Merge branch 'rc/1.22' into master

Author: hvitved

csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowDispatch.qll

@@ -97,8 +97,8 @@ private module Cached {
     TImplicitDelegateCall(ControlFlow::Nodes::ElementNode cfn, DelegateArgumentToLibraryCallable arg) {
       cfn.getElement() = arg
     } or
-    TTransitiveCapturedCall(ControlFlow::Nodes::ElementNode cfn) {
-      transitiveCapturedCallTarget(cfn, _)
+    TTransitiveCapturedCall(ControlFlow::Nodes::ElementNode cfn, Callable target) {
+      transitiveCapturedCallTarget(cfn, target)
     } or
     TCilCall(CIL::Call call) {
       // No need to include calls that are compiled from source
@@ -416,10 +416,11 @@ class ImplicitDelegateDataFlowCall extends DelegateDataFlowCall, TImplicitDelega
  */
 class TransitiveCapturedDataFlowCall extends DataFlowCall, TTransitiveCapturedCall {
   private ControlFlow::Nodes::ElementNode cfn;
+  private Callable target;
 
-  TransitiveCapturedDataFlowCall() { this = TTransitiveCapturedCall(cfn) }
+  TransitiveCapturedDataFlowCall() { this = TTransitiveCapturedCall(cfn, target) }
 
-  override Callable getARuntimeTarget() { transitiveCapturedCallTarget(cfn, result) }
+  override Callable getARuntimeTarget() { result = target }
 
   override ControlFlow::Nodes::ElementNode getControlFlowNode() { result = cfn }
 

csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll

@@ -991,7 +991,7 @@ private module OutNodes {
         additionalCalls = false and
         call.(ImplicitDelegateDataFlowCall).isArgumentOf(csharpCall(_, cfn), _)
         or
-        additionalCalls = true and call = TTransitiveCapturedCall(cfn)
+        additionalCalls = true and call = TTransitiveCapturedCall(cfn, n.getEnclosingCallable())
       )
     }
 

csharp/ql/test/library-tests/dataflow/global/Capture.cs

@@ -47,6 +47,18 @@ void M()
             };
         };
         CaptureIn2NotCalled();
+        void CaptureTest(string nonSink0, string sink39)
+        {
+            RunAction(() =>       // Check each lambda captures the correct arguments
+            {
+                Check(nonSink0);
+                RunAction(() =>
+                {
+                    Check(sink39);
+                });
+            });
+        }
+        CaptureTest("not tainted", tainted);
     }
 
     void Out()
@@ -96,6 +108,18 @@ void M()
         };
         CaptureOut2NotCalled();
         Check(nonSink0);
+        string sink40 = "";
+        void CaptureOutMultipleLambdas()
+        {
+            RunAction(() => {
+                sink40 = "taint source";
+            });
+            RunAction(() => {
+                nonSink0 = "not tainted";
+            });
+        };
+        CaptureOutMultipleLambdas();
+        Check(sink40); Check(nonSink0);
     }
 
     void Through(string tainted)
@@ -174,4 +198,9 @@ string Id(string s)
     }
 
     static void Check<T>(T x) { }
+
+    static void RunAction(Action a)
+    {
+        a.Invoke();
+    }
 }

