зеркало из https://github.com/github/codeql.git
C#: Update CIL data flow tests
This commit is contained in:
Tom Hvitved
Anders Schack-Mulligen
Родитель
f6541811d2
Коммит
bef05f885c
|
|
@ -1,4 +1,23 @@
|
|||
edges
|
||||
| DataFlow.dll:0:0:0:0 | Parameter 1 of Taint1 : String | DataFlow.dll:0:0:0:0 | ldarg.1 : String |
|
||||
| DataFlow.dll:0:0:0:0 | Parameter 1 of Taint1 : String | DataFlow.dll:0:0:0:0 | ldarg.1 : String |
|
||||
| DataFlow.dll:0:0:0:0 | Parameter 1 of Taint2 : String | DataFlow.dll:0:0:0:0 | ldarg.1 : String |
|
||||
| DataFlow.dll:0:0:0:0 | Parameter 1 of Taint3 : String | DataFlow.dll:0:0:0:0 | ldarg.1 : String |
|
||||
| DataFlow.dll:0:0:0:0 | Parameter 1 of Taint5 : String | DataFlow.dll:0:0:0:0 | ldarg.1 : String |
|
||||
| DataFlow.dll:0:0:0:0 | Parameter 1 of Taint6 : String | DataFlow.dll:0:0:0:0 | ldarg.1 : String |
|
||||
| DataFlow.dll:0:0:0:0 | Parameter 1 of TaintIndirect : String | DataFlow.dll:0:0:0:0 | ldarg.1 : String |
|
||||
| DataFlow.dll:0:0:0:0 | Parameter 2 of Taint1 : String | DataFlow.dll:0:0:0:0 | ldarg.2 : String |
|
||||
| DataFlow.dll:0:0:0:0 | Parameter 2 of TaintIndirect : String | DataFlow.dll:0:0:0:0 | ldarg.2 : String |
|
||||
| DataFlow.dll:0:0:0:0 | ldarg.1 : String | DataFlow.dll:0:0:0:0 | Parameter 1 of Taint1 : String |
|
||||
| DataFlow.dll:0:0:0:0 | ldarg.1 : String | DataFlow.dll:0:0:0:0 | Parameter 1 of Taint5 : String |
|
||||
| DataFlow.dll:0:0:0:0 | ldarg.1 : String | DataFlow.dll:0:0:0:0 | Parameter 1 of Taint6 : String |
|
||||
| DataFlow.dll:0:0:0:0 | ldarg.1 : String | DataFlow.dll:0:0:0:0 | call : String |
|
||||
| DataFlow.dll:0:0:0:0 | ldarg.1 : String | DataFlow.dll:0:0:0:0 | call : String |
|
||||
| DataFlow.dll:0:0:0:0 | ldarg.1 : String | DataFlow.dll:0:0:0:0 | call : String |
|
||||
| DataFlow.dll:0:0:0:0 | ldarg.1 : String | DataFlow.dll:0:0:0:0 | call : String |
|
||||
| DataFlow.dll:0:0:0:0 | ldarg.2 : String | DataFlow.dll:0:0:0:0 | Parameter 2 of Taint1 : String |
|
||||
| DataFlow.dll:0:0:0:0 | ldarg.2 : String | DataFlow.dll:0:0:0:0 | call : String |
|
||||
| DataFlow.dll:0:0:0:0 | ldarg.2 : String | DataFlow.dll:0:0:0:0 | call : String |
|
||||
| dataflow.cs:16:18:16:26 | "tainted" : String | dataflow.cs:16:18:16:37 | call to method ToString |
|
||||
| dataflow.cs:18:27:18:27 | 2 : Int32 | dataflow.cs:18:18:18:31 | call to method Max |
|
||||
| dataflow.cs:18:30:18:30 | 3 : Int32 | dataflow.cs:18:18:18:31 | call to method Max |
|
||||
|
|
@ -6,12 +25,19 @@ edges
|
|||
| dataflow.cs:20:45:20:53 | "tainted" : String | dataflow.cs:20:18:20:54 | call to method GetFullPath |
|
||||
| dataflow.cs:27:44:27:46 | 1 : Double | dataflow.cs:27:18:27:52 | call to method IEEERemainder |
|
||||
| dataflow.cs:27:49:27:51 | 2 : Double | dataflow.cs:27:18:27:52 | call to method IEEERemainder |
|
||||
| dataflow.cs:38:34:38:37 | "d1" : String | DataFlow.dll:0:0:0:0 | Parameter 1 of Taint1 : String |
|
||||
| dataflow.cs:38:34:38:37 | "d1" : String | dataflow.cs:38:18:38:38 | call to method Taint1 |
