C#: Add sources and sinks in Winforms. Update some queries with new sources and sinks.

calumgrant · calumgrant · commit c9ffb38e4bfa · 2019-01-18T15:42:44.000Z
diff --git a/csharp/ql/src/Security Features/CWE-089/SqlInjection.ql b/csharp/ql/src/Security Features/CWE-089/SqlInjection.ql
@@ -14,7 +14,13 @@ import csharp
 import semmle.code.csharp.security.dataflow.SqlInjection::SqlInjection
 import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph
 
+string getSourceType(DataFlow::Node node) {
+  result = node.(RemoteFlowSource).getSourceType()
+  or
+  result = node.(LocalFlowSource).getSourceType()
+}
+
 from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
 where c.hasFlowPath(source, sink)
 select sink.getNode(), source, sink, "Query might include code from $@.", source,
-  ("this " + source.getNode().(RemoteFlowSource).getSourceType())
+  ("this " + getSourceType(source.getNode()))
diff --git a/csharp/ql/src/Security Features/CWE-134/UncontrolledFormatString.ql b/csharp/ql/src/Security Features/CWE-134/UncontrolledFormatString.ql
@@ -12,14 +12,19 @@
 
 import csharp
 import semmle.code.csharp.dataflow.flowsources.Remote
+import semmle.code.csharp.dataflow.flowsources.Local
 import semmle.code.csharp.dataflow.TaintTracking
 import semmle.code.csharp.frameworks.Format
 import DataFlow::PathGraph
 
 class FormatStringConfiguration extends TaintTracking::Configuration {
   FormatStringConfiguration() { this = "FormatStringConfiguration" }
 
-  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  override predicate isSource(DataFlow::Node source) {
+    source instanceof RemoteFlowSource
+    or
+    source instanceof LocalFlowSource
+  }
 
   override predicate isSink(DataFlow::Node sink) {
     sink.asExpr() = any(FormatCall call).getFormatExpr()
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/flowsources/Local.qll b/csharp/ql/src/semmle/code/csharp/dataflow/flowsources/Local.qll
@@ -0,0 +1,24 @@
+/**
+ * Provides classes representing sources of local input.
+ */
+
+import csharp
+private import semmle.code.csharp.frameworks.system.windows.Forms
+
+/** A data flow source of local data. */
+abstract class LocalFlowSource extends DataFlow::Node {
+  /** Gets a string that describes the type of this local flow source. */
+  abstract string getSourceType();
+}
+
+/** A data flow source of local user input. */
+abstract class LocalUserInputSource extends LocalFlowSource { }
+
+/** The text of a `TextBox`. */
+class TextFieldSource extends LocalUserInputSource {
+  TextFieldSource() {
+    this.asExpr() = any(TextControl control).getARead()
+  }
+
+  override string getSourceType() { result = "TextBox text" }
+}
diff --git a/csharp/ql/src/semmle/code/csharp/frameworks/system/windows/Forms.qll b/csharp/ql/src/semmle/code/csharp/frameworks/system/windows/Forms.qll
@@ -23,3 +23,78 @@ class SystemWindowsFormsHtmlElement extends SystemWindowsFormsClass {
   /** Gets the `SetAttribute` method. */
   Method getSetAttributeMethod() { result = this.getAMethod("SetAttribute") }
 }
+
+/** The `System.Windows.Forms.TextBoxBase` class. */
+class SystemWindowsFormsTextBoxBase extends SystemWindowsFormsClass {
+  SystemWindowsFormsTextBoxBase() {
+    this.hasName("TextBoxBase")
+  }
+
+  /** Gets the `Text` property. */
+  Property getTextProperty() { result = this.getProperty("Text") }
+}
+
+/** The `System.Windows.Forms.RichTextBox` class. */
+class SystemWindowsFormsRichTextBox extends SystemWindowsFormsClass {
+  SystemWindowsFormsRichTextBox() {
+    this.hasName("RichTextBox")
+  }
+
+  /** Gets the `Rtf` property. */
+  Property getRtfProperty() { result = this.getProperty("Rtf") }
+
+  /** Gets the `SelectedText` property. */
+  Property getSelectedTextProperty() { result = this.getProperty("SelectedText") }
+
+  /** Gets the 'SelectedRtf' property. */
+  Property getSelectedRtfProperty() { result = this.getProperty("SelectedRtf") }
+}
+
+/** The `System.Windows.Forms.HtmlDocument` class. */
+class SystemWindowsFormsHtmlDocumentClass extends SystemWindowsFormsClass {
+  SystemWindowsFormsHtmlDocumentClass() {
+    this.hasName("HtmlDocument")
+  }
+
+  /** Gets the `Write` method. */
+  Method getWriteMethod() { result = this.getAMethod() and result.hasName("Write") }  
+}
+
+/** The `System.Windows.Forms.WebBrowser` class. */
+class SystemWindowsFormsWebBrowserClass extends SystemWindowsFormsClass {
+  SystemWindowsFormsWebBrowserClass() {
+    this.hasName("WebBrowser")
+  }
+
+  /** Gets the `DocumentText` property. */
+  Property getDocumentTextProperty() { result = this.getProperty("DocumentText") }
+}
+
+private class TextProperty extends Property {
+  TextProperty() {
+    exists(SystemWindowsFormsRichTextBox c |
+      this = c.getRtfProperty() or
+      this = c.getSelectedTextProperty() or
+      this = c.getSelectedRtfProperty()
+    )
+    or
+    exists(SystemWindowsFormsTextBoxBase tb |
+      this = tb.getTextProperty().getAnOverrider*()
+    )
+  }
+}
+
+/** A field that contains a text control. */
+class TextControl extends Field
+{
+  TextControl() {
+    this.getType().(ValueOrRefType).getBaseClass*() instanceof SystemWindowsFormsTextBoxBase
+  }
+
+  /** Gets a read of the text property. */
+  PropertyRead getARead() {
+    result.getTarget() instanceof TextProperty
+    and
+    result.getQualifier() = this.getAnAccess()
+  }
+}
diff --git a/csharp/ql/src/semmle/code/csharp/security/PrivateData.qll b/csharp/ql/src/semmle/code/csharp/security/PrivateData.qll
@@ -10,6 +10,7 @@
  */
 