csharp/ql/test/library-tests/dataflow/global/DataFlow.expected

@@ -1,15 +1,17 @@
 | Capture.cs:12:19:12:24 | access to local variable sink27 |
 | Capture.cs:21:23:21:28 | access to local variable sink28 |
 | Capture.cs:30:19:30:24 | access to local variable sink29 |
-| Capture.cs:60:15:60:20 | access to local variable sink30 |
-| Capture.cs:72:15:72:20 | access to local variable sink31 |
-| Capture.cs:81:15:81:20 | access to local variable sink32 |
-| Capture.cs:109:15:109:20 | access to local variable sink33 |
-| Capture.cs:121:15:121:20 | access to local variable sink34 |
-| Capture.cs:130:15:130:20 | access to local variable sink35 |
-| Capture.cs:137:15:137:20 | access to local variable sink36 |
-| Capture.cs:145:15:145:20 | access to local variable sink37 |
-| Capture.cs:171:15:171:20 | access to local variable sink38 |
+| Capture.cs:57:27:57:32 | access to parameter sink39 |
+| Capture.cs:72:15:72:20 | access to local variable sink30 |
+| Capture.cs:84:15:84:20 | access to local variable sink31 |
+| Capture.cs:93:15:93:20 | access to local variable sink32 |
+| Capture.cs:122:15:122:20 | access to local variable sink40 |
+| Capture.cs:133:15:133:20 | access to local variable sink33 |
+| Capture.cs:145:15:145:20 | access to local variable sink34 |
+| Capture.cs:154:15:154:20 | access to local variable sink35 |
+| Capture.cs:161:15:161:20 | access to local variable sink36 |
+| Capture.cs:169:15:169:20 | access to local variable sink37 |
+| Capture.cs:195:15:195:20 | access to local variable sink38 |
 | GlobalDataFlow.cs:18:15:18:29 | access to field SinkField0 |
 | GlobalDataFlow.cs:26:15:26:32 | access to property SinkProperty0 |
 | GlobalDataFlow.cs:44:50:44:59 | access to parameter sinkParam2 |

