | InappropriateEncoding.cs:15:28:15:40 | call to method Encode | possibly inappropriately encoded value |