Modify test cases

csharp/ql/test/query-tests/Security Features/CWE-078/CommandInjection.cs

@@ -1,4 +1,6 @@
 using System;
+using System.Data.SqlClient;
+using System.Diagnostics;
 
 namespace System.Web.UI.WebControls
 {
@@ -34,5 +36,22 @@ namespace Test
             startInfoProps.WorkingDirectory = userInput;
             Process.Start(startInfoProps);
         }
+
+        public void StoredCommandInjection()
+        {
+            using (SqlConnection connection = new SqlConnection(""))
+            {
+                connection.Open();
+                SqlCommand customerCommand = new SqlCommand("SELECT * FROM customers", connection);
+                SqlDataReader customerReader = customerCommand.ExecuteReader();
+
+                while (customerReader.Read())
+                {
+                    // BAD: Read from database, and use it to directly execute a command
+                    Process.Start("foo.exe", "/c " + customerReader.GetString(1));
+                }
+                customerReader.Close();
+            }
+        }
     }
 }

csharp/ql/test/query-tests/Security Features/CWE-078/CommandInjection.expected

@@ -1,4 +1,5 @@
 edges
+<<<<<<< HEAD
 | CommandInjection.cs:25:20:25:28 | access to local variable userInput : String | CommandInjection.cs:26:27:26:47 | ... + ... | provenance |  |
 | CommandInjection.cs:25:20:25:28 | access to local variable userInput : String | CommandInjection.cs:26:50:26:66 | ... + ... | provenance |  |
 | CommandInjection.cs:25:20:25:28 | access to local variable userInput : String | CommandInjection.cs:28:63:28:71 | access to local variable userInput | provenance |  |
@@ -42,18 +43,63 @@ nodes
 | CommandInjection.cs:33:13:33:26 | [post] access to local variable startInfoProps : ProcessStartInfo | semmle.label | [post] access to local variable startInfoProps : ProcessStartInfo |
 | CommandInjection.cs:33:40:33:48 | access to local variable userInput | semmle.label | access to local variable userInput |
 | CommandInjection.cs:33:40:33:48 | access to local variable userInput : String | semmle.label | access to local variable userInput : String |
+=======
+| CommandInjection.cs:27:32:27:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:27:32:27:51 | access to property Text : String | provenance |  |
+| CommandInjection.cs:27:32:27:51 | access to property Text : String | CommandInjection.cs:28:27:28:47 | ... + ... | provenance |  |
+| CommandInjection.cs:27:32:27:51 | access to property Text : String | CommandInjection.cs:28:50:28:66 | ... + ... | provenance |  |
+| CommandInjection.cs:27:32:27:51 | access to property Text : String | CommandInjection.cs:30:63:30:71 | access to local variable userInput | provenance |  |
+| CommandInjection.cs:27:32:27:51 | access to property Text : String | CommandInjection.cs:30:63:30:71 | access to local variable userInput : String | provenance |  |
+| CommandInjection.cs:27:32:27:51 | access to property Text : String | CommandInjection.cs:30:74:30:82 | access to local variable userInput | provenance |  |
+| CommandInjection.cs:27:32:27:51 | access to property Text : String | CommandInjection.cs:30:74:30:82 | access to local variable userInput : String | provenance |  |
+| CommandInjection.cs:27:32:27:51 | access to property Text : String | CommandInjection.cs:34:39:34:47 | access to local variable userInput | provenance |  |
+| CommandInjection.cs:27:32:27:51 | access to property Text : String | CommandInjection.cs:34:39:34:47 | access to local variable userInput : String | provenance |  |
+| CommandInjection.cs:27:32:27:51 | access to property Text : String | CommandInjection.cs:35:40:35:48 | access to local variable userInput | provenance |  |
+| CommandInjection.cs:27:32:27:51 | access to property Text : String | CommandInjection.cs:35:40:35:48 | access to local variable userInput : String | provenance |  |
+| CommandInjection.cs:27:32:27:51 | access to property Text : String | CommandInjection.cs:36:47:36:55 | access to local variable userInput | provenance |  |
+| CommandInjection.cs:27:32:27:51 | access to property Text : String | CommandInjection.cs:36:47:36:55 | access to local variable userInput : String | provenance |  |
+| CommandInjection.cs:30:42:30:83 | object creation of type ProcessStartInfo : ProcessStartInfo | CommandInjection.cs:31:27:31:35 | access to local variable startInfo | provenance |  |
+| CommandInjection.cs:30:63:30:71 | access to local variable userInput : String | CommandInjection.cs:30:42:30:83 | object creation of type ProcessStartInfo : ProcessStartInfo | provenance |  |
+| CommandInjection.cs:30:74:30:82 | access to local variable userInput : String | CommandInjection.cs:30:42:30:83 | object creation of type ProcessStartInfo : ProcessStartInfo | provenance |  |
+| CommandInjection.cs:34:13:34:26 | [post] access to local variable startInfoProps : ProcessStartInfo | CommandInjection.cs:37:27:37:40 | access to local variable startInfoProps | provenance |  |
+| CommandInjection.cs:34:39:34:47 | access to local variable userInput : String | CommandInjection.cs:34:13:34:26 | [post] access to local variable startInfoProps : ProcessStartInfo | provenance |  |
+| CommandInjection.cs:35:13:35:26 | [post] access to local variable startInfoProps : ProcessStartInfo | CommandInjection.cs:37:27:37:40 | access to local variable startInfoProps | provenance |  |
+| CommandInjection.cs:35:40:35:48 | access to local variable userInput : String | CommandInjection.cs:35:13:35:26 | [post] access to local variable startInfoProps : ProcessStartInfo | provenance |  |
+| CommandInjection.cs:36:13:36:26 | [post] access to local variable startInfoProps : ProcessStartInfo | CommandInjection.cs:37:27:37:40 | access to local variable startInfoProps | provenance |  |
+| CommandInjection.cs:36:47:36:55 | access to local variable userInput : String | CommandInjection.cs:36:13:36:26 | [post] access to local variable startInfoProps : ProcessStartInfo | provenance |  |
+| CommandInjection.cs:51:54:51:80 | call to method GetString : String | CommandInjection.cs:51:46:51:80 | ... + ... | provenance |  |
+nodes
+| CommandInjection.cs:27:32:27:46 | access to field categoryTextBox : TextBox | semmle.label | access to field categoryTextBox : TextBox |
+| CommandInjection.cs:27:32:27:51 | access to property Text : String | semmle.label | access to property Text : String |
+| CommandInjection.cs:28:27:28:47 | ... + ... | semmle.label | ... + ... |
+| CommandInjection.cs:28:50:28:66 | ... + ... | semmle.label | ... + ... |
+| CommandInjection.cs:30:42:30:83 | object creation of type ProcessStartInfo : ProcessStartInfo | semmle.label | object creation of type ProcessStartInfo : ProcessStartInfo |
+| CommandInjection.cs:30:63:30:71 | access to local variable userInput | semmle.label | access to local variable userInput |
+| CommandInjection.cs:30:63:30:71 | access to local variable userInput : String | semmle.label | access to local variable userInput : String |
+| CommandInjection.cs:30:74:30:82 | access to local variable userInput | semmle.label | access to local variable userInput |
+| CommandInjection.cs:30:74:30:82 | access to local variable userInput : String | semmle.label | access to local variable userInput : String |
+| CommandInjection.cs:31:27:31:35 | access to local variable startInfo | semmle.label | access to local variable startInfo |
+>>>>>>> 4fc83a3267 (Modify test cases)
 | CommandInjection.cs:34:13:34:26 | [post] access to local variable startInfoProps : ProcessStartInfo | semmle.label | [post] access to local variable startInfoProps : ProcessStartInfo |
