hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-16 16:53:25 +01:00
Code Issues Packages Projects Releases Wiki Activity

C#: Introduce data flow return nodes

Browse Source 
Before this change,

```
flowOutOfCallableStep(CallNode call, ReturnNode ret, OutNode out, CallContext cc)
```

would compute all combinations of call sites `call` and returned expressions `ret`
up front.

Now, we instead introduce explicit return nodes, so each callable has exactly
one return node (as well as one for each `out`/`ref` parameter). There is then
local flow from a returned expression to the relevant return node, and
`flowOutOfCallableStep()` computes combinations of call sites and return nodes.

Not only does this result in better performance, it also makes `flowOutOfCallableStep()`
symmetric to `flowIntoCallableStep()`, where each argument is mapped to a parameter,
and not to all reads of that parameter.
This commit is contained in:
Tom Hvitved
2019-03-01 15:50:10 +01:00
parent e6630cda6b
commit e6f7632d4c
11 changed files with 297 additions and 163 deletions
Download Patch File Download Diff File Expand all files Collapse all files

281
csharp/ql/src/semmle/code/csharp/dataflow/DataFlow.qll
View File

@@ -246,17 +246,6 @@ module DataFlow {
none()
}
/**
* INTERNAL: Do not use.
*
* Holds if the additional flow step from `ret` to `out` out of the call
* `call` must be taken into account in the analysis, but only in call
* context `cc`.
*/
predicate isAdditionalFlowStepOutOfCall(Node call, Node ret, Node out, CallContext cc) {
none()
}
/**
* Holds if data may flow from `source` to `sink` for this configuration.
*/
@@ -503,8 +492,10 @@ module DataFlow {
/**
* Holds if this argument occurs at position `pos` in call `call`.
*/
predicate isArgumentOf(CallNode call, int pos, Configuration config) {
exists(ExplicitParameterNode p | flowIntoCallableStep(call, this, p, _, config) |
private predicate isArgumentOf(CallNode call, int pos, Configuration config) {
exists(ExplicitParameterNode p |
Pruning::flowIntoCallableStepCand(call, this, p, _, config)
|
pos = p.getParameter().getPosition()
)
}
@@ -518,7 +509,6 @@ module DataFlow {
)
}
bindingset[config]
override ExplicitArgumentContext getContext(Configuration config) {
result.getCallContext() = this.getArgumentCallContext(config)
}
@@ -591,18 +581,47 @@ module DataFlow {
abstract private class ReturnNode extends Node { }
/**
* A data flow node that represents an expression returned explicitly by a callable.
* Either an argument of `return`/`yield return` or an expression assigned to an
* `out`/`ref` parameter.
* A data flow node that represents an expression returned by a callable,
* using an ordinary `return` or a method expression.
*/
private class ExplicitReturnNode extends ReturnNode, ExprNode {
ExplicitReturnNode() {
exists(DotNet::Callable c, DotNet::Expr e | e = this.getExpr() |
c.canReturn(e) or
c.(Callable).canYieldReturn(e) or
callableReturnsOutOrRef(c, _, e)
)
}
class NormalReturnNode extends ReturnNode, TNormalReturnNode {
override Type getType() { result = this.getEnclosingCallable().getReturnType() }
override DotNet::Callable getEnclosingCallable() { this = TNormalReturnNode(result) }
override string toString() { result = "return" }
override Location getLocation() { result = this.getEnclosingCallable().getLocation() }
}
/**
* A data flow node that represents an expression returned by a callable,
* using `yield return`.
*/
class YieldReturnNode extends ReturnNode, TYieldReturnNode {
override Type getType() { result = this.getEnclosingCallable().getReturnType() }
override Callable getEnclosingCallable() { this = TYieldReturnNode(result) }
override string toString() { result = "yield return" }
override Location getLocation() { result = this.getEnclosingCallable().getLocation() }
}
/**
* A data flow node that represents an expression returned by a callable,
* using an `out`/`ref` parameter.
*/
private class OutRefReturnNode extends ReturnNode, TOutRefReturnNode {
Parameter getParameter() { this = TOutRefReturnNode(result) }
override Type getType() { result = this.getParameter().getType() }
override Callable getEnclosingCallable() { result = this.getParameter().getCallable() }
override string toString() { result = "return (out/ref)" }
override Location getLocation() { result = this.getParameter().getLocation() }
}
/**
@@ -998,6 +1017,12 @@ module DataFlow {
or
flowThroughCallableLibraryOutRef(_, nodeFrom, nodeTo, true)
or
exists(DotNet::Callable c | c.canReturn(nodeFrom.asExpr()) | nodeTo = TNormalReturnNode(c))
or
exists(Parameter p | callableReturnsOutOrRef(_, p, nodeFrom.asExpr()) |
nodeTo = TOutRefReturnNode(p)
)
or
localFlowStepCil(nodeFrom, nodeTo)
}
@@ -1100,7 +1125,10 @@ module DataFlow {
config.isSource(node) or
jumpStep(_, node) or
node instanceof ParameterNode or
node instanceof OutNode
node instanceof OutNode or
node instanceof NormalReturnNode or
node instanceof YieldReturnNode or
node instanceof OutRefReturnNode
)
}
@@ -1111,9 +1139,18 @@ module DataFlow {
predicate localFlowExit(Node node, Configuration config) {
Pruning::nodeCand(node, config) and
(
jumpStep(node, _) or
node instanceof ArgumentNode or
node instanceof ReturnNode or
jumpStep(node, _)
or
node instanceof ArgumentNode
or
node instanceof ReturnNode
or
exists(ReturnNode rn | localFlowStep(node, rn, config) |
rn instanceof NormalReturnNode or
rn instanceof YieldReturnNode or
rn instanceof OutRefReturnNode
)
or
config.isSink(node)
)
}
@@ -1175,9 +1212,7 @@ module DataFlow {
flowIntoCallableStep(_, arg, node, _, config)
)
or
exists(Node mid | nodeCandFwd1(mid, config) |
flowOutOfCallableStep(_, mid, node, _, config)
)
exists(Node mid | nodeCandFwd1(mid, config) | flowOutOfCallableStep(mid, _, node, _))
)
}
@@ -1198,7 +1233,7 @@ module DataFlow {
flowIntoCallableStep(_, node, p, _, config)
)
or
exists(Node mid | nodeCand1(mid, config) | flowOutOfCallableStep(_, node, mid, _, config))
exists(Node mid | nodeCand1(mid, config) | flowOutOfCallableStep(node, _, mid, _))
)
}
@@ -1258,12 +1293,15 @@ module DataFlow {
flowIntoCallableStep(call, arg, p, _, config)
}
pragma[noinline]
// noopt is need to force scan of `nodeCand1()` followed by join on
// `flowOutOfCallableStep()`, instead of the other way around
pragma[noopt]
private predicate flowOutOfCallableStepCand1(
CallNode call, ReturnNode ret, OutNode out, Configuration config
) {
nodeCand1(out, config) and
flowOutOfCallableStep(call, ret, out, _, config)
nodeCand1(ret, _) and
nodeCand1(ret, config) and
flowOutOfCallableStep(ret, call, out, _)
}
/**
@@ -1313,12 +1351,15 @@ module DataFlow {
flowIntoCallableStep(_, arg, p, _, config)
}
pragma[noinline]
// noopt is need to force scan of `nodeCandFwd2()` followed by join on
// `flowOutOfCallableStep()`, instead of the other way around
pragma[noopt]
private predicate flowOutOfCallableStepCandFwd2(
CallNode call, ReturnNode ret, OutNode out, CallContext cc, Configuration config
ReturnNode ret, OutNode out, Configuration config
) {
nodeCandFwd2(ret, _, _) and
nodeCandFwd2(ret, _, config) and
flowOutOfCallableStep(call, ret, out, cc, config)
flowOutOfCallableStep(ret, _, out, _)
}
/**
@@ -1346,7 +1387,7 @@ module DataFlow {
)
or
exists(OutNode out | nodeCand2(out, _, config) |
flowOutOfCallableStepCandFwd2(_, node, out, _, config) and
flowOutOfCallableStepCandFwd2(node, out, config) and
isReturned = true
)
or
@@ -1360,7 +1401,27 @@ module DataFlow {
* Holds if `node` is part of a path from a source to a sink in the
* configuration `config`, taking simple call contexts into consideration.
*/
pragma[noinline]
predicate nodeCand(Node node, Configuration config) { nodeCand2(node, _, config) }
pragma[noinline]
predicate flowIntoCallableStepCand(
CallNode call, ArgumentNode arg, ParameterNode p, CallContext cc, Configuration config
) {
nodeCand(p, config) and
flowIntoCallableStep(call, arg, p, cc, config)
}
// noopt is need to force scan of `nodeCand()` followed by join on
// `flowOutOfCallableStep()`, instead of the other way around
pragma[noopt]
predicate flowOutOfCallableStepCand(
CallNode call, ReturnNode ret, OutNode out, CallContext cc, Configuration config
) {
nodeCand(ret, _) and
nodeCand(ret, config) and
flowOutOfCallableStep(ret, call, out, cc)
}
}
// A workaround to avoid eager joining on configurations
@@ -1387,7 +1448,10 @@ module DataFlow {
exists(Ssa::ExplicitDefinition def | def.isCapturedVariableDefinitionFlowIn(_, c) |
v = def.getSourceVariable().getAssignable()
)
}
} or
TNormalReturnNode(DotNet::Callable c) { c.canReturn(_) } or
TYieldReturnNode(Callable c) { c.canYieldReturn(_) } or
TOutRefReturnNode(Parameter p) { callableReturnsOutOrRef(_, p, _) }
/**
* Holds if `pred` can flow to `succ`, by jumping from one callable to
@@ -1453,25 +1517,17 @@ module DataFlow {
* account.
*/
cached
predicate flowOutOfCallableStepNoConfig(
CallNode call, ReturnNode ret, OutNode out, CallContext cc
) {
flowOutOfCallableExplicitStep(call, ret, out, cc)
predicate flowOutOfCallableStep(ReturnNode ret, CallNode call, OutNode out, CallContext cc) {
flowOutOfCallableNonDelegateCall(call.asExpr(), ret, out) and
cc instanceof EmptyCallContext
or
flowOutOfCallableDelegateCall(call, ret, cc) and
out = call
or
flowOutOfCallableCapturedVarStep(call, ret, out) and
cc instanceof EmptyCallContext
}
private predicate flowOutOfCallableExplicitStep(