 import csharp
+import semmle.code.csharp.frameworks.system.windows.Forms
 
 /** A string for `match` that identifies strings that look like they represent private data. */
 private string privateNames() {
@@ -58,3 +59,10 @@ class PrivateVariableAccess extends PrivateDataExpr, VariableAccess {
     exists(string s | this.getTarget().getName().toLowerCase() = s | s.matches(privateNames()))
   }
 }
+
+/** Reading the text property of a control that might contain private data. */
+class PrivateControlAccess extends PrivateDataExpr {
+  PrivateControlAccess() {
+    exists(TextControl c | this = c.getARead() and c.getName().toLowerCase().matches(privateNames()))
+  }
+}
diff --git a/csharp/ql/src/semmle/code/csharp/security/SensitiveActions.qll b/csharp/ql/src/semmle/code/csharp/security/SensitiveActions.qll
@@ -10,6 +10,7 @@
  */
 
 import csharp
+import semmle.code.csharp.frameworks.system.windows.Forms
 
 /**
  * A string for `match` that identifies strings that look like they represent secret data.
@@ -108,7 +109,11 @@ private predicate expressionHasName(Expr expr, string name) {
 
 /** An expression that may contain a password. */
 class PasswordExpr extends Expr {
-  PasswordExpr() { exists(string name | expressionHasName(this, name) and isPassword(name)) }
+  PasswordExpr() {
+    exists(string name | expressionHasName(this, name) and isPassword(name))
+    or
+    this instanceof PasswordTextboxText
+  }
 }
 
 /** An expression that might contain sensitive data. */
@@ -130,6 +135,26 @@ class SensitiveVariableAccess extends SensitiveExpr, VariableAccess {
   SensitiveVariableAccess() { isSuspicious(this.getTarget().getName()) }
 }
 
