github
/
codeql
зеркало из https://github.com/github/codeql.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Merge branch 'main' into fewer-dataflow-branches

This commit is contained in:
Mathias Vorreiter Pedersen 2023-12-08 09:30:01 +00:00
Родитель 1c73d43b4f 9a555ba16e
Коммит 7b83947383
79 изменённых файлов: 12353 добавлений и 3566 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

9
cpp/ql/lib/DefaultOptions.qll
Просмотреть файл

@ -52,12 +52,13 @@ class Options extends string {
/**
* Holds if a call to this function will never return.
*
* By default, this holds for `exit`, `_exit`, `abort`, `__assert_fail`,
* `longjmp`, `__builtin_unreachable` and any function with a
* `noreturn` attribute or specifier.
* By default, this holds for `exit`, `_exit`, `_Exit`, `abort`,
* `__assert_fail`, `longjmp`, `__builtin_unreachable` and any
* function with a `noreturn` or `__noreturn__` attribute or
* `noreturn` specifier.
*/
predicate exits(Function f) {
f.getAnAttribute().hasName("noreturn")
f.getAnAttribute().hasName(["noreturn", "__noreturn__"])
or
f.getASpecifier().hasName("noreturn")
or

4
cpp/ql/lib/change-notes/2022-11-21-ir-guards-replacement.md Normal file
Просмотреть файл

@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* The `Guards` library has been replaced with the API-compatible `IRGuards` implementation, which has better precision in some cases.

4
cpp/ql/lib/change-notes/2023-11-25-default-taint-tracking-removal.md Normal file
Просмотреть файл

@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* The deprecated `DefaultTaintTracking` library has been removed.

366
cpp/ql/lib/semmle/code/cpp/controlflow/Guards.qll
Просмотреть файл

@ -7,371 +7,7 @@ import cpp
import semmle.code.cpp.controlflow.BasicBlocks
import semmle.code.cpp.controlflow.SSA
import semmle.code.cpp.controlflow.Dominance
/**
* A Boolean condition that guards one or more basic blocks. This includes
* operands of logical operators but not switch statements.
*/
class GuardCondition extends Expr {
GuardCondition() { is_condition(this) }
/**
* Holds if this condition controls `block`, meaning that `block` is only
* entered if the value of this condition is `testIsTrue`.
*
* Illustration:
*
* ```
* [ (testIsTrue) ]
* [ this ----------------succ ---- controlled ]
* [ | | ]
* [ (testIsFalse) | ------ ... ]
* [ other ]
* ```
*
* The predicate holds if all paths to `controlled` go via the `testIsTrue`
* edge of the control-flow graph. In other words, the `testIsTrue` edge
* must dominate `controlled`. This means that `controlled` must be
* dominated by both `this` and `succ` (the target of the `testIsTrue`
* edge). It also means that any other edge into `succ` must be a back-edge
* from a node which is dominated by `succ`.
*
* The short-circuit boolean operations have slightly surprising behavior
* here: because the operation itself only dominates one branch (due to
* being short-circuited) then it will only control blocks dominated by the
* true (for `&&`) or false (for `||`) branch.
*/
cached
predicate controls(BasicBlock controlled, boolean testIsTrue) {
// This condition must determine the flow of control; that is, this
// node must be a top-level condition.
this.controlsBlock(controlled, testIsTrue)
or
exists(BinaryLogicalOperation binop, GuardCondition lhs, GuardCondition rhs |
this = binop and
lhs = binop.getLeftOperand() and
rhs = binop.getRightOperand() and
lhs.controls(controlled, testIsTrue) and
rhs.controls(controlled, testIsTrue)
)
or
exists(GuardCondition ne, GuardCondition operand |
this = operand and
operand = ne.(NotExpr).getOperand() and
ne.controls(controlled, testIsTrue.booleanNot())
)
}
/** Holds if (determined by this guard) `left < right + k` evaluates to `isLessThan` if this expression evaluates to `testIsTrue`. */
cached
predicate comparesLt(Expr left, Expr right, int k, boolean isLessThan, boolean testIsTrue) {
compares_lt(this, left, right, k, isLessThan, testIsTrue)
}
/**
* Holds if (determined by this guard) `left < right + k` must be `isLessThan` in `block`.
* If `isLessThan = false` then this implies `left >= right + k`.
*/
cached
predicate ensuresLt(Expr left, Expr right, int k, BasicBlock block, boolean isLessThan) {
exists(boolean testIsTrue |
compares_lt(this, left, right, k, isLessThan, testIsTrue) and this.controls(block, testIsTrue)
)
}
/** Holds if (determined by this guard) `left == right + k` evaluates to `areEqual` if this expression evaluates to `testIsTrue`. */
cached
predicate comparesEq(Expr left, Expr right, int k, boolean areEqual, boolean testIsTrue) {
compares_eq(this, left, right, k, areEqual, testIsTrue)
}
/**
* Holds if (determined by this guard) `left == right + k` must be `areEqual` in `block`.
* If `areEqual = false` then this implies `left != right + k`.
*/
cached
predicate ensuresEq(Expr left, Expr right, int k, BasicBlock block, boolean areEqual) {
exists(boolean testIsTrue |
compares_eq(this, left, right, k, areEqual, testIsTrue) and this.controls(block, testIsTrue)
)
}
/**
* Holds if this condition controls `block`, meaning that `block` is only
* entered if the value of this condition is `testIsTrue`. This helper
* predicate does not necessarily hold for binary logical operations like
* `&&` and `||`. See the detailed explanation on predicate `controls`.
*/
private predicate controlsBlock(BasicBlock controlled, boolean testIsTrue) {
exists(BasicBlock thisblock | thisblock.contains(this) |
exists(BasicBlock succ |
testIsTrue = true and succ = this.getATrueSuccessor()
or
testIsTrue = false and succ = this.getAFalseSuccessor()
|
bbDominates(succ, controlled) and
forall(BasicBlock pred | pred.getASuccessor() = succ |
pred = thisblock or bbDominates(succ, pred) or not reachable(pred)
)
)
)
}
}
private predicate is_condition(Expr guard) {
guard.isCondition()
or
is_condition(guard.(BinaryLogicalOperation).getAnOperand())
or
exists(NotExpr cond | is_condition(cond) and cond.getOperand() = guard)
}
/*
* Simplification of equality expressions:
* Simplify conditions in the source to the canonical form l op r + k.
*/
/**
* Holds if `left == right + k` is `areEqual` given that test is `testIsTrue`.
*
* Beware making mistaken logical implications here relating `areEqual` and `testIsTrue`.
*/
private predicate compares_eq(
Expr test, Expr left, Expr right, int k, boolean areEqual, boolean testIsTrue
) {
/* The simple case where the test *is* the comparison so areEqual = testIsTrue xor eq. */
exists(boolean eq | simple_comparison_eq(test, left, right, k, eq) |
areEqual = true and testIsTrue = eq
or
areEqual = false and testIsTrue = eq.booleanNot()
)
or
logical_comparison_eq(test, left, right, k, areEqual, testIsTrue)
or
/* a == b + k => b == a - k */
exists(int mk | k = -mk | compares_eq(test, right, left, mk, areEqual, testIsTrue))
or
complex_eq(test, left, right, k, areEqual, testIsTrue)
or
/* (x is true => (left == right + k)) => (!x is false => (left == right + k)) */
exists(boolean isFalse | testIsTrue = isFalse.booleanNot() |
compares_eq(test.(NotExpr).getOperand(), left, right, k, areEqual, isFalse)
)
}
/**
* If `test => part` and `part => left == right + k` then `test => left == right + k`.
* Similarly for the case where `test` is false.
*/
private predicate logical_comparison_eq(
BinaryLogicalOperation test, Expr left, Expr right, int k, boolean areEqual, boolean testIsTrue
) {
exists(boolean partIsTrue, Expr part | test.impliesValue(part, partIsTrue, testIsTrue) |
compares_eq(part, left, right, k, areEqual, partIsTrue)
)
}
/** Rearrange various simple comparisons into `left == right + k` form. */
private predicate simple_comparison_eq(
ComparisonOperation cmp, Expr left, Expr right, int k, boolean areEqual
) {
left = cmp.getLeftOperand() and
cmp.getOperator() = "==" and
right = cmp.getRightOperand() and
k = 0 and
areEqual = true
or
left = cmp.getLeftOperand() and
cmp.getOperator() = "!=" and
right = cmp.getRightOperand() and
k = 0 and
areEqual = false
}
private predicate complex_eq(
ComparisonOperation cmp, Expr left, Expr right, int k, boolean areEqual, boolean testIsTrue
) {
sub_eq(cmp, left, right, k, areEqual, testIsTrue)
or
add_eq(cmp, left, right, k, areEqual, testIsTrue)
}
// left - x == right + c => left == right + (c+x)
// left == (right - x) + c => left == right + (c-x)
private predicate sub_eq(
ComparisonOperation cmp, Expr left, Expr right, int k, boolean areEqual, boolean testIsTrue
) {
exists(SubExpr lhs, int c, int x |
compares_eq(cmp, lhs, right, c, areEqual, testIsTrue) and
left = lhs.getLeftOperand() and
x = int_value(lhs.getRightOperand()) and
k = c + x
)
or
exists(SubExpr rhs, int c, int x |
compares_eq(cmp, left, rhs, c, areEqual, testIsTrue) and
right = rhs.getLeftOperand() and
x = int_value(rhs.getRightOperand()) and
k = c - x
)
}
// left + x == right + c => left == right + (c-x)
// left == (right + x) + c => left == right + (c+x)
private predicate add_eq(
ComparisonOperation cmp, Expr left, Expr right, int k, boolean areEqual, boolean testIsTrue
) {
exists(AddExpr lhs, int c, int x |
compares_eq(cmp, lhs, right, c, areEqual, testIsTrue) and
(
left = lhs.getLeftOperand() and x = int_value(lhs.getRightOperand())
or
left = lhs.getRightOperand() and x = int_value(lhs.getLeftOperand())
) and
k = c - x
)
or
exists(AddExpr rhs, int c, int x |
compares_eq(cmp, left, rhs, c, areEqual, testIsTrue) and
(
right = rhs.getLeftOperand() and x = int_value(rhs.getRightOperand())
or
right = rhs.getRightOperand() and x = int_value(rhs.getLeftOperand())
) and
k = c + x
)
}
/*
* Simplification of inequality expressions:
* Simplify conditions in the source to the canonical form l < r + k.
*/
/** Holds if `left < right + k` evaluates to `isLt` given that test is `testIsTrue`. */
private predicate compares_lt(
Expr test, Expr left, Expr right, int k, boolean isLt, boolean testIsTrue
) {
/* In the simple case, the test is the comparison, so isLt = testIsTrue */
simple_comparison_lt(test, left, right, k) and isLt = true and testIsTrue = true
or
simple_comparison_lt(test, left, right, k) and isLt = false and testIsTrue = false
or
logical_comparison_lt(test, left, right, k, isLt, testIsTrue)
or
complex_lt(test, left, right, k, isLt, testIsTrue)
or
/* (not (left < right + k)) => (left >= right + k) */
exists(boolean isGe | isLt = isGe.booleanNot() |
compares_ge(test, left, right, k, isGe, testIsTrue)
)
or
/* (x is true => (left < right + k)) => (!x is false => (left < right + k)) */
exists(boolean isFalse | testIsTrue = isFalse.booleanNot() |
compares_lt(test.(NotExpr).getOperand(), left, right, k, isLt, isFalse)
)
}
/** `(a < b + k) => (b > a - k) => (b >= a + (1-k))` */
private predicate compares_ge(
Expr test, Expr left, Expr right, int k, boolean isGe, boolean testIsTrue
) {
exists(int onemk | k = 1 - onemk | compares_lt(test, right, left, onemk, isGe, testIsTrue))
}
/**
* If `test => part` and `part => left < right + k` then `test => left < right + k`.
* Similarly for the case where `test` evaluates false.
*/
private predicate logical_comparison_lt(
BinaryLogicalOperation test, Expr left, Expr right, int k, boolean isLt, boolean testIsTrue
) {
exists(boolean partIsTrue, Expr part | test.impliesValue(part, partIsTrue, testIsTrue) |
compares_lt(part, left, right, k, isLt, partIsTrue)
)
}
/** Rearrange various simple comparisons into `left < right + k` form. */
private predicate simple_comparison_lt(ComparisonOperation cmp, Expr left, Expr right, int k) {
left = cmp.getLeftOperand() and
cmp.getOperator() = "<" and
right = cmp.getRightOperand() and
k = 0
or
left = cmp.getLeftOperand() and
cmp.getOperator() = "<=" and
right = cmp.getRightOperand() and
k = 1
or
right = cmp.getLeftOperand() and
cmp.getOperator() = ">" and
left = cmp.getRightOperand() and
k = 0
or
right = cmp.getLeftOperand() and
cmp.getOperator() = ">=" and
left = cmp.getRightOperand() and
k = 1
}
private predicate complex_lt(
ComparisonOperation cmp, Expr left, Expr right, int k, boolean isLt, boolean testIsTrue
) {
sub_lt(cmp, left, right, k, isLt, testIsTrue)
or
add_lt(cmp, left, right, k, isLt, testIsTrue)
}
// left - x < right + c => left < right + (c+x)
// left < (right - x) + c => left < right + (c-x)
private predicate sub_lt(
ComparisonOperation cmp, Expr left, Expr right, int k, boolean isLt, boolean testIsTrue
) {
exists(SubExpr lhs, int c, int x |
compares_lt(cmp, lhs, right, c, isLt, testIsTrue) and
left = lhs.getLeftOperand() and
x = int_value(lhs.getRightOperand()) and
k = c + x
)
or
exists(SubExpr rhs, int c, int x |
compares_lt(cmp, left, rhs, c, isLt, testIsTrue) and
right = rhs.getLeftOperand() and
x = int_value(rhs.getRightOperand()) and
k = c - x
)
}
// left + x < right + c => left < right + (c-x)
// left < (right + x) + c => left < right + (c+x)
private predicate add_lt(
ComparisonOperation cmp, Expr left, Expr right, int k, boolean isLt, boolean testIsTrue
) {
exists(AddExpr lhs, int c, int x |
compares_lt(cmp, lhs, right, c, isLt, testIsTrue) and
(
left = lhs.getLeftOperand() and x = int_value(lhs.getRightOperand())
or
left = lhs.getRightOperand() and x = int_value(lhs.getLeftOperand())
) and
k = c - x
)
or
exists(AddExpr rhs, int c, int x |
compares_lt(cmp, left, rhs, c, isLt, testIsTrue) and
(
right = rhs.getLeftOperand() and x = int_value(rhs.getRightOperand())
or
right = rhs.getRightOperand() and x = int_value(rhs.getLeftOperand())
) and
k = c + x
)
}
/** The `int` value of integer constant expression. */
private int int_value(Expr e) {
e.getUnderlyingType() instanceof IntegralType and
result = e.getValue().toInt()
}
import IRGuards
/** An `SsaDefinition` with an additional predicate `isLt`. */
class GuardedSsa extends SsaDefinition {

21
cpp/ql/lib/semmle/code/cpp/ir/dataflow/DefaultTaintTracking.qll
Просмотреть файл

@ -1,21 +0,0 @@
/**
* DEPRECATED: Use `semmle.code.cpp.ir.dataflow.TaintTracking` as a replacement.
*
* An IR taint tracking library that uses an IR DataFlow configuration to track
* taint from user inputs as defined by `semmle.code.cpp.security.Security`.
*/
import cpp
import semmle.code.cpp.security.Security
private import semmle.code.cpp.ir.dataflow.internal.DefaultTaintTrackingImpl as DefaultTaintTrackingImpl
deprecated predicate predictableOnlyFlow = DefaultTaintTrackingImpl::predictableOnlyFlow/1;
deprecated predicate tainted = DefaultTaintTrackingImpl::tainted/2;
deprecated predicate taintedIncludingGlobalVars =
DefaultTaintTrackingImpl::taintedIncludingGlobalVars/3;
deprecated predicate globalVarFromId = DefaultTaintTrackingImpl::globalVarFromId/1;
deprecated module TaintedWithPath = DefaultTaintTrackingImpl::TaintedWithPath;

668
cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DefaultTaintTrackingImpl.qll
Просмотреть файл

@ -1,668 +0,0 @@
/**
* INTERNAL: Do not use.
*
* An IR taint tracking library that uses an IR DataFlow configuration to track
* taint from user inputs as defined by `semmle.code.cpp.security.Security`.
*/
import cpp
import semmle.code.cpp.security.Security
private import semmle.code.cpp.ir.dataflow.DataFlow
private import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
private import semmle.code.cpp.ir.IR
private import semmle.code.cpp.ir.dataflow.ResolveCall
private import semmle.code.cpp.controlflow.IRGuards
private import semmle.code.cpp.models.interfaces.Taint
private import semmle.code.cpp.models.interfaces.DataFlow
private import semmle.code.cpp.ir.dataflow.TaintTracking
private import semmle.code.cpp.ir.dataflow.TaintTracking2
private import semmle.code.cpp.ir.dataflow.TaintTracking3
private import semmle.code.cpp.ir.dataflow.internal.ModelUtil
private import semmle.code.cpp.ir.dataflow.internal.DataFlowPrivate
/**
* A predictable instruction is one where an external user can predict
* the value. For example, a literal in the source code is considered
* predictable.
*/
private predicate predictableInstruction(Instruction instr) {
instr instanceof ConstantInstruction
or
instr instanceof StringConstantInstruction
or
// This could be a conversion on a string literal
predictableInstruction(instr.(UnaryInstruction).getUnary())
}
/**
* Functions that we should only allow taint to flow through (to the return
* value) if all but the source argument are 'predictable'. This is done to
* emulate the old security library's implementation rather than due to any
* strong belief that this is the right approach.
*
* Note that the list itself is not very principled; it consists of all the
* functions listed in the old security library's [default] `isPureFunction`
* that have more than one argument, but are not in the old taint tracking
* library's `returnArgument` predicate.
*/
predicate predictableOnlyFlow(string name) {
name =
[
"strcasestr", "strchnul", "strchr", "strchrnul", "strcmp", "strcspn", "strncmp", "strndup",
"strnlen", "strrchr", "strspn", "strstr", "strtod", "strtof", "strtol", "strtoll", "strtoq",
"strtoul"
]
}
private DataFlow::Node getNodeForSource(Expr source) {
isUserInput(source, _) and
result = getNodeForExpr(source)
}
private DataFlow::Node getNodeForExpr(Expr node) {
node = DataFlow::ExprFlowCached::asExprInternal(result)
or
// Some of the sources in `isUserInput` are intended to match the value of
// an expression, while others (those modeled below) are intended to match
// the taint that propagates out of an argument, like the `char *` argument
// to `gets`. It's impossible here to tell which is which, but the "access
// to argv" source is definitely not intended to match an output argument,
// and it causes false positives if we let it.
//
// This case goes together with the similar (but not identical) rule in
// `nodeIsBarrierIn`.
result = DataFlow::definitionByReferenceNodeFromArgument(node) and
not argv(node.(VariableAccess).getTarget())
}
private predicate conflatePointerAndPointee(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
// Flow from `op` to `*op`.
exists(Operand operand, int indirectionIndex |
nodeHasOperand(nodeFrom, operand, indirectionIndex) and
nodeHasOperand(nodeTo, operand, indirectionIndex - 1)
)
or
// Flow from `instr` to `*instr`.
exists(Instruction instr, int indirectionIndex |
nodeHasInstruction(nodeFrom, instr, indirectionIndex) and
nodeHasInstruction(nodeTo, instr, indirectionIndex - 1)
)
}
private module DefaultTaintTrackingConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source = getNodeForSource(_) }
predicate isSink(DataFlow::Node sink) { exists(adjustedSink(sink)) }
predicate isBarrier(DataFlow::Node node) { nodeIsBarrier(node) }
predicate isBarrierIn(DataFlow::Node node) { nodeIsBarrierIn(node) }
predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
conflatePointerAndPointee(nodeFrom, nodeTo)
}
}
private module DefaultTaintTrackingFlow = TaintTracking::Global<DefaultTaintTrackingConfig>;
private module ToGlobalVarTaintTrackingConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source = getNodeForSource(_) }
predicate isSink(DataFlow::Node sink) { sink.asVariable() instanceof GlobalOrNamespaceVariable }
predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
writesVariable(n1.asInstruction(), n2.asVariable().(GlobalOrNamespaceVariable))
or
readsVariable(n2.asInstruction(), n1.asVariable().(GlobalOrNamespaceVariable))
}
predicate isBarrier(DataFlow::Node node) { nodeIsBarrier(node) }
predicate isBarrierIn(DataFlow::Node node) { nodeIsBarrierIn(node) }
}
private module ToGlobalVarTaintTrackingFlow = TaintTracking::Global<ToGlobalVarTaintTrackingConfig>;
private module FromGlobalVarTaintTrackingConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) {
// This set of sources should be reasonably small, which is good for
// performance since the set of sinks is very large.
ToGlobalVarTaintTrackingFlow::flowTo(source)
}
predicate isSink(DataFlow::Node sink) { exists(adjustedSink(sink)) }
predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
// Additional step for flow out of variables. There is no flow _into_
// variables in this configuration, so this step only serves to take flow
// out of a variable that's a source.
readsVariable(n2.asInstruction(), n1.asVariable())
}
predicate isBarrier(DataFlow::Node node) { nodeIsBarrier(node) }
predicate isBarrierIn(DataFlow::Node node) { nodeIsBarrierIn(node) }
}
private module FromGlobalVarTaintTrackingFlow =
TaintTracking::Global<FromGlobalVarTaintTrackingConfig>;
private predicate readsVariable(LoadInstruction load, Variable var) {
load.getSourceAddress().(VariableAddressInstruction).getAstVariable() = var
}
private predicate writesVariable(StoreInstruction store, Variable var) {
store.getDestinationAddress().(VariableAddressInstruction).getAstVariable() = var
}
/**
* A variable that has any kind of upper-bound check anywhere in the program. This is
* biased towards being inclusive because there are a lot of valid ways of doing an
* upper bounds checks if we don't consider where it occurs, for example:
* ```
* if (x < 10) { sink(x); }
*
* if (10 > y) { sink(y); }
*
* if (z > 10) { z = 10; }
* sink(z);
* ```
*/
// TODO: This coarse overapproximation, ported from the old taint tracking
// library, could be replaced with an actual semantic check that a particular
// variable _access_ is guarded by an upper-bound check. We probably don't want
// to do this right away since it could expose a lot of FPs that were
// previously suppressed by this predicate by coincidence.
private predicate hasUpperBoundsCheck(Variable var) {
exists(RelationalOperation oper, VariableAccess access |
oper.getAnOperand() = access and
access.getTarget() = var and
// Comparing to 0 is not an upper bound check
not oper.getAnOperand().getValue() = "0"
)
}
private predicate nodeIsBarrierEqualityCandidate(
DataFlow::Node node, Operand access, Variable checkedVar
) {
exists(Instruction instr | instr = node.asOperand().getDef() |
readsVariable(instr, checkedVar) and
any(IRGuardCondition guard).ensuresEq(access, _, _, instr.getBlock(), true)
)
}
cached
private module Cached {
cached
predicate nodeIsBarrier(DataFlow::Node node) {
exists(Variable checkedVar, Instruction instr | instr = node.asOperand().getDef() |
readsVariable(instr, checkedVar) and
hasUpperBoundsCheck(checkedVar)
)
or
exists(Variable checkedVar, Operand access |
/*
* This node is guarded by a condition that forces the accessed variable
* to equal something else. For example:
* ```
* x = taintsource()
* if (x == 10) {
* taintsink(x); // not considered tainted
* }
* ```
*/
nodeIsBarrierEqualityCandidate(node, access, checkedVar) and
readsVariable(access.getDef(), checkedVar)
)
}
cached
predicate nodeIsBarrierIn(DataFlow::Node node) {
// don't use dataflow into taint sources, as this leads to duplicate results.
exists(Expr source | isUserInput(source, _) |
source = DataFlow::ExprFlowCached::asExprInternal(node)
or
// This case goes together with the similar (but not identical) rule in
// `getNodeForSource`.
node = DataFlow::definitionByReferenceNodeFromArgument(source)
)
or
// don't use dataflow into binary instructions if both operands are unpredictable
exists(BinaryInstruction iTo |
iTo = node.asInstruction() and
not predictableInstruction(iTo.getLeft()) and
not predictableInstruction(iTo.getRight()) and
// propagate taint from either the pointer or the offset, regardless of predictability
not iTo instanceof PointerArithmeticInstruction
)
or
// don't use dataflow through calls to pure functions if two or more operands
// are unpredictable
exists(Instruction iFrom1, Instruction iFrom2, CallInstruction iTo |
iTo = node.asInstruction() and
isPureFunction(iTo.getStaticCallTarget().getName()) and
iFrom1 = iTo.getAnArgument() and
iFrom2 = iTo.getAnArgument() and
not predictableInstruction(iFrom1) and
not predictableInstruction(iFrom2) and
iFrom1 != iFrom2
)
}
cached
Element adjustedSink(DataFlow::Node sink) {
// TODO: is it more appropriate to use asConvertedExpr here and avoid
// `getConversion*`? Or will that cause us to miss some cases where there's
// flow to a conversion (like a `ReferenceDereferenceExpr`) and we want to
// pretend there was flow to the converted `Expr` for the sake of
// compatibility.
sink.asExpr().getConversion*() = result
or
// For compatibility, send flow from arguments to parameters, even for
// functions with no body.
exists(FunctionCall call, int i |
sink.asExpr() = call.getArgument(pragma[only_bind_into](i)) and
result = resolveCall(call).getParameter(pragma[only_bind_into](i))
)
or
// For compatibility, send flow into a `Variable` if there is flow to any
// Load or Store of that variable.
exists(CopyInstruction copy |
copy.getSourceValue() = sink.asInstruction() and
(
readsVariable(copy, result) or
writesVariable(copy, result)
) and
not hasUpperBoundsCheck(result)
)
or
// For compatibility, send flow into a `NotExpr` even if it's part of a
// short-circuiting condition and thus might get skipped.
result.(NotExpr).getOperand() = sink.asExpr()
or
// Taint postfix and prefix crement operations when their operand is tainted.
result.(CrementOperation).getAnOperand() = sink.asExpr()
or
// Taint `e1 += e2`, `e &= e2` and friends when `e1` or `e2` is tainted.
result.(AssignOperation).getAnOperand() = sink.asExpr()
or
result =
sink.asOperand()
.(SideEffectOperand)
.getUse()
.(ReadSideEffectInstruction)
.getArgumentDef()
.getUnconvertedResultExpression()
}
/**
* Step to return value of a modeled function when an input taints the
* dereference of the return value.
*/
cached
predicate additionalTaintStep(DataFlow::Node n1, DataFlow::Node n2) {
exists(CallInstruction call, Function func, FunctionInput modelIn, FunctionOutput modelOut |
n1 = callInput(call, modelIn) and
(
func.(TaintFunction).hasTaintFlow(modelIn, modelOut)
or
func.(DataFlowFunction).hasDataFlow(modelIn, modelOut)
) and
call.getStaticCallTarget() = func and
modelOut.isReturnValueDeref() and
call = n2.asInstruction()
)
}
}
private import Cached
/**
* Holds if `tainted` may contain taint from `source`.
*
* A tainted expression is either directly user input, or is
* computed from user input in a way that users can probably
* control the exact output of the computation.
*
* This doesn't include data flow through global variables.
* If you need that you must call `taintedIncludingGlobalVars`.
*/
cached
predicate tainted(Expr source, Element tainted) {
exists(DataFlow::Node sink |
DefaultTaintTrackingFlow::flow(getNodeForSource(source), sink) and
tainted = adjustedSink(sink)
)
}
/**
* Holds if `tainted` may contain taint from `source`, where the taint passed
* through a global variable named `globalVar`.
*
* A tainted expression is either directly user input, or is
* computed from user input in a way that users can probably
* control the exact output of the computation.
*
* This version gives the same results as tainted but also includes
* data flow through global variables.
*
* The parameter `globalVar` is the qualified name of the last global variable
* used to move the value from source to tainted. If the taint did not pass
* through a global variable, then `globalVar = ""`.
*/
cached
predicate taintedIncludingGlobalVars(Expr source, Element tainted, string globalVar) {
tainted(source, tainted) and
globalVar = ""
or
exists(
DataFlow::VariableNode variableNode, GlobalOrNamespaceVariable global, DataFlow::Node sink
|
global = variableNode.getVariable() and
ToGlobalVarTaintTrackingFlow::flow(getNodeForSource(source), variableNode) and
FromGlobalVarTaintTrackingFlow::flow(variableNode, sink) and
tainted = adjustedSink(sink) and
global = globalVarFromId(globalVar)
)
}
/**
* Gets the global variable whose qualified name is `id`. Use this predicate
* together with `taintedIncludingGlobalVars`. Example:
*
* ```
* exists(string varName |
* taintedIncludingGlobalVars(source, tainted, varName) and
* var = globalVarFromId(varName)
* )
* ```
*/
GlobalOrNamespaceVariable globalVarFromId(string id) { id = result.getQualifiedName() }
/**
* Provides definitions for augmenting source/sink pairs with data-flow paths
* between them. From a `@kind path-problem` query, import this module in the
* global scope, extend `TaintTrackingConfiguration`, and use `taintedWithPath`
* in place of `tainted`.
*
* Importing this module will also import the query predicates that contain the
* taint paths.
*/
module TaintedWithPath {
private newtype TSingleton = MkSingleton()
/**
* A taint-tracking configuration that matches sources and sinks in the same
* way as the `tainted` predicate.
*
* Override `isSink` and `taintThroughGlobals` as needed, but do not provide
* a characteristic predicate.
*/
class TaintTrackingConfiguration extends TSingleton {
/** Override this to specify which elements are sources in this configuration. */
predicate isSource(Expr source) { exists(getNodeForSource(source)) }
/** Override this to specify which elements are sinks in this configuration. */
abstract predicate isSink(Element e);
/** Override this to specify which expressions are barriers in this configuration. */
predicate isBarrier(Expr e) { nodeIsBarrier(getNodeForExpr(e)) }
/**
* Override this predicate to `any()` to allow taint to flow through global
* variables.
*/
predicate taintThroughGlobals() { none() }
/** Gets a textual representation of this element. */
string toString() { result = "TaintTrackingConfiguration" }
}
private module AdjustedConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) {
exists(TaintTrackingConfiguration cfg, Expr e |
cfg.isSource(e) and source = getNodeForExpr(e)
)
}
predicate isSink(DataFlow::Node sink) {
exists(TaintTrackingConfiguration cfg | cfg.isSink(adjustedSink(sink)))
}
predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
conflatePointerAndPointee(n1, n2)
or
// Steps into and out of global variables
exists(TaintTrackingConfiguration cfg | cfg.taintThroughGlobals() |
writesVariable(n1.asInstruction(), n2.asVariable().(GlobalOrNamespaceVariable))
or
readsVariable(n2.asInstruction(), n1.asVariable().(GlobalOrNamespaceVariable))
)
or
additionalTaintStep(n1, n2)
}
predicate isBarrier(DataFlow::Node node) {
exists(TaintTrackingConfiguration cfg, Expr e | cfg.isBarrier(e) and node = getNodeForExpr(e))
}
predicate isBarrierIn(DataFlow::Node node) { nodeIsBarrierIn(node) }
predicate neverSkip(Node node) { none() }
}
private module AdjustedFlow = TaintTracking::Global<AdjustedConfig>;
/*
* A sink `Element` may map to multiple `DataFlowX::PathNode`s via (the
* inverse of) `adjustedSink`. For example, an `Expr` maps to all its
* conversions, and a `Variable` maps to all loads and stores from it. Because
* the path node is part of the tuple that constitutes the alert, this leads
* to duplicate alerts.
*
* To avoid showing duplicates, we edit the graph to replace the final node
* coming from the data-flow library with a node that matches exactly the
* `Element` sink that's requested.
*
* The same is done for sources.
*/
private newtype TPathNode =
TWrapPathNode(AdjustedFlow::PathNode n) or
// There's a single newtype constructor for both sources and sinks since
// that makes it easiest to deal with the case where source = sink.
TEndpointPathNode(Element e) {
exists(DataFlow::Node sourceNode, DataFlow::Node sinkNode |
AdjustedFlow::flow(sourceNode, sinkNode)
|
sourceNode = getNodeForExpr(e) and
exists(TaintTrackingConfiguration ttCfg | ttCfg.isSource(e))
or
e = adjustedSink(sinkNode) and
exists(TaintTrackingConfiguration ttCfg | ttCfg.isSink(e))
)
}
/** An opaque type used for the nodes of a data-flow path. */
class PathNode extends TPathNode {
/** Gets a textual representation of this element. */
string toString() { none() }
/**
* Holds if this element is at the specified location.
* The location spans column `startcolumn` of line `startline` to
* column `endcolumn` of line `endline` in file `filepath`.
* For more information, see
* [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
*/
predicate hasLocationInfo(
string filepath, int startline, int startcolumn, int endline, int endcolumn
) {
none()
}
}
/**
* INTERNAL: Do not use.
*/
module Private {
/** Gets a predecessor `PathNode` of `pathNode`, if any. */
PathNode getAPredecessor(PathNode pathNode) { edges(result, pathNode) }
/** Gets the element that `pathNode` wraps, if any. */
Element getElementFromPathNode(PathNode pathNode) {
exists(DataFlow::Node node | node = pathNode.(WrapPathNode).inner().getNode() |
result = node.asInstruction().getAst()
or
result = node.asOperand().getDef().getAst()
)
or
result = pathNode.(EndpointPathNode).inner()
}
}
private class WrapPathNode extends PathNode, TWrapPathNode {
AdjustedFlow::PathNode inner() { this = TWrapPathNode(result) }
override string toString() { result = this.inner().toString() }
override predicate hasLocationInfo(
string filepath, int startline, int startcolumn, int endline, int endcolumn
) {
this.inner().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
}
}
private class EndpointPathNode extends PathNode, TEndpointPathNode {
Expr inner() { this = TEndpointPathNode(result) }
override string toString() { result = this.inner().toString() }
override predicate hasLocationInfo(
string filepath, int startline, int startcolumn, int endline, int endcolumn
) {
this.inner()
.getLocation()
.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
}
}
/** A PathNode whose `Element` is a source. It may also be a sink. */
private class InitialPathNode extends EndpointPathNode {
InitialPathNode() { exists(TaintTrackingConfiguration cfg | cfg.isSource(this.inner())) }
}
/** A PathNode whose `Element` is a sink. It may also be a source. */
private class FinalPathNode extends EndpointPathNode {
FinalPathNode() { exists(TaintTrackingConfiguration cfg | cfg.isSink(this.inner())) }
}
/** Holds if `(a,b)` is an edge in the graph of data flow path explanations. */
query predicate edges(PathNode a, PathNode b) {
AdjustedFlow::PathGraph::edges(a.(WrapPathNode).inner(), b.(WrapPathNode).inner())
or
// To avoid showing trivial-looking steps, we _replace_ the last node instead
// of adding an edge out of it.
exists(WrapPathNode sinkNode |
AdjustedFlow::PathGraph::edges(a.(WrapPathNode).inner(), sinkNode.inner()) and
b.(FinalPathNode).inner() = adjustedSink(sinkNode.inner().getNode())
)
or
// Same for the first node
exists(WrapPathNode sourceNode |
AdjustedFlow::PathGraph::edges(sourceNode.inner(), b.(WrapPathNode).inner()) and
sourceNode.inner().getNode() = getNodeForExpr(a.(InitialPathNode).inner())
)
or
// Finally, handle the case where the path goes directly from a source to a
// sink, meaning that they both need to be translated.
exists(WrapPathNode sinkNode, WrapPathNode sourceNode |
AdjustedFlow::PathGraph::edges(sourceNode.inner(), sinkNode.inner()) and
sourceNode.inner().getNode() = getNodeForExpr(a.(InitialPathNode).inner()) and
b.(FinalPathNode).inner() = adjustedSink(sinkNode.inner().getNode())
)
}
/**
* Holds if there is flow from `arg` to `out` across a call that can by summarized by the flow
* from `par` to `ret` within it, in the graph of data flow path explanations.
*/
query predicate subpaths(PathNode arg, PathNode par, PathNode ret, PathNode out) {
AdjustedFlow::PathGraph::subpaths(arg.(WrapPathNode).inner(), par.(WrapPathNode).inner(),
ret.(WrapPathNode).inner(), out.(WrapPathNode).inner())
or
// To avoid showing trivial-looking steps, we _replace_ the last node instead
// of adding an edge out of it.
exists(WrapPathNode sinkNode |
AdjustedFlow::PathGraph::subpaths(arg.(WrapPathNode).inner(), par.(WrapPathNode).inner(),
ret.(WrapPathNode).inner(), sinkNode.inner()) and
out.(FinalPathNode).inner() = adjustedSink(sinkNode.inner().getNode())
)
or
// Same for the first node
exists(WrapPathNode sourceNode |
AdjustedFlow::PathGraph::subpaths(sourceNode.inner(), par.(WrapPathNode).inner(),
ret.(WrapPathNode).inner(), out.(WrapPathNode).inner()) and
sourceNode.inner().getNode() = getNodeForExpr(arg.(InitialPathNode).inner())
)
or
// Finally, handle the case where the path goes directly from a source to a
// sink, meaning that they both need to be translated.
exists(WrapPathNode sinkNode, WrapPathNode sourceNode |
AdjustedFlow::PathGraph::subpaths(sourceNode.inner(), par.(WrapPathNode).inner(),
ret.(WrapPathNode).inner(), sinkNode.inner()) and
sourceNode.inner().getNode() = getNodeForExpr(arg.(InitialPathNode).inner()) and
out.(FinalPathNode).inner() = adjustedSink(sinkNode.inner().getNode())
)
}
/** Holds if `n` is a node in the graph of data flow path explanations. */
query predicate nodes(PathNode n, string key, string val) {
key = "semmle.label" and val = n.toString()
}
/**
* Holds if `tainted` may contain taint from `source`, where `sourceNode` and
* `sinkNode` are the corresponding `PathNode`s that can be used in a query
* to provide path explanations. Extend `TaintTrackingConfiguration` to use
* this predicate.
*
* A tainted expression is either directly user input, or is computed from
* user input in a way that users can probably control the exact output of
* the computation.
*/
predicate taintedWithPath(Expr source, Element tainted, PathNode sourceNode, PathNode sinkNode) {
exists(DataFlow::Node flowSource, DataFlow::Node flowSink |
source = sourceNode.(InitialPathNode).inner() and
flowSource = getNodeForExpr(source) and
AdjustedFlow::flow(flowSource, flowSink) and
tainted = adjustedSink(flowSink) and
tainted = sinkNode.(FinalPathNode).inner()
)
}
private predicate isGlobalVariablePathNode(WrapPathNode n) {
n.inner().getNode().asVariable() instanceof GlobalOrNamespaceVariable
or
n.inner().getNode().asIndirectVariable() instanceof GlobalOrNamespaceVariable
}
private predicate edgesWithoutGlobals(PathNode a, PathNode b) {
edges(a, b) and
not isGlobalVariablePathNode(a) and
not isGlobalVariablePathNode(b)
}
/**
* Holds if `tainted` can be reached from a taint source without passing
* through a global variable.
*/
predicate taintedWithoutGlobals(Element tainted) {
exists(PathNode sourceNode, FinalPathNode sinkNode |
AdjustedConfig::isSource(sourceNode.(WrapPathNode).inner().getNode()) and
edgesWithoutGlobals+(sourceNode, sinkNode) and
tainted = sinkNode.inner()
)
}
}

10
cpp/ql/lib/semmle/code/cpp/security/TaintTracking.qll
Просмотреть файл

@ -1,10 +0,0 @@
/**
* Support for tracking tainted data through the program. This is an alias for
* `semmle.code.cpp.ir.dataflow.DefaultTaintTracking` provided for backwards
* compatibility.
*
* Prefer to use `semmle.code.cpp.dataflow.TaintTracking` or
* `semmle.code.cpp.ir.dataflow.TaintTracking` when designing new queries.
*/
import semmle.code.cpp.ir.dataflow.DefaultTaintTracking

654
cpp/ql/lib/semmle/code/cpp/security/TaintTrackingImpl.qll
Просмотреть файл

@ -1,654 +0,0 @@
/**
* DEPRECATED: we now use `semmle.code.cpp.ir.dataflow.DefaultTaintTracking`,
* which is based on the IR but designed to behave similarly to this old
* library.
*
* Provides the implementation of `semmle.code.cpp.security.TaintTracking`. Do
* not import this file directly.
*/
import cpp
import Security
/** Expressions that change the value of a variable */
private predicate valueSource(Expr expr) {
exists(AssignExpr ae | expr = ae.getLValue())
or
exists(FunctionCall fc, int i |
userInputArgument(fc, i) and
expr = fc.getArgument(i)
)
or
exists(FunctionCall c, int arg |
copyValueBetweenArguments(c.getTarget(), _, arg) and
expr = c.getArgument(arg)
)
or
exists(FunctionCall c, int arg |
c.getTarget().getParameter(arg).getType() instanceof ReferenceType and
expr = c.getArgument(arg)
)
}
/** Expressions that are inside an expression that changes the value of a variable */
private predicate insideValueSource(Expr expr) {
valueSource(expr)
or
insideValueSource(expr.getParent()) and
// A modification of array[offset] does not modify offset
not expr.getParent().(ArrayExpr).getArrayOffset() = expr
}
private predicate isPointer(Type type) {
type instanceof PointerType or
isPointer(type.(ReferenceType).getBaseType())
}
/**
* Tracks data flow from src to dest.
* If this is used in the left side of an assignment src and dest should be swapped
*/
private predicate moveToDependingOnSide(Expr src, Expr dest) {
exists(ParenthesisExpr e |
src = e.getAChild() and
dest = e
)
or
exists(ArrayExpr e |
src = e.getArrayBase() and
dest = e
)
or
exists(PointerDereferenceExpr e |
src = e.getOperand() and
dest = e
)
or
exists(AddressOfExpr e |
src = e.getOperand() and
dest = e
)
or
// if var+offset is tainted, then so is var
exists(VariableAccess base, BinaryOperation binop |
dest = binop and
(base = binop.getLeftOperand() or base = binop.getRightOperand()) and
isPointer(base.getType()) and
base.getTarget() instanceof LocalScopeVariable and
src = base and
// flow through pointer-pointer subtraction is dubious, the result should be
// a number bounded by the size of the pointed-to thing.
not binop instanceof PointerDiffExpr
)
or
exists(UnaryOperation unop |
dest = unop and
unop.getAnOperand() = src
)
or
exists(BinaryOperation binop |
dest = binop and
binop.getLeftOperand() = src and
predictable(binop.getRightOperand())
)
or
exists(BinaryOperation binop |
dest = binop and
binop.getRightOperand() = src and
predictable(binop.getLeftOperand())
)
or
exists(Cast cast |
dest = cast and
src = cast.getExpr()
)
or
exists(ConditionalExpr cond |
cond = dest and
(
cond.getThen() = src or
cond.getElse() = src
)
)
}
/**
* Track value flow between functions.
* Handles the following cases:
* - If an argument to a function is tainted, all the usages of the parameter inside the function are tainted
* - If a function obtains input from the user internally and returns it, all calls to the function are tainted
* - If an argument to a function is tainted and that parameter is returned, all calls to the function are not tainted
* (this is done to avoid false positives). Because of this we need to track if the tainted element came from an argument
* or not, and for that we use destFromArg
*/
deprecated private predicate betweenFunctionsValueMoveTo(
Element src, Element dest, boolean destFromArg
) {
not unreachable(src) and
not unreachable(dest) and
(
exists(Call call, int i |
src = call.getArgument(i) and
resolveCallWithParam(call, _, i, dest) and
destFromArg = true
)
or
// Only move the return of the function to the function itself if the value didn't came from an
// argument, or else we would taint all the calls to one function if one argument is tainted
// somewhere
exists(Function f, ReturnStmt ret |
ret.getEnclosingFunction() = f and
src = ret.getExpr() and
destFromArg = false and
dest = f
)
or
exists(Call call, Function f |
f = resolveCall(call) and
src = f and
dest = call and
destFromArg = false
)
or
// If a parameter of type reference is tainted inside a function, taint the argument too
exists(Call call, int pi, Parameter p |
resolveCallWithParam(call, _, pi, p) and
p.getType() instanceof ReferenceType and
src = p and
dest = call.getArgument(pi) and
destFromArg = false
)
)
}
// predicate folding for proper join-order
// bad magic: pushes down predicate that ruins join-order
pragma[nomagic]
deprecated private predicate resolveCallWithParam(Call call, Function called, int i, Parameter p) {
called = resolveCall(call) and
p = called.getParameter(i)
}
/** A variable for which flow through is allowed. */
deprecated library class FlowVariable extends Variable {
FlowVariable() {
(
this instanceof LocalScopeVariable or
this instanceof GlobalOrNamespaceVariable
) and
not argv(this)
}
}
/** A local scope variable for which flow through is allowed. */
deprecated library class FlowLocalScopeVariable extends Variable {
FlowLocalScopeVariable() { this instanceof LocalScopeVariable }
}
deprecated private predicate insideFunctionValueMoveTo(Element src, Element dest) {
not unreachable(src) and
not unreachable(dest) and
(
// Taint all variable usages when one is tainted
// This function taints global variables but doesn't taint from a global variable (see globalVariableValueMoveTo)
exists(FlowLocalScopeVariable v |
src = v and
dest = v.getAnAccess() and
not insideValueSource(dest)
)
or
exists(FlowVariable v |
src = v.getAnAccess() and
dest = v and
insideValueSource(src)
)
or
// Taint all union usages when one is tainted
// This function taints global variables but doesn't taint from a global variable (see globalVariableValueMoveTo)
exists(FlowLocalScopeVariable v, FieldAccess a |
unionAccess(v, _, a) and
src = v and
dest = a and
not insideValueSource(dest)
)
or
exists(FlowVariable v, FieldAccess a |
unionAccess(v, _, a) and
src = a and
dest = v and
insideValueSource(src)
)
or
// If a pointer is tainted, taint the original variable
exists(FlowVariable p, FlowVariable v, AddressOfExpr e |
p.getAnAssignedValue() = e and
e.getOperand() = v.getAnAccess() and
src = p and
dest = v
)
or
// If a reference is tainted, taint the original variable
exists(FlowVariable r, FlowVariable v |
r.getType() instanceof ReferenceType and
r.getInitializer().getExpr() = v.getAnAccess() and
src = r and
dest = v
)
or
exists(Variable var |
var = dest and
var.getInitializer().getExpr() = src
)
or
exists(AssignExpr ae |
src = ae.getRValue() and
dest = ae.getLValue()
)
or
exists(CommaExpr comma |
comma = dest and
comma.getRightOperand() = src
)
or
exists(FunctionCall c, int sourceArg, int destArg |
copyValueBetweenArguments(c.getTarget(), sourceArg, destArg) and
// Only consider copies from `printf`-like functions if the format is a string
(
exists(FormattingFunctionCall ffc, FormatLiteral format |
ffc = c and
format = ffc.getFormat() and
format.getConversionChar(sourceArg - ffc.getTarget().getNumberOfParameters()) = ["s", "S"]
)
or
not c.(FormattingFunctionCall).getFormat() instanceof FormatLiteral
or
not c instanceof FormattingFunctionCall
) and
src = c.getArgument(sourceArg) and
dest = c.getArgument(destArg)
)
or
exists(FunctionCall c, int sourceArg |
returnArgument(c.getTarget(), sourceArg) and
src = c.getArgument(sourceArg) and
dest = c
)
or
exists(FormattingFunctionCall formattingSend, int arg, FormatLiteral format |
dest = formattingSend and
formattingSend.getArgument(arg) = src and
format = formattingSend.getFormat() and
format.getConversionChar(arg - formattingSend.getTarget().getNumberOfParameters()) =
["s", "S", "@"]
)
or
// Expressions computed from tainted data are also tainted
exists(FunctionCall call | dest = call and isPureFunction(call.getTarget().getName()) |
call.getAnArgument() = src and
forall(Expr arg | arg = call.getAnArgument() | arg = src or predictable(arg)) and
// flow through `strlen` tends to cause dubious results, if the length is
// bounded.
not call.getTarget().getName() = "strlen"
)
or
exists(Element a, Element b |
moveToDependingOnSide(a, b) and
if insideValueSource(a) then (src = b and dest = a) else (src = a and dest = b)
)
)
}
/**
* Handles data flow from global variables to its usages.
* The tainting for the global variable itself is done at insideFunctionValueMoveTo.
*/
private predicate globalVariableValueMoveTo(GlobalOrNamespaceVariable src, Expr dest) {
not unreachable(dest) and
(
exists(GlobalOrNamespaceVariable v |
src = v and
dest = v.getAnAccess() and
not insideValueSource(dest)
)
or
exists(GlobalOrNamespaceVariable v, FieldAccess a |
unionAccess(v, _, a) and
src = v and
dest = a and
not insideValueSource(dest)
)
)
}
private predicate unionAccess(Variable v, Field f, FieldAccess a) {
f.getDeclaringType() instanceof Union and
a.getTarget() = f and
a.getQualifier() = v.getAnAccess()
}
deprecated GlobalOrNamespaceVariable globalVarFromId(string id) {
if result instanceof NamespaceVariable
then id = result.getNamespace() + "::" + result.getName()
else id = result.getName()
}
/**
* A variable that has any kind of upper-bound check anywhere in the program. This is
* biased towards being inclusive because there are a lot of valid ways of doing an
* upper bounds checks if we don't consider where it occurs, for example:
* ```
* if (x < 10) { sink(x); }
*
* if (10 > y) { sink(y); }
*
* if (z > 10) { z = 10; }
* sink(z);
* ```
*/
private predicate hasUpperBoundsCheck(Variable var) {
exists(RelationalOperation oper, VariableAccess access |
oper.getAnOperand() = access and
access.getTarget() = var and
// Comparing to 0 is not an upper bound check
not oper.getAnOperand().getValue() = "0"
)
}
cached
deprecated private predicate taintedWithArgsAndGlobalVars(
Element src, Element dest, boolean destFromArg, string globalVar
) {
isUserInput(src, _) and
not unreachable(src) and
dest = src and
destFromArg = false and
globalVar = ""
or
exists(Element other, boolean otherFromArg, string otherGlobalVar |
taintedWithArgsAndGlobalVars(src, other, otherFromArg, otherGlobalVar)
|
not unreachable(dest) and
not hasUpperBoundsCheck(dest) and
(
// Direct flow from one expression to another.
betweenFunctionsValueMoveTo(other, dest, destFromArg) and
(destFromArg = true or otherFromArg = false) and
globalVar = otherGlobalVar
or
insideFunctionValueMoveTo(other, dest) and
destFromArg = otherFromArg and
globalVar = otherGlobalVar
or
exists(GlobalOrNamespaceVariable v |
v = other and
globalVariableValueMoveTo(v, dest) and
destFromArg = false and
v = globalVarFromId(globalVar)
)
)
)
}
/**
* A tainted expression is either directly user input, or is
* computed from user input in a way that users can probably
* control the exact output of the computation.
*
* This doesn't include data flow through global variables.
* If you need that you must call taintedIncludingGlobalVars.
*/
deprecated predicate tainted(Expr source, Element tainted) {
taintedWithArgsAndGlobalVars(source, tainted, _, "")
}
/**
* A tainted expression is either directly user input, or is
* computed from user input in a way that users can probably
* control the exact output of the computation.
*
* This version gives the same results as tainted but also includes
* data flow through global variables.
*
* The parameter `globalVar` is the name of the last global variable used to move the
* value from source to tainted.
*/
deprecated predicate taintedIncludingGlobalVars(Expr source, Element tainted, string globalVar) {
taintedWithArgsAndGlobalVars(source, tainted, _, globalVar)
}
/**
* A predictable expression is one where an external user can predict
* the value. For example, a literal in the source code is considered
* predictable.
*/
private predicate predictable(Expr expr) {
expr instanceof Literal
or
exists(BinaryOperation binop | binop = expr |
predictable(binop.getLeftOperand()) and predictable(binop.getRightOperand())
)
or
exists(UnaryOperation unop | unop = expr | predictable(unop.getOperand()))
}
private int maxArgIndex(Function f) {
result =
max(FunctionCall fc, int toMax |
fc.getTarget() = f and toMax = fc.getNumberOfArguments() - 1
|
toMax
)
}
/** Functions that copy the value of one argument to another */
private predicate copyValueBetweenArguments(Function f, int sourceArg, int destArg) {
f.hasGlobalOrStdName("memcpy") and sourceArg = 1 and destArg = 0
or
f.hasGlobalName("__builtin___memcpy_chk") and sourceArg = 1 and destArg = 0
or
f.hasGlobalOrStdName("memmove") and sourceArg = 1 and destArg = 0
or
f.hasGlobalOrStdName("strcat") and sourceArg = 1 and destArg = 0
or
f.hasGlobalName("_mbscat") and sourceArg = 1 and destArg = 0
or
f.hasGlobalOrStdName("wcscat") and sourceArg = 1 and destArg = 0
or
f.hasGlobalOrStdName("strncat") and sourceArg = 1 and destArg = 0
or
f.hasGlobalName("_mbsncat") and sourceArg = 1 and destArg = 0
or
f.hasGlobalName("wcsncat") and sourceArg = 1 and destArg = 0
or
f.hasGlobalOrStdName("strcpy") and sourceArg = 1 and destArg = 0
or
f.hasGlobalName("_mbscpy") and sourceArg = 1 and destArg = 0
or
f.hasGlobalOrStdName("wcscpy") and sourceArg = 1 and destArg = 0
or
f.hasGlobalOrStdName("strncpy") and sourceArg = 1 and destArg = 0
or
f.hasGlobalName("_mbsncpy") and sourceArg = 1 and destArg = 0
or
f.hasGlobalOrStdName("wcsncpy") and sourceArg = 1 and destArg = 0
or
f.hasGlobalName("inet_aton") and sourceArg = 0 and destArg = 1
or
f.hasGlobalName("inet_pton") and sourceArg = 1 and destArg = 2
or
f.hasGlobalOrStdName("strftime") and sourceArg in [2 .. maxArgIndex(f)] and destArg = 0
or
exists(FormattingFunction ff | ff = f |
sourceArg in [ff.getFormatParameterIndex() .. maxArgIndex(f)] and
destArg = ff.getOutputParameterIndex(false)
)
}
/** Functions where if one of the arguments is tainted, the result should be tainted */
private predicate returnArgument(Function f, int sourceArg) {
f.hasGlobalName("memcpy") and sourceArg = 0
or
f.hasGlobalName("__builtin___memcpy_chk") and sourceArg = 0
or
f.hasGlobalOrStdName("memmove") and sourceArg = 0
or
f.hasGlobalOrStdName("strcat") and sourceArg = 0
or
f.hasGlobalName("_mbscat") and sourceArg = 0
or
f.hasGlobalOrStdName("wcsncat") and sourceArg = 0
or
f.hasGlobalOrStdName("strncat") and sourceArg = 0
or
f.hasGlobalName("_mbsncat") and sourceArg = 0
or
f.hasGlobalOrStdName("wcsncat") and sourceArg = 0
or
f.hasGlobalOrStdName("strcpy") and sourceArg = 0
or
f.hasGlobalName("_mbscpy") and sourceArg = 0
or
f.hasGlobalOrStdName("wcscpy") and sourceArg = 0
or
f.hasGlobalOrStdName("strncpy") and sourceArg = 0
or
f.hasGlobalName("_mbsncpy") and sourceArg = 0
or
f.hasGlobalOrStdName("wcsncpy") and sourceArg = 0
or
f.hasGlobalName("inet_ntoa") and sourceArg = 0
or
f.hasGlobalName("inet_addr") and sourceArg = 0
or
f.hasGlobalName("inet_network") and sourceArg = 0
or
f.hasGlobalName("inet_ntoa") and sourceArg = 0
or
f.hasGlobalName("inet_makeaddr") and
(sourceArg = 0 or sourceArg = 1)
or
f.hasGlobalName("inet_lnaof") and sourceArg = 0
or
f.hasGlobalName("inet_netof") and sourceArg = 0
or
f.hasGlobalName("gethostbyname") and sourceArg = 0
or
f.hasGlobalName("gethostbyaddr") and sourceArg = 0
}
/**
* Resolve potential target function(s) for `call`.
*
* If `call` is a call through a function pointer (`ExprCall`) or
* targets a virtual method, simple data flow analysis is performed
* in order to identify target(s).
*/
deprecated Function resolveCall(Call call) {
result = call.getTarget()
or
result = call.(DataSensitiveCallExpr).resolve()
}
/** A data sensitive call expression. */
abstract deprecated library class DataSensitiveCallExpr extends Expr {
DataSensitiveCallExpr() { not unreachable(this) }
abstract Expr getSrc();
cached
abstract Function resolve();
/**
* Whether `src` can flow to this call expression.
*
* Searches backwards from `getSrc()` to `src`.
*/
predicate flowsFrom(Element src, boolean allowFromArg) {
src = this.getSrc() and allowFromArg = true
or
exists(Element other, boolean allowOtherFromArg | this.flowsFrom(other, allowOtherFromArg) |
exists(boolean otherFromArg | betweenFunctionsValueMoveToStatic(src, other, otherFromArg) |
otherFromArg = true and allowOtherFromArg = true and allowFromArg = true
or
otherFromArg = false and allowFromArg = false
)
or
insideFunctionValueMoveTo(src, other) and allowFromArg = allowOtherFromArg
or
globalVariableValueMoveTo(src, other) and allowFromArg = true
)
}
}
/** Call through a function pointer. */
deprecated library class DataSensitiveExprCall extends DataSensitiveCallExpr, ExprCall {
override Expr getSrc() { result = this.getExpr() }
override Function resolve() {
exists(FunctionAccess fa | this.flowsFrom(fa, true) | result = fa.getTarget())
}
}
/** Call to a virtual function. */
deprecated library class DataSensitiveOverriddenFunctionCall extends DataSensitiveCallExpr,
FunctionCall
{
DataSensitiveOverriddenFunctionCall() {
exists(this.getTarget().(VirtualFunction).getAnOverridingFunction())
}
override Expr getSrc() { result = this.getQualifier() }
override MemberFunction resolve() {
exists(NewExpr new |
this.flowsFrom(new, true) and
memberFunctionFromNewExpr(new, result) and
result.overrides*(this.getTarget().(VirtualFunction))
)
}
}
private predicate memberFunctionFromNewExpr(NewExpr new, MemberFunction f) {
f = new.getAllocatedType().(Class).getAMemberFunction()
}
/** Same as `betweenFunctionsValueMoveTo`, but calls are resolved to their static target. */
private predicate betweenFunctionsValueMoveToStatic(Element src, Element dest, boolean destFromArg) {
not unreachable(src) and
not unreachable(dest) and
(
exists(FunctionCall call, Function called, int i |
src = call.getArgument(i) and
called = call.getTarget() and
dest = called.getParameter(i) and
destFromArg = true
)
or
// Only move the return of the function to the function itself if the value didn't came from an
// argument, or else we would taint all the calls to one function if one argument is tainted
// somewhere
exists(Function f, ReturnStmt ret |
ret.getEnclosingFunction() = f and
src = ret.getExpr() and
destFromArg = false and
dest = f
)
or
exists(FunctionCall call, Function f |
call.getTarget() = f and
src = f and
dest = call and
destFromArg = false
)
or
// If a parameter of type reference is tainted inside a function, taint the argument too
exists(FunctionCall call, Function f, int pi, Parameter p |
call.getTarget() = f and
f.getParameter(pi) = p and
p.getType() instanceof ReferenceType and
src = p and
dest = call.getArgument(pi) and
destFromArg = false
)
)
}