CallNode call, ReturnNode ret, OutNode out, CallContext cc
) {
flowOutOfCallableNonDelegateCall(call.asExpr(), ret.asExpr(), out) and
cc instanceof EmptyCallContext
or
flowOutOfCallableDelegateCall(call, ret.asExpr(), cc) and
out = call
}
/**
* Holds if `ret` is an expression returned implicitly by a callable, from
* `call` using zero or more additional calls, and `out` is the corresponding
@@ -1496,9 +1552,9 @@ module DataFlow {
Pruning::nodeCand(arg, _)
} or
TReturnContext(CallNode call, DotNet::Callable callable) {
exists(ReturnNode ret, Configuration config | Pruning::nodeCand(ret, config) |
exists(ReturnNode ret |
callable = ret.getEnclosingCallable() and
flowOutOfCallableStep(call, ret, _, _, config)
Pruning::flowOutOfCallableStepCand(call, ret, _, _, _)
)
}
@@ -1516,8 +1572,8 @@ module DataFlow {
* Holds if flow out of a callable is allowed to go via the call
* `call` in this context.
*/
bindingset[call, config]
predicate flowOutAllowedToCall(DotNet::Expr call, Configuration config) {
bindingset[call]
predicate flowOutAllowedToCall(DotNet::Expr call) {
// This context poses no restriction
this instanceof NoContext or
// Data in this context is from a call, so flow back out must be through
@@ -1529,8 +1585,8 @@ module DataFlow {
// call context, in which case flow further out must respect that call
// context
this = any(ReturnContext rc |
not exists(rc.getARequiredContext(config)) or
rc.getARequiredContext(config).(ArgumentCallContext).isArgument(call, _)
not exists(rc.getARequiredContext()) or
rc.getARequiredContext().(ArgumentCallContext).isArgument(call, _)
)
}
}
@@ -1595,22 +1651,15 @@ module DataFlow {
* Gets a call context required for the flow out to the data described by this
* context to be possible.
*/
ArgumentCallContext getARequiredContext(Configuration config) {
result = getARequiredContext0(call, callable, config)
ArgumentCallContext getARequiredContext() {
exists(ReturnNode ret | Pruning::flowOutOfCallableStepCand(call, ret, _, result, _) |
callable = ret.getEnclosingCallable()
)
}
override string toString() { result = call.toString() }
}
pragma[noinline]
private ArgumentCallContext getARequiredContext0(
CallNode call, DotNet::Callable callable, Configuration config
) {
exists(ReturnNode ret | flowOutOfCallableStep(call, ret, _, result, config) |
callable = ret.getEnclosingCallable()
)
}
newtype TFlowGraphNode =
TFlowGraphNode0(Node node, Context ctx, Configuration config) {
// A source
@@ -1700,16 +1749,15 @@ module DataFlow {
pragma[noinline]
private predicate flowIntoCallable0(FlowGraphNode mid, ArgumentNode arg, ParameterNode p) {
exists(Context outerctx, CallContext cc, Configuration config |
config = mid.getConfiguration() and
flowIntoCallableStep(_, arg, p, cc, config) and
exists(Context outerctx, CallContext cc |
Pruning::flowIntoCallableStepCand(_, arg, p, cc, mid.getConfiguration()) and
arg = mid.getNode() and
outerctx = mid.getContext()
|
cc instanceof EmptyCallContext
or
exists(DotNet::Expr call | cc.(ArgumentCallContext).isArgument(call, _) |
outerctx.flowOutAllowedToCall(call, config)
outerctx.flowOutAllowedToCall(call)
)
)
}
@@ -1728,7 +1776,7 @@ module DataFlow {
private predicate flowOutOfCallable0(
FlowGraphNode mid, CallNode call, OutNode out, DotNet::Callable callable, Context innerctx
) {
flowOutOfCallableStep(call, mid.getNode(), out, _, mid.getConfiguration()) and
Pruning::flowOutOfCallableStepCand(call, mid.getNode(), out, _, mid.getConfiguration()) and
innerctx = mid.getContext() and
not innerctx instanceof ArgumentContext and
callable = mid.getEnclosingCallable()
@@ -1744,7 +1792,7 @@ module DataFlow {
flowOutOfCallable0(mid, call, out, callable, innerctx) and
outerctx = TReturnContext(call, callable)
|
innerctx.flowOutAllowedToCall(call.getCall(), mid.getConfiguration())
innerctx.flowOutAllowedToCall(call.getCall())
)
}
@@ -1755,7 +1803,7 @@ module DataFlow {
exists(int i | innerctx.getCallContext() = call.getCallContext(i) |
mid.getNode() = ret and
mid.getContext() = innerctx and
mid.getEnclosingCallable().getParameter(i) = p.getParameter()
mid.getEnclosingCallable() = p.getParameter().getCallable()
)
}
@@ -1771,13 +1819,14 @@ module DataFlow {
/** Holds if data may flow from `p` to a a node `out` returned by the callable. */
private predicate paramFlowsThrough(
CallNode call, ParameterNode p, OutNode out, ArgumentContext innerctx, CallContext cc
CallNode call, ParameterNode p, OutNode out, ArgumentContext innerctx, CallContext cc,
Configuration config
) {
exists(FlowGraphNode mid, ReturnNode ret |
paramFlowsThroughExplicit(call, p, innerctx, mid, ret) or
paramFlowsThroughImplicit(call, p, innerctx, mid, ret)
|
flowOutOfCallableStep(call, ret, out, cc, mid.getConfiguration())
Pruning::flowOutOfCallableStepCand(call, ret, out, cc, config)
)
}
@@ -1789,7 +1838,7 @@ module DataFlow {
private predicate flowThroughCallable0(FlowGraphNode mid, OutNode out, Context ctx) {
exists(CallNode call, ParameterNode p, ArgumentContext innerctx, CallContext cc |
flowIntoCallable(mid, p, innerctx) and
paramFlowsThrough(call, p, out, innerctx, cc)
paramFlowsThrough(call, p, out, innerctx, cc, mid.getConfiguration())
|
// Data in `mid` is from a call, so that call must match the required call (if any),
// and the context after flow through `call` must be recovered
@@ -1813,10 +1862,7 @@ module DataFlow {
flowThroughCallable0(_, out, _) and
e = out.asExpr()
or
exists(Expr mid |
flowThroughCallable1Scope(out, mid) |
e = mid.getAChildExpr()
)
exists(Expr mid | flowThroughCallable1Scope(out, mid) | e = mid.getAChildExpr())
}
pragma[nomagic]
@@ -1970,21 +2016,6 @@ module DataFlow {
config.isAdditionalFlowStepIntoCall(call, arg, p.getParameter(), cc)
}
/**
* Holds if `ret` is an expression returned by a callable to which the call
* `call` resolves, and `out` is the corresponding output (either `call`
* itself or an `out`/`ref` argument).
*
* Additional steps specified by the configuration are taken into account.
*/
bindingset[config]
predicate flowOutOfCallableStep(
CallNode call, ReturnNode ret, OutNode out, CallContext cc, Configuration config
) {
flowOutOfCallableStepNoConfig(call, ret, out, cc) or
config.isAdditionalFlowStepOutOfCall(call, ret, out, cc)
}
/**
* Holds if `arg` is an argument of the non-delegate call `call`,
* which resolves to a callable with corresponding parameter `p`.
@@ -2053,25 +2084,35 @@ module DataFlow {
p = result.getParameter(i)
}
pragma[noinline]
private predicate flowOutOfCallableNonDelegateCall0(ReturnNode ret, DotNet::Callable c) {
c = ret.(NormalReturnNode).getEnclosingCallable()
or
c = ret.(YieldReturnNode).getEnclosingCallable()
}
pragma[noinline]
private predicate flowOutOfCallableNonDelegateCall1(NonDelegateCall call, ReturnNode ret) {
flowOutOfCallableNonDelegateCall0(ret, call.getARuntimeTarget())
}
/**
* Holds if `ret` is an expression returned by a callable to
* which the non-delegate call `call` resolves, and `out` is the
* corresponding output (either `call` itself or first uses of
* a relevant `out`/`ref` argument).
*/
predicate flowOutOfCallableNonDelegateCall(NonDelegateCall call, DotNet::Expr ret, OutNode out) {
exists(DotNet::Callable callable | callable = call.getARuntimeTarget() |
// ordinary return value
callable.canReturn(ret) and
call = out.asExpr()
or
// return via out/ref parameter
exists(Parameter outRef, AssignableDefinitions::OutRefDefinition def |
callableReturnsOutOrRef(callable.getSourceDeclaration(), outRef.getSourceDeclaration(),
ret) and
def = out.(SsaDefinitionNode).getDefinition().(Ssa::ExplicitDefinition).getADefinition() and
def.getTargetAccess() = call.(Call).getArgumentForParameter(outRef)
)
predicate flowOutOfCallableNonDelegateCall(NonDelegateCall call, ReturnNode ret, OutNode out) {
// (yield) return value
flowOutOfCallableNonDelegateCall1(call, ret) and
call = out.asExpr()
or
// return via out/ref parameter
exists(Parameter p, AssignableDefinitions::OutRefDefinition def |
p.getSourceDeclaration() = ret.(OutRefReturnNode).getParameter()
|
def = out.(SsaDefinitionNode).getDefinition().(Ssa::ExplicitDefinition).getADefinition() and
def.getTargetAccess() = call.(Call).getArgumentForParameter(p)
)
}
@@ -2079,8 +2120,10 @@ module DataFlow {
* Holds if `ret` is an expression returned by a callable to
* which the delegate call `call` resolves.
*/
private predicate flowOutOfCallableDelegateCall(CallNode call, Expr ret, CallContext cc) {
exists(Callable target | target.getSourceDeclaration().canReturn(ret) |
private predicate flowOutOfCallableDelegateCall(
CallNode call, NormalReturnNode ret, CallContext cc
) {
exists(Callable target | ret.getEnclosingCallable() = target.getSourceDeclaration() |
target = call.asExpr().(DelegateCall).getARuntimeTarget(cc) or
target = call.(ImplicitDelegateCallNode).getArgument().getARuntimeTarget(cc)
)
@@ -2090,11 +2133,11 @@ module DataFlow {
* Holds if callable `c` can return `e` as an `out`/`ref` value
* for parameter `outRef`.
*/
predicate callableReturnsOutOrRef(Callable c, Parameter outRef, Expr e) {
predicate callableReturnsOutOrRef(Callable c, Parameter p, Expr e) {
exists(Ssa::ExplicitDefinition def |
def.getADefinition().getSource() = e and
def.isLiveOutRefParameterDefinition(outRef) and
outRef = c.getAParameter()
def.isLiveOutRefParameterDefinition(p) and
p = c.getAParameter()
)
}
}

