C#: Fix the existing callableFlow for JObject to target the inherited ToString methods from JToken.

csharp/ql/lib/semmle/code/csharp/frameworks/JsonNET.qll

@@ -233,7 +233,7 @@ module JsonNET {
       boolean preservesValue
     ) {
       // ToString method
-      c = this.getAMethod("ToString") and
+      c = this.getBaseClass().getBaseClass().getAMethod("ToString") and
       source instanceof CallableFlowSourceQualifier and
       sink instanceof CallableFlowSinkReturn and
       preservesValue = false

csharp/ql/test/library-tests/dataflow/library/FlowSummaries.expected

@@ -56,6 +56,8 @@
 | Newtonsoft.Json.Linq;JToken;false;SelectToken;(System.String);;Argument[-1];ReturnValue;taint |
 | Newtonsoft.Json.Linq;JToken;false;SelectToken;(System.String,Newtonsoft.Json.Linq.JsonSelectSettings);;Argument[-1];ReturnValue;taint |
 | Newtonsoft.Json.Linq;JToken;false;SelectToken;(System.String,System.Boolean);;Argument[-1];ReturnValue;taint |
+| Newtonsoft.Json.Linq;JToken;false;ToString;();;Argument[-1];ReturnValue;taint |
+| Newtonsoft.Json.Linq;JToken;false;ToString;(Newtonsoft.Json.Formatting,Newtonsoft.Json.JsonConverter[]);;Argument[-1];ReturnValue;taint |
 | Newtonsoft.Json.Linq;JToken;false;explicit conversion;(Newtonsoft.Json.Linq.JToken);;Argument[0];ReturnValue;taint |
 | Newtonsoft.Json;JsonConvert;false;DeserializeAnonymousType<>;(System.String,T);;Argument[0];ReturnValue;taint |
 | Newtonsoft.Json;JsonConvert;false;DeserializeAnonymousType<>;(System.String,T,Newtonsoft.Json.JsonSerializerSettings);;Argument[0];ReturnValue;taint |

csharp/ql/test/library-tests/dataflow/library/FlowSummariesFiltered.expected

@@ -49,6 +49,8 @@
 | Newtonsoft.Json.Linq;JToken;false;SelectToken;(System.String);;Argument[-1];ReturnValue;taint |
 | Newtonsoft.Json.Linq;JToken;false;SelectToken;(System.String,Newtonsoft.Json.Linq.JsonSelectSettings);;Argument[-1];ReturnValue;taint |
 | Newtonsoft.Json.Linq;JToken;false;SelectToken;(System.String,System.Boolean);;Argument[-1];ReturnValue;taint |
+| Newtonsoft.Json.Linq;JToken;false;ToString;();;Argument[-1];ReturnValue;taint |
+| Newtonsoft.Json.Linq;JToken;false;ToString;(Newtonsoft.Json.Formatting,Newtonsoft.Json.JsonConverter[]);;Argument[-1];ReturnValue;taint |
 | Newtonsoft.Json.Linq;JToken;false;explicit conversion;(Newtonsoft.Json.Linq.JToken);;Argument[0];ReturnValue;taint |
 | Newtonsoft.Json;JsonConvert;false;DeserializeAnonymousType<>;(System.String,T);;Argument[0];ReturnValue;taint |
 | Newtonsoft.Json;JsonConvert;false;DeserializeAnonymousType<>;(System.String,T,Newtonsoft.Json.JsonSerializerSettings);;Argument[0];ReturnValue;taint |

csharp/ql/test/library-tests/frameworks/JsonNET/Json.cs

@@ -43,6 +43,7 @@ namespace JsonTest
             Sink(jobject["1"]);
             Sink(jobject["1"]["2"]);
             Sink((string)jobject["1"]["2"]);
+            Sink(jobject.ToString());
 
             // Linq JToken tests
             Sink(jobject.First((JToken i) => true));

csharp/ql/test/library-tests/frameworks/JsonNET/Json.expected

@@ -10,7 +10,8 @@
 | Json.cs:16:24:16:32 | "tainted" | Json.cs:43:18:43:29 | access to indexer |
 | Json.cs:16:24:16:32 | "tainted" | Json.cs:44:18:44:34 | access to indexer |
 | Json.cs:16:24:16:32 | "tainted" | Json.cs:45:18:45:42 | call to operator explicit conversion |
-| Json.cs:16:24:16:32 | "tainted" | Json.cs:48:18:48:50 | call to method First<JToken> |
-| Json.cs:16:24:16:32 | "tainted" | Json.cs:49:18:49:46 | call to method First<JToken> |
-| Json.cs:16:24:16:32 | "tainted" | Json.cs:50:18:50:51 | call to method First<JToken> |
-| Json.cs:16:24:16:32 | "tainted" | Json.cs:51:18:51:61 | call to method SelectToken |
+| Json.cs:16:24:16:32 | "tainted" | Json.cs:46:18:46:35 | call to method ToString |
+| Json.cs:16:24:16:32 | "tainted" | Json.cs:49:18:49:50 | call to method First<JToken> |
+| Json.cs:16:24:16:32 | "tainted" | Json.cs:50:18:50:46 | call to method First<JToken> |
+| Json.cs:16:24:16:32 | "tainted" | Json.cs:51:18:51:51 | call to method First<JToken> |
+| Json.cs:16:24:16:32 | "tainted" | Json.cs:52:18:52:61 | call to method SelectToken |