7
cpp/ql/test/library-tests/controlflow/controlflow/SsaLt.expected
Просмотреть файл

@ -11,7 +11,6 @@
| test.c:2:31:72:1 | { ... } | test.c:2:14:2:14 | x | < | test.c:17:12:17:12 | 0 | 50 | 52 |
| test.c:2:31:72:1 | { ... } | test.c:2:14:2:14 | x | < | test.c:17:12:17:12 | 0 | 53 | 53 |
| test.c:2:31:72:1 | { ... } | test.c:2:14:2:14 | x | < | test.c:17:12:17:12 | 0 | 53 | 55 |
| test.c:2:31:72:1 | { ... } | test.c:2:14:2:14 | x | < | test.c:17:12:17:12 | 0 | 56 | 63 |
| test.c:2:31:72:1 | { ... } | test.c:2:14:2:14 | x | < | test.c:17:12:17:12 | 0 | 59 | 61 |
| test.c:2:31:72:1 | { ... } | test.c:2:14:2:14 | x | < | test.c:17:12:17:12 | 0 | 64 | 71 |
| test.c:2:31:72:1 | { ... } | test.c:2:14:2:14 | x | > | test.c:7:13:7:13 | 0 | 7 | 9 |
@ -23,7 +22,6 @@
| test.c:34:11:34:11 | x | test.c:2:14:2:14 | x | < | test.c:34:15:34:15 | 0 | 50 | 52 |
| test.c:34:11:34:11 | x | test.c:2:14:2:14 | x | < | test.c:34:15:34:15 | 0 | 53 | 53 |
| test.c:34:11:34:11 | x | test.c:2:14:2:14 | x | < | test.c:34:15:34:15 | 0 | 53 | 55 |
| test.c:34:11:34:11 | x | test.c:2:14:2:14 | x | < | test.c:34:15:34:15 | 0 | 56 | 63 |
| test.c:34:11:34:11 | x | test.c:2:14:2:14 | x | < | test.c:34:15:34:15 | 0 | 59 | 61 |
| test.c:34:11:34:11 | x | test.c:2:14:2:14 | x | < | test.c:34:15:34:15 | 0 | 64 | 71 |
| test.c:34:11:34:11 | x | test.c:2:14:2:14 | x | > | test.c:34:15:34:15 | 0 | 34 | 36 |
@ -33,20 +31,17 @@
| test.c:42:16:42:16 | j | test.c:3:9:3:9 | j | > | test.c:42:20:42:21 | 10 | 50 | 52 |
| test.c:42:16:42:16 | j | test.c:3:9:3:9 | j | > | test.c:42:20:42:21 | 10 | 53 | 53 |
| test.c:42:16:42:16 | j | test.c:3:9:3:9 | j | > | test.c:42:20:42:21 | 10 | 53 | 55 |
| test.c:42:16:42:16 | j | test.c:3:9:3:9 | j | > | test.c:42:20:42:21 | 10 | 56 | 63 |
| test.c:42:16:42:16 | j | test.c:3:9:3:9 | j | > | test.c:42:20:42:21 | 10 | 59 | 61 |
| test.c:42:16:42:16 | j | test.c:3:9:3:9 | j | > | test.c:42:20:42:21 | 10 | 64 | 71 |
| test.c:47:5:47:10 | ... += ... | test.c:2:28:2:28 | z | < | test.c:52:16:52:16 | 0 | 50 | 50 |
| test.c:47:5:47:10 | ... += ... | test.c:2:28:2:28 | z | < | test.c:52:16:52:16 | 0 | 59 | 61 |
| test.c:47:5:47:10 | ... += ... | test.c:2:28:2:28 | z | > | test.c:52:16:52:16 | 0 | 53 | 53 |
| test.c:47:5:47:10 | ... += ... | test.c:2:28:2:28 | z | > | test.c:52:16:52:16 | 0 | 53 | 55 |
| test.c:47:5:47:10 | ... += ... | test.c:2:28:2:28 | z | > | test.c:52:16:52:16 | 0 | 56 | 63 |
| test.c:50:16:50:16 | j | test.c:3:9:3:9 | j | < | test.c:50:20:50:21 | 10 | 50 | 50 |
| test.c:50:16:50:16 | j | test.c:3:9:3:9 | j | < | test.c:50:20:50:21 | 10 | 50 | 52 |
| test.c:50:16:50:16 | j | test.c:3:9:3:9 | j | < | test.c:50:20:50:21 | 10 | 53 | 53 |
| test.c:50:16:50:16 | j | test.c:3:9:3:9 | j | < | test.c:50:20:50:21 | 10 | 53 | 55 |
| test.c:50:16:50:16 | j | test.c:3:9:3:9 | j | < | test.c:50:20:50:21 | 10 | 56 | 63 |
| test.c:50:16:50:16 | j | test.c:3:9:3:9 | j | < | test.c:50:20:50:21 | 10 | 59 | 61 |
| test.c:51:9:51:14 | ... = ... | test.c:4:10:4:10 | y | < | test.c:53:20:53:20 | 0 | 56 | 63 |
| test.c:51:9:51:14 | ... = ... | test.c:4:10:4:10 | y | > | test.c:53:20:53:20 | 0 | 53 | 55 |
| test.c:74:19:89:1 | { ... } | test.c:74:16:74:16 | a | > | test.c:79:17:79:19 | 100 | 79 | 81 |
| test.cpp:9:19:9:19 | i | test.cpp:9:12:9:12 | i | < | test.cpp:9:23:9:24 | 10 | 9 | 9 |

1
cpp/ql/test/library-tests/controlflow/guards/Guards.expected
Просмотреть файл

@ -24,7 +24,6 @@
| test.c:126:12:126:26 | call to test3_condition |
| test.c:131:7:131:7 | b |
| test.c:137:7:137:7 | 0 |
| test.c:138:9:138:9 | i |
| test.c:146:7:146:8 | ! ... |
| test.c:146:8:146:8 | x |
| test.cpp:18:8:18:10 | call to get |

12
cpp/ql/test/library-tests/controlflow/guards/GuardsControl.expected
Просмотреть файл

@ -12,7 +12,6 @@
| test.c:26:11:26:15 | ... > ... | false | 42 | 44 |
| test.c:26:11:26:15 | ... > ... | false | 45 | 45 |
| test.c:26:11:26:15 | ... > ... | false | 45 | 47 |
| test.c:26:11:26:15 | ... > ... | false | 48 | 55 |
| test.c:26:11:26:15 | ... > ... | false | 51 | 53 |
| test.c:26:11:26:15 | ... > ... | false | 56 | 58 |
| test.c:26:11:26:15 | ... > ... | false | 58 | 58 |
@ -25,7 +24,6 @@
| test.c:34:16:34:21 | ... < ... | false | 42 | 44 |
| test.c:34:16:34:21 | ... < ... | false | 45 | 45 |
| test.c:34:16:34:21 | ... < ... | false | 45 | 47 |
| test.c:34:16:34:21 | ... < ... | false | 48 | 55 |
| test.c:34:16:34:21 | ... < ... | false | 51 | 53 |
| test.c:34:16:34:21 | ... < ... | false | 56 | 58 |
| test.c:34:16:34:21 | ... < ... | false | 58 | 58 |
@ -36,13 +34,11 @@
| test.c:42:16:42:21 | ... < ... | true | 42 | 44 |
| test.c:42:16:42:21 | ... < ... | true | 45 | 45 |
| test.c:42:16:42:21 | ... < ... | true | 45 | 47 |
| test.c:42:16:42:21 | ... < ... | true | 48 | 55 |
| test.c:42:16:42:21 | ... < ... | true | 51 | 53 |
| test.c:44:12:44:16 | ... > ... | false | 42 | 42 |
| test.c:44:12:44:16 | ... > ... | false | 51 | 53 |
| test.c:44:12:44:16 | ... > ... | true | 45 | 45 |
| test.c:44:12:44:16 | ... > ... | true | 45 | 47 |
| test.c:44:12:44:16 | ... > ... | true | 48 | 55 |
| test.c:45:16:45:20 | ... > ... | false | 48 | 55 |
| test.c:45:16:45:20 | ... > ... | true | 45 | 47 |
| test.c:58:9:58:14 | ... == ... | false | 58 | 58 |
| test.c:58:9:58:14 | ... == ... | false | 62 | 62 |
@ -81,10 +77,12 @@
| test.c:126:12:126:26 | call to test3_condition | true | 126 | 128 |
| test.c:131:7:131:7 | b | true | 131 | 132 |
| test.c:137:7:137:7 | 0 | false | 142 | 136 |
| test.c:138:9:138:9 | i | true | 138 | 139 |
| test.c:146:7:146:8 | ! ... | true | 146 | 147 |
| test.c:146:8:146:8 | x | false | 146 | 147 |
| test.cpp:18:8:18:10 | call to get | false | 20 | 16 |
| test.cpp:18:8:18:10 | call to get | true | 19 | 19 |
| test.cpp:31:7:31:13 | ... == ... | false | 30 | 30 |
| test.cpp:31:7:31:13 | ... == ... | false | 34 | 34 |
| test.cpp:31:7:31:13 | ... == ... | true | 30 | 30 |
| test.cpp:31:7:31:13 | ... == ... | true | 31 | 32 |
| test.cpp:42:13:42:20 | call to getABool | false | 53 | 53 |
| test.cpp:42:13:42:20 | call to getABool | true | 43 | 45 |

16
cpp/ql/test/library-tests/controlflow/guards/GuardsEnsure.expected
Просмотреть файл

@ -20,7 +20,6 @@
| test.c:26:11:26:15 | ... > ... | test.c:26:11:26:11 | x | < | test.c:26:15:26:15 | 0 | 1 | 42 | 44 |
| test.c:26:11:26:15 | ... > ... | test.c:26:11:26:11 | x | < | test.c:26:15:26:15 | 0 | 1 | 45 | 45 |
| test.c:26:11:26:15 | ... > ... | test.c:26:11:26:11 | x | < | test.c:26:15:26:15 | 0 | 1 | 45 | 47 |
| test.c:26:11:26:15 | ... > ... | test.c:26:11:26:11 | x | < | test.c:26:15:26:15 | 0 | 1 | 48 | 55 |
| test.c:26:11:26:15 | ... > ... | test.c:26:11:26:11 | x | < | test.c:26:15:26:15 | 0 | 1 | 51 | 53 |
| test.c:26:11:26:15 | ... > ... | test.c:26:11:26:11 | x | < | test.c:26:15:26:15 | 0 | 1 | 56 | 58 |
| test.c:26:11:26:15 | ... > ... | test.c:26:11:26:11 | x | < | test.c:26:15:26:15 | 0 | 1 | 58 | 58 |
@ -36,7 +35,6 @@
| test.c:26:11:26:15 | ... > ... | test.c:26:15:26:15 | 0 | >= | test.c:26:11:26:11 | x | 0 | 42 | 44 |
| test.c:26:11:26:15 | ... > ... | test.c:26:15:26:15 | 0 | >= | test.c:26:11:26:11 | x | 0 | 45 | 45 |
| test.c:26:11:26:15 | ... > ... | test.c:26:15:26:15 | 0 | >= | test.c:26:11:26:11 | x | 0 | 45 | 47 |
| test.c:26:11:26:15 | ... > ... | test.c:26:15:26:15 | 0 | >= | test.c:26:11:26:11 | x | 0 | 48 | 55 |
| test.c:26:11:26:15 | ... > ... | test.c:26:15:26:15 | 0 | >= | test.c:26:11:26:11 | x | 0 | 51 | 53 |
| test.c:26:11:26:15 | ... > ... | test.c:26:15:26:15 | 0 | >= | test.c:26:11:26:11 | x | 0 | 56 | 58 |
| test.c:26:11:26:15 | ... > ... | test.c:26:15:26:15 | 0 | >= | test.c:26:11:26:11 | x | 0 | 58 | 58 |
@ -49,7 +47,6 @@
| test.c:34:16:34:21 | ... < ... | test.c:34:16:34:16 | j | >= | test.c:34:20:34:21 | 10 | 0 | 42 | 44 |
| test.c:34:16:34:21 | ... < ... | test.c:34:16:34:16 | j | >= | test.c:34:20:34:21 | 10 | 0 | 45 | 45 |
| test.c:34:16:34:21 | ... < ... | test.c:34:16:34:16 | j | >= | test.c:34:20:34:21 | 10 | 0 | 45 | 47 |
| test.c:34:16:34:21 | ... < ... | test.c:34:16:34:16 | j | >= | test.c:34:20:34:21 | 10 | 0 | 48 | 55 |
| test.c:34:16:34:21 | ... < ... | test.c:34:16:34:16 | j | >= | test.c:34:20:34:21 | 10 | 0 | 51 | 53 |
| test.c:34:16:34:21 | ... < ... | test.c:34:16:34:16 | j | >= | test.c:34:20:34:21 | 10 | 0 | 56 | 58 |
| test.c:34:16:34:21 | ... < ... | test.c:34:16:34:16 | j | >= | test.c:34:20:34:21 | 10 | 0 | 58 | 58 |
@ -61,7 +58,6 @@
| test.c:34:16:34:21 | ... < ... | test.c:34:20:34:21 | 10 | < | test.c:34:16:34:16 | j | 1 | 42 | 44 |
| test.c:34:16:34:21 | ... < ... | test.c:34:20:34:21 | 10 | < | test.c:34:16:34:16 | j | 1 | 45 | 45 |
| test.c:34:16:34:21 | ... < ... | test.c:34:20:34:21 | 10 | < | test.c:34:16:34:16 | j | 1 | 45 | 47 |
| test.c:34:16:34:21 | ... < ... | test.c:34:20:34:21 | 10 | < | test.c:34:16:34:16 | j | 1 | 48 | 55 |
| test.c:34:16:34:21 | ... < ... | test.c:34:20:34:21 | 10 | < | test.c:34:16:34:16 | j | 1 | 51 | 53 |
| test.c:34:16:34:21 | ... < ... | test.c:34:20:34:21 | 10 | < | test.c:34:16:34:16 | j | 1 | 56 | 58 |
| test.c:34:16:34:21 | ... < ... | test.c:34:20:34:21 | 10 | < | test.c:34:16:34:16 | j | 1 | 58 | 58 |
@ -72,26 +68,22 @@
| test.c:42:16:42:21 | ... < ... | test.c:42:16:42:16 | j | < | test.c:42:20:42:21 | 10 | 0 | 42 | 44 |
| test.c:42:16:42:21 | ... < ... | test.c:42:16:42:16 | j | < | test.c:42:20:42:21 | 10 | 0 | 45 | 45 |
| test.c:42:16:42:21 | ... < ... | test.c:42:16:42:16 | j | < | test.c:42:20:42:21 | 10 | 0 | 45 | 47 |
| test.c:42:16:42:21 | ... < ... | test.c:42:16:42:16 | j | < | test.c:42:20:42:21 | 10 | 0 | 48 | 55 |
| test.c:42:16:42:21 | ... < ... | test.c:42:16:42:16 | j | < | test.c:42:20:42:21 | 10 | 0 | 51 | 53 |
| test.c:42:16:42:21 | ... < ... | test.c:42:20:42:21 | 10 | >= | test.c:42:16:42:16 | j | 1 | 42 | 42 |
| test.c:42:16:42:21 | ... < ... | test.c:42:20:42:21 | 10 | >= | test.c:42:16:42:16 | j | 1 | 42 | 44 |
| test.c:42:16:42:21 | ... < ... | test.c:42:20:42:21 | 10 | >= | test.c:42:16:42:16 | j | 1 | 45 | 45 |
| test.c:42:16:42:21 | ... < ... | test.c:42:20:42:21 | 10 | >= | test.c:42:16:42:16 | j | 1 | 45 | 47 |
| test.c:42:16:42:21 | ... < ... | test.c:42:20:42:21 | 10 | >= | test.c:42:16:42:16 | j | 1 | 48 | 55 |
| test.c:42:16:42:21 | ... < ... | test.c:42:20:42:21 | 10 | >= | test.c:42:16:42:16 | j | 1 | 51 | 53 |
| test.c:44:12:44:16 | ... > ... | test.c:44:12:44:12 | z | < | test.c:44:16:44:16 | 0 | 1 | 42 | 42 |
| test.c:44:12:44:16 | ... > ... | test.c:44:12:44:12 | z | < | test.c:44:16:44:16 | 0 | 1 | 51 | 53 |
| test.c:44:12:44:16 | ... > ... | test.c:44:12:44:12 | z | >= | test.c:44:16:44:16 | 0 | 1 | 45 | 45 |
| test.c:44:12:44:16 | ... > ... | test.c:44:12:44:12 | z | >= | test.c:44:16:44:16 | 0 | 1 | 45 | 47 |
| test.c:44:12:44:16 | ... > ... | test.c:44:12:44:12 | z | >= | test.c:44:16:44:16 | 0 | 1 | 48 | 55 |
| test.c:44:12:44:16 | ... > ... | test.c:44:16:44:16 | 0 | < | test.c:44:12:44:12 | z | 0 | 45 | 45 |
| test.c:44:12:44:16 | ... > ... | test.c:44:16:44:16 | 0 | < | test.c:44:12:44:12 | z | 0 | 45 | 47 |
| test.c:44:12:44:16 | ... > ... | test.c:44:16:44:16 | 0 | < | test.c:44:12:44:12 | z | 0 | 48 | 55 |
| test.c:44:12:44:16 | ... > ... | test.c:44:16:44:16 | 0 | >= | test.c:44:12:44:12 | z | 0 | 42 | 42 |
| test.c:44:12:44:16 | ... > ... | test.c:44:16:44:16 | 0 | >= | test.c:44:12:44:12 | z | 0 | 51 | 53 |
| test.c:45:16:45:20 | ... > ... | test.c:45:16:45:16 | y | < | test.c:45:20:45:20 | 0 | 1 | 48 | 55 |
| test.c:45:16:45:20 | ... > ... | test.c:45:16:45:16 | y | >= | test.c:45:20:45:20 | 0 | 1 | 45 | 47 |
| test.c:45:16:45:20 | ... > ... | test.c:45:20:45:20 | 0 | < | test.c:45:16:45:16 | y | 0 | 45 | 47 |
| test.c:45:16:45:20 | ... > ... | test.c:45:20:45:20 | 0 | >= | test.c:45:16:45:16 | y | 0 | 48 | 55 |
| test.c:58:9:58:14 | ... == ... | test.c:58:9:58:9 | x | != | test.c:58:14:58:14 | 0 | 0 | 58 | 58 |
| test.c:58:9:58:14 | ... == ... | test.c:58:9:58:9 | x | != | test.c:58:14:58:14 | 0 | 0 | 62 | 62 |
| test.c:58:9:58:14 | ... == ... | test.c:58:14:58:14 | 0 | != | test.c:58:9:58:9 | x | 0 | 58 | 58 |
@ -154,7 +146,11 @@
| test.c:109:9:109:23 | ... \|\| ... | test.c:109:23:109:23 | 0 | < | test.c:109:19:109:19 | y | 1 | 113 | 113 |
| test.c:109:19:109:23 | ... < ... | test.c:109:19:109:19 | y | >= | test.c:109:23:109:23 | 0 | 0 | 113 | 113 |
| test.c:109:19:109:23 | ... < ... | test.c:109:23:109:23 | 0 | < | test.c:109:19:109:19 | y | 1 | 113 | 113 |
| test.cpp:31:7:31:13 | ... == ... | test.cpp:31:7:31:7 | x | != | test.cpp:31:12:31:13 | - ... | 0 | 30 | 30 |
| test.cpp:31:7:31:13 | ... == ... | test.cpp:31:7:31:7 | x | != | test.cpp:31:12:31:13 | - ... | 0 | 34 | 34 |
| test.cpp:31:7:31:13 | ... == ... | test.cpp:31:7:31:7 | x | == | test.cpp:31:12:31:13 | - ... | 0 | 30 | 30 |
| test.cpp:31:7:31:13 | ... == ... | test.cpp:31:7:31:7 | x | == | test.cpp:31:12:31:13 | - ... | 0 | 31 | 32 |
| test.cpp:31:7:31:13 | ... == ... | test.cpp:31:12:31:13 | - ... | != | test.cpp:31:7:31:7 | x | 0 | 30 | 30 |
| test.cpp:31:7:31:13 | ... == ... | test.cpp:31:12:31:13 | - ... | != | test.cpp:31:7:31:7 | x | 0 | 34 | 34 |
| test.cpp:31:7:31:13 | ... == ... | test.cpp:31:12:31:13 | - ... | == | test.cpp:31:7:31:7 | x | 0 | 30 | 30 |
| test.cpp:31:7:31:13 | ... == ... | test.cpp:31:12:31:13 | - ... | == | test.cpp:31:7:31:7 | x | 0 | 31 | 32 |

74
cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_path_to_sink/dispatch.cpp
Просмотреть файл

@ -1,74 +0,0 @@
#include "../shared.h"
using SinkFunction = void (*)(int);
void notSink(int notSinkParam);
void callsSink(int sinkParam) { // $ ir-path=31:23 ir-path=32:26 ir-path=34:17
sink(sinkParam); // $ ast=31:28 ast=32:31 ast=34:22 ir-sink
}
struct {
SinkFunction sinkPtr, notSinkPtr;
} globalStruct;
union {
SinkFunction sinkPtr, notSinkPtr;
} globalUnion;
SinkFunction globalSinkPtr;
void assignGlobals() {
globalStruct.sinkPtr = callsSink;
globalUnion.sinkPtr = callsSink;
globalSinkPtr = callsSink;
};
void testStruct() {
globalStruct.sinkPtr(atoi(getenv("TAINTED"))); // $ MISSING: ir-path,ast
globalStruct.notSinkPtr(atoi(getenv("TAINTED"))); // clean
globalUnion.sinkPtr(atoi(getenv("TAINTED"))); // $ ast ir-path
globalUnion.notSinkPtr(atoi(getenv("TAINTED"))); // $ ast ir-path
globalSinkPtr(atoi(getenv("TAINTED"))); // $ ast ir-path
}
class B {
public:
virtual void f(const char*) = 0;
};
class D1 : public B {};
class D2 : public D1 {
public:
void f(const char* p) override {}
};
class D3 : public D2 {
public:
void f(const char* p) override { // $ ir-path=58:10 ir-path=60:17 ir-path=61:28 ir-path=62:29 ir-path=63:33 SPURIOUS: ir-path=73:30
sink(p); // $ ast=58:10 ast=60:17 ast=61:28 ast=62:29 ast=63:33 ir-sink SPURIOUS: ast=73:30
}
};
void test_dynamic_cast() {
B* b = new D3();
b->f(getenv("VAR")); // $ ast ir-path
((D2*)b)->f(getenv("VAR")); // $ ast ir-path
static_cast<D2*>(b)->f(getenv("VAR")); // $ ast ir-path
dynamic_cast<D2*>(b)->f(getenv("VAR")); // $ ast ir-path
reinterpret_cast<D2*>(b)->f(getenv("VAR")); // $ ast ir-path
B* b2 = new D2();
b2->f(getenv("VAR"));
((D2*)b2)->f(getenv("VAR"));
static_cast<D2*>(b2)->f(getenv("VAR"));
dynamic_cast<D2*>(b2)->f(getenv("VAR"));
reinterpret_cast<D2*>(b2)->f(getenv("VAR"));
dynamic_cast<D3*>(b2)->f(getenv("VAR")); // $ SPURIOUS: ast ir-path
}

4
cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_path_to_sink/tainted.expected
Просмотреть файл

@ -1,4 +0,0 @@
WARNING: Module TaintedWithPath has been deprecated and may be removed in future (tainted.ql:9,8-47)
WARNING: Predicate tainted has been deprecated and may be removed in future (tainted.ql:20,49-74)
testFailures
failures

100
cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_path_to_sink/tainted.ql
Просмотреть файл

@ -1,100 +0,0 @@
/**
* This test provides the possibility to annotate elements when they are on a path of a taint flow to a sink.
* This is different when compared to the tests in `../annotate_sink`, where only sink invocations are annotated.
*/
import cpp
import semmle.code.cpp.security.TaintTrackingImpl as AstTaintTracking
import semmle.code.cpp.ir.dataflow.DefaultTaintTracking as IRDefaultTaintTracking
import IRDefaultTaintTracking::TaintedWithPath as TaintedWithPath
import TaintedWithPath::Private
import TestUtilities.InlineExpectationsTest
predicate isSinkArgument(Element sink) {
exists(FunctionCall call |
call.getTarget().getName() = "sink" and
sink = call.getAnArgument()
)
}
predicate astTaint(Expr source, Element sink) { AstTaintTracking::tainted(source, sink) }
class SourceConfiguration extends TaintedWithPath::TaintTrackingConfiguration {
override predicate isSink(Element e) { isSinkArgument(e) }
}
predicate irTaint(Element source, TaintedWithPath::PathNode predNode, string tag) {
exists(TaintedWithPath::PathNode sinkNode |
TaintedWithPath::taintedWithPath(source, _, _, sinkNode) and
predNode = getAPredecessor*(sinkNode) and
// Make sure the path is actually reachable from this predecessor.
// Otherwise, we could pick `predNode` to be b when `source` is
// `source1` in this dataflow graph:
// source1 ---> a ---> c ---> sinkNode
// ^
// source2 ---> b --/
source = getElementFromPathNode(getAPredecessor*(predNode)) and
if predNode = sinkNode then tag = "ir-sink" else tag = "ir-path"
)
}
module IRDefaultTaintTrackingTest implements TestSig {
string getARelevantTag() { result = ["ir-path", "ir-sink"] }
predicate hasActualResult(Location location, string element, string tag, string value) {
exists(Element elem, TaintedWithPath::PathNode node, int n |
irTaint(_, node, tag) and
elem = getElementFromPathNode(node) and
n = count(int startline | getAPredecessor(node).hasLocationInfo(_, startline, _, _, _)) and
location = elem.getLocation() and
element = elem.toString()
|
// Zero predecessors means it's a source, and 1 predecessor means it has a unique predecessor.
// In either of these cases we leave out the location.
n = [0, 1] and value = ""
or
// If there is more than one predecessor for this node
// we specify the source location explicitly.
n > 1 and
exists(TaintedWithPath::PathNode pred | pred = getAPredecessor(node) |
value =
getElementFromPathNode(pred).getLocation().getStartLine().toString() + ":" +
getElementFromPathNode(pred).getLocation().getStartColumn()
)
)
}
}
module AstTaintTrackingTest implements TestSig {
string getARelevantTag() { result = "ast" }
predicate hasActualResult(Location location, string element, string tag, string value) {
exists(Expr source, Element tainted, int n |
tag = "ast" and
astTaint(source, tainted) and
(
isSinkArgument(tainted)
or
exists(Element sink |
isSinkArgument(sink) and
astTaint(tainted, sink)
)
) and
n = strictcount(Expr otherSource | astTaint(otherSource, tainted)) and
(
n = 1 and value = ""
or
// If there is more than one source for this sink
// we specify the source location explicitly.
n > 1 and
value =
source.getLocation().getStartLine().toString() + ":" +
source.getLocation().getStartColumn()
) and
location = tainted.getLocation() and
element = tainted.toString()
)
}
}
import MakeTest<MergeTests<IRDefaultTaintTrackingTest, AstTaintTrackingTest>>

129
cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_path_to_sink/test_diff.cpp
Просмотреть файл

@ -1,129 +0,0 @@
#include "../shared.h"
struct S {
void(*f)(const char*);
void apply(char* p) {
f(p);
}
void (*get())(const char*) {
return f;
}
};
void calls_sink_with_argv(const char* a) { // $ ir-path=96:26 ir-path=102:26
sink(a); // $ ast=96:26 ast=98:18 ir-sink
}
extern int i;
class BaseWithPureVirtual {
public:
virtual void f(const char*) = 0;
};
class DerivedCallsSink : public BaseWithPureVirtual {
public:
void f(const char* p) override { // $ ir-path
sink(p); // $ ast=108:10 ir-sink SPURIOUS: ast=111:10
}
};
class DerivedDoesNotCallSink : public BaseWithPureVirtual {
public:
void f(const char* p) override {}
};
class DerivedCallsSinkDiamond1 : virtual public BaseWithPureVirtual {
public:
void f(const char* p) override { // $ ir-path
sink(p); // $ ast ir-sink
}
};
class DerivedDoesNotCallSinkDiamond2 : virtual public BaseWithPureVirtual {
public:
void f(const char* p) override {}
};
class DerivesMultiple : public DerivedCallsSinkDiamond1, public DerivedDoesNotCallSinkDiamond2 {
void f(const char* p) override { // $ ir-path=53:37 ir-path=115:11
DerivedCallsSinkDiamond1::f(p); // $ ir-path
}
};
template<typename T>
class CRTP {
public:
void f(const char* p) { // $ ir-path
static_cast<T*>(this)->g(p); // $ ir-path
}
};
class CRTPCallsSink : public CRTP<CRTPCallsSink> {
public:
void g(const char* p) { // $ ir-path
sink(p); // $ ast ir-sink
}
};
class Derived1 : public BaseWithPureVirtual {};
class Derived2 : public Derived1 {
public:
void f(const char* p) override {}
};
class Derived3 : public Derived2 {
public:
void f(const char* p) override { // $ ir-path=124:19 ir-path=126:43 ir-path=128:44
sink(p); // $ ast=124:19 ast=126:43 ast=128:44 ir-sink
}
};
class CRTPDoesNotCallSink : public CRTP<CRTPDoesNotCallSink> {
public:
void g(const char* p) {}
};
int main(int argc, char *argv[]) {
sink(argv[0]); // $ ast,ir-path,ir-sink
sink(reinterpret_cast<int>(argv)); // $ ast,ir-sink
calls_sink_with_argv(argv[1]); // $ ast,ir-path
char*** p = &argv; // $ ast,ir-path
sink(*p[0]); // $ ast ir-sink=96:26 ir-sink=98:18 ir-sink=98:17
calls_sink_with_argv(*p[i]); // $ ir-path=96:26 ir-path=98:18 ir-path=98:17 MISSING:ast
sink(*(argv + 1)); // $ ast ir-path ir-sink
BaseWithPureVirtual* b = new DerivedCallsSink;
b->f(argv[1]); // $ ast,ir-path
b = new DerivedDoesNotCallSink;
b->f(argv[0]); // $ SPURIOUS: ast
BaseWithPureVirtual* b2 = new DerivesMultiple;
b2->f(argv[i]); // $ ast,ir-path
CRTP<CRTPDoesNotCallSink> crtp_not_call_sink;
crtp_not_call_sink.f(argv[0]); // clean
CRTP<CRTPCallsSink> crtp_calls_sink;
crtp_calls_sink.f(argv[0]); // $ ast,ir-path
Derived1* calls_sink = new Derived3;
calls_sink->f(argv[1]); // $ ast,ir-path
static_cast<Derived2*>(calls_sink)->f(argv[1]); // $ ast,ir-path
dynamic_cast<Derived2*>(calls_sink)->f(argv[1]); // $ ast,ir-path
}

237
cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_sinks_only/defaulttainttracking.cpp
Просмотреть файл

@ -1,237 +0,0 @@
#include "../shared.h"
int main() {
sink(_strdup(getenv("VAR"))); // $ ir MISSING: ast
sink(strdup(getenv("VAR"))); // $ ast,ir
sink(unmodeled_function(getenv("VAR"))); // clean by assumption
char untainted_buf[100] = "";
char buf[100] = "VAR = ";
sink(strcat(buf, getenv("VAR"))); // $ ast,ir
sink(buf); // $ ast,ir
sink(untainted_buf); // the two buffers would be conflated if we added flow through all partial chi inputs
return 0;
}
typedef unsigned int inet_addr_retval;
inet_addr_retval inet_addr(const char *dotted_address);
void sink(inet_addr_retval);
void test_indirect_arg_to_model() {
// This test is non-sensical but carefully arranged so we get data flow into
// inet_addr not through the function argument but through its associated
// read side effect.
void *env_pointer = getenv("VAR"); // env_pointer is tainted, not its data.
inet_addr_retval a = inet_addr((const char *)&env_pointer);
sink(a); // $ ast,ir
}
namespace std {
template< class T >
T&& move( T&& t ) noexcept;
}
void test_std_move() {
sink(std::move(getenv("VAR"))); // $ ir MISSING: ast
}
void flow_to_outparam(char ** ret, char *arg) {
*ret = arg;
}
void test_outparams() {
char *p2 = nullptr;
flow_to_outparam(&p2, getenv("VAR"));
sink(p2); // $ ir MISSING: ast
}
struct XY {
int x;
int y;
};
void taint_y(XY *xyp) {
int tainted = getenv("VAR")[0];
xyp->y = tainted;
}
void test_conflated_fields3() {
XY xy;
xy.x = 0;
taint_y(&xy);
sink(xy.x); // not tainted
}
struct Point {
int x;
int y;
void callSink() {
sink(this->x); // $ ir MISSING: ast
sink(this->y); // not tainted
}
};
void test_conflated_fields1() {
Point p;
p.x = getenv("VAR")[0];
sink(p.x); // $ ir MISSING: ast
sink(p.y); // not tainted
p.callSink();
}
void taint_x(Point *pp) {
pp->x = getenv("VAR")[0];
}
void y_to_sink(Point *pp) {
sink(pp->y); // not tainted
}
void test_conflated_fields2() {
Point p;
taint_x(&p);
y_to_sink(&p);
}
void sink(Point*);
void sink(Point);
void test_field_to_obj_taint_object(Point p) {
p.x = getenv("VAR")[0];
sink(p); // not tainted
sink(p.x); // $ ir MISSING: ast
}
void test_field_to_obj_taint_object_addrof(Point p) {
taint_x(&p);
sink(p); // not tainted
sink(&p); // not tainted
sink(p.x); // $ ir MISSING: ast
}
void test_field_to_obj_taint_pointer(Point* pp) {
pp->x = getenv("VAR")[0];
sink(pp);// not tainted
sink(*pp); // not tainted
}
void call_sink_on_object(Point* pp) {
sink(pp);// not tainted
sink(*pp);// not tainted
}
void test_field_to_obj_taint_call_sink(Point* pp) {
pp->x = getenv("VAR")[0];
call_sink_on_object(pp);
}
void test_field_to_obj_taint_through_setter(Point* pp) {
taint_x(pp);
sink(pp);// not tainted
sink(*pp); // not tainted
}
Point* getPoint();
void test_field_to_obj_local_variable() {
Point* pp = getPoint();
pp->x = getenv("VAR")[0];
sink(pp); // not tainted
sink(*pp); // not tainted
}
void test_field_to_obj_taint_array(Point* pp, int i) {
pp[0].x = getenv("VAR")[0];
sink(pp[i]); // not tainted
sink(pp);// not tainted
sink(*pp); // not tainted
}
void test_field_to_obj_test_pointer_arith(Point* pp) {
(pp + sizeof(*pp))->x = getenv("VAR")[0];
sink(pp);// not tainted
sink(pp + sizeof(*pp));// not tainted
}
void sink(char **);
void test_pointers1()
{
char buffer[1024];
char *s = getenv("VAR");
char *ptr1, **ptr2;
char *ptr3, **ptr4;
ptr1 = buffer;
ptr2 = &ptr1;
memcpy(buffer, s, 1024);
ptr3 = buffer;
ptr4 = &ptr3;
sink(buffer); // $ ast,ir
sink(ptr1); // $ ast MISSING: ir
sink(ptr2); // $ SPURIOUS: ast
sink(*ptr2); // $ ast MISSING: ir
sink(ptr3); // $ ast,ir
sink(ptr4); // $ SPURIOUS: ast,ir
sink(*ptr4); // $ ast,ir
}
void test_pointers2()
{
char buffer[1024];
char *s = getenv("VAR");
char *ptr1, **ptr2;
char *ptr3, **ptr4;
ptr1 = buffer;
ptr2 = &ptr1;
memcpy(*ptr2, s, 1024);
ptr3 = buffer;
ptr4 = &ptr3;
sink(buffer); // $ MISSING: ast,ir
sink(ptr1); // $ ast MISSING: ir
sink(ptr2); // $ SPURIOUS: ast,ir
sink(*ptr2); // $ ast,ir
sink(ptr3); // $ MISSING: ast,ir
sink(ptr4); // clean
sink(*ptr4); // $ MISSING: ast,ir
}
// --- recv ---
int recv(int s, char* buf, int len, int flags);
void test_recv() {
char buffer[1024];
recv(0, buffer, sizeof(buffer), 0);
sink(buffer); // $ ast,ir
sink(*buffer); // $ ast,ir
}
// --- send and related functions ---
struct iovec {
void *iov_base;
unsigned iov_len;
};
int readv(int, const struct iovec*, int);
void sink(const iovec* iovs);
void sink(iovec);
void test_readv_and_writev(iovec* iovs) {
readv(0, iovs, 16);
sink(iovs); // $ast,ir
sink(iovs[0]); // $ast,ir
sink(*iovs); // $ast,ir
char* p = (char*)iovs[1].iov_base;
sink(p); // $ MISSING: ast,ir
sink(*p); // $ MISSING: ast,ir
}

159
cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_sinks_only/stl.cpp
Просмотреть файл

@ -1,159 +0,0 @@
#include "../shared.h"
typedef unsigned long size_t;
namespace std
{
template<class charT> struct char_traits;
typedef size_t streamsize;
template <class T> class allocator {
public:
allocator() throw();
};
template<class charT, class traits = char_traits<charT>, class Allocator = allocator<charT> >
class basic_string {
public:
explicit basic_string(const Allocator& a = Allocator());
basic_string(const charT* s, const Allocator& a = Allocator());
const charT* c_str() const;
};
typedef basic_string<char> string;
template <class charT, class traits = char_traits<charT> >
class basic_istream /*: virtual public basic_ios<charT,traits> - not needed for this test */ {
public:
basic_istream<charT,traits>& operator>>(int& n);
};
template <class charT, class traits = char_traits<charT> >
class basic_ostream /*: virtual public basic_ios<charT,traits> - not needed for this test */ {
public:
typedef charT char_type;
basic_ostream<charT,traits>& write(const char_type* s, streamsize n);
basic_ostream<charT, traits>& operator<<(int n);
};
template<class charT, class traits> basic_ostream<charT,traits>& operator<<(basic_ostream<charT,traits>&, const charT*);
template<class charT, class traits, class Allocator> basic_ostream<charT, traits>& operator<<(basic_ostream<charT, traits>& os, const basic_string<charT, traits, Allocator>& str);
template<class charT, class traits = char_traits<charT>>
class basic_iostream : public basic_istream<charT, traits>, public basic_ostream<charT, traits> {
public:
};
template<class charT, class traits = char_traits<charT>, class Allocator = allocator<charT>>
class basic_stringstream : public basic_iostream<charT, traits> {
public:
explicit basic_stringstream(/*ios_base::openmode which = ios_base::out|ios_base::in - not needed for this test*/);
basic_string<charT, traits, Allocator> str() const;
};
using stringstream = basic_stringstream<char>;
}
char *source() { return getenv("USERDATA"); }
void sink(const std::string &s) {};
void sink(const std::stringstream &s) {};
void test_string()
{
char *a = source();
std::string b("123");
std::string c(source());
sink(a); // $ ast,ir
sink(b); // clean
sink(c); // $ ir MISSING: ast
sink(b.c_str()); // clean
sink(c.c_str()); // $ ir MISSING: ast
}
void test_stringstream()
{
std::stringstream ss1, ss2, ss3, ss4, ss5;
std::string t(source());
ss1 << "1234";
ss2 << source();
ss3 << "123" << source();
ss4 << source() << "456";
ss5 << t;
sink(ss1);
sink(ss2); // $ ir MISSING: ast
sink(ss3); // $ ir MISSING: ast
sink(ss4); // $ ir MISSING: ast
sink(ss5); // $ ir MISSING: ast
sink(ss1.str());
sink(ss2.str()); // $ ir MISSING: ast
sink(ss3.str()); // $ ir MISSING: ast
sink(ss4.str()); // $ ir MISSING: ast
sink(ss5.str()); // $ ir MISSING: ast
}
void test_stringstream_int(int source)
{
std::stringstream ss1, ss2;
ss1 << 1234;
ss2 << source;
sink(ss1); // clean
sink(ss2); // $ MISSING: ast,ir
sink(ss1.str()); // clean
sink(ss2.str()); // $ MISSING: ast,ir
}
using namespace std;
char *user_input() {
return source();
}
void sink(const char *filename, const char *mode);
void test_strings2()
{
string path1 = user_input();
sink(path1.c_str(), "r"); // $ ir MISSING: ast
string path2;
path2 = user_input();
sink(path2.c_str(), "r"); // $ ir MISSING: ast
string path3(user_input());
sink(path3.c_str(), "r"); // $ ir MISSING: ast
}
void test_string3()
{
const char *cs = source();
// convert char * -> std::string
std::string ss(cs);
sink(cs); // $ ast,ir
sink(ss); // $ ir MISSING: ast
}
void test_string4()
{
const char *cs = source();
// convert char * -> std::string
std::string ss(cs);
// convert back std::string -> char *
cs = ss.c_str();
sink(cs); // $ ast,ir
sink(ss); // $ ir MISSING: ast
}

4
cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_sinks_only/tainted.expected
Просмотреть файл

@ -1,4 +0,0 @@
WARNING: Module TaintedWithPath has been deprecated and may be removed in future (tainted.ql:10,8-47)
WARNING: Predicate tainted has been deprecated and may be removed in future (tainted.ql:21,3-28)
testFailures
failures

80
cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_sinks_only/tainted.ql
Просмотреть файл

@ -1,80 +0,0 @@
/**
* This test provides the usual facilities to annotate taint flow when reaching a sink.
* This is different when compared to the tests in `../annotate_path_to_sink`, where all elements on a taint path to a sink
* are annotated.
*/
import cpp
import semmle.code.cpp.security.TaintTrackingImpl as AstTaintTracking
import semmle.code.cpp.ir.dataflow.DefaultTaintTracking as IRDefaultTaintTracking
import IRDefaultTaintTracking::TaintedWithPath as TaintedWithPath
import TestUtilities.InlineExpectationsTest
predicate argToSinkCall(Element sink) {
exists(FunctionCall call |
call.getTarget().getName() = "sink" and
sink = call.getAnArgument()
)
}
predicate astTaint(Expr source, Element sink) {
AstTaintTracking::tainted(source, sink) and argToSinkCall(sink)
}
class SourceConfiguration extends TaintedWithPath::TaintTrackingConfiguration {
override predicate isSink(Element e) { argToSinkCall(e) }
}
predicate irTaint(Expr source, Element sink) {
TaintedWithPath::taintedWithPath(source, sink, _, _)
}
module IRDefaultTaintTrackingTest implements TestSig {
string getARelevantTag() { result = "ir" }
predicate hasActualResult(Location location, string element, string tag, string value) {
exists(Expr source, Element tainted, int n |
tag = "ir" and
irTaint(source, tainted) and
n = strictcount(Expr otherSource | irTaint(otherSource, tainted)) and
(
n = 1 and value = ""
or
// If there is more than one source for this sink
// we specify the source location explicitly.
n > 1 and
value =
source.getLocation().getStartLine().toString() + ":" +
source.getLocation().getStartColumn()
) and
location = tainted.getLocation() and
element = tainted.toString()
)
}
}
module AstTaintTrackingTest implements TestSig {
string getARelevantTag() { result = "ast" }
predicate hasActualResult(Location location, string element, string tag, string value) {
exists(Expr source, Element tainted, int n |
tag = "ast" and
astTaint(source, tainted) and
n = strictcount(Expr otherSource | astTaint(otherSource, tainted)) and
(
n = 1 and value = ""
or
// If there is more than one source for this sink
// we specify the source location explicitly.
n > 1 and
value =
source.getLocation().getStartLine().toString() + ":" +
source.getLocation().getStartColumn()
) and
location = tainted.getLocation() and
element = tainted.toString()
)
}
}
import MakeTest<MergeTests<IRDefaultTaintTrackingTest, AstTaintTrackingTest>>

4
cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/globals/global.expected
Просмотреть файл

@ -1,4 +0,0 @@
WARNING: Predicate taintedIncludingGlobalVars has been deprecated and may be removed in future (global.ql:8,3-47)
WARNING: Predicate taintedIncludingGlobalVars has been deprecated and may be removed in future (global.ql:12,3-53)
failures
testFailures

41
cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/globals/global.ql
Просмотреть файл

@ -1,41 +0,0 @@
import cpp
import semmle.code.cpp.security.Security
import semmle.code.cpp.security.TaintTrackingImpl as AstTaintTracking
import semmle.code.cpp.ir.dataflow.DefaultTaintTracking as IRDefaultTaintTracking
import TestUtilities.InlineExpectationsTest
predicate astTaint(Expr source, Element sink, string globalVar) {
AstTaintTracking::taintedIncludingGlobalVars(source, sink, globalVar) and globalVar != ""
}
predicate irTaint(Expr source, Element sink, string globalVar) {
IRDefaultTaintTracking::taintedIncludingGlobalVars(source, sink, globalVar) and globalVar != ""
}
module IRGlobalDefaultTaintTrackingTest implements TestSig {
string getARelevantTag() { result = "ir" }
predicate hasActualResult(Location location, string element, string tag, string value) {
exists(Element tainted |
tag = "ir" and
irTaint(_, tainted, value) and
location = tainted.getLocation() and
element = tainted.toString()
)
}
}
module AstGlobalDefaultTaintTrackingTest implements TestSig {
string getARelevantTag() { result = "ast" }
predicate hasActualResult(Location location, string element, string tag, string value) {
exists(Element tainted |
tag = "ast" and
astTaint(_, tainted, value) and
location = tainted.getLocation() and
element = tainted.toString()
)
}
}
import MakeTest<MergeTests<IRGlobalDefaultTaintTrackingTest, AstGlobalDefaultTaintTrackingTest>>

24
cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/globals/globals.cpp
Просмотреть файл

@ -1,24 +0,0 @@
char *getenv(const char *name);
void sink(const char *sinkparam); // $ ast,ir=global1 ast,ir=global2
void throughLocal() {
char * local = getenv("VAR");
sink(local);
}
char * global1 = 0;
void readWriteGlobal1() {
sink(global1); // $ ast,ir=global1
global1 = getenv("VAR");
}
static char * global2 = 0;
void readGlobal2() {
sink(global2); // $ ast,ir=global2
}
void writeGlobal2() {
global2 = getenv("VAR");
}

17
cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/shared.h
Просмотреть файл

@ -1,17 +0,0 @@
// Common declarations in this test dir should go in this file. Otherwise, some
// declarations will have multiple locations, which leads to confusing test
// output.
void sink(const char *sinkparam);
void sink(int sinkparam);
int atoi(const char *nptr);
char *getenv(const char *name);
char *strcat(char * s1, const char * s2);
char *strdup(const char *string);
char *_strdup(const char *string);
char *unmodeled_function(const char *const_string);
typedef unsigned long size_t;
void *memcpy(void *s1, const void *s2, size_t n);

91
cpp/ql/test/library-tests/dataflow/security-taint/tainted.expected
Просмотреть файл