14
csharp/ql/src/semmle/code/csharp/dataflow/DelegateDataFlow.qll
View File

@@ -205,14 +205,14 @@ private predicate flowsFrom(
exists(DataFlow::Node mid |
flowsFrom(sink, mid, _, lastCall) and
isReturned = true and
flowOutOfCallableNonDelegateCall(_, node.asExpr(), mid)
flowOutOfCallableNonDelegateCall(_, node, mid)
)
or
// Flow out of a callable (delegate call).
exists(DataFlow::ExprNode mid |
flowsFrom(sink, mid, _, _) and
isReturned = true and
flowOutOfDelegateCall(mid.getExpr(), node.asExpr(), lastCall)
flowOutOfDelegateCall(mid.getExpr(), node, lastCall)
)
}
@@ -230,7 +230,7 @@ private CallContext getLastCall(CallContext prevLastCall, Expr call, int i) {
result = prevLastCall
}
// Predicate folding to get proper join-order
pragma[noinline]
private predicate flowIntoDelegateCall(DelegateCall dc, Callable c, Expr e, int i) {
exists(DelegateFlowSource dfs, DelegateCallExpr dce |
// the call context is irrelevant because the delegate call
@@ -242,11 +242,13 @@ private predicate flowIntoDelegateCall(DelegateCall dc, Callable c, Expr e, int
)
}
// Predicate folding to get proper join-order
private predicate flowOutOfDelegateCall(DelegateCall dc, Expr e, CallContext lastCall) {
pragma[noinline]
private predicate flowOutOfDelegateCall(
DelegateCall dc, DataFlow::Internal::NormalReturnNode ret, CallContext lastCall
) {
exists(DelegateFlowSource dfs, DelegateCallExpr dce, Callable c |
flowsFrom(dce, dfs, _, lastCall) and
c.canReturn(e) and
ret.getEnclosingCallable() = c and
c = dfs.getCallable() and
dc = dce.getDelegateCall()
)

17
csharp/ql/src/semmle/code/csharp/dataflow/TaintTracking.qll
View File

@@ -90,17 +90,6 @@ module TaintTracking {
DataFlow::Internal::flowIntoCallableLibraryCall(_, arg, call, p, false, cc)
}
final override predicate isAdditionalFlowStepOutOfCall(
DataFlow::Node call, DataFlow::Node ret, DataFlow::Node out, CallContext::CallContext cc
) {
exists(DispatchCall dc, Callable callable | canYieldReturn(callable, ret.asExpr()) |
dc.getCall() = call.asExpr() and
call = out and
callable = dc.getADynamicTarget() and
cc instanceof CallContext::EmptyCallContext
)
}
/**
* Holds if taint may flow from `source` to `sink` for this configuration.
*/
@@ -112,8 +101,6 @@ module TaintTracking {
/** INTERNAL: Do not use. */
module Internal {
predicate canYieldReturn(Callable c, Expr e) { c.getSourceDeclaration().canYieldReturn(e) }
private CIL::DataFlowNode asCilDataFlowNode(DataFlow::Node node) {
result = node.asParameter() or
result = node.asExpr()
@@ -258,6 +245,10 @@ module TaintTracking {
)
or
DataFlow::Internal::flowThroughCallableLibraryOutRef(_, nodeFrom, nodeTo, false)
or
exists(Callable c | c.canYieldReturn(nodeFrom.asExpr()) |
c = nodeTo.(DataFlow::Internal::YieldReturnNode).getEnclosingCallable()
)
}
}
import Cached

33
csharp/ql/test/library-tests/csharp7/LocalTaintFlow.expected
View File

@@ -1,17 +1,27 @@
| CSharp7.cs:17:18:17:22 | access to field field | CSharp7.cs:17:9:17:11 | return |
| CSharp7.cs:18:14:18:14 | 5 | CSharp7.cs:18:14:18:14 | return |
| CSharp7.cs:21:16:21:20 | call to method Foo | CSharp7.cs:21:9:21:11 | return |
| CSharp7.cs:22:9:22:11 | value | CSharp7.cs:22:24:22:28 | access to parameter value |
| CSharp7.cs:22:16:22:28 | ... = ... | CSharp7.cs:22:9:22:11 | return |
| CSharp7.cs:25:39:25:43 | call to method Foo | CSharp7.cs:25:5:25:27 | return |
| CSharp7.cs:26:35:26:39 | call to method Foo | CSharp7.cs:26:6:26:28 | return |
| CSharp7.cs:31:19:31:19 | i | CSharp7.cs:33:16:33:16 | access to parameter i |
| CSharp7.cs:33:16:33:16 | access to parameter i | CSharp7.cs:33:16:33:20 | ... > ... |
| CSharp7.cs:33:16:33:16 | access to parameter i | CSharp7.cs:33:24:33:24 | access to parameter i |
| CSharp7.cs:33:16:33:20 | ... > ... | CSharp7.cs:33:16:33:59 | ... ? ... : ... |
| CSharp7.cs:33:16:33:59 | ... ? ... : ... | CSharp7.cs:31:9:31:13 | return |
| CSharp7.cs:33:24:33:24 | access to parameter i | CSharp7.cs:33:16:33:59 | ... ? ... : ... |
| CSharp7.cs:33:28:33:59 | throw ... | CSharp7.cs:33:16:33:59 | ... ? ... : ... |
| CSharp7.cs:41:13:41:21 | "tainted" | CSharp7.cs:39:23:39:23 | return (out/ref) |
| CSharp7.cs:41:13:41:21 | "tainted" | CSharp7.cs:41:9:41:21 | SSA def(x) |
| CSharp7.cs:44:19:44:19 | x | CSharp7.cs:46:13:46:13 | access to parameter x |
| CSharp7.cs:46:13:46:13 | access to parameter x | CSharp7.cs:44:33:44:33 | return (out/ref) |
| CSharp7.cs:46:13:46:13 | access to parameter x | CSharp7.cs:46:9:46:13 | SSA def(y) |
| CSharp7.cs:51:22:51:23 | SSA def(t1) | CSharp7.cs:53:18:53:19 | access to local variable t1 |
| CSharp7.cs:52:19:52:20 | SSA def(t2) | CSharp7.cs:56:14:56:15 | access to local variable t2 |
| CSharp7.cs:54:15:54:16 | SSA def(t1) | CSharp7.cs:55:14:55:15 | access to local variable t1 |
| CSharp7.cs:57:30:57:31 | SSA def(t4) | CSharp7.cs:58:18:58:19 | access to local variable t4 |
| CSharp7.cs:66:16:66:21 | (..., ...) | CSharp7.cs:64:16:64:16 | return |
| CSharp7.cs:66:17:66:17 | 1 | CSharp7.cs:66:16:66:21 | (..., ...) |
| CSharp7.cs:66:20:66:20 | 2 | CSharp7.cs:66:16:66:21 | (..., ...) |
| CSharp7.cs:72:13:72:19 | SSA def(z) | CSharp7.cs:75:16:75:16 | access to local variable z |
@@ -39,6 +49,7 @@
| CSharp7.cs:79:27:79:27 | access to local variable x | CSharp7.cs:79:22:79:28 | (..., ...) |
| CSharp7.cs:82:21:82:21 | x | CSharp7.cs:84:20:84:20 | access to parameter x |
| CSharp7.cs:84:16:84:24 | (..., ...) | CSharp7.cs:84:16:84:26 | access to field a |
| CSharp7.cs:84:16:84:26 | access to field a | CSharp7.cs:82:12:82:12 | return |
| CSharp7.cs:84:20:84:20 | access to parameter x | CSharp7.cs:84:16:84:24 | (..., ...) |
| CSharp7.cs:84:23:84:23 | 2 | CSharp7.cs:84:16:84:24 | (..., ...) |
| CSharp7.cs:89:13:89:34 | SSA def(t1) | CSharp7.cs:90:28:90:29 | access to local variable t1 |
@@ -86,30 +97,47 @@
| CSharp7.cs:123:28:123:36 | "DefUse3" | CSharp7.cs:123:22:123:36 | ... = ... |
| CSharp7.cs:131:20:131:20 | x | CSharp7.cs:131:32:131:32 | access to parameter x |
| CSharp7.cs:131:32:131:32 | access to parameter x | CSharp7.cs:131:32:131:36 | ... + ... |
| CSharp7.cs:131:32:131:36 | ... + ... | CSharp7.cs:131:9:131:39 | return |
| CSharp7.cs:131:36:131:36 | 1 | CSharp7.cs:131:32:131:36 | ... + ... |
| CSharp7.cs:133:22:133:22 | t | CSharp7.cs:133:39:133:39 | access to parameter t |
| CSharp7.cs:133:39:133:39 | access to parameter t | CSharp7.cs:133:9:133:42 | return |
| CSharp7.cs:137:21:137:21 | 2 | CSharp7.cs:137:9:137:22 | return |
| CSharp7.cs:139:29:139:29 | x | CSharp7.cs:139:34:139:34 | access to parameter x |
| CSharp7.cs:139:34:139:34 | access to parameter x | CSharp7.cs:139:34:139:38 | ... + ... |
| CSharp7.cs:139:34:139:38 | ... + ... | CSharp7.cs:139:29:139:38 | return |
| CSharp7.cs:139:38:139:38 | 1 | CSharp7.cs:139:34:139:38 | ... + ... |
| CSharp7.cs:141:20:141:20 | x | CSharp7.cs:141:26:141:26 | access to parameter x |
| CSharp7.cs:141:26:141:26 | access to parameter x | CSharp7.cs:141:26:141:30 | ... > ... |
| CSharp7.cs:141:26:141:26 | access to parameter x | CSharp7.cs:141:41:141:41 | access to parameter x |
| CSharp7.cs:141:26:141:30 | ... > ... | CSharp7.cs:141:26:141:50 | ... ? ... : ... |
| CSharp7.cs:141:26:141:50 | ... ? ... : ... | CSharp7.cs:141:9:141:51 | return |
| CSharp7.cs:141:34:141:34 | 1 | CSharp7.cs:141:34:141:46 | ... + ... |
| CSharp7.cs:141:34:141:46 | ... + ... | CSharp7.cs:141:26:141:50 | ... ? ... : ... |
| CSharp7.cs:141:38:141:46 | call to local function f7 | CSharp7.cs:141:34:141:46 | ... + ... |
| CSharp7.cs:141:50:141:50 | 0 | CSharp7.cs:141:26:141:50 | ... ? ... : ... |
| CSharp7.cs:143:20:143:20 | x | CSharp7.cs:143:29:143:29 | access to parameter x |
| CSharp7.cs:143:26:143:30 | call to local function f6 | CSharp7.cs:143:9:143:31 | return |
| CSharp7.cs:147:24:147:24 | x | CSharp7.cs:147:33:147:33 | access to parameter x |
| CSharp7.cs:147:30:147:34 | call to local function f7 | CSharp7.cs:147:13:147:35 | return |
| CSharp7.cs:148:20:148:24 | call to local function f9 | CSharp7.cs:145:9:149:9 | return |
| CSharp7.cs:152:25:152:25 | 0 | CSharp7.cs:152:13:152:26 | return |
| CSharp7.cs:155:16:155:20 | call to local function f1 | CSharp7.cs:129:9:129:12 | return |
| CSharp7.cs:160:23:160:23 | 1 | CSharp7.cs:160:9:160:24 | return |
| CSharp7.cs:161:18:161:18 | t | CSharp7.cs:161:24:161:24 | access to parameter t |
| CSharp7.cs:161:24:161:24 | access to parameter t | CSharp7.cs:161:9:161:25 | return |
| CSharp7.cs:163:26:163:26 | u | CSharp7.cs:167:22:167:22 | access to parameter u |
| CSharp7.cs:165:25:165:30 | call to local function f | CSharp7.cs:165:13:165:31 | return |
| CSharp7.cs:167:20:167:23 | call to local function g | CSharp7.cs:163:9:168:9 | return |
| CSharp7.cs:176:16:176:30 | SSA def(src) | CSharp7.cs:181:23:181:25 | access to local variable src |
| CSharp7.cs:176:22:176:30 | "tainted" | CSharp7.cs:176:16:176:30 | SSA def(src) |
| CSharp7.cs:177:25:177:25 | s | CSharp7.cs:177:33:177:33 | access to parameter s |
| CSharp7.cs:177:31:177:34 | call to local function g | CSharp7.cs:177:31:177:39 | ... + ... |
| CSharp7.cs:177:31:177:39 | ... + ... | CSharp7.cs:177:9:177:40 | return |
| CSharp7.cs:177:38:177:39 | "" | CSharp7.cs:177:31:177:39 | ... + ... |
| CSharp7.cs:178:25:178:25 | s | CSharp7.cs:178:31:178:31 | access to parameter s |
| CSharp7.cs:178:31:178:31 | access to parameter s | CSharp7.cs:178:9:178:32 | return |
| CSharp7.cs:179:25:179:25 | s | CSharp7.cs:179:37:179:37 | access to parameter s |
| CSharp7.cs:179:37:179:37 | access to parameter s | CSharp7.cs:179:9:179:40 | return |
| CSharp7.cs:181:23:181:25 | access to local variable src | CSharp7.cs:182:23:182:25 | access to local variable src |
| CSharp7.cs:182:23:182:25 | access to local variable src | CSharp7.cs:183:23:183:25 | access to local variable src |
| CSharp7.cs:191:13:191:18 | SSA def(v1) | CSharp7.cs:192:26:192:27 | access to local variable v1 |
@@ -128,7 +156,11 @@
| CSharp7.cs:199:33:199:34 | access to local variable r1 | CSharp7.cs:200:16:200:17 | access to local variable r1 |
| CSharp7.cs:203:24:203:24 | p | CSharp7.cs:206:20:206:20 | access to parameter p |
| CSharp7.cs:205:28:205:28 | q | CSharp7.cs:205:44:205:44 | access to parameter q |
| CSharp7.cs:205:40:205:44 | ref ... | CSharp7.cs:205:9:205:47 | return |
| CSharp7.cs:206:16:206:20 | ref ... | CSharp7.cs:203:13:203:14 | return |
| CSharp7.cs:216:13:216:17 | false | CSharp7.cs:214:30:214:30 | return (out/ref) |
| CSharp7.cs:216:13:216:17 | false | CSharp7.cs:216:9:216:17 | SSA def(x) |
| CSharp7.cs:217:16:217:23 | (..., ...) | CSharp7.cs:214:19:214:19 | return |
| CSharp7.cs:217:17:217:17 | 0 | CSharp7.cs:217:16:217:23 | (..., ...) |
| CSharp7.cs:217:20:217:22 | 0 | CSharp7.cs:217:16:217:23 | (..., ...) |
| CSharp7.cs:233:16:233:23 | SSA def(o) | CSharp7.cs:234:13:234:13 | access to local variable o |
@@ -179,6 +211,7 @@
| CSharp7.cs:284:20:284:62 | call to method Select | CSharp7.cs:284:13:284:62 | SSA def(list) |
| CSharp7.cs:284:32:284:35 | item | CSharp7.cs:284:41:284:44 | access to parameter item |
| CSharp7.cs:284:32:284:61 | [implicit call] (...) => ... | CSharp7.cs:284:20:284:62 | call to method Select |
| CSharp7.cs:284:40:284:61 | (..., ...) | CSharp7.cs:284:32:284:61 | return |
| CSharp7.cs:284:41:284:44 | access to parameter item | CSharp7.cs:284:51:284:54 | access to parameter item |
| CSharp7.cs:284:41:284:48 | access to property Key | CSharp7.cs:284:40:284:61 | (..., ...) |
| CSharp7.cs:284:51:284:54 | access to parameter item | CSharp7.cs:284:51:284:60 | access to property Value |