-| CommandInjection.cs:34:47:34:55 | access to local variable userInput | semmle.label | access to local variable userInput |
-| CommandInjection.cs:34:47:34:55 | access to local variable userInput : String | semmle.label | access to local variable userInput : String |
-| CommandInjection.cs:35:27:35:40 | access to local variable startInfoProps | semmle.label | access to local variable startInfoProps |
+| CommandInjection.cs:34:39:34:47 | access to local variable userInput | semmle.label | access to local variable userInput |
+| CommandInjection.cs:34:39:34:47 | access to local variable userInput : String | semmle.label | access to local variable userInput : String |
+| CommandInjection.cs:35:13:35:26 | [post] access to local variable startInfoProps : ProcessStartInfo | semmle.label | [post] access to local variable startInfoProps : ProcessStartInfo |
+| CommandInjection.cs:35:40:35:48 | access to local variable userInput | semmle.label | access to local variable userInput |
+| CommandInjection.cs:35:40:35:48 | access to local variable userInput : String | semmle.label | access to local variable userInput : String |
+| CommandInjection.cs:36:13:36:26 | [post] access to local variable startInfoProps : ProcessStartInfo | semmle.label | [post] access to local variable startInfoProps : ProcessStartInfo |
+| CommandInjection.cs:36:47:36:55 | access to local variable userInput | semmle.label | access to local variable userInput |
+| CommandInjection.cs:36:47:36:55 | access to local variable userInput : String | semmle.label | access to local variable userInput : String |
+| CommandInjection.cs:37:27:37:40 | access to local variable startInfoProps | semmle.label | access to local variable startInfoProps |
+| CommandInjection.cs:51:46:51:80 | ... + ... | semmle.label | ... + ... |
+| CommandInjection.cs:51:54:51:80 | call to method GetString : String | semmle.label | call to method GetString : String |
 subpaths
 #select
-| CommandInjection.cs:26:27:26:47 | ... + ... | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:26:27:26:47 | ... + ... | This command line depends on a $@. | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | user-provided value |
-| CommandInjection.cs:26:50:26:66 | ... + ... | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:26:50:26:66 | ... + ... | This command line depends on a $@. | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | user-provided value |
-| CommandInjection.cs:28:63:28:71 | access to local variable userInput | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:28:63:28:71 | access to local variable userInput | This command line depends on a $@. | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | user-provided value |
-| CommandInjection.cs:28:74:28:82 | access to local variable userInput | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:28:74:28:82 | access to local variable userInput | This command line depends on a $@. | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | user-provided value |
-| CommandInjection.cs:29:27:29:35 | access to local variable startInfo | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:29:27:29:35 | access to local variable startInfo | This command line depends on a $@. | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | user-provided value |
-| CommandInjection.cs:32:39:32:47 | access to local variable userInput | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:32:39:32:47 | access to local variable userInput | This command line depends on a $@. | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | user-provided value |
-| CommandInjection.cs:33:40:33:48 | access to local variable userInput | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:33:40:33:48 | access to local variable userInput | This command line depends on a $@. | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | user-provided value |
-| CommandInjection.cs:34:47:34:55 | access to local variable userInput | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:34:47:34:55 | access to local variable userInput | This command line depends on a $@. | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | user-provided value |
-| CommandInjection.cs:35:27:35:40 | access to local variable startInfoProps | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:35:27:35:40 | access to local variable startInfoProps | This command line depends on a $@. | CommandInjection.cs:25:32:25:46 | access to field categoryTextBox | user-provided value |
+| CommandInjection.cs:28:27:28:47 | ... + ... | CommandInjection.cs:27:32:27:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:28:27:28:47 | ... + ... | This command line depends on a $@. | CommandInjection.cs:27:32:27:46 | access to field categoryTextBox | user-provided value |
+| CommandInjection.cs:28:50:28:66 | ... + ... | CommandInjection.cs:27:32:27:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:28:50:28:66 | ... + ... | This command line depends on a $@. | CommandInjection.cs:27:32:27:46 | access to field categoryTextBox | user-provided value |
+| CommandInjection.cs:30:63:30:71 | access to local variable userInput | CommandInjection.cs:27:32:27:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:30:63:30:71 | access to local variable userInput | This command line depends on a $@. | CommandInjection.cs:27:32:27:46 | access to field categoryTextBox | user-provided value |
+| CommandInjection.cs:30:74:30:82 | access to local variable userInput | CommandInjection.cs:27:32:27:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:30:74:30:82 | access to local variable userInput | This command line depends on a $@. | CommandInjection.cs:27:32:27:46 | access to field categoryTextBox | user-provided value |
+| CommandInjection.cs:31:27:31:35 | access to local variable startInfo | CommandInjection.cs:27:32:27:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:31:27:31:35 | access to local variable startInfo | This command line depends on a $@. | CommandInjection.cs:27:32:27:46 | access to field categoryTextBox | user-provided value |
+| CommandInjection.cs:34:39:34:47 | access to local variable userInput | CommandInjection.cs:27:32:27:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:34:39:34:47 | access to local variable userInput | This command line depends on a $@. | CommandInjection.cs:27:32:27:46 | access to field categoryTextBox | user-provided value |
+| CommandInjection.cs:35:40:35:48 | access to local variable userInput | CommandInjection.cs:27:32:27:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:35:40:35:48 | access to local variable userInput | This command line depends on a $@. | CommandInjection.cs:27:32:27:46 | access to field categoryTextBox | user-provided value |
+| CommandInjection.cs:36:47:36:55 | access to local variable userInput | CommandInjection.cs:27:32:27:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:36:47:36:55 | access to local variable userInput | This command line depends on a $@. | CommandInjection.cs:27:32:27:46 | access to field categoryTextBox | user-provided value |
+| CommandInjection.cs:37:27:37:40 | access to local variable startInfoProps | CommandInjection.cs:27:32:27:46 | access to field categoryTextBox : TextBox | CommandInjection.cs:37:27:37:40 | access to local variable startInfoProps | This command line depends on a $@. | CommandInjection.cs:27:32:27:46 | access to field categoryTextBox | user-provided value |
+| CommandInjection.cs:51:46:51:80 | ... + ... | CommandInjection.cs:51:54:51:80 | call to method GetString : String | CommandInjection.cs:51:46:51:80 | ... + ... | This command line depends on a $@. | CommandInjection.cs:51:54:51:80 | call to method GetString | user-provided value |