@ -1,91 +0,0 @@
WARNING: Predicate taintedIncludingGlobalVars has been deprecated and may be removed in future (tainted.ql:5,3-29)
| test.cpp:23:23:23:28 | call to getenv | test.cpp:8:24:8:25 | s1 | |
| test.cpp:23:23:23:28 | call to getenv | test.cpp:23:14:23:19 | envStr | |
| test.cpp:23:23:23:28 | call to getenv | test.cpp:23:23:23:28 | call to getenv | |
| test.cpp:23:23:23:28 | call to getenv | test.cpp:23:23:23:40 | (const char *)... | |
| test.cpp:23:23:23:28 | call to getenv | test.cpp:25:6:25:29 | ! ... | |
| test.cpp:23:23:23:28 | call to getenv | test.cpp:25:7:25:12 | call to strcmp | |
| test.cpp:23:23:23:28 | call to getenv | test.cpp:25:7:25:29 | (bool)... | |
| test.cpp:23:23:23:28 | call to getenv | test.cpp:25:14:25:19 | envStr | |
| test.cpp:23:23:23:28 | call to getenv | test.cpp:29:6:29:28 | ! ... | |
| test.cpp:23:23:23:28 | call to getenv | test.cpp:29:7:29:12 | call to strcmp | |
| test.cpp:23:23:23:28 | call to getenv | test.cpp:29:7:29:28 | (bool)... | |
| test.cpp:23:23:23:28 | call to getenv | test.cpp:29:14:29:19 | envStr | |
| test.cpp:38:23:38:28 | call to getenv | test.cpp:8:24:8:25 | s1 | |
| test.cpp:38:23:38:28 | call to getenv | test.cpp:38:14:38:19 | envStr | |
| test.cpp:38:23:38:28 | call to getenv | test.cpp:38:23:38:28 | call to getenv | |
| test.cpp:38:23:38:28 | call to getenv | test.cpp:38:23:38:40 | (const char *)... | |
| test.cpp:38:23:38:28 | call to getenv | test.cpp:40:14:40:19 | envStr | |
| test.cpp:49:23:49:28 | call to getenv | test.cpp:8:24:8:25 | s1 | envStrGlobal |
| test.cpp:49:23:49:28 | call to getenv | test.cpp:45:13:45:24 | envStrGlobal | |
| test.cpp:49:23:49:28 | call to getenv | test.cpp:45:13:45:24 | envStrGlobal | envStrGlobal |
| test.cpp:49:23:49:28 | call to getenv | test.cpp:49:14:49:19 | envStr | |
| test.cpp:49:23:49:28 | call to getenv | test.cpp:49:23:49:28 | call to getenv | |
| test.cpp:49:23:49:28 | call to getenv | test.cpp:49:23:49:40 | (const char *)... | |
| test.cpp:49:23:49:28 | call to getenv | test.cpp:50:15:50:24 | envStr_ptr | |
| test.cpp:49:23:49:28 | call to getenv | test.cpp:50:15:50:24 | envStr_ptr | envStrGlobal |
| test.cpp:49:23:49:28 | call to getenv | test.cpp:50:28:50:40 | & ... | envStrGlobal |
| test.cpp:49:23:49:28 | call to getenv | test.cpp:50:29:50:40 | envStrGlobal | envStrGlobal |
| test.cpp:49:23:49:28 | call to getenv | test.cpp:52:2:52:12 | * ... | |
| test.cpp:49:23:49:28 | call to getenv | test.cpp:52:3:52:12 | envStr_ptr | |
| test.cpp:49:23:49:28 | call to getenv | test.cpp:52:16:52:21 | envStr | |
| test.cpp:49:23:49:28 | call to getenv | test.cpp:54:6:54:35 | ! ... | envStrGlobal |
| test.cpp:49:23:49:28 | call to getenv | test.cpp:54:7:54:12 | call to strcmp | envStrGlobal |
| test.cpp:49:23:49:28 | call to getenv | test.cpp:54:7:54:35 | (bool)... | envStrGlobal |
| test.cpp:49:23:49:28 | call to getenv | test.cpp:54:14:54:25 | envStrGlobal | envStrGlobal |
| test.cpp:60:29:60:34 | call to getenv | test.cpp:10:27:10:27 | s | |
| test.cpp:60:29:60:34 | call to getenv | test.cpp:60:18:60:25 | userName | |
| test.cpp:60:29:60:34 | call to getenv | test.cpp:60:29:60:34 | call to getenv | |
| test.cpp:60:29:60:34 | call to getenv | test.cpp:60:29:60:47 | (const char *)... | |
| test.cpp:60:29:60:34 | call to getenv | test.cpp:64:25:64:32 | userName | |
| test.cpp:68:28:68:33 | call to getenv | test.cpp:11:20:11:21 | s1 | |
| test.cpp:68:28:68:33 | call to getenv | test.cpp:11:36:11:37 | s2 | |
| test.cpp:68:28:68:33 | call to getenv | test.cpp:67:7:67:13 | copying | |
| test.cpp:68:28:68:33 | call to getenv | test.cpp:68:17:68:24 | userName | |
| test.cpp:68:28:68:33 | call to getenv | test.cpp:68:28:68:33 | call to getenv | |
| test.cpp:68:28:68:33 | call to getenv | test.cpp:68:28:68:46 | (const char *)... | |
| test.cpp:68:28:68:33 | call to getenv | test.cpp:69:10:69:13 | copy | |
| test.cpp:68:28:68:33 | call to getenv | test.cpp:70:5:70:10 | call to strcpy | |
| test.cpp:68:28:68:33 | call to getenv | test.cpp:70:12:70:15 | copy | |
| test.cpp:68:28:68:33 | call to getenv | test.cpp:70:18:70:25 | userName | |
| test.cpp:68:28:68:33 | call to getenv | test.cpp:71:12:71:15 | copy | |
| test.cpp:75:20:75:25 | call to getenv | test.cpp:15:22:15:25 | nptr | |
| test.cpp:75:20:75:25 | call to getenv | test.cpp:75:15:75:18 | call to atoi | |
| test.cpp:75:20:75:25 | call to getenv | test.cpp:75:20:75:25 | call to getenv | |
| test.cpp:75:20:75:25 | call to getenv | test.cpp:75:20:75:45 | (const char *)... | |
| test.cpp:83:28:83:33 | call to getenv | test.cpp:8:24:8:25 | s1 | |
| test.cpp:83:28:83:33 | call to getenv | test.cpp:11:20:11:21 | s1 | |
| test.cpp:83:28:83:33 | call to getenv | test.cpp:11:36:11:37 | s2 | |
| test.cpp:83:28:83:33 | call to getenv | test.cpp:83:17:83:24 | userName | |
| test.cpp:83:28:83:33 | call to getenv | test.cpp:83:28:83:33 | call to getenv | |
| test.cpp:83:28:83:33 | call to getenv | test.cpp:83:28:83:46 | (const char *)... | |
| test.cpp:83:28:83:33 | call to getenv | test.cpp:85:8:85:11 | copy | |
| test.cpp:83:28:83:33 | call to getenv | test.cpp:86:2:86:7 | call to strcpy | |
| test.cpp:83:28:83:33 | call to getenv | test.cpp:86:9:86:12 | copy | |
| test.cpp:83:28:83:33 | call to getenv | test.cpp:86:15:86:22 | userName | |
| test.cpp:83:28:83:33 | call to getenv | test.cpp:88:6:88:27 | ! ... | |
| test.cpp:83:28:83:33 | call to getenv | test.cpp:88:7:88:12 | call to strcmp | |
| test.cpp:83:28:83:33 | call to getenv | test.cpp:88:7:88:27 | (bool)... | |
| test.cpp:83:28:83:33 | call to getenv | test.cpp:88:14:88:17 | (const char *)... | |
| test.cpp:83:28:83:33 | call to getenv | test.cpp:88:14:88:17 | copy | |
| test.cpp:100:12:100:15 | call to gets | test.cpp:98:8:98:14 | pointer | |
| test.cpp:100:12:100:15 | call to gets | test.cpp:100:2:100:8 | pointer | |
| test.cpp:100:12:100:15 | call to gets | test.cpp:100:12:100:15 | call to gets | |
| test.cpp:100:17:100:22 | buffer | test.cpp:93:18:93:18 | s | |
| test.cpp:100:17:100:22 | buffer | test.cpp:97:7:97:12 | buffer | |
| test.cpp:100:17:100:22 | buffer | test.cpp:100:17:100:22 | buffer | |
| test.cpp:106:28:106:33 | call to getenv | test.cpp:8:24:8:25 | s1 | |
| test.cpp:106:28:106:33 | call to getenv | test.cpp:11:20:11:21 | s1 | |
| test.cpp:106:28:106:33 | call to getenv | test.cpp:11:36:11:37 | s2 | |
| test.cpp:106:28:106:33 | call to getenv | test.cpp:106:17:106:24 | userName | |
| test.cpp:106:28:106:33 | call to getenv | test.cpp:106:28:106:33 | call to getenv | |
| test.cpp:106:28:106:33 | call to getenv | test.cpp:106:28:106:46 | (const char *)... | |
| test.cpp:106:28:106:33 | call to getenv | test.cpp:108:8:108:11 | copy | |
| test.cpp:106:28:106:33 | call to getenv | test.cpp:109:2:109:7 | call to strcpy | |
| test.cpp:106:28:106:33 | call to getenv | test.cpp:109:9:109:12 | copy | |
| test.cpp:106:28:106:33 | call to getenv | test.cpp:109:15:109:22 | userName | |
| test.cpp:106:28:106:33 | call to getenv | test.cpp:111:6:111:27 | ! ... | |
| test.cpp:106:28:106:33 | call to getenv | test.cpp:111:7:111:12 | call to strcmp | |
| test.cpp:106:28:106:33 | call to getenv | test.cpp:111:7:111:27 | (bool)... | |
| test.cpp:106:28:106:33 | call to getenv | test.cpp:111:14:111:17 | (const char *)... | |
| test.cpp:106:28:106:33 | call to getenv | test.cpp:111:14:111:17 | copy | |

7
cpp/ql/test/library-tests/dataflow/security-taint/tainted.ql
Просмотреть файл

@ -1,7 +0,0 @@
import semmle.code.cpp.security.TaintTrackingImpl
from Expr source, Element tainted, string globalVar
where
taintedIncludingGlobalVars(source, tainted, globalVar) and
not tainted.getLocation().getFile().getExtension() = "h"
select source, tainted, globalVar

51
cpp/ql/test/library-tests/dataflow/security-taint/tainted_diff.expected
Просмотреть файл

@ -1,51 +0,0 @@
WARNING: Module TaintedWithPath has been deprecated and may be removed in future (tainted_diff.ql:5,35-54)
WARNING: Module TaintedWithPath has been deprecated and may be removed in future (tainted_diff.ql:12,7-26)
WARNING: Module TaintedWithPath has been deprecated and may be removed in future (tainted_diff.ql:16,3-22)
WARNING: Predicate taintedIncludingGlobalVars has been deprecated and may be removed in future (tainted_diff.ql:11,3-34)
WARNING: Predicate taintedIncludingGlobalVars has been deprecated and may be removed in future (tainted_diff.ql:17,7-38)
| test.cpp:23:23:23:28 | call to getenv | test.cpp:8:24:8:25 | s1 | AST only |
| test.cpp:23:23:23:28 | call to getenv | test.cpp:23:14:23:19 | envStr | AST only |
| test.cpp:38:23:38:28 | call to getenv | test.cpp:8:24:8:25 | s1 | AST only |
| test.cpp:38:23:38:28 | call to getenv | test.cpp:38:14:38:19 | envStr | AST only |
| test.cpp:49:23:49:28 | call to getenv | test.cpp:8:24:8:25 | s1 | AST only |
| test.cpp:49:23:49:28 | call to getenv | test.cpp:45:13:45:24 | envStrGlobal | AST only |
| test.cpp:49:23:49:28 | call to getenv | test.cpp:49:14:49:19 | envStr | AST only |
| test.cpp:49:23:49:28 | call to getenv | test.cpp:50:15:50:24 | envStr_ptr | AST only |
| test.cpp:49:23:49:28 | call to getenv | test.cpp:50:28:50:40 | & ... | AST only |
| test.cpp:49:23:49:28 | call to getenv | test.cpp:50:29:50:40 | envStrGlobal | AST only |
| test.cpp:49:23:49:28 | call to getenv | test.cpp:52:2:52:12 | * ... | AST only |
| test.cpp:49:23:49:28 | call to getenv | test.cpp:52:3:52:12 | envStr_ptr | AST only |
| test.cpp:49:23:49:28 | call to getenv | test.cpp:54:6:54:35 | ! ... | AST only |
| test.cpp:49:23:49:28 | call to getenv | test.cpp:54:7:54:12 | call to strcmp | AST only |
| test.cpp:49:23:49:28 | call to getenv | test.cpp:54:7:54:35 | (bool)... | AST only |
| test.cpp:49:23:49:28 | call to getenv | test.cpp:54:14:54:25 | envStrGlobal | AST only |
| test.cpp:60:29:60:34 | call to getenv | test.cpp:10:27:10:27 | s | AST only |
| test.cpp:60:29:60:34 | call to getenv | test.cpp:60:18:60:25 | userName | AST only |
| test.cpp:68:28:68:33 | call to getenv | test.cpp:11:20:11:21 | s1 | AST only |
| test.cpp:68:28:68:33 | call to getenv | test.cpp:11:36:11:37 | s2 | AST only |
| test.cpp:68:28:68:33 | call to getenv | test.cpp:67:7:67:13 | copying | AST only |
| test.cpp:68:28:68:33 | call to getenv | test.cpp:68:17:68:24 | userName | AST only |
| test.cpp:68:28:68:33 | call to getenv | test.cpp:69:10:69:13 | copy | AST only |
| test.cpp:68:28:68:33 | call to getenv | test.cpp:70:5:70:10 | call to strcpy | AST only |
| test.cpp:68:28:68:33 | call to getenv | test.cpp:70:12:70:15 | copy | AST only |
| test.cpp:68:28:68:33 | call to getenv | test.cpp:71:12:71:15 | array to pointer conversion | IR only |
| test.cpp:75:20:75:25 | call to getenv | test.cpp:15:22:15:25 | nptr | AST only |
| test.cpp:83:28:83:33 | call to getenv | test.cpp:8:24:8:25 | s1 | AST only |
| test.cpp:83:28:83:33 | call to getenv | test.cpp:11:20:11:21 | s1 | AST only |
| test.cpp:83:28:83:33 | call to getenv | test.cpp:11:36:11:37 | s2 | AST only |
| test.cpp:83:28:83:33 | call to getenv | test.cpp:83:17:83:24 | userName | AST only |
| test.cpp:83:28:83:33 | call to getenv | test.cpp:85:8:85:11 | copy | AST only |
| test.cpp:83:28:83:33 | call to getenv | test.cpp:86:2:86:7 | call to strcpy | AST only |
| test.cpp:83:28:83:33 | call to getenv | test.cpp:86:9:86:12 | copy | AST only |
| test.cpp:100:12:100:15 | call to gets | test.cpp:98:8:98:14 | pointer | AST only |
| test.cpp:100:12:100:15 | call to gets | test.cpp:100:2:100:8 | pointer | AST only |
| test.cpp:100:17:100:22 | buffer | test.cpp:93:18:93:18 | s | AST only |
| test.cpp:100:17:100:22 | buffer | test.cpp:97:7:97:12 | buffer | AST only |
| test.cpp:100:17:100:22 | buffer | test.cpp:100:17:100:22 | array to pointer conversion | IR only |
| test.cpp:106:28:106:33 | call to getenv | test.cpp:8:24:8:25 | s1 | AST only |
| test.cpp:106:28:106:33 | call to getenv | test.cpp:11:20:11:21 | s1 | AST only |
| test.cpp:106:28:106:33 | call to getenv | test.cpp:11:36:11:37 | s2 | AST only |
| test.cpp:106:28:106:33 | call to getenv | test.cpp:106:17:106:24 | userName | AST only |
| test.cpp:106:28:106:33 | call to getenv | test.cpp:108:8:108:11 | copy | AST only |
| test.cpp:106:28:106:33 | call to getenv | test.cpp:109:2:109:7 | call to strcpy | AST only |
| test.cpp:106:28:106:33 | call to getenv | test.cpp:109:9:109:12 | copy | AST only |

20
cpp/ql/test/library-tests/dataflow/security-taint/tainted_diff.ql
Просмотреть файл

@ -1,20 +0,0 @@
import semmle.code.cpp.security.TaintTrackingImpl as AST
import semmle.code.cpp.ir.dataflow.DefaultTaintTracking as IR
import cpp
class SourceConfiguration extends IR::TaintedWithPath::TaintTrackingConfiguration {
override predicate isSink(Element e) { any() }
}
from Expr source, Element tainted, string side
where
AST::taintedIncludingGlobalVars(source, tainted, _) and
not IR::TaintedWithPath::taintedWithPath(source, tainted, _, _) and
not tainted.getLocation().getFile().getExtension() = "h" and
side = "AST only"
or
IR::TaintedWithPath::taintedWithPath(source, tainted, _, _) and
not AST::taintedIncludingGlobalVars(source, tainted, _) and
not tainted.getLocation().getFile().getExtension() = "h" and
side = "IR only"
select source, tainted, side

48
cpp/ql/test/library-tests/dataflow/security-taint/tainted_ir.expected
Просмотреть файл

@ -1,48 +0,0 @@
WARNING: Module TaintedWithPath has been deprecated and may be removed in future (tainted_ir.ql:3,35-50)
WARNING: Module TaintedWithPath has been deprecated and may be removed in future (tainted_ir.ql:9,3-18)
| test.cpp:23:23:23:28 | call to getenv | test.cpp:23:23:23:28 | call to getenv |
| test.cpp:23:23:23:28 | call to getenv | test.cpp:23:23:23:40 | (const char *)... |
| test.cpp:23:23:23:28 | call to getenv | test.cpp:25:6:25:29 | ! ... |
| test.cpp:23:23:23:28 | call to getenv | test.cpp:25:7:25:12 | call to strcmp |
| test.cpp:23:23:23:28 | call to getenv | test.cpp:25:7:25:29 | (bool)... |
| test.cpp:23:23:23:28 | call to getenv | test.cpp:25:14:25:19 | envStr |
| test.cpp:23:23:23:28 | call to getenv | test.cpp:29:6:29:28 | ! ... |
| test.cpp:23:23:23:28 | call to getenv | test.cpp:29:7:29:12 | call to strcmp |
| test.cpp:23:23:23:28 | call to getenv | test.cpp:29:7:29:28 | (bool)... |
| test.cpp:23:23:23:28 | call to getenv | test.cpp:29:14:29:19 | envStr |
| test.cpp:38:23:38:28 | call to getenv | test.cpp:38:23:38:28 | call to getenv |
| test.cpp:38:23:38:28 | call to getenv | test.cpp:38:23:38:40 | (const char *)... |
| test.cpp:38:23:38:28 | call to getenv | test.cpp:40:14:40:19 | envStr |
| test.cpp:49:23:49:28 | call to getenv | test.cpp:49:23:49:28 | call to getenv |
| test.cpp:49:23:49:28 | call to getenv | test.cpp:49:23:49:40 | (const char *)... |
| test.cpp:49:23:49:28 | call to getenv | test.cpp:52:16:52:21 | envStr |
| test.cpp:60:29:60:34 | call to getenv | test.cpp:60:29:60:34 | call to getenv |
| test.cpp:60:29:60:34 | call to getenv | test.cpp:60:29:60:47 | (const char *)... |
| test.cpp:60:29:60:34 | call to getenv | test.cpp:64:25:64:32 | userName |
| test.cpp:68:28:68:33 | call to getenv | test.cpp:68:28:68:33 | call to getenv |
| test.cpp:68:28:68:33 | call to getenv | test.cpp:68:28:68:46 | (const char *)... |
| test.cpp:68:28:68:33 | call to getenv | test.cpp:70:18:70:25 | userName |
| test.cpp:68:28:68:33 | call to getenv | test.cpp:71:12:71:15 | array to pointer conversion |
| test.cpp:68:28:68:33 | call to getenv | test.cpp:71:12:71:15 | copy |
| test.cpp:75:20:75:25 | call to getenv | test.cpp:75:15:75:18 | call to atoi |
| test.cpp:75:20:75:25 | call to getenv | test.cpp:75:20:75:25 | call to getenv |
| test.cpp:75:20:75:25 | call to getenv | test.cpp:75:20:75:45 | (const char *)... |
| test.cpp:83:28:83:33 | call to getenv | test.cpp:83:28:83:33 | call to getenv |
| test.cpp:83:28:83:33 | call to getenv | test.cpp:83:28:83:46 | (const char *)... |
| test.cpp:83:28:83:33 | call to getenv | test.cpp:86:15:86:22 | userName |
| test.cpp:83:28:83:33 | call to getenv | test.cpp:88:6:88:27 | ! ... |
| test.cpp:83:28:83:33 | call to getenv | test.cpp:88:7:88:12 | call to strcmp |
| test.cpp:83:28:83:33 | call to getenv | test.cpp:88:7:88:27 | (bool)... |
| test.cpp:83:28:83:33 | call to getenv | test.cpp:88:14:88:17 | (const char *)... |
| test.cpp:83:28:83:33 | call to getenv | test.cpp:88:14:88:17 | copy |
| test.cpp:100:12:100:15 | call to gets | test.cpp:100:12:100:15 | call to gets |
| test.cpp:100:17:100:22 | buffer | test.cpp:100:17:100:22 | array to pointer conversion |
| test.cpp:100:17:100:22 | buffer | test.cpp:100:17:100:22 | buffer |
| test.cpp:106:28:106:33 | call to getenv | test.cpp:106:28:106:33 | call to getenv |
| test.cpp:106:28:106:33 | call to getenv | test.cpp:106:28:106:46 | (const char *)... |
| test.cpp:106:28:106:33 | call to getenv | test.cpp:109:15:109:22 | userName |
| test.cpp:106:28:106:33 | call to getenv | test.cpp:111:6:111:27 | ! ... |
| test.cpp:106:28:106:33 | call to getenv | test.cpp:111:7:111:12 | call to strcmp |
| test.cpp:106:28:106:33 | call to getenv | test.cpp:111:7:111:27 | (bool)... |
| test.cpp:106:28:106:33 | call to getenv | test.cpp:111:14:111:17 | (const char *)... |
| test.cpp:106:28:106:33 | call to getenv | test.cpp:111:14:111:17 | copy |

11
cpp/ql/test/library-tests/dataflow/security-taint/tainted_ir.ql
Просмотреть файл

@ -1,11 +0,0 @@
import semmle.code.cpp.ir.dataflow.DefaultTaintTracking
class SourceConfiguration extends TaintedWithPath::TaintTrackingConfiguration {
override predicate isSink(Element e) { any() }
}
from Expr source, Element tainted
where
TaintedWithPath::taintedWithPath(source, tainted, _, _) and
not tainted.getLocation().getFile().getExtension() = "h"
select source, tainted

114
cpp/ql/test/library-tests/dataflow/security-taint/test.cpp
Просмотреть файл

@ -1,114 +0,0 @@
// Test for the general-purpose taint-tracking
// mechanism that is used by several of the security queries.
///// Library functions //////
typedef unsigned long size_t;
int strcmp(const char *s1, const char *s2);
char *getenv(const char *name);
size_t strlen(const char *s);
char *strcpy(char *s1, const char *s2);
void *malloc(size_t size);
int atoi(const char *nptr);
//// Test code /////
bool isAdmin = false;
void test1()
{
const char *envStr = getenv("USERINFO");
if (!strcmp(envStr, "admin")) {
isAdmin = true;
}
if (!strcmp(envStr, "none")) {
isAdmin = false;
}
}
extern const char *specialUser;
void test2()
{
const char *envStr = getenv("USERINFO");
if (!strcmp(envStr, specialUser)) {
isAdmin = true;
}
}
const char *envStrGlobal;
void test3()
{
const char *envStr = getenv("USERINFO");
const char **envStr_ptr = &envStrGlobal;
*envStr_ptr = envStr;
if (!strcmp(envStrGlobal, "admin")) {
isAdmin = true;
}
}
void bugWithBinop() {
const char *userName = getenv("USER_NAME");
// The following is tainted, but should not cause
// the whole program to be considered tainted.
int bytes = strlen(userName) + 1;
}
char* copying() {
const char *userName = getenv("USER_NAME");
char copy[1024];
strcpy(copy, userName);
return copy; // copy should be tainted
}
void guard() {
int len = atoi(getenv("FOOBAZ_BRANCHING"));
if (len > 1000) return;
char **node = (char **) malloc(len * sizeof(char *));
}
const char *alias_global;
void mallocBuffer() {
const char *userName = getenv("USER_NAME");
char *alias = (char*)malloc(4096);
char *copy = (char*)malloc(4096);
strcpy(copy, userName);
alias_global = alias; // to force a Chi node on all aliased memory
if (!strcmp(copy, "admin")) { // copy should be tainted
isAdmin = true;
}
}
char *gets(char *s);
void test_gets()
{
char buffer[1024];
char *pointer;
pointer = gets(buffer);
}
const char *alias_global_new;
void newBuffer() {
const char *userName = getenv("USER_NAME");
char *alias = new char[4096];
char *copy = new char[4096];
strcpy(copy, userName);
alias_global_new = alias; // to force a Chi node on all aliased memory
if (!strcmp(copy, "admin")) { // copy should be tainted
isAdmin = true;
}
}

18
csharp/extractor/Semmle.Extraction.CSharp.StubGenerator/StubVisitor.cs
Просмотреть файл

@ -203,10 +203,12 @@ internal sealed class StubVisitor : SymbolVisitor
private static readonly HashSet<string> attributeAllowList = new() {
"System.FlagsAttribute",
"System.AttributeUsageAttribute"
"System.AttributeUsageAttribute",
"System.Runtime.CompilerServices.InterpolatedStringHandlerAttribute",
"System.Runtime.CompilerServices.InterpolatedStringHandlerArgumentAttribute",
};
private void StubAttribute(AttributeData a, string prefix)
private void StubAttribute(AttributeData a, string prefix, bool addNewLine)
{
if (a.AttributeClass is not INamedTypeSymbol @class)
return;
@ -232,14 +234,18 @@ internal sealed class StubVisitor : SymbolVisitor
});
stubWriter.Write(")");
}
stubWriter.WriteLine("]");
stubWriter.Write("]");
if (addNewLine)
{
stubWriter.WriteLine();
}
}
public void StubAttributes(IEnumerable<AttributeData> a, string prefix = "")
public void StubAttributes(IEnumerable<AttributeData> a, string prefix = "", bool addNewLine = true)
{
foreach (var attribute in a)
{
StubAttribute(attribute, prefix);
StubAttribute(attribute, prefix, addNewLine);
}
}
@ -513,6 +519,8 @@ internal sealed class StubVisitor : SymbolVisitor
{
WriteCommaSep(parameters, parameter =>
{
StubAttributes(parameter.GetAttributes(), addNewLine: false);
switch (parameter.RefKind)
{
case RefKind.None:

7
csharp/extractor/Semmle.Extraction.CSharp/Entities/Expression.cs
Просмотреть файл

@ -214,7 +214,7 @@ namespace Semmle.Extraction.CSharp.Entities
if (type.SpecialType is SpecialType.None)
{
return ImplicitCast.CreateGenerated(cx, parent, childIndex, type, defaultValue, location);
return ImplicitCast.CreateGeneratedConversion(cx, parent, childIndex, type, defaultValue, location);
}
if (type.SpecialType is SpecialType.System_DateTime)
@ -222,6 +222,11 @@ namespace Semmle.Extraction.CSharp.Entities
return DateTimeObjectCreation.CreateGenerated(cx, parent, childIndex, type, defaultValue, location);
}
if (type.SpecialType is SpecialType.System_IntPtr || type.SpecialType is SpecialType.System_UIntPtr)
{
return ImplicitCast.CreateGenerated(cx, parent, childIndex, type, defaultValue, location);
}
// const literal:
return Literal.CreateGenerated(cx, parent, childIndex, type, defaultValue, location);
}

28
csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/ImplicitCast.cs
Просмотреть файл

@ -51,8 +51,10 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
)
.FirstOrDefault();
// Creates a new generated expression with an implicit cast added, if needed.
public static Expression CreateGenerated(Context cx, IExpressionParentEntity parent, int childIndex, ITypeSymbol type, object value,
/// <summary>
/// Creates a new generated expression with an implicit conversion added.
/// </summary>
public static Expression CreateGeneratedConversion(Context cx, IExpressionParentEntity parent, int childIndex, ITypeSymbol type, object value,
Extraction.Entities.Location location)
{
ExpressionInfo create(ExprKind kind, string? v) =>
@ -79,7 +81,27 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
}
}
// Creates a new expression, adding casts as required.
/// <summary>
/// Creates a new generated cast expression.
/// </summary>
public static Expression CreateGenerated(Context cx, IExpressionParentEntity parent, int childIndex, ITypeSymbol type, object value,
Extraction.Entities.Location location)
{
var info = new ExpressionInfo(cx,
AnnotatedTypeSymbol.CreateNotAnnotated(type),
location,
ExprKind.CAST,
parent,
childIndex,
true,
ValueAsString(value));
return new Expression(info);
}
/// <summary>
/// Creates a new expression, adding casts as required.
/// </summary>
public static Expression Create(ExpressionNodeInfo info)
{
var resolvedType = info.ResolvedType;

5
csharp/ql/lib/change-notes/2023-12-07-stringbuilder.md Normal file
Просмотреть файл

@ -0,0 +1,5 @@
---
category: minorAnalysis
---
* The dataflow models for the `System.Text.StringBuilder` class have been reworked. New summaries have been added for `Append` and `AppendLine`. With the changes, we expect queries that use taint tracking to find more results when interpolated strings or `StringBuilder` instances are passed to `Append` or `AppendLine`.

95
csharp/ql/lib/ext/System.Text.model.yml
Просмотреть файл

@ -25,81 +25,90 @@ extensions:
- ["System.Text", "StringBuilder", False, "Append", "(System.Char)", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["System.Text", "StringBuilder", False, "Append", "(System.Char*,System.Int32)", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["System.Text", "StringBuilder", False, "Append", "(System.Char,System.Int32)", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["System.Text", "StringBuilder", False, "Append", "(System.Char[])", "", "Argument[0].Element", "Argument[this].Element", "value", "manual"]
- ["System.Text", "StringBuilder", False, "Append", "(System.Char[])", "", "Argument[0].Element", "Argument[this]", "taint", "manual"]
- ["System.Text", "StringBuilder", False, "Append", "(System.Char[])", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["System.Text", "StringBuilder", False, "Append", "(System.Char[],System.Int32,System.Int32)", "", "Argument[0].Element", "Argument[this].Element", "value", "manual"]
- ["System.Text", "StringBuilder", False, "Append", "(System.Char[],System.Int32,System.Int32)", "", "Argument[0].Element", "Argument[this]", "taint", "manual"]
- ["System.Text", "StringBuilder", False, "Append", "(System.Char[],System.Int32,System.Int32)", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["System.Text", "StringBuilder", False, "Append", "(System.Decimal)", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["System.Text", "StringBuilder", False, "Append", "(System.Double)", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["System.Text", "StringBuilder", False, "Append", "(System.Int16)", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["System.Text", "StringBuilder", False, "Append", "(System.Int32)", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["System.Text", "StringBuilder", False, "Append", "(System.Int64)", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["System.Text", "StringBuilder", False, "Append", "(System.Object)", "", "Argument[0]", "Argument[this].Element", "value", "manual"]
- ["System.Text", "StringBuilder", False, "Append", "(System.Object)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["System.Text", "StringBuilder", False, "Append", "(System.Object)", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["System.Text", "StringBuilder", False, "Append", "(System.ReadOnlyMemory<System.Char>)", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["System.Text", "StringBuilder", False, "Append", "(System.ReadOnlySpan<System.Char>)", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["System.Text", "StringBuilder", False, "Append", "(System.SByte)", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["System.Text", "StringBuilder", False, "Append", "(System.Single)", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["System.Text", "StringBuilder", False, "Append", "(System.String)", "", "Argument[0]", "Argument[this].Element", "value", "manual"]
- ["System.Text", "StringBuilder", False, "Append", "(System.String)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["System.Text", "StringBuilder", False, "Append", "(System.String)", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["System.Text", "StringBuilder", False, "Append", "(System.String,System.Int32,System.Int32)", "", "Argument[0]", "Argument[this].Element", "value", "manual"]
- ["System.Text", "StringBuilder", False, "Append", "(System.String,System.Int32,System.Int32)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["System.Text", "StringBuilder", False, "Append", "(System.String,System.Int32,System.Int32)", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["System.Text", "StringBuilder", False, "Append", "(System.Text.StringBuilder)", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["System.Text", "StringBuilder", False, "Append", "(System.Text.StringBuilder)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["System.Text", "StringBuilder", False, "Append", "(System.Text.StringBuilder,System.Int32,System.Int32)", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["System.Text", "StringBuilder", False, "Append", "(System.Text.StringBuilder,System.Int32,System.Int32)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["System.Text", "StringBuilder", False, "Append", "(System.UInt16)", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["System.Text", "StringBuilder", False, "Append", "(System.UInt32)", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["System.Text", "StringBuilder", False, "Append", "(System.UInt64)", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["System.Text", "StringBuilder", False, "AppendFormat", "(System.IFormatProvider,System.String,System.Object)", "", "Argument[1]", "Argument[this].Element", "value", "manual"]
- ["System.Text", "StringBuilder", False, "AppendFormat", "(System.IFormatProvider,System.String,System.Object)", "", "Argument[2]", "Argument[this].Element", "value", "manual"]
- ["System.Text", "StringBuilder", False, "Append", "(System.Text.StringBuilder+AppendInterpolatedStringHandler)", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["System.Text", "StringBuilder", False, "Append", "(System.Text.StringBuilder+AppendInterpolatedStringHandler)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["System.Text", "StringBuilder", False, "Append", "(System.IFormatProvider,System.Text.StringBuilder+AppendInterpolatedStringHandler)", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["System.Text", "StringBuilder", False, "Append", "(System.IFormatProvider,System.Text.StringBuilder+AppendInterpolatedStringHandler)", "", "Argument[1]", "Argument[this]", "taint", "manual"]
- ["System.Text", "StringBuilder", False, "AppendFormat", "(System.IFormatProvider,System.String,System.Object)", "", "Argument[1]", "Argument[this]", "taint", "manual"]
- ["System.Text", "StringBuilder", False, "AppendFormat", "(System.IFormatProvider,System.String,System.Object)", "", "Argument[2]", "Argument[this]", "taint", "manual"]
- ["System.Text", "StringBuilder", False, "AppendFormat", "(System.IFormatProvider,System.String,System.Object)", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["System.Text", "StringBuilder", False, "AppendFormat", "(System.IFormatProvider,System.String,System.Object,System.Object)", "", "Argument[1]", "Argument[this].Element", "value", "manual"]
- ["System.Text", "StringBuilder", False, "AppendFormat", "(System.IFormatProvider,System.String,System.Object,System.Object)", "", "Argument[2]", "Argument[this].Element", "value", "manual"]
- ["System.Text", "StringBuilder", False, "AppendFormat", "(System.IFormatProvider,System.String,System.Object,System.Object)", "", "Argument[3]", "Argument[this].Element", "value", "manual"]
- ["System.Text", "StringBuilder", False, "AppendFormat", "(System.IFormatProvider,System.String,System.Object,System.Object)", "", "Argument[1]", "Argument[this]", "taint", "manual"]
- ["System.Text", "StringBuilder", False, "AppendFormat", "(System.IFormatProvider,System.String,System.Object,System.Object)", "", "Argument[2]", "Argument[this]", "taint", "manual"]
- ["System.Text", "StringBuilder", False, "AppendFormat", "(System.IFormatProvider,System.String,System.Object,System.Object)", "", "Argument[3]", "Argument[this]", "taint", "manual"]
- ["System.Text", "StringBuilder", False, "AppendFormat", "(System.IFormatProvider,System.String,System.Object,System.Object)", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["System.Text", "StringBuilder", False, "AppendFormat", "(System.IFormatProvider,System.String,System.Object,System.Object,System.Object)", "", "Argument[1]", "Argument[this].Element", "value", "manual"]
- ["System.Text", "StringBuilder", False, "AppendFormat", "(System.IFormatProvider,System.String,System.Object,System.Object,System.Object)", "", "Argument[2]", "Argument[this].Element", "value", "manual"]
- ["System.Text", "StringBuilder", False, "AppendFormat", "(System.IFormatProvider,System.String,System.Object,System.Object,System.Object)", "", "Argument[3]", "Argument[this].Element", "value", "manual"]
- ["System.Text", "StringBuilder", False, "AppendFormat", "(System.IFormatProvider,System.String,System.Object,System.Object,System.Object)", "", "Argument[4]", "Argument[this].Element", "value", "manual"]
- ["System.Text", "StringBuilder", False, "AppendFormat", "(System.IFormatProvider,System.String,System.Object,System.Object,System.Object)", "", "Argument[1]", "Argument[this]", "taint", "manual"]
- ["System.Text", "StringBuilder", False, "AppendFormat", "(System.IFormatProvider,System.String,System.Object,System.Object,System.Object)", "", "Argument[2]", "Argument[this]", "taint", "manual"]
- ["System.Text", "StringBuilder", False, "AppendFormat", "(System.IFormatProvider,System.String,System.Object,System.Object,System.Object)", "", "Argument[3]", "Argument[this]", "taint", "manual"]
- ["System.Text", "StringBuilder", False, "AppendFormat", "(System.IFormatProvider,System.String,System.Object,System.Object,System.Object)", "", "Argument[4]", "Argument[this]", "taint", "manual"]
- ["System.Text", "StringBuilder", False, "AppendFormat", "(System.IFormatProvider,System.String,System.Object,System.Object,System.Object)", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["System.Text", "StringBuilder", False, "AppendFormat", "(System.IFormatProvider,System.String,System.Object[])", "", "Argument[1]", "Argument[this].Element", "value", "manual"]
- ["System.Text", "StringBuilder", False, "AppendFormat", "(System.IFormatProvider,System.String,System.Object[])", "", "Argument[2].Element", "Argument[this].Element", "value", "manual"]
- ["System.Text", "StringBuilder", False, "AppendFormat", "(System.IFormatProvider,System.String,System.Object[])", "", "Argument[1]", "Argument[this]", "taint", "manual"]
- ["System.Text", "StringBuilder", False, "AppendFormat", "(System.IFormatProvider,System.String,System.Object[])", "", "Argument[2].Element", "Argument[this]", "taint", "manual"]
- ["System.Text", "StringBuilder", False, "AppendFormat", "(System.IFormatProvider,System.String,System.Object[])", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["System.Text", "StringBuilder", False, "AppendFormat", "(System.String,System.Object)", "", "Argument[0]", "Argument[this].Element", "value", "manual"]
- ["System.Text", "StringBuilder", False, "AppendFormat", "(System.String,System.Object)", "", "Argument[1]", "Argument[this].Element", "value", "manual"]
- ["System.Text", "StringBuilder", False, "AppendFormat", "(System.String,System.Object)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["System.Text", "StringBuilder", False, "AppendFormat", "(System.String,System.Object)", "", "Argument[1]", "Argument[this]", "taint", "manual"]
- ["System.Text", "StringBuilder", False, "AppendFormat", "(System.String,System.Object)", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["System.Text", "StringBuilder", False, "AppendFormat", "(System.String,System.Object,System.Object)", "", "Argument[0]", "Argument[this].Element", "value", "manual"]
- ["System.Text", "StringBuilder", False, "AppendFormat", "(System.String,System.Object,System.Object)", "", "Argument[1]", "Argument[this].Element", "value", "manual"]
- ["System.Text", "StringBuilder", False, "AppendFormat", "(System.String,System.Object,System.Object)", "", "Argument[2]", "Argument[this].Element", "value", "manual"]
- ["System.Text", "StringBuilder", False, "AppendFormat", "(System.String,System.Object,System.Object)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["System.Text", "StringBuilder", False, "AppendFormat", "(System.String,System.Object,System.Object)", "", "Argument[1]", "Argument[this]", "taint", "manual"]
- ["System.Text", "StringBuilder", False, "AppendFormat", "(System.String,System.Object,System.Object)", "", "Argument[2]", "Argument[this]", "taint", "manual"]
- ["System.Text", "StringBuilder", False, "AppendFormat", "(System.String,System.Object,System.Object)", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["System.Text", "StringBuilder", False, "AppendFormat", "(System.String,System.Object,System.Object,System.Object)", "", "Argument[0]", "Argument[this].Element", "value", "manual"]
- ["System.Text", "StringBuilder", False, "AppendFormat", "(System.String,System.Object,System.Object,System.Object)", "", "Argument[1]", "Argument[this].Element", "value", "manual"]
- ["System.Text", "StringBuilder", False, "AppendFormat", "(System.String,System.Object,System.Object,System.Object)", "", "Argument[2]", "Argument[this].Element", "value", "manual"]
- ["System.Text", "StringBuilder", False, "AppendFormat", "(System.String,System.Object,System.Object,System.Object)", "", "Argument[3]", "Argument[this].Element", "value", "manual"]
- ["System.Text", "StringBuilder", False, "AppendFormat", "(System.String,System.Object,System.Object,System.Object)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["System.Text", "StringBuilder", False, "AppendFormat", "(System.String,System.Object,System.Object,System.Object)", "", "Argument[1]", "Argument[this]", "taint", "manual"]
- ["System.Text", "StringBuilder", False, "AppendFormat", "(System.String,System.Object,System.Object,System.Object)", "", "Argument[2]", "Argument[this]", "taint", "manual"]
- ["System.Text", "StringBuilder", False, "AppendFormat", "(System.String,System.Object,System.Object,System.Object)", "", "Argument[3]", "Argument[this]", "taint", "manual"]
- ["System.Text", "StringBuilder", False, "AppendFormat", "(System.String,System.Object,System.Object,System.Object)", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["System.Text", "StringBuilder", False, "AppendFormat", "(System.String,System.Object[])", "", "Argument[0]", "Argument[this].Element", "value", "manual"]
- ["System.Text", "StringBuilder", False, "AppendFormat", "(System.String,System.Object[])", "", "Argument[1].Element", "Argument[this].Element", "value", "manual"]
- ["System.Text", "StringBuilder", False, "AppendFormat", "(System.String,System.Object[])", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["System.Text", "StringBuilder", False, "AppendFormat", "(System.String,System.Object[])", "", "Argument[1].Element", "Argument[this]", "taint", "manual"]
- ["System.Text", "StringBuilder", False, "AppendFormat", "(System.String,System.Object[])", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["System.Text", "StringBuilder", False, "AppendJoin", "(System.Char,System.Object[])", "", "Argument[1].Element", "Argument[this].Element", "value", "manual"]
- ["System.Text", "StringBuilder", False, "AppendJoin", "(System.Char,System.Object[])", "", "Argument[1].Element", "Argument[this]", "taint", "manual"]
- ["System.Text", "StringBuilder", False, "AppendJoin", "(System.Char,System.Object[])", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["System.Text", "StringBuilder", False, "AppendJoin", "(System.Char,System.String[])", "", "Argument[1].Element", "Argument[this].Element", "value", "manual"]
- ["System.Text", "StringBuilder", False, "AppendJoin", "(System.Char,System.String[])", "", "Argument[1].Element", "Argument[this]", "taint", "manual"]
- ["System.Text", "StringBuilder", False, "AppendJoin", "(System.Char,System.String[])", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["System.Text", "StringBuilder", False, "AppendJoin", "(System.String,System.Object[])", "", "Argument[0]", "Argument[this].Element", "value", "manual"]
- ["System.Text", "StringBuilder", False, "AppendJoin", "(System.String,System.Object[])", "", "Argument[1].Element", "Argument[this].Element", "value", "manual"]
- ["System.Text", "StringBuilder", False, "AppendJoin", "(System.String,System.Object[])", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["System.Text", "StringBuilder", False, "AppendJoin", "(System.String,System.Object[])", "", "Argument[1].Element", "Argument[this]", "taint", "manual"]
- ["System.Text", "StringBuilder", False, "AppendJoin", "(System.String,System.Object[])", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["System.Text", "StringBuilder", False, "AppendJoin", "(System.String,System.String[])", "", "Argument[0]", "Argument[this].Element", "value", "manual"]
- ["System.Text", "StringBuilder", False, "AppendJoin", "(System.String,System.String[])", "", "Argument[1].Element", "Argument[this].Element", "value", "manual"]
- ["System.Text", "StringBuilder", False, "AppendJoin", "(System.String,System.String[])", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["System.Text", "StringBuilder", False, "AppendJoin", "(System.String,System.String[])", "", "Argument[1].Element", "Argument[this]", "taint", "manual"]
- ["System.Text", "StringBuilder", False, "AppendJoin", "(System.String,System.String[])", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["System.Text", "StringBuilder", False, "AppendJoin<T>", "(System.Char,System.Collections.Generic.IEnumerable<T>)", "", "Argument[1].Element", "Argument[this].Element", "value", "manual"]
- ["System.Text", "StringBuilder", False, "AppendJoin<T>", "(System.Char,System.Collections.Generic.IEnumerable<T>)", "", "Argument[1].Element", "Argument[this]", "taint", "manual"]
- ["System.Text", "StringBuilder", False, "AppendJoin<T>", "(System.Char,System.Collections.Generic.IEnumerable<T>)", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["System.Text", "StringBuilder", False, "AppendJoin<T>", "(System.String,System.Collections.Generic.IEnumerable<T>)", "", "Argument[0]", "Argument[this].Element", "value", "manual"]
- ["System.Text", "StringBuilder", False, "AppendJoin<T>", "(System.String,System.Collections.Generic.IEnumerable<T>)", "", "Argument[1].Element", "Argument[this].Element", "value", "manual"]
- ["System.Text", "StringBuilder", False, "AppendJoin<T>", "(System.String,System.Collections.Generic.IEnumerable<T>)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["System.Text", "StringBuilder", False, "AppendJoin<T>", "(System.String,System.Collections.Generic.IEnumerable<T>)", "", "Argument[1].Element", "Argument[this]", "taint", "manual"]
- ["System.Text", "StringBuilder", False, "AppendJoin<T>", "(System.String,System.Collections.Generic.IEnumerable<T>)", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["System.Text", "StringBuilder", False, "AppendLine", "()", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["System.Text", "StringBuilder", False, "AppendLine", "(System.String)", "", "Argument[0]", "Argument[this].Element", "value", "manual"]
- ["System.Text", "StringBuilder", False, "AppendLine", "(System.String)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["System.Text", "StringBuilder", False, "AppendLine", "(System.String)", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["System.Text", "StringBuilder", False, "Clear", "()", "", "Argument[this].WithoutElement", "Argument[this]", "value", "manual"]
- ["System.Text", "StringBuilder", False, "StringBuilder", "(System.String)", "", "Argument[0]", "Argument[this].Element", "value", "manual"]
- ["System.Text", "StringBuilder", False, "StringBuilder", "(System.String,System.Int32)", "", "Argument[0]", "Argument[this].Element", "value", "manual"]
- ["System.Text", "StringBuilder", False, "StringBuilder", "(System.String,System.Int32,System.Int32,System.Int32)", "", "Argument[0]", "Argument[this].Element", "value", "manual"]
- ["System.Text", "StringBuilder", False, "ToString", "()", "", "Argument[this].Element", "ReturnValue", "taint", "manual"]
- ["System.Text", "StringBuilder", False, "ToString", "(System.Int32,System.Int32)", "", "Argument[this].Element", "ReturnValue", "taint", "manual"]
- ["System.Text", "StringBuilder", False, "AppendLine", "(System.Text.StringBuilder+AppendInterpolatedStringHandler)", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["System.Text", "StringBuilder", False, "AppendLine", "(System.Text.StringBuilder+AppendInterpolatedStringHandler)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["System.Text", "StringBuilder", False, "AppendLine", "(System.IFormatProvider,System.Text.StringBuilder+AppendInterpolatedStringHandler)", "", "Argument[this]", "ReturnValue", "value", "manual"]
- ["System.Text", "StringBuilder", False, "AppendLine", "(System.IFormatProvider,System.Text.StringBuilder+AppendInterpolatedStringHandler)", "", "Argument[1]", "Argument[this]", "taint", "manual"]
- ["System.Text", "StringBuilder", False, "StringBuilder", "(System.String)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["System.Text", "StringBuilder", False, "StringBuilder", "(System.String,System.Int32)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["System.Text", "StringBuilder", False, "StringBuilder", "(System.String,System.Int32,System.Int32,System.Int32)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["System.Text", "StringBuilder", False, "ToString", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["System.Text", "StringBuilder", False, "ToString", "(System.Int32,System.Int32)", "", "Argument[this]", "ReturnValue", "taint", "manual"]

21
csharp/ql/lib/semmle/code/csharp/dataflow/internal/TaintTrackingPrivate.qll
Просмотреть файл

@ -18,7 +18,13 @@ private import semmle.code.csharp.security.dataflow.flowsources.Remote
* Holds if `node` should be a sanitizer in all global taint flow configurations
* but not in local taint.
*/
predicate defaultTaintSanitizer(DataFlow::Node node) { none() }
predicate defaultTaintSanitizer(DataFlow::Node node) {
exists(MethodCall mc |
mc.getTarget().hasFullyQualifiedName("System.Text.StringBuilder", "Clear")
|
node.asExpr() = mc.getQualifier()
)
}
/**
* Holds if default `TaintTracking::Configuration`s should allow implicit reads
@ -81,6 +87,19 @@ private class LocalTaintExprStepConfiguration extends ControlFlowReachabilityCon
or
e1 = e2.(AwaitExpr).getExpr() and
scope = e2
or
// Taint flows from the operand of a cast to the cast expression if the cast is to an interpolated string handler.
e2 =
any(CastExpr ce |
e1 = ce.getExpr() and
scope = ce and
ce.getTargetType()
.(Attributable)
.getAnAttribute()
.getType()
.hasFullyQualifiedName("System.Runtime.CompilerServices",
"InterpolatedStringHandlerAttribute")
)
)
}
}

28
csharp/ql/test/library-tests/dataflow/global/DataFlow.expected
Просмотреть файл

@ -51,21 +51,21 @@
| GlobalDataFlow.cs:329:15:329:25 | access to parameter sinkParam11 |
| GlobalDataFlow.cs:404:15:404:20 | access to local variable sink11 |
| GlobalDataFlow.cs:427:41:427:46 | access to local variable sink20 |
| GlobalDataFlow.cs:478:15:478:20 | access to local variable sink45 |
| GlobalDataFlow.cs:486:32:486:32 | access to parameter s |
| GlobalDataFlow.cs:508:15:508:22 | access to field field |
| GlobalDataFlow.cs:509:15:509:22 | access to field field |
| GlobalDataFlow.cs:515:15:515:22 | access to field field |
| GlobalDataFlow.cs:516:15:516:22 | access to field field |
| GlobalDataFlow.cs:517:15:517:22 | access to field field |
| GlobalDataFlow.cs:526:15:526:21 | access to field field |
| GlobalDataFlow.cs:461:15:461:20 | access to local variable sink45 |
| GlobalDataFlow.cs:469:32:469:32 | access to parameter s |
| GlobalDataFlow.cs:491:15:491:22 | access to field field |
| GlobalDataFlow.cs:492:15:492:22 | access to field field |
| GlobalDataFlow.cs:498:15:498:22 | access to field field |
| GlobalDataFlow.cs:499:15:499:22 | access to field field |
| GlobalDataFlow.cs:500:15:500:22 | access to field field |
| GlobalDataFlow.cs:509:15:509:21 | access to field field |
| GlobalDataFlow.cs:516:15:516:21 | access to field field |
| GlobalDataFlow.cs:517:15:517:21 | access to field field |
| GlobalDataFlow.cs:531:15:531:21 | access to field field |
| GlobalDataFlow.cs:532:15:532:21 | access to field field |
| GlobalDataFlow.cs:533:15:533:21 | access to field field |
| GlobalDataFlow.cs:534:15:534:21 | access to field field |
| GlobalDataFlow.cs:548:15:548:21 | access to field field |
| GlobalDataFlow.cs:549:15:549:21 | access to field field |
| GlobalDataFlow.cs:550:15:550:21 | access to field field |
| GlobalDataFlow.cs:556:15:556:22 | access to field field |
| GlobalDataFlow.cs:564:15:564:21 | access to field field |
| GlobalDataFlow.cs:539:15:539:22 | access to field field |
| GlobalDataFlow.cs:547:15:547:21 | access to field field |
| Splitting.cs:9:15:9:15 | [b (line 3): false] access to local variable x |
| Splitting.cs:9:15:9:15 | [b (line 3): true] access to local variable x |
| Splitting.cs:11:19:11:19 | access to local variable x |

268
csharp/ql/test/library-tests/dataflow/global/DataFlowPath.expected
Просмотреть файл