csharp/ql/test/library-tests/dataflow/global/DataFlowEdges.expected

@@ -2,29 +2,35 @@
 | Capture.cs:33:9:33:40 | call to method Select | yield return | Capture.cs:33:9:33:40 | call to method Select |
 | Capture.cs:33:9:33:50 | call to method ToArray | return | Capture.cs:33:9:33:50 | call to method ToArray |
 | Capture.cs:33:30:33:39 | [implicit call] access to local variable captureIn3 | return | Capture.cs:33:30:33:39 | [output] access to local variable captureIn3 |
-| Capture.cs:59:9:59:21 | call to local function CaptureOut1 | captured sink30 | Capture.cs:59:9:59:21 | SSA call def(sink30) |
-| Capture.cs:71:9:71:21 | [transitive] call to local function CaptureOut2 | captured sink31 | Capture.cs:71:9:71:21 | SSA call def(sink31) |
-| Capture.cs:71:9:71:21 | call to local function CaptureOut2 | captured sink31 | Capture.cs:71:9:71:21 | SSA call def(sink31) |
-| Capture.cs:80:9:80:41 | call to method Select | captured sink32 | Capture.cs:80:9:80:41 | SSA call def(sink32) |
-| Capture.cs:80:9:80:41 | call to method Select | return | Capture.cs:80:9:80:41 | call to method Select |
-| Capture.cs:80:9:80:41 | call to method Select | yield return | Capture.cs:80:9:80:41 | call to method Select |
-| Capture.cs:80:9:80:51 | call to method ToArray | return | Capture.cs:80:9:80:51 | call to method ToArray |
-| Capture.cs:80:30:80:40 | [implicit call] access to local variable captureOut3 | captured sink32 | Capture.cs:80:9:80:41 | SSA call def(sink32) |
-| Capture.cs:80:30:80:40 | [implicit call] access to local variable captureOut3 | return | Capture.cs:80:30:80:40 | [output] access to local variable captureOut3 |
-| Capture.cs:108:9:108:25 | call to local function CaptureThrough1 | captured sink33 | Capture.cs:108:9:108:25 | SSA call def(sink33) |
-| Capture.cs:120:9:120:25 | [transitive] call to local function CaptureThrough2 | captured sink34 | Capture.cs:120:9:120:25 | SSA call def(sink34) |
-| Capture.cs:120:9:120:25 | call to local function CaptureThrough2 | captured sink34 | Capture.cs:120:9:120:25 | SSA call def(sink34) |
-| Capture.cs:129:9:129:45 | call to method Select | captured sink35 | Capture.cs:129:9:129:45 | SSA call def(sink35) |
-| Capture.cs:129:9:129:45 | call to method Select | return | Capture.cs:129:9:129:45 | call to method Select |
-| Capture.cs:129:9:129:45 | call to method Select | yield return | Capture.cs:129:9:129:45 | call to method Select |
-| Capture.cs:129:9:129:55 | call to method ToArray | return | Capture.cs:129:9:129:55 | call to method ToArray |
-| Capture.cs:129:30:129:44 | [implicit call] access to local variable captureThrough3 | captured sink35 | Capture.cs:129:9:129:45 | SSA call def(sink35) |
-| Capture.cs:129:30:129:44 | [implicit call] access to local variable captureThrough3 | return | Capture.cs:129:30:129:44 | [output] access to local variable captureThrough3 |
-| Capture.cs:136:22:136:38 | call to local function CaptureThrough4 | return | Capture.cs:136:22:136:38 | call to local function CaptureThrough4 |
-| Capture.cs:144:9:144:32 | call to local function CaptureThrough5 | captured sink37 | Capture.cs:144:9:144:32 | SSA call def(sink37) |
-| Capture.cs:167:20:167:22 | call to local function M | return | Capture.cs:167:20:167:22 | call to local function M |
-| Capture.cs:170:22:170:32 | call to local function Id | return | Capture.cs:170:22:170:32 | call to local function Id |
-| Capture.cs:172:20:172:25 | call to local function Id | return | Capture.cs:172:20:172:25 | call to local function Id |
+| Capture.cs:71:9:71:21 | call to local function CaptureOut1 | captured sink30 | Capture.cs:71:9:71:21 | SSA call def(sink30) |
+| Capture.cs:83:9:83:21 | [transitive] call to local function CaptureOut2 | captured sink31 | Capture.cs:83:9:83:21 | SSA call def(sink31) |
+| Capture.cs:83:9:83:21 | call to local function CaptureOut2 | captured sink31 | Capture.cs:83:9:83:21 | SSA call def(sink31) |
+| Capture.cs:92:9:92:41 | call to method Select | captured sink32 | Capture.cs:92:9:92:41 | SSA call def(sink32) |
+| Capture.cs:92:9:92:41 | call to method Select | return | Capture.cs:92:9:92:41 | call to method Select |
+| Capture.cs:92:9:92:41 | call to method Select | yield return | Capture.cs:92:9:92:41 | call to method Select |
+| Capture.cs:92:9:92:51 | call to method ToArray | return | Capture.cs:92:9:92:51 | call to method ToArray |
+| Capture.cs:92:30:92:40 | [implicit call] access to local variable captureOut3 | captured sink32 | Capture.cs:92:9:92:41 | SSA call def(sink32) |
+| Capture.cs:92:30:92:40 | [implicit call] access to local variable captureOut3 | return | Capture.cs:92:30:92:40 | [output] access to local variable captureOut3 |
+| Capture.cs:121:9:121:35 | [transitive] call to local function CaptureOutMultipleLambdas | captured nonSink0 | Capture.cs:121:9:121:35 | SSA call def(nonSink0) |
+| Capture.cs:121:9:121:35 | [transitive] call to local function CaptureOutMultipleLambdas | captured nonSink0 | Capture.cs:121:9:121:35 | SSA call def(nonSink0) |
+| Capture.cs:121:9:121:35 | [transitive] call to local function CaptureOutMultipleLambdas | captured sink40 | Capture.cs:121:9:121:35 | SSA call def(sink40) |
+| Capture.cs:121:9:121:35 | [transitive] call to local function CaptureOutMultipleLambdas | captured sink40 | Capture.cs:121:9:121:35 | SSA call def(sink40) |
+| Capture.cs:121:9:121:35 | call to local function CaptureOutMultipleLambdas | captured nonSink0 | Capture.cs:121:9:121:35 | SSA call def(nonSink0) |
+| Capture.cs:121:9:121:35 | call to local function CaptureOutMultipleLambdas | captured sink40 | Capture.cs:121:9:121:35 | SSA call def(sink40) |
+| Capture.cs:132:9:132:25 | call to local function CaptureThrough1 | captured sink33 | Capture.cs:132:9:132:25 | SSA call def(sink33) |
+| Capture.cs:144:9:144:25 | [transitive] call to local function CaptureThrough2 | captured sink34 | Capture.cs:144:9:144:25 | SSA call def(sink34) |
+| Capture.cs:144:9:144:25 | call to local function CaptureThrough2 | captured sink34 | Capture.cs:144:9:144:25 | SSA call def(sink34) |
+| Capture.cs:153:9:153:45 | call to method Select | captured sink35 | Capture.cs:153:9:153:45 | SSA call def(sink35) |
+| Capture.cs:153:9:153:45 | call to method Select | return | Capture.cs:153:9:153:45 | call to method Select |
+| Capture.cs:153:9:153:45 | call to method Select | yield return | Capture.cs:153:9:153:45 | call to method Select |
+| Capture.cs:153:9:153:55 | call to method ToArray | return | Capture.cs:153:9:153:55 | call to method ToArray |
+| Capture.cs:153:30:153:44 | [implicit call] access to local variable captureThrough3 | captured sink35 | Capture.cs:153:9:153:45 | SSA call def(sink35) |
+| Capture.cs:153:30:153:44 | [implicit call] access to local variable captureThrough3 | return | Capture.cs:153:30:153:44 | [output] access to local variable captureThrough3 |
+| Capture.cs:160:22:160:38 | call to local function CaptureThrough4 | return | Capture.cs:160:22:160:38 | call to local function CaptureThrough4 |
+| Capture.cs:168:9:168:32 | call to local function CaptureThrough5 | captured sink37 | Capture.cs:168:9:168:32 | SSA call def(sink37) |
+| Capture.cs:191:20:191:22 | call to local function M | return | Capture.cs:191:20:191:22 | call to local function M |
+| Capture.cs:194:22:194:32 | call to local function Id | return | Capture.cs:194:22:194:32 | call to local function Id |
+| Capture.cs:196:20:196:25 | call to local function Id | return | Capture.cs:196:20:196:25 | call to local function Id |
 | GlobalDataFlow.cs:25:9:25:26 | access to property SinkProperty0 | return | GlobalDataFlow.cs:25:9:25:26 | access to property SinkProperty0 |
 | GlobalDataFlow.cs:26:15:26:32 | access to property SinkProperty0 | return | GlobalDataFlow.cs:26:15:26:32 | access to property SinkProperty0 |
 | GlobalDataFlow.cs:29:9:29:29 | access to property NonSinkProperty0 | return | GlobalDataFlow.cs:29:9:29:29 | access to property NonSinkProperty0 |