csharp/ql/test/query-tests/Security Features/CWE-078/CommandInjection.ext.yml

@@ -0,0 +1,7 @@
+extensions:
+
+  - addsTo:
+      pack: codeql/threat-models
+      extensible: threatModelConfiguration
+    data:
+      - ["local", true, 0]

csharp/ql/test/query-tests/Security Features/CWE-078/StoredCommandInjection.cs

@@ -1,28 +0,0 @@
-using System;
-using System.Data.SqlClient;
-using System.Diagnostics;
-
-namespace Test
-{
-
-    class StoredCommandInjection
-    {
-
-        public void Test()
-        {
-            using (SqlConnection connection = new SqlConnection(""))
-            {
-                connection.Open();
-                SqlCommand customerCommand = new SqlCommand("SELECT * FROM customers", connection);
-                SqlDataReader customerReader = customerCommand.ExecuteReader();
-
-                while (customerReader.Read())
-                {
-                    // BAD: Read from database, and use it to directly execute a command
-                    Process.Start("foo.exe", "/c " + customerReader.GetString(1));
-                }
-                customerReader.Close();
-            }
-        }
-    }
-}

csharp/ql/test/query-tests/Security Features/CWE-078/StoredCommandInjection.expected

@@ -1,8 +0,0 @@
-edges
-| StoredCommandInjection.cs:22:54:22:80 | call to method GetString : String | StoredCommandInjection.cs:22:46:22:80 | ... + ... | provenance |  |
-nodes
-| StoredCommandInjection.cs:22:46:22:80 | ... + ... | semmle.label | ... + ... |
-| StoredCommandInjection.cs:22:54:22:80 | call to method GetString : String | semmle.label | call to method GetString : String |
-subpaths
-#select
-| StoredCommandInjection.cs:22:46:22:80 | ... + ... | StoredCommandInjection.cs:22:54:22:80 | call to method GetString : String | StoredCommandInjection.cs:22:46:22:80 | ... + ... | This command line depends on a $@. | StoredCommandInjection.cs:22:54:22:80 | call to method GetString | stored (potentially user-provided) value |

csharp/ql/test/query-tests/Security Features/CWE-078/StoredCommandInjection.qlref

@@ -1 +0,0 @@
-Security Features/CWE-078/StoredCommandInjection.ql

csharp/ql/test/query-tests/Security Features/CWE-079/StoredXSS/StoredXSS.ext.yml

@@ -0,0 +1,7 @@
+extensions:
+
+  - addsTo:
+      pack: codeql/threat-models
+      extensible: threatModelConfiguration
+    data:
+      - ["local", true, 0]

csharp/ql/test/query-tests/Security Features/CWE-079/StoredXSS/StoredXSS.qlref

@@ -1 +1 @@
-Security Features/CWE-079/StoredXSS.ql
+Security Features/CWE-079/XSS.ql

csharp/ql/test/query-tests/Security Features/CWE-090/LDAPInjection.cs

@@ -1,4 +1,5 @@
 using System;
+using System.Data.SqlClient;
 using System.DirectoryServices;
 using System.DirectoryServices.Protocols;
 using System.Web;
@@ -27,6 +28,20 @@ public class LDAPInjectionHandler : IHttpHandler
         DirectoryEntry de = new DirectoryEntry("LDAP://Cn=" + userName);
         DirectoryEntry de2 = new DirectoryEntry();
         de2.Path = "LDAP://Cn=" + userName;
+
+        using (SqlConnection connection = new SqlConnection(""))
+        {
+            connection.Open();
+            SqlCommand customerCommand = new SqlCommand("SELECT * FROM customers", connection);
+            SqlDataReader customerReader = customerCommand.ExecuteReader();
+
+            while (customerReader.Read())
+            {
+                // BAD: Read from database, write it straight to a response
+                DirectorySearcher ds4 = new DirectorySearcher("accountname=" + customerReader.GetString(1));
+            }
+            customerReader.Close();
+        }
     }
 
     public string LDAPEncode(string value)

