Commit 56d1cc4

committed
stash2
1 parent 1960c29 commit 56d1cc4

6 files changed

Lines changed: 579 additions & 4 deletions


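--- a/csharp/ql/src/semmle/code/csharp/dataflow/LibraryTypeDataFlow.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/LibraryTypeDataFlow.qll
@@ -355,6 +355,13 @@ abstract class LibraryTypeDataFlow extends Type {
 * needed for a summary specified by `callableFlow()`.
 */
 predicate requiresAccessPath(Content head, AccessPath tail) { none() }
+
+pragma[nomagic]
+predicate clearsContent(
+CallableFlowSource source, Content content, SourceDeclarationCallable callable
+) {
+none()
+}
 }
 
 /** Data flow for `System.Int32`. */
@@ -630,8 +637,8 @@ class SystemStringFlow extends LibraryTypeDataFlow, SystemStringClass {
 /** Data flow for `System.Text.StringBuilder`. */
 class SystemTextStringBuilderFlow extends LibraryTypeDataFlow, SystemTextStringBuilderClass {
 override predicate callableFlow(
-CallableFlowSource source, AccessPath sourceAp, CallableFlowSink sink, AccessPath sinkAp, SourceDeclarationCallable c,
-boolean preservesValue
+CallableFlowSource source, AccessPath sourceAp, CallableFlowSink sink, AccessPath sinkAp,
+SourceDeclarationCallable c, boolean preservesValue
 ) {
 (
 constructorFlow(source, sourceAp, sink, sinkAp, c)
@@ -641,7 +648,10 @@ class SystemTextStringBuilderFlow extends LibraryTypeDataFlow, SystemTextStringB
 preservesValue = false
 }
 
-private predicate constructorFlow(CallableFlowSource source, AccessPath sourceAp, CallableFlowSink sink, AccessPath sinkAp, Constructor c) {
+private predicate constructorFlow(
+CallableFlowSource source, AccessPath sourceAp, CallableFlowSink sink, AccessPath sinkAp,
+Constructor c
+) {
 c = getAMember() and
 c.getParameter(0).getType() instanceof StringType and
 source = TCallableFlowSourceArg(0) and
@@ -651,7 +661,8 @@ class SystemTextStringBuilderFlow extends LibraryTypeDataFlow, SystemTextStringB
 }
 
 private predicate methodFlow(
-CallableFlowSource source, AccessPath sourceAp, CallableFlowSink sink, AccessPath sinkAp, SourceDeclarationMethod m
+CallableFlowSource source, AccessPath sourceAp, CallableFlowSink sink, AccessPath sinkAp,
+SourceDeclarationMethod m
 ) {
 exists(string name | m = this.getAMethod(name) |
 name = "ToString" and
@@ -673,6 +684,18 @@ class SystemTextStringBuilderFlow extends LibraryTypeDataFlow, SystemTextStringB
 )
 )
 }
+
+override predicate clearsContent(
+CallableFlowSource source, Content content, SourceDeclarationCallable callable
+) {
+source = TCallableFlowSourceQualifier() and
+callable = this.getAMethod("Clear") and
+(
+content instanceof ElementContent
+// or
+// content = this.getAMember().(FieldOrProperty).getContent()
+)
+}
 }
 
 /** Data flow for `System.Lazy<>`. */
@@ -1279,6 +1302,18 @@ class IEnumerableFlow extends LibraryTypeDataFlow, RefType {
 name.regexpMatch("Find(All|Last)?")
 )
 }
+
+override predicate clearsContent(
+CallableFlowSource source, Content content, SourceDeclarationCallable callable
+) {
+source = TCallableFlowSourceQualifier() and
+callable = this.getAMethod("Clear") and
+(
+content instanceof ElementContent
+// or
+// content = this.getAMember().(FieldOrProperty).getContent()
+)
+}
 }
 
 /** Data flow for `System.Collections.[Generic.]ICollection` (and sub types). */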
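Review bot: The new `clearsContent` predicate on `LibraryTypeDataFlow` and its two overrides carry no QLDoc, although the neighbouring `requiresAccessPath` does, and the overrides bind `callable = this.getAMethod("Clear")` without constraining arity, so any overload named `Clear` on the type is treated as discarding the qualifier's element content. Since a matching call drops stored taint at that node, an over-broad match shows up as a missed finding rather than a false positive, so I would pin it to the nullary overload with something like `callable = this.getAMethod("Clear") and callable.getNumberOfParameters() = 0`. I would also remove the commented-out `// content = this.getAMember().(FieldOrProperty).getContent()` alternative, which is duplicated verbatim in both overrides, or record in the QLDoc why only `ElementContent` is cleared. A suitable QLDoc for the base predicate would be: `/** Holds if a call to `callable` clears `content` from the element identified by `source`, for example `List<T>.Clear()` removing every element of its qualifier. */`. The enclosing `abstract class LibraryTypeDataFlow` begins outside the hunk.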

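--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
@@ -1203,6 +1203,14 @@ private predicate flowCandFwd(
 else any()
 }
 
+import csharp
+private predicate sdfflowCandFwd(
+Node node, AccessPathFront apf, Method clear
+) {
+flowCandFwd(node, _, _, apf, _) and
+node.asExpr() = any(MethodCall mc | mc.getTarget() = clear and clear.hasName("Clear")).getQualifier()
+}
+
 pragma[nomagic]
 private predicate flowCandFwd0(
 Node node, boolean fromArg, AccessPathFrontOption argApf, AccessPathFront apf,
@@ -3011,6 +3019,10 @@ class TaintTrackingConfiguration extends TaintTracking::Configuration {
 )
 )
 }
+
+override predicate isSanitizer(Node node) {
+node.asExpr() = any(MethodCall mc | mc.getTarget() = any(Method clear | clear.hasName("Clear") and clear.getLocation().getFile().getStem() = ["DataTable", "RootCodeDomSerializer","HttpResponseStream","CssStyleCollection","IList"])).getQualifier()
+}
 }
 
 // import semmle.code.csharp.controlflow.Guards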
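Review bot: The `isSanitizer` override selects which `Clear` methods cut taint by source-file stem (`clear.getLocation().getFile().getStem() = ["DataTable", ...]`), which matches any method named `Clear` in a file with one of those names regardless of its declaring type and silently stops matching if a file is renamed or the library is extracted differently; the declaring type is the stable key here, e.g. `clear.getDeclaringType().getSourceDeclaration().hasQualifiedName(...)`. Together with the mid-file `import csharp` and the `sdfflowCandFwd` scratch predicate added at line 1206, this reads as debugging code in what appears to be the shared data-flow implementation, and the same commit already introduces a `clearsContent` model that is the proper home for this knowledge. Sanitizing only the qualifier expression of the call also cuts flow at that single read; whether later reads of the same variable are affected depends on how this configuration's steps pass through the qualifier, which I cannot see from the hunk. The enclosing `TaintTrackingConfiguration` class begins outside the hunk.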

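--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll
@@ -753,6 +753,10 @@ abstract class AccessPathFront extends TAccessPathFront {
 
 abstract boolean toBoolNonEmpty();
 
+abstract predicate hasLocationInfo(
+string filepath, int startline, int startcolumn, int endline, int endcolumn
+) ;
+
 predicate headUsesContent(TypedContent tc) { this = TFrontHead(tc) }
 
 predicate isClearedAt(Node n) {
@@ -773,6 +777,12 @@ class AccessPathFrontNil extends AccessPathFront, TFrontNil {
 override DataFlowType getType() { result = t }
 
 override boolean toBoolNonEmpty() { result = false }
+
+override predicate hasLocationInfo(
+string filepath, int startline, int startcolumn, int endline, int endcolumn
+) {
+t.getLocation().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
+}
 }
 
 class AccessPathFrontHead extends AccessPathFront, TFrontHead {
@@ -785,6 +795,12 @@ class AccessPathFrontHead extends AccessPathFront, TFrontHead {
 override DataFlowType getType() { result = tc.getContainerType() }
 
 override boolean toBoolNonEmpty() { result = true }
+
+override predicate hasLocationInfo(
+string filepath, int startline, int startcolumn, int endline, int endcolumn
+) {
+tc.getContent().getLocation().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
+}
 }
 
 /** An optional access path front. */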
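Review bot: The new abstract `hasLocationInfo` on `AccessPathFront` has no QLDoc explaining its purpose, and both implementations delegate to `t.getLocation()` and `tc.getContent().getLocation()`, so a front whose `DataFlowType` or `Content` has no location (synthetic or built-in elements, if any exist here) simply gets no location rather than failing loudly. If this is a debugging aid for inspecting fronts in query results, say so, for example `/** Holds if this front has the given location; only used to display access-path fronts in query results. */`, and consider mapping location-less fronts to a fixed placeholder location. This file's `DataFlowType` and `Content` may be provided differently in other copies of the shared library, so depending on `getLocation()` on them is worth confirming before this is merged. Minor style: `) ;` on the abstract declaration should be `);`. The `AccessPathFront` class and both subclasses begin outside the hunks.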

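--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll
@@ -696,6 +696,14 @@ private module Cached {
 fieldOrPropertyStore(_, c, _, n.(ObjectInitializerNode).getInitializer(), false)
 or
 storeStepLibrary(n, c, _)
+or
+// or
+// n.asExpr() = any(MethodCall mc | mc.getTarget().hasName("Clear")).getQualifier() and
+// c instanceof ElementContent
+exists(LibraryTypeDataFlow ltdf, CallableFlowSource source, Call call |
+ltdf.clearsContent(source, c, call.getTarget().getSourceDeclaration()) and
+n.asExpr() = source.getSource(call)
+)
 }
 
 /**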
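Review bot: The hunk leaves three commented-out lines (`// or`, `// n.asExpr() = any(MethodCall mc | mc.getTarget().hasName("Clear")).getQualifier() and`, `// c instanceof ElementContent`) above the `exists` that supersedes them; the name-based version would have treated any user method called `Clear` as wiping element content, so the library-model version is the right choice and the dead alternative should be dropped rather than kept alongside it. A short comment on why `getSourceDeclaration()` is applied to the call target would also help, presumably so that `List<string>.Clear()` matches a model written against the unbound `List<T>`: `// compare against the unbound generic declaration, which is what the library models are keyed on`. The predicate this disjunct belongs to starts outside the hunk, so I cannot see its name or confirm that it is the one consumed by `AccessPathFront.isClearedAt`.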