+/** Reading the `Text` property of a password text box. */
+class PasswordTextboxText extends SensitiveExpr, PropertyRead {
+  PasswordTextboxText() {
+    this = any(PasswordField p).getARead()
+  }
+}
+
+/** A field containing a text box used as a password. */
+class PasswordField extends TextControl
+{
+  PasswordField() {
+    isSuspicious(this.getName())
+    or
+    exists(PropertyWrite write | write.getQualifier() = this.getAnAccess() |
+        write.getTarget().getName() = "UseSystemPasswordChar" or
+        write.getTarget().getName() = "PasswordChar"
+    )
+  }
+}
+
 /** A method that may produce sensitive data. */
 abstract class SensitiveDataMethod extends Method { }
 
diff --git a/csharp/ql/src/semmle/code/csharp/security/dataflow/CodeInjection.qll b/csharp/ql/src/semmle/code/csharp/security/dataflow/CodeInjection.qll
@@ -6,6 +6,7 @@ import csharp
 
 module CodeInjection {
   import semmle.code.csharp.dataflow.flowsources.Remote
+  import semmle.code.csharp.dataflow.flowsources.Local
   import semmle.code.csharp.frameworks.system.codedom.Compiler
   import semmle.code.csharp.security.Sanitizers
 
@@ -40,6 +41,9 @@ module CodeInjection {
   /** A source of remote user input. */
   class RemoteSource extends Source { RemoteSource() { this instanceof RemoteFlowSource } }
 
+  /** A source of local user input. */
+  class LocalSource extends Source { LocalSource() { this instanceof LocalFlowSource } }
+
   private class SimpleTypeSanitizer extends Sanitizer, SimpleTypeSanitizedExpr { }
 
   private class GuidSanitizer extends Sanitizer, GuidSanitizedExpr { }
diff --git a/csharp/ql/src/semmle/code/csharp/security/dataflow/ResourceInjection.qll b/csharp/ql/src/semmle/code/csharp/security/dataflow/ResourceInjection.qll
@@ -6,6 +6,7 @@ import csharp
 
 module ResourceInjection {
   import semmle.code.csharp.dataflow.flowsources.Remote
+  import semmle.code.csharp.dataflow.flowsources.Local
   import semmle.code.csharp.frameworks.system.Data
   import semmle.code.csharp.security.Sanitizers
 
@@ -40,6 +41,9 @@ module ResourceInjection {
   /** A source of remote user input. */
   class RemoteSource extends Source { RemoteSource() { this instanceof RemoteFlowSource } }
 
+  /** A source of local user input. */
+  class LocalSource extends Source { LocalSource() { this instanceof LocalFlowSource } }
+
   /** An argument to the `ConnectionString` property on a data connection class. */
   class SqlConnectionStringSink extends Sink {
     SqlConnectionStringSink() {
diff --git a/csharp/ql/src/semmle/code/csharp/security/dataflow/SqlInjection.qll b/csharp/ql/src/semmle/code/csharp/security/dataflow/SqlInjection.qll
@@ -6,6 +6,7 @@ import csharp
 
 module SqlInjection {
   import semmle.code.csharp.dataflow.flowsources.Remote
+  import semmle.code.csharp.dataflow.flowsources.Local
   import semmle.code.csharp.frameworks.Sql
   import semmle.code.csharp.security.Sanitizers
 
@@ -40,6 +41,9 @@ module SqlInjection {
   /** A source of remote user input. */
   class RemoteSource extends Source { RemoteSource() { this instanceof RemoteFlowSource } }
 
+  /** A source of local user input. */
+  class LocalSource extends Source { LocalSource() { this instanceof LocalFlowSource } }
+
   /** An SQL expression passed to an API call that executes SQL. */
   class SqlInjectionExprSink extends Sink {
     SqlInjectionExprSink() { exists(SqlExpr s | this.getExpr() = s.getSql()) }
diff --git a/csharp/ql/src/semmle/code/csharp/security/dataflow/XSS.qll b/csharp/ql/src/semmle/code/csharp/security/dataflow/XSS.qll
@@ -572,9 +572,7 @@ module XSS {
     }
   }
 