csharp/ql/test/library-tests/dataflow/global/DataFlowPath.expected

@@ -1,15 +1,17 @@
 | Capture.cs:12:19:12:24 | access to local variable sink27 |
 | Capture.cs:21:23:21:28 | access to local variable sink28 |
 | Capture.cs:30:19:30:24 | access to local variable sink29 |
-| Capture.cs:60:15:60:20 | access to local variable sink30 |
-| Capture.cs:72:15:72:20 | access to local variable sink31 |
-| Capture.cs:81:15:81:20 | access to local variable sink32 |
-| Capture.cs:109:15:109:20 | access to local variable sink33 |
-| Capture.cs:121:15:121:20 | access to local variable sink34 |
-| Capture.cs:130:15:130:20 | access to local variable sink35 |
-| Capture.cs:137:15:137:20 | access to local variable sink36 |
-| Capture.cs:145:15:145:20 | access to local variable sink37 |
-| Capture.cs:171:15:171:20 | access to local variable sink38 |
+| Capture.cs:57:27:57:32 | access to parameter sink39 |
+| Capture.cs:72:15:72:20 | access to local variable sink30 |
+| Capture.cs:84:15:84:20 | access to local variable sink31 |
+| Capture.cs:93:15:93:20 | access to local variable sink32 |
+| Capture.cs:122:15:122:20 | access to local variable sink40 |
+| Capture.cs:133:15:133:20 | access to local variable sink33 |
+| Capture.cs:145:15:145:20 | access to local variable sink34 |
+| Capture.cs:154:15:154:20 | access to local variable sink35 |
+| Capture.cs:161:15:161:20 | access to local variable sink36 |
+| Capture.cs:169:15:169:20 | access to local variable sink37 |
+| Capture.cs:195:15:195:20 | access to local variable sink38 |
 | GlobalDataFlow.cs:18:15:18:29 | access to field SinkField0 |
 | GlobalDataFlow.cs:26:15:26:32 | access to property SinkProperty0 |
 | GlobalDataFlow.cs:44:50:44:59 | access to parameter sinkParam2 |