github
diff --git a/‎csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll‎
Lines changed: 39 additions & 48 deletions b/‎csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll‎
Lines changed: 39 additions & 48 deletions
@@ -873,6 +873,10 @@ private predicate nodeCand2(
   read = false
   or
   nodeCandFwd2(node, _, _, unbindBool(read), unbind(config)) and
+  // not exists(LTDF::LibraryTypeDataFlow ltdf, LTDF::CallableFlowSource source, Call call |
+  //   ltdf.clearsContent(source, _, call.getTarget().getSourceDeclaration()) and
+  //   node.asExpr() = source.getSource(call)
+  // ) and
   (
     exists(Node mid |
       localFlowStepNodeCand1(node, mid, config) and
@@ -1198,17 +1202,26 @@ private predicate flowCandFwd(
 ) {
   flowCandFwd0(node, fromArg, argApf, apf, config) and
   not apf.isClearedAt(node) and
+  // not exists(LTDF::LibraryTypeDataFlow ltdf, LTDF::CallableFlowSource source, Call call |
+  //   ltdf.clearsContent(source, _, call.getTarget().getSourceDeclaration()) and
+  //   node.asExpr() = source.getSource(call)
+  // ) and
   if node instanceof CastingNode
   then compatibleTypes(getErasedNodeTypeBound(node), apf.getType())
   else any()
 }
 
 import csharp
-private predicate sdfflowCandFwd(
-  Node node, AccessPathFront apf, Method clear
-) {
+import semmle.code.csharp.dataflow.LibraryTypeDataFlow as LTDF
+
+private predicate sdfflowCandFwd(Node node, AccessPathFront apf, Content c) {
   flowCandFwd(node, _, _, apf, _) and
-  node.asExpr() = any(MethodCall mc | mc.getTarget() = clear and clear.hasName("Clear")).getQualifier()
+  //node.asExpr() = any(MethodCall mc | mc.getTarget() = clear and clear.hasName("Clear")).getQualifier() and
+  //clearsContent(node, c)
+  exists(LTDF::LibraryTypeDataFlow ltdf, LTDF::CallableFlowSource source, Call call |
+    ltdf.clearsContent(source, c, call.getTarget().getSourceDeclaration()) and
+    node.asExpr() = source.getSource(call)
+  )
 }
 
 pragma[nomagic]
@@ -2996,73 +3009,62 @@ module ZipSlip {
   import csharp
 
   /**
- * A `DataFlow::Configuration` for tracking `Strings passed to SqlConnectionStringBuilder` instances.
- */
-class TaintTrackingConfiguration extends TaintTracking::Configuration {
-  TaintTrackingConfiguration() { this = "TaintTrackingConfiguration" }
-
-  override predicate isSource(DataFlow::Node source) {
-    exists(string s | s = source.asExpr().(StringLiteral).getValue().toLowerCase() |
-      s.matches("%encrypt=false%")
-      or
-      not s.matches("%encrypt=%")
-    )
-  }
+   * A `DataFlow::Configuration` for tracking `Strings passed to SqlConnectionStringBuilder` instances.
+   */
+  class TaintTrackingConfiguration extends TaintTracking::Configuration {
+    TaintTrackingConfiguration() { this = "TaintTrackingConfiguration" }
 
-  override predicate isSink(DataFlow::Node sink) {
-    exists(ObjectCreation oc |
-      oc.getRuntimeArgument(0) = sink.asExpr() and
-      (
-        oc.getType().getName() = "SqlConnectionStringBuilder"
+    override predicate isSource(DataFlow::Node source) {
+      exists(string s | s = source.asExpr().(StringLiteral).getValue().toLowerCase() |
+        s.matches("%encrypt=false%")
         or
-        oc.getType().getName() = "SqlConnection"
+        not s.matches("%encrypt=%")
       )
-    )
-  }
+    }
 
-  override predicate isSanitizer(Node node) {
-    node.asExpr() = any(MethodCall mc | mc.getTarget() = any(Method clear | clear.hasName("Clear") and clear.getLocation().getFile().getStem() = ["DataTable", "RootCodeDomSerializer","HttpResponseStream","CssStyleCollection","IList"])).getQualifier()
+    override predicate isSink(DataFlow::Node sink) {
+      exists(ObjectCreation oc |
+        oc.getRuntimeArgument(0) = sink.asExpr() and
+        (
+          oc.getType().getName() = "SqlConnectionStringBuilder"
+          or
+          oc.getType().getName() = "SqlConnection"
+        )
+      )
+    }
+    // override predicate isSanitizer(Node node) {
+    //   node.asExpr() = any(MethodCall mc | mc.getTarget() = any(Method clear | clear.hasName("Clear") /*and clear.getLocation().getFile().getStem() = ["DataTable", "RootCodeDomSerializer","HttpResponseStream","CssStyleCollection","IList"]*/)).getQualifier()
+    // }
   }
-}
 