-  /**
-   * HtmlString that may be rendered as is need to have sanitized value
-   */
+  /** `HtmlString` that may be rendered as is need to have sanitized value. */
   class MicrosoftAspNetHtmlStringSink extends AspNetCoreSink {
     MicrosoftAspNetHtmlStringSink() {
       exists(ObjectCreation c, MicrosoftAspNetCoreHttpHtmlString s |
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-089/SqlInjection.cs b/csharp/ql/test/query-tests/Security Features/CWE-089/SqlInjection.cs
@@ -1,4 +1,4 @@
-// semmle-extractor-options: /r:System.ComponentModel.Primitives.dll /r:System.ComponentModel.TypeConverter.dll /r:System.Data.Common.dll ${testdir}/../../../resources/stubs/EntityFramework.cs ${testdir}/../../../resources/stubs/System.Data.cs
+// semmle-extractor-options: /r:System.ComponentModel.Primitives.dll /r:System.ComponentModel.TypeConverter.dll /r:System.Data.Common.dll ${testdir}/../../../resources/stubs/EntityFramework.cs ${testdir}/../../../resources/stubs/System.Data.cs ${testdir}/../../../resources/stubs/System.Windows.cs
 
 using System;
 
@@ -79,6 +79,18 @@ public void GetDataSetByCategory()
                     context.Database.ExecuteSqlCommand(query2, categoryTextBox.Text);
                 }
             }
+
+            // BAD: Text from a local textbox
+            using (var connection = new SqlConnection(connectionString))
+            {
+                var query1 = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='"
+                  + box1.Text + "' ORDER BY PRICE";
+                var adapter = new SqlDataAdapter(query1, connection);
+                var result = new DataSet();
+                adapter.Fill(result);
+            }
         }
+
+        System.Windows.Forms.TextBox box1;
     }
 }
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-089/SqlInjection.expected b/csharp/ql/test/query-tests/Security Features/CWE-089/SqlInjection.expected
@@ -18,6 +18,7 @@ edges
 | SqlInjection.cs:61:62:61:81 | access to property Text | SqlInjection.cs:75:55:75:60 | access to local variable query1 |
 | SqlInjection.cs:73:33:73:47 | access to field categoryTextBox | SqlInjection.cs:74:56:74:61 | access to local variable query1 |
 | SqlInjection.cs:73:33:73:47 | access to field categoryTextBox | SqlInjection.cs:75:55:75:60 | access to local variable query1 |
+| SqlInjection.cs:87:21:87:29 | access to property Text | SqlInjection.cs:88:50:88:55 | access to local variable query1 |
 nodes
 | SqlInjection.cs:38:21:38:35 | access to field categoryTextBox |
 | SqlInjection.cs:39:50:39:55 | access to local variable query1 |
@@ -28,6 +29,8 @@ nodes
 | SqlInjection.cs:73:33:73:47 | access to field categoryTextBox |
 | SqlInjection.cs:74:56:74:61 | access to local variable query1 |
 | SqlInjection.cs:75:55:75:60 | access to local variable query1 |
+| SqlInjection.cs:87:21:87:29 | access to property Text |
+| SqlInjection.cs:88:50:88:55 | access to local variable query1 |
 #select
 | SqlInjection.cs:39:50:39:55 | access to local variable query1 | SqlInjection.cs:38:21:38:35 | access to field categoryTextBox | SqlInjection.cs:39:50:39:55 | access to local variable query1 | Query might include code from $@. | SqlInjection.cs:38:21:38:35 | access to field categoryTextBox | this ASP.NET user input |
 | SqlInjection.cs:74:56:74:61 | access to local variable query1 | SqlInjection.cs:38:21:38:35 | access to field categoryTextBox | SqlInjection.cs:74:56:74:61 | access to local variable query1 | Query might include code from $@. | SqlInjection.cs:38:21:38:35 | access to field categoryTextBox | this ASP.NET user input |
@@ -38,3 +41,4 @@ nodes
 | SqlInjection.cs:75:55:75:60 | access to local variable query1 | SqlInjection.cs:49:62:49:76 | access to field categoryTextBox | SqlInjection.cs:75:55:75:60 | access to local variable query1 | Query might include code from $@. | SqlInjection.cs:49:62:49:76 | access to field categoryTextBox | this ASP.NET user input |
 | SqlInjection.cs:75:55:75:60 | access to local variable query1 | SqlInjection.cs:61:62:61:76 | access to field categoryTextBox | SqlInjection.cs:75:55:75:60 | access to local variable query1 | Query might include code from $@. | SqlInjection.cs:61:62:61:76 | access to field categoryTextBox | this ASP.NET user input |
 | SqlInjection.cs:75:55:75:60 | access to local variable query1 | SqlInjection.cs:73:33:73:47 | access to field categoryTextBox | SqlInjection.cs:75:55:75:60 | access to local variable query1 | Query might include code from $@. | SqlInjection.cs:73:33:73:47 | access to field categoryTextBox | this ASP.NET user input |
+| SqlInjection.cs:88:50:88:55 | access to local variable query1 | SqlInjection.cs:87:21:87:29 | access to property Text | SqlInjection.cs:88:50:88:55 | access to local variable query1 | Query might include code from $@. | SqlInjection.cs:87:21:87:29 | access to property Text | this TextBox text |
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-094/CodeInjection.cs b/csharp/ql/test/query-tests/Security Features/CWE-094/CodeInjection.cs
@@ -1,4 +1,4 @@
-// semmle-extractor-options: ${testdir}/../../../resources/stubs/System.Web.cs /r:System.Collections.Specialized.dll ${testdir}/../../../resources/stubs/Microsoft.CSharp.cs /r:System.ComponentModel.Primitives.dll
+// semmle-extractor-options: ${testdir}/../../../resources/stubs/System.Web.cs /r:System.Collections.Specialized.dll ${testdir}/../../../resources/stubs/Microsoft.CSharp.cs /r:System.ComponentModel.Primitives.dll ${testdir}/../../../resources/stubs/System.Windows.cs
 