csharp/ql/test/query-tests/Security Features/CWE-090/LDAPInjection.expected

@@ -1,4 +1,5 @@
 edges
+<<<<<<< HEAD
 | LDAPInjection.cs:11:16:11:23 | access to local variable userName : String | LDAPInjection.cs:14:54:14:78 | ... + ... | provenance |  |
 | LDAPInjection.cs:11:16:11:23 | access to local variable userName : String | LDAPInjection.cs:16:21:16:45 | ... + ... | provenance |  |
 | LDAPInjection.cs:11:16:11:23 | access to local variable userName : String | LDAPInjection.cs:23:21:23:45 | ... + ... | provenance |  |
@@ -18,11 +19,39 @@ nodes
 | LDAPInjection.cs:24:53:24:77 | ... + ... | semmle.label | ... + ... |
 | LDAPInjection.cs:27:48:27:70 | ... + ... | semmle.label | ... + ... |
 | LDAPInjection.cs:29:20:29:42 | ... + ... | semmle.label | ... + ... |
+=======
+| LDAPInjection.cs:12:27:12:49 | access to property QueryString : NameValueCollection | LDAPInjection.cs:12:27:12:61 | access to indexer : String | provenance |  |
+| LDAPInjection.cs:12:27:12:49 | access to property QueryString : NameValueCollection | LDAPInjection.cs:15:54:15:78 | ... + ... | provenance |  |
+| LDAPInjection.cs:12:27:12:49 | access to property QueryString : NameValueCollection | LDAPInjection.cs:17:21:17:45 | ... + ... | provenance |  |
+| LDAPInjection.cs:12:27:12:49 | access to property QueryString : NameValueCollection | LDAPInjection.cs:24:21:24:45 | ... + ... | provenance |  |
+| LDAPInjection.cs:12:27:12:49 | access to property QueryString : NameValueCollection | LDAPInjection.cs:25:53:25:77 | ... + ... | provenance |  |
+| LDAPInjection.cs:12:27:12:49 | access to property QueryString : NameValueCollection | LDAPInjection.cs:28:48:28:70 | ... + ... | provenance |  |
+| LDAPInjection.cs:12:27:12:49 | access to property QueryString : NameValueCollection | LDAPInjection.cs:30:20:30:42 | ... + ... | provenance |  |
+| LDAPInjection.cs:12:27:12:61 | access to indexer : String | LDAPInjection.cs:15:54:15:78 | ... + ... | provenance |  |
+| LDAPInjection.cs:12:27:12:61 | access to indexer : String | LDAPInjection.cs:17:21:17:45 | ... + ... | provenance |  |
+| LDAPInjection.cs:12:27:12:61 | access to indexer : String | LDAPInjection.cs:24:21:24:45 | ... + ... | provenance |  |
+| LDAPInjection.cs:12:27:12:61 | access to indexer : String | LDAPInjection.cs:25:53:25:77 | ... + ... | provenance |  |
+| LDAPInjection.cs:12:27:12:61 | access to indexer : String | LDAPInjection.cs:28:48:28:70 | ... + ... | provenance |  |
+| LDAPInjection.cs:12:27:12:61 | access to indexer : String | LDAPInjection.cs:30:20:30:42 | ... + ... | provenance |  |
+| LDAPInjection.cs:41:80:41:106 | call to method GetString : String | LDAPInjection.cs:41:63:41:106 | ... + ... | provenance |  |
+nodes
+| LDAPInjection.cs:12:27:12:49 | access to property QueryString : NameValueCollection | semmle.label | access to property QueryString : NameValueCollection |
+| LDAPInjection.cs:12:27:12:61 | access to indexer : String | semmle.label | access to indexer : String |
+| LDAPInjection.cs:15:54:15:78 | ... + ... | semmle.label | ... + ... |
+| LDAPInjection.cs:17:21:17:45 | ... + ... | semmle.label | ... + ... |
+| LDAPInjection.cs:24:21:24:45 | ... + ... | semmle.label | ... + ... |
+| LDAPInjection.cs:25:53:25:77 | ... + ... | semmle.label | ... + ... |
+| LDAPInjection.cs:28:48:28:70 | ... + ... | semmle.label | ... + ... |
+| LDAPInjection.cs:30:20:30:42 | ... + ... | semmle.label | ... + ... |
+| LDAPInjection.cs:41:63:41:106 | ... + ... | semmle.label | ... + ... |
+| LDAPInjection.cs:41:80:41:106 | call to method GetString : String | semmle.label | call to method GetString : String |
+>>>>>>> 4fc83a3267 (Modify test cases)
 subpaths
 #select
-| LDAPInjection.cs:14:54:14:78 | ... + ... | LDAPInjection.cs:11:27:11:49 | access to property QueryString : NameValueCollection | LDAPInjection.cs:14:54:14:78 | ... + ... | This LDAP query depends on a $@. | LDAPInjection.cs:11:27:11:49 | access to property QueryString | user-provided value |
-| LDAPInjection.cs:16:21:16:45 | ... + ... | LDAPInjection.cs:11:27:11:49 | access to property QueryString : NameValueCollection | LDAPInjection.cs:16:21:16:45 | ... + ... | This LDAP query depends on a $@. | LDAPInjection.cs:11:27:11:49 | access to property QueryString | user-provided value |
-| LDAPInjection.cs:23:21:23:45 | ... + ... | LDAPInjection.cs:11:27:11:49 | access to property QueryString : NameValueCollection | LDAPInjection.cs:23:21:23:45 | ... + ... | This LDAP query depends on a $@. | LDAPInjection.cs:11:27:11:49 | access to property QueryString | user-provided value |
-| LDAPInjection.cs:24:53:24:77 | ... + ... | LDAPInjection.cs:11:27:11:49 | access to property QueryString : NameValueCollection | LDAPInjection.cs:24:53:24:77 | ... + ... | This LDAP query depends on a $@. | LDAPInjection.cs:11:27:11:49 | access to property QueryString | user-provided value |
-| LDAPInjection.cs:27:48:27:70 | ... + ... | LDAPInjection.cs:11:27:11:49 | access to property QueryString : NameValueCollection | LDAPInjection.cs:27:48:27:70 | ... + ... | This LDAP query depends on a $@. | LDAPInjection.cs:11:27:11:49 | access to property QueryString | user-provided value |
-| LDAPInjection.cs:29:20:29:42 | ... + ... | LDAPInjection.cs:11:27:11:49 | access to property QueryString : NameValueCollection | LDAPInjection.cs:29:20:29:42 | ... + ... | This LDAP query depends on a $@. | LDAPInjection.cs:11:27:11:49 | access to property QueryString | user-provided value |
+| LDAPInjection.cs:15:54:15:78 | ... + ... | LDAPInjection.cs:12:27:12:49 | access to property QueryString : NameValueCollection | LDAPInjection.cs:15:54:15:78 | ... + ... | This LDAP query depends on a $@. | LDAPInjection.cs:12:27:12:49 | access to property QueryString | user-provided value |
+| LDAPInjection.cs:17:21:17:45 | ... + ... | LDAPInjection.cs:12:27:12:49 | access to property QueryString : NameValueCollection | LDAPInjection.cs:17:21:17:45 | ... + ... | This LDAP query depends on a $@. | LDAPInjection.cs:12:27:12:49 | access to property QueryString | user-provided value |
+| LDAPInjection.cs:24:21:24:45 | ... + ... | LDAPInjection.cs:12:27:12:49 | access to property QueryString : NameValueCollection | LDAPInjection.cs:24:21:24:45 | ... + ... | This LDAP query depends on a $@. | LDAPInjection.cs:12:27:12:49 | access to property QueryString | user-provided value |
+| LDAPInjection.cs:25:53:25:77 | ... + ... | LDAPInjection.cs:12:27:12:49 | access to property QueryString : NameValueCollection | LDAPInjection.cs:25:53:25:77 | ... + ... | This LDAP query depends on a $@. | LDAPInjection.cs:12:27:12:49 | access to property QueryString | user-provided value |
+| LDAPInjection.cs:28:48:28:70 | ... + ... | LDAPInjection.cs:12:27:12:49 | access to property QueryString : NameValueCollection | LDAPInjection.cs:28:48:28:70 | ... + ... | This LDAP query depends on a $@. | LDAPInjection.cs:12:27:12:49 | access to property QueryString | user-provided value |
+| LDAPInjection.cs:30:20:30:42 | ... + ... | LDAPInjection.cs:12:27:12:49 | access to property QueryString : NameValueCollection | LDAPInjection.cs:30:20:30:42 | ... + ... | This LDAP query depends on a $@. | LDAPInjection.cs:12:27:12:49 | access to property QueryString | user-provided value |
+| LDAPInjection.cs:41:63:41:106 | ... + ... | LDAPInjection.cs:41:80:41:106 | call to method GetString : String | LDAPInjection.cs:41:63:41:106 | ... + ... | This LDAP query depends on a $@. | LDAPInjection.cs:41:80:41:106 | call to method GetString | user-provided value |