|
||||
| dataflow.cs:39:34:39:37 | "d2" : String | DataFlow.dll:0:0:0:0 | Parameter 1 of Taint2 : String |
|
||||
| dataflow.cs:39:34:39:37 | "d2" : String | dataflow.cs:39:18:39:38 | call to method Taint2 |
|
||||
| dataflow.cs:40:34:40:37 | "d3" : String | DataFlow.dll:0:0:0:0 | Parameter 1 of Taint3 : String |
|
||||
| dataflow.cs:40:34:40:37 | "d3" : String | dataflow.cs:40:18:40:38 | call to method Taint3 |
|
||||
| dataflow.cs:44:28:44:32 | "t1a" : String | DataFlow.dll:0:0:0:0 | Parameter 1 of Taint1 : String |
|
||||
| dataflow.cs:44:28:44:32 | "t1a" : String | dataflow.cs:44:18:44:40 | call to method Taint1 |
|
||||
| dataflow.cs:44:35:44:39 | "t1b" : String | DataFlow.dll:0:0:0:0 | Parameter 2 of Taint1 : String |
|
||||
| dataflow.cs:44:35:44:39 | "t1b" : String | dataflow.cs:44:18:44:40 | call to method Taint1 |
|
||||
| dataflow.cs:47:35:47:38 | "t6" : String | DataFlow.dll:0:0:0:0 | Parameter 1 of TaintIndirect : String |
|
||||
| dataflow.cs:47:35:47:38 | "t6" : String | dataflow.cs:47:18:47:45 | call to method TaintIndirect |
|
||||
| dataflow.cs:47:41:47:44 | "t6" : String | DataFlow.dll:0:0:0:0 | Parameter 2 of TaintIndirect : String |
|
||||
| dataflow.cs:47:41:47:44 | "t6" : String | dataflow.cs:47:18:47:45 | call to method TaintIndirect |
|
||||
| dataflow.cs:72:21:72:34 | call to method NullFunction : null | dataflow.cs:72:21:72:52 | ... ?? ... |
|
||||
| dataflow.cs:72:39:72:52 | call to method IndirectNull : null | dataflow.cs:72:21:72:52 | ... ?? ... |
|
||||
|
|
@ -24,6 +50,30 @@ edges
|
|||
| dataflow.cs:108:16:108:16 | access to local variable x : null | dataflow.cs:72:21:72:34 | call to method NullFunction : null |
|
||||
| dataflow.cs:108:16:108:16 | access to local variable x : null | dataflow.cs:87:31:87:44 | call to method NullFunction : null |
|
||||
nodes
|
||||
| DataFlow.dll:0:0:0:0 | Parameter 1 of Taint1 : String | semmle.label | Parameter 1 of Taint1 : String |
|
||||
| DataFlow.dll:0:0:0:0 | Parameter 1 of Taint1 : String | semmle.label | Parameter 1 of Taint1 : String |
|
||||
| DataFlow.dll:0:0:0:0 | Parameter 1 of Taint2 : String | semmle.label | Parameter 1 of Taint2 : String |
|
||||
| DataFlow.dll:0:0:0:0 | Parameter 1 of Taint3 : String | semmle.label | Parameter 1 of Taint3 : String |
|
||||
| DataFlow.dll:0:0:0:0 | Parameter 1 of Taint5 : String | semmle.label | Parameter 1 of Taint5 : String |
|
||||
| DataFlow.dll:0:0:0:0 | Parameter 1 of Taint6 : String | semmle.label | Parameter 1 of Taint6 : String |
|
||||
| DataFlow.dll:0:0:0:0 | Parameter 1 of TaintIndirect : String | semmle.label | Parameter 1 of TaintIndirect : String |
|
||||
| DataFlow.dll:0:0:0:0 | Parameter 2 of Taint1 : String | semmle.label | Parameter 2 of Taint1 : String |
|
||||
| DataFlow.dll:0:0:0:0 | Parameter 2 of TaintIndirect : String | semmle.label | Parameter 2 of TaintIndirect : String |
|
||||
| DataFlow.dll:0:0:0:0 | call : String | semmle.label | call : String |
