
Commit 3431fcf

Merge pull request #15025 from tamasvajk/feature/change-stringbuilder-modeling
C#: Change `StringBuilder` flow models to not use `Element` access path
2 parents a8bd6b8 + c1db689 commit 3431fcf


7 files changed

+157
-154
lines changed


csharp/ql/lib/ext/System.Text.model.yml

Lines changed: 42 additions & 43 deletions
Large diffs are not rendered by default.

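--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/TaintTrackingPrivate.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/TaintTrackingPrivate.qll
@@ -18,7 +18,13 @@ private import semmle.code.csharp.security.dataflow.flowsources.Remote
 * Holds if `node` should be a sanitizer in all global taint flow configurations
 * but not in local taint.
 */
-predicate defaultTaintSanitizer(DataFlow::Node node) { none() }
+predicate defaultTaintSanitizer(DataFlow::Node node) {
+exists(MethodCall mc |
+mc.getTarget().hasFullyQualifiedName("System.Text.StringBuilder", "Clear")
+|
+node.asExpr() = mc.getQualifier()
+)
+}
 
 /**
 * Holds if default `TaintTracking::Configuration`s should allow implicit reads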
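Review bot: `defaultTaintSanitizer` now has a body but no comment explaining why the qualifier of a `StringBuilder.Clear()` call is treated as a barrier in every global taint configuration, and an undocumented global barrier is a likely place for later false negatives in security queries. I would add a comment above the `exists`, for example `// StringBuilder taint is tracked on the object itself (no Element content), so Clear() is modelled as a barrier on its qualifier`. That rationale is inferred from the commit title, so adjust the wording if the intent differs. It would also help to confirm that a test covers taint re-added after the call, such as `sb.Clear().Append(tainted)`, since the expected-output changes visible on this page only relabel existing paths and the remaining changed files are not rendered here.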

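--- a/csharp/ql/test/library-tests/dataflow/global/TaintTrackingPath.expected
+++ b/csharp/ql/test/library-tests/dataflow/global/TaintTrackingPath.expected
@@ -268,11 +268,11 @@ edges
 | GlobalDataFlow.cs:427:9:427:11 | value : String | GlobalDataFlow.cs:427:41:427:46 | access to local variable sink20 |
 | GlobalDataFlow.cs:438:22:438:35 | "taint source" : String | GlobalDataFlow.cs:201:22:201:32 | access to property OutProperty : String |
 | GlobalDataFlow.cs:446:64:446:64 | s : String | GlobalDataFlow.cs:448:19:448:19 | access to parameter s : String |
-| GlobalDataFlow.cs:448:19:448:19 | access to parameter s : String | GlobalDataFlow.cs:448:9:448:10 | [post] access to parameter sb : StringBuilder [element] : String |
-| GlobalDataFlow.cs:454:31:454:32 | [post] access to local variable sb : StringBuilder [element] : String | GlobalDataFlow.cs:455:22:455:23 | access to local variable sb : StringBuilder [element] : String |
+| GlobalDataFlow.cs:448:19:448:19 | access to parameter s : String | GlobalDataFlow.cs:448:9:448:10 | [post] access to parameter sb : StringBuilder |
+| GlobalDataFlow.cs:454:31:454:32 | [post] access to local variable sb : StringBuilder | GlobalDataFlow.cs:455:22:455:23 | access to local variable sb : StringBuilder |
 | GlobalDataFlow.cs:454:35:454:48 | "taint source" : String | GlobalDataFlow.cs:446:64:446:64 | s : String |
-| GlobalDataFlow.cs:454:35:454:48 | "taint source" : String | GlobalDataFlow.cs:454:31:454:32 | [post] access to local variable sb : StringBuilder [element] : String |
-| GlobalDataFlow.cs:455:22:455:23 | access to local variable sb : StringBuilder [element] : String | GlobalDataFlow.cs:455:22:455:34 | call to method ToString : String |
+| GlobalDataFlow.cs:454:35:454:48 | "taint source" : String | GlobalDataFlow.cs:454:31:454:32 | [post] access to local variable sb : StringBuilder |
+| GlobalDataFlow.cs:455:22:455:23 | access to local variable sb : StringBuilder | GlobalDataFlow.cs:455:22:455:34 | call to method ToString : String |
 | GlobalDataFlow.cs:455:22:455:34 | call to method ToString : String | GlobalDataFlow.cs:456:15:456:20 | access to local variable sink43 |
 | GlobalDataFlow.cs:465:22:465:65 | call to method Join : String | GlobalDataFlow.cs:466:15:466:20 | access to local variable sink44 |
 | GlobalDataFlow.cs:465:51:465:64 | "taint source" : String | GlobalDataFlow.cs:465:22:465:65 | call to method Join : String |
@@ -592,11 +592,11 @@ nodes
 | GlobalDataFlow.cs:427:41:427:46 | access to local variable sink20 | semmle.label | access to local variable sink20 |
 | GlobalDataFlow.cs:438:22:438:35 | "taint source" : String | semmle.label | "taint source" : String |
 | GlobalDataFlow.cs:446:64:446:64 | s : String | semmle.label | s : String |
-| GlobalDataFlow.cs:448:9:448:10 | [post] access to parameter sb : StringBuilder [element] : String | semmle.label | [post] access to parameter sb : StringBuilder [element] : String |
+| GlobalDataFlow.cs:448:9:448:10 | [post] access to parameter sb : StringBuilder | semmle.label | [post] access to parameter sb : StringBuilder |
 | GlobalDataFlow.cs:448:19:448:19 | access to parameter s : String | semmle.label | access to parameter s : String |
-| GlobalDataFlow.cs:454:31:454:32 | [post] access to local variable sb : StringBuilder [element] : String | semmle.label | [post] access to local variable sb : StringBuilder [element] : String |
+| GlobalDataFlow.cs:454:31:454:32 | [post] access to local variable sb : StringBuilder | semmle.label | [post] access to local variable sb : StringBuilder |
 | GlobalDataFlow.cs:454:35:454:48 | "taint source" : String | semmle.label | "taint source" : String |
-| GlobalDataFlow.cs:455:22:455:23 | access to local variable sb : StringBuilder [element] : String | semmle.label | access to local variable sb : StringBuilder [element] : String |
+| GlobalDataFlow.cs:455:22:455:23 | access to local variable sb : StringBuilder | semmle.label | access to local variable sb : StringBuilder |
 | GlobalDataFlow.cs:455:22:455:34 | call to method ToString : String | semmle.label | call to method ToString : String |
 | GlobalDataFlow.cs:456:15:456:20 | access to local variable sink43 | semmle.label | access to local variable sink43 |
 | GlobalDataFlow.cs:465:22:465:65 | call to method Join : String | semmle.label | call to method Join : String |
@@ -707,7 +707,7 @@ subpaths
 | GlobalDataFlow.cs:389:18:389:18 | access to parameter x : String | GlobalDataFlow.cs:298:26:298:26 | x : String | GlobalDataFlow.cs:301:16:301:41 | ... ? ... : ... : String | GlobalDataFlow.cs:389:16:389:19 | delegate call : String |
 | GlobalDataFlow.cs:389:18:389:18 | access to parameter x : String | GlobalDataFlow.cs:298:26:298:26 | x : String | GlobalDataFlow.cs:301:16:301:41 | ... ? ... : ... : String | GlobalDataFlow.cs:389:16:389:19 | delegate call : String |
 | GlobalDataFlow.cs:389:18:389:18 | access to parameter x : String | GlobalDataFlow.cs:300:27:300:28 | x0 : String | GlobalDataFlow.cs:300:33:300:34 | access to parameter x0 : String | GlobalDataFlow.cs:389:16:389:19 | delegate call : String |
-| GlobalDataFlow.cs:454:35:454:48 | "taint source" : String | GlobalDataFlow.cs:446:64:446:64 | s : String | GlobalDataFlow.cs:448:9:448:10 | [post] access to parameter sb : StringBuilder [element] : String | GlobalDataFlow.cs:454:31:454:32 | [post] access to local variable sb : StringBuilder [element] : String |
+| GlobalDataFlow.cs:454:35:454:48 | "taint source" : String | GlobalDataFlow.cs:446:64:446:64 | s : String | GlobalDataFlow.cs:448:9:448:10 | [post] access to parameter sb : StringBuilder | GlobalDataFlow.cs:454:31:454:32 | [post] access to local variable sb : StringBuilder |
 | GlobalDataFlow.cs:575:46:575:46 | access to local variable x : String | GlobalDataFlow.cs:81:79:81:79 | x : String | GlobalDataFlow.cs:81:84:81:84 | access to parameter x : String | GlobalDataFlow.cs:575:44:575:47 | delegate call : String |
 | Splitting.cs:8:24:8:30 | [b (line 3): false] access to parameter tainted : String | Splitting.cs:16:26:16:26 | x : String | Splitting.cs:16:32:16:32 | access to parameter x : String | Splitting.cs:8:17:8:31 | [b (line 3): false] call to method Return<String> : String |
 | Splitting.cs:8:24:8:30 | [b (line 3): true] access to parameter tainted : String | Splitting.cs:16:26:16:26 | x : String | Splitting.cs:16:32:16:32 | access to parameter x : String | Splitting.cs:8:17:8:31 | [b (line 3): true] call to method Return<String> : String |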
