C#: Add missing data-flow for switch expressions

hvitved · hvitved · commit 31816af11efd · 2020-10-07T17:10:29.000+02:00
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll
@@ -171,6 +171,10 @@ module LocalFlow {
         e1 = e2.(ArrayCreation).getInitializer() and
         scope = e2 and
         isSuccessor = false
+        or
+        e1 = e2.(SwitchExpr).getACase().getBody() and
+        scope = e2 and
+        isSuccessor = false
       )
     }
 
diff --git a/csharp/ql/test/library-tests/dataflow/global/DataFlow.expected b/csharp/ql/test/library-tests/dataflow/global/DataFlow.expected
@@ -60,3 +60,5 @@
 | Splitting.cs:34:19:34:19 | access to local variable x |
 | Splitting.cs:41:19:41:19 | access to local variable s |
 | Splitting.cs:43:19:43:19 | access to local variable s |
+| Splitting.cs:50:19:50:19 | access to local variable s |
+| Splitting.cs:52:19:52:19 | access to local variable s |
diff --git a/csharp/ql/test/library-tests/dataflow/global/DataFlowPath.expected b/csharp/ql/test/library-tests/dataflow/global/DataFlowPath.expected
@@ -242,6 +242,8 @@ edges
 | Splitting.cs:31:19:31:25 | [b (line 24): true] access to parameter tainted : String | Splitting.cs:31:17:31:26 | [b (line 24): true] dynamic access to element : String |
 | Splitting.cs:39:21:39:34 | [b (line 37): true] "taint source" : String | Splitting.cs:41:19:41:19 | access to local variable s |
 | Splitting.cs:39:21:39:34 | [b (line 37): true] "taint source" : String | Splitting.cs:43:19:43:19 | access to local variable s |
+| Splitting.cs:48:36:48:49 | "taint source" : String | Splitting.cs:50:19:50:19 | access to local variable s |
+| Splitting.cs:48:36:48:49 | "taint source" : String | Splitting.cs:52:19:52:19 | access to local variable s |
 nodes
 | Capture.cs:7:20:7:26 | tainted : String | semmle.label | tainted : String |
 | Capture.cs:12:19:12:24 | access to local variable sink27 | semmle.label | access to local variable sink27 |
@@ -448,6 +450,9 @@ nodes
 | Splitting.cs:39:21:39:34 | [b (line 37): true] "taint source" : String | semmle.label | [b (line 37): true] "taint source" : String |
 | Splitting.cs:41:19:41:19 | access to local variable s | semmle.label | access to local variable s |
 | Splitting.cs:43:19:43:19 | access to local variable s | semmle.label | access to local variable s |
+| Splitting.cs:48:36:48:49 | "taint source" : String | semmle.label | "taint source" : String |
+| Splitting.cs:50:19:50:19 | access to local variable s | semmle.label | access to local variable s |
+| Splitting.cs:52:19:52:19 | access to local variable s | semmle.label | access to local variable s |
 #select
 | Splitting.cs:32:15:32:15 | [b (line 24): false] access to local variable x | Splitting.cs:24:28:24:34 | tainted : String | Splitting.cs:32:15:32:15 | [b (line 24): false] access to local variable x | [b (line 24): false] access to local variable x |
 | Splitting.cs:32:15:32:15 | [b (line 24): true] access to local variable x | Splitting.cs:24:28:24:34 | tainted : String | Splitting.cs:32:15:32:15 | [b (line 24): true] access to local variable x | [b (line 24): true] access to local variable x |
@@ -456,6 +461,8 @@ nodes
 | GlobalDataFlow.cs:19:15:19:29 | access to field SinkField0 | GlobalDataFlow.cs:18:27:18:40 | "taint source" : String | GlobalDataFlow.cs:19:15:19:29 | access to field SinkField0 | access to field SinkField0 |
 | Splitting.cs:41:19:41:19 | access to local variable s | Splitting.cs:39:21:39:34 | [b (line 37): true] "taint source" : String | Splitting.cs:41:19:41:19 | access to local variable s | access to local variable s |
 | Splitting.cs:43:19:43:19 | access to local variable s | Splitting.cs:39:21:39:34 | [b (line 37): true] "taint source" : String | Splitting.cs:43:19:43:19 | access to local variable s | access to local variable s |
+| Splitting.cs:50:19:50:19 | access to local variable s | Splitting.cs:48:36:48:49 | "taint source" : String | Splitting.cs:50:19:50:19 | access to local variable s | access to local variable s |
+| Splitting.cs:52:19:52:19 | access to local variable s | Splitting.cs:48:36:48:49 | "taint source" : String | Splitting.cs:52:19:52:19 | access to local variable s | access to local variable s |
 | GlobalDataFlow.cs:72:15:72:19 | access to local variable sink0 | GlobalDataFlow.cs:18:27:18:40 | "taint source" : String | GlobalDataFlow.cs:72:15:72:19 | access to local variable sink0 | access to local variable sink0 |
 | GlobalDataFlow.cs:74:15:74:19 | access to local variable sink1 | GlobalDataFlow.cs:18:27:18:40 | "taint source" : String | GlobalDataFlow.cs:74:15:74:19 | access to local variable sink1 | access to local variable sink1 |
 | GlobalDataFlow.cs:191:15:191:20 | access to local variable sink10 | GlobalDataFlow.cs:338:16:338:29 | "taint source" : String | GlobalDataFlow.cs:191:15:191:20 | access to local variable sink10 | access to local variable sink10 |