csharp/ql/test/query-tests/Security Features/CWE-090/LDAPInjection.ext.yml

@@ -0,0 +1,7 @@
+extensions:
+
+  - addsTo:
+      pack: codeql/threat-models
+      extensible: threatModelConfiguration
+    data:
+      - ["local", true, 0]

csharp/ql/test/query-tests/Security Features/CWE-090/StoredLDAPInjection.cs

@@ -1,28 +0,0 @@
-using System;
-using System.Data.SqlClient;
-using System.DirectoryServices;
-
-namespace Test
-{
-
-    class StoredLDAPInjection
-    {
-
-        public void processRequest()
-        {
-            using (SqlConnection connection = new SqlConnection(""))
-            {
-                connection.Open();
-                SqlCommand customerCommand = new SqlCommand("SELECT * FROM customers", connection);
-                SqlDataReader customerReader = customerCommand.ExecuteReader();
-
-                while (customerReader.Read())
-                {
-                    // BAD: Read from database, write it straight to a response
-                    DirectorySearcher ds = new DirectorySearcher("accountname=" + customerReader.GetString(1));
-                }
-                customerReader.Close();
-            }
-        }
-    }
-}

csharp/ql/test/query-tests/Security Features/CWE-090/StoredLDAPInjection.expected

@@ -1,8 +0,0 @@
-edges
-| StoredLDAPInjection.cs:22:83:22:109 | call to method GetString : String | StoredLDAPInjection.cs:22:66:22:109 | ... + ... | provenance |  |
-nodes
-| StoredLDAPInjection.cs:22:66:22:109 | ... + ... | semmle.label | ... + ... |
-| StoredLDAPInjection.cs:22:83:22:109 | call to method GetString : String | semmle.label | call to method GetString : String |
-subpaths
-#select
-| StoredLDAPInjection.cs:22:66:22:109 | ... + ... | StoredLDAPInjection.cs:22:83:22:109 | call to method GetString : String | StoredLDAPInjection.cs:22:66:22:109 | ... + ... | This LDAP query depends on a $@. | StoredLDAPInjection.cs:22:83:22:109 | call to method GetString | stored (potentially user-provided) value |

csharp/ql/test/query-tests/Security Features/CWE-090/StoredLDAPInjection.qlref

@@ -1 +0,0 @@
-Security Features/CWE-090/StoredLDAPInjection.ql

csharp/ql/test/query-tests/Security Features/CWE-643/StoredXPathInjection.cs

@@ -1,37 +0,0 @@
-using System;
-using System.Data.SqlClient;
-using System.Xml;
-using System.Xml.XPath;
-
-namespace Test
-{
-
-    class StoredXPathInjection
-    {
-
-        public void processRequest()
-        {
-            using (SqlConnection connection = new SqlConnection(""))
-            {
-                connection.Open();
-                SqlCommand customerCommand = new SqlCommand("SELECT * FROM customers", connection);
-                SqlDataReader customerReader = customerCommand.ExecuteReader();
-
-                while (customerReader.Read())
-                {
-                    string userName = customerReader.GetString(1);
-                    string password = customerReader.GetString(2);
-                    // BAD: User input used directly in an XPath expression
-                    XPathExpression.Compile("//users/user[login/text()='" + userName + "' and password/text() = '" + password + "']/home_dir/text()");
-                    XmlNode xmlNode = null;
-                    // BAD: User input used directly in an XPath expression to SelectNodes
-                    xmlNode.SelectNodes("//users/user[login/text()='" + userName + "' and password/text() = '" + password + "']/home_dir/text()");
-
-                    // GOOD: Uses parameters to avoid including user input directly in XPath expression
-                    XPathExpression.Compile("//users/user[login/text()=$username]/home_dir/text()");
-                }
-                customerReader.Close();
-            }
-        }
-    }
-}

csharp/ql/test/query-tests/Security Features/CWE-643/StoredXPathInjection.expected

@@ -1,20 +0,0 @@
-edges
-| StoredXPathInjection.cs:22:28:22:35 | access to local variable userName : String | StoredXPathInjection.cs:25:45:25:148 | ... + ... | provenance |  |
-| StoredXPathInjection.cs:22:28:22:35 | access to local variable userName : String | StoredXPathInjection.cs:28:41:28:144 | ... + ... | provenance |  |
-| StoredXPathInjection.cs:22:39:22:65 | call to method GetString : String | StoredXPathInjection.cs:22:28:22:35 | access to local variable userName : String | provenance |  |
-| StoredXPathInjection.cs:23:28:23:35 | access to local variable password : String | StoredXPathInjection.cs:25:45:25:148 | ... + ... | provenance |  |
-| StoredXPathInjection.cs:23:28:23:35 | access to local variable password : String | StoredXPathInjection.cs:28:41:28:144 | ... + ... | provenance |  |
-| StoredXPathInjection.cs:23:39:23:65 | call to method GetString : String | StoredXPathInjection.cs:23:28:23:35 | access to local variable password : String | provenance |  |
-nodes
-| StoredXPathInjection.cs:22:28:22:35 | access to local variable userName : String | semmle.label | access to local variable userName : String |
-| StoredXPathInjection.cs:22:39:22:65 | call to method GetString : String | semmle.label | call to method GetString : String |
-| StoredXPathInjection.cs:23:28:23:35 | access to local variable password : String | semmle.label | access to local variable password : String |
-| StoredXPathInjection.cs:23:39:23:65 | call to method GetString : String | semmle.label | call to method GetString : String |
-| StoredXPathInjection.cs:25:45:25:148 | ... + ... | semmle.label | ... + ... |
-| StoredXPathInjection.cs:28:41:28:144 | ... + ... | semmle.label | ... + ... |
-subpaths
-#select
-| StoredXPathInjection.cs:25:45:25:148 | ... + ... | StoredXPathInjection.cs:22:39:22:65 | call to method GetString : String | StoredXPathInjection.cs:25:45:25:148 | ... + ... | This XPath expression depends on a $@. | StoredXPathInjection.cs:22:39:22:65 | call to method GetString | stored (potentially user-provided) value |
-| StoredXPathInjection.cs:25:45:25:148 | ... + ... | StoredXPathInjection.cs:23:39:23:65 | call to method GetString : String | StoredXPathInjection.cs:25:45:25:148 | ... + ... | This XPath expression depends on a $@. | StoredXPathInjection.cs:23:39:23:65 | call to method GetString | stored (potentially user-provided) value |
-| StoredXPathInjection.cs:28:41:28:144 | ... + ... | StoredXPathInjection.cs:22:39:22:65 | call to method GetString : String | StoredXPathInjection.cs:28:41:28:144 | ... + ... | This XPath expression depends on a $@. | StoredXPathInjection.cs:22:39:22:65 | call to method GetString | stored (potentially user-provided) value |
-| StoredXPathInjection.cs:28:41:28:144 | ... + ... | StoredXPathInjection.cs:23:39:23:65 | call to method GetString : String | StoredXPathInjection.cs:28:41:28:144 | ... + ... | This XPath expression depends on a $@. | StoredXPathInjection.cs:23:39:23:65 | call to method GetString | stored (potentially user-provided) value |