@ -129,7 +129,7 @@ edges
| GlobalDataFlow.cs:81:22:81:93 | call to method First<String> : String | GlobalDataFlow.cs:82:15:82:20 | access to local variable sink13 |
| GlobalDataFlow.cs:81:22:81:93 | call to method First<String> : String | GlobalDataFlow.cs:83:59:83:64 | access to local variable sink13 : String |
| GlobalDataFlow.cs:81:23:81:65 | (...) ... : null [element] : String | GlobalDataFlow.cs:81:22:81:85 | call to method SelectEven<String,String> : IEnumerable<T> [element] : String |
| GlobalDataFlow.cs:81:23:81:65 | (...) ... : null [element] : String | GlobalDataFlow.cs:570:71:570:71 | e : null [element] : String |
| GlobalDataFlow.cs:81:23:81:65 | (...) ... : null [element] : String | GlobalDataFlow.cs:553:71:553:71 | e : null [element] : String |
| GlobalDataFlow.cs:81:57:81:65 | { ..., ... } : null [element] : String | GlobalDataFlow.cs:81:23:81:65 | (...) ... : null [element] : String |
| GlobalDataFlow.cs:81:59:81:63 | access to local variable sink3 : String | GlobalDataFlow.cs:81:57:81:65 | { ..., ... } : null [element] : String |
| GlobalDataFlow.cs:81:79:81:79 | x : String | GlobalDataFlow.cs:81:84:81:84 | access to parameter x : String |
@ -250,63 +250,63 @@ edges
| GlobalDataFlow.cs:405:16:405:21 | access to local variable sink11 : String | GlobalDataFlow.cs:167:22:167:43 | call to method TaintedParam : String |
| GlobalDataFlow.cs:427:9:427:11 | value : String | GlobalDataFlow.cs:427:41:427:46 | access to local variable sink20 |
| GlobalDataFlow.cs:438:22:438:35 | "taint source" : String | GlobalDataFlow.cs:201:22:201:32 | access to property OutProperty : String |
| GlobalDataFlow.cs:474:20:474:49 | call to method Run<String> : Task<T> [property Result] : String | GlobalDataFlow.cs:475:25:475:28 | access to local variable task : Task<T> [property Result] : String |
| GlobalDataFlow.cs:474:35:474:48 | "taint source" : String | GlobalDataFlow.cs:474:20:474:49 | call to method Run<String> : Task<T> [property Result] : String |
| GlobalDataFlow.cs:475:25:475:28 | access to local variable task : Task<T> [property Result] : String | GlobalDataFlow.cs:475:25:475:50 | call to method ConfigureAwait : ConfiguredTaskAwaitable<T> [synthetic m_configuredTaskAwaiter, synthetic m_task_configured_task_awaitable, property Result] : String |
| GlobalDataFlow.cs:475:25:475:50 | call to method ConfigureAwait : ConfiguredTaskAwaitable<T> [synthetic m_configuredTaskAwaiter, synthetic m_task_configured_task_awaitable, property Result] : String | GlobalDataFlow.cs:476:23:476:31 | access to local variable awaitable : ConfiguredTaskAwaitable<T> [synthetic m_configuredTaskAwaiter, synthetic m_task_configured_task_awaitable, property Result] : String |
| GlobalDataFlow.cs:476:23:476:31 | access to local variable awaitable : ConfiguredTaskAwaitable<T> [synthetic m_configuredTaskAwaiter, synthetic m_task_configured_task_awaitable, property Result] : String | GlobalDataFlow.cs:476:23:476:44 | call to method GetAwaiter : ConfiguredTaskAwaitable<T>.ConfiguredTaskAwaiter [synthetic m_task_configured_task_awaitable, property Result] : String |
| GlobalDataFlow.cs:476:23:476:44 | call to method GetAwaiter : ConfiguredTaskAwaitable<T>.ConfiguredTaskAwaiter [synthetic m_task_configured_task_awaitable, property Result] : String | GlobalDataFlow.cs:477:22:477:28 | access to local variable awaiter : ConfiguredTaskAwaitable<T>.ConfiguredTaskAwaiter [synthetic m_task_configured_task_awaitable, property Result] : String |
| GlobalDataFlow.cs:477:22:477:28 | access to local variable awaiter : ConfiguredTaskAwaitable<T>.ConfiguredTaskAwaiter [synthetic m_task_configured_task_awaitable, property Result] : String | GlobalDataFlow.cs:477:22:477:40 | call to method GetResult : String |
| GlobalDataFlow.cs:477:22:477:40 | call to method GetResult : String | GlobalDataFlow.cs:478:15:478:20 | access to local variable sink45 |
| GlobalDataFlow.cs:483:53:483:55 | arg : String | GlobalDataFlow.cs:487:15:487:17 | access to parameter arg : String |
| GlobalDataFlow.cs:486:21:486:21 | s : String | GlobalDataFlow.cs:486:32:486:32 | access to parameter s |
| GlobalDataFlow.cs:487:15:487:17 | access to parameter arg : String | GlobalDataFlow.cs:486:21:486:21 | s : String |
| GlobalDataFlow.cs:490:28:490:41 | "taint source" : String | GlobalDataFlow.cs:483:53:483:55 | arg : String |
| GlobalDataFlow.cs:500:9:500:10 | [post] access to parameter sc : SimpleClass [field field] : String | GlobalDataFlow.cs:507:25:507:26 | [post] access to local variable x1 : SimpleClass [field field] : String |
| GlobalDataFlow.cs:500:9:500:10 | [post] access to parameter sc : SimpleClass [field field] : String | GlobalDataFlow.cs:507:30:507:31 | [post] access to local variable x2 : SimpleClass [field field] : String |
| GlobalDataFlow.cs:500:9:500:10 | [post] access to parameter sc : SimpleClass [field field] : String | GlobalDataFlow.cs:514:31:514:32 | [post] access to local variable y1 : SimpleClass [field field] : String |
| GlobalDataFlow.cs:500:9:500:10 | [post] access to parameter sc : SimpleClass [field field] : String | GlobalDataFlow.cs:514:36:514:37 | [post] access to local variable y2 : SimpleClass [field field] : String |
| GlobalDataFlow.cs:500:9:500:10 | [post] access to parameter sc : SimpleClass [field field] : String | GlobalDataFlow.cs:514:42:514:43 | [post] access to local variable y3 : SimpleClass [field field] : String |
| GlobalDataFlow.cs:500:9:500:10 | [post] access to parameter sc : SimpleClass [field field] : String | GlobalDataFlow.cs:525:33:525:33 | [post] access to local variable x : SubSimpleClass [field field] : String |
| GlobalDataFlow.cs:500:9:500:10 | [post] access to parameter sc : SimpleClass [field field] : String | GlobalDataFlow.cs:532:20:532:20 | [post] access to parameter x : SimpleClass [field field] : String |
| GlobalDataFlow.cs:500:9:500:10 | [post] access to parameter sc : SimpleClass [field field] : String | GlobalDataFlow.cs:532:25:532:25 | [post] access to local variable y : SimpleClass [field field] : String |
| GlobalDataFlow.cs:500:9:500:10 | [post] access to parameter sc : SimpleClass [field field] : String | GlobalDataFlow.cs:544:20:544:20 | [post] access to local variable x : SimpleClass [field field] : String |
| GlobalDataFlow.cs:500:9:500:10 | [post] access to parameter sc : SimpleClass [field field] : String | GlobalDataFlow.cs:545:20:545:20 | [post] access to local variable y : SimpleClass [field field] : String |
| GlobalDataFlow.cs:500:9:500:10 | [post] access to parameter sc : SimpleClass [field field] : String | GlobalDataFlow.cs:546:18:546:18 | [post] access to local variable z : SimpleClass [field field] : String |
| GlobalDataFlow.cs:500:9:500:10 | [post] access to parameter sc : SimpleClass [field field] : String | GlobalDataFlow.cs:555:20:555:21 | [post] access to parameter sc : SimpleClass [field field] : String |
| GlobalDataFlow.cs:500:9:500:10 | [post] access to parameter sc : SimpleClass [field field] : String | GlobalDataFlow.cs:563:24:563:24 | [post] access to local variable x : SimpleClass [field field] : String |
| GlobalDataFlow.cs:500:20:500:33 | "taint source" : String | GlobalDataFlow.cs:500:9:500:10 | [post] access to parameter sc : SimpleClass [field field] : String |
| GlobalDataFlow.cs:507:25:507:26 | [post] access to local variable x1 : SimpleClass [field field] : String | GlobalDataFlow.cs:508:15:508:16 | access to local variable x1 : SimpleClass [field field] : String |
| GlobalDataFlow.cs:507:30:507:31 | [post] access to local variable x2 : SimpleClass [field field] : String | GlobalDataFlow.cs:509:15:509:16 | access to local variable x2 : SimpleClass [field field] : String |
| GlobalDataFlow.cs:508:15:508:16 | access to local variable x1 : SimpleClass [field field] : String | GlobalDataFlow.cs:508:15:508:22 | access to field field |
| GlobalDataFlow.cs:509:15:509:16 | access to local variable x2 : SimpleClass [field field] : String | GlobalDataFlow.cs:509:15:509:22 | access to field field |
| GlobalDataFlow.cs:514:31:514:32 | [post] access to local variable y1 : SimpleClass [field field] : String | GlobalDataFlow.cs:515:15:515:16 | access to local variable y1 : SimpleClass [field field] : String |
| GlobalDataFlow.cs:514:36:514:37 | [post] access to local variable y2 : SimpleClass [field field] : String | GlobalDataFlow.cs:516:15:516:16 | access to local variable y2 : SimpleClass [field field] : String |
| GlobalDataFlow.cs:514:42:514:43 | [post] access to local variable y3 : SimpleClass [field field] : String | GlobalDataFlow.cs:517:15:517:16 | access to local variable y3 : SimpleClass [field field] : String |
| GlobalDataFlow.cs:515:15:515:16 | access to local variable y1 : SimpleClass [field field] : String | GlobalDataFlow.cs:515:15:515:22 | access to field field |
| GlobalDataFlow.cs:516:15:516:16 | access to local variable y2 : SimpleClass [field field] : String | GlobalDataFlow.cs:516:15:516:22 | access to field field |
| GlobalDataFlow.cs:517:15:517:16 | access to local variable y3 : SimpleClass [field field] : String | GlobalDataFlow.cs:517:15:517:22 | access to field field |
| GlobalDataFlow.cs:525:33:525:33 | [post] access to local variable x : SubSimpleClass [field field] : String | GlobalDataFlow.cs:526:15:526:15 | access to local variable x : SubSimpleClass [field field] : String |
| GlobalDataFlow.cs:526:15:526:15 | access to local variable x : SubSimpleClass [field field] : String | GlobalDataFlow.cs:526:15:526:21 | access to field field |
| GlobalDataFlow.cs:532:20:532:20 | [post] access to parameter x : SimpleClass [field field] : String | GlobalDataFlow.cs:533:15:533:15 | access to parameter x : SimpleClass [field field] : String |
| GlobalDataFlow.cs:532:25:532:25 | [post] access to local variable y : SimpleClass [field field] : String | GlobalDataFlow.cs:534:15:534:15 | access to local variable y : SimpleClass [field field] : String |
| GlobalDataFlow.cs:533:15:533:15 | access to parameter x : SimpleClass [field field] : String | GlobalDataFlow.cs:533:15:533:21 | access to field field |
| GlobalDataFlow.cs:534:15:534:15 | access to local variable y : SimpleClass [field field] : String | GlobalDataFlow.cs:534:15:534:21 | access to field field |
| GlobalDataFlow.cs:544:20:544:20 | [post] access to local variable x : SimpleClass [field field] : String | GlobalDataFlow.cs:548:15:548:15 | access to local variable x : SimpleClass [field field] : String |
| GlobalDataFlow.cs:545:20:545:20 | [post] access to local variable y : SimpleClass [field field] : String | GlobalDataFlow.cs:549:15:549:15 | access to local variable y : SimpleClass [field field] : String |
| GlobalDataFlow.cs:546:18:546:18 | [post] access to local variable z : SimpleClass [field field] : String | GlobalDataFlow.cs:550:15:550:15 | access to local variable z : SimpleClass [field field] : String |
| GlobalDataFlow.cs:548:15:548:15 | access to local variable x : SimpleClass [field field] : String | GlobalDataFlow.cs:548:15:548:21 | access to field field |
| GlobalDataFlow.cs:549:15:549:15 | access to local variable y : SimpleClass [field field] : String | GlobalDataFlow.cs:549:15:549:21 | access to field field |
| GlobalDataFlow.cs:550:15:550:15 | access to local variable z : SimpleClass [field field] : String | GlobalDataFlow.cs:550:15:550:21 | access to field field |
| GlobalDataFlow.cs:555:20:555:21 | [post] access to parameter sc : SimpleClass [field field] : String | GlobalDataFlow.cs:556:15:556:16 | access to parameter sc : SimpleClass [field field] : String |
| GlobalDataFlow.cs:556:15:556:16 | access to parameter sc : SimpleClass [field field] : String | GlobalDataFlow.cs:556:15:556:22 | access to field field |
| GlobalDataFlow.cs:563:24:563:24 | [post] access to local variable x : SimpleClass [field field] : String | GlobalDataFlow.cs:564:15:564:15 | access to local variable x : SimpleClass [field field] : String |
| GlobalDataFlow.cs:564:15:564:15 | access to local variable x : SimpleClass [field field] : String | GlobalDataFlow.cs:564:15:564:21 | access to field field |
| GlobalDataFlow.cs:570:71:570:71 | e : null [element] : String | GlobalDataFlow.cs:573:27:573:27 | access to parameter e : null [element] : String |
| GlobalDataFlow.cs:573:22:573:22 | SSA def(x) : String | GlobalDataFlow.cs:575:46:575:46 | access to local variable x : String |
| GlobalDataFlow.cs:573:27:573:27 | access to parameter e : null [element] : String | GlobalDataFlow.cs:573:22:573:22 | SSA def(x) : String |
| GlobalDataFlow.cs:575:46:575:46 | access to local variable x : String | GlobalDataFlow.cs:81:79:81:79 | x : String |
| GlobalDataFlow.cs:575:46:575:46 | access to local variable x : String | GlobalDataFlow.cs:575:44:575:47 | delegate call : String |
| GlobalDataFlow.cs:457:20:457:49 | call to method Run<String> : Task<T> [property Result] : String | GlobalDataFlow.cs:458:25:458:28 | access to local variable task : Task<T> [property Result] : String |
| GlobalDataFlow.cs:457:35:457:48 | "taint source" : String | GlobalDataFlow.cs:457:20:457:49 | call to method Run<String> : Task<T> [property Result] : String |
| GlobalDataFlow.cs:458:25:458:28 | access to local variable task : Task<T> [property Result] : String | GlobalDataFlow.cs:458:25:458:50 | call to method ConfigureAwait : ConfiguredTaskAwaitable<T> [synthetic m_configuredTaskAwaiter, synthetic m_task_configured_task_awaitable, property Result] : String |
| GlobalDataFlow.cs:458:25:458:50 | call to method ConfigureAwait : ConfiguredTaskAwaitable<T> [synthetic m_configuredTaskAwaiter, synthetic m_task_configured_task_awaitable, property Result] : String | GlobalDataFlow.cs:459:23:459:31 | access to local variable awaitable : ConfiguredTaskAwaitable<T> [synthetic m_configuredTaskAwaiter, synthetic m_task_configured_task_awaitable, property Result] : String |
| GlobalDataFlow.cs:459:23:459:31 | access to local variable awaitable : ConfiguredTaskAwaitable<T> [synthetic m_configuredTaskAwaiter, synthetic m_task_configured_task_awaitable, property Result] : String | GlobalDataFlow.cs:459:23:459:44 | call to method GetAwaiter : ConfiguredTaskAwaitable<T>.ConfiguredTaskAwaiter [synthetic m_task_configured_task_awaitable, property Result] : String |
| GlobalDataFlow.cs:459:23:459:44 | call to method GetAwaiter : ConfiguredTaskAwaitable<T>.ConfiguredTaskAwaiter [synthetic m_task_configured_task_awaitable, property Result] : String | GlobalDataFlow.cs:460:22:460:28 | access to local variable awaiter : ConfiguredTaskAwaitable<T>.ConfiguredTaskAwaiter [synthetic m_task_configured_task_awaitable, property Result] : String |
| GlobalDataFlow.cs:460:22:460:28 | access to local variable awaiter : ConfiguredTaskAwaitable<T>.ConfiguredTaskAwaiter [synthetic m_task_configured_task_awaitable, property Result] : String | GlobalDataFlow.cs:460:22:460:40 | call to method GetResult : String |
| GlobalDataFlow.cs:460:22:460:40 | call to method GetResult : String | GlobalDataFlow.cs:461:15:461:20 | access to local variable sink45 |
| GlobalDataFlow.cs:466:53:466:55 | arg : String | GlobalDataFlow.cs:470:15:470:17 | access to parameter arg : String |
| GlobalDataFlow.cs:469:21:469:21 | s : String | GlobalDataFlow.cs:469:32:469:32 | access to parameter s |
| GlobalDataFlow.cs:470:15:470:17 | access to parameter arg : String | GlobalDataFlow.cs:469:21:469:21 | s : String |
| GlobalDataFlow.cs:473:28:473:41 | "taint source" : String | GlobalDataFlow.cs:466:53:466:55 | arg : String |
| GlobalDataFlow.cs:483:9:483:10 | [post] access to parameter sc : SimpleClass [field field] : String | GlobalDataFlow.cs:490:25:490:26 | [post] access to local variable x1 : SimpleClass [field field] : String |
| GlobalDataFlow.cs:483:9:483:10 | [post] access to parameter sc : SimpleClass [field field] : String | GlobalDataFlow.cs:490:30:490:31 | [post] access to local variable x2 : SimpleClass [field field] : String |
| GlobalDataFlow.cs:483:9:483:10 | [post] access to parameter sc : SimpleClass [field field] : String | GlobalDataFlow.cs:497:31:497:32 | [post] access to local variable y1 : SimpleClass [field field] : String |
| GlobalDataFlow.cs:483:9:483:10 | [post] access to parameter sc : SimpleClass [field field] : String | GlobalDataFlow.cs:497:36:497:37 | [post] access to local variable y2 : SimpleClass [field field] : String |
| GlobalDataFlow.cs:483:9:483:10 | [post] access to parameter sc : SimpleClass [field field] : String | GlobalDataFlow.cs:497:42:497:43 | [post] access to local variable y3 : SimpleClass [field field] : String |
| GlobalDataFlow.cs:483:9:483:10 | [post] access to parameter sc : SimpleClass [field field] : String | GlobalDataFlow.cs:508:33:508:33 | [post] access to local variable x : SubSimpleClass [field field] : String |
| GlobalDataFlow.cs:483:9:483:10 | [post] access to parameter sc : SimpleClass [field field] : String | GlobalDataFlow.cs:515:20:515:20 | [post] access to parameter x : SimpleClass [field field] : String |
| GlobalDataFlow.cs:483:9:483:10 | [post] access to parameter sc : SimpleClass [field field] : String | GlobalDataFlow.cs:515:25:515:25 | [post] access to local variable y : SimpleClass [field field] : String |
| GlobalDataFlow.cs:483:9:483:10 | [post] access to parameter sc : SimpleClass [field field] : String | GlobalDataFlow.cs:527:20:527:20 | [post] access to local variable x : SimpleClass [field field] : String |
| GlobalDataFlow.cs:483:9:483:10 | [post] access to parameter sc : SimpleClass [field field] : String | GlobalDataFlow.cs:528:20:528:20 | [post] access to local variable y : SimpleClass [field field] : String |
| GlobalDataFlow.cs:483:9:483:10 | [post] access to parameter sc : SimpleClass [field field] : String | GlobalDataFlow.cs:529:18:529:18 | [post] access to local variable z : SimpleClass [field field] : String |
| GlobalDataFlow.cs:483:9:483:10 | [post] access to parameter sc : SimpleClass [field field] : String | GlobalDataFlow.cs:538:20:538:21 | [post] access to parameter sc : SimpleClass [field field] : String |
| GlobalDataFlow.cs:483:9:483:10 | [post] access to parameter sc : SimpleClass [field field] : String | GlobalDataFlow.cs:546:24:546:24 | [post] access to local variable x : SimpleClass [field field] : String |
| GlobalDataFlow.cs:483:20:483:33 | "taint source" : String | GlobalDataFlow.cs:483:9:483:10 | [post] access to parameter sc : SimpleClass [field field] : String |
| GlobalDataFlow.cs:490:25:490:26 | [post] access to local variable x1 : SimpleClass [field field] : String | GlobalDataFlow.cs:491:15:491:16 | access to local variable x1 : SimpleClass [field field] : String |
| GlobalDataFlow.cs:490:30:490:31 | [post] access to local variable x2 : SimpleClass [field field] : String | GlobalDataFlow.cs:492:15:492:16 | access to local variable x2 : SimpleClass [field field] : String |
| GlobalDataFlow.cs:491:15:491:16 | access to local variable x1 : SimpleClass [field field] : String | GlobalDataFlow.cs:491:15:491:22 | access to field field |
| GlobalDataFlow.cs:492:15:492:16 | access to local variable x2 : SimpleClass [field field] : String | GlobalDataFlow.cs:492:15:492:22 | access to field field |
| GlobalDataFlow.cs:497:31:497:32 | [post] access to local variable y1 : SimpleClass [field field] : String | GlobalDataFlow.cs:498:15:498:16 | access to local variable y1 : SimpleClass [field field] : String |
| GlobalDataFlow.cs:497:36:497:37 | [post] access to local variable y2 : SimpleClass [field field] : String | GlobalDataFlow.cs:499:15:499:16 | access to local variable y2 : SimpleClass [field field] : String |
| GlobalDataFlow.cs:497:42:497:43 | [post] access to local variable y3 : SimpleClass [field field] : String | GlobalDataFlow.cs:500:15:500:16 | access to local variable y3 : SimpleClass [field field] : String |
| GlobalDataFlow.cs:498:15:498:16 | access to local variable y1 : SimpleClass [field field] : String | GlobalDataFlow.cs:498:15:498:22 | access to field field |
| GlobalDataFlow.cs:499:15:499:16 | access to local variable y2 : SimpleClass [field field] : String | GlobalDataFlow.cs:499:15:499:22 | access to field field |
| GlobalDataFlow.cs:500:15:500:16 | access to local variable y3 : SimpleClass [field field] : String | GlobalDataFlow.cs:500:15:500:22 | access to field field |
| GlobalDataFlow.cs:508:33:508:33 | [post] access to local variable x : SubSimpleClass [field field] : String | GlobalDataFlow.cs:509:15:509:15 | access to local variable x : SubSimpleClass [field field] : String |
| GlobalDataFlow.cs:509:15:509:15 | access to local variable x : SubSimpleClass [field field] : String | GlobalDataFlow.cs:509:15:509:21 | access to field field |
| GlobalDataFlow.cs:515:20:515:20 | [post] access to parameter x : SimpleClass [field field] : String | GlobalDataFlow.cs:516:15:516:15 | access to parameter x : SimpleClass [field field] : String |
| GlobalDataFlow.cs:515:25:515:25 | [post] access to local variable y : SimpleClass [field field] : String | GlobalDataFlow.cs:517:15:517:15 | access to local variable y : SimpleClass [field field] : String |
| GlobalDataFlow.cs:516:15:516:15 | access to parameter x : SimpleClass [field field] : String | GlobalDataFlow.cs:516:15:516:21 | access to field field |
| GlobalDataFlow.cs:517:15:517:15 | access to local variable y : SimpleClass [field field] : String | GlobalDataFlow.cs:517:15:517:21 | access to field field |
| GlobalDataFlow.cs:527:20:527:20 | [post] access to local variable x : SimpleClass [field field] : String | GlobalDataFlow.cs:531:15:531:15 | access to local variable x : SimpleClass [field field] : String |
| GlobalDataFlow.cs:528:20:528:20 | [post] access to local variable y : SimpleClass [field field] : String | GlobalDataFlow.cs:532:15:532:15 | access to local variable y : SimpleClass [field field] : String |
| GlobalDataFlow.cs:529:18:529:18 | [post] access to local variable z : SimpleClass [field field] : String | GlobalDataFlow.cs:533:15:533:15 | access to local variable z : SimpleClass [field field] : String |
| GlobalDataFlow.cs:531:15:531:15 | access to local variable x : SimpleClass [field field] : String | GlobalDataFlow.cs:531:15:531:21 | access to field field |
| GlobalDataFlow.cs:532:15:532:15 | access to local variable y : SimpleClass [field field] : String | GlobalDataFlow.cs:532:15:532:21 | access to field field |
| GlobalDataFlow.cs:533:15:533:15 | access to local variable z : SimpleClass [field field] : String | GlobalDataFlow.cs:533:15:533:21 | access to field field |
| GlobalDataFlow.cs:538:20:538:21 | [post] access to parameter sc : SimpleClass [field field] : String | GlobalDataFlow.cs:539:15:539:16 | access to parameter sc : SimpleClass [field field] : String |
| GlobalDataFlow.cs:539:15:539:16 | access to parameter sc : SimpleClass [field field] : String | GlobalDataFlow.cs:539:15:539:22 | access to field field |
| GlobalDataFlow.cs:546:24:546:24 | [post] access to local variable x : SimpleClass [field field] : String | GlobalDataFlow.cs:547:15:547:15 | access to local variable x : SimpleClass [field field] : String |
| GlobalDataFlow.cs:547:15:547:15 | access to local variable x : SimpleClass [field field] : String | GlobalDataFlow.cs:547:15:547:21 | access to field field |
| GlobalDataFlow.cs:553:71:553:71 | e : null [element] : String | GlobalDataFlow.cs:556:27:556:27 | access to parameter e : null [element] : String |
| GlobalDataFlow.cs:556:22:556:22 | SSA def(x) : String | GlobalDataFlow.cs:558:46:558:46 | access to local variable x : String |
| GlobalDataFlow.cs:556:27:556:27 | access to parameter e : null [element] : String | GlobalDataFlow.cs:556:22:556:22 | SSA def(x) : String |
| GlobalDataFlow.cs:558:46:558:46 | access to local variable x : String | GlobalDataFlow.cs:81:79:81:79 | x : String |
| GlobalDataFlow.cs:558:46:558:46 | access to local variable x : String | GlobalDataFlow.cs:558:44:558:47 | delegate call : String |
| Splitting.cs:3:28:3:34 | tainted : String | Splitting.cs:8:24:8:30 | [b (line 3): false] access to parameter tainted : String |
| Splitting.cs:3:28:3:34 | tainted : String | Splitting.cs:8:24:8:30 | [b (line 3): true] access to parameter tainted : String |
| Splitting.cs:8:17:8:31 | [b (line 3): false] call to method Return<String> : String | Splitting.cs:9:15:9:15 | [b (line 3): false] access to local variable x |
@ -548,66 +548,66 @@ nodes
| GlobalDataFlow.cs:427:9:427:11 | value : String | semmle.label | value : String |
| GlobalDataFlow.cs:427:41:427:46 | access to local variable sink20 | semmle.label | access to local variable sink20 |
| GlobalDataFlow.cs:438:22:438:35 | "taint source" : String | semmle.label | "taint source" : String |
| GlobalDataFlow.cs:474:20:474:49 | call to method Run<String> : Task<T> [property Result] : String | semmle.label | call to method Run<String> : Task<T> [property Result] : String |
| GlobalDataFlow.cs:474:35:474:48 | "taint source" : String | semmle.label | "taint source" : String |
| GlobalDataFlow.cs:475:25:475:28 | access to local variable task : Task<T> [property Result] : String | semmle.label | access to local variable task : Task<T> [property Result] : String |
| GlobalDataFlow.cs:475:25:475:50 | call to method ConfigureAwait : ConfiguredTaskAwaitable<T> [synthetic m_configuredTaskAwaiter, synthetic m_task_configured_task_awaitable, property Result] : String | semmle.label | call to method ConfigureAwait : ConfiguredTaskAwaitable<T> [synthetic m_configuredTaskAwaiter, synthetic m_task_configured_task_awaitable, property Result] : String |
| GlobalDataFlow.cs:476:23:476:31 | access to local variable awaitable : ConfiguredTaskAwaitable<T> [synthetic m_configuredTaskAwaiter, synthetic m_task_configured_task_awaitable, property Result] : String | semmle.label | access to local variable awaitable : ConfiguredTaskAwaitable<T> [synthetic m_configuredTaskAwaiter, synthetic m_task_configured_task_awaitable, property Result] : String |
| GlobalDataFlow.cs:476:23:476:44 | call to method GetAwaiter : ConfiguredTaskAwaitable<T>.ConfiguredTaskAwaiter [synthetic m_task_configured_task_awaitable, property Result] : String | semmle.label | call to method GetAwaiter : ConfiguredTaskAwaitable<T>.ConfiguredTaskAwaiter [synthetic m_task_configured_task_awaitable, property Result] : String |
| GlobalDataFlow.cs:477:22:477:28 | access to local variable awaiter : ConfiguredTaskAwaitable<T>.ConfiguredTaskAwaiter [synthetic m_task_configured_task_awaitable, property Result] : String | semmle.label | access to local variable awaiter : ConfiguredTaskAwaitable<T>.ConfiguredTaskAwaiter [synthetic m_task_configured_task_awaitable, property Result] : String |
| GlobalDataFlow.cs:477:22:477:40 | call to method GetResult : String | semmle.label | call to method GetResult : String |
| GlobalDataFlow.cs:478:15:478:20 | access to local variable sink45 | semmle.label | access to local variable sink45 |
| GlobalDataFlow.cs:483:53:483:55 | arg : String | semmle.label | arg : String |
| GlobalDataFlow.cs:486:21:486:21 | s : String | semmle.label | s : String |
| GlobalDataFlow.cs:486:32:486:32 | access to parameter s | semmle.label | access to parameter s |
| GlobalDataFlow.cs:487:15:487:17 | access to parameter arg : String | semmle.label | access to parameter arg : String |
| GlobalDataFlow.cs:490:28:490:41 | "taint source" : String | semmle.label | "taint source" : String |
| GlobalDataFlow.cs:500:9:500:10 | [post] access to parameter sc : SimpleClass [field field] : String | semmle.label | [post] access to parameter sc : SimpleClass [field field] : String |
| GlobalDataFlow.cs:500:20:500:33 | "taint source" : String | semmle.label | "taint source" : String |
| GlobalDataFlow.cs:507:25:507:26 | [post] access to local variable x1 : SimpleClass [field field] : String | semmle.label | [post] access to local variable x1 : SimpleClass [field field] : String |
| GlobalDataFlow.cs:507:30:507:31 | [post] access to local variable x2 : SimpleClass [field field] : String | semmle.label | [post] access to local variable x2 : SimpleClass [field field] : String |
| GlobalDataFlow.cs:508:15:508:16 | access to local variable x1 : SimpleClass [field field] : String | semmle.label | access to local variable x1 : SimpleClass [field field] : String |
| GlobalDataFlow.cs:508:15:508:22 | access to field field | semmle.label | access to field field |
| GlobalDataFlow.cs:509:15:509:16 | access to local variable x2 : SimpleClass [field field] : String | semmle.label | access to local variable x2 : SimpleClass [field field] : String |
| GlobalDataFlow.cs:509:15:509:22 | access to field field | semmle.label | access to field field |
| GlobalDataFlow.cs:514:31:514:32 | [post] access to local variable y1 : SimpleClass [field field] : String | semmle.label | [post] access to local variable y1 : SimpleClass [field field] : String |
| GlobalDataFlow.cs:514:36:514:37 | [post] access to local variable y2 : SimpleClass [field field] : String | semmle.label | [post] access to local variable y2 : SimpleClass [field field] : String |
| GlobalDataFlow.cs:514:42:514:43 | [post] access to local variable y3 : SimpleClass [field field] : String | semmle.label | [post] access to local variable y3 : SimpleClass [field field] : String |
| GlobalDataFlow.cs:515:15:515:16 | access to local variable y1 : SimpleClass [field field] : String | semmle.label | access to local variable y1 : SimpleClass [field field] : String |
| GlobalDataFlow.cs:515:15:515:22 | access to field field | semmle.label | access to field field |
| GlobalDataFlow.cs:516:15:516:16 | access to local variable y2 : SimpleClass [field field] : String | semmle.label | access to local variable y2 : SimpleClass [field field] : String |
| GlobalDataFlow.cs:516:15:516:22 | access to field field | semmle.label | access to field field |
| GlobalDataFlow.cs:517:15:517:16 | access to local variable y3 : SimpleClass [field field] : String | semmle.label | access to local variable y3 : SimpleClass [field field] : String |
| GlobalDataFlow.cs:517:15:517:22 | access to field field | semmle.label | access to field field |
| GlobalDataFlow.cs:525:33:525:33 | [post] access to local variable x : SubSimpleClass [field field] : String | semmle.label | [post] access to local variable x : SubSimpleClass [field field] : String |
| GlobalDataFlow.cs:526:15:526:15 | access to local variable x : SubSimpleClass [field field] : String | semmle.label | access to local variable x : SubSimpleClass [field field] : String |
| GlobalDataFlow.cs:526:15:526:21 | access to field field | semmle.label | access to field field |
| GlobalDataFlow.cs:532:20:532:20 | [post] access to parameter x : SimpleClass [field field] : String | semmle.label | [post] access to parameter x : SimpleClass [field field] : String |
| GlobalDataFlow.cs:532:25:532:25 | [post] access to local variable y : SimpleClass [field field] : String | semmle.label | [post] access to local variable y : SimpleClass [field field] : String |
| GlobalDataFlow.cs:533:15:533:15 | access to parameter x : SimpleClass [field field] : String | semmle.label | access to parameter x : SimpleClass [field field] : String |
| GlobalDataFlow.cs:457:20:457:49 | call to method Run<String> : Task<T> [property Result] : String | semmle.label | call to method Run<String> : Task<T> [property Result] : String |
| GlobalDataFlow.cs:457:35:457:48 | "taint source" : String | semmle.label | "taint source" : String |
| GlobalDataFlow.cs:458:25:458:28 | access to local variable task : Task<T> [property Result] : String | semmle.label | access to local variable task : Task<T> [property Result] : String |
| GlobalDataFlow.cs:458:25:458:50 | call to method ConfigureAwait : ConfiguredTaskAwaitable<T> [synthetic m_configuredTaskAwaiter, synthetic m_task_configured_task_awaitable, property Result] : String | semmle.label | call to method ConfigureAwait : ConfiguredTaskAwaitable<T> [synthetic m_configuredTaskAwaiter, synthetic m_task_configured_task_awaitable, property Result] : String |
| GlobalDataFlow.cs:459:23:459:31 | access to local variable awaitable : ConfiguredTaskAwaitable<T> [synthetic m_configuredTaskAwaiter, synthetic m_task_configured_task_awaitable, property Result] : String | semmle.label | access to local variable awaitable : ConfiguredTaskAwaitable<T> [synthetic m_configuredTaskAwaiter, synthetic m_task_configured_task_awaitable, property Result] : String |
| GlobalDataFlow.cs:459:23:459:44 | call to method GetAwaiter : ConfiguredTaskAwaitable<T>.ConfiguredTaskAwaiter [synthetic m_task_configured_task_awaitable, property Result] : String | semmle.label | call to method GetAwaiter : ConfiguredTaskAwaitable<T>.ConfiguredTaskAwaiter [synthetic m_task_configured_task_awaitable, property Result] : String |
| GlobalDataFlow.cs:460:22:460:28 | access to local variable awaiter : ConfiguredTaskAwaitable<T>.ConfiguredTaskAwaiter [synthetic m_task_configured_task_awaitable, property Result] : String | semmle.label | access to local variable awaiter : ConfiguredTaskAwaitable<T>.ConfiguredTaskAwaiter [synthetic m_task_configured_task_awaitable, property Result] : String |
| GlobalDataFlow.cs:460:22:460:40 | call to method GetResult : String | semmle.label | call to method GetResult : String |
| GlobalDataFlow.cs:461:15:461:20 | access to local variable sink45 | semmle.label | access to local variable sink45 |
| GlobalDataFlow.cs:466:53:466:55 | arg : String | semmle.label | arg : String |
| GlobalDataFlow.cs:469:21:469:21 | s : String | semmle.label | s : String |
| GlobalDataFlow.cs:469:32:469:32 | access to parameter s | semmle.label | access to parameter s |
| GlobalDataFlow.cs:470:15:470:17 | access to parameter arg : String | semmle.label | access to parameter arg : String |
| GlobalDataFlow.cs:473:28:473:41 | "taint source" : String | semmle.label | "taint source" : String |
| GlobalDataFlow.cs:483:9:483:10 | [post] access to parameter sc : SimpleClass [field field] : String | semmle.label | [post] access to parameter sc : SimpleClass [field field] : String |
| GlobalDataFlow.cs:483:20:483:33 | "taint source" : String | semmle.label | "taint source" : String |
| GlobalDataFlow.cs:490:25:490:26 | [post] access to local variable x1 : SimpleClass [field field] : String | semmle.label | [post] access to local variable x1 : SimpleClass [field field] : String |
| GlobalDataFlow.cs:490:30:490:31 | [post] access to local variable x2 : SimpleClass [field field] : String | semmle.label | [post] access to local variable x2 : SimpleClass [field field] : String |
| GlobalDataFlow.cs:491:15:491:16 | access to local variable x1 : SimpleClass [field field] : String | semmle.label | access to local variable x1 : SimpleClass [field field] : String |
| GlobalDataFlow.cs:491:15:491:22 | access to field field | semmle.label | access to field field |
| GlobalDataFlow.cs:492:15:492:16 | access to local variable x2 : SimpleClass [field field] : String | semmle.label | access to local variable x2 : SimpleClass [field field] : String |
| GlobalDataFlow.cs:492:15:492:22 | access to field field | semmle.label | access to field field |
| GlobalDataFlow.cs:497:31:497:32 | [post] access to local variable y1 : SimpleClass [field field] : String | semmle.label | [post] access to local variable y1 : SimpleClass [field field] : String |
| GlobalDataFlow.cs:497:36:497:37 | [post] access to local variable y2 : SimpleClass [field field] : String | semmle.label | [post] access to local variable y2 : SimpleClass [field field] : String |
| GlobalDataFlow.cs:497:42:497:43 | [post] access to local variable y3 : SimpleClass [field field] : String | semmle.label | [post] access to local variable y3 : SimpleClass [field field] : String |
| GlobalDataFlow.cs:498:15:498:16 | access to local variable y1 : SimpleClass [field field] : String | semmle.label | access to local variable y1 : SimpleClass [field field] : String |
| GlobalDataFlow.cs:498:15:498:22 | access to field field | semmle.label | access to field field |
| GlobalDataFlow.cs:499:15:499:16 | access to local variable y2 : SimpleClass [field field] : String | semmle.label | access to local variable y2 : SimpleClass [field field] : String |
| GlobalDataFlow.cs:499:15:499:22 | access to field field | semmle.label | access to field field |
| GlobalDataFlow.cs:500:15:500:16 | access to local variable y3 : SimpleClass [field field] : String | semmle.label | access to local variable y3 : SimpleClass [field field] : String |
| GlobalDataFlow.cs:500:15:500:22 | access to field field | semmle.label | access to field field |
| GlobalDataFlow.cs:508:33:508:33 | [post] access to local variable x : SubSimpleClass [field field] : String | semmle.label | [post] access to local variable x : SubSimpleClass [field field] : String |
| GlobalDataFlow.cs:509:15:509:15 | access to local variable x : SubSimpleClass [field field] : String | semmle.label | access to local variable x : SubSimpleClass [field field] : String |
| GlobalDataFlow.cs:509:15:509:21 | access to field field | semmle.label | access to field field |
| GlobalDataFlow.cs:515:20:515:20 | [post] access to parameter x : SimpleClass [field field] : String | semmle.label | [post] access to parameter x : SimpleClass [field field] : String |
| GlobalDataFlow.cs:515:25:515:25 | [post] access to local variable y : SimpleClass [field field] : String | semmle.label | [post] access to local variable y : SimpleClass [field field] : String |
| GlobalDataFlow.cs:516:15:516:15 | access to parameter x : SimpleClass [field field] : String | semmle.label | access to parameter x : SimpleClass [field field] : String |
| GlobalDataFlow.cs:516:15:516:21 | access to field field | semmle.label | access to field field |
| GlobalDataFlow.cs:517:15:517:15 | access to local variable y : SimpleClass [field field] : String | semmle.label | access to local variable y : SimpleClass [field field] : String |
| GlobalDataFlow.cs:517:15:517:21 | access to field field | semmle.label | access to field field |
| GlobalDataFlow.cs:527:20:527:20 | [post] access to local variable x : SimpleClass [field field] : String | semmle.label | [post] access to local variable x : SimpleClass [field field] : String |
| GlobalDataFlow.cs:528:20:528:20 | [post] access to local variable y : SimpleClass [field field] : String | semmle.label | [post] access to local variable y : SimpleClass [field field] : String |
| GlobalDataFlow.cs:529:18:529:18 | [post] access to local variable z : SimpleClass [field field] : String | semmle.label | [post] access to local variable z : SimpleClass [field field] : String |
| GlobalDataFlow.cs:531:15:531:15 | access to local variable x : SimpleClass [field field] : String | semmle.label | access to local variable x : SimpleClass [field field] : String |
| GlobalDataFlow.cs:531:15:531:21 | access to field field | semmle.label | access to field field |
| GlobalDataFlow.cs:532:15:532:15 | access to local variable y : SimpleClass [field field] : String | semmle.label | access to local variable y : SimpleClass [field field] : String |
| GlobalDataFlow.cs:532:15:532:21 | access to field field | semmle.label | access to field field |
| GlobalDataFlow.cs:533:15:533:15 | access to local variable z : SimpleClass [field field] : String | semmle.label | access to local variable z : SimpleClass [field field] : String |
| GlobalDataFlow.cs:533:15:533:21 | access to field field | semmle.label | access to field field |
| GlobalDataFlow.cs:534:15:534:15 | access to local variable y : SimpleClass [field field] : String | semmle.label | access to local variable y : SimpleClass [field field] : String |
| GlobalDataFlow.cs:534:15:534:21 | access to field field | semmle.label | access to field field |
| GlobalDataFlow.cs:544:20:544:20 | [post] access to local variable x : SimpleClass [field field] : String | semmle.label | [post] access to local variable x : SimpleClass [field field] : String |
| GlobalDataFlow.cs:545:20:545:20 | [post] access to local variable y : SimpleClass [field field] : String | semmle.label | [post] access to local variable y : SimpleClass [field field] : String |
| GlobalDataFlow.cs:546:18:546:18 | [post] access to local variable z : SimpleClass [field field] : String | semmle.label | [post] access to local variable z : SimpleClass [field field] : String |
| GlobalDataFlow.cs:548:15:548:15 | access to local variable x : SimpleClass [field field] : String | semmle.label | access to local variable x : SimpleClass [field field] : String |
| GlobalDataFlow.cs:548:15:548:21 | access to field field | semmle.label | access to field field |
| GlobalDataFlow.cs:549:15:549:15 | access to local variable y : SimpleClass [field field] : String | semmle.label | access to local variable y : SimpleClass [field field] : String |
| GlobalDataFlow.cs:549:15:549:21 | access to field field | semmle.label | access to field field |
| GlobalDataFlow.cs:550:15:550:15 | access to local variable z : SimpleClass [field field] : String | semmle.label | access to local variable z : SimpleClass [field field] : String |
| GlobalDataFlow.cs:550:15:550:21 | access to field field | semmle.label | access to field field |
| GlobalDataFlow.cs:555:20:555:21 | [post] access to parameter sc : SimpleClass [field field] : String | semmle.label | [post] access to parameter sc : SimpleClass [field field] : String |
| GlobalDataFlow.cs:556:15:556:16 | access to parameter sc : SimpleClass [field field] : String | semmle.label | access to parameter sc : SimpleClass [field field] : String |
| GlobalDataFlow.cs:556:15:556:22 | access to field field | semmle.label | access to field field |
| GlobalDataFlow.cs:563:24:563:24 | [post] access to local variable x : SimpleClass [field field] : String | semmle.label | [post] access to local variable x : SimpleClass [field field] : String |
| GlobalDataFlow.cs:564:15:564:15 | access to local variable x : SimpleClass [field field] : String | semmle.label | access to local variable x : SimpleClass [field field] : String |
| GlobalDataFlow.cs:564:15:564:21 | access to field field | semmle.label | access to field field |
| GlobalDataFlow.cs:570:71:570:71 | e : null [element] : String | semmle.label | e : null [element] : String |
| GlobalDataFlow.cs:573:22:573:22 | SSA def(x) : String | semmle.label | SSA def(x) : String |
| GlobalDataFlow.cs:573:27:573:27 | access to parameter e : null [element] : String | semmle.label | access to parameter e : null [element] : String |
| GlobalDataFlow.cs:575:44:575:47 | delegate call : String | semmle.label | delegate call : String |
| GlobalDataFlow.cs:575:46:575:46 | access to local variable x : String | semmle.label | access to local variable x : String |
| GlobalDataFlow.cs:538:20:538:21 | [post] access to parameter sc : SimpleClass [field field] : String | semmle.label | [post] access to parameter sc : SimpleClass [field field] : String |
| GlobalDataFlow.cs:539:15:539:16 | access to parameter sc : SimpleClass [field field] : String | semmle.label | access to parameter sc : SimpleClass [field field] : String |
| GlobalDataFlow.cs:539:15:539:22 | access to field field | semmle.label | access to field field |
| GlobalDataFlow.cs:546:24:546:24 | [post] access to local variable x : SimpleClass [field field] : String | semmle.label | [post] access to local variable x : SimpleClass [field field] : String |
| GlobalDataFlow.cs:547:15:547:15 | access to local variable x : SimpleClass [field field] : String | semmle.label | access to local variable x : SimpleClass [field field] : String |
| GlobalDataFlow.cs:547:15:547:21 | access to field field | semmle.label | access to field field |
| GlobalDataFlow.cs:553:71:553:71 | e : null [element] : String | semmle.label | e : null [element] : String |
| GlobalDataFlow.cs:556:22:556:22 | SSA def(x) : String | semmle.label | SSA def(x) : String |
| GlobalDataFlow.cs:556:27:556:27 | access to parameter e : null [element] : String | semmle.label | access to parameter e : null [element] : String |
| GlobalDataFlow.cs:558:44:558:47 | delegate call : String | semmle.label | delegate call : String |
| GlobalDataFlow.cs:558:46:558:46 | access to local variable x : String | semmle.label | access to local variable x : String |
| Splitting.cs:3:28:3:34 | tainted : String | semmle.label | tainted : String |
| Splitting.cs:8:17:8:31 | [b (line 3): false] call to method Return<String> : String | semmle.label | [b (line 3): false] call to method Return<String> : String |
| Splitting.cs:8:17:8:31 | [b (line 3): true] call to method Return<String> : String | semmle.label | [b (line 3): true] call to method Return<String> : String |
@ -645,7 +645,7 @@ subpaths
| GlobalDataFlow.cs:73:94:73:98 | access to local variable sink0 : String | GlobalDataFlow.cs:298:26:298:26 | x : String | GlobalDataFlow.cs:301:16:301:41 | ... ? ... : ... : String | GlobalDataFlow.cs:73:29:73:101 | call to method Invoke : String |
| GlobalDataFlow.cs:76:19:76:23 | access to local variable sink1 : String | GlobalDataFlow.cs:304:32:304:32 | x : String | GlobalDataFlow.cs:306:9:306:13 | SSA def(y) : String | GlobalDataFlow.cs:76:30:76:34 | SSA def(sink2) : String |
| GlobalDataFlow.cs:79:19:79:23 | access to local variable sink2 : String | GlobalDataFlow.cs:310:32:310:32 | x : String | GlobalDataFlow.cs:312:9:312:13 | SSA def(y) : String | GlobalDataFlow.cs:79:30:79:34 | SSA def(sink3) : String |
| GlobalDataFlow.cs:81:23:81:65 | (...) ... : null [element] : String | GlobalDataFlow.cs:570:71:570:71 | e : null [element] : String | GlobalDataFlow.cs:575:44:575:47 | delegate call : String | GlobalDataFlow.cs:81:22:81:85 | call to method SelectEven<String,String> : IEnumerable<T> [element] : String |
| GlobalDataFlow.cs:81:23:81:65 | (...) ... : null [element] : String | GlobalDataFlow.cs:553:71:553:71 | e : null [element] : String | GlobalDataFlow.cs:558:44:558:47 | delegate call : String | GlobalDataFlow.cs:81:22:81:85 | call to method SelectEven<String,String> : IEnumerable<T> [element] : String |
| GlobalDataFlow.cs:138:63:138:63 | access to parameter x : String | GlobalDataFlow.cs:387:46:387:46 | x : String | GlobalDataFlow.cs:389:16:389:19 | delegate call : String | GlobalDataFlow.cs:138:45:138:64 | call to method ApplyFunc<String,String> : String |
| GlobalDataFlow.cs:139:29:139:33 | access to local variable sink3 : String | GlobalDataFlow.cs:138:40:138:40 | x : String | GlobalDataFlow.cs:138:45:138:64 | call to method ApplyFunc<String,String> : String | GlobalDataFlow.cs:139:21:139:34 | delegate call : String |
| GlobalDataFlow.cs:147:39:147:43 | access to local variable sink4 : String | GlobalDataFlow.cs:387:46:387:46 | x : String | GlobalDataFlow.cs:389:16:389:19 | delegate call : String | GlobalDataFlow.cs:147:21:147:44 | call to method ApplyFunc<String,String> : String |
@ -653,7 +653,7 @@ subpaths
| GlobalDataFlow.cs:389:18:389:18 | access to parameter x : String | GlobalDataFlow.cs:298:26:298:26 | x : String | GlobalDataFlow.cs:301:16:301:41 | ... ? ... : ... : String | GlobalDataFlow.cs:389:16:389:19 | delegate call : String |
| GlobalDataFlow.cs:389:18:389:18 | access to parameter x : String | GlobalDataFlow.cs:298:26:298:26 | x : String | GlobalDataFlow.cs:301:16:301:41 | ... ? ... : ... : String | GlobalDataFlow.cs:389:16:389:19 | delegate call : String |
| GlobalDataFlow.cs:389:18:389:18 | access to parameter x : String | GlobalDataFlow.cs:300:27:300:28 | x0 : String | GlobalDataFlow.cs:300:33:300:34 | access to parameter x0 : String | GlobalDataFlow.cs:389:16:389:19 | delegate call : String |
| GlobalDataFlow.cs:575:46:575:46 | access to local variable x : String | GlobalDataFlow.cs:81:79:81:79 | x : String | GlobalDataFlow.cs:81:84:81:84 | access to parameter x : String | GlobalDataFlow.cs:575:44:575:47 | delegate call : String |
| GlobalDataFlow.cs:558:46:558:46 | access to local variable x : String | GlobalDataFlow.cs:81:79:81:79 | x : String | GlobalDataFlow.cs:81:84:81:84 | access to parameter x : String | GlobalDataFlow.cs:558:44:558:47 | delegate call : String |
| Splitting.cs:8:24:8:30 | [b (line 3): false] access to parameter tainted : String | Splitting.cs:16:26:16:26 | x : String | Splitting.cs:16:32:16:32 | access to parameter x : String | Splitting.cs:8:17:8:31 | [b (line 3): false] call to method Return<String> : String |
| Splitting.cs:8:24:8:30 | [b (line 3): true] access to parameter tainted : String | Splitting.cs:16:26:16:26 | x : String | Splitting.cs:16:32:16:32 | access to parameter x : String | Splitting.cs:8:17:8:31 | [b (line 3): true] call to method Return<String> : String |
| Splitting.cs:20:29:20:29 | access to parameter s : String | Splitting.cs:16:26:16:26 | x : String | Splitting.cs:16:32:16:32 | access to parameter x : String | Splitting.cs:20:22:20:30 | call to method Return<String> : String |
@ -666,19 +666,19 @@ subpaths
| Splitting.cs:9:15:9:15 | [b (line 3): false] access to local variable x | Splitting.cs:3:28:3:34 | tainted : String | Splitting.cs:9:15:9:15 | [b (line 3): false] access to local variable x | [b (line 3): false] access to local variable x |
| Splitting.cs:9:15:9:15 | [b (line 3): true] access to local variable x | Splitting.cs:3:28:3:34 | tainted : String | Splitting.cs:9:15:9:15 | [b (line 3): true] access to local variable x | [b (line 3): true] access to local variable x |
| GlobalDataFlow.cs:19:15:19:29 | access to field SinkField0 | GlobalDataFlow.cs:18:27:18:40 | "taint source" : String | GlobalDataFlow.cs:19:15:19:29 | access to field SinkField0 | access to field SinkField0 |
| GlobalDataFlow.cs:508:15:508:22 | access to field field | GlobalDataFlow.cs:500:20:500:33 | "taint source" : String | GlobalDataFlow.cs:508:15:508:22 | access to field field | access to field field |
| GlobalDataFlow.cs:509:15:509:22 | access to field field | GlobalDataFlow.cs:500:20:500:33 | "taint source" : String | GlobalDataFlow.cs:509:15:509:22 | access to field field | access to field field |
| GlobalDataFlow.cs:515:15:515:22 | access to field field | GlobalDataFlow.cs:500:20:500:33 | "taint source" : String | GlobalDataFlow.cs:515:15:515:22 | access to field field | access to field field |
| GlobalDataFlow.cs:516:15:516:22 | access to field field | GlobalDataFlow.cs:500:20:500:33 | "taint source" : String | GlobalDataFlow.cs:516:15:516:22 | access to field field | access to field field |
| GlobalDataFlow.cs:517:15:517:22 | access to field field | GlobalDataFlow.cs:500:20:500:33 | "taint source" : String | GlobalDataFlow.cs:517:15:517:22 | access to field field | access to field field |
| GlobalDataFlow.cs:526:15:526:21 | access to field field | GlobalDataFlow.cs:500:20:500:33 | "taint source" : String | GlobalDataFlow.cs:526:15:526:21 | access to field field | access to field field |
| GlobalDataFlow.cs:533:15:533:21 | access to field field | GlobalDataFlow.cs:500:20:500:33 | "taint source" : String | GlobalDataFlow.cs:533:15:533:21 | access to field field | access to field field |
| GlobalDataFlow.cs:534:15:534:21 | access to field field | GlobalDataFlow.cs:500:20:500:33 | "taint source" : String | GlobalDataFlow.cs:534:15:534:21 | access to field field | access to field field |
| GlobalDataFlow.cs:548:15:548:21 | access to field field | GlobalDataFlow.cs:500:20:500:33 | "taint source" : String | GlobalDataFlow.cs:548:15:548:21 | access to field field | access to field field |
| GlobalDataFlow.cs:549:15:549:21 | access to field field | GlobalDataFlow.cs:500:20:500:33 | "taint source" : String | GlobalDataFlow.cs:549:15:549:21 | access to field field | access to field field |
| GlobalDataFlow.cs:550:15:550:21 | access to field field | GlobalDataFlow.cs:500:20:500:33 | "taint source" : String | GlobalDataFlow.cs:550:15:550:21 | access to field field | access to field field |
| GlobalDataFlow.cs:556:15:556:22 | access to field field | GlobalDataFlow.cs:500:20:500:33 | "taint source" : String | GlobalDataFlow.cs:556:15:556:22 | access to field field | access to field field |
| GlobalDataFlow.cs:564:15:564:21 | access to field field | GlobalDataFlow.cs:500:20:500:33 | "taint source" : String | GlobalDataFlow.cs:564:15:564:21 | access to field field | access to field field |
| GlobalDataFlow.cs:491:15:491:22 | access to field field | GlobalDataFlow.cs:483:20:483:33 | "taint source" : String | GlobalDataFlow.cs:491:15:491:22 | access to field field | access to field field |
| GlobalDataFlow.cs:492:15:492:22 | access to field field | GlobalDataFlow.cs:483:20:483:33 | "taint source" : String | GlobalDataFlow.cs:492:15:492:22 | access to field field | access to field field |
| GlobalDataFlow.cs:498:15:498:22 | access to field field | GlobalDataFlow.cs:483:20:483:33 | "taint source" : String | GlobalDataFlow.cs:498:15:498:22 | access to field field | access to field field |
| GlobalDataFlow.cs:499:15:499:22 | access to field field | GlobalDataFlow.cs:483:20:483:33 | "taint source" : String | GlobalDataFlow.cs:499:15:499:22 | access to field field | access to field field |
| GlobalDataFlow.cs:500:15:500:22 | access to field field | GlobalDataFlow.cs:483:20:483:33 | "taint source" : String | GlobalDataFlow.cs:500:15:500:22 | access to field field | access to field field |
| GlobalDataFlow.cs:509:15:509:21 | access to field field | GlobalDataFlow.cs:483:20:483:33 | "taint source" : String | GlobalDataFlow.cs:509:15:509:21 | access to field field | access to field field |
| GlobalDataFlow.cs:516:15:516:21 | access to field field | GlobalDataFlow.cs:483:20:483:33 | "taint source" : String | GlobalDataFlow.cs:516:15:516:21 | access to field field | access to field field |
| GlobalDataFlow.cs:517:15:517:21 | access to field field | GlobalDataFlow.cs:483:20:483:33 | "taint source" : String | GlobalDataFlow.cs:517:15:517:21 | access to field field | access to field field |
| GlobalDataFlow.cs:531:15:531:21 | access to field field | GlobalDataFlow.cs:483:20:483:33 | "taint source" : String | GlobalDataFlow.cs:531:15:531:21 | access to field field | access to field field |
| GlobalDataFlow.cs:532:15:532:21 | access to field field | GlobalDataFlow.cs:483:20:483:33 | "taint source" : String | GlobalDataFlow.cs:532:15:532:21 | access to field field | access to field field |
| GlobalDataFlow.cs:533:15:533:21 | access to field field | GlobalDataFlow.cs:483:20:483:33 | "taint source" : String | GlobalDataFlow.cs:533:15:533:21 | access to field field | access to field field |
| GlobalDataFlow.cs:539:15:539:22 | access to field field | GlobalDataFlow.cs:483:20:483:33 | "taint source" : String | GlobalDataFlow.cs:539:15:539:22 | access to field field | access to field field |
| GlobalDataFlow.cs:547:15:547:21 | access to field field | GlobalDataFlow.cs:483:20:483:33 | "taint source" : String | GlobalDataFlow.cs:547:15:547:21 | access to field field | access to field field |
| Splitting.cs:41:19:41:19 | access to local variable s | Splitting.cs:39:21:39:34 | [b (line 37): true] "taint source" : String | Splitting.cs:41:19:41:19 | access to local variable s | access to local variable s |
| Splitting.cs:50:19:50:19 | access to local variable s | Splitting.cs:48:36:48:49 | "taint source" : String | Splitting.cs:50:19:50:19 | access to local variable s | access to local variable s |
| Splitting.cs:52:19:52:19 | access to local variable s | Splitting.cs:48:36:48:49 | "taint source" : String | Splitting.cs:52:19:52:19 | access to local variable s | access to local variable s |
@ -715,7 +715,7 @@ subpaths
| Capture.cs:122:15:122:20 | access to local variable sink40 | Capture.cs:115:26:115:39 | "taint source" : String | Capture.cs:122:15:122:20 | access to local variable sink40 | access to local variable sink40 |
| GlobalDataFlow.cs:243:15:243:20 | access to local variable sink41 | GlobalDataFlow.cs:241:35:241:48 | "taint source" : String | GlobalDataFlow.cs:243:15:243:20 | access to local variable sink41 | access to local variable sink41 |
| GlobalDataFlow.cs:245:15:245:20 | access to local variable sink42 | GlobalDataFlow.cs:241:35:241:48 | "taint source" : String | GlobalDataFlow.cs:245:15:245:20 | access to local variable sink42 | access to local variable sink42 |
| GlobalDataFlow.cs:478:15:478:20 | access to local variable sink45 | GlobalDataFlow.cs:474:35:474:48 | "taint source" : String | GlobalDataFlow.cs:478:15:478:20 | access to local variable sink45 | access to local variable sink45 |
| GlobalDataFlow.cs:461:15:461:20 | access to local variable sink45 | GlobalDataFlow.cs:457:35:457:48 | "taint source" : String | GlobalDataFlow.cs:461:15:461:20 | access to local variable sink45 | access to local variable sink45 |
| GlobalDataFlow.cs:148:15:148:19 | access to local variable sink5 | GlobalDataFlow.cs:18:27:18:40 | "taint source" : String | GlobalDataFlow.cs:148:15:148:19 | access to local variable sink5 | access to local variable sink5 |
| GlobalDataFlow.cs:158:15:158:19 | access to local variable sink6 | GlobalDataFlow.cs:341:16:341:29 | "taint source" : String | GlobalDataFlow.cs:158:15:158:19 | access to local variable sink6 | access to local variable sink6 |
| GlobalDataFlow.cs:161:15:161:19 | access to local variable sink7 | GlobalDataFlow.cs:346:13:346:26 | "taint source" : String | GlobalDataFlow.cs:161:15:161:19 | access to local variable sink7 | access to local variable sink7 |
@ -723,7 +723,7 @@ subpaths
| GlobalDataFlow.cs:185:15:185:19 | access to local variable sink9 | GlobalDataFlow.cs:183:35:183:48 | "taint source" : String | GlobalDataFlow.cs:185:15:185:19 | access to local variable sink9 | access to local variable sink9 |
| Splitting.cs:11:19:11:19 | access to local variable x | Splitting.cs:3:28:3:34 | tainted : String | Splitting.cs:11:19:11:19 | access to local variable x | access to local variable x |
| Splitting.cs:34:19:34:19 | access to local variable x | Splitting.cs:24:28:24:34 | tainted : String | Splitting.cs:34:19:34:19 | access to local variable x | access to local variable x |
| GlobalDataFlow.cs:486:32:486:32 | access to parameter s | GlobalDataFlow.cs:490:28:490:41 | "taint source" : String | GlobalDataFlow.cs:486:32:486:32 | access to parameter s | access to parameter s |
| GlobalDataFlow.cs:469:32:469:32 | access to parameter s | GlobalDataFlow.cs:473:28:473:41 | "taint source" : String | GlobalDataFlow.cs:469:32:469:32 | access to parameter s | access to parameter s |
| Capture.cs:57:27:57:32 | access to parameter sink39 | Capture.cs:7:20:7:26 | tainted : String | Capture.cs:57:27:57:32 | access to parameter sink39 | access to parameter sink39 |
| GlobalDataFlow.cs:260:15:260:24 | access to parameter sinkParam0 | GlobalDataFlow.cs:18:27:18:40 | "taint source" : String | GlobalDataFlow.cs:260:15:260:24 | access to parameter sinkParam0 | access to parameter sinkParam0 |
| GlobalDataFlow.cs:265:15:265:24 | access to parameter sinkParam1 | GlobalDataFlow.cs:18:27:18:40 | "taint source" : String | GlobalDataFlow.cs:265:15:265:24 | access to parameter sinkParam1 | access to parameter sinkParam1 |