2
csharp/ql/test/library-tests/csharp7/TaintReaches.expected
View File

@@ -1,3 +1,4 @@
| CSharp7.cs:41:13:41:21 | "tainted" | CSharp7.cs:39:23:39:23 | return (out/ref) |
| CSharp7.cs:41:13:41:21 | "tainted" | CSharp7.cs:41:9:41:21 | SSA def(x) |
| CSharp7.cs:79:23:79:24 | "" | CSharp7.cs:79:22:79:28 | (..., ...) |
| CSharp7.cs:89:19:89:27 | "tainted" | CSharp7.cs:89:13:89:34 | SSA def(t1) |
@@ -29,6 +30,7 @@
| CSharp7.cs:176:22:176:30 | "tainted" | CSharp7.cs:181:23:181:25 | access to local variable src |
| CSharp7.cs:176:22:176:30 | "tainted" | CSharp7.cs:182:23:182:25 | access to local variable src |
| CSharp7.cs:176:22:176:30 | "tainted" | CSharp7.cs:183:23:183:25 | access to local variable src |
| CSharp7.cs:177:38:177:39 | "" | CSharp7.cs:177:9:177:40 | return |
| CSharp7.cs:177:38:177:39 | "" | CSharp7.cs:177:31:177:39 | ... + ... |
| CSharp7.cs:236:33:236:36 | "int " | CSharp7.cs:236:31:236:41 | $"..." |
| CSharp7.cs:240:33:240:39 | "string " | CSharp7.cs:240:31:240:44 | $"..." |