|
||||
| DataFlow.dll:0:0:0:0 | call : String | semmle.label | call : String |
|
||||
| DataFlow.dll:0:0:0:0 | call : String | semmle.label | call : String |
|
||||
| DataFlow.dll:0:0:0:0 | call : String | semmle.label | call : String |
|
||||
| DataFlow.dll:0:0:0:0 | call : String | semmle.label | call : String |
|
||||
| DataFlow.dll:0:0:0:0 | call : String | semmle.label | call : String |
|
||||
| DataFlow.dll:0:0:0:0 | ldarg.1 : String | semmle.label | ldarg.1 : String |
|
||||
| DataFlow.dll:0:0:0:0 | ldarg.1 : String | semmle.label | ldarg.1 : String |
|
||||
| DataFlow.dll:0:0:0:0 | ldarg.1 : String | semmle.label | ldarg.1 : String |
|
||||
| DataFlow.dll:0:0:0:0 | ldarg.1 : String | semmle.label | ldarg.1 : String |
|
||||
| DataFlow.dll:0:0:0:0 | ldarg.1 : String | semmle.label | ldarg.1 : String |
|
||||
| DataFlow.dll:0:0:0:0 | ldarg.1 : String | semmle.label | ldarg.1 : String |
|
||||
| DataFlow.dll:0:0:0:0 | ldarg.1 : String | semmle.label | ldarg.1 : String |
|
||||
| DataFlow.dll:0:0:0:0 | ldarg.2 : String | semmle.label | ldarg.2 : String |
|
||||
| DataFlow.dll:0:0:0:0 | ldarg.2 : String | semmle.label | ldarg.2 : String |
|
||||
| dataflow.cs:16:18:16:26 | "tainted" : String | semmle.label | "tainted" : String |
|
||||
| dataflow.cs:16:18:16:37 | call to method ToString | semmle.label | call to method ToString |
|
||||
| dataflow.cs:18:18:18:31 | call to method Max | semmle.label | call to method Max |
|
||||
|
|
@ -58,6 +108,18 @@ nodes
|
|||
| dataflow.cs:106:20:106:33 | call to method IndirectNull : null | semmle.label | call to method IndirectNull : null |
|
||||
| dataflow.cs:107:23:107:26 | null : null | semmle.label | null : null |
|
||||
| dataflow.cs:108:16:108:16 | access to local variable x : null | semmle.label | access to local variable x : null |
|
||||
subpaths
|
||||
| DataFlow.dll:0:0:0:0 | ldarg.1 : String | DataFlow.dll:0:0:0:0 | Parameter 1 of Taint1 : String | DataFlow.dll:0:0:0:0 | call : String | DataFlow.dll:0:0:0:0 | call : String |
|
||||
| DataFlow.dll:0:0:0:0 | ldarg.1 : String | DataFlow.dll:0:0:0:0 | Parameter 1 of Taint5 : String | DataFlow.dll:0:0:0:0 | call : String | DataFlow.dll:0:0:0:0 | call : String |
|
||||
| DataFlow.dll:0:0:0:0 | ldarg.1 : String | DataFlow.dll:0:0:0:0 | Parameter 1 of Taint6 : String | DataFlow.dll:0:0:0:0 | ldarg.1 : String | DataFlow.dll:0:0:0:0 | call : String |
|
||||
| DataFlow.dll:0:0:0:0 | ldarg.2 : String | DataFlow.dll:0:0:0:0 | Parameter 2 of Taint1 : String | DataFlow.dll:0:0:0:0 | call : String | DataFlow.dll:0:0:0:0 | call : String |
|
||||
| dataflow.cs:38:34:38:37 | "d1" : String | DataFlow.dll:0:0:0:0 | Parameter 1 of Taint1 : String | DataFlow.dll:0:0:0:0 | ldarg.1 : String | dataflow.cs:38:18:38:38 | call to method Taint1 : String |
|
||||
| dataflow.cs:39:34:39:37 | "d2" : String | DataFlow.dll:0:0:0:0 | Parameter 1 of Taint2 : String | DataFlow.dll:0:0:0:0 | call : String | dataflow.cs:39:18:39:38 | call to method Taint2 : String |