54
csharp/ql/test/library-tests/dataflow/global/GetAnOutNode.expected
Просмотреть файл

@ -147,29 +147,37 @@
| GlobalDataFlow.cs:249:24:249:34 | access to property Result | normal | GlobalDataFlow.cs:249:24:249:34 | access to property Result |
| GlobalDataFlow.cs:300:17:300:38 | call to method ApplyFunc<T,T> | normal | GlobalDataFlow.cs:300:17:300:38 | call to method ApplyFunc<T,T> |
| GlobalDataFlow.cs:389:16:389:19 | delegate call | normal | GlobalDataFlow.cs:389:16:389:19 | delegate call |
| GlobalDataFlow.cs:448:9:448:20 | call to method Append | normal | GlobalDataFlow.cs:448:9:448:20 | call to method Append |
| GlobalDataFlow.cs:453:18:453:36 | object creation of type StringBuilder | normal | GlobalDataFlow.cs:453:18:453:36 | object creation of type StringBuilder |
| GlobalDataFlow.cs:455:22:455:34 | call to method ToString | normal | GlobalDataFlow.cs:455:22:455:34 | call to method ToString |
| GlobalDataFlow.cs:458:9:458:18 | call to method Clear | normal | GlobalDataFlow.cs:458:9:458:18 | call to method Clear |
| GlobalDataFlow.cs:459:23:459:35 | call to method ToString | normal | GlobalDataFlow.cs:459:23:459:35 | call to method ToString |
| GlobalDataFlow.cs:465:22:465:65 | call to method Join | normal | GlobalDataFlow.cs:465:22:465:65 | call to method Join |
| GlobalDataFlow.cs:468:23:468:65 | call to method Join | normal | GlobalDataFlow.cs:468:23:468:65 | call to method Join |
| GlobalDataFlow.cs:474:20:474:49 | call to method Run<String> | normal | GlobalDataFlow.cs:474:20:474:49 | call to method Run<String> |
| GlobalDataFlow.cs:475:25:475:50 | call to method ConfigureAwait | normal | GlobalDataFlow.cs:475:25:475:50 | call to method ConfigureAwait |
| GlobalDataFlow.cs:476:23:476:44 | call to method GetAwaiter | normal | GlobalDataFlow.cs:476:23:476:44 | call to method GetAwaiter |
| GlobalDataFlow.cs:477:22:477:40 | call to method GetResult | normal | GlobalDataFlow.cs:477:22:477:40 | call to method GetResult |
| GlobalDataFlow.cs:505:18:505:34 | object creation of type SimpleClass | normal | GlobalDataFlow.cs:505:18:505:34 | object creation of type SimpleClass |
| GlobalDataFlow.cs:506:18:506:34 | object creation of type SimpleClass | normal | GlobalDataFlow.cs:506:18:506:34 | object creation of type SimpleClass |
| GlobalDataFlow.cs:511:18:511:34 | object creation of type SimpleClass | normal | GlobalDataFlow.cs:511:18:511:34 | object creation of type SimpleClass |
| GlobalDataFlow.cs:512:18:512:34 | object creation of type SimpleClass | normal | GlobalDataFlow.cs:512:18:512:34 | object creation of type SimpleClass |
| GlobalDataFlow.cs:513:18:513:34 | object creation of type SimpleClass | normal | GlobalDataFlow.cs:513:18:513:34 | object creation of type SimpleClass |
| GlobalDataFlow.cs:524:17:524:36 | object creation of type SubSimpleClass | normal | GlobalDataFlow.cs:524:17:524:36 | object creation of type SubSimpleClass |
| GlobalDataFlow.cs:531:17:531:33 | object creation of type SimpleClass | normal | GlobalDataFlow.cs:531:17:531:33 | object creation of type SimpleClass |
| GlobalDataFlow.cs:539:17:539:33 | object creation of type SimpleClass | normal | GlobalDataFlow.cs:539:17:539:33 | object creation of type SimpleClass |
| GlobalDataFlow.cs:540:17:540:33 | object creation of type SimpleClass | normal | GlobalDataFlow.cs:540:17:540:33 | object creation of type SimpleClass |
| GlobalDataFlow.cs:541:17:541:33 | object creation of type SimpleClass | normal | GlobalDataFlow.cs:541:17:541:33 | object creation of type SimpleClass |
| GlobalDataFlow.cs:562:17:562:33 | object creation of type SimpleClass | normal | GlobalDataFlow.cs:562:17:562:33 | object creation of type SimpleClass |
| GlobalDataFlow.cs:575:44:575:47 | delegate call | normal | GlobalDataFlow.cs:575:44:575:47 | delegate call |
| GlobalDataFlow.cs:448:22:448:65 | call to method Join | normal | GlobalDataFlow.cs:448:22:448:65 | call to method Join |
| GlobalDataFlow.cs:451:23:451:65 | call to method Join | normal | GlobalDataFlow.cs:451:23:451:65 | call to method Join |
| GlobalDataFlow.cs:457:20:457:49 | call to method Run<String> | normal | GlobalDataFlow.cs:457:20:457:49 | call to method Run<String> |
| GlobalDataFlow.cs:458:25:458:50 | call to method ConfigureAwait | normal | GlobalDataFlow.cs:458:25:458:50 | call to method ConfigureAwait |
| GlobalDataFlow.cs:459:23:459:44 | call to method GetAwaiter | normal | GlobalDataFlow.cs:459:23:459:44 | call to method GetAwaiter |
| GlobalDataFlow.cs:460:22:460:40 | call to method GetResult | normal | GlobalDataFlow.cs:460:22:460:40 | call to method GetResult |
| GlobalDataFlow.cs:488:18:488:34 | object creation of type SimpleClass | normal | GlobalDataFlow.cs:488:18:488:34 | object creation of type SimpleClass |
| GlobalDataFlow.cs:489:18:489:34 | object creation of type SimpleClass | normal | GlobalDataFlow.cs:489:18:489:34 | object creation of type SimpleClass |
| GlobalDataFlow.cs:494:18:494:34 | object creation of type SimpleClass | normal | GlobalDataFlow.cs:494:18:494:34 | object creation of type SimpleClass |
| GlobalDataFlow.cs:495:18:495:34 | object creation of type SimpleClass | normal | GlobalDataFlow.cs:495:18:495:34 | object creation of type SimpleClass |
| GlobalDataFlow.cs:496:18:496:34 | object creation of type SimpleClass | normal | GlobalDataFlow.cs:496:18:496:34 | object creation of type SimpleClass |
| GlobalDataFlow.cs:507:17:507:36 | object creation of type SubSimpleClass | normal | GlobalDataFlow.cs:507:17:507:36 | object creation of type SubSimpleClass |
| GlobalDataFlow.cs:514:17:514:33 | object creation of type SimpleClass | normal | GlobalDataFlow.cs:514:17:514:33 | object creation of type SimpleClass |
| GlobalDataFlow.cs:522:17:522:33 | object creation of type SimpleClass | normal | GlobalDataFlow.cs:522:17:522:33 | object creation of type SimpleClass |
| GlobalDataFlow.cs:523:17:523:33 | object creation of type SimpleClass | normal | GlobalDataFlow.cs:523:17:523:33 | object creation of type SimpleClass |
| GlobalDataFlow.cs:524:17:524:33 | object creation of type SimpleClass | normal | GlobalDataFlow.cs:524:17:524:33 | object creation of type SimpleClass |
| GlobalDataFlow.cs:545:17:545:33 | object creation of type SimpleClass | normal | GlobalDataFlow.cs:545:17:545:33 | object creation of type SimpleClass |
| GlobalDataFlow.cs:558:44:558:47 | delegate call | normal | GlobalDataFlow.cs:558:44:558:47 | delegate call |
| GlobalDataFlowStringBuilder.cs:19:9:19:20 | call to method Append | normal | GlobalDataFlowStringBuilder.cs:19:9:19:20 | call to method Append |
| GlobalDataFlowStringBuilder.cs:24:9:24:27 | call to method Append | normal | GlobalDataFlowStringBuilder.cs:24:9:24:27 | call to method Append |
| GlobalDataFlowStringBuilder.cs:29:18:29:36 | object creation of type StringBuilder | normal | GlobalDataFlowStringBuilder.cs:29:18:29:36 | object creation of type StringBuilder |
| GlobalDataFlowStringBuilder.cs:31:21:31:33 | call to method ToString | normal | GlobalDataFlowStringBuilder.cs:31:21:31:33 | call to method ToString |
| GlobalDataFlowStringBuilder.cs:34:19:34:37 | object creation of type StringBuilder | normal | GlobalDataFlowStringBuilder.cs:34:19:34:37 | object creation of type StringBuilder |
| GlobalDataFlowStringBuilder.cs:35:9:35:22 | call to method Append | normal | GlobalDataFlowStringBuilder.cs:35:9:35:22 | call to method Append |
| GlobalDataFlowStringBuilder.cs:36:21:36:34 | call to method ToString | normal | GlobalDataFlowStringBuilder.cs:36:21:36:34 | call to method ToString |
| GlobalDataFlowStringBuilder.cs:39:19:39:37 | object creation of type StringBuilder | normal | GlobalDataFlowStringBuilder.cs:39:19:39:37 | object creation of type StringBuilder |
| GlobalDataFlowStringBuilder.cs:40:9:40:27 | call to method Append | normal | GlobalDataFlowStringBuilder.cs:40:9:40:27 | call to method Append |
| GlobalDataFlowStringBuilder.cs:41:21:41:34 | call to method ToString | normal | GlobalDataFlowStringBuilder.cs:41:21:41:34 | call to method ToString |
| GlobalDataFlowStringBuilder.cs:44:9:44:18 | call to method Clear | normal | GlobalDataFlowStringBuilder.cs:44:9:44:18 | call to method Clear |
| GlobalDataFlowStringBuilder.cs:45:23:45:35 | call to method ToString | normal | GlobalDataFlowStringBuilder.cs:45:23:45:35 | call to method ToString |
| GlobalDataFlowStringBuilder.cs:49:21:49:33 | call to method ToString | normal | GlobalDataFlowStringBuilder.cs:49:21:49:33 | call to method ToString |
| Splitting.cs:8:17:8:31 | [b (line 3): false] call to method Return<String> | normal | Splitting.cs:8:17:8:31 | [b (line 3): false] call to method Return<String> |
| Splitting.cs:8:17:8:31 | [b (line 3): true] call to method Return<String> | normal | Splitting.cs:8:17:8:31 | [b (line 3): true] call to method Return<String> |
| Splitting.cs:20:22:20:30 | call to method Return<String> | normal | Splitting.cs:20:22:20:30 | call to method Return<String> |

17
csharp/ql/test/library-tests/dataflow/global/GlobalDataFlow.cs
Просмотреть файл

@ -443,23 +443,6 @@ public class DataFlow
get { return ""; }
}
static void AppendToStringBuilder(StringBuilder sb, string s)
{
sb.Append(s);
}
void TestStringBuilderFlow()
{
var sb = new StringBuilder();
AppendToStringBuilder(sb, "taint source");
var sink43 = sb.ToString();
Check(sink43);
sb.Clear();
var nonSink = sb.ToString();
Check(nonSink);
}
void TestStringFlow()
{
var sink44 = string.Join(",", "whatever", "taint source");

52
csharp/ql/test/library-tests/dataflow/global/GlobalDataFlowStringBuilder.cs Normal file
Просмотреть файл

@ -0,0 +1,52 @@
using System;
using System.Text;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
/// <summary>
/// All (tainted) sinks are named `sink[Param|Field|Property]N`, for some N, and all
/// non-sinks are named `nonSink[Param|Field|Property]N`, for some N.
/// Both sinks and non-sinks are passed to the method `Check` for convenience in the
/// test query.
/// </summary>
public class DataFlowStringBuilder
{
static void Check<T>(T x) { }
static void AppendToStringBuilder(StringBuilder sb, string s)
{
sb.Append(s);
}
static void AppendToStringBuilderInterpolated(StringBuilder sb, string s)
{
sb.Append($"a{s}b");
}
void TestStringBuilderFlow()
{
var sb = new StringBuilder();
AppendToStringBuilder(sb, "taint source");
var sink0 = sb.ToString();
Check(sink0);
var sb1 = new StringBuilder();
sb1.Append(sb);
var sink1 = sb1.ToString();
Check(sink1);
var sb2 = new StringBuilder();
sb2.Append($"{sb}");
var sink2 = sb2.ToString();
Check(sink2);
sb.Clear();
var nonSink = sb.ToString();
Check(nonSink);
AppendToStringBuilderInterpolated(sb, "taint source");
var sink3 = sb.ToString();
Check(sink3);
}
}

35
csharp/ql/test/library-tests/dataflow/global/TaintTracking.expected
Просмотреть файл

@ -56,23 +56,26 @@
| GlobalDataFlow.cs:329:15:329:25 | access to parameter sinkParam11 |
| GlobalDataFlow.cs:404:15:404:20 | access to local variable sink11 |
| GlobalDataFlow.cs:427:41:427:46 | access to local variable sink20 |
| GlobalDataFlow.cs:456:15:456:20 | access to local variable sink43 |
| GlobalDataFlow.cs:466:15:466:20 | access to local variable sink44 |
| GlobalDataFlow.cs:478:15:478:20 | access to local variable sink45 |
| GlobalDataFlow.cs:486:32:486:32 | access to parameter s |
| GlobalDataFlow.cs:508:15:508:22 | access to field field |
| GlobalDataFlow.cs:509:15:509:22 | access to field field |
| GlobalDataFlow.cs:515:15:515:22 | access to field field |
| GlobalDataFlow.cs:516:15:516:22 | access to field field |
| GlobalDataFlow.cs:517:15:517:22 | access to field field |
| GlobalDataFlow.cs:526:15:526:21 | access to field field |
| GlobalDataFlow.cs:449:15:449:20 | access to local variable sink44 |
| GlobalDataFlow.cs:461:15:461:20 | access to local variable sink45 |
| GlobalDataFlow.cs:469:32:469:32 | access to parameter s |
| GlobalDataFlow.cs:491:15:491:22 | access to field field |
| GlobalDataFlow.cs:492:15:492:22 | access to field field |
| GlobalDataFlow.cs:498:15:498:22 | access to field field |
| GlobalDataFlow.cs:499:15:499:22 | access to field field |
| GlobalDataFlow.cs:500:15:500:22 | access to field field |
| GlobalDataFlow.cs:509:15:509:21 | access to field field |
| GlobalDataFlow.cs:516:15:516:21 | access to field field |
| GlobalDataFlow.cs:517:15:517:21 | access to field field |
| GlobalDataFlow.cs:531:15:531:21 | access to field field |
| GlobalDataFlow.cs:532:15:532:21 | access to field field |
| GlobalDataFlow.cs:533:15:533:21 | access to field field |
| GlobalDataFlow.cs:534:15:534:21 | access to field field |
| GlobalDataFlow.cs:548:15:548:21 | access to field field |
| GlobalDataFlow.cs:549:15:549:21 | access to field field |
| GlobalDataFlow.cs:550:15:550:21 | access to field field |
| GlobalDataFlow.cs:556:15:556:22 | access to field field |
| GlobalDataFlow.cs:564:15:564:21 | access to field field |
| GlobalDataFlow.cs:539:15:539:22 | access to field field |
| GlobalDataFlow.cs:547:15:547:21 | access to field field |
| GlobalDataFlowStringBuilder.cs:32:15:32:19 | access to local variable sink0 |
| GlobalDataFlowStringBuilder.cs:37:15:37:19 | access to local variable sink1 |
| GlobalDataFlowStringBuilder.cs:42:15:42:19 | access to local variable sink2 |
| GlobalDataFlowStringBuilder.cs:50:15:50:19 | access to local variable sink3 |
| Splitting.cs:9:15:9:15 | [b (line 3): false] access to local variable x |
| Splitting.cs:9:15:9:15 | [b (line 3): true] access to local variable x |
| Splitting.cs:11:19:11:19 | access to local variable x |

353
csharp/ql/test/library-tests/dataflow/global/TaintTrackingPath.expected
Просмотреть файл