csharp/ql/test/query-tests/Security Features/CWE-643/StoredXPathInjection.qlref

@@ -1 +0,0 @@
-Security Features/CWE-643/StoredXPathInjection.ql

csharp/ql/test/query-tests/Security Features/CWE-643/XPathInjection.cs

@@ -1,4 +1,5 @@
 using System;
+using System.Data.SqlClient;
 using System.Web;
 using System.Xml;
 using System.Xml.XPath;
@@ -62,4 +63,30 @@ public class XPathInjectionHandler : IHttpHandler
             return true;
         }
     }
+
+    public void ProcessStoredRequest()
+    {
+
+        using (SqlConnection connection = new SqlConnection(""))
+        {
+            connection.Open();
+            SqlCommand customerCommand = new SqlCommand("SELECT * FROM customers", connection);
+            SqlDataReader customerReader = customerCommand.ExecuteReader();
+
+            while (customerReader.Read())
+            {
+                string userName = customerReader.GetString(1);
+                string password = customerReader.GetString(2);
+                // BAD: User input used directly in an XPath expression
+                XPathExpression.Compile("//users/user[login/text()='" + userName + "' and password/text() = '" + password + "']/home_dir/text()");
+                XmlNode xmlNode = null;
+                // BAD: User input used directly in an XPath expression to SelectNodes
+                xmlNode.SelectNodes("//users/user[login/text()='" + userName + "' and password/text() = '" + password + "']/home_dir/text()");
+
+                // GOOD: Uses parameters to avoid including user input directly in XPath expression
+                XPathExpression.Compile("//users/user[login/text()=$username]/home_dir/text()");
+            }
+            customerReader.Close();
+        }
+    }
 }