 using Microsoft.CSharp;
 using Microsoft.CodeAnalysis.CSharp.Scripting;
@@ -49,4 +49,12 @@ public bool IsReusable
             return true;
         }
     }
+
+    System.Windows.Forms.RichTextBox box1;
+
+    void OnButtonClicked()
+    {
+        // BAD: Use the Roslyn APIs to dynamically evaluate C#
+    	CSharpScript.EvaluateAsync(box1.Text);
+    }
 }
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-094/CodeInjection.expected b/csharp/ql/test/query-tests/Security Features/CWE-094/CodeInjection.expected
@@ -5,6 +5,8 @@ nodes
 | CodeInjection.cs:25:23:25:45 | access to property QueryString |
 | CodeInjection.cs:31:64:31:67 | access to local variable code |
 | CodeInjection.cs:42:36:42:39 | access to local variable code |
+| CodeInjection.cs:58:33:58:41 | access to property Text |
 #select
 | CodeInjection.cs:31:64:31:67 | access to local variable code | CodeInjection.cs:25:23:25:45 | access to property QueryString | CodeInjection.cs:31:64:31:67 | access to local variable code | $@ flows to here and is compiled as code. | CodeInjection.cs:25:23:25:45 | access to property QueryString | User-provided value |
 | CodeInjection.cs:42:36:42:39 | access to local variable code | CodeInjection.cs:25:23:25:45 | access to property QueryString | CodeInjection.cs:42:36:42:39 | access to local variable code | $@ flows to here and is compiled as code. | CodeInjection.cs:25:23:25:45 | access to property QueryString | User-provided value |
+| CodeInjection.cs:58:33:58:41 | access to property Text | CodeInjection.cs:58:33:58:41 | access to property Text | CodeInjection.cs:58:33:58:41 | access to property Text | $@ flows to here and is compiled as code. | CodeInjection.cs:58:33:58:41 | access to property Text | User-provided value |
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-134/UncontrolledFormatString.cs b/csharp/ql/test/query-tests/Security Features/CWE-134/UncontrolledFormatString.cs
@@ -1,4 +1,4 @@
-// semmle-extractor-options: /r:System.Runtime.Extensions.dll /r:System.Collections.Specialized.dll ${testdir}/../../../resources/stubs/System.Web.cs
+// semmle-extractor-options: /r:System.Runtime.Extensions.dll /r:System.Collections.Specialized.dll ${testdir}/../../../resources/stubs/System.Web.cs ${testdir}/../../../resources/stubs/System.Windows.cs
 