@ -129,7 +129,7 @@ edges
| GlobalDataFlow.cs:81:22:81:93 | call to method First<String> : String | GlobalDataFlow.cs:82:15:82:20 | access to local variable sink13 |
| GlobalDataFlow.cs:81:22:81:93 | call to method First<String> : String | GlobalDataFlow.cs:83:59:83:64 | access to local variable sink13 : String |
| GlobalDataFlow.cs:81:23:81:65 | (...) ... : null [element] : String | GlobalDataFlow.cs:81:22:81:85 | call to method SelectEven<String,String> : IEnumerable<T> [element] : String |
| GlobalDataFlow.cs:81:23:81:65 | (...) ... : null [element] : String | GlobalDataFlow.cs:570:71:570:71 | e : null [element] : String |
| GlobalDataFlow.cs:81:23:81:65 | (...) ... : null [element] : String | GlobalDataFlow.cs:553:71:553:71 | e : null [element] : String |
| GlobalDataFlow.cs:81:57:81:65 | { ..., ... } : null [element] : String | GlobalDataFlow.cs:81:23:81:65 | (...) ... : null [element] : String |
| GlobalDataFlow.cs:81:59:81:63 | access to local variable sink3 : String | GlobalDataFlow.cs:81:57:81:65 | { ..., ... } : null [element] : String |
| GlobalDataFlow.cs:81:79:81:79 | x : String | GlobalDataFlow.cs:81:84:81:84 | access to parameter x : String |
@ -267,72 +267,89 @@ edges
| GlobalDataFlow.cs:405:16:405:21 | access to local variable sink11 : String | GlobalDataFlow.cs:167:22:167:43 | call to method TaintedParam : String |
| GlobalDataFlow.cs:427:9:427:11 | value : String | GlobalDataFlow.cs:427:41:427:46 | access to local variable sink20 |
| GlobalDataFlow.cs:438:22:438:35 | "taint source" : String | GlobalDataFlow.cs:201:22:201:32 | access to property OutProperty : String |
| GlobalDataFlow.cs:446:64:446:64 | s : String | GlobalDataFlow.cs:448:19:448:19 | access to parameter s : String |
| GlobalDataFlow.cs:448:19:448:19 | access to parameter s : String | GlobalDataFlow.cs:448:9:448:10 | [post] access to parameter sb : StringBuilder [element] : String |
| GlobalDataFlow.cs:454:31:454:32 | [post] access to local variable sb : StringBuilder [element] : String | GlobalDataFlow.cs:455:22:455:23 | access to local variable sb : StringBuilder [element] : String |
| GlobalDataFlow.cs:454:35:454:48 | "taint source" : String | GlobalDataFlow.cs:446:64:446:64 | s : String |
| GlobalDataFlow.cs:454:35:454:48 | "taint source" : String | GlobalDataFlow.cs:454:31:454:32 | [post] access to local variable sb : StringBuilder [element] : String |
| GlobalDataFlow.cs:455:22:455:23 | access to local variable sb : StringBuilder [element] : String | GlobalDataFlow.cs:455:22:455:34 | call to method ToString : String |
| GlobalDataFlow.cs:455:22:455:34 | call to method ToString : String | GlobalDataFlow.cs:456:15:456:20 | access to local variable sink43 |
| GlobalDataFlow.cs:465:22:465:65 | call to method Join : String | GlobalDataFlow.cs:466:15:466:20 | access to local variable sink44 |
| GlobalDataFlow.cs:465:51:465:64 | "taint source" : String | GlobalDataFlow.cs:465:22:465:65 | call to method Join : String |
| GlobalDataFlow.cs:474:20:474:49 | call to method Run<String> : Task<T> [property Result] : String | GlobalDataFlow.cs:475:25:475:28 | access to local variable task : Task<T> [property Result] : String |
| GlobalDataFlow.cs:474:35:474:48 | "taint source" : String | GlobalDataFlow.cs:474:20:474:49 | call to method Run<String> : Task<T> [property Result] : String |
| GlobalDataFlow.cs:475:25:475:28 | access to local variable task : Task<T> [property Result] : String | GlobalDataFlow.cs:475:25:475:50 | call to method ConfigureAwait : ConfiguredTaskAwaitable<T> [synthetic m_configuredTaskAwaiter, synthetic m_task_configured_task_awaitable, property Result] : String |
| GlobalDataFlow.cs:475:25:475:50 | call to method ConfigureAwait : ConfiguredTaskAwaitable<T> [synthetic m_configuredTaskAwaiter, synthetic m_task_configured_task_awaitable, property Result] : String | GlobalDataFlow.cs:476:23:476:31 | access to local variable awaitable : ConfiguredTaskAwaitable<T> [synthetic m_configuredTaskAwaiter, synthetic m_task_configured_task_awaitable, property Result] : String |
| GlobalDataFlow.cs:476:23:476:31 | access to local variable awaitable : ConfiguredTaskAwaitable<T> [synthetic m_configuredTaskAwaiter, synthetic m_task_configured_task_awaitable, property Result] : String | GlobalDataFlow.cs:476:23:476:44 | call to method GetAwaiter : ConfiguredTaskAwaitable<T>.ConfiguredTaskAwaiter [synthetic m_task_configured_task_awaitable, property Result] : String |
| GlobalDataFlow.cs:476:23:476:44 | call to method GetAwaiter : ConfiguredTaskAwaitable<T>.ConfiguredTaskAwaiter [synthetic m_task_configured_task_awaitable, property Result] : String | GlobalDataFlow.cs:477:22:477:28 | access to local variable awaiter : ConfiguredTaskAwaitable<T>.ConfiguredTaskAwaiter [synthetic m_task_configured_task_awaitable, property Result] : String |
| GlobalDataFlow.cs:477:22:477:28 | access to local variable awaiter : ConfiguredTaskAwaitable<T>.ConfiguredTaskAwaiter [synthetic m_task_configured_task_awaitable, property Result] : String | GlobalDataFlow.cs:477:22:477:40 | call to method GetResult : String |
| GlobalDataFlow.cs:477:22:477:40 | call to method GetResult : String | GlobalDataFlow.cs:478:15:478:20 | access to local variable sink45 |
| GlobalDataFlow.cs:483:53:483:55 | arg : String | GlobalDataFlow.cs:487:15:487:17 | access to parameter arg : String |
| GlobalDataFlow.cs:486:21:486:21 | s : String | GlobalDataFlow.cs:486:32:486:32 | access to parameter s |
| GlobalDataFlow.cs:487:15:487:17 | access to parameter arg : String | GlobalDataFlow.cs:486:21:486:21 | s : String |
| GlobalDataFlow.cs:490:28:490:41 | "taint source" : String | GlobalDataFlow.cs:483:53:483:55 | arg : String |
| GlobalDataFlow.cs:500:9:500:10 | [post] access to parameter sc : SimpleClass [field field] : String | GlobalDataFlow.cs:507:25:507:26 | [post] access to local variable x1 : SimpleClass [field field] : String |
| GlobalDataFlow.cs:500:9:500:10 | [post] access to parameter sc : SimpleClass [field field] : String | GlobalDataFlow.cs:507:30:507:31 | [post] access to local variable x2 : SimpleClass [field field] : String |
| GlobalDataFlow.cs:500:9:500:10 | [post] access to parameter sc : SimpleClass [field field] : String | GlobalDataFlow.cs:514:31:514:32 | [post] access to local variable y1 : SimpleClass [field field] : String |
| GlobalDataFlow.cs:500:9:500:10 | [post] access to parameter sc : SimpleClass [field field] : String | GlobalDataFlow.cs:514:36:514:37 | [post] access to local variable y2 : SimpleClass [field field] : String |
| GlobalDataFlow.cs:500:9:500:10 | [post] access to parameter sc : SimpleClass [field field] : String | GlobalDataFlow.cs:514:42:514:43 | [post] access to local variable y3 : SimpleClass [field field] : String |
| GlobalDataFlow.cs:500:9:500:10 | [post] access to parameter sc : SimpleClass [field field] : String | GlobalDataFlow.cs:525:33:525:33 | [post] access to local variable x : SubSimpleClass [field field] : String |
| GlobalDataFlow.cs:500:9:500:10 | [post] access to parameter sc : SimpleClass [field field] : String | GlobalDataFlow.cs:532:20:532:20 | [post] access to parameter x : SimpleClass [field field] : String |
| GlobalDataFlow.cs:500:9:500:10 | [post] access to parameter sc : SimpleClass [field field] : String | GlobalDataFlow.cs:532:25:532:25 | [post] access to local variable y : SimpleClass [field field] : String |
| GlobalDataFlow.cs:500:9:500:10 | [post] access to parameter sc : SimpleClass [field field] : String | GlobalDataFlow.cs:544:20:544:20 | [post] access to local variable x : SimpleClass [field field] : String |
| GlobalDataFlow.cs:500:9:500:10 | [post] access to parameter sc : SimpleClass [field field] : String | GlobalDataFlow.cs:545:20:545:20 | [post] access to local variable y : SimpleClass [field field] : String |
| GlobalDataFlow.cs:500:9:500:10 | [post] access to parameter sc : SimpleClass [field field] : String | GlobalDataFlow.cs:546:18:546:18 | [post] access to local variable z : SimpleClass [field field] : String |
| GlobalDataFlow.cs:500:9:500:10 | [post] access to parameter sc : SimpleClass [field field] : String | GlobalDataFlow.cs:555:20:555:21 | [post] access to parameter sc : SimpleClass [field field] : String |
| GlobalDataFlow.cs:500:9:500:10 | [post] access to parameter sc : SimpleClass [field field] : String | GlobalDataFlow.cs:563:24:563:24 | [post] access to local variable x : SimpleClass [field field] : String |
| GlobalDataFlow.cs:500:20:500:33 | "taint source" : String | GlobalDataFlow.cs:500:9:500:10 | [post] access to parameter sc : SimpleClass [field field] : String |
| GlobalDataFlow.cs:507:25:507:26 | [post] access to local variable x1 : SimpleClass [field field] : String | GlobalDataFlow.cs:508:15:508:16 | access to local variable x1 : SimpleClass [field field] : String |
| GlobalDataFlow.cs:507:30:507:31 | [post] access to local variable x2 : SimpleClass [field field] : String | GlobalDataFlow.cs:509:15:509:16 | access to local variable x2 : SimpleClass [field field] : String |
| GlobalDataFlow.cs:508:15:508:16 | access to local variable x1 : SimpleClass [field field] : String | GlobalDataFlow.cs:508:15:508:22 | access to field field |
| GlobalDataFlow.cs:509:15:509:16 | access to local variable x2 : SimpleClass [field field] : String | GlobalDataFlow.cs:509:15:509:22 | access to field field |
| GlobalDataFlow.cs:514:31:514:32 | [post] access to local variable y1 : SimpleClass [field field] : String | GlobalDataFlow.cs:515:15:515:16 | access to local variable y1 : SimpleClass [field field] : String |
| GlobalDataFlow.cs:514:36:514:37 | [post] access to local variable y2 : SimpleClass [field field] : String | GlobalDataFlow.cs:516:15:516:16 | access to local variable y2 : SimpleClass [field field] : String |
| GlobalDataFlow.cs:514:42:514:43 | [post] access to local variable y3 : SimpleClass [field field] : String | GlobalDataFlow.cs:517:15:517:16 | access to local variable y3 : SimpleClass [field field] : String |
| GlobalDataFlow.cs:515:15:515:16 | access to local variable y1 : SimpleClass [field field] : String | GlobalDataFlow.cs:515:15:515:22 | access to field field |
| GlobalDataFlow.cs:516:15:516:16 | access to local variable y2 : SimpleClass [field field] : String | GlobalDataFlow.cs:516:15:516:22 | access to field field |
| GlobalDataFlow.cs:517:15:517:16 | access to local variable y3 : SimpleClass [field field] : String | GlobalDataFlow.cs:517:15:517:22 | access to field field |
| GlobalDataFlow.cs:525:33:525:33 | [post] access to local variable x : SubSimpleClass [field field] : String | GlobalDataFlow.cs:526:15:526:15 | access to local variable x : SubSimpleClass [field field] : String |
| GlobalDataFlow.cs:526:15:526:15 | access to local variable x : SubSimpleClass [field field] : String | GlobalDataFlow.cs:526:15:526:21 | access to field field |
| GlobalDataFlow.cs:532:20:532:20 | [post] access to parameter x : SimpleClass [field field] : String | GlobalDataFlow.cs:533:15:533:15 | access to parameter x : SimpleClass [field field] : String |
| GlobalDataFlow.cs:532:25:532:25 | [post] access to local variable y : SimpleClass [field field] : String | GlobalDataFlow.cs:534:15:534:15 | access to local variable y : SimpleClass [field field] : String |
| GlobalDataFlow.cs:533:15:533:15 | access to parameter x : SimpleClass [field field] : String | GlobalDataFlow.cs:533:15:533:21 | access to field field |
| GlobalDataFlow.cs:534:15:534:15 | access to local variable y : SimpleClass [field field] : String | GlobalDataFlow.cs:534:15:534:21 | access to field field |
| GlobalDataFlow.cs:544:20:544:20 | [post] access to local variable x : SimpleClass [field field] : String | GlobalDataFlow.cs:548:15:548:15 | access to local variable x : SimpleClass [field field] : String |
| GlobalDataFlow.cs:545:20:545:20 | [post] access to local variable y : SimpleClass [field field] : String | GlobalDataFlow.cs:549:15:549:15 | access to local variable y : SimpleClass [field field] : String |
| GlobalDataFlow.cs:546:18:546:18 | [post] access to local variable z : SimpleClass [field field] : String | GlobalDataFlow.cs:550:15:550:15 | access to local variable z : SimpleClass [field field] : String |
| GlobalDataFlow.cs:548:15:548:15 | access to local variable x : SimpleClass [field field] : String | GlobalDataFlow.cs:548:15:548:21 | access to field field |
| GlobalDataFlow.cs:549:15:549:15 | access to local variable y : SimpleClass [field field] : String | GlobalDataFlow.cs:549:15:549:21 | access to field field |
| GlobalDataFlow.cs:550:15:550:15 | access to local variable z : SimpleClass [field field] : String | GlobalDataFlow.cs:550:15:550:21 | access to field field |
| GlobalDataFlow.cs:555:20:555:21 | [post] access to parameter sc : SimpleClass [field field] : String | GlobalDataFlow.cs:556:15:556:16 | access to parameter sc : SimpleClass [field field] : String |
| GlobalDataFlow.cs:556:15:556:16 | access to parameter sc : SimpleClass [field field] : String | GlobalDataFlow.cs:556:15:556:22 | access to field field |
| GlobalDataFlow.cs:563:24:563:24 | [post] access to local variable x : SimpleClass [field field] : String | GlobalDataFlow.cs:564:15:564:15 | access to local variable x : SimpleClass [field field] : String |
| GlobalDataFlow.cs:564:15:564:15 | access to local variable x : SimpleClass [field field] : String | GlobalDataFlow.cs:564:15:564:21 | access to field field |
| GlobalDataFlow.cs:570:71:570:71 | e : null [element] : String | GlobalDataFlow.cs:573:27:573:27 | access to parameter e : null [element] : String |
| GlobalDataFlow.cs:573:22:573:22 | SSA def(x) : String | GlobalDataFlow.cs:575:46:575:46 | access to local variable x : String |
| GlobalDataFlow.cs:573:27:573:27 | access to parameter e : null [element] : String | GlobalDataFlow.cs:573:22:573:22 | SSA def(x) : String |
| GlobalDataFlow.cs:575:46:575:46 | access to local variable x : String | GlobalDataFlow.cs:81:79:81:79 | x : String |
| GlobalDataFlow.cs:575:46:575:46 | access to local variable x : String | GlobalDataFlow.cs:575:44:575:47 | delegate call : String |
| GlobalDataFlow.cs:448:22:448:65 | call to method Join : String | GlobalDataFlow.cs:449:15:449:20 | access to local variable sink44 |
| GlobalDataFlow.cs:448:51:448:64 | "taint source" : String | GlobalDataFlow.cs:448:22:448:65 | call to method Join : String |
| GlobalDataFlow.cs:457:20:457:49 | call to method Run<String> : Task<T> [property Result] : String | GlobalDataFlow.cs:458:25:458:28 | access to local variable task : Task<T> [property Result] : String |
| GlobalDataFlow.cs:457:35:457:48 | "taint source" : String | GlobalDataFlow.cs:457:20:457:49 | call to method Run<String> : Task<T> [property Result] : String |
| GlobalDataFlow.cs:458:25:458:28 | access to local variable task : Task<T> [property Result] : String | GlobalDataFlow.cs:458:25:458:50 | call to method ConfigureAwait : ConfiguredTaskAwaitable<T> [synthetic m_configuredTaskAwaiter, synthetic m_task_configured_task_awaitable, property Result] : String |
| GlobalDataFlow.cs:458:25:458:50 | call to method ConfigureAwait : ConfiguredTaskAwaitable<T> [synthetic m_configuredTaskAwaiter, synthetic m_task_configured_task_awaitable, property Result] : String | GlobalDataFlow.cs:459:23:459:31 | access to local variable awaitable : ConfiguredTaskAwaitable<T> [synthetic m_configuredTaskAwaiter, synthetic m_task_configured_task_awaitable, property Result] : String |
| GlobalDataFlow.cs:459:23:459:31 | access to local variable awaitable : ConfiguredTaskAwaitable<T> [synthetic m_configuredTaskAwaiter, synthetic m_task_configured_task_awaitable, property Result] : String | GlobalDataFlow.cs:459:23:459:44 | call to method GetAwaiter : ConfiguredTaskAwaitable<T>.ConfiguredTaskAwaiter [synthetic m_task_configured_task_awaitable, property Result] : String |
| GlobalDataFlow.cs:459:23:459:44 | call to method GetAwaiter : ConfiguredTaskAwaitable<T>.ConfiguredTaskAwaiter [synthetic m_task_configured_task_awaitable, property Result] : String | GlobalDataFlow.cs:460:22:460:28 | access to local variable awaiter : ConfiguredTaskAwaitable<T>.ConfiguredTaskAwaiter [synthetic m_task_configured_task_awaitable, property Result] : String |
| GlobalDataFlow.cs:460:22:460:28 | access to local variable awaiter : ConfiguredTaskAwaitable<T>.ConfiguredTaskAwaiter [synthetic m_task_configured_task_awaitable, property Result] : String | GlobalDataFlow.cs:460:22:460:40 | call to method GetResult : String |
| GlobalDataFlow.cs:460:22:460:40 | call to method GetResult : String | GlobalDataFlow.cs:461:15:461:20 | access to local variable sink45 |
| GlobalDataFlow.cs:466:53:466:55 | arg : String | GlobalDataFlow.cs:470:15:470:17 | access to parameter arg : String |
| GlobalDataFlow.cs:469:21:469:21 | s : String | GlobalDataFlow.cs:469:32:469:32 | access to parameter s |
| GlobalDataFlow.cs:470:15:470:17 | access to parameter arg : String | GlobalDataFlow.cs:469:21:469:21 | s : String |
| GlobalDataFlow.cs:473:28:473:41 | "taint source" : String | GlobalDataFlow.cs:466:53:466:55 | arg : String |
| GlobalDataFlow.cs:483:9:483:10 | [post] access to parameter sc : SimpleClass [field field] : String | GlobalDataFlow.cs:490:25:490:26 | [post] access to local variable x1 : SimpleClass [field field] : String |
| GlobalDataFlow.cs:483:9:483:10 | [post] access to parameter sc : SimpleClass [field field] : String | GlobalDataFlow.cs:490:30:490:31 | [post] access to local variable x2 : SimpleClass [field field] : String |
| GlobalDataFlow.cs:483:9:483:10 | [post] access to parameter sc : SimpleClass [field field] : String | GlobalDataFlow.cs:497:31:497:32 | [post] access to local variable y1 : SimpleClass [field field] : String |
| GlobalDataFlow.cs:483:9:483:10 | [post] access to parameter sc : SimpleClass [field field] : String | GlobalDataFlow.cs:497:36:497:37 | [post] access to local variable y2 : SimpleClass [field field] : String |
| GlobalDataFlow.cs:483:9:483:10 | [post] access to parameter sc : SimpleClass [field field] : String | GlobalDataFlow.cs:497:42:497:43 | [post] access to local variable y3 : SimpleClass [field field] : String |
| GlobalDataFlow.cs:483:9:483:10 | [post] access to parameter sc : SimpleClass [field field] : String | GlobalDataFlow.cs:508:33:508:33 | [post] access to local variable x : SubSimpleClass [field field] : String |
| GlobalDataFlow.cs:483:9:483:10 | [post] access to parameter sc : SimpleClass [field field] : String | GlobalDataFlow.cs:515:20:515:20 | [post] access to parameter x : SimpleClass [field field] : String |
| GlobalDataFlow.cs:483:9:483:10 | [post] access to parameter sc : SimpleClass [field field] : String | GlobalDataFlow.cs:515:25:515:25 | [post] access to local variable y : SimpleClass [field field] : String |
| GlobalDataFlow.cs:483:9:483:10 | [post] access to parameter sc : SimpleClass [field field] : String | GlobalDataFlow.cs:527:20:527:20 | [post] access to local variable x : SimpleClass [field field] : String |
| GlobalDataFlow.cs:483:9:483:10 | [post] access to parameter sc : SimpleClass [field field] : String | GlobalDataFlow.cs:528:20:528:20 | [post] access to local variable y : SimpleClass [field field] : String |
| GlobalDataFlow.cs:483:9:483:10 | [post] access to parameter sc : SimpleClass [field field] : String | GlobalDataFlow.cs:529:18:529:18 | [post] access to local variable z : SimpleClass [field field] : String |
| GlobalDataFlow.cs:483:9:483:10 | [post] access to parameter sc : SimpleClass [field field] : String | GlobalDataFlow.cs:538:20:538:21 | [post] access to parameter sc : SimpleClass [field field] : String |
| GlobalDataFlow.cs:483:9:483:10 | [post] access to parameter sc : SimpleClass [field field] : String | GlobalDataFlow.cs:546:24:546:24 | [post] access to local variable x : SimpleClass [field field] : String |
| GlobalDataFlow.cs:483:20:483:33 | "taint source" : String | GlobalDataFlow.cs:483:9:483:10 | [post] access to parameter sc : SimpleClass [field field] : String |
| GlobalDataFlow.cs:490:25:490:26 | [post] access to local variable x1 : SimpleClass [field field] : String | GlobalDataFlow.cs:491:15:491:16 | access to local variable x1 : SimpleClass [field field] : String |
| GlobalDataFlow.cs:490:30:490:31 | [post] access to local variable x2 : SimpleClass [field field] : String | GlobalDataFlow.cs:492:15:492:16 | access to local variable x2 : SimpleClass [field field] : String |
| GlobalDataFlow.cs:491:15:491:16 | access to local variable x1 : SimpleClass [field field] : String | GlobalDataFlow.cs:491:15:491:22 | access to field field |
| GlobalDataFlow.cs:492:15:492:16 | access to local variable x2 : SimpleClass [field field] : String | GlobalDataFlow.cs:492:15:492:22 | access to field field |
| GlobalDataFlow.cs:497:31:497:32 | [post] access to local variable y1 : SimpleClass [field field] : String | GlobalDataFlow.cs:498:15:498:16 | access to local variable y1 : SimpleClass [field field] : String |
| GlobalDataFlow.cs:497:36:497:37 | [post] access to local variable y2 : SimpleClass [field field] : String | GlobalDataFlow.cs:499:15:499:16 | access to local variable y2 : SimpleClass [field field] : String |
| GlobalDataFlow.cs:497:42:497:43 | [post] access to local variable y3 : SimpleClass [field field] : String | GlobalDataFlow.cs:500:15:500:16 | access to local variable y3 : SimpleClass [field field] : String |
| GlobalDataFlow.cs:498:15:498:16 | access to local variable y1 : SimpleClass [field field] : String | GlobalDataFlow.cs:498:15:498:22 | access to field field |
| GlobalDataFlow.cs:499:15:499:16 | access to local variable y2 : SimpleClass [field field] : String | GlobalDataFlow.cs:499:15:499:22 | access to field field |
| GlobalDataFlow.cs:500:15:500:16 | access to local variable y3 : SimpleClass [field field] : String | GlobalDataFlow.cs:500:15:500:22 | access to field field |
| GlobalDataFlow.cs:508:33:508:33 | [post] access to local variable x : SubSimpleClass [field field] : String | GlobalDataFlow.cs:509:15:509:15 | access to local variable x : SubSimpleClass [field field] : String |
| GlobalDataFlow.cs:509:15:509:15 | access to local variable x : SubSimpleClass [field field] : String | GlobalDataFlow.cs:509:15:509:21 | access to field field |
| GlobalDataFlow.cs:515:20:515:20 | [post] access to parameter x : SimpleClass [field field] : String | GlobalDataFlow.cs:516:15:516:15 | access to parameter x : SimpleClass [field field] : String |
| GlobalDataFlow.cs:515:25:515:25 | [post] access to local variable y : SimpleClass [field field] : String | GlobalDataFlow.cs:517:15:517:15 | access to local variable y : SimpleClass [field field] : String |
| GlobalDataFlow.cs:516:15:516:15 | access to parameter x : SimpleClass [field field] : String | GlobalDataFlow.cs:516:15:516:21 | access to field field |
| GlobalDataFlow.cs:517:15:517:15 | access to local variable y : SimpleClass [field field] : String | GlobalDataFlow.cs:517:15:517:21 | access to field field |
| GlobalDataFlow.cs:527:20:527:20 | [post] access to local variable x : SimpleClass [field field] : String | GlobalDataFlow.cs:531:15:531:15 | access to local variable x : SimpleClass [field field] : String |
| GlobalDataFlow.cs:528:20:528:20 | [post] access to local variable y : SimpleClass [field field] : String | GlobalDataFlow.cs:532:15:532:15 | access to local variable y : SimpleClass [field field] : String |
| GlobalDataFlow.cs:529:18:529:18 | [post] access to local variable z : SimpleClass [field field] : String | GlobalDataFlow.cs:533:15:533:15 | access to local variable z : SimpleClass [field field] : String |
| GlobalDataFlow.cs:531:15:531:15 | access to local variable x : SimpleClass [field field] : String | GlobalDataFlow.cs:531:15:531:21 | access to field field |
| GlobalDataFlow.cs:532:15:532:15 | access to local variable y : SimpleClass [field field] : String | GlobalDataFlow.cs:532:15:532:21 | access to field field |
| GlobalDataFlow.cs:533:15:533:15 | access to local variable z : SimpleClass [field field] : String | GlobalDataFlow.cs:533:15:533:21 | access to field field |
| GlobalDataFlow.cs:538:20:538:21 | [post] access to parameter sc : SimpleClass [field field] : String | GlobalDataFlow.cs:539:15:539:16 | access to parameter sc : SimpleClass [field field] : String |
| GlobalDataFlow.cs:539:15:539:16 | access to parameter sc : SimpleClass [field field] : String | GlobalDataFlow.cs:539:15:539:22 | access to field field |
| GlobalDataFlow.cs:546:24:546:24 | [post] access to local variable x : SimpleClass [field field] : String | GlobalDataFlow.cs:547:15:547:15 | access to local variable x : SimpleClass [field field] : String |
| GlobalDataFlow.cs:547:15:547:15 | access to local variable x : SimpleClass [field field] : String | GlobalDataFlow.cs:547:15:547:21 | access to field field |
| GlobalDataFlow.cs:553:71:553:71 | e : null [element] : String | GlobalDataFlow.cs:556:27:556:27 | access to parameter e : null [element] : String |
| GlobalDataFlow.cs:556:22:556:22 | SSA def(x) : String | GlobalDataFlow.cs:558:46:558:46 | access to local variable x : String |
| GlobalDataFlow.cs:556:27:556:27 | access to parameter e : null [element] : String | GlobalDataFlow.cs:556:22:556:22 | SSA def(x) : String |
| GlobalDataFlow.cs:558:46:558:46 | access to local variable x : String | GlobalDataFlow.cs:81:79:81:79 | x : String |
| GlobalDataFlow.cs:558:46:558:46 | access to local variable x : String | GlobalDataFlow.cs:558:44:558:47 | delegate call : String |
| GlobalDataFlowStringBuilder.cs:17:64:17:64 | s : String | GlobalDataFlowStringBuilder.cs:19:19:19:19 | access to parameter s : String |
| GlobalDataFlowStringBuilder.cs:19:19:19:19 | access to parameter s : String | GlobalDataFlowStringBuilder.cs:19:9:19:10 | [post] access to parameter sb : StringBuilder |
| GlobalDataFlowStringBuilder.cs:22:76:22:76 | s : String | GlobalDataFlowStringBuilder.cs:24:19:24:26 | (...) ... : AppendInterpolatedStringHandler |
| GlobalDataFlowStringBuilder.cs:24:19:24:26 | (...) ... : AppendInterpolatedStringHandler | GlobalDataFlowStringBuilder.cs:24:9:24:10 | [post] access to parameter sb : StringBuilder |
| GlobalDataFlowStringBuilder.cs:30:31:30:32 | [post] access to local variable sb : StringBuilder | GlobalDataFlowStringBuilder.cs:31:21:31:22 | access to local variable sb : StringBuilder |
| GlobalDataFlowStringBuilder.cs:30:31:30:32 | [post] access to local variable sb : StringBuilder | GlobalDataFlowStringBuilder.cs:35:20:35:21 | access to local variable sb : StringBuilder |
| GlobalDataFlowStringBuilder.cs:30:31:30:32 | [post] access to local variable sb : StringBuilder | GlobalDataFlowStringBuilder.cs:40:20:40:26 | (...) ... : AppendInterpolatedStringHandler |
| GlobalDataFlowStringBuilder.cs:30:35:30:48 | "taint source" : String | GlobalDataFlowStringBuilder.cs:17:64:17:64 | s : String |
| GlobalDataFlowStringBuilder.cs:30:35:30:48 | "taint source" : String | GlobalDataFlowStringBuilder.cs:30:31:30:32 | [post] access to local variable sb : StringBuilder |
| GlobalDataFlowStringBuilder.cs:31:21:31:22 | access to local variable sb : StringBuilder | GlobalDataFlowStringBuilder.cs:31:21:31:33 | call to method ToString : String |
| GlobalDataFlowStringBuilder.cs:31:21:31:33 | call to method ToString : String | GlobalDataFlowStringBuilder.cs:32:15:32:19 | access to local variable sink0 |
| GlobalDataFlowStringBuilder.cs:35:9:35:11 | [post] access to local variable sb1 : StringBuilder | GlobalDataFlowStringBuilder.cs:36:21:36:23 | access to local variable sb1 : StringBuilder |
| GlobalDataFlowStringBuilder.cs:35:20:35:21 | access to local variable sb : StringBuilder | GlobalDataFlowStringBuilder.cs:35:9:35:11 | [post] access to local variable sb1 : StringBuilder |
| GlobalDataFlowStringBuilder.cs:36:21:36:23 | access to local variable sb1 : StringBuilder | GlobalDataFlowStringBuilder.cs:36:21:36:34 | call to method ToString : String |
| GlobalDataFlowStringBuilder.cs:36:21:36:34 | call to method ToString : String | GlobalDataFlowStringBuilder.cs:37:15:37:19 | access to local variable sink1 |
| GlobalDataFlowStringBuilder.cs:40:9:40:11 | [post] access to local variable sb2 : StringBuilder | GlobalDataFlowStringBuilder.cs:41:21:41:23 | access to local variable sb2 : StringBuilder |
| GlobalDataFlowStringBuilder.cs:40:20:40:26 | (...) ... : AppendInterpolatedStringHandler | GlobalDataFlowStringBuilder.cs:40:9:40:11 | [post] access to local variable sb2 : StringBuilder |
| GlobalDataFlowStringBuilder.cs:41:21:41:23 | access to local variable sb2 : StringBuilder | GlobalDataFlowStringBuilder.cs:41:21:41:34 | call to method ToString : String |
| GlobalDataFlowStringBuilder.cs:41:21:41:34 | call to method ToString : String | GlobalDataFlowStringBuilder.cs:42:15:42:19 | access to local variable sink2 |
| GlobalDataFlowStringBuilder.cs:48:43:48:44 | [post] access to local variable sb : StringBuilder | GlobalDataFlowStringBuilder.cs:49:21:49:22 | access to local variable sb : StringBuilder |
| GlobalDataFlowStringBuilder.cs:48:47:48:60 | "taint source" : String | GlobalDataFlowStringBuilder.cs:22:76:22:76 | s : String |
| GlobalDataFlowStringBuilder.cs:48:47:48:60 | "taint source" : String | GlobalDataFlowStringBuilder.cs:48:43:48:44 | [post] access to local variable sb : StringBuilder |
| GlobalDataFlowStringBuilder.cs:49:21:49:22 | access to local variable sb : StringBuilder | GlobalDataFlowStringBuilder.cs:49:21:49:33 | call to method ToString : String |
| GlobalDataFlowStringBuilder.cs:49:21:49:33 | call to method ToString : String | GlobalDataFlowStringBuilder.cs:50:15:50:19 | access to local variable sink3 |
| Splitting.cs:3:28:3:34 | tainted : String | Splitting.cs:8:24:8:30 | [b (line 3): false] access to parameter tainted : String |
| Splitting.cs:3:28:3:34 | tainted : String | Splitting.cs:8:24:8:30 | [b (line 3): true] access to parameter tainted : String |
| Splitting.cs:8:17:8:31 | [b (line 3): false] call to method Return<String> : String | Splitting.cs:9:15:9:15 | [b (line 3): false] access to local variable x |
@ -591,77 +608,95 @@ nodes
| GlobalDataFlow.cs:427:9:427:11 | value : String | semmle.label | value : String |
| GlobalDataFlow.cs:427:41:427:46 | access to local variable sink20 | semmle.label | access to local variable sink20 |
| GlobalDataFlow.cs:438:22:438:35 | "taint source" : String | semmle.label | "taint source" : String |
| GlobalDataFlow.cs:446:64:446:64 | s : String | semmle.label | s : String |
| GlobalDataFlow.cs:448:9:448:10 | [post] access to parameter sb : StringBuilder [element] : String | semmle.label | [post] access to parameter sb : StringBuilder [element] : String |
| GlobalDataFlow.cs:448:19:448:19 | access to parameter s : String | semmle.label | access to parameter s : String |
| GlobalDataFlow.cs:454:31:454:32 | [post] access to local variable sb : StringBuilder [element] : String | semmle.label | [post] access to local variable sb : StringBuilder [element] : String |
| GlobalDataFlow.cs:454:35:454:48 | "taint source" : String | semmle.label | "taint source" : String |
| GlobalDataFlow.cs:455:22:455:23 | access to local variable sb : StringBuilder [element] : String | semmle.label | access to local variable sb : StringBuilder [element] : String |
| GlobalDataFlow.cs:455:22:455:34 | call to method ToString : String | semmle.label | call to method ToString : String |
| GlobalDataFlow.cs:456:15:456:20 | access to local variable sink43 | semmle.label | access to local variable sink43 |
| GlobalDataFlow.cs:465:22:465:65 | call to method Join : String | semmle.label | call to method Join : String |
| GlobalDataFlow.cs:465:51:465:64 | "taint source" : String | semmle.label | "taint source" : String |
| GlobalDataFlow.cs:466:15:466:20 | access to local variable sink44 | semmle.label | access to local variable sink44 |
| GlobalDataFlow.cs:474:20:474:49 | call to method Run<String> : Task<T> [property Result] : String | semmle.label | call to method Run<String> : Task<T> [property Result] : String |
| GlobalDataFlow.cs:474:35:474:48 | "taint source" : String | semmle.label | "taint source" : String |
| GlobalDataFlow.cs:475:25:475:28 | access to local variable task : Task<T> [property Result] : String | semmle.label | access to local variable task : Task<T> [property Result] : String |
| GlobalDataFlow.cs:475:25:475:50 | call to method ConfigureAwait : ConfiguredTaskAwaitable<T> [synthetic m_configuredTaskAwaiter, synthetic m_task_configured_task_awaitable, property Result] : String | semmle.label | call to method ConfigureAwait : ConfiguredTaskAwaitable<T> [synthetic m_configuredTaskAwaiter, synthetic m_task_configured_task_awaitable, property Result] : String |
| GlobalDataFlow.cs:476:23:476:31 | access to local variable awaitable : ConfiguredTaskAwaitable<T> [synthetic m_configuredTaskAwaiter, synthetic m_task_configured_task_awaitable, property Result] : String | semmle.label | access to local variable awaitable : ConfiguredTaskAwaitable<T> [synthetic m_configuredTaskAwaiter, synthetic m_task_configured_task_awaitable, property Result] : String |
| GlobalDataFlow.cs:476:23:476:44 | call to method GetAwaiter : ConfiguredTaskAwaitable<T>.ConfiguredTaskAwaiter [synthetic m_task_configured_task_awaitable, property Result] : String | semmle.label | call to method GetAwaiter : ConfiguredTaskAwaitable<T>.ConfiguredTaskAwaiter [synthetic m_task_configured_task_awaitable, property Result] : String |
| GlobalDataFlow.cs:477:22:477:28 | access to local variable awaiter : ConfiguredTaskAwaitable<T>.ConfiguredTaskAwaiter [synthetic m_task_configured_task_awaitable, property Result] : String | semmle.label | access to local variable awaiter : ConfiguredTaskAwaitable<T>.ConfiguredTaskAwaiter [synthetic m_task_configured_task_awaitable, property Result] : String |
| GlobalDataFlow.cs:477:22:477:40 | call to method GetResult : String | semmle.label | call to method GetResult : String |
| GlobalDataFlow.cs:478:15:478:20 | access to local variable sink45 | semmle.label | access to local variable sink45 |
| GlobalDataFlow.cs:483:53:483:55 | arg : String | semmle.label | arg : String |
| GlobalDataFlow.cs:486:21:486:21 | s : String | semmle.label | s : String |
| GlobalDataFlow.cs:486:32:486:32 | access to parameter s | semmle.label | access to parameter s |
| GlobalDataFlow.cs:487:15:487:17 | access to parameter arg : String | semmle.label | access to parameter arg : String |
| GlobalDataFlow.cs:490:28:490:41 | "taint source" : String | semmle.label | "taint source" : String |
| GlobalDataFlow.cs:500:9:500:10 | [post] access to parameter sc : SimpleClass [field field] : String | semmle.label | [post] access to parameter sc : SimpleClass [field field] : String |
| GlobalDataFlow.cs:500:20:500:33 | "taint source" : String | semmle.label | "taint source" : String |
| GlobalDataFlow.cs:507:25:507:26 | [post] access to local variable x1 : SimpleClass [field field] : String | semmle.label | [post] access to local variable x1 : SimpleClass [field field] : String |
| GlobalDataFlow.cs:507:30:507:31 | [post] access to local variable x2 : SimpleClass [field field] : String | semmle.label | [post] access to local variable x2 : SimpleClass [field field] : String |
| GlobalDataFlow.cs:508:15:508:16 | access to local variable x1 : SimpleClass [field field] : String | semmle.label | access to local variable x1 : SimpleClass [field field] : String |
| GlobalDataFlow.cs:508:15:508:22 | access to field field | semmle.label | access to field field |
| GlobalDataFlow.cs:509:15:509:16 | access to local variable x2 : SimpleClass [field field] : String | semmle.label | access to local variable x2 : SimpleClass [field field] : String |
| GlobalDataFlow.cs:509:15:509:22 | access to field field | semmle.label | access to field field |
| GlobalDataFlow.cs:514:31:514:32 | [post] access to local variable y1 : SimpleClass [field field] : String | semmle.label | [post] access to local variable y1 : SimpleClass [field field] : String |
| GlobalDataFlow.cs:514:36:514:37 | [post] access to local variable y2 : SimpleClass [field field] : String | semmle.label | [post] access to local variable y2 : SimpleClass [field field] : String |
| GlobalDataFlow.cs:514:42:514:43 | [post] access to local variable y3 : SimpleClass [field field] : String | semmle.label | [post] access to local variable y3 : SimpleClass [field field] : String |
| GlobalDataFlow.cs:515:15:515:16 | access to local variable y1 : SimpleClass [field field] : String | semmle.label | access to local variable y1 : SimpleClass [field field] : String |
| GlobalDataFlow.cs:515:15:515:22 | access to field field | semmle.label | access to field field |
| GlobalDataFlow.cs:516:15:516:16 | access to local variable y2 : SimpleClass [field field] : String | semmle.label | access to local variable y2 : SimpleClass [field field] : String |
| GlobalDataFlow.cs:516:15:516:22 | access to field field | semmle.label | access to field field |
| GlobalDataFlow.cs:517:15:517:16 | access to local variable y3 : SimpleClass [field field] : String | semmle.label | access to local variable y3 : SimpleClass [field field] : String |
| GlobalDataFlow.cs:517:15:517:22 | access to field field | semmle.label | access to field field |
| GlobalDataFlow.cs:525:33:525:33 | [post] access to local variable x : SubSimpleClass [field field] : String | semmle.label | [post] access to local variable x : SubSimpleClass [field field] : String |
| GlobalDataFlow.cs:526:15:526:15 | access to local variable x : SubSimpleClass [field field] : String | semmle.label | access to local variable x : SubSimpleClass [field field] : String |
| GlobalDataFlow.cs:526:15:526:21 | access to field field | semmle.label | access to field field |
| GlobalDataFlow.cs:532:20:532:20 | [post] access to parameter x : SimpleClass [field field] : String | semmle.label | [post] access to parameter x : SimpleClass [field field] : String |
| GlobalDataFlow.cs:532:25:532:25 | [post] access to local variable y : SimpleClass [field field] : String | semmle.label | [post] access to local variable y : SimpleClass [field field] : String |
| GlobalDataFlow.cs:533:15:533:15 | access to parameter x : SimpleClass [field field] : String | semmle.label | access to parameter x : SimpleClass [field field] : String |
| GlobalDataFlow.cs:448:22:448:65 | call to method Join : String | semmle.label | call to method Join : String |
| GlobalDataFlow.cs:448:51:448:64 | "taint source" : String | semmle.label | "taint source" : String |
| GlobalDataFlow.cs:449:15:449:20 | access to local variable sink44 | semmle.label | access to local variable sink44 |
| GlobalDataFlow.cs:457:20:457:49 | call to method Run<String> : Task<T> [property Result] : String | semmle.label | call to method Run<String> : Task<T> [property Result] : String |
| GlobalDataFlow.cs:457:35:457:48 | "taint source" : String | semmle.label | "taint source" : String |
| GlobalDataFlow.cs:458:25:458:28 | access to local variable task : Task<T> [property Result] : String | semmle.label | access to local variable task : Task<T> [property Result] : String |
| GlobalDataFlow.cs:458:25:458:50 | call to method ConfigureAwait : ConfiguredTaskAwaitable<T> [synthetic m_configuredTaskAwaiter, synthetic m_task_configured_task_awaitable, property Result] : String | semmle.label | call to method ConfigureAwait : ConfiguredTaskAwaitable<T> [synthetic m_configuredTaskAwaiter, synthetic m_task_configured_task_awaitable, property Result] : String |
| GlobalDataFlow.cs:459:23:459:31 | access to local variable awaitable : ConfiguredTaskAwaitable<T> [synthetic m_configuredTaskAwaiter, synthetic m_task_configured_task_awaitable, property Result] : String | semmle.label | access to local variable awaitable : ConfiguredTaskAwaitable<T> [synthetic m_configuredTaskAwaiter, synthetic m_task_configured_task_awaitable, property Result] : String |
| GlobalDataFlow.cs:459:23:459:44 | call to method GetAwaiter : ConfiguredTaskAwaitable<T>.ConfiguredTaskAwaiter [synthetic m_task_configured_task_awaitable, property Result] : String | semmle.label | call to method GetAwaiter : ConfiguredTaskAwaitable<T>.ConfiguredTaskAwaiter [synthetic m_task_configured_task_awaitable, property Result] : String |
| GlobalDataFlow.cs:460:22:460:28 | access to local variable awaiter : ConfiguredTaskAwaitable<T>.ConfiguredTaskAwaiter [synthetic m_task_configured_task_awaitable, property Result] : String | semmle.label | access to local variable awaiter : ConfiguredTaskAwaitable<T>.ConfiguredTaskAwaiter [synthetic m_task_configured_task_awaitable, property Result] : String |
| GlobalDataFlow.cs:460:22:460:40 | call to method GetResult : String | semmle.label | call to method GetResult : String |
| GlobalDataFlow.cs:461:15:461:20 | access to local variable sink45 | semmle.label | access to local variable sink45 |
| GlobalDataFlow.cs:466:53:466:55 | arg : String | semmle.label | arg : String |
| GlobalDataFlow.cs:469:21:469:21 | s : String | semmle.label | s : String |
| GlobalDataFlow.cs:469:32:469:32 | access to parameter s | semmle.label | access to parameter s |
| GlobalDataFlow.cs:470:15:470:17 | access to parameter arg : String | semmle.label | access to parameter arg : String |
| GlobalDataFlow.cs:473:28:473:41 | "taint source" : String | semmle.label | "taint source" : String |
| GlobalDataFlow.cs:483:9:483:10 | [post] access to parameter sc : SimpleClass [field field] : String | semmle.label | [post] access to parameter sc : SimpleClass [field field] : String |
| GlobalDataFlow.cs:483:20:483:33 | "taint source" : String | semmle.label | "taint source" : String |
| GlobalDataFlow.cs:490:25:490:26 | [post] access to local variable x1 : SimpleClass [field field] : String | semmle.label | [post] access to local variable x1 : SimpleClass [field field] : String |
| GlobalDataFlow.cs:490:30:490:31 | [post] access to local variable x2 : SimpleClass [field field] : String | semmle.label | [post] access to local variable x2 : SimpleClass [field field] : String |
| GlobalDataFlow.cs:491:15:491:16 | access to local variable x1 : SimpleClass [field field] : String | semmle.label | access to local variable x1 : SimpleClass [field field] : String |
| GlobalDataFlow.cs:491:15:491:22 | access to field field | semmle.label | access to field field |
| GlobalDataFlow.cs:492:15:492:16 | access to local variable x2 : SimpleClass [field field] : String | semmle.label | access to local variable x2 : SimpleClass [field field] : String |
| GlobalDataFlow.cs:492:15:492:22 | access to field field | semmle.label | access to field field |
| GlobalDataFlow.cs:497:31:497:32 | [post] access to local variable y1 : SimpleClass [field field] : String | semmle.label | [post] access to local variable y1 : SimpleClass [field field] : String |
| GlobalDataFlow.cs:497:36:497:37 | [post] access to local variable y2 : SimpleClass [field field] : String | semmle.label | [post] access to local variable y2 : SimpleClass [field field] : String |
| GlobalDataFlow.cs:497:42:497:43 | [post] access to local variable y3 : SimpleClass [field field] : String | semmle.label | [post] access to local variable y3 : SimpleClass [field field] : String |
| GlobalDataFlow.cs:498:15:498:16 | access to local variable y1 : SimpleClass [field field] : String | semmle.label | access to local variable y1 : SimpleClass [field field] : String |
| GlobalDataFlow.cs:498:15:498:22 | access to field field | semmle.label | access to field field |
| GlobalDataFlow.cs:499:15:499:16 | access to local variable y2 : SimpleClass [field field] : String | semmle.label | access to local variable y2 : SimpleClass [field field] : String |
| GlobalDataFlow.cs:499:15:499:22 | access to field field | semmle.label | access to field field |
| GlobalDataFlow.cs:500:15:500:16 | access to local variable y3 : SimpleClass [field field] : String | semmle.label | access to local variable y3 : SimpleClass [field field] : String |
| GlobalDataFlow.cs:500:15:500:22 | access to field field | semmle.label | access to field field |
| GlobalDataFlow.cs:508:33:508:33 | [post] access to local variable x : SubSimpleClass [field field] : String | semmle.label | [post] access to local variable x : SubSimpleClass [field field] : String |
| GlobalDataFlow.cs:509:15:509:15 | access to local variable x : SubSimpleClass [field field] : String | semmle.label | access to local variable x : SubSimpleClass [field field] : String |
| GlobalDataFlow.cs:509:15:509:21 | access to field field | semmle.label | access to field field |
| GlobalDataFlow.cs:515:20:515:20 | [post] access to parameter x : SimpleClass [field field] : String | semmle.label | [post] access to parameter x : SimpleClass [field field] : String |
| GlobalDataFlow.cs:515:25:515:25 | [post] access to local variable y : SimpleClass [field field] : String | semmle.label | [post] access to local variable y : SimpleClass [field field] : String |
| GlobalDataFlow.cs:516:15:516:15 | access to parameter x : SimpleClass [field field] : String | semmle.label | access to parameter x : SimpleClass [field field] : String |
| GlobalDataFlow.cs:516:15:516:21 | access to field field | semmle.label | access to field field |
| GlobalDataFlow.cs:517:15:517:15 | access to local variable y : SimpleClass [field field] : String | semmle.label | access to local variable y : SimpleClass [field field] : String |
| GlobalDataFlow.cs:517:15:517:21 | access to field field | semmle.label | access to field field |
| GlobalDataFlow.cs:527:20:527:20 | [post] access to local variable x : SimpleClass [field field] : String | semmle.label | [post] access to local variable x : SimpleClass [field field] : String |
| GlobalDataFlow.cs:528:20:528:20 | [post] access to local variable y : SimpleClass [field field] : String | semmle.label | [post] access to local variable y : SimpleClass [field field] : String |
| GlobalDataFlow.cs:529:18:529:18 | [post] access to local variable z : SimpleClass [field field] : String | semmle.label | [post] access to local variable z : SimpleClass [field field] : String |
| GlobalDataFlow.cs:531:15:531:15 | access to local variable x : SimpleClass [field field] : String | semmle.label | access to local variable x : SimpleClass [field field] : String |
| GlobalDataFlow.cs:531:15:531:21 | access to field field | semmle.label | access to field field |
| GlobalDataFlow.cs:532:15:532:15 | access to local variable y : SimpleClass [field field] : String | semmle.label | access to local variable y : SimpleClass [field field] : String |
| GlobalDataFlow.cs:532:15:532:21 | access to field field | semmle.label | access to field field |
| GlobalDataFlow.cs:533:15:533:15 | access to local variable z : SimpleClass [field field] : String | semmle.label | access to local variable z : SimpleClass [field field] : String |
| GlobalDataFlow.cs:533:15:533:21 | access to field field | semmle.label | access to field field |
| GlobalDataFlow.cs:534:15:534:15 | access to local variable y : SimpleClass [field field] : String | semmle.label | access to local variable y : SimpleClass [field field] : String |
| GlobalDataFlow.cs:534:15:534:21 | access to field field | semmle.label | access to field field |
| GlobalDataFlow.cs:544:20:544:20 | [post] access to local variable x : SimpleClass [field field] : String | semmle.label | [post] access to local variable x : SimpleClass [field field] : String |
| GlobalDataFlow.cs:545:20:545:20 | [post] access to local variable y : SimpleClass [field field] : String | semmle.label | [post] access to local variable y : SimpleClass [field field] : String |
| GlobalDataFlow.cs:546:18:546:18 | [post] access to local variable z : SimpleClass [field field] : String | semmle.label | [post] access to local variable z : SimpleClass [field field] : String |
| GlobalDataFlow.cs:548:15:548:15 | access to local variable x : SimpleClass [field field] : String | semmle.label | access to local variable x : SimpleClass [field field] : String |
| GlobalDataFlow.cs:548:15:548:21 | access to field field | semmle.label | access to field field |
| GlobalDataFlow.cs:549:15:549:15 | access to local variable y : SimpleClass [field field] : String | semmle.label | access to local variable y : SimpleClass [field field] : String |
| GlobalDataFlow.cs:549:15:549:21 | access to field field | semmle.label | access to field field |
| GlobalDataFlow.cs:550:15:550:15 | access to local variable z : SimpleClass [field field] : String | semmle.label | access to local variable z : SimpleClass [field field] : String |
| GlobalDataFlow.cs:550:15:550:21 | access to field field | semmle.label | access to field field |
| GlobalDataFlow.cs:555:20:555:21 | [post] access to parameter sc : SimpleClass [field field] : String | semmle.label | [post] access to parameter sc : SimpleClass [field field] : String |
| GlobalDataFlow.cs:556:15:556:16 | access to parameter sc : SimpleClass [field field] : String | semmle.label | access to parameter sc : SimpleClass [field field] : String |
| GlobalDataFlow.cs:556:15:556:22 | access to field field | semmle.label | access to field field |
| GlobalDataFlow.cs:563:24:563:24 | [post] access to local variable x : SimpleClass [field field] : String | semmle.label | [post] access to local variable x : SimpleClass [field field] : String |
| GlobalDataFlow.cs:564:15:564:15 | access to local variable x : SimpleClass [field field] : String | semmle.label | access to local variable x : SimpleClass [field field] : String |
| GlobalDataFlow.cs:564:15:564:21 | access to field field | semmle.label | access to field field |
| GlobalDataFlow.cs:570:71:570:71 | e : null [element] : String | semmle.label | e : null [element] : String |
| GlobalDataFlow.cs:573:22:573:22 | SSA def(x) : String | semmle.label | SSA def(x) : String |
| GlobalDataFlow.cs:573:27:573:27 | access to parameter e : null [element] : String | semmle.label | access to parameter e : null [element] : String |
| GlobalDataFlow.cs:575:44:575:47 | delegate call : String | semmle.label | delegate call : String |
| GlobalDataFlow.cs:575:46:575:46 | access to local variable x : String | semmle.label | access to local variable x : String |
| GlobalDataFlow.cs:538:20:538:21 | [post] access to parameter sc : SimpleClass [field field] : String | semmle.label | [post] access to parameter sc : SimpleClass [field field] : String |
| GlobalDataFlow.cs:539:15:539:16 | access to parameter sc : SimpleClass [field field] : String | semmle.label | access to parameter sc : SimpleClass [field field] : String |
| GlobalDataFlow.cs:539:15:539:22 | access to field field | semmle.label | access to field field |
| GlobalDataFlow.cs:546:24:546:24 | [post] access to local variable x : SimpleClass [field field] : String | semmle.label | [post] access to local variable x : SimpleClass [field field] : String |
| GlobalDataFlow.cs:547:15:547:15 | access to local variable x : SimpleClass [field field] : String | semmle.label | access to local variable x : SimpleClass [field field] : String |
| GlobalDataFlow.cs:547:15:547:21 | access to field field | semmle.label | access to field field |
| GlobalDataFlow.cs:553:71:553:71 | e : null [element] : String | semmle.label | e : null [element] : String |
| GlobalDataFlow.cs:556:22:556:22 | SSA def(x) : String | semmle.label | SSA def(x) : String |
| GlobalDataFlow.cs:556:27:556:27 | access to parameter e : null [element] : String | semmle.label | access to parameter e : null [element] : String |
| GlobalDataFlow.cs:558:44:558:47 | delegate call : String | semmle.label | delegate call : String |
| GlobalDataFlow.cs:558:46:558:46 | access to local variable x : String | semmle.label | access to local variable x : String |
| GlobalDataFlowStringBuilder.cs:17:64:17:64 | s : String | semmle.label | s : String |
| GlobalDataFlowStringBuilder.cs:19:9:19:10 | [post] access to parameter sb : StringBuilder | semmle.label | [post] access to parameter sb : StringBuilder |
| GlobalDataFlowStringBuilder.cs:19:19:19:19 | access to parameter s : String | semmle.label | access to parameter s : String |
| GlobalDataFlowStringBuilder.cs:22:76:22:76 | s : String | semmle.label | s : String |
| GlobalDataFlowStringBuilder.cs:24:9:24:10 | [post] access to parameter sb : StringBuilder | semmle.label | [post] access to parameter sb : StringBuilder |
| GlobalDataFlowStringBuilder.cs:24:19:24:26 | (...) ... : AppendInterpolatedStringHandler | semmle.label | (...) ... : AppendInterpolatedStringHandler |
| GlobalDataFlowStringBuilder.cs:30:31:30:32 | [post] access to local variable sb : StringBuilder | semmle.label | [post] access to local variable sb : StringBuilder |
| GlobalDataFlowStringBuilder.cs:30:35:30:48 | "taint source" : String | semmle.label | "taint source" : String |
| GlobalDataFlowStringBuilder.cs:31:21:31:22 | access to local variable sb : StringBuilder | semmle.label | access to local variable sb : StringBuilder |
| GlobalDataFlowStringBuilder.cs:31:21:31:33 | call to method ToString : String | semmle.label | call to method ToString : String |
| GlobalDataFlowStringBuilder.cs:32:15:32:19 | access to local variable sink0 | semmle.label | access to local variable sink0 |
| GlobalDataFlowStringBuilder.cs:35:9:35:11 | [post] access to local variable sb1 : StringBuilder | semmle.label | [post] access to local variable sb1 : StringBuilder |
| GlobalDataFlowStringBuilder.cs:35:20:35:21 | access to local variable sb : StringBuilder | semmle.label | access to local variable sb : StringBuilder |
| GlobalDataFlowStringBuilder.cs:36:21:36:23 | access to local variable sb1 : StringBuilder | semmle.label | access to local variable sb1 : StringBuilder |
| GlobalDataFlowStringBuilder.cs:36:21:36:34 | call to method ToString : String | semmle.label | call to method ToString : String |
| GlobalDataFlowStringBuilder.cs:37:15:37:19 | access to local variable sink1 | semmle.label | access to local variable sink1 |
| GlobalDataFlowStringBuilder.cs:40:9:40:11 | [post] access to local variable sb2 : StringBuilder | semmle.label | [post] access to local variable sb2 : StringBuilder |
| GlobalDataFlowStringBuilder.cs:40:20:40:26 | (...) ... : AppendInterpolatedStringHandler | semmle.label | (...) ... : AppendInterpolatedStringHandler |
| GlobalDataFlowStringBuilder.cs:41:21:41:23 | access to local variable sb2 : StringBuilder | semmle.label | access to local variable sb2 : StringBuilder |
| GlobalDataFlowStringBuilder.cs:41:21:41:34 | call to method ToString : String | semmle.label | call to method ToString : String |
| GlobalDataFlowStringBuilder.cs:42:15:42:19 | access to local variable sink2 | semmle.label | access to local variable sink2 |
| GlobalDataFlowStringBuilder.cs:48:43:48:44 | [post] access to local variable sb : StringBuilder | semmle.label | [post] access to local variable sb : StringBuilder |
| GlobalDataFlowStringBuilder.cs:48:47:48:60 | "taint source" : String | semmle.label | "taint source" : String |
| GlobalDataFlowStringBuilder.cs:49:21:49:22 | access to local variable sb : StringBuilder | semmle.label | access to local variable sb : StringBuilder |
| GlobalDataFlowStringBuilder.cs:49:21:49:33 | call to method ToString : String | semmle.label | call to method ToString : String |
| GlobalDataFlowStringBuilder.cs:50:15:50:19 | access to local variable sink3 | semmle.label | access to local variable sink3 |
| Splitting.cs:3:28:3:34 | tainted : String | semmle.label | tainted : String |
| Splitting.cs:8:17:8:31 | [b (line 3): false] call to method Return<String> : String | semmle.label | [b (line 3): false] call to method Return<String> : String |
| Splitting.cs:8:17:8:31 | [b (line 3): true] call to method Return<String> : String | semmle.label | [b (line 3): true] call to method Return<String> : String |
@ -699,7 +734,7 @@ subpaths
| GlobalDataFlow.cs:73:94:73:98 | access to local variable sink0 : String | GlobalDataFlow.cs:298:26:298:26 | x : String | GlobalDataFlow.cs:301:16:301:41 | ... ? ... : ... : String | GlobalDataFlow.cs:73:29:73:101 | call to method Invoke : String |
| GlobalDataFlow.cs:76:19:76:23 | access to local variable sink1 : String | GlobalDataFlow.cs:304:32:304:32 | x : String | GlobalDataFlow.cs:306:9:306:13 | SSA def(y) : String | GlobalDataFlow.cs:76:30:76:34 | SSA def(sink2) : String |
| GlobalDataFlow.cs:79:19:79:23 | access to local variable sink2 : String | GlobalDataFlow.cs:310:32:310:32 | x : String | GlobalDataFlow.cs:312:9:312:13 | SSA def(y) : String | GlobalDataFlow.cs:79:30:79:34 | SSA def(sink3) : String |
| GlobalDataFlow.cs:81:23:81:65 | (...) ... : null [element] : String | GlobalDataFlow.cs:570:71:570:71 | e : null [element] : String | GlobalDataFlow.cs:575:44:575:47 | delegate call : String | GlobalDataFlow.cs:81:22:81:85 | call to method SelectEven<String,String> : IEnumerable<T> [element] : String |
| GlobalDataFlow.cs:81:23:81:65 | (...) ... : null [element] : String | GlobalDataFlow.cs:553:71:553:71 | e : null [element] : String | GlobalDataFlow.cs:558:44:558:47 | delegate call : String | GlobalDataFlow.cs:81:22:81:85 | call to method SelectEven<String,String> : IEnumerable<T> [element] : String |
| GlobalDataFlow.cs:138:63:138:63 | access to parameter x : String | GlobalDataFlow.cs:387:46:387:46 | x : String | GlobalDataFlow.cs:389:16:389:19 | delegate call : String | GlobalDataFlow.cs:138:45:138:64 | call to method ApplyFunc<String,String> : String |
| GlobalDataFlow.cs:139:29:139:33 | access to local variable sink3 : String | GlobalDataFlow.cs:138:40:138:40 | x : String | GlobalDataFlow.cs:138:45:138:64 | call to method ApplyFunc<String,String> : String | GlobalDataFlow.cs:139:21:139:34 | delegate call : String |
| GlobalDataFlow.cs:147:39:147:43 | access to local variable sink4 : String | GlobalDataFlow.cs:387:46:387:46 | x : String | GlobalDataFlow.cs:389:16:389:19 | delegate call : String | GlobalDataFlow.cs:147:21:147:44 | call to method ApplyFunc<String,String> : String |
@ -707,8 +742,9 @@ subpaths
| GlobalDataFlow.cs:389:18:389:18 | access to parameter x : String | GlobalDataFlow.cs:298:26:298:26 | x : String | GlobalDataFlow.cs:301:16:301:41 | ... ? ... : ... : String | GlobalDataFlow.cs:389:16:389:19 | delegate call : String |
| GlobalDataFlow.cs:389:18:389:18 | access to parameter x : String | GlobalDataFlow.cs:298:26:298:26 | x : String | GlobalDataFlow.cs:301:16:301:41 | ... ? ... : ... : String | GlobalDataFlow.cs:389:16:389:19 | delegate call : String |
| GlobalDataFlow.cs:389:18:389:18 | access to parameter x : String | GlobalDataFlow.cs:300:27:300:28 | x0 : String | GlobalDataFlow.cs:300:33:300:34 | access to parameter x0 : String | GlobalDataFlow.cs:389:16:389:19 | delegate call : String |
| GlobalDataFlow.cs:454:35:454:48 | "taint source" : String | GlobalDataFlow.cs:446:64:446:64 | s : String | GlobalDataFlow.cs:448:9:448:10 | [post] access to parameter sb : StringBuilder [element] : String | GlobalDataFlow.cs:454:31:454:32 | [post] access to local variable sb : StringBuilder [element] : String |
| GlobalDataFlow.cs:575:46:575:46 | access to local variable x : String | GlobalDataFlow.cs:81:79:81:79 | x : String | GlobalDataFlow.cs:81:84:81:84 | access to parameter x : String | GlobalDataFlow.cs:575:44:575:47 | delegate call : String |
| GlobalDataFlow.cs:558:46:558:46 | access to local variable x : String | GlobalDataFlow.cs:81:79:81:79 | x : String | GlobalDataFlow.cs:81:84:81:84 | access to parameter x : String | GlobalDataFlow.cs:558:44:558:47 | delegate call : String |
| GlobalDataFlowStringBuilder.cs:30:35:30:48 | "taint source" : String | GlobalDataFlowStringBuilder.cs:17:64:17:64 | s : String | GlobalDataFlowStringBuilder.cs:19:9:19:10 | [post] access to parameter sb : StringBuilder | GlobalDataFlowStringBuilder.cs:30:31:30:32 | [post] access to local variable sb : StringBuilder |
| GlobalDataFlowStringBuilder.cs:48:47:48:60 | "taint source" : String | GlobalDataFlowStringBuilder.cs:22:76:22:76 | s : String | GlobalDataFlowStringBuilder.cs:24:9:24:10 | [post] access to parameter sb : StringBuilder | GlobalDataFlowStringBuilder.cs:48:43:48:44 | [post] access to local variable sb : StringBuilder |
| Splitting.cs:8:24:8:30 | [b (line 3): false] access to parameter tainted : String | Splitting.cs:16:26:16:26 | x : String | Splitting.cs:16:32:16:32 | access to parameter x : String | Splitting.cs:8:17:8:31 | [b (line 3): false] call to method Return<String> : String |
| Splitting.cs:8:24:8:30 | [b (line 3): true] access to parameter tainted : String | Splitting.cs:16:26:16:26 | x : String | Splitting.cs:16:32:16:32 | access to parameter x : String | Splitting.cs:8:17:8:31 | [b (line 3): true] call to method Return<String> : String |
| Splitting.cs:20:29:20:29 | access to parameter s : String | Splitting.cs:16:26:16:26 | x : String | Splitting.cs:16:32:16:32 | access to parameter x : String | Splitting.cs:20:22:20:30 | call to method Return<String> : String |
@ -774,23 +810,26 @@ subpaths
| GlobalDataFlow.cs:329:15:329:25 | access to parameter sinkParam11 | GlobalDataFlow.cs:211:46:211:59 | "taint source" : String | GlobalDataFlow.cs:329:15:329:25 | access to parameter sinkParam11 | access to parameter sinkParam11 |
| GlobalDataFlow.cs:404:15:404:20 | access to local variable sink11 | GlobalDataFlow.cs:401:39:401:45 | tainted : String | GlobalDataFlow.cs:404:15:404:20 | access to local variable sink11 | access to local variable sink11 |
| GlobalDataFlow.cs:427:41:427:46 | access to local variable sink20 | GlobalDataFlow.cs:18:27:18:40 | "taint source" : String | GlobalDataFlow.cs:427:41:427:46 | access to local variable sink20 | access to local variable sink20 |
| GlobalDataFlow.cs:456:15:456:20 | access to local variable sink43 | GlobalDataFlow.cs:454:35:454:48 | "taint source" : String | GlobalDataFlow.cs:456:15:456:20 | access to local variable sink43 | access to local variable sink43 |
| GlobalDataFlow.cs:466:15:466:20 | access to local variable sink44 | GlobalDataFlow.cs:465:51:465:64 | "taint source" : String | GlobalDataFlow.cs:466:15:466:20 | access to local variable sink44 | access to local variable sink44 |
| GlobalDataFlow.cs:478:15:478:20 | access to local variable sink45 | GlobalDataFlow.cs:474:35:474:48 | "taint source" : String | GlobalDataFlow.cs:478:15:478:20 | access to local variable sink45 | access to local variable sink45 |
| GlobalDataFlow.cs:486:32:486:32 | access to parameter s | GlobalDataFlow.cs:490:28:490:41 | "taint source" : String | GlobalDataFlow.cs:486:32:486:32 | access to parameter s | access to parameter s |
| GlobalDataFlow.cs:508:15:508:22 | access to field field | GlobalDataFlow.cs:500:20:500:33 | "taint source" : String | GlobalDataFlow.cs:508:15:508:22 | access to field field | access to field field |
| GlobalDataFlow.cs:509:15:509:22 | access to field field | GlobalDataFlow.cs:500:20:500:33 | "taint source" : String | GlobalDataFlow.cs:509:15:509:22 | access to field field | access to field field |
| GlobalDataFlow.cs:515:15:515:22 | access to field field | GlobalDataFlow.cs:500:20:500:33 | "taint source" : String | GlobalDataFlow.cs:515:15:515:22 | access to field field | access to field field |
| GlobalDataFlow.cs:516:15:516:22 | access to field field | GlobalDataFlow.cs:500:20:500:33 | "taint source" : String | GlobalDataFlow.cs:516:15:516:22 | access to field field | access to field field |
| GlobalDataFlow.cs:517:15:517:22 | access to field field | GlobalDataFlow.cs:500:20:500:33 | "taint source" : String | GlobalDataFlow.cs:517:15:517:22 | access to field field | access to field field |
| GlobalDataFlow.cs:526:15:526:21 | access to field field | GlobalDataFlow.cs:500:20:500:33 | "taint source" : String | GlobalDataFlow.cs:526:15:526:21 | access to field field | access to field field |
| GlobalDataFlow.cs:533:15:533:21 | access to field field | GlobalDataFlow.cs:500:20:500:33 | "taint source" : String | GlobalDataFlow.cs:533:15:533:21 | access to field field | access to field field |
| GlobalDataFlow.cs:534:15:534:21 | access to field field | GlobalDataFlow.cs:500:20:500:33 | "taint source" : String | GlobalDataFlow.cs:534:15:534:21 | access to field field | access to field field |
| GlobalDataFlow.cs:548:15:548:21 | access to field field | GlobalDataFlow.cs:500:20:500:33 | "taint source" : String | GlobalDataFlow.cs:548:15:548:21 | access to field field | access to field field |
| GlobalDataFlow.cs:549:15:549:21 | access to field field | GlobalDataFlow.cs:500:20:500:33 | "taint source" : String | GlobalDataFlow.cs:549:15:549:21 | access to field field | access to field field |
| GlobalDataFlow.cs:550:15:550:21 | access to field field | GlobalDataFlow.cs:500:20:500:33 | "taint source" : String | GlobalDataFlow.cs:550:15:550:21 | access to field field | access to field field |
| GlobalDataFlow.cs:556:15:556:22 | access to field field | GlobalDataFlow.cs:500:20:500:33 | "taint source" : String | GlobalDataFlow.cs:556:15:556:22 | access to field field | access to field field |
| GlobalDataFlow.cs:564:15:564:21 | access to field field | GlobalDataFlow.cs:500:20:500:33 | "taint source" : String | GlobalDataFlow.cs:564:15:564:21 | access to field field | access to field field |
| GlobalDataFlow.cs:449:15:449:20 | access to local variable sink44 | GlobalDataFlow.cs:448:51:448:64 | "taint source" : String | GlobalDataFlow.cs:449:15:449:20 | access to local variable sink44 | access to local variable sink44 |
| GlobalDataFlow.cs:461:15:461:20 | access to local variable sink45 | GlobalDataFlow.cs:457:35:457:48 | "taint source" : String | GlobalDataFlow.cs:461:15:461:20 | access to local variable sink45 | access to local variable sink45 |
| GlobalDataFlow.cs:469:32:469:32 | access to parameter s | GlobalDataFlow.cs:473:28:473:41 | "taint source" : String | GlobalDataFlow.cs:469:32:469:32 | access to parameter s | access to parameter s |
| GlobalDataFlow.cs:491:15:491:22 | access to field field | GlobalDataFlow.cs:483:20:483:33 | "taint source" : String | GlobalDataFlow.cs:491:15:491:22 | access to field field | access to field field |
| GlobalDataFlow.cs:492:15:492:22 | access to field field | GlobalDataFlow.cs:483:20:483:33 | "taint source" : String | GlobalDataFlow.cs:492:15:492:22 | access to field field | access to field field |
| GlobalDataFlow.cs:498:15:498:22 | access to field field | GlobalDataFlow.cs:483:20:483:33 | "taint source" : String | GlobalDataFlow.cs:498:15:498:22 | access to field field | access to field field |
| GlobalDataFlow.cs:499:15:499:22 | access to field field | GlobalDataFlow.cs:483:20:483:33 | "taint source" : String | GlobalDataFlow.cs:499:15:499:22 | access to field field | access to field field |
| GlobalDataFlow.cs:500:15:500:22 | access to field field | GlobalDataFlow.cs:483:20:483:33 | "taint source" : String | GlobalDataFlow.cs:500:15:500:22 | access to field field | access to field field |
| GlobalDataFlow.cs:509:15:509:21 | access to field field | GlobalDataFlow.cs:483:20:483:33 | "taint source" : String | GlobalDataFlow.cs:509:15:509:21 | access to field field | access to field field |
| GlobalDataFlow.cs:516:15:516:21 | access to field field | GlobalDataFlow.cs:483:20:483:33 | "taint source" : String | GlobalDataFlow.cs:516:15:516:21 | access to field field | access to field field |
| GlobalDataFlow.cs:517:15:517:21 | access to field field | GlobalDataFlow.cs:483:20:483:33 | "taint source" : String | GlobalDataFlow.cs:517:15:517:21 | access to field field | access to field field |
| GlobalDataFlow.cs:531:15:531:21 | access to field field | GlobalDataFlow.cs:483:20:483:33 | "taint source" : String | GlobalDataFlow.cs:531:15:531:21 | access to field field | access to field field |
| GlobalDataFlow.cs:532:15:532:21 | access to field field | GlobalDataFlow.cs:483:20:483:33 | "taint source" : String | GlobalDataFlow.cs:532:15:532:21 | access to field field | access to field field |
| GlobalDataFlow.cs:533:15:533:21 | access to field field | GlobalDataFlow.cs:483:20:483:33 | "taint source" : String | GlobalDataFlow.cs:533:15:533:21 | access to field field | access to field field |
| GlobalDataFlow.cs:539:15:539:22 | access to field field | GlobalDataFlow.cs:483:20:483:33 | "taint source" : String | GlobalDataFlow.cs:539:15:539:22 | access to field field | access to field field |
| GlobalDataFlow.cs:547:15:547:21 | access to field field | GlobalDataFlow.cs:483:20:483:33 | "taint source" : String | GlobalDataFlow.cs:547:15:547:21 | access to field field | access to field field |
| GlobalDataFlowStringBuilder.cs:32:15:32:19 | access to local variable sink0 | GlobalDataFlowStringBuilder.cs:30:35:30:48 | "taint source" : String | GlobalDataFlowStringBuilder.cs:32:15:32:19 | access to local variable sink0 | access to local variable sink0 |
| GlobalDataFlowStringBuilder.cs:37:15:37:19 | access to local variable sink1 | GlobalDataFlowStringBuilder.cs:30:35:30:48 | "taint source" : String | GlobalDataFlowStringBuilder.cs:37:15:37:19 | access to local variable sink1 | access to local variable sink1 |
| GlobalDataFlowStringBuilder.cs:42:15:42:19 | access to local variable sink2 | GlobalDataFlowStringBuilder.cs:30:35:30:48 | "taint source" : String | GlobalDataFlowStringBuilder.cs:42:15:42:19 | access to local variable sink2 | access to local variable sink2 |
| GlobalDataFlowStringBuilder.cs:50:15:50:19 | access to local variable sink3 | GlobalDataFlowStringBuilder.cs:48:47:48:60 | "taint source" : String | GlobalDataFlowStringBuilder.cs:50:15:50:19 | access to local variable sink3 | access to local variable sink3 |
| Splitting.cs:9:15:9:15 | [b (line 3): false] access to local variable x | Splitting.cs:3:28:3:34 | tainted : String | Splitting.cs:9:15:9:15 | [b (line 3): false] access to local variable x | [b (line 3): false] access to local variable x |
| Splitting.cs:9:15:9:15 | [b (line 3): true] access to local variable x | Splitting.cs:3:28:3:34 | tainted : String | Splitting.cs:9:15:9:15 | [b (line 3): true] access to local variable x | [b (line 3): true] access to local variable x |
| Splitting.cs:11:19:11:19 | access to local variable x | Splitting.cs:3:28:3:34 | tainted : String | Splitting.cs:11:19:11:19 | access to local variable x | access to local variable x |

99
csharp/ql/test/library-tests/dataflow/library/FlowSummaries.expected
Просмотреть файл

@ -12779,83 +12779,88 @@ summary
| System.Text;StringBuilder;false;Append;(System.Char);;Argument[this];ReturnValue;value;manual |
| System.Text;StringBuilder;false;Append;(System.Char*,System.Int32);;Argument[this];ReturnValue;value;manual |
| System.Text;StringBuilder;false;Append;(System.Char,System.Int32);;Argument[this];ReturnValue;value;manual |
| System.Text;StringBuilder;false;Append;(System.Char[]);;Argument[0].Element;Argument[this].Element;value;manual |
| System.Text;StringBuilder;false;Append;(System.Char[]);;Argument[0].Element;Argument[this];taint;manual |
| System.Text;StringBuilder;false;Append;(System.Char[]);;Argument[this];ReturnValue;value;manual |
| System.Text;StringBuilder;false;Append;(System.Char[],System.Int32,System.Int32);;Argument[0].Element;Argument[this].Element;value;manual |
| System.Text;StringBuilder;false;Append;(System.Char[],System.Int32,System.Int32);;Argument[0].Element;Argument[this];taint;manual |
| System.Text;StringBuilder;false;Append;(System.Char[],System.Int32,System.Int32);;Argument[this];ReturnValue;value;manual |
| System.Text;StringBuilder;false;Append;(System.Decimal);;Argument[this];ReturnValue;value;manual |
| System.Text;StringBuilder;false;Append;(System.Double);;Argument[this];ReturnValue;value;manual |
| System.Text;StringBuilder;false;Append;(System.IFormatProvider,System.Text.StringBuilder+AppendInterpolatedStringHandler);;Argument[this];ReturnValue;value;df-generated |
| System.Text;StringBuilder;false;Append;(System.IFormatProvider,System.Text.StringBuilder+AppendInterpolatedStringHandler);;Argument[1];Argument[this];taint;manual |
| System.Text;StringBuilder;false;Append;(System.IFormatProvider,System.Text.StringBuilder+AppendInterpolatedStringHandler);;Argument[this];ReturnValue;value;manual |
| System.Text;StringBuilder;false;Append;(System.Int16);;Argument[this];ReturnValue;value;manual |
| System.Text;StringBuilder;false;Append;(System.Int32);;Argument[this];ReturnValue;value;manual |
| System.Text;StringBuilder;false;Append;(System.Int64);;Argument[this];ReturnValue;value;manual |
| System.Text;StringBuilder;false;Append;(System.Object);;Argument[0];Argument[this].Element;value;manual |
| System.Text;StringBuilder;false;Append;(System.Object);;Argument[0];Argument[this];taint;manual |
| System.Text;StringBuilder;false;Append;(System.Object);;Argument[this];ReturnValue;value;manual |
| System.Text;StringBuilder;false;Append;(System.ReadOnlyMemory<System.Char>);;Argument[this];ReturnValue;value;manual |
| System.Text;StringBuilder;false;Append;(System.ReadOnlySpan<System.Char>);;Argument[this];ReturnValue;value;manual |
| System.Text;StringBuilder;false;Append;(System.SByte);;Argument[this];ReturnValue;value;manual |
| System.Text;StringBuilder;false;Append;(System.Single);;Argument[this];ReturnValue;value;manual |
| System.Text;StringBuilder;false;Append;(System.String);;Argument[0];Argument[this].Element;value;manual |
| System.Text;StringBuilder;false;Append;(System.String);;Argument[0];Argument[this];taint;manual |
| System.Text;StringBuilder;false;Append;(System.String);;Argument[this];ReturnValue;value;manual |
| System.Text;StringBuilder;false;Append;(System.String,System.Int32,System.Int32);;Argument[0];Argument[this].Element;value;manual |
| System.Text;StringBuilder;false;Append;(System.String,System.Int32,System.Int32);;Argument[0];Argument[this];taint;manual |
| System.Text;StringBuilder;false;Append;(System.String,System.Int32,System.Int32);;Argument[this];ReturnValue;value;manual |
| System.Text;StringBuilder;false;Append;(System.Text.StringBuilder);;Argument[0];Argument[this];taint;manual |
| System.Text;StringBuilder;false;Append;(System.Text.StringBuilder);;Argument[this];ReturnValue;value;manual |
| System.Text;StringBuilder;false;Append;(System.Text.StringBuilder+AppendInterpolatedStringHandler);;Argument[this];ReturnValue;value;df-generated |
| System.Text;StringBuilder;false;Append;(System.Text.StringBuilder+AppendInterpolatedStringHandler);;Argument[0];Argument[this];taint;manual |
| System.Text;StringBuilder;false;Append;(System.Text.StringBuilder+AppendInterpolatedStringHandler);;Argument[this];ReturnValue;value;manual |
| System.Text;StringBuilder;false;Append;(System.Text.StringBuilder,System.Int32,System.Int32);;Argument[0];Argument[this];taint;manual |
| System.Text;StringBuilder;false;Append;(System.Text.StringBuilder,System.Int32,System.Int32);;Argument[this];ReturnValue;value;manual |
| System.Text;StringBuilder;false;Append;(System.UInt16);;Argument[this];ReturnValue;value;manual |
| System.Text;StringBuilder;false;Append;(System.UInt32);;Argument[this];ReturnValue;value;manual |
| System.Text;StringBuilder;false;Append;(System.UInt64);;Argument[this];ReturnValue;value;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.IFormatProvider,System.String,System.Object);;Argument[1];Argument[this].Element;value;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.IFormatProvider,System.String,System.Object);;Argument[2];Argument[this].Element;value;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.IFormatProvider,System.String,System.Object);;Argument[1];Argument[this];taint;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.IFormatProvider,System.String,System.Object);;Argument[2];Argument[this];taint;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.IFormatProvider,System.String,System.Object);;Argument[this];ReturnValue;value;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.IFormatProvider,System.String,System.Object,System.Object);;Argument[1];Argument[this].Element;value;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.IFormatProvider,System.String,System.Object,System.Object);;Argument[2];Argument[this].Element;value;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.IFormatProvider,System.String,System.Object,System.Object);;Argument[3];Argument[this].Element;value;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.IFormatProvider,System.String,System.Object,System.Object);;Argument[1];Argument[this];taint;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.IFormatProvider,System.String,System.Object,System.Object);;Argument[2];Argument[this];taint;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.IFormatProvider,System.String,System.Object,System.Object);;Argument[3];Argument[this];taint;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.IFormatProvider,System.String,System.Object,System.Object);;Argument[this];ReturnValue;value;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.IFormatProvider,System.String,System.Object,System.Object,System.Object);;Argument[1];Argument[this].Element;value;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.IFormatProvider,System.String,System.Object,System.Object,System.Object);;Argument[2];Argument[this].Element;value;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.IFormatProvider,System.String,System.Object,System.Object,System.Object);;Argument[3];Argument[this].Element;value;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.IFormatProvider,System.String,System.Object,System.Object,System.Object);;Argument[4];Argument[this].Element;value;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.IFormatProvider,System.String,System.Object,System.Object,System.Object);;Argument[1];Argument[this];taint;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.IFormatProvider,System.String,System.Object,System.Object,System.Object);;Argument[2];Argument[this];taint;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.IFormatProvider,System.String,System.Object,System.Object,System.Object);;Argument[3];Argument[this];taint;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.IFormatProvider,System.String,System.Object,System.Object,System.Object);;Argument[4];Argument[this];taint;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.IFormatProvider,System.String,System.Object,System.Object,System.Object);;Argument[this];ReturnValue;value;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.IFormatProvider,System.String,System.Object[]);;Argument[1];Argument[this].Element;value;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.IFormatProvider,System.String,System.Object[]);;Argument[2].Element;Argument[this].Element;value;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.IFormatProvider,System.String,System.Object[]);;Argument[1];Argument[this];taint;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.IFormatProvider,System.String,System.Object[]);;Argument[2].Element;Argument[this];taint;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.IFormatProvider,System.String,System.Object[]);;Argument[this];ReturnValue;value;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.String,System.Object);;Argument[0];Argument[this].Element;value;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.String,System.Object);;Argument[1];Argument[this].Element;value;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.String,System.Object);;Argument[0];Argument[this];taint;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.String,System.Object);;Argument[1];Argument[this];taint;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.String,System.Object);;Argument[this];ReturnValue;value;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.String,System.Object,System.Object);;Argument[0];Argument[this].Element;value;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.String,System.Object,System.Object);;Argument[1];Argument[this].Element;value;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.String,System.Object,System.Object);;Argument[2];Argument[this].Element;value;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.String,System.Object,System.Object);;Argument[0];Argument[this];taint;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.String,System.Object,System.Object);;Argument[1];Argument[this];taint;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.String,System.Object,System.Object);;Argument[2];Argument[this];taint;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.String,System.Object,System.Object);;Argument[this];ReturnValue;value;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.String,System.Object,System.Object,System.Object);;Argument[0];Argument[this].Element;value;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.String,System.Object,System.Object,System.Object);;Argument[1];Argument[this].Element;value;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.String,System.Object,System.Object,System.Object);;Argument[2];Argument[this].Element;value;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.String,System.Object,System.Object,System.Object);;Argument[3];Argument[this].Element;value;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.String,System.Object,System.Object,System.Object);;Argument[0];Argument[this];taint;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.String,System.Object,System.Object,System.Object);;Argument[1];Argument[this];taint;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.String,System.Object,System.Object,System.Object);;Argument[2];Argument[this];taint;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.String,System.Object,System.Object,System.Object);;Argument[3];Argument[this];taint;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.String,System.Object,System.Object,System.Object);;Argument[this];ReturnValue;value;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.String,System.Object[]);;Argument[0];Argument[this].Element;value;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.String,System.Object[]);;Argument[1].Element;Argument[this].Element;value;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.String,System.Object[]);;Argument[0];Argument[this];taint;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.String,System.Object[]);;Argument[1].Element;Argument[this];taint;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.String,System.Object[]);;Argument[this];ReturnValue;value;manual |
| System.Text;StringBuilder;false;AppendJoin;(System.Char,System.Object[]);;Argument[1].Element;Argument[this].Element;value;manual |
| System.Text;StringBuilder;false;AppendJoin;(System.Char,System.Object[]);;Argument[1].Element;Argument[this];taint;manual |
| System.Text;StringBuilder;false;AppendJoin;(System.Char,System.Object[]);;Argument[this];ReturnValue;value;manual |
| System.Text;StringBuilder;false;AppendJoin;(System.Char,System.String[]);;Argument[1].Element;Argument[this].Element;value;manual |
| System.Text;StringBuilder;false;AppendJoin;(System.Char,System.String[]);;Argument[1].Element;Argument[this];taint;manual |
| System.Text;StringBuilder;false;AppendJoin;(System.Char,System.String[]);;Argument[this];ReturnValue;value;manual |
| System.Text;StringBuilder;false;AppendJoin;(System.String,System.Object[]);;Argument[0];Argument[this].Element;value;manual |
| System.Text;StringBuilder;false;AppendJoin;(System.String,System.Object[]);;Argument[1].Element;Argument[this].Element;value;manual |
| System.Text;StringBuilder;false;AppendJoin;(System.String,System.Object[]);;Argument[0];Argument[this];taint;manual |
| System.Text;StringBuilder;false;AppendJoin;(System.String,System.Object[]);;Argument[1].Element;Argument[this];taint;manual |
| System.Text;StringBuilder;false;AppendJoin;(System.String,System.Object[]);;Argument[this];ReturnValue;value;manual |
| System.Text;StringBuilder;false;AppendJoin;(System.String,System.String[]);;Argument[0];Argument[this].Element;value;manual |
| System.Text;StringBuilder;false;AppendJoin;(System.String,System.String[]);;Argument[1].Element;Argument[this].Element;value;manual |
| System.Text;StringBuilder;false;AppendJoin;(System.String,System.String[]);;Argument[0];Argument[this];taint;manual |
| System.Text;StringBuilder;false;AppendJoin;(System.String,System.String[]);;Argument[1].Element;Argument[this];taint;manual |
| System.Text;StringBuilder;false;AppendJoin;(System.String,System.String[]);;Argument[this];ReturnValue;value;manual |
| System.Text;StringBuilder;false;AppendJoin<T>;(System.Char,System.Collections.Generic.IEnumerable<T>);;Argument[1].Element;Argument[this].Element;value;manual |
| System.Text;StringBuilder;false;AppendJoin<T>;(System.Char,System.Collections.Generic.IEnumerable<T>);;Argument[1].Element;Argument[this];taint;manual |
| System.Text;StringBuilder;false;AppendJoin<T>;(System.Char,System.Collections.Generic.IEnumerable<T>);;Argument[this];ReturnValue;value;manual |
| System.Text;StringBuilder;false;AppendJoin<T>;(System.String,System.Collections.Generic.IEnumerable<T>);;Argument[0];Argument[this].Element;value;manual |
| System.Text;StringBuilder;false;AppendJoin<T>;(System.String,System.Collections.Generic.IEnumerable<T>);;Argument[1].Element;Argument[this].Element;value;manual |
| System.Text;StringBuilder;false;AppendJoin<T>;(System.String,System.Collections.Generic.IEnumerable<T>);;Argument[0];Argument[this];taint;manual |
| System.Text;StringBuilder;false;AppendJoin<T>;(System.String,System.Collections.Generic.IEnumerable<T>);;Argument[1].Element;Argument[this];taint;manual |
| System.Text;StringBuilder;false;AppendJoin<T>;(System.String,System.Collections.Generic.IEnumerable<T>);;Argument[this];ReturnValue;value;manual |
| System.Text;StringBuilder;false;AppendLine;();;Argument[this];ReturnValue;value;manual |
| System.Text;StringBuilder;false;AppendLine;(System.IFormatProvider,System.Text.StringBuilder+AppendInterpolatedStringHandler);;Argument[this];ReturnValue;taint;df-generated |
| System.Text;StringBuilder;false;AppendLine;(System.String);;Argument[0];Argument[this].Element;value;manual |
| System.Text;StringBuilder;false;AppendLine;(System.IFormatProvider,System.Text.StringBuilder+AppendInterpolatedStringHandler);;Argument[1];Argument[this];taint;manual |
| System.Text;StringBuilder;false;AppendLine;(System.IFormatProvider,System.Text.StringBuilder+AppendInterpolatedStringHandler);;Argument[this];ReturnValue;value;manual |
| System.Text;StringBuilder;false;AppendLine;(System.String);;Argument[0];Argument[this];taint;manual |
| System.Text;StringBuilder;false;AppendLine;(System.String);;Argument[this];ReturnValue;value;manual |
| System.Text;StringBuilder;false;AppendLine;(System.Text.StringBuilder+AppendInterpolatedStringHandler);;Argument[this];ReturnValue;taint;df-generated |
| System.Text;StringBuilder;false;Clear;();;Argument[this].WithoutElement;Argument[this];value;manual |
| System.Text;StringBuilder;false;AppendLine;(System.Text.StringBuilder+AppendInterpolatedStringHandler);;Argument[0];Argument[this];taint;manual |
| System.Text;StringBuilder;false;AppendLine;(System.Text.StringBuilder+AppendInterpolatedStringHandler);;Argument[this];ReturnValue;value;manual |
| System.Text;StringBuilder;false;GetChunks;();;Argument[this];ReturnValue;taint;df-generated |
| System.Text;StringBuilder;false;GetObjectData;(System.Runtime.Serialization.SerializationInfo,System.Runtime.Serialization.StreamingContext);;Argument[this];Argument[0];taint;df-generated |
| System.Text;StringBuilder;false;Insert;(System.Int32,System.Boolean);;Argument[this];ReturnValue;taint;df-generated |
@ -12882,11 +12887,11 @@ summary
| System.Text;StringBuilder;false;Replace;(System.Char,System.Char,System.Int32,System.Int32);;Argument[this];ReturnValue;value;df-generated |
| System.Text;StringBuilder;false;Replace;(System.String,System.String);;Argument[this];ReturnValue;taint;df-generated |
| System.Text;StringBuilder;false;Replace;(System.String,System.String,System.Int32,System.Int32);;Argument[this];ReturnValue;value;df-generated |
| System.Text;StringBuilder;false;StringBuilder;(System.String);;Argument[0];Argument[this].Element;value;manual |
| System.Text;StringBuilder;false;StringBuilder;(System.String,System.Int32);;Argument[0];Argument[this].Element;value;manual |
| System.Text;StringBuilder;false;StringBuilder;(System.String,System.Int32,System.Int32,System.Int32);;Argument[0];Argument[this].Element;value;manual |
| System.Text;StringBuilder;false;ToString;();;Argument[this].Element;ReturnValue;taint;manual |
| System.Text;StringBuilder;false;ToString;(System.Int32,System.Int32);;Argument[this].Element;ReturnValue;taint;manual |
| System.Text;StringBuilder;false;StringBuilder;(System.String);;Argument[0];Argument[this];taint;manual |
| System.Text;StringBuilder;false;StringBuilder;(System.String,System.Int32);;Argument[0];Argument[this];taint;manual |
| System.Text;StringBuilder;false;StringBuilder;(System.String,System.Int32,System.Int32,System.Int32);;Argument[0];Argument[this];taint;manual |
| System.Text;StringBuilder;false;ToString;();;Argument[this];ReturnValue;taint;manual |
| System.Text;StringBuilder;false;ToString;(System.Int32,System.Int32);;Argument[this];ReturnValue;taint;manual |
| System.Text;StringRuneEnumerator;false;GetEnumerator;();;Argument[this].Element;ReturnValue.Property[System.Collections.Generic.IEnumerator`1.Current];value;manual |
| System.Text;StringRuneEnumerator;false;GetEnumerator;();;Argument[this].Element;ReturnValue.Property[System.Collections.IEnumerator.Current];value;manual |
| System.Text;StringRuneEnumerator;false;GetEnumerator;();;Argument[this];ReturnValue;value;df-generated |