28
csharp/ql/test/library-tests/dataflow/global/DataFlowPath.expected
View File

@@ -137,7 +137,8 @@ edges
| GlobalDataFlow.cs:152:20:152:24 | SSA def(sink7) | GlobalDataFlow.cs:153:15:153:19 | access to local variable sink7 |
| GlobalDataFlow.cs:155:20:155:24 | SSA def(sink8) | GlobalDataFlow.cs:156:15:156:19 | access to local variable sink8 |
| GlobalDataFlow.cs:159:22:159:43 | call to method TaintedParam | GlobalDataFlow.cs:160:15:160:20 | access to local variable sink23 |
| GlobalDataFlow.cs:175:35:175:48 | "taint source" | GlobalDataFlow.cs:176:21:176:26 | delegate call |
| GlobalDataFlow.cs:175:29:175:48 | return | GlobalDataFlow.cs:176:21:176:26 | delegate call |
| GlobalDataFlow.cs:175:35:175:48 | "taint source" | GlobalDataFlow.cs:175:29:175:48 | return |
| GlobalDataFlow.cs:176:21:176:26 | delegate call | GlobalDataFlow.cs:177:15:177:19 | access to local variable sink9 |
| GlobalDataFlow.cs:185:39:185:41 | [implicit call] delegate creation of type Func<String> | GlobalDataFlow.cs:186:15:186:20 | access to local variable sink10 |
| GlobalDataFlow.cs:193:22:193:32 | access to property OutProperty | GlobalDataFlow.cs:194:15:194:20 | access to local variable sink19 |
@@ -153,10 +154,13 @@ edges
| GlobalDataFlow.cs:251:26:251:35 | sinkParam5 | GlobalDataFlow.cs:253:15:253:24 | access to parameter sinkParam5 |
| GlobalDataFlow.cs:256:26:256:35 | sinkParam6 | GlobalDataFlow.cs:258:15:258:24 | access to parameter sinkParam6 |
| GlobalDataFlow.cs:261:26:261:35 | sinkParam7 | GlobalDataFlow.cs:263:15:263:24 | access to parameter sinkParam7 |
| GlobalDataFlow.cs:313:16:313:29 | "taint source" | GlobalDataFlow.cs:149:21:149:25 | call to method Out |
| GlobalDataFlow.cs:313:16:313:29 | "taint source" | GlobalDataFlow.cs:185:39:185:41 | [implicit call] delegate creation of type Func<String> |
| GlobalDataFlow.cs:318:13:318:26 | "taint source" | GlobalDataFlow.cs:152:20:152:24 | SSA def(sink7) |
| GlobalDataFlow.cs:323:13:323:26 | "taint source" | GlobalDataFlow.cs:155:20:155:24 | SSA def(sink8) |
| GlobalDataFlow.cs:311:12:311:14 | return | GlobalDataFlow.cs:149:21:149:25 | call to method Out |
| GlobalDataFlow.cs:311:12:311:14 | return | GlobalDataFlow.cs:185:39:185:41 | [implicit call] delegate creation of type Func<String> |
| GlobalDataFlow.cs:313:16:313:29 | "taint source" | GlobalDataFlow.cs:311:12:311:14 | return |
| GlobalDataFlow.cs:316:28:316:28 | return (out/ref) | GlobalDataFlow.cs:152:20:152:24 | SSA def(sink7) |
| GlobalDataFlow.cs:318:13:318:26 | "taint source" | GlobalDataFlow.cs:316:28:316:28 | return (out/ref) |
| GlobalDataFlow.cs:321:28:321:28 | return (out/ref) | GlobalDataFlow.cs:155:20:155:24 | SSA def(sink8) |
| GlobalDataFlow.cs:323:13:323:26 | "taint source" | GlobalDataFlow.cs:321:28:321:28 | return (out/ref) |
| GlobalDataFlow.cs:354:41:354:41 | x | GlobalDataFlow.cs:356:11:356:11 | access to parameter x |
| GlobalDataFlow.cs:354:41:354:41 | x | GlobalDataFlow.cs:356:11:356:11 | access to parameter x |
| GlobalDataFlow.cs:356:11:356:11 | access to parameter x | GlobalDataFlow.cs:53:15:53:15 | x |
@@ -167,11 +171,12 @@ edges
| GlobalDataFlow.cs:370:11:370:11 | access to parameter x | GlobalDataFlow.cs:56:37:56:37 | x |
| GlobalDataFlow.cs:370:11:370:11 | access to parameter x | GlobalDataFlow.cs:251:26:251:35 | sinkParam5 |
| GlobalDataFlow.cs:370:11:370:11 | access to parameter x | GlobalDataFlow.cs:256:26:256:35 | sinkParam6 |
| GlobalDataFlow.cs:373:19:373:30 | return | GlobalDataFlow.cs:159:22:159:43 | call to method TaintedParam |
| GlobalDataFlow.cs:373:39:373:45 | tainted | GlobalDataFlow.cs:373:19:373:30 | return |
| GlobalDataFlow.cs:373:39:373:45 | tainted | GlobalDataFlow.cs:376:15:376:20 | access to local variable sink11 |
| GlobalDataFlow.cs:373:39:373:45 | tainted | GlobalDataFlow.cs:377:16:377:21 | access to local variable sink11 |
| GlobalDataFlow.cs:377:16:377:21 | access to local variable sink11 | GlobalDataFlow.cs:159:22:159:43 | call to method TaintedParam |
| GlobalDataFlow.cs:399:9:399:11 | value | GlobalDataFlow.cs:399:41:399:46 | access to local variable sink20 |
| GlobalDataFlow.cs:410:22:410:35 | "taint source" | GlobalDataFlow.cs:193:22:193:32 | access to property OutProperty |
| GlobalDataFlow.cs:410:9:410:11 | return | GlobalDataFlow.cs:193:22:193:32 | access to property OutProperty |
| GlobalDataFlow.cs:410:22:410:35 | "taint source" | GlobalDataFlow.cs:410:9:410:11 | return |
| Splitting.cs:3:28:3:34 | tainted | Splitting.cs:8:24:8:30 | [b (line 3): false] access to parameter tainted |
| Splitting.cs:3:28:3:34 | tainted | Splitting.cs:8:24:8:30 | [b (line 3): true] access to parameter tainted |
| Splitting.cs:8:17:8:31 | [b (line 3): false] call to method Return | Splitting.cs:9:15:9:15 | [b (line 3): false] access to local variable x |
@@ -270,6 +275,7 @@ nodes
| GlobalDataFlow.cs:156:15:156:19 | access to local variable sink8 |
| GlobalDataFlow.cs:159:22:159:43 | call to method TaintedParam |
| GlobalDataFlow.cs:160:15:160:20 | access to local variable sink23 |
| GlobalDataFlow.cs:175:29:175:48 | return |
| GlobalDataFlow.cs:175:35:175:48 | "taint source" |
| GlobalDataFlow.cs:176:21:176:26 | delegate call |
| GlobalDataFlow.cs:177:15:177:19 | access to local variable sink9 |
@@ -295,8 +301,11 @@ nodes
| GlobalDataFlow.cs:258:15:258:24 | access to parameter sinkParam6 |
| GlobalDataFlow.cs:261:26:261:35 | sinkParam7 |
| GlobalDataFlow.cs:263:15:263:24 | access to parameter sinkParam7 |
| GlobalDataFlow.cs:311:12:311:14 | return |
| GlobalDataFlow.cs:313:16:313:29 | "taint source" |
| GlobalDataFlow.cs:316:28:316:28 | return (out/ref) |
| GlobalDataFlow.cs:318:13:318:26 | "taint source" |
| GlobalDataFlow.cs:321:28:321:28 | return (out/ref) |
| GlobalDataFlow.cs:323:13:323:26 | "taint source" |
| GlobalDataFlow.cs:354:41:354:41 | x |
| GlobalDataFlow.cs:354:41:354:41 | x |
@@ -308,11 +317,12 @@ nodes
| GlobalDataFlow.cs:370:11:370:11 | access to parameter x |
| GlobalDataFlow.cs:370:11:370:11 | access to parameter x |
| GlobalDataFlow.cs:370:11:370:11 | access to parameter x |
| GlobalDataFlow.cs:373:19:373:30 | return |
| GlobalDataFlow.cs:373:39:373:45 | tainted |
| GlobalDataFlow.cs:376:15:376:20 | access to local variable sink11 |
| GlobalDataFlow.cs:377:16:377:21 | access to local variable sink11 |
| GlobalDataFlow.cs:399:9:399:11 | value |
| GlobalDataFlow.cs:399:41:399:46 | access to local variable sink20 |
| GlobalDataFlow.cs:410:9:410:11 | return |
| GlobalDataFlow.cs:410:22:410:35 | "taint source" |
| Splitting.cs:3:28:3:34 | tainted |
| Splitting.cs:8:17:8:31 | [b (line 3): false] call to method Return |

32
csharp/ql/test/library-tests/dataflow/global/TaintTrackingPath.expected
View File

@@ -161,7 +161,8 @@ edges
| GlobalDataFlow.cs:155:20:155:24 | SSA def(sink8) | GlobalDataFlow.cs:156:15:156:19 | access to local variable sink8 |
| GlobalDataFlow.cs:157:22:157:31 | call to method OutYield | GlobalDataFlow.cs:158:15:158:20 | access to local variable sink12 |
| GlobalDataFlow.cs:159:22:159:43 | call to method TaintedParam | GlobalDataFlow.cs:160:15:160:20 | access to local variable sink23 |
| GlobalDataFlow.cs:175:35:175:48 | "taint source" | GlobalDataFlow.cs:176:21:176:26 | delegate call |
| GlobalDataFlow.cs:175:29:175:48 | return | GlobalDataFlow.cs:176:21:176:26 | delegate call |
| GlobalDataFlow.cs:175:35:175:48 | "taint source" | GlobalDataFlow.cs:175:29:175:48 | return |
| GlobalDataFlow.cs:176:21:176:26 | delegate call | GlobalDataFlow.cs:177:15:177:19 | access to local variable sink9 |
| GlobalDataFlow.cs:185:39:185:41 | [implicit call] delegate creation of type Func<String> | GlobalDataFlow.cs:186:15:186:20 | access to local variable sink10 |
| GlobalDataFlow.cs:193:22:193:32 | access to property OutProperty | GlobalDataFlow.cs:194:15:194:20 | access to local variable sink19 |
@@ -195,11 +196,15 @@ edges
| GlobalDataFlow.cs:287:31:287:40 | sinkParam8 | GlobalDataFlow.cs:289:15:289:24 | access to parameter sinkParam8 |
| GlobalDataFlow.cs:293:32:293:41 | sinkParam9 | GlobalDataFlow.cs:295:15:295:24 | access to parameter sinkParam9 |
| GlobalDataFlow.cs:299:32:299:42 | sinkParam11 | GlobalDataFlow.cs:301:15:301:25 | access to parameter sinkParam11 |
| GlobalDataFlow.cs:313:16:313:29 | "taint source" | GlobalDataFlow.cs:149:21:149:25 | call to method Out |
| GlobalDataFlow.cs:313:16:313:29 | "taint source" | GlobalDataFlow.cs:185:39:185:41 | [implicit call] delegate creation of type Func<String> |
| GlobalDataFlow.cs:318:13:318:26 | "taint source" | GlobalDataFlow.cs:152:20:152:24 | SSA def(sink7) |
| GlobalDataFlow.cs:323:13:323:26 | "taint source" | GlobalDataFlow.cs:155:20:155:24 | SSA def(sink8) |
| GlobalDataFlow.cs:329:22:329:35 | "taint source" | GlobalDataFlow.cs:157:22:157:31 | call to method OutYield |
| GlobalDataFlow.cs:311:12:311:14 | return | GlobalDataFlow.cs:149:21:149:25 | call to method Out |
| GlobalDataFlow.cs:311:12:311:14 | return | GlobalDataFlow.cs:185:39:185:41 | [implicit call] delegate creation of type Func<String> |
| GlobalDataFlow.cs:313:16:313:29 | "taint source" | GlobalDataFlow.cs:311:12:311:14 | return |
| GlobalDataFlow.cs:316:28:316:28 | return (out/ref) | GlobalDataFlow.cs:152:20:152:24 | SSA def(sink7) |
| GlobalDataFlow.cs:318:13:318:26 | "taint source" | GlobalDataFlow.cs:316:28:316:28 | return (out/ref) |
| GlobalDataFlow.cs:321:28:321:28 | return (out/ref) | GlobalDataFlow.cs:155:20:155:24 | SSA def(sink8) |
| GlobalDataFlow.cs:323:13:323:26 | "taint source" | GlobalDataFlow.cs:321:28:321:28 | return (out/ref) |
| GlobalDataFlow.cs:326:25:326:32 | yield return | GlobalDataFlow.cs:157:22:157:31 | call to method OutYield |
| GlobalDataFlow.cs:329:22:329:35 | "taint source" | GlobalDataFlow.cs:326:25:326:32 | yield return |
| GlobalDataFlow.cs:354:41:354:41 | x | GlobalDataFlow.cs:356:11:356:11 | access to parameter x |
| GlobalDataFlow.cs:354:41:354:41 | x | GlobalDataFlow.cs:356:11:356:11 | access to parameter x |
| GlobalDataFlow.cs:356:11:356:11 | access to parameter x | GlobalDataFlow.cs:53:15:53:15 | x |
@@ -210,11 +215,12 @@ edges
| GlobalDataFlow.cs:370:11:370:11 | access to parameter x | GlobalDataFlow.cs:56:37:56:37 | x |
| GlobalDataFlow.cs:370:11:370:11 | access to parameter x | GlobalDataFlow.cs:251:26:251:35 | sinkParam5 |
| GlobalDataFlow.cs:370:11:370:11 | access to parameter x | GlobalDataFlow.cs:256:26:256:35 | sinkParam6 |
| GlobalDataFlow.cs:373:19:373:30 | return | GlobalDataFlow.cs:159:22:159:43 | call to method TaintedParam |
| GlobalDataFlow.cs:373:39:373:45 | tainted | GlobalDataFlow.cs:373:19:373:30 | return |
| GlobalDataFlow.cs:373:39:373:45 | tainted | GlobalDataFlow.cs:376:15:376:20 | access to local variable sink11 |
| GlobalDataFlow.cs:373:39:373:45 | tainted | GlobalDataFlow.cs:377:16:377:21 | access to local variable sink11 |
| GlobalDataFlow.cs:377:16:377:21 | access to local variable sink11 | GlobalDataFlow.cs:159:22:159:43 | call to method TaintedParam |
| GlobalDataFlow.cs:399:9:399:11 | value | GlobalDataFlow.cs:399:41:399:46 | access to local variable sink20 |
| GlobalDataFlow.cs:410:22:410:35 | "taint source" | GlobalDataFlow.cs:193:22:193:32 | access to property OutProperty |
| GlobalDataFlow.cs:410:9:410:11 | return | GlobalDataFlow.cs:193:22:193:32 | access to property OutProperty |
| GlobalDataFlow.cs:410:22:410:35 | "taint source" | GlobalDataFlow.cs:410:9:410:11 | return |
| Splitting.cs:3:28:3:34 | tainted | Splitting.cs:8:24:8:30 | [b (line 3): false] access to parameter tainted |
| Splitting.cs:3:28:3:34 | tainted | Splitting.cs:8:24:8:30 | [b (line 3): true] access to parameter tainted |
| Splitting.cs:8:17:8:31 | [b (line 3): false] call to method Return | Splitting.cs:9:15:9:15 | [b (line 3): false] access to local variable x |
@@ -337,6 +343,7 @@ nodes
| GlobalDataFlow.cs:158:15:158:20 | access to local variable sink12 |
| GlobalDataFlow.cs:159:22:159:43 | call to method TaintedParam |
| GlobalDataFlow.cs:160:15:160:20 | access to local variable sink23 |
| GlobalDataFlow.cs:175:29:175:48 | return |
| GlobalDataFlow.cs:175:35:175:48 | "taint source" |
| GlobalDataFlow.cs:176:21:176:26 | delegate call |
| GlobalDataFlow.cs:177:15:177:19 | access to local variable sink9 |
@@ -382,9 +389,13 @@ nodes
| GlobalDataFlow.cs:295:15:295:24 | access to parameter sinkParam9 |
| GlobalDataFlow.cs:299:32:299:42 | sinkParam11 |
| GlobalDataFlow.cs:301:15:301:25 | access to parameter sinkParam11 |
| GlobalDataFlow.cs:311:12:311:14 | return |
| GlobalDataFlow.cs:313:16:313:29 | "taint source" |
| GlobalDataFlow.cs:316:28:316:28 | return (out/ref) |
| GlobalDataFlow.cs:318:13:318:26 | "taint source" |
| GlobalDataFlow.cs:321:28:321:28 | return (out/ref) |
| GlobalDataFlow.cs:323:13:323:26 | "taint source" |
| GlobalDataFlow.cs:326:25:326:32 | yield return |
| GlobalDataFlow.cs:329:22:329:35 | "taint source" |
| GlobalDataFlow.cs:354:41:354:41 | x |
| GlobalDataFlow.cs:354:41:354:41 | x |
@@ -396,11 +407,12 @@ nodes
| GlobalDataFlow.cs:370:11:370:11 | access to parameter x |
| GlobalDataFlow.cs:370:11:370:11 | access to parameter x |
| GlobalDataFlow.cs:370:11:370:11 | access to parameter x |
| GlobalDataFlow.cs:373:19:373:30 | return |
| GlobalDataFlow.cs:373:39:373:45 | tainted |
| GlobalDataFlow.cs:376:15:376:20 | access to local variable sink11 |
| GlobalDataFlow.cs:377:16:377:21 | access to local variable sink11 |
| GlobalDataFlow.cs:399:9:399:11 | value |
| GlobalDataFlow.cs:399:41:399:46 | access to local variable sink20 |
| GlobalDataFlow.cs:410:9:410:11 | return |
| GlobalDataFlow.cs:410:22:410:35 | "taint source" |
| Splitting.cs:3:28:3:34 | tainted |
| Splitting.cs:8:17:8:31 | [b (line 3): false] call to method Return |