csharp/ql/test/query-tests/Security Features/CWE-643/XPathInjection.expected

@@ -1,4 +1,5 @@
 edges
+<<<<<<< HEAD
 | XPathInjection.cs:10:16:10:23 | access to local variable userName : String | XPathInjection.cs:13:13:13:13 | access to local variable s : String | provenance |  |
 | XPathInjection.cs:10:27:10:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:10:16:10:23 | access to local variable userName : String | provenance |  |
 | XPathInjection.cs:10:27:10:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:10:27:10:61 | access to indexer : String | provenance |  |
@@ -29,19 +30,75 @@ nodes
 | XPathInjection.cs:40:21:40:21 | access to local variable s | semmle.label | access to local variable s |
 | XPathInjection.cs:46:22:46:22 | access to local variable s | semmle.label | access to local variable s |
 | XPathInjection.cs:52:21:52:21 | access to local variable s | semmle.label | access to local variable s |
+=======
+| XPathInjection.cs:11:27:11:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:11:27:11:61 | access to indexer : String | provenance |  |
+| XPathInjection.cs:11:27:11:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:17:33:17:33 | access to local variable s | provenance |  |
+| XPathInjection.cs:11:27:11:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:20:29:20:29 | access to local variable s | provenance |  |
+| XPathInjection.cs:11:27:11:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:29:20:29:20 | access to local variable s | provenance |  |
+| XPathInjection.cs:11:27:11:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:35:30:35:30 | access to local variable s | provenance |  |
+| XPathInjection.cs:11:27:11:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:41:21:41:21 | access to local variable s | provenance |  |
+| XPathInjection.cs:11:27:11:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:47:22:47:22 | access to local variable s | provenance |  |
+| XPathInjection.cs:11:27:11:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:53:21:53:21 | access to local variable s | provenance |  |
+| XPathInjection.cs:11:27:11:61 | access to indexer : String | XPathInjection.cs:17:33:17:33 | access to local variable s | provenance |  |
+| XPathInjection.cs:11:27:11:61 | access to indexer : String | XPathInjection.cs:20:29:20:29 | access to local variable s | provenance |  |
+| XPathInjection.cs:11:27:11:61 | access to indexer : String | XPathInjection.cs:29:20:29:20 | access to local variable s | provenance |  |
+| XPathInjection.cs:11:27:11:61 | access to indexer : String | XPathInjection.cs:35:30:35:30 | access to local variable s | provenance |  |
+| XPathInjection.cs:11:27:11:61 | access to indexer : String | XPathInjection.cs:41:21:41:21 | access to local variable s | provenance |  |
+| XPathInjection.cs:11:27:11:61 | access to indexer : String | XPathInjection.cs:47:22:47:22 | access to local variable s | provenance |  |
+| XPathInjection.cs:11:27:11:61 | access to indexer : String | XPathInjection.cs:53:21:53:21 | access to local variable s | provenance |  |
+| XPathInjection.cs:12:27:12:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:12:27:12:61 | access to indexer : String | provenance |  |
+| XPathInjection.cs:12:27:12:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:17:33:17:33 | access to local variable s | provenance |  |
+| XPathInjection.cs:12:27:12:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:20:29:20:29 | access to local variable s | provenance |  |
+| XPathInjection.cs:12:27:12:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:29:20:29:20 | access to local variable s | provenance |  |
+| XPathInjection.cs:12:27:12:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:35:30:35:30 | access to local variable s | provenance |  |
+| XPathInjection.cs:12:27:12:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:41:21:41:21 | access to local variable s | provenance |  |
+| XPathInjection.cs:12:27:12:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:47:22:47:22 | access to local variable s | provenance |  |
+| XPathInjection.cs:12:27:12:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:53:21:53:21 | access to local variable s | provenance |  |
+| XPathInjection.cs:12:27:12:61 | access to indexer : String | XPathInjection.cs:17:33:17:33 | access to local variable s | provenance |  |
+| XPathInjection.cs:12:27:12:61 | access to indexer : String | XPathInjection.cs:20:29:20:29 | access to local variable s | provenance |  |
+| XPathInjection.cs:12:27:12:61 | access to indexer : String | XPathInjection.cs:29:20:29:20 | access to local variable s | provenance |  |
+| XPathInjection.cs:12:27:12:61 | access to indexer : String | XPathInjection.cs:35:30:35:30 | access to local variable s | provenance |  |
+| XPathInjection.cs:12:27:12:61 | access to indexer : String | XPathInjection.cs:41:21:41:21 | access to local variable s | provenance |  |
+| XPathInjection.cs:12:27:12:61 | access to indexer : String | XPathInjection.cs:47:22:47:22 | access to local variable s | provenance |  |
+| XPathInjection.cs:12:27:12:61 | access to indexer : String | XPathInjection.cs:53:21:53:21 | access to local variable s | provenance |  |
+| XPathInjection.cs:78:35:78:61 | call to method GetString : String | XPathInjection.cs:81:41:81:144 | ... + ... | provenance |  |
+| XPathInjection.cs:78:35:78:61 | call to method GetString : String | XPathInjection.cs:84:37:84:140 | ... + ... | provenance |  |
+| XPathInjection.cs:79:35:79:61 | call to method GetString : String | XPathInjection.cs:81:41:81:144 | ... + ... | provenance |  |
+| XPathInjection.cs:79:35:79:61 | call to method GetString : String | XPathInjection.cs:84:37:84:140 | ... + ... | provenance |  |
+nodes
+| XPathInjection.cs:11:27:11:49 | access to property QueryString : NameValueCollection | semmle.label | access to property QueryString : NameValueCollection |
+| XPathInjection.cs:11:27:11:61 | access to indexer : String | semmle.label | access to indexer : String |
+| XPathInjection.cs:12:27:12:49 | access to property QueryString : NameValueCollection | semmle.label | access to property QueryString : NameValueCollection |
+| XPathInjection.cs:12:27:12:61 | access to indexer : String | semmle.label | access to indexer : String |
+| XPathInjection.cs:17:33:17:33 | access to local variable s | semmle.label | access to local variable s |
+| XPathInjection.cs:20:29:20:29 | access to local variable s | semmle.label | access to local variable s |
+| XPathInjection.cs:29:20:29:20 | access to local variable s | semmle.label | access to local variable s |
+| XPathInjection.cs:35:30:35:30 | access to local variable s | semmle.label | access to local variable s |
+| XPathInjection.cs:41:21:41:21 | access to local variable s | semmle.label | access to local variable s |
+| XPathInjection.cs:47:22:47:22 | access to local variable s | semmle.label | access to local variable s |
+| XPathInjection.cs:53:21:53:21 | access to local variable s | semmle.label | access to local variable s |
+| XPathInjection.cs:78:35:78:61 | call to method GetString : String | semmle.label | call to method GetString : String |
+| XPathInjection.cs:79:35:79:61 | call to method GetString : String | semmle.label | call to method GetString : String |
+| XPathInjection.cs:81:41:81:144 | ... + ... | semmle.label | ... + ... |
+| XPathInjection.cs:84:37:84:140 | ... + ... | semmle.label | ... + ... |
+>>>>>>> 4fc83a3267 (Modify test cases)
 subpaths
 #select
-| XPathInjection.cs:16:33:16:33 | access to local variable s | XPathInjection.cs:10:27:10:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:16:33:16:33 | access to local variable s | This XPath expression depends on a $@. | XPathInjection.cs:10:27:10:49 | access to property QueryString | user-provided value |
-| XPathInjection.cs:16:33:16:33 | access to local variable s | XPathInjection.cs:11:27:11:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:16:33:16:33 | access to local variable s | This XPath expression depends on a $@. | XPathInjection.cs:11:27:11:49 | access to property QueryString | user-provided value |
-| XPathInjection.cs:19:29:19:29 | access to local variable s | XPathInjection.cs:10:27:10:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:19:29:19:29 | access to local variable s | This XPath expression depends on a $@. | XPathInjection.cs:10:27:10:49 | access to property QueryString | user-provided value |
-| XPathInjection.cs:19:29:19:29 | access to local variable s | XPathInjection.cs:11:27:11:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:19:29:19:29 | access to local variable s | This XPath expression depends on a $@. | XPathInjection.cs:11:27:11:49 | access to property QueryString | user-provided value |