99
csharp/ql/test/library-tests/dataflow/library/FlowSummariesFiltered.expected
Просмотреть файл

@ -10893,83 +10893,88 @@ summary
| System.Text;StringBuilder;false;Append;(System.Char);;Argument[this];ReturnValue;value;manual |
| System.Text;StringBuilder;false;Append;(System.Char*,System.Int32);;Argument[this];ReturnValue;value;manual |
| System.Text;StringBuilder;false;Append;(System.Char,System.Int32);;Argument[this];ReturnValue;value;manual |
| System.Text;StringBuilder;false;Append;(System.Char[]);;Argument[0].Element;Argument[this].Element;value;manual |
| System.Text;StringBuilder;false;Append;(System.Char[]);;Argument[0].Element;Argument[this];taint;manual |
| System.Text;StringBuilder;false;Append;(System.Char[]);;Argument[this];ReturnValue;value;manual |
| System.Text;StringBuilder;false;Append;(System.Char[],System.Int32,System.Int32);;Argument[0].Element;Argument[this].Element;value;manual |
| System.Text;StringBuilder;false;Append;(System.Char[],System.Int32,System.Int32);;Argument[0].Element;Argument[this];taint;manual |
| System.Text;StringBuilder;false;Append;(System.Char[],System.Int32,System.Int32);;Argument[this];ReturnValue;value;manual |
| System.Text;StringBuilder;false;Append;(System.Decimal);;Argument[this];ReturnValue;value;manual |
| System.Text;StringBuilder;false;Append;(System.Double);;Argument[this];ReturnValue;value;manual |
| System.Text;StringBuilder;false;Append;(System.IFormatProvider,System.Text.StringBuilder+AppendInterpolatedStringHandler);;Argument[this];ReturnValue;value;df-generated |
| System.Text;StringBuilder;false;Append;(System.IFormatProvider,System.Text.StringBuilder+AppendInterpolatedStringHandler);;Argument[1];Argument[this];taint;manual |
| System.Text;StringBuilder;false;Append;(System.IFormatProvider,System.Text.StringBuilder+AppendInterpolatedStringHandler);;Argument[this];ReturnValue;value;manual |
| System.Text;StringBuilder;false;Append;(System.Int16);;Argument[this];ReturnValue;value;manual |
| System.Text;StringBuilder;false;Append;(System.Int32);;Argument[this];ReturnValue;value;manual |
| System.Text;StringBuilder;false;Append;(System.Int64);;Argument[this];ReturnValue;value;manual |
| System.Text;StringBuilder;false;Append;(System.Object);;Argument[0];Argument[this].Element;value;manual |
| System.Text;StringBuilder;false;Append;(System.Object);;Argument[0];Argument[this];taint;manual |
| System.Text;StringBuilder;false;Append;(System.Object);;Argument[this];ReturnValue;value;manual |
| System.Text;StringBuilder;false;Append;(System.ReadOnlyMemory<System.Char>);;Argument[this];ReturnValue;value;manual |
| System.Text;StringBuilder;false;Append;(System.ReadOnlySpan<System.Char>);;Argument[this];ReturnValue;value;manual |
| System.Text;StringBuilder;false;Append;(System.SByte);;Argument[this];ReturnValue;value;manual |
| System.Text;StringBuilder;false;Append;(System.Single);;Argument[this];ReturnValue;value;manual |
| System.Text;StringBuilder;false;Append;(System.String);;Argument[0];Argument[this].Element;value;manual |
| System.Text;StringBuilder;false;Append;(System.String);;Argument[0];Argument[this];taint;manual |
| System.Text;StringBuilder;false;Append;(System.String);;Argument[this];ReturnValue;value;manual |
| System.Text;StringBuilder;false;Append;(System.String,System.Int32,System.Int32);;Argument[0];Argument[this].Element;value;manual |
| System.Text;StringBuilder;false;Append;(System.String,System.Int32,System.Int32);;Argument[0];Argument[this];taint;manual |
| System.Text;StringBuilder;false;Append;(System.String,System.Int32,System.Int32);;Argument[this];ReturnValue;value;manual |
| System.Text;StringBuilder;false;Append;(System.Text.StringBuilder);;Argument[0];Argument[this];taint;manual |
| System.Text;StringBuilder;false;Append;(System.Text.StringBuilder);;Argument[this];ReturnValue;value;manual |
| System.Text;StringBuilder;false;Append;(System.Text.StringBuilder+AppendInterpolatedStringHandler);;Argument[this];ReturnValue;value;df-generated |
| System.Text;StringBuilder;false;Append;(System.Text.StringBuilder+AppendInterpolatedStringHandler);;Argument[0];Argument[this];taint;manual |
| System.Text;StringBuilder;false;Append;(System.Text.StringBuilder+AppendInterpolatedStringHandler);;Argument[this];ReturnValue;value;manual |
| System.Text;StringBuilder;false;Append;(System.Text.StringBuilder,System.Int32,System.Int32);;Argument[0];Argument[this];taint;manual |
| System.Text;StringBuilder;false;Append;(System.Text.StringBuilder,System.Int32,System.Int32);;Argument[this];ReturnValue;value;manual |
| System.Text;StringBuilder;false;Append;(System.UInt16);;Argument[this];ReturnValue;value;manual |
| System.Text;StringBuilder;false;Append;(System.UInt32);;Argument[this];ReturnValue;value;manual |
| System.Text;StringBuilder;false;Append;(System.UInt64);;Argument[this];ReturnValue;value;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.IFormatProvider,System.String,System.Object);;Argument[1];Argument[this].Element;value;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.IFormatProvider,System.String,System.Object);;Argument[2];Argument[this].Element;value;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.IFormatProvider,System.String,System.Object);;Argument[1];Argument[this];taint;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.IFormatProvider,System.String,System.Object);;Argument[2];Argument[this];taint;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.IFormatProvider,System.String,System.Object);;Argument[this];ReturnValue;value;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.IFormatProvider,System.String,System.Object,System.Object);;Argument[1];Argument[this].Element;value;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.IFormatProvider,System.String,System.Object,System.Object);;Argument[2];Argument[this].Element;value;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.IFormatProvider,System.String,System.Object,System.Object);;Argument[3];Argument[this].Element;value;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.IFormatProvider,System.String,System.Object,System.Object);;Argument[1];Argument[this];taint;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.IFormatProvider,System.String,System.Object,System.Object);;Argument[2];Argument[this];taint;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.IFormatProvider,System.String,System.Object,System.Object);;Argument[3];Argument[this];taint;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.IFormatProvider,System.String,System.Object,System.Object);;Argument[this];ReturnValue;value;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.IFormatProvider,System.String,System.Object,System.Object,System.Object);;Argument[1];Argument[this].Element;value;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.IFormatProvider,System.String,System.Object,System.Object,System.Object);;Argument[2];Argument[this].Element;value;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.IFormatProvider,System.String,System.Object,System.Object,System.Object);;Argument[3];Argument[this].Element;value;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.IFormatProvider,System.String,System.Object,System.Object,System.Object);;Argument[4];Argument[this].Element;value;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.IFormatProvider,System.String,System.Object,System.Object,System.Object);;Argument[1];Argument[this];taint;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.IFormatProvider,System.String,System.Object,System.Object,System.Object);;Argument[2];Argument[this];taint;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.IFormatProvider,System.String,System.Object,System.Object,System.Object);;Argument[3];Argument[this];taint;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.IFormatProvider,System.String,System.Object,System.Object,System.Object);;Argument[4];Argument[this];taint;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.IFormatProvider,System.String,System.Object,System.Object,System.Object);;Argument[this];ReturnValue;value;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.IFormatProvider,System.String,System.Object[]);;Argument[1];Argument[this].Element;value;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.IFormatProvider,System.String,System.Object[]);;Argument[2].Element;Argument[this].Element;value;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.IFormatProvider,System.String,System.Object[]);;Argument[1];Argument[this];taint;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.IFormatProvider,System.String,System.Object[]);;Argument[2].Element;Argument[this];taint;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.IFormatProvider,System.String,System.Object[]);;Argument[this];ReturnValue;value;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.String,System.Object);;Argument[0];Argument[this].Element;value;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.String,System.Object);;Argument[1];Argument[this].Element;value;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.String,System.Object);;Argument[0];Argument[this];taint;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.String,System.Object);;Argument[1];Argument[this];taint;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.String,System.Object);;Argument[this];ReturnValue;value;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.String,System.Object,System.Object);;Argument[0];Argument[this].Element;value;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.String,System.Object,System.Object);;Argument[1];Argument[this].Element;value;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.String,System.Object,System.Object);;Argument[2];Argument[this].Element;value;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.String,System.Object,System.Object);;Argument[0];Argument[this];taint;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.String,System.Object,System.Object);;Argument[1];Argument[this];taint;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.String,System.Object,System.Object);;Argument[2];Argument[this];taint;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.String,System.Object,System.Object);;Argument[this];ReturnValue;value;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.String,System.Object,System.Object,System.Object);;Argument[0];Argument[this].Element;value;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.String,System.Object,System.Object,System.Object);;Argument[1];Argument[this].Element;value;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.String,System.Object,System.Object,System.Object);;Argument[2];Argument[this].Element;value;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.String,System.Object,System.Object,System.Object);;Argument[3];Argument[this].Element;value;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.String,System.Object,System.Object,System.Object);;Argument[0];Argument[this];taint;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.String,System.Object,System.Object,System.Object);;Argument[1];Argument[this];taint;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.String,System.Object,System.Object,System.Object);;Argument[2];Argument[this];taint;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.String,System.Object,System.Object,System.Object);;Argument[3];Argument[this];taint;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.String,System.Object,System.Object,System.Object);;Argument[this];ReturnValue;value;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.String,System.Object[]);;Argument[0];Argument[this].Element;value;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.String,System.Object[]);;Argument[1].Element;Argument[this].Element;value;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.String,System.Object[]);;Argument[0];Argument[this];taint;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.String,System.Object[]);;Argument[1].Element;Argument[this];taint;manual |
| System.Text;StringBuilder;false;AppendFormat;(System.String,System.Object[]);;Argument[this];ReturnValue;value;manual |
| System.Text;StringBuilder;false;AppendJoin;(System.Char,System.Object[]);;Argument[1].Element;Argument[this].Element;value;manual |
| System.Text;StringBuilder;false;AppendJoin;(System.Char,System.Object[]);;Argument[1].Element;Argument[this];taint;manual |
| System.Text;StringBuilder;false;AppendJoin;(System.Char,System.Object[]);;Argument[this];ReturnValue;value;manual |
| System.Text;StringBuilder;false;AppendJoin;(System.Char,System.String[]);;Argument[1].Element;Argument[this].Element;value;manual |
| System.Text;StringBuilder;false;AppendJoin;(System.Char,System.String[]);;Argument[1].Element;Argument[this];taint;manual |
| System.Text;StringBuilder;false;AppendJoin;(System.Char,System.String[]);;Argument[this];ReturnValue;value;manual |
| System.Text;StringBuilder;false;AppendJoin;(System.String,System.Object[]);;Argument[0];Argument[this].Element;value;manual |
| System.Text;StringBuilder;false;AppendJoin;(System.String,System.Object[]);;Argument[1].Element;Argument[this].Element;value;manual |
| System.Text;StringBuilder;false;AppendJoin;(System.String,System.Object[]);;Argument[0];Argument[this];taint;manual |
| System.Text;StringBuilder;false;AppendJoin;(System.String,System.Object[]);;Argument[1].Element;Argument[this];taint;manual |
| System.Text;StringBuilder;false;AppendJoin;(System.String,System.Object[]);;Argument[this];ReturnValue;value;manual |
| System.Text;StringBuilder;false;AppendJoin;(System.String,System.String[]);;Argument[0];Argument[this].Element;value;manual |
| System.Text;StringBuilder;false;AppendJoin;(System.String,System.String[]);;Argument[1].Element;Argument[this].Element;value;manual |
| System.Text;StringBuilder;false;AppendJoin;(System.String,System.String[]);;Argument[0];Argument[this];taint;manual |
| System.Text;StringBuilder;false;AppendJoin;(System.String,System.String[]);;Argument[1].Element;Argument[this];taint;manual |
| System.Text;StringBuilder;false;AppendJoin;(System.String,System.String[]);;Argument[this];ReturnValue;value;manual |
| System.Text;StringBuilder;false;AppendJoin<T>;(System.Char,System.Collections.Generic.IEnumerable<T>);;Argument[1].Element;Argument[this].Element;value;manual |
| System.Text;StringBuilder;false;AppendJoin<T>;(System.Char,System.Collections.Generic.IEnumerable<T>);;Argument[1].Element;Argument[this];taint;manual |
| System.Text;StringBuilder;false;AppendJoin<T>;(System.Char,System.Collections.Generic.IEnumerable<T>);;Argument[this];ReturnValue;value;manual |
| System.Text;StringBuilder;false;AppendJoin<T>;(System.String,System.Collections.Generic.IEnumerable<T>);;Argument[0];Argument[this].Element;value;manual |
| System.Text;StringBuilder;false;AppendJoin<T>;(System.String,System.Collections.Generic.IEnumerable<T>);;Argument[1].Element;Argument[this].Element;value;manual |
| System.Text;StringBuilder;false;AppendJoin<T>;(System.String,System.Collections.Generic.IEnumerable<T>);;Argument[0];Argument[this];taint;manual |
| System.Text;StringBuilder;false;AppendJoin<T>;(System.String,System.Collections.Generic.IEnumerable<T>);;Argument[1].Element;Argument[this];taint;manual |
| System.Text;StringBuilder;false;AppendJoin<T>;(System.String,System.Collections.Generic.IEnumerable<T>);;Argument[this];ReturnValue;value;manual |
| System.Text;StringBuilder;false;AppendLine;();;Argument[this];ReturnValue;value;manual |
| System.Text;StringBuilder;false;AppendLine;(System.IFormatProvider,System.Text.StringBuilder+AppendInterpolatedStringHandler);;Argument[this];ReturnValue;taint;df-generated |
| System.Text;StringBuilder;false;AppendLine;(System.String);;Argument[0];Argument[this].Element;value;manual |
| System.Text;StringBuilder;false;AppendLine;(System.IFormatProvider,System.Text.StringBuilder+AppendInterpolatedStringHandler);;Argument[1];Argument[this];taint;manual |
| System.Text;StringBuilder;false;AppendLine;(System.IFormatProvider,System.Text.StringBuilder+AppendInterpolatedStringHandler);;Argument[this];ReturnValue;value;manual |
| System.Text;StringBuilder;false;AppendLine;(System.String);;Argument[0];Argument[this];taint;manual |
| System.Text;StringBuilder;false;AppendLine;(System.String);;Argument[this];ReturnValue;value;manual |
| System.Text;StringBuilder;false;AppendLine;(System.Text.StringBuilder+AppendInterpolatedStringHandler);;Argument[this];ReturnValue;taint;df-generated |
| System.Text;StringBuilder;false;Clear;();;Argument[this].WithoutElement;Argument[this];value;manual |
| System.Text;StringBuilder;false;AppendLine;(System.Text.StringBuilder+AppendInterpolatedStringHandler);;Argument[0];Argument[this];taint;manual |
| System.Text;StringBuilder;false;AppendLine;(System.Text.StringBuilder+AppendInterpolatedStringHandler);;Argument[this];ReturnValue;value;manual |
| System.Text;StringBuilder;false;GetChunks;();;Argument[this];ReturnValue;taint;df-generated |
| System.Text;StringBuilder;false;GetObjectData;(System.Runtime.Serialization.SerializationInfo,System.Runtime.Serialization.StreamingContext);;Argument[this];Argument[0];taint;df-generated |
| System.Text;StringBuilder;false;Insert;(System.Int32,System.Boolean);;Argument[this];ReturnValue;taint;df-generated |
@ -10996,11 +11001,11 @@ summary
| System.Text;StringBuilder;false;Replace;(System.Char,System.Char,System.Int32,System.Int32);;Argument[this];ReturnValue;value;df-generated |
| System.Text;StringBuilder;false;Replace;(System.String,System.String);;Argument[this];ReturnValue;taint;df-generated |
| System.Text;StringBuilder;false;Replace;(System.String,System.String,System.Int32,System.Int32);;Argument[this];ReturnValue;value;df-generated |
| System.Text;StringBuilder;false;StringBuilder;(System.String);;Argument[0];Argument[this].Element;value;manual |
| System.Text;StringBuilder;false;StringBuilder;(System.String,System.Int32);;Argument[0];Argument[this].Element;value;manual |
| System.Text;StringBuilder;false;StringBuilder;(System.String,System.Int32,System.Int32,System.Int32);;Argument[0];Argument[this].Element;value;manual |
| System.Text;StringBuilder;false;ToString;();;Argument[this].Element;ReturnValue;taint;manual |
| System.Text;StringBuilder;false;ToString;(System.Int32,System.Int32);;Argument[this].Element;ReturnValue;taint;manual |
| System.Text;StringBuilder;false;StringBuilder;(System.String);;Argument[0];Argument[this];taint;manual |
| System.Text;StringBuilder;false;StringBuilder;(System.String,System.Int32);;Argument[0];Argument[this];taint;manual |
| System.Text;StringBuilder;false;StringBuilder;(System.String,System.Int32,System.Int32,System.Int32);;Argument[0];Argument[this];taint;manual |
| System.Text;StringBuilder;false;ToString;();;Argument[this];ReturnValue;taint;manual |
| System.Text;StringBuilder;false;ToString;(System.Int32,System.Int32);;Argument[this];ReturnValue;taint;manual |
| System.Text;StringRuneEnumerator;false;GetEnumerator;();;Argument[this];ReturnValue;value;df-generated |
| System.Text;StringRuneEnumerator;false;get_Current;();;Argument[this];ReturnValue;taint;df-generated |
| System.Threading.Channels;Channel;false;CreateBounded<T>;(System.Threading.Channels.BoundedChannelOptions,System.Action<T>);;Argument[1];Argument[1].Parameter[delegate-self];value;hq-generated |

4
csharp/ql/test/library-tests/parameters/Parameters.cs
Просмотреть файл

@ -27,6 +27,8 @@ public class Parameters
public void M19([Optional, DecimalConstant(1, 0, 0, 0, 103)] decimal arg9) => throw null;
public void M20([Optional, DefaultParameterValue(7)] MyStruct arg10) => throw null;
public void M21([Optional, DefaultParameterValue("mystring")] MyStruct arg10) => throw null;
public void M22(nuint arg11 = 0) => throw null;
public void M23(nint arg12 = 0) => throw null;
public struct MyStruct
{
@ -35,4 +37,4 @@ public class Parameters
}
public enum MyEnum { A = 1, B = 2 }
}
}

4
csharp/ql/test/library-tests/parameters/Parameters.cs_
Просмотреть файл

@ -27,6 +27,8 @@ public class ParametersDll
public void M19([Optional, DecimalConstant(1, 0, 0, 0, 103)] decimal arg9) => throw null;
public void M20([Optional, DefaultParameterValue(7)] MyStruct arg10) => throw null;
public void M21([Optional, DefaultParameterValue("mystring")] MyStruct arg10) => throw null;
public void M22(nuint arg11 = 0) => throw null;
public void M23(nint arg12 = 0) => throw null;
public struct MyStruct
{
@ -35,4 +37,4 @@ public class ParametersDll
}
public enum MyEnum { A = 1, B = 2 }
}
}

Двоичные данные
csharp/ql/test/library-tests/parameters/Parameters.dll
Просмотреть файл

Двоичный файл не отображается.

8
csharp/ql/test/library-tests/parameters/Parameters.expected
Просмотреть файл

@ -5,8 +5,8 @@ noDefaultValue
| Parameters.cs:8:17:8:18 | M2 | Parameters.cs:8:24:8:24 | a | 0 |
| Parameters.cs:12:17:12:18 | M6 | Parameters.cs:12:29:12:30 | s1 | 0 |
| Parameters.cs:13:17:13:18 | M7 | Parameters.cs:13:27:13:28 | e1 | 0 |
| Parameters.cs:33:32:33:39 | implicit conversion | Parameters.cs:33:54:33:54 | i | 0 |
| Parameters.cs:34:32:34:39 | implicit conversion | Parameters.cs:34:57:34:57 | s | 0 |
| Parameters.cs:35:32:35:39 | implicit conversion | Parameters.cs:35:54:35:54 | i | 0 |
| Parameters.cs:36:32:36:39 | implicit conversion | Parameters.cs:36:57:36:57 | s | 0 |
| Parameters.dll:0:0:0:0 | M1 | Parameters.dll:0:0:0:0 | a | 0 |
| Parameters.dll:0:0:0:0 | M1 | Parameters.dll:0:0:0:0 | b | 1 |
| Parameters.dll:0:0:0:0 | M1 | Parameters.dll:0:0:0:0 | c | 2 |
@ -45,6 +45,8 @@ withDefaultValue
| Parameters.cs:27:17:27:19 | M19 | Parameters.cs:27:74:27:77 | arg9 | 0 | Parameters.cs:27:21:27:77 | 10.3 | 10.3 |
| Parameters.cs:28:17:28:19 | M20 | Parameters.cs:28:67:28:71 | arg10 | 0 | Parameters.cs:28:21:28:71 | call to operator implicit conversion | - |
| Parameters.cs:29:17:29:19 | M21 | Parameters.cs:29:76:29:80 | arg10 | 0 | Parameters.cs:29:21:29:80 | call to operator implicit conversion | - |
| Parameters.cs:30:17:30:19 | M22 | Parameters.cs:30:27:30:31 | arg11 | 0 | Parameters.cs:30:35:30:35 | (...) ... | 0 |
| Parameters.cs:31:17:31:19 | M23 | Parameters.cs:31:26:31:30 | arg12 | 0 | Parameters.cs:31:34:31:34 | (...) ... | 0 |
| Parameters.dll:0:0:0:0 | M2 | Parameters.dll:0:0:0:0 | b | 1 | Parameters.dll:0:0:0:0 | default | null |
| Parameters.dll:0:0:0:0 | M2 | Parameters.dll:0:0:0:0 | c | 2 | Parameters.dll:0:0:0:0 | "default string" | default string |
| Parameters.dll:0:0:0:0 | M3 | Parameters.dll:0:0:0:0 | a | 0 | Parameters.dll:0:0:0:0 | 1 | 1 |
@ -74,6 +76,8 @@ withDefaultValue
| Parameters.dll:0:0:0:0 | M19 | Parameters.dll:0:0:0:0 | arg9 | 0 | Parameters.dll:0:0:0:0 | 10.3 | 10.3 |
| Parameters.dll:0:0:0:0 | M20 | Parameters.dll:0:0:0:0 | arg10 | 0 | Parameters.dll:0:0:0:0 | call to operator implicit conversion | - |
| Parameters.dll:0:0:0:0 | M21 | Parameters.dll:0:0:0:0 | arg10 | 0 | Parameters.dll:0:0:0:0 | call to operator implicit conversion | - |
| Parameters.dll:0:0:0:0 | M22 | Parameters.dll:0:0:0:0 | arg11 | 0 | Parameters.dll:0:0:0:0 | (...) ... | 0 |
| Parameters.dll:0:0:0:0 | M23 | Parameters.dll:0:0:0:0 | arg12 | 0 | Parameters.dll:0:0:0:0 | (...) ... | 0 |
dateTimeDefaults
| Parameters.cs:22:17:22:19 | M14 | Parameters.cs:22:64:22:67 | arg4 | Parameters.cs:22:21:22:67 | object creation of type DateTime | DateTime(long) | 14 |
| Parameters.cs:23:17:23:19 | M15 | Parameters.cs:23:68:23:71 | arg5 | Parameters.cs:23:21:23:71 | object creation of type DateTime | DateTime(long) | 10001 |

22
csharp/ql/test/query-tests/Security Features/CWE-079/XSSAsp/XSS.expected
Просмотреть файл

@ -1,12 +1,12 @@
edges
| XSS.cs:25:13:25:21 | [post] access to local variable userInput : StringBuilder [element] : String | XSS.cs:26:32:26:40 | access to local variable userInput : StringBuilder [element] : String |
| XSS.cs:25:13:25:21 | [post] access to local variable userInput : StringBuilder [element] : String | XSS.cs:27:29:27:37 | access to local variable userInput : StringBuilder [element] : String |
| XSS.cs:25:13:25:21 | [post] access to local variable userInput : StringBuilder [element] : String | XSS.cs:28:26:28:34 | access to local variable userInput : StringBuilder [element] : String |
| XSS.cs:25:13:25:21 | [post] access to local variable userInput : StringBuilder | XSS.cs:26:32:26:40 | access to local variable userInput : StringBuilder |
| XSS.cs:25:13:25:21 | [post] access to local variable userInput : StringBuilder | XSS.cs:27:29:27:37 | access to local variable userInput : StringBuilder |
| XSS.cs:25:13:25:21 | [post] access to local variable userInput : StringBuilder | XSS.cs:28:26:28:34 | access to local variable userInput : StringBuilder |
| XSS.cs:25:48:25:62 | access to field categoryTextBox : TextBox | XSS.cs:25:48:25:67 | access to property Text : String |
| XSS.cs:25:48:25:67 | access to property Text : String | XSS.cs:25:13:25:21 | [post] access to local variable userInput : StringBuilder [element] : String |
| XSS.cs:26:32:26:40 | access to local variable userInput : StringBuilder [element] : String | XSS.cs:26:32:26:51 | call to method ToString |
| XSS.cs:27:29:27:37 | access to local variable userInput : StringBuilder [element] : String | XSS.cs:27:29:27:48 | call to method ToString |
| XSS.cs:28:26:28:34 | access to local variable userInput : StringBuilder [element] : String | XSS.cs:28:26:28:45 | call to method ToString |
| XSS.cs:25:48:25:67 | access to property Text : String | XSS.cs:25:13:25:21 | [post] access to local variable userInput : StringBuilder |
| XSS.cs:26:32:26:40 | access to local variable userInput : StringBuilder | XSS.cs:26:32:26:51 | call to method ToString |
| XSS.cs:27:29:27:37 | access to local variable userInput : StringBuilder | XSS.cs:27:29:27:48 | call to method ToString |
| XSS.cs:28:26:28:34 | access to local variable userInput : StringBuilder | XSS.cs:28:26:28:45 | call to method ToString |
| XSS.cs:37:27:37:53 | access to property QueryString : NameValueCollection | XSS.cs:37:27:37:61 | access to indexer : String |
| XSS.cs:37:27:37:53 | access to property QueryString : NameValueCollection | XSS.cs:38:36:38:39 | access to local variable name |
| XSS.cs:37:27:37:61 | access to indexer : String | XSS.cs:38:36:38:39 | access to local variable name |
@ -29,14 +29,14 @@ edges
| script.aspx:16:1:16:34 | <%= ... %> | script.aspx:16:1:16:34 | <%= ... %> |
| script.aspx:20:1:20:41 | <%= ... %> | script.aspx:20:1:20:41 | <%= ... %> |
nodes
| XSS.cs:25:13:25:21 | [post] access to local variable userInput : StringBuilder [element] : String | semmle.label | [post] access to local variable userInput : StringBuilder [element] : String |
| XSS.cs:25:13:25:21 | [post] access to local variable userInput : StringBuilder | semmle.label | [post] access to local variable userInput : StringBuilder |
| XSS.cs:25:48:25:62 | access to field categoryTextBox : TextBox | semmle.label | access to field categoryTextBox : TextBox |
| XSS.cs:25:48:25:67 | access to property Text : String | semmle.label | access to property Text : String |
| XSS.cs:26:32:26:40 | access to local variable userInput : StringBuilder [element] : String | semmle.label | access to local variable userInput : StringBuilder [element] : String |
| XSS.cs:26:32:26:40 | access to local variable userInput : StringBuilder | semmle.label | access to local variable userInput : StringBuilder |
| XSS.cs:26:32:26:51 | call to method ToString | semmle.label | call to method ToString |
| XSS.cs:27:29:27:37 | access to local variable userInput : StringBuilder [element] : String | semmle.label | access to local variable userInput : StringBuilder [element] : String |
| XSS.cs:27:29:27:37 | access to local variable userInput : StringBuilder | semmle.label | access to local variable userInput : StringBuilder |
| XSS.cs:27:29:27:48 | call to method ToString | semmle.label | call to method ToString |
| XSS.cs:28:26:28:34 | access to local variable userInput : StringBuilder [element] : String | semmle.label | access to local variable userInput : StringBuilder [element] : String |
| XSS.cs:28:26:28:34 | access to local variable userInput : StringBuilder | semmle.label | access to local variable userInput : StringBuilder |
| XSS.cs:28:26:28:45 | call to method ToString | semmle.label | call to method ToString |
| XSS.cs:37:27:37:53 | access to property QueryString : NameValueCollection | semmle.label | access to property QueryString : NameValueCollection |
| XSS.cs:37:27:37:61 | access to indexer : String | semmle.label | access to indexer : String |

10
csharp/ql/test/query-tests/Security Features/CWE-338/InsecureRandomness.expected
Просмотреть файл

@ -2,10 +2,10 @@ edges
| InsecureRandomness.cs:28:13:28:16 | [post] access to local variable data : Byte[] [element] : Byte | InsecureRandomness.cs:29:57:29:60 | access to local variable data : Byte[] [element] : Byte |
| InsecureRandomness.cs:28:23:28:43 | (...) ... : Byte | InsecureRandomness.cs:28:13:28:16 | [post] access to local variable data : Byte[] [element] : Byte |
| InsecureRandomness.cs:28:29:28:43 | call to method Next : Int32 | InsecureRandomness.cs:28:23:28:43 | (...) ... : Byte |
| InsecureRandomness.cs:29:13:29:18 | [post] access to local variable result : StringBuilder [element] : String | InsecureRandomness.cs:31:16:31:21 | access to local variable result : StringBuilder [element] : String |
| InsecureRandomness.cs:29:27:29:61 | call to method GetString : String | InsecureRandomness.cs:29:13:29:18 | [post] access to local variable result : StringBuilder [element] : String |
| InsecureRandomness.cs:29:13:29:18 | [post] access to local variable result : StringBuilder | InsecureRandomness.cs:31:16:31:21 | access to local variable result : StringBuilder |
| InsecureRandomness.cs:29:27:29:61 | call to method GetString : String | InsecureRandomness.cs:29:13:29:18 | [post] access to local variable result : StringBuilder |
| InsecureRandomness.cs:29:57:29:60 | access to local variable data : Byte[] [element] : Byte | InsecureRandomness.cs:29:27:29:61 | call to method GetString : String |
| InsecureRandomness.cs:31:16:31:21 | access to local variable result : StringBuilder [element] : String | InsecureRandomness.cs:31:16:31:32 | call to method ToString : String |
| InsecureRandomness.cs:31:16:31:21 | access to local variable result : StringBuilder | InsecureRandomness.cs:31:16:31:32 | call to method ToString : String |
| InsecureRandomness.cs:31:16:31:32 | call to method ToString : String | InsecureRandomness.cs:12:27:12:50 | call to method InsecureRandomString |
| InsecureRandomness.cs:60:23:60:40 | access to array element : String | InsecureRandomness.cs:62:16:62:21 | access to local variable result : String |
| InsecureRandomness.cs:60:31:60:39 | call to method Next : Int32 | InsecureRandomness.cs:60:23:60:40 | access to array element : String |
@ -21,10 +21,10 @@ nodes
| InsecureRandomness.cs:28:13:28:16 | [post] access to local variable data : Byte[] [element] : Byte | semmle.label | [post] access to local variable data : Byte[] [element] : Byte |
| InsecureRandomness.cs:28:23:28:43 | (...) ... : Byte | semmle.label | (...) ... : Byte |
| InsecureRandomness.cs:28:29:28:43 | call to method Next : Int32 | semmle.label | call to method Next : Int32 |
| InsecureRandomness.cs:29:13:29:18 | [post] access to local variable result : StringBuilder [element] : String | semmle.label | [post] access to local variable result : StringBuilder [element] : String |
| InsecureRandomness.cs:29:13:29:18 | [post] access to local variable result : StringBuilder | semmle.label | [post] access to local variable result : StringBuilder |
| InsecureRandomness.cs:29:27:29:61 | call to method GetString : String | semmle.label | call to method GetString : String |
| InsecureRandomness.cs:29:57:29:60 | access to local variable data : Byte[] [element] : Byte | semmle.label | access to local variable data : Byte[] [element] : Byte |
| InsecureRandomness.cs:31:16:31:21 | access to local variable result : StringBuilder [element] : String | semmle.label | access to local variable result : StringBuilder [element] : String |
| InsecureRandomness.cs:31:16:31:21 | access to local variable result : StringBuilder | semmle.label | access to local variable result : StringBuilder |
| InsecureRandomness.cs:31:16:31:32 | call to method ToString : String | semmle.label | call to method ToString : String |
| InsecureRandomness.cs:60:23:60:40 | access to array element : String | semmle.label | access to array element : String |
| InsecureRandomness.cs:60:31:60:39 | call to method Next : Int32 | semmle.label | call to method Next : Int32 |

5
csharp/ql/test/resources/stubs/_frameworks/Microsoft.NETCore.App/System.Memory.cs
Просмотреть файл

@ -436,8 +436,9 @@ namespace System
public static System.ReadOnlySpan<T> TrimStart<T>(this System.ReadOnlySpan<T> span, T trimElement) where T : System.IEquatable<T> => throw null;
public static System.Span<T> TrimStart<T>(this System.Span<T> span, System.ReadOnlySpan<T> trimElements) where T : System.IEquatable<T> => throw null;
public static System.Span<T> TrimStart<T>(this System.Span<T> span, T trimElement) where T : System.IEquatable<T> => throw null;
public static bool TryWrite(this System.Span<char> destination, ref System.MemoryExtensions.TryWriteInterpolatedStringHandler handler, out int charsWritten) => throw null;
public static bool TryWrite(this System.Span<char> destination, System.IFormatProvider provider, ref System.MemoryExtensions.TryWriteInterpolatedStringHandler handler, out int charsWritten) => throw null;
public static bool TryWrite(this System.Span<char> destination, [System.Runtime.CompilerServices.InterpolatedStringHandlerArgument("destination")] ref System.MemoryExtensions.TryWriteInterpolatedStringHandler handler, out int charsWritten) => throw null;
public static bool TryWrite(this System.Span<char> destination, System.IFormatProvider provider, [System.Runtime.CompilerServices.InterpolatedStringHandlerArgument(new[] { "destination", "provider" })] ref System.MemoryExtensions.TryWriteInterpolatedStringHandler handler, out int charsWritten) => throw null;
[System.Runtime.CompilerServices.InterpolatedStringHandler]
public struct TryWriteInterpolatedStringHandler
{
public bool AppendFormatted(System.ReadOnlySpan<char> value) => throw null;

28
csharp/ql/test/resources/stubs/_frameworks/Microsoft.NETCore.App/System.Runtime.cs
Просмотреть файл

@ -2697,11 +2697,12 @@ namespace System
public static class Debug
{
public static void Assert(bool condition) => throw null;
public static void Assert(bool condition, ref System.Diagnostics.Debug.AssertInterpolatedStringHandler message) => throw null;
public static void Assert(bool condition, ref System.Diagnostics.Debug.AssertInterpolatedStringHandler message, ref System.Diagnostics.Debug.AssertInterpolatedStringHandler detailMessage) => throw null;
public static void Assert(bool condition, [System.Runtime.CompilerServices.InterpolatedStringHandlerArgument("condition")] ref System.Diagnostics.Debug.AssertInterpolatedStringHandler message) => throw null;
public static void Assert(bool condition, [System.Runtime.CompilerServices.InterpolatedStringHandlerArgument("condition")] ref System.Diagnostics.Debug.AssertInterpolatedStringHandler message, [System.Runtime.CompilerServices.InterpolatedStringHandlerArgument("condition")] ref System.Diagnostics.Debug.AssertInterpolatedStringHandler detailMessage) => throw null;
public static void Assert(bool condition, string message) => throw null;
public static void Assert(bool condition, string message, string detailMessage) => throw null;
public static void Assert(bool condition, string message, string detailMessageFormat, params object[] args) => throw null;
[System.Runtime.CompilerServices.InterpolatedStringHandler]
public struct AssertInterpolatedStringHandler
{
public void AppendFormatted(object value, int alignment = default(int), string format = default(string)) => throw null;
@ -2731,12 +2732,13 @@ namespace System
public static void Write(object value, string category) => throw null;
public static void Write(string message) => throw null;
public static void Write(string message, string category) => throw null;
public static void WriteIf(bool condition, ref System.Diagnostics.Debug.WriteIfInterpolatedStringHandler message) => throw null;
public static void WriteIf(bool condition, ref System.Diagnostics.Debug.WriteIfInterpolatedStringHandler message, string category) => throw null;
public static void WriteIf(bool condition, [System.Runtime.CompilerServices.InterpolatedStringHandlerArgument("condition")] ref System.Diagnostics.Debug.WriteIfInterpolatedStringHandler message) => throw null;
public static void WriteIf(bool condition, [System.Runtime.CompilerServices.InterpolatedStringHandlerArgument("condition")] ref System.Diagnostics.Debug.WriteIfInterpolatedStringHandler message, string category) => throw null;
public static void WriteIf(bool condition, object value) => throw null;
public static void WriteIf(bool condition, object value, string category) => throw null;
public static void WriteIf(bool condition, string message) => throw null;
public static void WriteIf(bool condition, string message, string category) => throw null;
[System.Runtime.CompilerServices.InterpolatedStringHandler]
public struct WriteIfInterpolatedStringHandler
{
public void AppendFormatted(object value, int alignment = default(int), string format = default(string)) => throw null;
@ -2756,8 +2758,8 @@ namespace System
public static void WriteLine(string message) => throw null;
public static void WriteLine(string format, params object[] args) => throw null;
public static void WriteLine(string message, string category) => throw null;
public static void WriteLineIf(bool condition, ref System.Diagnostics.Debug.WriteIfInterpolatedStringHandler message) => throw null;
public static void WriteLineIf(bool condition, ref System.Diagnostics.Debug.WriteIfInterpolatedStringHandler message, string category) => throw null;
public static void WriteLineIf(bool condition, [System.Runtime.CompilerServices.InterpolatedStringHandlerArgument("condition")] ref System.Diagnostics.Debug.WriteIfInterpolatedStringHandler message) => throw null;
public static void WriteLineIf(bool condition, [System.Runtime.CompilerServices.InterpolatedStringHandlerArgument("condition")] ref System.Diagnostics.Debug.WriteIfInterpolatedStringHandler message, string category) => throw null;
public static void WriteLineIf(bool condition, object value) => throw null;
public static void WriteLineIf(bool condition, object value, string category) => throw null;
public static void WriteLineIf(bool condition, string message) => throw null;
@ -9036,6 +9038,7 @@ namespace System
public DefaultDependencyAttribute(System.Runtime.CompilerServices.LoadHint loadHintArgument) => throw null;
public System.Runtime.CompilerServices.LoadHint LoadHint { get => throw null; }
}
[System.Runtime.CompilerServices.InterpolatedStringHandler]
public struct DefaultInterpolatedStringHandler
{
public void AppendFormatted(object value, int alignment = default(int), string format = default(string)) => throw null;
@ -10876,8 +10879,8 @@ namespace System
public static string Copy(string str) => throw null;
public void CopyTo(int sourceIndex, char[] destination, int destinationIndex, int count) => throw null;
public void CopyTo(System.Span<char> destination) => throw null;
public static string Create(System.IFormatProvider provider, ref System.Runtime.CompilerServices.DefaultInterpolatedStringHandler handler) => throw null;
public static string Create(System.IFormatProvider provider, System.Span<char> initialBuffer, ref System.Runtime.CompilerServices.DefaultInterpolatedStringHandler handler) => throw null;
public static string Create(System.IFormatProvider provider, [System.Runtime.CompilerServices.InterpolatedStringHandlerArgument("provider")] ref System.Runtime.CompilerServices.DefaultInterpolatedStringHandler handler) => throw null;
public static string Create(System.IFormatProvider provider, System.Span<char> initialBuffer, [System.Runtime.CompilerServices.InterpolatedStringHandlerArgument(new[] { "provider", "initialBuffer" })] ref System.Runtime.CompilerServices.DefaultInterpolatedStringHandler handler) => throw null;
public static string Create<TState>(int length, TState state, System.Buffers.SpanAction<char, TState> action) => throw null;
public unsafe String(char* value) => throw null;
public unsafe String(char* value, int startIndex, int length) => throw null;
@ -11419,7 +11422,7 @@ namespace System
public System.Text.StringBuilder Append(char[] value, int startIndex, int charCount) => throw null;
public System.Text.StringBuilder Append(decimal value) => throw null;
public System.Text.StringBuilder Append(double value) => throw null;
public System.Text.StringBuilder Append(System.IFormatProvider provider, ref System.Text.StringBuilder.AppendInterpolatedStringHandler handler) => throw null;
public System.Text.StringBuilder Append(System.IFormatProvider provider, [System.Runtime.CompilerServices.InterpolatedStringHandlerArgument(new[] { "", "provider" })] ref System.Text.StringBuilder.AppendInterpolatedStringHandler handler) => throw null;
public System.Text.StringBuilder Append(short value) => throw null;
public System.Text.StringBuilder Append(int value) => throw null;
public System.Text.StringBuilder Append(long value) => throw null;
@ -11432,7 +11435,7 @@ namespace System
public System.Text.StringBuilder Append(string value, int startIndex, int count) => throw null;
public System.Text.StringBuilder Append(System.Text.StringBuilder value) => throw null;
public System.Text.StringBuilder Append(System.Text.StringBuilder value, int startIndex, int count) => throw null;
public System.Text.StringBuilder Append(ref System.Text.StringBuilder.AppendInterpolatedStringHandler handler) => throw null;
public System.Text.StringBuilder Append([System.Runtime.CompilerServices.InterpolatedStringHandlerArgument("")] ref System.Text.StringBuilder.AppendInterpolatedStringHandler handler) => throw null;
public System.Text.StringBuilder Append(ushort value) => throw null;
public System.Text.StringBuilder Append(uint value) => throw null;
public System.Text.StringBuilder Append(ulong value) => throw null;
@ -11444,6 +11447,7 @@ namespace System
public System.Text.StringBuilder AppendFormat(string format, object arg0, object arg1) => throw null;
public System.Text.StringBuilder AppendFormat(string format, object arg0, object arg1, object arg2) => throw null;
public System.Text.StringBuilder AppendFormat(string format, params object[] args) => throw null;
[System.Runtime.CompilerServices.InterpolatedStringHandler]
public struct AppendInterpolatedStringHandler
{
public void AppendFormatted(object value, int alignment = default(int), string format = default(string)) => throw null;
@ -11466,9 +11470,9 @@ namespace System
public System.Text.StringBuilder AppendJoin<T>(char separator, System.Collections.Generic.IEnumerable<T> values) => throw null;
public System.Text.StringBuilder AppendJoin<T>(string separator, System.Collections.Generic.IEnumerable<T> values) => throw null;
public System.Text.StringBuilder AppendLine() => throw null;
public System.Text.StringBuilder AppendLine(System.IFormatProvider provider, ref System.Text.StringBuilder.AppendInterpolatedStringHandler handler) => throw null;
public System.Text.StringBuilder AppendLine(System.IFormatProvider provider, [System.Runtime.CompilerServices.InterpolatedStringHandlerArgument(new[] { "", "provider" })] ref System.Text.StringBuilder.AppendInterpolatedStringHandler handler) => throw null;
public System.Text.StringBuilder AppendLine(string value) => throw null;
public System.Text.StringBuilder AppendLine(ref System.Text.StringBuilder.AppendInterpolatedStringHandler handler) => throw null;
public System.Text.StringBuilder AppendLine([System.Runtime.CompilerServices.InterpolatedStringHandlerArgument("")] ref System.Text.StringBuilder.AppendInterpolatedStringHandler handler) => throw null;
public int Capacity { get => throw null; set { } }
public struct ChunkEnumerator
{

2780
swift/downgrades/60be249ad164f6e4b43c203323f1b3956dc97c2f/old.dbscheme Normal file
Просмотреть файл

Разница между файлами не показана из-за своего большого размера Загрузить разницу

2774
swift/downgrades/60be249ad164f6e4b43c203323f1b3956dc97c2f/swift.dbscheme Normal file
Просмотреть файл

Разница между файлами не показана из-за своего большого размера Загрузить разницу

4
swift/downgrades/60be249ad164f6e4b43c203323f1b3956dc97c2f/upgrade.properties Normal file
Просмотреть файл

@ -0,0 +1,4 @@
description: Remove types for patterns
compatibility: partial
pattern_types.rel: delete