16
csharp/ql/test/library-tests/dataflow/local/DataFlowStep.expected
View File

@@ -14,6 +14,11 @@
| Capture.cs:58:21:58:21 | 1 | Capture.cs:58:17:58:21 | SSA def(i) |
| Capture.cs:61:17:61:17 | 1 | Capture.cs:61:13:61:17 | SSA def(i) |
| Capture.cs:63:9:63:17 | SSA call def(i) | Capture.cs:64:13:64:13 | access to local variable i |
| LocalDataFlow.cs:16:55:16:58 | null | LocalDataFlow.cs:16:42:16:44 | return |
| LocalDataFlow.cs:18:63:18:66 | null | LocalDataFlow.cs:18:50:18:52 | return |
| LocalDataFlow.cs:20:59:20:62 | null | LocalDataFlow.cs:20:46:20:48 | return |
| LocalDataFlow.cs:22:45:22:48 | null | LocalDataFlow.cs:22:32:22:34 | return |
| LocalDataFlow.cs:24:39:24:42 | null | LocalDataFlow.cs:24:26:24:28 | return |
| LocalDataFlow.cs:49:30:49:30 | b | LocalDataFlow.cs:96:21:96:21 | access to parameter b |
| LocalDataFlow.cs:52:13:52:34 | SSA def(sink0) | LocalDataFlow.cs:53:15:53:19 | access to local variable sink0 |
| LocalDataFlow.cs:52:21:52:34 | "taint source" | LocalDataFlow.cs:52:13:52:34 | SSA def(sink0) |
@@ -107,12 +112,14 @@
| LocalDataFlow.cs:136:22:136:55 | call to method First | LocalDataFlow.cs:136:13:136:55 | SSA def(sink14) |
| LocalDataFlow.cs:136:35:136:35 | x | LocalDataFlow.cs:136:40:136:40 | access to parameter x |
| LocalDataFlow.cs:136:40:136:40 | access to parameter x | LocalDataFlow.cs:136:40:136:46 | access to property Value |
| LocalDataFlow.cs:136:40:136:54 | ... != ... | LocalDataFlow.cs:136:35:136:54 | return |
| LocalDataFlow.cs:140:9:140:55 | SSA def(nonSink3) | LocalDataFlow.cs:206:33:206:40 | access to local variable nonSink3 |
| LocalDataFlow.cs:140:20:140:27 | access to local variable nonSink1 | LocalDataFlow.cs:141:15:141:22 | access to local variable nonSink1 |
| LocalDataFlow.cs:140:20:140:55 | (...) ... | LocalDataFlow.cs:140:9:140:55 | SSA def(nonSink3) |
| LocalDataFlow.cs:140:20:140:55 | call to method First | LocalDataFlow.cs:140:20:140:55 | (...) ... |
| LocalDataFlow.cs:140:35:140:35 | x | LocalDataFlow.cs:140:40:140:40 | access to parameter x |
| LocalDataFlow.cs:140:40:140:40 | access to parameter x | LocalDataFlow.cs:140:40:140:46 | access to property Value |
| LocalDataFlow.cs:140:40:140:54 | ... != ... | LocalDataFlow.cs:140:35:140:54 | return |
| LocalDataFlow.cs:141:15:141:22 | access to local variable nonSink1 | LocalDataFlow.cs:214:20:214:27 | access to local variable nonSink1 |
| LocalDataFlow.cs:144:13:144:39 | SSA def(sink15) | LocalDataFlow.cs:145:15:145:20 | access to local variable sink15 |
| LocalDataFlow.cs:144:22:144:39 | call to method Parse | LocalDataFlow.cs:144:13:144:39 | SSA def(sink15) |
@@ -310,6 +317,7 @@
| LocalDataFlow.cs:303:13:303:59 | SSA def(sink42) | LocalDataFlow.cs:304:15:304:20 | access to local variable sink42 |
| LocalDataFlow.cs:303:22:303:59 | object creation of type Lazy<String> | LocalDataFlow.cs:303:13:303:59 | SSA def(sink42) |
| LocalDataFlow.cs:303:39:303:58 | [implicit call] (...) => ... | LocalDataFlow.cs:303:22:303:59 | object creation of type Lazy<String> |
| LocalDataFlow.cs:303:45:303:58 | "taint source" | LocalDataFlow.cs:303:39:303:58 | return |
| LocalDataFlow.cs:304:15:304:20 | access to local variable sink42 | LocalDataFlow.cs:305:22:305:27 | access to local variable sink42 |
| LocalDataFlow.cs:305:13:305:33 | SSA def(sink43) | LocalDataFlow.cs:306:15:306:20 | access to local variable sink43 |
| LocalDataFlow.cs:305:22:305:27 | access to local variable sink42 | LocalDataFlow.cs:305:22:305:33 | access to property Value |
@@ -324,6 +332,7 @@
| LocalDataFlow.cs:313:9:313:46 | SSA def(nonSink12) | LocalDataFlow.cs:314:15:314:23 | access to local variable nonSink12 |
| LocalDataFlow.cs:313:21:313:46 | object creation of type Lazy<String> | LocalDataFlow.cs:313:9:313:46 | SSA def(nonSink12) |
| LocalDataFlow.cs:313:38:313:45 | [implicit call] (...) => ... | LocalDataFlow.cs:313:21:313:46 | object creation of type Lazy<String> |
| LocalDataFlow.cs:313:44:313:45 | "" | LocalDataFlow.cs:313:38:313:45 | return |
| LocalDataFlow.cs:314:15:314:23 | access to local variable nonSink12 | LocalDataFlow.cs:315:20:315:28 | access to local variable nonSink12 |
| LocalDataFlow.cs:315:9:315:34 | SSA def(nonSink0) | LocalDataFlow.cs:316:15:316:22 | access to local variable nonSink0 |
| LocalDataFlow.cs:315:20:315:28 | access to local variable nonSink12 | LocalDataFlow.cs:315:20:315:34 | access to property Value |
@@ -418,6 +427,7 @@
| LocalDataFlow.cs:391:13:391:51 | SSA def(sink67) | LocalDataFlow.cs:392:15:392:20 | access to local variable sink67 |
| LocalDataFlow.cs:391:22:391:51 | call to method Run | LocalDataFlow.cs:391:13:391:51 | SSA def(sink67) |
| LocalDataFlow.cs:391:31:391:50 | [implicit call] (...) => ... | LocalDataFlow.cs:391:22:391:51 | call to method Run |
| LocalDataFlow.cs:391:37:391:50 | "taint source" | LocalDataFlow.cs:391:31:391:50 | return |
| LocalDataFlow.cs:392:15:392:20 | access to local variable sink67 | LocalDataFlow.cs:393:28:393:33 | access to local variable sink67 |
| LocalDataFlow.cs:393:13:393:33 | SSA def(sink68) | LocalDataFlow.cs:394:15:394:20 | access to local variable sink68 |
| LocalDataFlow.cs:393:22:393:33 | await ... | LocalDataFlow.cs:393:13:393:33 | SSA def(sink68) |
@@ -425,6 +435,7 @@
| LocalDataFlow.cs:397:13:397:42 | SSA def(nonSink21) | LocalDataFlow.cs:398:15:398:23 | access to local variable nonSink21 |
| LocalDataFlow.cs:397:25:397:42 | call to method Run | LocalDataFlow.cs:397:13:397:42 | SSA def(nonSink21) |
| LocalDataFlow.cs:397:34:397:41 | [implicit call] (...) => ... | LocalDataFlow.cs:397:25:397:42 | call to method Run |
| LocalDataFlow.cs:397:40:397:41 | "" | LocalDataFlow.cs:397:34:397:41 | return |
| LocalDataFlow.cs:398:15:398:23 | access to local variable nonSink21 | LocalDataFlow.cs:399:26:399:34 | access to local variable nonSink21 |
| LocalDataFlow.cs:399:9:399:34 | SSA def(nonSink0) | LocalDataFlow.cs:400:15:400:22 | access to local variable nonSink0 |
| LocalDataFlow.cs:399:20:399:34 | await ... | LocalDataFlow.cs:399:9:399:34 | SSA def(nonSink0) |
@@ -453,6 +464,9 @@
| LocalDataFlow.cs:429:18:429:30 | SSA def(sink72) | LocalDataFlow.cs:430:23:430:28 | access to local variable sink72 |
| LocalDataFlow.cs:435:17:435:24 | access to local variable nonSink0 | LocalDataFlow.cs:437:18:437:33 | SSA def(nonSink17) |
| LocalDataFlow.cs:437:18:437:33 | SSA def(nonSink17) | LocalDataFlow.cs:438:23:438:31 | access to local variable nonSink17 |
| LocalDataFlow.cs:447:37:447:38 | "" | LocalDataFlow.cs:447:12:447:24 | return |
| LocalDataFlow.cs:449:40:449:41 | "" | LocalDataFlow.cs:449:12:449:27 | return |
| LocalDataFlow.cs:458:41:458:45 | access to field anInt | LocalDataFlow.cs:458:28:458:30 | return |
| LocalDataFlow.cs:458:50:458:52 | value | LocalDataFlow.cs:458:64:458:68 | access to parameter value |
| LocalDataFlow.cs:464:41:464:47 | tainted | LocalDataFlow.cs:466:15:466:21 | access to parameter tainted |
| LocalDataFlow.cs:469:44:469:53 | nonTainted | LocalDataFlow.cs:471:15:471:24 | access to parameter nonTainted |
@@ -624,8 +638,10 @@
| SSA.cs:146:13:146:13 | access to parameter t | SSA.cs:146:13:146:13 | (...) ... |
| SSA.cs:146:13:146:13 | access to parameter t | SSA.cs:149:17:149:17 | access to parameter t |
| SSA.cs:147:13:147:26 | SSA def(t) | SSA.cs:144:17:144:26 | SSA phi(t) |
| SSA.cs:147:17:147:26 | default(...) | SSA.cs:144:34:144:34 | return (out/ref) |
| SSA.cs:147:17:147:26 | default(...) | SSA.cs:147:13:147:26 | SSA def(t) |
| SSA.cs:149:13:149:17 | SSA def(t) | SSA.cs:144:17:144:26 | SSA phi(t) |
| SSA.cs:149:17:149:17 | access to parameter t | SSA.cs:144:34:144:34 | return (out/ref) |
| SSA.cs:149:17:149:17 | access to parameter t | SSA.cs:149:13:149:17 | SSA def(t) |
| SSA.cs:152:36:152:36 | t | SSA.cs:154:13:154:13 | access to parameter t |
| SSA.cs:154:13:154:13 | access to parameter t | SSA.cs:152:17:152:28 | SSA phi(t) |