-| XPathInjection.cs:28:20:28:20 | access to local variable s | XPathInjection.cs:10:27:10:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:28:20:28:20 | access to local variable s | This XPath expression depends on a $@. | XPathInjection.cs:10:27:10:49 | access to property QueryString | user-provided value |
-| XPathInjection.cs:28:20:28:20 | access to local variable s | XPathInjection.cs:11:27:11:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:28:20:28:20 | access to local variable s | This XPath expression depends on a $@. | XPathInjection.cs:11:27:11:49 | access to property QueryString | user-provided value |
-| XPathInjection.cs:34:30:34:30 | access to local variable s | XPathInjection.cs:10:27:10:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:34:30:34:30 | access to local variable s | This XPath expression depends on a $@. | XPathInjection.cs:10:27:10:49 | access to property QueryString | user-provided value |
-| XPathInjection.cs:34:30:34:30 | access to local variable s | XPathInjection.cs:11:27:11:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:34:30:34:30 | access to local variable s | This XPath expression depends on a $@. | XPathInjection.cs:11:27:11:49 | access to property QueryString | user-provided value |
-| XPathInjection.cs:40:21:40:21 | access to local variable s | XPathInjection.cs:10:27:10:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:40:21:40:21 | access to local variable s | This XPath expression depends on a $@. | XPathInjection.cs:10:27:10:49 | access to property QueryString | user-provided value |
-| XPathInjection.cs:40:21:40:21 | access to local variable s | XPathInjection.cs:11:27:11:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:40:21:40:21 | access to local variable s | This XPath expression depends on a $@. | XPathInjection.cs:11:27:11:49 | access to property QueryString | user-provided value |
-| XPathInjection.cs:46:22:46:22 | access to local variable s | XPathInjection.cs:10:27:10:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:46:22:46:22 | access to local variable s | This XPath expression depends on a $@. | XPathInjection.cs:10:27:10:49 | access to property QueryString | user-provided value |
-| XPathInjection.cs:46:22:46:22 | access to local variable s | XPathInjection.cs:11:27:11:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:46:22:46:22 | access to local variable s | This XPath expression depends on a $@. | XPathInjection.cs:11:27:11:49 | access to property QueryString | user-provided value |
-| XPathInjection.cs:52:21:52:21 | access to local variable s | XPathInjection.cs:10:27:10:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:52:21:52:21 | access to local variable s | This XPath expression depends on a $@. | XPathInjection.cs:10:27:10:49 | access to property QueryString | user-provided value |
-| XPathInjection.cs:52:21:52:21 | access to local variable s | XPathInjection.cs:11:27:11:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:52:21:52:21 | access to local variable s | This XPath expression depends on a $@. | XPathInjection.cs:11:27:11:49 | access to property QueryString | user-provided value |
+| XPathInjection.cs:17:33:17:33 | access to local variable s | XPathInjection.cs:11:27:11:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:17:33:17:33 | access to local variable s | This XPath expression depends on a $@. | XPathInjection.cs:11:27:11:49 | access to property QueryString | user-provided value |
+| XPathInjection.cs:17:33:17:33 | access to local variable s | XPathInjection.cs:12:27:12:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:17:33:17:33 | access to local variable s | This XPath expression depends on a $@. | XPathInjection.cs:12:27:12:49 | access to property QueryString | user-provided value |
+| XPathInjection.cs:20:29:20:29 | access to local variable s | XPathInjection.cs:11:27:11:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:20:29:20:29 | access to local variable s | This XPath expression depends on a $@. | XPathInjection.cs:11:27:11:49 | access to property QueryString | user-provided value |
+| XPathInjection.cs:20:29:20:29 | access to local variable s | XPathInjection.cs:12:27:12:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:20:29:20:29 | access to local variable s | This XPath expression depends on a $@. | XPathInjection.cs:12:27:12:49 | access to property QueryString | user-provided value |
+| XPathInjection.cs:29:20:29:20 | access to local variable s | XPathInjection.cs:11:27:11:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:29:20:29:20 | access to local variable s | This XPath expression depends on a $@. | XPathInjection.cs:11:27:11:49 | access to property QueryString | user-provided value |
+| XPathInjection.cs:29:20:29:20 | access to local variable s | XPathInjection.cs:12:27:12:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:29:20:29:20 | access to local variable s | This XPath expression depends on a $@. | XPathInjection.cs:12:27:12:49 | access to property QueryString | user-provided value |
+| XPathInjection.cs:35:30:35:30 | access to local variable s | XPathInjection.cs:11:27:11:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:35:30:35:30 | access to local variable s | This XPath expression depends on a $@. | XPathInjection.cs:11:27:11:49 | access to property QueryString | user-provided value |
+| XPathInjection.cs:35:30:35:30 | access to local variable s | XPathInjection.cs:12:27:12:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:35:30:35:30 | access to local variable s | This XPath expression depends on a $@. | XPathInjection.cs:12:27:12:49 | access to property QueryString | user-provided value |
+| XPathInjection.cs:41:21:41:21 | access to local variable s | XPathInjection.cs:11:27:11:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:41:21:41:21 | access to local variable s | This XPath expression depends on a $@. | XPathInjection.cs:11:27:11:49 | access to property QueryString | user-provided value |
+| XPathInjection.cs:41:21:41:21 | access to local variable s | XPathInjection.cs:12:27:12:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:41:21:41:21 | access to local variable s | This XPath expression depends on a $@. | XPathInjection.cs:12:27:12:49 | access to property QueryString | user-provided value |
+| XPathInjection.cs:47:22:47:22 | access to local variable s | XPathInjection.cs:11:27:11:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:47:22:47:22 | access to local variable s | This XPath expression depends on a $@. | XPathInjection.cs:11:27:11:49 | access to property QueryString | user-provided value |
+| XPathInjection.cs:47:22:47:22 | access to local variable s | XPathInjection.cs:12:27:12:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:47:22:47:22 | access to local variable s | This XPath expression depends on a $@. | XPathInjection.cs:12:27:12:49 | access to property QueryString | user-provided value |
+| XPathInjection.cs:53:21:53:21 | access to local variable s | XPathInjection.cs:11:27:11:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:53:21:53:21 | access to local variable s | This XPath expression depends on a $@. | XPathInjection.cs:11:27:11:49 | access to property QueryString | user-provided value |
+| XPathInjection.cs:53:21:53:21 | access to local variable s | XPathInjection.cs:12:27:12:49 | access to property QueryString : NameValueCollection | XPathInjection.cs:53:21:53:21 | access to local variable s | This XPath expression depends on a $@. | XPathInjection.cs:12:27:12:49 | access to property QueryString | user-provided value |
+| XPathInjection.cs:81:41:81:144 | ... + ... | XPathInjection.cs:78:35:78:61 | call to method GetString : String | XPathInjection.cs:81:41:81:144 | ... + ... | This XPath expression depends on a $@. | XPathInjection.cs:78:35:78:61 | call to method GetString | user-provided value |
+| XPathInjection.cs:81:41:81:144 | ... + ... | XPathInjection.cs:79:35:79:61 | call to method GetString : String | XPathInjection.cs:81:41:81:144 | ... + ... | This XPath expression depends on a $@. | XPathInjection.cs:79:35:79:61 | call to method GetString | user-provided value |
+| XPathInjection.cs:84:37:84:140 | ... + ... | XPathInjection.cs:78:35:78:61 | call to method GetString : String | XPathInjection.cs:84:37:84:140 | ... + ... | This XPath expression depends on a $@. | XPathInjection.cs:78:35:78:61 | call to method GetString | user-provided value |
+| XPathInjection.cs:84:37:84:140 | ... + ... | XPathInjection.cs:79:35:79:61 | call to method GetString : String | XPathInjection.cs:84:37:84:140 | ... + ... | This XPath expression depends on a $@. | XPathInjection.cs:79:35:79:61 | call to method GetString | user-provided value |

csharp/ql/test/query-tests/Security Features/CWE-643/XPathInjection.ext.yml

@@ -0,0 +1,7 @@
+extensions:
+
+  - addsTo:
+      pack: codeql/threat-models
+      extensible: threatModelConfiguration
+    data:
+      - ["local", true, 0]