 using System;
 using System.IO;
@@ -22,4 +22,12 @@ public void ProcessRequest(HttpContext ctx)
         // GOOD: Not the format string.
         String.Format((IFormatProvider)null, "Do not do this", path);
     }
+
+    System.Windows.Forms.TextBox box1;
+
+    void OnButtonClicked()
+    {
+    	// BAD: Uncontrolled format string.
+    	String.Format(box1.Text, "Do not do this");
+    }
 }
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-134/UncontrolledFormatString.expected b/csharp/ql/test/query-tests/Security Features/CWE-134/UncontrolledFormatString.expected
@@ -8,9 +8,11 @@ nodes
 | UncontrolledFormatString.cs:17:46:17:49 | access to local variable path |
 | UncontrolledFormatString.cs:20:23:20:38 | "Do not do this" |
 | UncontrolledFormatString.cs:23:46:23:61 | "Do not do this" |
+| UncontrolledFormatString.cs:31:20:31:28 | access to property Text |
 | UncontrolledFormatStringBad.cs:9:25:9:47 | access to property QueryString |
 | UncontrolledFormatStringBad.cs:12:39:12:44 | access to local variable format |
 #select
 | UncontrolledFormatString.cs:14:23:14:26 | access to local variable path | UncontrolledFormatString.cs:11:23:11:45 | access to property QueryString | UncontrolledFormatString.cs:14:23:14:26 | access to local variable path | $@ flows to here and is used as a format string. | UncontrolledFormatString.cs:11:23:11:45 | access to property QueryString | access to property QueryString |
 | UncontrolledFormatString.cs:17:46:17:49 | access to local variable path | UncontrolledFormatString.cs:11:23:11:45 | access to property QueryString | UncontrolledFormatString.cs:17:46:17:49 | access to local variable path | $@ flows to here and is used as a format string. | UncontrolledFormatString.cs:11:23:11:45 | access to property QueryString | access to property QueryString |
+| UncontrolledFormatString.cs:31:20:31:28 | access to property Text | UncontrolledFormatString.cs:31:20:31:28 | access to property Text | UncontrolledFormatString.cs:31:20:31:28 | access to property Text | $@ flows to here and is used as a format string. | UncontrolledFormatString.cs:31:20:31:28 | access to property Text | access to property Text |
 | UncontrolledFormatStringBad.cs:12:39:12:44 | access to local variable format | UncontrolledFormatStringBad.cs:9:25:9:47 | access to property QueryString | UncontrolledFormatStringBad.cs:12:39:12:44 | access to local variable format | $@ flows to here and is used as a format string. | UncontrolledFormatStringBad.cs:9:25:9:47 | access to property QueryString | access to property QueryString |
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-312/CleartextStorage.cs b/csharp/ql/test/query-tests/Security Features/CWE-312/CleartextStorage.cs
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-312/CleartextStorage.expected b/csharp/ql/test/query-tests/Security Features/CWE-312/CleartextStorage.expected
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-359/ExposureOfPrivateInformation.cs b/csharp/ql/test/query-tests/Security Features/CWE-359/ExposureOfPrivateInformation.cs
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-359/ExposureOfPrivateInformation.expected b/csharp/ql/test/query-tests/Security Features/CWE-359/ExposureOfPrivateInformation.expected
diff --git a/csharp/ql/test/resources/stubs/System.Windows.cs b/csharp/ql/test/resources/stubs/System.Windows.cs

Original file line number	Diff line number	Diff line change
`@@ -572,9 +572,7 @@ module XSS {`
`572`	`572`	`}`
`573`	`573`	`}`
`574`	`574`
`575`		`- /**`
`576`		`- * HtmlString that may be rendered as is need to have sanitized value`
`577`		`- */`
	`575`	+ /** `HtmlString` that may be rendered as is need to have sanitized value. */
`578`	`576`	`class MicrosoftAspNetHtmlStringSink extends AspNetCoreSink {`
`579`	`577`	`MicrosoftAspNetHtmlStringSink() {`
`580`	`578`	`exists(ObjectCreation c, MicrosoftAspNetCoreHttpHtmlString s \|`