16
csharp/ql/test/library-tests/dataflow/local/TaintTrackingStep.expected
View File

@@ -14,6 +14,11 @@
| Capture.cs:58:21:58:21 | 1 | Capture.cs:58:17:58:21 | SSA def(i) |
| Capture.cs:61:17:61:17 | 1 | Capture.cs:61:13:61:17 | SSA def(i) |
| Capture.cs:63:9:63:17 | SSA call def(i) | Capture.cs:64:13:64:13 | access to local variable i |
| LocalDataFlow.cs:16:55:16:58 | null | LocalDataFlow.cs:16:42:16:44 | return |
| LocalDataFlow.cs:18:63:18:66 | null | LocalDataFlow.cs:18:50:18:52 | return |
| LocalDataFlow.cs:20:59:20:62 | null | LocalDataFlow.cs:20:46:20:48 | return |
| LocalDataFlow.cs:22:45:22:48 | null | LocalDataFlow.cs:22:32:22:34 | return |
| LocalDataFlow.cs:24:39:24:42 | null | LocalDataFlow.cs:24:26:24:28 | return |
| LocalDataFlow.cs:49:30:49:30 | b | LocalDataFlow.cs:96:21:96:21 | access to parameter b |
| LocalDataFlow.cs:52:13:52:34 | SSA def(sink0) | LocalDataFlow.cs:53:15:53:19 | access to local variable sink0 |
| LocalDataFlow.cs:52:21:52:34 | "taint source" | LocalDataFlow.cs:52:13:52:34 | SSA def(sink0) |
@@ -131,6 +136,7 @@
| LocalDataFlow.cs:136:35:136:35 | x | LocalDataFlow.cs:136:40:136:40 | access to parameter x |
| LocalDataFlow.cs:136:40:136:40 | access to parameter x | LocalDataFlow.cs:136:40:136:46 | access to property Value |
| LocalDataFlow.cs:136:40:136:46 | access to property Value | LocalDataFlow.cs:136:40:136:54 | ... != ... |
| LocalDataFlow.cs:136:40:136:54 | ... != ... | LocalDataFlow.cs:136:35:136:54 | return |
| LocalDataFlow.cs:140:9:140:55 | SSA def(nonSink3) | LocalDataFlow.cs:206:33:206:40 | access to local variable nonSink3 |
| LocalDataFlow.cs:140:20:140:27 | access to local variable nonSink1 | LocalDataFlow.cs:140:20:140:55 | call to method First |
| LocalDataFlow.cs:140:20:140:27 | access to local variable nonSink1 | LocalDataFlow.cs:141:15:141:22 | access to local variable nonSink1 |
@@ -139,6 +145,7 @@
| LocalDataFlow.cs:140:35:140:35 | x | LocalDataFlow.cs:140:40:140:40 | access to parameter x |
| LocalDataFlow.cs:140:40:140:40 | access to parameter x | LocalDataFlow.cs:140:40:140:46 | access to property Value |
| LocalDataFlow.cs:140:40:140:46 | access to property Value | LocalDataFlow.cs:140:40:140:54 | ... != ... |
| LocalDataFlow.cs:140:40:140:54 | ... != ... | LocalDataFlow.cs:140:35:140:54 | return |
| LocalDataFlow.cs:141:15:141:22 | access to local variable nonSink1 | LocalDataFlow.cs:214:20:214:27 | access to local variable nonSink1 |
| LocalDataFlow.cs:144:13:144:39 | SSA def(sink15) | LocalDataFlow.cs:145:15:145:20 | access to local variable sink15 |
| LocalDataFlow.cs:144:22:144:39 | call to method Parse | LocalDataFlow.cs:144:13:144:39 | SSA def(sink15) |
@@ -426,6 +433,7 @@
| LocalDataFlow.cs:303:13:303:59 | SSA def(sink42) | LocalDataFlow.cs:304:15:304:20 | access to local variable sink42 |
| LocalDataFlow.cs:303:22:303:59 | object creation of type Lazy<String> | LocalDataFlow.cs:303:13:303:59 | SSA def(sink42) |
| LocalDataFlow.cs:303:39:303:58 | [implicit call] (...) => ... | LocalDataFlow.cs:303:22:303:59 | object creation of type Lazy<String> |
| LocalDataFlow.cs:303:45:303:58 | "taint source" | LocalDataFlow.cs:303:39:303:58 | return |
| LocalDataFlow.cs:304:15:304:20 | access to local variable sink42 | LocalDataFlow.cs:305:22:305:27 | access to local variable sink42 |
| LocalDataFlow.cs:305:13:305:33 | SSA def(sink43) | LocalDataFlow.cs:306:15:306:20 | access to local variable sink43 |
| LocalDataFlow.cs:305:22:305:27 | access to local variable sink42 | LocalDataFlow.cs:305:22:305:33 | access to property Value |
@@ -440,6 +448,7 @@
| LocalDataFlow.cs:313:9:313:46 | SSA def(nonSink12) | LocalDataFlow.cs:314:15:314:23 | access to local variable nonSink12 |
| LocalDataFlow.cs:313:21:313:46 | object creation of type Lazy<String> | LocalDataFlow.cs:313:9:313:46 | SSA def(nonSink12) |
| LocalDataFlow.cs:313:38:313:45 | [implicit call] (...) => ... | LocalDataFlow.cs:313:21:313:46 | object creation of type Lazy<String> |
| LocalDataFlow.cs:313:44:313:45 | "" | LocalDataFlow.cs:313:38:313:45 | return |
| LocalDataFlow.cs:314:15:314:23 | access to local variable nonSink12 | LocalDataFlow.cs:315:20:315:28 | access to local variable nonSink12 |
| LocalDataFlow.cs:315:9:315:34 | SSA def(nonSink0) | LocalDataFlow.cs:316:15:316:22 | access to local variable nonSink0 |
| LocalDataFlow.cs:315:20:315:28 | access to local variable nonSink12 | LocalDataFlow.cs:315:20:315:34 | access to property Value |
@@ -556,6 +565,7 @@
| LocalDataFlow.cs:391:13:391:51 | SSA def(sink67) | LocalDataFlow.cs:392:15:392:20 | access to local variable sink67 |
| LocalDataFlow.cs:391:22:391:51 | call to method Run | LocalDataFlow.cs:391:13:391:51 | SSA def(sink67) |
| LocalDataFlow.cs:391:31:391:50 | [implicit call] (...) => ... | LocalDataFlow.cs:391:22:391:51 | call to method Run |
| LocalDataFlow.cs:391:37:391:50 | "taint source" | LocalDataFlow.cs:391:31:391:50 | return |
| LocalDataFlow.cs:392:15:392:20 | access to local variable sink67 | LocalDataFlow.cs:393:28:393:33 | access to local variable sink67 |
| LocalDataFlow.cs:393:13:393:33 | SSA def(sink68) | LocalDataFlow.cs:394:15:394:20 | access to local variable sink68 |
| LocalDataFlow.cs:393:22:393:33 | await ... | LocalDataFlow.cs:393:13:393:33 | SSA def(sink68) |
@@ -563,6 +573,7 @@
| LocalDataFlow.cs:397:13:397:42 | SSA def(nonSink21) | LocalDataFlow.cs:398:15:398:23 | access to local variable nonSink21 |
| LocalDataFlow.cs:397:25:397:42 | call to method Run | LocalDataFlow.cs:397:13:397:42 | SSA def(nonSink21) |
| LocalDataFlow.cs:397:34:397:41 | [implicit call] (...) => ... | LocalDataFlow.cs:397:25:397:42 | call to method Run |
| LocalDataFlow.cs:397:40:397:41 | "" | LocalDataFlow.cs:397:34:397:41 | return |
| LocalDataFlow.cs:398:15:398:23 | access to local variable nonSink21 | LocalDataFlow.cs:399:26:399:34 | access to local variable nonSink21 |
| LocalDataFlow.cs:399:9:399:34 | SSA def(nonSink0) | LocalDataFlow.cs:400:15:400:22 | access to local variable nonSink0 |
| LocalDataFlow.cs:399:20:399:34 | await ... | LocalDataFlow.cs:399:9:399:34 | SSA def(nonSink0) |
@@ -595,6 +606,9 @@
| LocalDataFlow.cs:429:18:429:30 | SSA def(sink72) | LocalDataFlow.cs:430:23:430:28 | access to local variable sink72 |
| LocalDataFlow.cs:435:17:435:24 | access to local variable nonSink0 | LocalDataFlow.cs:437:18:437:33 | SSA def(nonSink17) |
| LocalDataFlow.cs:437:18:437:33 | SSA def(nonSink17) | LocalDataFlow.cs:438:23:438:31 | access to local variable nonSink17 |
| LocalDataFlow.cs:447:37:447:38 | "" | LocalDataFlow.cs:447:12:447:24 | return |
| LocalDataFlow.cs:449:40:449:41 | "" | LocalDataFlow.cs:449:12:449:27 | return |
| LocalDataFlow.cs:458:41:458:45 | access to field anInt | LocalDataFlow.cs:458:28:458:30 | return |
| LocalDataFlow.cs:458:50:458:52 | value | LocalDataFlow.cs:458:64:458:68 | access to parameter value |
| LocalDataFlow.cs:464:41:464:47 | tainted | LocalDataFlow.cs:466:15:466:21 | access to parameter tainted |
| LocalDataFlow.cs:469:44:469:53 | nonTainted | LocalDataFlow.cs:471:15:471:24 | access to parameter nonTainted |
@@ -781,8 +795,10 @@
| SSA.cs:146:13:146:13 | access to parameter t | SSA.cs:146:13:146:13 | (...) ... |
| SSA.cs:146:13:146:13 | access to parameter t | SSA.cs:149:17:149:17 | access to parameter t |
| SSA.cs:147:13:147:26 | SSA def(t) | SSA.cs:144:17:144:26 | SSA phi(t) |
| SSA.cs:147:17:147:26 | default(...) | SSA.cs:144:34:144:34 | return (out/ref) |
| SSA.cs:147:17:147:26 | default(...) | SSA.cs:147:13:147:26 | SSA def(t) |
| SSA.cs:149:13:149:17 | SSA def(t) | SSA.cs:144:17:144:26 | SSA phi(t) |
| SSA.cs:149:17:149:17 | access to parameter t | SSA.cs:144:34:144:34 | return (out/ref) |
| SSA.cs:149:17:149:17 | access to parameter t | SSA.cs:149:13:149:17 | SSA def(t) |
| SSA.cs:152:36:152:36 | t | SSA.cs:154:13:154:13 | access to parameter t |
| SSA.cs:154:13:154:13 | (...) ... | SSA.cs:154:13:154:21 | ... == ... |

