C#: Consider Enums and System.DateTimeOffset as having a sanitizing effect.

2026-04-26 01:05:15 +02:00 · 2025-04-02 11:16:06 +02:00
parent 08159896f3
commit cf75493fe9
2 changed files with 8 additions and 2 deletions
--- a/csharp/ql/lib/semmle/code/csharp/frameworks/System.qll
+++ b/csharp/ql/lib/semmle/code/csharp/frameworks/System.qll
@@ -756,6 +756,11 @@ class SystemDateTimeStruct extends SystemStruct {
  SystemDateTimeStruct() { this.hasName("DateTime") }
 }

+/** The `System.DateTimeOffset` struct. */
+class SystemDateTimeOffsetStruct extends SystemStruct {
+  SystemDateTimeOffsetStruct() { this.hasName("DateTimeOffset") }
+}
+
 /** The `System.Span<T>` struct. */
 class SystemSpanStruct extends SystemUnboundGenericStruct {
  SystemSpanStruct() {
--- a/csharp/ql/lib/semmle/code/csharp/security/Sanitizers.qll
+++ b/csharp/ql/lib/semmle/code/csharp/security/Sanitizers.qll
@@ -57,8 +57,9 @@ class SimpleTypeSanitizedExpr extends DataFlow::ExprNode {
  SimpleTypeSanitizedExpr() {
    exists(Type t | t = this.getType() or t = this.getType().(NullableType).getUnderlyingType() |
      t instanceof SimpleType or
-      t instanceof SystemDateTimeStruct
-      // or t instanceof Enum
+      t instanceof SystemDateTimeStruct or
+      t instanceof SystemDateTimeOffsetStruct or
+      t instanceof Enum
    )
  }
 }