C#: Include exception property accesses in the exception information exposure query.

michaelnebel · michaelnebel · commit 062a2ad97ddf · 2024-10-23T13:08:08.000+02:00
diff --git a/csharp/ql/src/Security Features/CWE-209/ExceptionInformationExposure.ql b/csharp/ql/src/Security Features/CWE-209/ExceptionInformationExposure.ql
@@ -23,16 +23,17 @@ import ExceptionInformationExposure::PathGraph
  */
 module ExceptionInformationExposureConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) {
-    exists(Expr exceptionExpr |
+    exists(Expr expr |
       // Writing an exception directly is bad
-      source.asExpr() = exceptionExpr
+      source.asExpr() = expr
+      or
+      // Writing a property of an exception is bad
+      source.asExpr().(PropertyAccess).getQualifier() = expr
     |
       // Expr has type `System.Exception`.
-      exceptionExpr.getType().(RefType).getABaseType*() instanceof SystemExceptionClass and
+      expr.getType().(RefType).getABaseType*() instanceof SystemExceptionClass and
       // And is not within an exception callable.
-      not exists(Callable enclosingCallable |
-        enclosingCallable = exceptionExpr.getEnclosingCallable()
-      |
+      not exists(Callable enclosingCallable | enclosingCallable = expr.getEnclosingCallable() |
         enclosingCallable.getDeclaringType().getABaseType*() instanceof SystemExceptionClass
       )
     )