|
||||
| dataflow.cs:40:34:40:37 | "d3" : String | DataFlow.dll:0:0:0:0 | Parameter 1 of Taint3 : String | DataFlow.dll:0:0:0:0 | ldarg.1 : String | dataflow.cs:40:18:40:38 | call to method Taint3 : String |
|
||||
| dataflow.cs:44:28:44:32 | "t1a" : String | DataFlow.dll:0:0:0:0 | Parameter 1 of Taint1 : String | DataFlow.dll:0:0:0:0 | call : String | dataflow.cs:44:18:44:40 | call to method Taint1 : String |
|
||||
| dataflow.cs:44:35:44:39 | "t1b" : String | DataFlow.dll:0:0:0:0 | Parameter 2 of Taint1 : String | DataFlow.dll:0:0:0:0 | call : String | dataflow.cs:44:18:44:40 | call to method Taint1 : String |
|
||||
| dataflow.cs:47:35:47:38 | "t6" : String | DataFlow.dll:0:0:0:0 | Parameter 1 of TaintIndirect : String | DataFlow.dll:0:0:0:0 | call : String | dataflow.cs:47:18:47:45 | call to method TaintIndirect : String |
|
||||
| dataflow.cs:47:41:47:44 | "t6" : String | DataFlow.dll:0:0:0:0 | Parameter 2 of TaintIndirect : String | DataFlow.dll:0:0:0:0 | call : String | dataflow.cs:47:18:47:45 | call to method TaintIndirect : String |
|
||||
#select
|
||||
| dataflow.cs:16:18:16:26 | "tainted" : String | dataflow.cs:16:18:16:37 | call to method ToString | dataflow.cs:16:18:16:37 | call to method ToString | $@ | dataflow.cs:16:18:16:37 | call to method ToString | call to method ToString |
|
||||
| dataflow.cs:18:27:18:27 | 2 : Int32 | dataflow.cs:18:18:18:31 | call to method Max | dataflow.cs:18:18:18:31 | call to method Max | $@ | dataflow.cs:18:18:18:31 | call to method Max | call to method Max |
|
||||
|
|
|
|||
|
|
@ -4,7 +4,33 @@
|
|||
|
||||
import csharp
|
||||
import DataFlow
|
||||
import DataFlow::PathGraph
|
||||
|
||||
private predicate relevantPathNode(PathNode n) {
|
||||
exists(File f | f = n.getNode().getLocation().getFile() |
|
||||
f.fromSource()
|
||||
or
|
||||
f.getBaseName() = "DataFlow.dll"
|
||||
)
|
||||
}
|
||||
|
||||
query predicate edges(PathNode a, PathNode b) {
|
||||
PathGraph::edges(a, b) and
|
||||
relevantPathNode(a) and
|
||||
relevantPathNode(b)
|
||||
}
|
||||
|
||||
query predicate nodes(PathNode n, string key, string val) {
|
||||
PathGraph::nodes(n, key, val) and
|
||||
relevantPathNode(n)
|
||||
}
|
||||
|
||||
query predicate subpaths(PathNode arg, PathNode par, PathNode ret, PathNode out) {
|
||||
PathGraph::subpaths(arg, par, ret, out) and
|
||||
relevantPathNode(arg) and
|
||||
relevantPathNode(par) and
|
||||
relevantPathNode(ret) and
|
||||
relevantPathNode(out)
|
||||
}
|
||||
|
||||
class FlowConfig extends Configuration {
|
||||
FlowConfig() { this = "FlowConfig" }
|
||||
|
|
@ -16,6 +42,6 @@ class FlowConfig extends Configuration {
|
|||
}
|
||||
}
|
||||
|
||||
from DataFlow::PathNode source, DataFlow::PathNode sink, FlowConfig config
|
||||
from PathNode source, PathNode sink, FlowConfig config
|
||||
where config.hasFlowPath(source, sink)
|
||||
select source, sink, sink, "$@", sink, sink.toString()
|
||||
|
|
|
|||
Загрузка…
Ссылка в новой задаче