23
swift/extractor/translators/PatternTranslator.cpp
Просмотреть файл

@ -3,40 +3,41 @@
namespace codeql {
codeql::NamedPattern PatternTranslator::translateNamedPattern(const swift::NamedPattern& pattern) {
auto entry = dispatcher.createEntry(pattern);
auto entry = createPatternEntry(pattern);
entry.var_decl = dispatcher.fetchLabel(pattern.getDecl());
return entry;
}
codeql::TypedPattern PatternTranslator::translateTypedPattern(const swift::TypedPattern& pattern) {
auto entry = dispatcher.createEntry(pattern);
auto entry = createPatternEntry(pattern);
entry.sub_pattern = dispatcher.fetchLabel(pattern.getSubPattern());
entry.type_repr = dispatcher.fetchOptionalLabel(pattern.getTypeRepr(), pattern.getType());
return entry;
}
codeql::TuplePattern PatternTranslator::translateTuplePattern(const swift::TuplePattern& pattern) {
auto entry = dispatcher.createEntry(pattern);
auto entry = createPatternEntry(pattern);
for (const auto& p : pattern.getElements()) {
entry.elements.push_back(dispatcher.fetchLabel(p.getPattern()));
}
return entry;
}
codeql::AnyPattern PatternTranslator::translateAnyPattern(const swift::AnyPattern& pattern) {
auto entry = dispatcher.createEntry(pattern);
auto entry = createPatternEntry(pattern);
return entry;
}
codeql::BindingPattern PatternTranslator::translateBindingPattern(
const swift::BindingPattern& pattern) {
auto entry = dispatcher.createEntry(pattern);
auto entry = createPatternEntry(pattern);
entry.sub_pattern = dispatcher.fetchLabel(pattern.getSubPattern());
return entry;
}
codeql::EnumElementPattern PatternTranslator::translateEnumElementPattern(
const swift::EnumElementPattern& pattern) {
auto entry = dispatcher.createEntry(pattern);
auto entry = createPatternEntry(pattern);
entry.element = dispatcher.fetchLabel(pattern.getElementDecl());
entry.sub_pattern = dispatcher.fetchOptionalLabel(pattern.getSubPattern());
return entry;
@ -44,13 +45,13 @@ codeql::EnumElementPattern PatternTranslator::translateEnumElementPattern(
codeql::OptionalSomePattern PatternTranslator::translateOptionalSomePattern(
const swift::OptionalSomePattern& pattern) {
auto entry = dispatcher.createEntry(pattern);
auto entry = createPatternEntry(pattern);
entry.sub_pattern = dispatcher.fetchLabel(pattern.getSubPattern());
return entry;
}
codeql::IsPattern PatternTranslator::translateIsPattern(const swift::IsPattern& pattern) {
auto entry = dispatcher.createEntry(pattern);
auto entry = createPatternEntry(pattern);
entry.cast_type_repr =
dispatcher.fetchOptionalLabel(pattern.getCastTypeRepr(), pattern.getCastType());
entry.sub_pattern = dispatcher.fetchOptionalLabel(pattern.getSubPattern());
@ -58,7 +59,7 @@ codeql::IsPattern PatternTranslator::translateIsPattern(const swift::IsPattern&
}
codeql::ExprPattern PatternTranslator::translateExprPattern(const swift::ExprPattern& pattern) {
auto entry = dispatcher.createEntry(pattern);
auto entry = createPatternEntry(pattern);
if (auto match = pattern.getMatchExpr()) {
entry.sub_expr = dispatcher.fetchLabel(match);
} else {
@ -68,13 +69,13 @@ codeql::ExprPattern PatternTranslator::translateExprPattern(const swift::ExprPat
}
codeql::ParenPattern PatternTranslator::translateParenPattern(const swift::ParenPattern& pattern) {
auto entry = dispatcher.createEntry(pattern);
auto entry = createPatternEntry(pattern);
entry.sub_pattern = dispatcher.fetchLabel(pattern.getSubPattern());
return entry;
}
codeql::BoolPattern PatternTranslator::translateBoolPattern(const swift::BoolPattern& pattern) {
auto entry = dispatcher.createEntry(pattern);
auto entry = createPatternEntry(pattern);
entry.value = pattern.getValue();
return entry;
}

8
swift/extractor/translators/PatternTranslator.h
Просмотреть файл

@ -23,5 +23,13 @@ class PatternTranslator : public AstTranslatorBase<PatternTranslator> {
codeql::ExprPattern translateExprPattern(const swift::ExprPattern& pattern);
codeql::ParenPattern translateParenPattern(const swift::ParenPattern& pattern);
codeql::BoolPattern translateBoolPattern(const swift::BoolPattern& pattern);
private:
template <typename T>
TrapClassOf<T> createPatternEntry(const T& pattern) {
auto entry = dispatcher.createEntry(pattern);
entry.type = dispatcher.fetchOptionalLabel(pattern.getType());
return entry;
}
};
} // namespace codeql

6
swift/ql/.generated.list сгенерированный
Просмотреть файл

@ -407,10 +407,10 @@ lib/codeql/swift/generated/Locatable.qll 6cb437dd7ff7331429ec6586b0af50b1af15e4f
lib/codeql/swift/generated/Location.qll 3f3bad413be87d05a596fe7b8004f415c2caa98cb759021a6aad20b589b7d700 ed30ed646962b3ffb6b47c97c6434fe47a6b1ea8e3f2e0589577bea5cf96c88e
lib/codeql/swift/generated/MacroRole.qll aaf5631c49de81e046854955341202d6d3516713cd09bc2e7b870e40c261cc9f 6cd17d40cbf1d8fa4ef01dfb8b3462b7cee902e6058fb76417c2035be12481d1
lib/codeql/swift/generated/OtherAvailabilitySpec.qll 06393a08e8da36106c5ec6efb9f1bd56a5c7b3d3f3d0bcefc6fa07fa96860c31 06393a08e8da36106c5ec6efb9f1bd56a5c7b3d3f3d0bcefc6fa07fa96860c31
lib/codeql/swift/generated/ParentChild.qll 281ac5b565c0d8b2c9cfc1a524024e3a2514034a5266b7a7d75ab3770fc398d3 2829f5e61adbd863f4ad823ecfd7c1bb5eccaf14bb121b85ad460175b733fe30
lib/codeql/swift/generated/ParentChild.qll 523f0fdf11a8007a80b35d7f8b99f736face08513311c8e998ca20ae1e535ebe 2829f5e61adbd863f4ad823ecfd7c1bb5eccaf14bb121b85ad460175b733fe30
lib/codeql/swift/generated/PlatformVersionAvailabilitySpec.qll 5355be9da8b778d1d8ae60d25d9c3394477da24f94e8a6ab4484c6a16d07cd7c 075438c1762ec0a7775004b39032dcf85aada038a4269e6f428c34b8282786e9
lib/codeql/swift/generated/PureSynthConstructors.qll 40f5c0c573ce12f16322d9efb12306750f672254cbc36a200c298cb08e504229 40f5c0c573ce12f16322d9efb12306750f672254cbc36a200c298cb08e504229
lib/codeql/swift/generated/Raw.qll 1915a5a46c0ba57ebc8a0e41c4e49e3f3d9ee21cd863d1c9a8a0a455e5e9e24a 04f4a7eb8deb7f501e4a98563283094e1d53f8f0f8c82809ed05a5e99dff6787
lib/codeql/swift/generated/Raw.qll 252bb96829d1c284ec8036e54f14db83d5a3c9be1c2bdc05bc7add7cf46ca618 4cdc6643270b2fc78805635a738dfd506bdee9dc770bc74ec66558c1efff7697
lib/codeql/swift/generated/Synth.qll b8bf274c60f60df473ed9093b50906822613dee047bda19ad37d07c308f04564 692590b0b18556a23cc1de0c8a60fd17534791dccb876cab85170bbf78392bd1
lib/codeql/swift/generated/SynthConstructors.qll d3b4b5d93be989004d7c05bbc32a5b859eaad768b4a52cfb01a767c90542f9a4 d3b4b5d93be989004d7c05bbc32a5b859eaad768b4a52cfb01a767c90542f9a4
lib/codeql/swift/generated/UnknownFile.qll 5325944cf96a72d5d224597745e15960fb6a9448b96b6644ececd6344dfd9d74 5325944cf96a72d5d224597745e15960fb6a9448b96b6644ececd6344dfd9d74
@ -598,7 +598,7 @@ lib/codeql/swift/generated/pattern/IsPattern.qll e7f07b8788fa9146222bd2a11ee95ff
lib/codeql/swift/generated/pattern/NamedPattern.qll fe1a2a14423410c58bdfff496c50bbaf3990420ee72f3924d7bc190c9aee8dec a4acf22a77764575e1e7351dc99c682e9dba3df79adaeae1c716d4305b1e5fb9
lib/codeql/swift/generated/pattern/OptionalSomePattern.qll 91dacbff67ce93fac560eee6991729e12f00b768f3d55d8423840478f0aa10f6 3dab75289fe8e90eed5ddaad9b8064ffd4c5d74c25a6fa929d4406212f7371ca
lib/codeql/swift/generated/pattern/ParenPattern.qll 91d0cfe2cc1b1f321e252798469fb8f0dfcca91c8b1e1a120f3ffef317ef1391 ee1ceaa127d4fd5826e637f741d3a90fa9cf474ee8d4a4fdf39b4e680b7d7111
lib/codeql/swift/generated/pattern/Pattern.qll 09438ac3d6a84171b2d3b98d9a2331c0f5c14c9ef5df4cd5bc6650bd6a246032 f1ba81c3f87a71da3be416735026ff0e476ed74f017dced77a1cc78dfc0e2e68
lib/codeql/swift/generated/pattern/Pattern.qll 4da3547291a5078cc5c9d607440dd814a123302517087aa85b3c2f8da0437dbb 0ef78e49d9ec683559bf42fd5b3335a66a063afb29db6fc61467c703323cded4
lib/codeql/swift/generated/pattern/TuplePattern.qll d3477149a849f6e6076967d8369de531f9047ad0b8fa50081b9575337a8b97ea 8ae46d5e763e23e88a24b95731caa940f7b476a54d41f7fd35856266209a397a
lib/codeql/swift/generated/pattern/TypedPattern.qll 5831d67d800c60619de0043f61ba316fa8f3c6b6c135c7efbbabd918bf30d455 e6867d3501168c2953db83f3a69fd327b366a5e4038916afabdc7997b0c743bd
lib/codeql/swift/generated/stmt/BraceStmt.qll 8ba805c9798a7b5c83b30230f9eec5ad991fdbb0dc6060a15e7dd36579433cf2 7104211507d4f64056cf698d282778d68224240e79674085d1165fd25197fa92

5
swift/ql/lib/change-notes/2023-10-24-pattern-types.md Normal file
Просмотреть файл

@ -0,0 +1,5 @@
---
category: minorAnalysis
---
* Tyes for patterns are now included in the database and made available through the `Pattern::getType()` method.

4
swift/ql/lib/change-notes/2023-12-05-seckey.md Normal file
Просмотреть файл

@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* Added a sensitive data model for `SecKeyCopyExternalRepresentation`.

13
swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Security.qll Normal file
Просмотреть файл

@ -0,0 +1,13 @@
/**
* Provides models for standard library Swift classses related to security
* (certificate, key and trust services).
*/
import swift
private import codeql.swift.dataflow.ExternalFlow
private class SensitiveSources extends SourceModelCsv {
override predicate row(string row) {
row = ";;false;SecKeyCopyExternalRepresentation(_:_:);;;ReturnValue;sensitive-credential"
}
}

1
swift/ql/lib/codeql/swift/frameworks/StandardLibrary/StandardLibrary.qll
Просмотреть файл

@ -19,6 +19,7 @@ private import NsUrl
private import Numeric
private import RawRepresentable
private import PointerTypes
private import Security
private import Sequence
private import Set
private import Stream

7
swift/ql/lib/codeql/swift/generated/Raw.qll сгенерированный
Просмотреть файл

@ -2552,7 +2552,12 @@ module Raw {
/**
* INTERNAL: Do not use.
*/
class Pattern extends @pattern, AstNode { }
class Pattern extends @pattern, AstNode {
/**
* Gets the type of this pattern, if it exists.
*/
Type getType() { pattern_types(this, result) }
}
/**
* INTERNAL: Do not use.

28
swift/ql/lib/codeql/swift/generated/pattern/Pattern.qll сгенерированный
Просмотреть файл

@ -7,6 +7,7 @@
private import codeql.swift.generated.Synth
private import codeql.swift.generated.Raw
import codeql.swift.elements.AstNode
import codeql.swift.elements.type.Type
/**
* INTERNAL: This module contains the fully generated definition of `Pattern` and should not
@ -17,5 +18,30 @@ module Generated {
* INTERNAL: Do not reference the `Generated::Pattern` class directly.
* Use the subclass `Pattern`, where the following predicates are available.
*/
class Pattern extends Synth::TPattern, AstNode { }
class Pattern extends Synth::TPattern, AstNode {
/**
* Gets the type of this pattern, if it exists.
*
* This includes nodes from the "hidden" AST. It can be overridden in subclasses to change the
* behavior of both the `Immediate` and non-`Immediate` versions.
*/
Type getImmediateType() {
result = Synth::convertTypeFromRaw(Synth::convertPatternToRaw(this).(Raw::Pattern).getType())
}
/**
* Gets the type of this pattern, if it exists.
*/
final Type getType() {
exists(Type immediate |
immediate = this.getImmediateType() and
if exists(this.getResolveStep()) then result = immediate else result = immediate.resolve()
)
}
/**
* Holds if `getType()` exists.
*/
final predicate hasType() { exists(this.getType()) }
}
}

14
swift/ql/lib/codeql/swift/security/SensitiveExprs.qll
Просмотреть файл

@ -6,6 +6,8 @@
import swift
import internal.SensitiveDataHeuristics
private import codeql.swift.dataflow.DataFlow
private import codeql.swift.dataflow.ExternalFlow
private newtype TSensitiveDataType =
TCredential() or
@ -172,6 +174,18 @@ class SensitiveExpr extends Expr {
) and
// do not mark as sensitive it if it is probably safe
not label.regexpMatch(regexpProbablySafe())
or
(
// modeled sensitive credential
sourceNode(DataFlow::exprNode(this), "sensitive-credential") and
sensitiveType = TCredential() and
label = "credential"
or
// modeled sensitive private information
sourceNode(DataFlow::exprNode(this), "sensitive-private-info") and
sensitiveType = TPrivateInfo() and
label = "private information"
)
}
/**

6
swift/ql/lib/swift.dbscheme сгенерированный
Просмотреть файл

@ -1706,6 +1706,12 @@ integer_literal_exprs( //dir=expr
| @typed_pattern
;
#keyset[id]
pattern_types( //dir=pattern
int id: @pattern ref,
int type_: @type_or_none ref
);
any_patterns( //dir=pattern
unique int id: @any_pattern
);

2774
swift/ql/lib/upgrades/b83ff9c60c2bb4be2f3d1d4810268c557eb38f19/old.dbscheme Normal file
Просмотреть файл

Разница между файлами не показана из-за своего большого размера Загрузить разницу

2780
swift/ql/lib/upgrades/b83ff9c60c2bb4be2f3d1d4810268c557eb38f19/swift.dbscheme Normal file
Просмотреть файл

Разница между файлами не показана из-за своего большого размера Загрузить разницу

2
swift/ql/lib/upgrades/b83ff9c60c2bb4be2f3d1d4810268c557eb38f19/upgrade.properties Normal file
Просмотреть файл

@ -0,0 +1,2 @@
description: Add types for patterns
compatibility: partial

199
swift/ql/test/extractor-tests/patterns/types.expected Normal file
Просмотреть файл

@ -0,0 +1,199 @@
| patterns.swift:2:9:2:9 | an_int | Int |
| patterns.swift:3:9:3:9 | a_string | String |
| patterns.swift:3:9:3:19 | ... as ... | String |
| patterns.swift:4:9:4:17 | (...) | (Int, Int, Int) |
| patterns.swift:4:10:4:10 | x | Int |
| patterns.swift:4:13:4:13 | y | Int |
| patterns.swift:4:16:4:16 | z | Int |
| patterns.swift:5:9:5:9 | _ | String |
| patterns.swift:6:9:6:11 | (...) | String |
| patterns.swift:6:10:6:10 | _ | String |
| patterns.swift:10:9:10:9 | point | (Int, Int) |
| patterns.swift:12:10:12:21 | let ... | (Int, Int) |
| patterns.swift:12:14:12:21 | (...) | (Int, Int) |
| patterns.swift:12:15:12:15 | xx | Int |
| patterns.swift:12:19:12:19 | yy | Int |
| patterns.swift:16:10:16:14 | =~ ... | Int |
| patterns.swift:17:10:17:10 | _ | Int |
| patterns.swift:24:9:24:9 | v | Foo |
| patterns.swift:24:9:24:12 | ... as ... | Foo |
| patterns.swift:27:10:27:11 | .bar | Foo |
| patterns.swift:28:10:28:23 | let ... | Foo |
| patterns.swift:28:14:28:23 | .baz(...) | Foo |
| patterns.swift:28:18:28:23 | (...) | (Int, String) |
| patterns.swift:28:19:28:19 | i | Int |
| patterns.swift:28:22:28:22 | s | String |
| patterns.swift:31:9:31:9 | w | Int? |
| patterns.swift:31:9:31:15 | ... as ... | Int? |
| patterns.swift:34:10:34:15 | let ... | Int? |
| patterns.swift:34:14:34:14 | n | Int |
| patterns.swift:34:14:34:15 | let ...? | Int? |
| patterns.swift:35:10:35:10 | _ | Int? |
| patterns.swift:38:9:38:9 | a | Any |
| patterns.swift:38:9:38:12 | ... as ... | Any |
| patterns.swift:41:10:41:13 | ... is ... | Any |
| patterns.swift:42:10:42:19 | let ... | Any |
| patterns.swift:42:14:42:14 | x | String |
| patterns.swift:42:14:42:19 | ... is ... | Any |
| patterns.swift:43:10:43:10 | _ | Any |
| patterns.swift:46:9:46:9 | b | Bool |
| patterns.swift:49:10:49:10 | true | Bool |
| patterns.swift:50:10:50:10 | false | Bool |
| patterns.swift:55:9:55:9 | a | Int |
| patterns.swift:55:16:55:16 | b | Int |
| patterns.swift:55:23:55:23 | c | Int |
| patterns.swift:55:23:55:26 | ... as ... | Int |
| patterns.swift:57:8:57:20 | let ... | (Int, Int, Int) |
| patterns.swift:57:8:57:20 | let ...? | (Int, Int, Int)? |
| patterns.swift:57:12:57:20 | (...) | (Int, Int, Int) |
| patterns.swift:57:13:57:13 | a | Int |
| patterns.swift:57:16:57:16 | b | Int |
| patterns.swift:57:19:57:19 | c | Int |
| patterns.swift:58:13:58:29 | (...) | (Int, Int, Int) |
| patterns.swift:58:14:58:14 | =~ ... | Int |
| patterns.swift:58:17:58:21 | let ... | Int |
| patterns.swift:58:21:58:21 | b | Int |
| patterns.swift:58:24:58:28 | let ... | Int |
| patterns.swift:58:28:58:28 | c | Int |
| patterns.swift:61:14:61:14 | =~ ... | Int |
| patterns.swift:62:14:62:18 | let ... | Int |
| patterns.swift:62:18:62:18 | c | Int |
| patterns.swift:63:9:63:9 | _ | Int |
| patterns.swift:78:9:78:9 | a | MyEnum |
| patterns.swift:78:9:78:13 | ... as ... | MyEnum |
| patterns.swift:81:10:81:11 | .myNone | MyEnum |
| patterns.swift:83:10:83:25 | .mySingle(...) | MyEnum |
| patterns.swift:83:19:83:25 | (...) | (Int) |
| patterns.swift:83:20:83:24 | let ... | (Int) |
| patterns.swift:83:24:83:24 | a | (Int) |
| patterns.swift:85:10:85:30 | .myPair(...) | MyEnum |
| patterns.swift:85:17:85:30 | (...) | (Int, Int) |
| patterns.swift:85:18:85:22 | let ... | Int |
| patterns.swift:85:22:85:22 | a | Int |
| patterns.swift:85:25:85:29 | let ... | Int |
| patterns.swift:85:29:85:29 | b | Int |
| patterns.swift:88:10:88:26 | let ... | MyEnum |
| patterns.swift:88:14:88:26 | .myCons(...) | MyEnum |
| patterns.swift:88:21:88:26 | (...) | (Int, MyEnum) |
| patterns.swift:88:22:88:22 | a | Int |
| patterns.swift:88:25:88:25 | _ | MyEnum |
| patterns.swift:92:13:92:28 | .mySingle(...) | MyEnum |
| patterns.swift:92:22:92:28 | (...) | (Int) |
| patterns.swift:92:23:92:27 | let ... | (Int) |
| patterns.swift:92:27:92:27 | x | (Int) |
| patterns.swift:95:13:95:33 | .myPair(...) | MyEnum |
| patterns.swift:95:20:95:33 | (...) | (Int, Int) |
| patterns.swift:95:21:95:25 | let ... | Int |
| patterns.swift:95:25:95:25 | x | Int |
| patterns.swift:95:28:95:32 | let ... | Int |
| patterns.swift:95:32:95:32 | y | Int |
| patterns.swift:103:10:103:11 | .myNone | MyEnum |
| patterns.swift:105:10:105:25 | .mySingle(...) | MyEnum |
| patterns.swift:105:19:105:25 | (...) | (Int) |
| patterns.swift:105:20:105:24 | let ... | (Int) |
| patterns.swift:105:24:105:24 | a | (Int) |
| patterns.swift:107:10:107:30 | .myPair(...) | MyEnum |
| patterns.swift:107:17:107:30 | (...) | (Int, Int) |
| patterns.swift:107:18:107:22 | let ... | Int |
| patterns.swift:107:22:107:22 | a | Int |
| patterns.swift:107:25:107:29 | let ... | Int |
| patterns.swift:107:29:107:29 | b | Int |
| patterns.swift:110:10:110:26 | let ... | MyEnum |
| patterns.swift:110:14:110:26 | .myCons(...) | MyEnum |
| patterns.swift:110:21:110:26 | (...) | (Int, MyEnum) |
| patterns.swift:110:22:110:22 | a | Int |
| patterns.swift:110:25:110:25 | _ | MyEnum |
| patterns.swift:114:13:114:28 | .mySingle(...) | MyEnum |
| patterns.swift:114:22:114:28 | (...) | (Int) |
| patterns.swift:114:23:114:27 | let ... | (Int) |
| patterns.swift:114:27:114:27 | x | (Int) |
| patterns.swift:117:13:117:33 | .myPair(...) | MyEnum |
| patterns.swift:117:20:117:33 | (...) | (Int, Int) |
| patterns.swift:117:21:117:25 | let ... | Int |
| patterns.swift:117:25:117:25 | x | Int |
| patterns.swift:117:28:117:32 | let ... | Int |
| patterns.swift:117:32:117:32 | y | Int |
| patterns.swift:125:10:125:11 | .myNone | MyEnum |
| patterns.swift:127:10:127:25 | .mySingle(...) | MyEnum |
| patterns.swift:127:19:127:25 | (...) | (Int) |
| patterns.swift:127:20:127:24 | let ... | (Int) |
| patterns.swift:127:24:127:24 | a | (Int) |
| patterns.swift:129:10:129:30 | .myPair(...) | MyEnum |
| patterns.swift:129:17:129:30 | (...) | (Int, Int) |
| patterns.swift:129:18:129:22 | let ... | Int |
| patterns.swift:129:22:129:22 | a | Int |
| patterns.swift:129:25:129:29 | let ... | Int |
| patterns.swift:129:29:129:29 | b | Int |
| patterns.swift:132:10:132:26 | let ... | MyEnum |
| patterns.swift:132:14:132:26 | .myCons(...) | MyEnum |
| patterns.swift:132:21:132:26 | (...) | (Int, MyEnum) |
| patterns.swift:132:22:132:22 | a | Int |
| patterns.swift:132:25:132:25 | _ | MyEnum |
| patterns.swift:136:13:136:28 | .mySingle(...) | MyEnum |
| patterns.swift:136:22:136:28 | (...) | (Int) |
| patterns.swift:136:23:136:27 | let ... | (Int) |
| patterns.swift:136:27:136:27 | x | (Int) |
| patterns.swift:139:13:139:33 | .myPair(...) | MyEnum |
| patterns.swift:139:20:139:33 | (...) | (Int, Int) |
| patterns.swift:139:21:139:25 | let ... | Int |
| patterns.swift:139:25:139:25 | x | Int |
| patterns.swift:139:28:139:32 | let ... | Int |
| patterns.swift:139:32:139:32 | y | Int |
| patterns.swift:144:9:144:9 | b | MyEnum |
| patterns.swift:144:9:144:12 | ... as ... | MyEnum |
| patterns.swift:147:10:147:11 | .myNone | MyEnum |
| patterns.swift:149:10:149:25 | .mySingle(...) | MyEnum |
| patterns.swift:149:19:149:25 | (...) | (Int) |
| patterns.swift:149:20:149:24 | let ... | (Int) |
| patterns.swift:149:24:149:24 | a | (Int) |
| patterns.swift:151:10:151:30 | .myPair(...) | MyEnum |
| patterns.swift:151:17:151:30 | (...) | (Int, Int) |
| patterns.swift:151:18:151:22 | let ... | Int |
| patterns.swift:151:22:151:22 | a | Int |
| patterns.swift:151:25:151:29 | let ... | Int |
| patterns.swift:151:29:151:29 | b | Int |
| patterns.swift:154:10:154:38 | let ... | MyEnum |
| patterns.swift:154:14:154:38 | .myCons(...) | MyEnum |
| patterns.swift:154:21:154:38 | (...) | (Int, MyEnum) |
| patterns.swift:154:22:154:22 | a | Int |
| patterns.swift:154:25:154:37 | .myPair(...) | MyEnum |
| patterns.swift:154:32:154:37 | (...) | (Int, Int) |
| patterns.swift:154:33:154:33 | b | Int |
| patterns.swift:154:36:154:36 | c | Int |
| patterns.swift:158:10:158:26 | let ... | MyEnum |
| patterns.swift:158:14:158:26 | .myCons(...) | MyEnum |
| patterns.swift:158:21:158:26 | (...) | (Int, MyEnum) |
| patterns.swift:158:22:158:22 | a | Int |
| patterns.swift:158:25:158:25 | _ | MyEnum |
| patterns.swift:162:13:162:28 | .mySingle(...) | MyEnum |
| patterns.swift:162:22:162:28 | (...) | (Int) |
| patterns.swift:162:23:162:27 | let ... | (Int) |
| patterns.swift:162:27:162:27 | x | (Int) |
| patterns.swift:165:13:165:39 | .myPair(...) | MyEnum |
| patterns.swift:165:26:165:39 | (...) | (Int, Int) |
| patterns.swift:165:27:165:31 | let ... | Int |
| patterns.swift:165:31:165:31 | x | Int |
| patterns.swift:165:34:165:38 | let ... | Int |
| patterns.swift:165:38:165:38 | y | Int |
| patterns.swift:169:13:169:41 | let ... | MyEnum |
| patterns.swift:169:17:169:41 | .myCons(...) | MyEnum |
| patterns.swift:169:24:169:41 | (...) | (Int, MyEnum) |
| patterns.swift:169:25:169:25 | _ | Int |
| patterns.swift:169:28:169:40 | .myPair(...) | MyEnum |
| patterns.swift:169:35:169:40 | (...) | (Int, Int) |
| patterns.swift:169:36:169:36 | _ | Int |
| patterns.swift:169:39:169:39 | c | Int |
| patterns.swift:174:10:174:55 | let ... | (MyEnum, MyEnum) |
| patterns.swift:174:14:174:55 | (...) | (MyEnum, MyEnum) |
| patterns.swift:174:15:174:27 | .myPair(...) | MyEnum |
| patterns.swift:174:22:174:27 | (...) | (Int, Int) |
| patterns.swift:174:23:174:23 | a | Int |
| patterns.swift:174:26:174:26 | b | Int |
| patterns.swift:174:30:174:54 | .myCons(...) | MyEnum |
| patterns.swift:174:37:174:54 | (...) | (Int, MyEnum) |
| patterns.swift:174:38:174:38 | c | Int |
| patterns.swift:174:41:174:53 | .myPair(...) | MyEnum |
| patterns.swift:174:48:174:53 | (...) | (Int, Int) |
| patterns.swift:174:49:174:49 | d | Int |
| patterns.swift:174:52:174:52 | e | Int |
| patterns.swift:180:5:180:5 | _ | (MyEnum, MyEnum) |

7
swift/ql/test/extractor-tests/patterns/types.ql Normal file
Просмотреть файл

@ -0,0 +1,7 @@
import codeql.swift.elements
from Pattern p, string s
where
p.getFile().getBaseName() = "patterns.swift" and
if exists(p.getType()) then s = p.getType().toString() else s = "(none)"
select p, s

4
swift/ql/test/query-tests/Security/CWE-311/CleartextStorageDatabase.expected
Просмотреть файл

@ -555,6 +555,8 @@ nodes
| testCoreData.swift:95:15:95:15 | x | semmle.label | x |
| testCoreData.swift:96:15:96:15 | y | semmle.label | y |
| testCoreData.swift:97:15:97:15 | z | semmle.label | z |
| testCoreData.swift:128:15:128:33 | call to generateSecretKey() | semmle.label | call to generateSecretKey() |
| testCoreData.swift:129:15:129:30 | call to getCertificate() | semmle.label | call to getCertificate() |
| testGRDB.swift:73:56:73:65 | [...] | semmle.label | [...] |
| testGRDB.swift:73:56:73:65 | [...] [Collection element] | semmle.label | [...] [Collection element] |
| testGRDB.swift:73:57:73:57 | password | semmle.label | password |
@ -825,6 +827,8 @@ subpaths
| testCoreData.swift:95:15:95:15 | x | testCoreData.swift:91:10:91:10 | passwd | testCoreData.swift:95:15:95:15 | x | This operation stores 'x' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:91:10:91:10 | passwd | passwd |
| testCoreData.swift:96:15:96:15 | y | testCoreData.swift:92:10:92:10 | passwd | testCoreData.swift:96:15:96:15 | y | This operation stores 'y' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:92:10:92:10 | passwd | passwd |
| testCoreData.swift:97:15:97:15 | z | testCoreData.swift:93:10:93:10 | passwd | testCoreData.swift:97:15:97:15 | z | This operation stores 'z' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:93:10:93:10 | passwd | passwd |
| testCoreData.swift:128:15:128:33 | call to generateSecretKey() | testCoreData.swift:128:15:128:33 | call to generateSecretKey() | testCoreData.swift:128:15:128:33 | call to generateSecretKey() | This operation stores 'call to generateSecretKey()' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:128:15:128:33 | call to generateSecretKey() | call to generateSecretKey() |
| testCoreData.swift:129:15:129:30 | call to getCertificate() | testCoreData.swift:129:15:129:30 | call to getCertificate() | testCoreData.swift:129:15:129:30 | call to getCertificate() | This operation stores 'call to getCertificate()' in a database. It may contain unencrypted sensitive data from $@. | testCoreData.swift:129:15:129:30 | call to getCertificate() | call to getCertificate() |
| testGRDB.swift:73:56:73:65 | [...] | testGRDB.swift:73:57:73:57 | password | testGRDB.swift:73:56:73:65 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:73:57:73:57 | password | password |
| testGRDB.swift:76:42:76:51 | [...] | testGRDB.swift:76:43:76:43 | password | testGRDB.swift:76:42:76:51 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:76:43:76:43 | password | password |
| testGRDB.swift:81:44:81:53 | [...] | testGRDB.swift:81:45:81:45 | password | testGRDB.swift:81:44:81:53 | [...] | This operation stores '[...]' in a database. It may contain unencrypted sensitive data from $@. | testGRDB.swift:81:45:81:45 | password | password |

76
swift/ql/test/query-tests/Security/CWE-311/CleartextTransmission.expected
Просмотреть файл

@ -14,12 +14,20 @@ edges
| testSend.swift:86:7:86:7 | self | file://:0:0:0:0 | self |
| testSend.swift:94:27:94:30 | .password | testSend.swift:86:7:86:7 | self |
| testSend.swift:94:27:94:30 | .password | testSend.swift:94:27:94:39 | .value |
| testURL.swift:17:54:17:54 | passwd | testURL.swift:17:22:17:54 | ... .+(_:_:) ... |
| testURL.swift:19:55:19:55 | account_no | testURL.swift:19:22:19:55 | ... .+(_:_:) ... |
| testURL.swift:20:55:20:55 | credit_card_no | testURL.swift:20:22:20:55 | ... .+(_:_:) ... |
| testURL.swift:28:55:28:55 | e_mail | testURL.swift:28:22:28:55 | ... .+(_:_:) ... |
| testURL.swift:30:57:30:57 | a_homeaddr_z | testURL.swift:30:22:30:57 | ... .+(_:_:) ... |
| testURL.swift:32:55:32:55 | resident_ID | testURL.swift:32:22:32:55 | ... .+(_:_:) ... |
| testURL.swift:39:50:39:50 | passwd | testURL.swift:39:18:39:50 | ... .+(_:_:) ... |
| testURL.swift:41:51:41:51 | account_no | testURL.swift:41:18:41:51 | ... .+(_:_:) ... |
| testURL.swift:42:51:42:51 | credit_card_no | testURL.swift:42:18:42:51 | ... .+(_:_:) ... |
| testURL.swift:50:51:50:51 | e_mail | testURL.swift:50:18:50:51 | ... .+(_:_:) ... |
| testURL.swift:52:53:52:53 | a_homeaddr_z | testURL.swift:52:18:52:53 | ... .+(_:_:) ... |
| testURL.swift:54:51:54:51 | resident_ID | testURL.swift:54:18:54:51 | ... .+(_:_:) ... |
| testURL.swift:73:52:73:67 | call to get_secret_key() | testURL.swift:73:18:73:67 | ... .+(_:_:) ... |
| testURL.swift:75:53:75:69 | call to get_cert_string() | testURL.swift:75:18:75:69 | ... .+(_:_:) ... |
| testURL.swift:96:51:96:51 | certificate | testURL.swift:96:18:96:18 | "..." |
| testURL.swift:104:16:104:57 | call to SecKeyCopyExternalRepresentation(_:_:) | testURL.swift:105:32:105:32 | data |
| testURL.swift:105:6:105:10 | let ...? [some:0] | testURL.swift:105:10:105:10 | string |
| testURL.swift:105:10:105:10 | string | testURL.swift:106:20:106:20 | "..." |
| testURL.swift:105:19:105:53 | call to String.init(data:encoding:) [some:0] | testURL.swift:105:6:105:10 | let ...? [some:0] |
| testURL.swift:105:32:105:32 | data | testURL.swift:105:19:105:53 | call to String.init(data:encoding:) [some:0] |
nodes
| file://:0:0:0:0 | .value | semmle.label | .value |
| file://:0:0:0:0 | self | semmle.label | self |
@ -52,19 +60,31 @@ nodes
| testSend.swift:86:7:86:7 | self | semmle.label | self |
| testSend.swift:94:27:94:30 | .password | semmle.label | .password |
| testSend.swift:94:27:94:39 | .value | semmle.label | .value |
| testURL.swift:17:22:17:54 | ... .+(_:_:) ... | semmle.label | ... .+(_:_:) ... |
| testURL.swift:17:54:17:54 | passwd | semmle.label | passwd |
| testURL.swift:19:22:19:55 | ... .+(_:_:) ... | semmle.label | ... .+(_:_:) ... |
| testURL.swift:19:55:19:55 | account_no | semmle.label | account_no |
| testURL.swift:20:22:20:55 | ... .+(_:_:) ... | semmle.label | ... .+(_:_:) ... |
| testURL.swift:20:55:20:55 | credit_card_no | semmle.label | credit_card_no |
| testURL.swift:24:22:24:22 | passwd | semmle.label | passwd |
| testURL.swift:28:22:28:55 | ... .+(_:_:) ... | semmle.label | ... .+(_:_:) ... |
| testURL.swift:28:55:28:55 | e_mail | semmle.label | e_mail |
| testURL.swift:30:22:30:57 | ... .+(_:_:) ... | semmle.label | ... .+(_:_:) ... |
| testURL.swift:30:57:30:57 | a_homeaddr_z | semmle.label | a_homeaddr_z |
| testURL.swift:32:22:32:55 | ... .+(_:_:) ... | semmle.label | ... .+(_:_:) ... |
| testURL.swift:32:55:32:55 | resident_ID | semmle.label | resident_ID |
| testURL.swift:39:18:39:50 | ... .+(_:_:) ... | semmle.label | ... .+(_:_:) ... |
| testURL.swift:39:50:39:50 | passwd | semmle.label | passwd |
| testURL.swift:41:18:41:51 | ... .+(_:_:) ... | semmle.label | ... .+(_:_:) ... |
| testURL.swift:41:51:41:51 | account_no | semmle.label | account_no |
| testURL.swift:42:18:42:51 | ... .+(_:_:) ... | semmle.label | ... .+(_:_:) ... |
| testURL.swift:42:51:42:51 | credit_card_no | semmle.label | credit_card_no |
| testURL.swift:46:22:46:22 | passwd | semmle.label | passwd |
| testURL.swift:50:18:50:51 | ... .+(_:_:) ... | semmle.label | ... .+(_:_:) ... |
| testURL.swift:50:51:50:51 | e_mail | semmle.label | e_mail |
| testURL.swift:52:18:52:53 | ... .+(_:_:) ... | semmle.label | ... .+(_:_:) ... |
| testURL.swift:52:53:52:53 | a_homeaddr_z | semmle.label | a_homeaddr_z |
| testURL.swift:54:18:54:51 | ... .+(_:_:) ... | semmle.label | ... .+(_:_:) ... |
| testURL.swift:54:51:54:51 | resident_ID | semmle.label | resident_ID |
| testURL.swift:73:18:73:67 | ... .+(_:_:) ... | semmle.label | ... .+(_:_:) ... |
| testURL.swift:73:52:73:67 | call to get_secret_key() | semmle.label | call to get_secret_key() |
| testURL.swift:75:18:75:69 | ... .+(_:_:) ... | semmle.label | ... .+(_:_:) ... |
| testURL.swift:75:53:75:69 | call to get_cert_string() | semmle.label | call to get_cert_string() |
| testURL.swift:96:18:96:18 | "..." | semmle.label | "..." |
| testURL.swift:96:51:96:51 | certificate | semmle.label | certificate |
| testURL.swift:104:16:104:57 | call to SecKeyCopyExternalRepresentation(_:_:) | semmle.label | call to SecKeyCopyExternalRepresentation(_:_:) |
| testURL.swift:105:6:105:10 | let ...? [some:0] | semmle.label | let ...? [some:0] |
| testURL.swift:105:10:105:10 | string | semmle.label | string |
| testURL.swift:105:19:105:53 | call to String.init(data:encoding:) [some:0] | semmle.label | call to String.init(data:encoding:) [some:0] |
| testURL.swift:105:32:105:32 | data | semmle.label | data |
| testURL.swift:106:20:106:20 | "..." | semmle.label | "..." |
subpaths
| testSend.swift:60:17:60:17 | password | testSend.swift:41:10:41:18 | data | testSend.swift:41:45:41:45 | data | testSend.swift:60:13:60:25 | call to pad(_:) |
| testSend.swift:94:27:94:30 | .password | testSend.swift:86:7:86:7 | self | file://:0:0:0:0 | .value | testSend.swift:94:27:94:39 | .value |
@ -85,10 +105,14 @@ subpaths
| testSend.swift:79:27:79:30 | .BankCardNo | testSend.swift:79:27:79:30 | .BankCardNo | testSend.swift:79:27:79:30 | .BankCardNo | This operation transmits '.BankCardNo', which may contain unencrypted sensitive data from $@. | testSend.swift:79:27:79:30 | .BankCardNo | .BankCardNo |
| testSend.swift:80:27:80:30 | .MyCreditRating | testSend.swift:80:27:80:30 | .MyCreditRating | testSend.swift:80:27:80:30 | .MyCreditRating | This operation transmits '.MyCreditRating', which may contain unencrypted sensitive data from $@. | testSend.swift:80:27:80:30 | .MyCreditRating | .MyCreditRating |
| testSend.swift:94:27:94:39 | .value | testSend.swift:94:27:94:30 | .password | testSend.swift:94:27:94:39 | .value | This operation transmits '.value', which may contain unencrypted sensitive data from $@. | testSend.swift:94:27:94:30 | .password | .password |
| testURL.swift:17:22:17:54 | ... .+(_:_:) ... | testURL.swift:17:54:17:54 | passwd | testURL.swift:17:22:17:54 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:17:54:17:54 | passwd | passwd |
| testURL.swift:19:22:19:55 | ... .+(_:_:) ... | testURL.swift:19:55:19:55 | account_no | testURL.swift:19:22:19:55 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:19:55:19:55 | account_no | account_no |
| testURL.swift:20:22:20:55 | ... .+(_:_:) ... | testURL.swift:20:55:20:55 | credit_card_no | testURL.swift:20:22:20:55 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:20:55:20:55 | credit_card_no | credit_card_no |
| testURL.swift:24:22:24:22 | passwd | testURL.swift:24:22:24:22 | passwd | testURL.swift:24:22:24:22 | passwd | This operation transmits 'passwd', which may contain unencrypted sensitive data from $@. | testURL.swift:24:22:24:22 | passwd | passwd |
| testURL.swift:28:22:28:55 | ... .+(_:_:) ... | testURL.swift:28:55:28:55 | e_mail | testURL.swift:28:22:28:55 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:28:55:28:55 | e_mail | e_mail |
| testURL.swift:30:22:30:57 | ... .+(_:_:) ... | testURL.swift:30:57:30:57 | a_homeaddr_z | testURL.swift:30:22:30:57 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:30:57:30:57 | a_homeaddr_z | a_homeaddr_z |
| testURL.swift:32:22:32:55 | ... .+(_:_:) ... | testURL.swift:32:55:32:55 | resident_ID | testURL.swift:32:22:32:55 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:32:55:32:55 | resident_ID | resident_ID |
| testURL.swift:39:18:39:50 | ... .+(_:_:) ... | testURL.swift:39:50:39:50 | passwd | testURL.swift:39:18:39:50 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:39:50:39:50 | passwd | passwd |
| testURL.swift:41:18:41:51 | ... .+(_:_:) ... | testURL.swift:41:51:41:51 | account_no | testURL.swift:41:18:41:51 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:41:51:41:51 | account_no | account_no |
| testURL.swift:42:18:42:51 | ... .+(_:_:) ... | testURL.swift:42:51:42:51 | credit_card_no | testURL.swift:42:18:42:51 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:42:51:42:51 | credit_card_no | credit_card_no |
| testURL.swift:46:22:46:22 | passwd | testURL.swift:46:22:46:22 | passwd | testURL.swift:46:22:46:22 | passwd | This operation transmits 'passwd', which may contain unencrypted sensitive data from $@. | testURL.swift:46:22:46:22 | passwd | passwd |
| testURL.swift:50:18:50:51 | ... .+(_:_:) ... | testURL.swift:50:51:50:51 | e_mail | testURL.swift:50:18:50:51 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:50:51:50:51 | e_mail | e_mail |
| testURL.swift:52:18:52:53 | ... .+(_:_:) ... | testURL.swift:52:53:52:53 | a_homeaddr_z | testURL.swift:52:18:52:53 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:52:53:52:53 | a_homeaddr_z | a_homeaddr_z |
| testURL.swift:54:18:54:51 | ... .+(_:_:) ... | testURL.swift:54:51:54:51 | resident_ID | testURL.swift:54:18:54:51 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:54:51:54:51 | resident_ID | resident_ID |
| testURL.swift:73:18:73:67 | ... .+(_:_:) ... | testURL.swift:73:52:73:67 | call to get_secret_key() | testURL.swift:73:18:73:67 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:73:52:73:67 | call to get_secret_key() | call to get_secret_key() |
| testURL.swift:75:18:75:69 | ... .+(_:_:) ... | testURL.swift:75:53:75:69 | call to get_cert_string() | testURL.swift:75:18:75:69 | ... .+(_:_:) ... | This operation transmits '... .+(_:_:) ...', which may contain unencrypted sensitive data from $@. | testURL.swift:75:53:75:69 | call to get_cert_string() | call to get_cert_string() |
| testURL.swift:96:18:96:18 | "..." | testURL.swift:96:51:96:51 | certificate | testURL.swift:96:18:96:18 | "..." | This operation transmits '"..."', which may contain unencrypted sensitive data from $@. | testURL.swift:96:51:96:51 | certificate | certificate |
| testURL.swift:106:20:106:20 | "..." | testURL.swift:104:16:104:57 | call to SecKeyCopyExternalRepresentation(_:_:) | testURL.swift:106:20:106:20 | "..." | This operation transmits '"..."', which may contain unencrypted sensitive data from $@. | testURL.swift:104:16:104:57 | call to SecKeyCopyExternalRepresentation(_:_:) | call to SecKeyCopyExternalRepresentation(_:_:) |

20
swift/ql/test/query-tests/Security/CWE-311/SensitiveExprs.expected
Просмотреть файл

@ -87,6 +87,8 @@
| testCoreData.swift:91:10:91:10 | passwd | label:passwd, type:credential |
| testCoreData.swift:92:10:92:10 | passwd | label:passwd, type:credential |
| testCoreData.swift:93:10:93:10 | passwd | label:passwd, type:credential |
| testCoreData.swift:128:15:128:33 | call to generateSecretKey() | label:generateSecretKey, type:credential |
| testCoreData.swift:129:15:129:30 | call to getCertificate() | label:getCertificate, type:credential |
| testGRDB.swift:73:57:73:57 | password | label:password, type:credential |
| testGRDB.swift:76:43:76:43 | password | label:password, type:credential |
| testGRDB.swift:81:45:81:45 | password | label:password, type:credential |
@ -163,10 +165,14 @@
| testSend.swift:79:27:79:30 | .BankCardNo | label:BankCardNo, type:private information |
| testSend.swift:80:27:80:30 | .MyCreditRating | label:MyCreditRating, type:private information |
| testSend.swift:94:27:94:30 | .password | label:password, type:credential |
| testURL.swift:17:54:17:54 | passwd | label:passwd, type:credential |
| testURL.swift:19:55:19:55 | account_no | label:account_no, type:private information |
| testURL.swift:20:55:20:55 | credit_card_no | label:credit_card_no, type:private information |
| testURL.swift:24:22:24:22 | passwd | label:passwd, type:credential |
| testURL.swift:28:55:28:55 | e_mail | label:e_mail, type:private information |
| testURL.swift:30:57:30:57 | a_homeaddr_z | label:a_homeaddr_z, type:private information |
| testURL.swift:32:55:32:55 | resident_ID | label:resident_ID, type:private information |
| testURL.swift:39:50:39:50 | passwd | label:passwd, type:credential |
| testURL.swift:41:51:41:51 | account_no | label:account_no, type:private information |
| testURL.swift:42:51:42:51 | credit_card_no | label:credit_card_no, type:private information |
| testURL.swift:46:22:46:22 | passwd | label:passwd, type:credential |
| testURL.swift:50:51:50:51 | e_mail | label:e_mail, type:private information |
| testURL.swift:52:53:52:53 | a_homeaddr_z | label:a_homeaddr_z, type:private information |
| testURL.swift:54:51:54:51 | resident_ID | label:resident_ID, type:private information |
| testURL.swift:73:52:73:67 | call to get_secret_key() | label:get_secret_key, type:credential |
| testURL.swift:75:53:75:69 | call to get_cert_string() | label:get_cert_string, type:credential |
| testURL.swift:96:51:96:51 | certificate | label:certificate, type:credential |
| testURL.swift:104:16:104:57 | call to SecKeyCopyExternalRepresentation(_:_:) | label:credential, type:credential |

37
swift/ql/test/query-tests/Security/CWE-311/testCoreData.swift
Просмотреть файл

@ -77,10 +77,10 @@ func test3(obj : NSManagedObject, x : String) {
doSomething(password: x);
obj.setValue(x, forKey: "myKey") // BAD
var y = getPassword();
let y = getPassword();
obj.setValue(y, forKey: "myKey") // BAD
var z = MyClass()
let z = MyClass()
obj.setValue(z.harmless, forKey: "myKey") // GOOD (not sensitive)
obj.setValue(z.password, forKey: "myKey") // BAD
}
@ -104,3 +104,36 @@ func test4(obj : NSManagedObject, passwd : String) {
obj.setValue(y, forKey: "myKey") // GOOD (not sensitive)
obj.setValue(z, forKey: "myKey") // GOOD (not sensitive)
}
func createSecureKey() -> String { return "" }
func generateSecretKey() -> String { return "" }
func getCertificate() -> String { return "" }
class KeyGen {
func generate() -> String { return "" }
}
class KeyManager {
func generateKey() -> String { return "" }
}
class SecureKeyStore {
func getEncryptionKey() -> String { return "" }
}
func test5(obj : NSManagedObject) {
// more variants...
obj.setValue(createSecureKey(), forKey: "myKey") // BAD [NOT DETECTED]
obj.setValue(generateSecretKey(), forKey: "myKey") // BAD
obj.setValue(getCertificate(), forKey: "myKey") // BAD
let gen = KeyGen()
let v = gen.generate()
obj.setValue(KeyGen().generate(), forKey: "myKey") // BAD [NOT DETECTED]
obj.setValue(gen.generate(), forKey: "myKey") // BAD [NOT DETECTED]
obj.setValue(v, forKey: "myKey") // BAD [NOT DETECTED]
obj.setValue(KeyManager().generateKey(), forKey: "myKey") // BAD [NOT DETECTED]
obj.setValue(SecureKeyStore().getEncryptionKey(), forKey: "myKey") // BAD [NOT DETECTED]
}

98
swift/ql/test/query-tests/Security/CWE-311/testURL.swift
Просмотреть файл

@ -7,6 +7,28 @@ struct URL
init?(string: String, relativeTo: URL?) {}
}
class Data {
}
extension String {
struct Encoding {
static let utf8 = Encoding()
}
init?(data: Data, encoding: Encoding) { self.init() }
}
class SecKey {
}
class CFData {
}
class CFError {
}
func SecKeyCopyExternalRepresentation(_ key: SecKey, _ error: UnsafeMutablePointer<Unmanaged<CFError>?>?) -> CFData? { return nil }
// --- tests ---
var myString = ""
@ -14,20 +36,74 @@ func setMyString(str: String) { myString = str }
func getMyString() -> String { return myString }
func test1(passwd : String, encrypted_passwd : String, account_no : String, credit_card_no : String) {
let a = URL(string: "http://example.com/login?p=" + passwd); // BAD
let b = URL(string: "http://example.com/login?p=" + encrypted_passwd); // GOOD (not sensitive)
let c = URL(string: "http://example.com/login?ac=" + account_no); // BAD
let d = URL(string: "http://example.com/login?cc=" + credit_card_no); // BAD
_ = URL(string: "http://example.com/login?p=" + passwd); // BAD
_ = URL(string: "http://example.com/login?p=" + encrypted_passwd); // GOOD (not sensitive)
_ = URL(string: "http://example.com/login?ac=" + account_no); // BAD
_ = URL(string: "http://example.com/login?cc=" + credit_card_no); // BAD
let base = URL(string: "http://example.com/"); // GOOD (not sensitive)
let e = URL(string: "abc", relativeTo: base); // GOOD (not sensitive)
_ = URL(string: "abc", relativeTo: base); // GOOD (not sensitive)
let f = URL(string: passwd, relativeTo: base); // BAD
let g = URL(string: "abc", relativeTo: f); // BAD (reported on line above)
_ = URL(string: "abc", relativeTo: f); // BAD (reported on line above)
let e_mail = myString
let h = URL(string: "http://example.com/login?em=" + e_mail); // BAD
var a_homeaddr_z = getMyString()
let i = URL(string: "http://example.com/login?home=" + a_homeaddr_z); // BAD
var resident_ID = getMyString()
let j = URL(string: "http://example.com/login?id=" + resident_ID); // BAD
_ = URL(string: "http://example.com/login?em=" + e_mail); // BAD
let a_homeaddr_z = getMyString()
_ = URL(string: "http://example.com/login?home=" + a_homeaddr_z); // BAD
let resident_ID = getMyString()
_ = URL(string: "http://example.com/login?id=" + resident_ID); // BAD
}
func get_private_key() -> String { return "" }
func get_aes_key() -> String { return "" }
func get_aws_key() -> String { return "" }
func get_access_key() -> String { return "" }
func get_secret_key() -> String { return "" }
func get_key_press() -> String { return "" }
func get_cert_string() -> String { return "" }
func get_certain() -> String { return "" }
func test2() {
// more variants...
_ = URL(string: "http://example.com/login?key=" + get_private_key()); // BAD [NOT DETECTED]
_ = URL(string: "http://example.com/login?key=" + get_aes_key()); // BAD [NOT DETECTED]
_ = URL(string: "http://example.com/login?key=" + get_aws_key()); // BAD [NOT DETECTED]
_ = URL(string: "http://example.com/login?key=" + get_access_key()); // BAD [NOT DETECTED]
_ = URL(string: "http://example.com/login?key=" + get_secret_key()); // BAD
_ = URL(string: "http://example.com/login?key=" + get_key_press()); // GOOD (not sensitive)
_ = URL(string: "http://example.com/login?cert=" + get_cert_string()); // BAD
_ = URL(string: "http://example.com/login?certain=" + get_certain()); // GOOD (not sensitive)
}
func get_string() -> String { return "" }
func test3() {
// more variants...
let priv_key = get_string()
let private_key = get_string()
let pub_key = get_string()
let certificate = get_string()
let secure_token = get_string()
let access_token = get_string()
let auth_token = get_string()
let next_token = get_string()
_ = URL(string: "http://example.com/login?key=\(priv_key)"); // BAD [NOT DETECTED]
_ = URL(string: "http://example.com/login?key=\(private_key)"); // BAD [NOT DETECTED]
_ = URL(string: "http://example.com/login?key=\(pub_key)"); // GOOD (not sensitive)
_ = URL(string: "http://example.com/login?cert=\(certificate)"); // BAD
_ = URL(string: "http://example.com/login?tok=\(secure_token)"); // BAD [NOT DETECTED]
_ = URL(string: "http://example.com/login?tok=\(access_token)"); // BAD [NOT DETECTED]
_ = URL(string: "http://example.com/login?tok=\(auth_token)"); // BAD [NOT DETECTED]
_ = URL(string: "http://example.com/login?tok=\(next_token)"); // GOOD (not sensitive)
}
func test4(key: SecKey) {
if let data = SecKeyCopyExternalRepresentation(key, nil) as? Data {
if let string = String(data: data, encoding: .utf8) {
_ = URL(string: "http://example.com/login?tok=\(string)"); // BAD
}
}
}

2
swift/schema.py
Просмотреть файл

@ -103,7 +103,7 @@ class Expr(AstNode):
@group("pattern")
@ql.hideable
class Pattern(AstNode):
pass
type: optional[Type]
@group("stmt")
class Stmt(AstNode):