17
csharp/ql/test/query-tests/Security Features/CWE-338/InsecureRandomness.expected
View File

@@ -1,23 +1,30 @@
edges
| InsecureRandomness.cs:21:26:21:45 | return | InsecureRandomness.cs:12:27:12:50 | call to method InsecureRandomString |
| InsecureRandomness.cs:28:29:28:43 | call to method Next | InsecureRandomness.cs:21:26:21:45 | return |
| InsecureRandomness.cs:28:29:28:43 | call to method Next | InsecureRandomness.cs:29:27:29:61 | call to method GetString |
| InsecureRandomness.cs:28:29:28:43 | call to method Next | InsecureRandomness.cs:31:16:31:32 | call to method ToString |
| InsecureRandomness.cs:29:27:29:61 | call to method GetString | InsecureRandomness.cs:21:26:21:45 | return |
| InsecureRandomness.cs:29:27:29:61 | call to method GetString | InsecureRandomness.cs:31:16:31:32 | call to method ToString |
| InsecureRandomness.cs:31:16:31:32 | call to method ToString | InsecureRandomness.cs:12:27:12:50 | call to method InsecureRandomString |
| InsecureRandomness.cs:31:16:31:32 | call to method ToString | InsecureRandomness.cs:21:26:21:45 | return |
| InsecureRandomness.cs:53:26:53:58 | return | InsecureRandomness.cs:13:20:13:56 | call to method InsecureRandomStringFromSelection |
| InsecureRandomness.cs:60:31:60:39 | call to method Next | InsecureRandomness.cs:53:26:53:58 | return |
| InsecureRandomness.cs:60:31:60:39 | call to method Next | InsecureRandomness.cs:62:16:62:32 | call to method ToString |
| InsecureRandomness.cs:62:16:62:32 | call to method ToString | InsecureRandomness.cs:13:20:13:56 | call to method InsecureRandomStringFromSelection |
| InsecureRandomness.cs:72:31:72:39 | call to method Next | InsecureRandomness.cs:74:16:74:21 | access to local variable result |
| InsecureRandomness.cs:74:16:74:21 | access to local variable result | InsecureRandomness.cs:14:20:14:54 | call to method InsecureRandomStringFromIndexer |
| InsecureRandomness.cs:62:16:62:32 | call to method ToString | InsecureRandomness.cs:53:26:53:58 | return |
| InsecureRandomness.cs:65:26:65:56 | return | InsecureRandomness.cs:14:20:14:54 | call to method InsecureRandomStringFromIndexer |
| InsecureRandomness.cs:72:31:72:39 | call to method Next | InsecureRandomness.cs:65:26:65:56 | return |
nodes
| InsecureRandomness.cs:12:27:12:50 | call to method InsecureRandomString |
| InsecureRandomness.cs:13:20:13:56 | call to method InsecureRandomStringFromSelection |
| InsecureRandomness.cs:14:20:14:54 | call to method InsecureRandomStringFromIndexer |
| InsecureRandomness.cs:21:26:21:45 | return |
| InsecureRandomness.cs:28:29:28:43 | call to method Next |
| InsecureRandomness.cs:29:27:29:61 | call to method GetString |
| InsecureRandomness.cs:31:16:31:32 | call to method ToString |
| InsecureRandomness.cs:53:26:53:58 | return |
| InsecureRandomness.cs:60:31:60:39 | call to method Next |
| InsecureRandomness.cs:62:16:62:32 | call to method ToString |
| InsecureRandomness.cs:65:26:65:56 | return |
| InsecureRandomness.cs:72:31:72:39 | call to method Next |
| InsecureRandomness.cs:74:16:74:21 | access to local variable result |
#select
| InsecureRandomness.cs:12:27:12:50 | call to method InsecureRandomString | InsecureRandomness.cs:28:29:28:43 | call to method Next | InsecureRandomness.cs:12:27:12:50 | call to method InsecureRandomString | Cryptographically insecure random number is generated at $@ and used here in a security context. | InsecureRandomness.cs:28:29:28:43 | call to method Next | call to method Next |
| InsecureRandomness.cs:13:20:13:56 | call to method InsecureRandomStringFromSelection | InsecureRandomness.cs:60:31:60:39 | call to method Next | InsecureRandomness.cs:13:20:13:56 | call to method InsecureRandomStringFromSelection | Cryptographically insecure random number is generated at $@ and used here in a security context. | InsecureRandomness.cs:60:31:60:39 | call to method Next | call to method Next |

4
csharp/ql/test/query-tests/Security Features/CWE-838/InappropriateEncoding.expected
View File

@@ -6,7 +6,8 @@ edges
| InappropriateEncoding.cs:36:28:36:55 | call to method UrlEncode | InappropriateEncoding.cs:38:22:38:59 | ... + ... |
| InappropriateEncoding.cs:36:28:36:55 | call to method UrlEncode | InappropriateEncoding.cs:39:22:39:71 | call to method Format |
| InappropriateEncoding.cs:57:28:57:56 | call to method HtmlEncode | InappropriateEncoding.cs:58:31:58:42 | access to local variable encodedValue |
| InappropriateEncoding.cs:68:16:68:42 | call to method Replace | InappropriateEncoding.cs:15:28:15:40 | call to method Encode |
| InappropriateEncoding.cs:66:19:66:24 | return | InappropriateEncoding.cs:15:28:15:40 | call to method Encode |
| InappropriateEncoding.cs:68:16:68:42 | call to method Replace | InappropriateEncoding.cs:66:19:66:24 | return |
| SqlEncode.cs:16:62:16:87 | call to method Replace | SqlEncode.cs:17:46:17:50 | access to local variable query |
| UrlEncode.cs:12:43:12:69 | call to method HtmlEncode | UrlEncode.cs:12:31:12:69 | ... + ... |
nodes
@@ -25,6 +26,7 @@ nodes
| InappropriateEncoding.cs:39:22:39:71 | call to method Format |
| InappropriateEncoding.cs:57:28:57:56 | call to method HtmlEncode |
| InappropriateEncoding.cs:58:31:58:42 | access to local variable encodedValue |
| InappropriateEncoding.cs:66:19:66:24 | return |
| InappropriateEncoding.cs:68:16:68:42 | call to method Replace |
| SqlEncode.cs:16:62:16:87 | call to method Replace |
| SqlEncode.cs:17:46:17:50 | access to local variable query |