   // import semmle.code.csharp.controlflow.Guards
   // import semmle.code.csharp.security.Sanitizers
-
   // /**
   //  * A data flow source for unsafe zip extraction.
   //  */
   // abstract class Source extends DataFlow::Node { }
-
   // /**
   //  * A data flow sink for unsafe zip extraction.
   //  */
   // abstract class Sink extends DataFlow::ExprNode { }
-
   // /**
   //  * A sanitizer for unsafe zip extraction.
   //  */
   // abstract class Sanitizer extends DataFlow::ExprNode { }
-
   // /**
   //  * A guard for unsafe zip extraction.
   //  */
   // abstract class SanitizerGuard extends DataFlow::BarrierGuard { }
-
   // /** A taint tracking configuration for Zip Slip */
   // class TaintTrackingConfiguration extends TaintTracking::Configuration {
   //   TaintTrackingConfiguration() { this = "ZipSlipTaintTracking" }
-
   //   override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
   //   override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
   //   override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
-
   //   override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
   //     guard instanceof SanitizerGuard
   //   }
   // }
-
   // /** An access to the `FullName` property of a `ZipArchiveEntry`. */
   // class ArchiveFullNameSource extends Source {
   //   ArchiveFullNameSource() {
@@ -3072,7 +3074,6 @@ class TaintTrackingConfiguration extends TaintTracking::Configuration {
   //     )
   //   }
   // }
-
   // /** An argument to the `ExtractToFile` extension method. */
   // class ExtractToFileArgSink extends Sink {
   //   ExtractToFileArgSink() {
@@ -3082,7 +3083,6 @@ class TaintTrackingConfiguration extends TaintTracking::Configuration {
   //     )
   //   }
   // }
-
   // /** A path argument to a `File.Open`, `File.OpenWrite`, or `File.Create` method call. */
   // class FileOpenArgSink extends Sink {
   //   FileOpenArgSink() {
@@ -3095,7 +3095,6 @@ class TaintTrackingConfiguration extends TaintTracking::Configuration {
   //     )
   //   }
   // }
-
   // /** A path argument to a call to the `FileStream` constructor. */
   // class FileStreamArgSink extends Sink {
   //   FileStreamArgSink() {
@@ -3106,7 +3105,6 @@ class TaintTrackingConfiguration extends TaintTracking::Configuration {
   //     )
   //   }
   // }
-
   // /**
   //  * A path argument to a call to the `FileStream` constructor.
   //  *
@@ -3121,7 +3119,6 @@ class TaintTrackingConfiguration extends TaintTracking::Configuration {
   //     )
   //   }
   // }
-
   // /**
   //  * A call to `GetFileName`.
   //  *
@@ -3134,7 +3131,6 @@ class TaintTrackingConfiguration extends TaintTracking::Configuration {
   //     )
   //   }
   // }
-
   // /**
   //  * A call to `Substring`.
   //  *
@@ -3148,14 +3144,12 @@ class TaintTrackingConfiguration extends TaintTracking::Configuration {
   //     )
   //   }
   // }
-
   // /**
   //  * A call to `String.StartsWith()` that indicates that the tainted path value is being
   //  * validated to ensure that it occurs within a permitted output path.
   //  */
   // class StringCheckGuard extends SanitizerGuard, MethodCall {
   //   private Expr q;
-
   //   StringCheckGuard() {
   //     this.getTarget().hasQualifiedName("System.String", "StartsWith") and
   //     this.getQualifier() = q and
@@ -3166,15 +3160,12 @@ class TaintTrackingConfiguration extends TaintTracking::Configuration {
   //       DataFlow::localExprFlow(combineCall, q)
   //     )
   //   }
-
   //   override predicate checks(Expr e, AbstractValue v) {
   //     e = q and
   //     v.(AbstractValues::BooleanValue).getValue() = true
   //   }
   // }
-
   // private class SimpleTypeSanitizer extends Sanitizer, SimpleTypeSanitizedExpr { }
-
   predicate qqfinal(int pns) { pns = count(PathNode pn) }
 
   predicate qqstats(