Merge pull request #2442 from hvitved/csharp/dataflow/conversion-operator

Approved by calumgrant
2026-04-28 18:25:24 +02:00 · 2019-12-02 11:01:35 +00:00
parent f958916c76 04cecc04dd
commit dc7a0c1b91
6 changed files with 42 additions and 1 deletions
--- a/csharp/ql/test/library-tests/dataflow/local/DataFlowStep.expected
+++ b/csharp/ql/test/library-tests/dataflow/local/DataFlowStep.expected
@@ -586,6 +586,9 @@
 | LocalDataFlow.cs:480:67:480:68 | os | LocalDataFlow.cs:486:32:486:33 | access to parameter os |
 | LocalDataFlow.cs:483:21:483:21 | access to parameter x | LocalDataFlow.cs:483:16:483:21 | ... = ... |
 | LocalDataFlow.cs:486:32:486:33 | access to parameter os | LocalDataFlow.cs:486:26:486:33 | ... = ... |
+| LocalDataFlow.cs:491:41:491:44 | args | LocalDataFlow.cs:493:29:493:32 | access to parameter args |
+| LocalDataFlow.cs:493:29:493:32 | [post] access to parameter args | LocalDataFlow.cs:494:27:494:30 | access to parameter args |
+| LocalDataFlow.cs:493:29:493:32 | access to parameter args | LocalDataFlow.cs:494:27:494:30 | access to parameter args |
 | SSA.cs:5:17:5:17 | SSA entry def(this.S) | SSA.cs:67:9:67:14 | access to field S |
 | SSA.cs:5:17:5:17 | this | SSA.cs:67:9:67:12 | this access |
 | SSA.cs:5:26:5:32 | tainted | SSA.cs:8:24:8:30 | access to parameter tainted |
--- a/csharp/ql/test/library-tests/dataflow/local/LocalDataFlow.cs
+++ b/csharp/ql/test/library-tests/dataflow/local/LocalDataFlow.cs
@@ -485,4 +485,12 @@ public class LocalDataFlow
        IEnumerable<object> os2;
        foreach(var o in os2 = os) { }
    }
+
+    public static implicit operator LocalDataFlow(string[] args) => null;
+
+    public void ConversionFlow(string[] args)
+    {
+        Span<object> span = args; // flow (library operator)
+        LocalDataFlow x = args; // no flow (source code operator)
+    }
 }
--- a/csharp/ql/test/library-tests/dataflow/local/TaintTrackingStep.expected
+++ b/csharp/ql/test/library-tests/dataflow/local/TaintTrackingStep.expected
@@ -736,6 +736,11 @@
 | LocalDataFlow.cs:480:67:480:68 | os | LocalDataFlow.cs:486:32:486:33 | access to parameter os |
 | LocalDataFlow.cs:483:21:483:21 | access to parameter x | LocalDataFlow.cs:483:16:483:21 | ... = ... |
 | LocalDataFlow.cs:486:32:486:33 | access to parameter os | LocalDataFlow.cs:486:26:486:33 | ... = ... |
+| LocalDataFlow.cs:491:41:491:44 | args | LocalDataFlow.cs:491:41:491:44 | args |
+| LocalDataFlow.cs:491:41:491:44 | args | LocalDataFlow.cs:493:29:493:32 | access to parameter args |
+| LocalDataFlow.cs:493:29:493:32 | [post] access to parameter args | LocalDataFlow.cs:494:27:494:30 | access to parameter args |
+| LocalDataFlow.cs:493:29:493:32 | access to parameter args | LocalDataFlow.cs:493:29:493:32 | call to operator implicit conversion |
+| LocalDataFlow.cs:493:29:493:32 | access to parameter args | LocalDataFlow.cs:494:27:494:30 | access to parameter args |
 | SSA.cs:5:17:5:17 | SSA entry def(this.S) | SSA.cs:67:9:67:14 | access to field S |
 | SSA.cs:5:17:5:17 | this | SSA.cs:67:9:67:12 | this access |
 | SSA.cs:5:26:5:32 | tainted | SSA.cs:5:26:5:32 | tainted |
--- a/csharp/ql/test/library-tests/frameworks/EntityFramework/EntityFrameworkCore.cs
+++ b/csharp/ql/test/library-tests/frameworks/EntityFramework/EntityFrameworkCore.cs
@@ -50,7 +50,7 @@ namespace EFCoreTests
            Sink(taintSource);  // Tainted
            Sink(new RawSqlString(taintSource));  // Tainted
            Sink((RawSqlString)taintSource);  // Tainted
-            Sink((RawSqlString)(FormattableString)$"{taintSource}");  // Not tainted
+            Sink((RawSqlString)(FormattableString)$"{taintSource}");  // Tainted, but not reported because conversion operator is in a stub .cs file

            // Tainted via database, even though technically there were no reads or writes to the database in this particular case.
            var p1 = new Person { Name = taintSource };