C#: Match any {digit} in the format string.

michaelnebel · michaelnebel · commit 1bb6f4962d42 · 2024-01-22T14:03:37.000+01:00
diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/UrlRedirectQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/UrlRedirectQuery.qll
@@ -184,8 +184,12 @@ private class InterpolationSanitizer extends Sanitizer {
  */
 private class StringFormatSanitizer extends Sanitizer {
   StringFormatSanitizer() {
-    exists(FormatCall c, Expr e | c = this.getExpr() and e = c.getFormatExpr() |
-      e.(StringLiteral).getValue().splitAt("{0}", 0).matches("%?%")
+    exists(FormatCall c, Expr e, int index, string format |
+      c = this.getExpr() and e = c.getFormatExpr()
+    |
+      format = e.(StringLiteral).getValue() and
+      exists(format.regexpFind("\\{[0-9]+\\}", 0, index)) and
+      format.substring(0, index).matches("%?%")
     )
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -184,8 +184,12 @@ private class InterpolationSanitizer extends Sanitizer {`
`184`	`184`	`*/`
`185`	`185`	`private class StringFormatSanitizer extends Sanitizer {`
`186`	`186`	`StringFormatSanitizer() {`
`187`		`- exists(FormatCall c, Expr e \| c = this.getExpr() and e = c.getFormatExpr() \|`
`188`		`- e.(StringLiteral).getValue().splitAt("{0}", 0).matches("%?%")`
	`187`	`+ exists(FormatCall c, Expr e, int index, string format \|`
	`188`	`+ c = this.getExpr() and e = c.getFormatExpr()`
	`189`	`+ \|`
	`190`	`+ format = e.(StringLiteral).getValue() and`
	`191`	`+ exists(format.regexpFind("\\{[0-9]+\\}", 0, index)) and`
	`192`	`+ format.substring(0, index).matches("%?%")`
`189`	`193`	`)`
`190`	`194`	`}`
`191`	`195`	`}`