diff --git a/csharp/ql/test/library-tests/dataflow/global/Splitting.cs b/csharp/ql/test/library-tests/dataflow/global/Splitting.cs
@@ -47,8 +47,8 @@ void M4(bool b)
     {
         var s = b switch { true => "taint source", false => "not tainted" };
         if (b)
-            Check(s); // flow [MISSING]
+            Check(s); // flow
         else
-            Check(s); // no flow
+            Check(s); // no flow [FALSE POSITIVE]
     }
 }
diff --git a/csharp/ql/test/library-tests/dataflow/global/TaintTracking.expected b/csharp/ql/test/library-tests/dataflow/global/TaintTracking.expected
@@ -64,3 +64,5 @@
 | Splitting.cs:34:19:34:19 | access to local variable x |
 | Splitting.cs:41:19:41:19 | access to local variable s |
 | Splitting.cs:43:19:43:19 | access to local variable s |
+| Splitting.cs:50:19:50:19 | access to local variable s |
+| Splitting.cs:52:19:52:19 | access to local variable s |
diff --git a/csharp/ql/test/library-tests/dataflow/global/TaintTrackingPath.expected b/csharp/ql/test/library-tests/dataflow/global/TaintTrackingPath.expected
@@ -249,6 +249,8 @@ edges
 | Splitting.cs:31:19:31:25 | [b (line 24): true] access to parameter tainted : String | Splitting.cs:31:17:31:26 | [b (line 24): true] dynamic access to element : String |
 | Splitting.cs:39:21:39:34 | [b (line 37): true] "taint source" : String | Splitting.cs:41:19:41:19 | access to local variable s |
 | Splitting.cs:39:21:39:34 | [b (line 37): true] "taint source" : String | Splitting.cs:43:19:43:19 | access to local variable s |
+| Splitting.cs:48:36:48:49 | "taint source" : String | Splitting.cs:50:19:50:19 | access to local variable s |
+| Splitting.cs:48:36:48:49 | "taint source" : String | Splitting.cs:52:19:52:19 | access to local variable s |
 nodes
 | Capture.cs:7:20:7:26 | tainted : String | semmle.label | tainted : String |
 | Capture.cs:12:19:12:24 | access to local variable sink27 | semmle.label | access to local variable sink27 |
@@ -462,6 +464,9 @@ nodes
 | Splitting.cs:39:21:39:34 | [b (line 37): true] "taint source" : String | semmle.label | [b (line 37): true] "taint source" : String |
 | Splitting.cs:41:19:41:19 | access to local variable s | semmle.label | access to local variable s |
 | Splitting.cs:43:19:43:19 | access to local variable s | semmle.label | access to local variable s |
+| Splitting.cs:48:36:48:49 | "taint source" : String | semmle.label | "taint source" : String |
+| Splitting.cs:50:19:50:19 | access to local variable s | semmle.label | access to local variable s |
+| Splitting.cs:52:19:52:19 | access to local variable s | semmle.label | access to local variable s |
 #select
 | Capture.cs:12:19:12:24 | access to local variable sink27 | Capture.cs:7:20:7:26 | tainted : String | Capture.cs:12:19:12:24 | access to local variable sink27 | access to local variable sink27 |
 | Capture.cs:21:23:21:28 | access to local variable sink28 | Capture.cs:7:20:7:26 | tainted : String | Capture.cs:21:23:21:28 | access to local variable sink28 | access to local variable sink28 |
@@ -529,3 +534,5 @@ nodes
 | Splitting.cs:34:19:34:19 | access to local variable x | Splitting.cs:24:28:24:34 | tainted : String | Splitting.cs:34:19:34:19 | access to local variable x | access to local variable x |
 | Splitting.cs:41:19:41:19 | access to local variable s | Splitting.cs:39:21:39:34 | [b (line 37): true] "taint source" : String | Splitting.cs:41:19:41:19 | access to local variable s | access to local variable s |
 | Splitting.cs:43:19:43:19 | access to local variable s | Splitting.cs:39:21:39:34 | [b (line 37): true] "taint source" : String | Splitting.cs:43:19:43:19 | access to local variable s | access to local variable s |
+| Splitting.cs:50:19:50:19 | access to local variable s | Splitting.cs:48:36:48:49 | "taint source" : String | Splitting.cs:50:19:50:19 | access to local variable s | access to local variable s |
+| Splitting.cs:52:19:52:19 | access to local variable s | Splitting.cs:48:36:48:49 | "taint source" : String | Splitting.cs:52:19:52:19 | access to local variable s | access to local variable s |

Original file line number	Diff line number	Diff line change
`@@ -171,6 +171,10 @@ module LocalFlow {`
`171`	`171`	`e1 = e2.(ArrayCreation).getInitializer() and`
`172`	`172`	`scope = e2 and`
`173`	`173`	`isSuccessor = false`
	`174`	`+ or`
	`175`	`+ e1 = e2.(SwitchExpr).getACase().getBody() and`
	`176`	`+ scope = e2 and`
	`177`	`+ isSuccessor = false`
`174`	`178`	`)`
`175`	`179`	`}`
`176`	`180`
Original file line number	Diff line number	Diff line change
`@@ -47,8 +47,8 @@ void M4(bool b)`
`47`	`47`	`{`
`48`	`48`	`var s = b switch { true => "taint source", false => "not tainted" };`
`49`	`49`	`if (b)`
`50`		`- Check(s); // flow [MISSING]`
	`50`	`+ Check(s); // flow`
`51`	`51`	`else`
`52`		`- Check(s); // no flow`
	`52`	`+ Check(s); // no flow [FALSE POSITIVE]`
`53`	`53`	`}`
`54`	`54`	`}`