Merge pull request #21024 from MathiasVP/csharp-implicit-map-value-reads

C#: Add implicit `System.Collections.Generic.KeyValuePair2.Value` reads at taint sinks

Author: MathiasVP

csharp/ql/lib/change-notes/2025-12-03-implicit-map-value-reads.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added implicit reads of `System.Collections.Generic.KeyValuePair.Value` at taint-tracking sinks and at inputs to additional taint steps. As a result, taint-tracking queries will now produce more results when a container is tainted.

csharp/ql/lib/semmle/code/csharp/dataflow/internal/TaintTrackingPrivate.qll

@@ -24,14 +24,25 @@ predicate defaultTaintSanitizer(DataFlow::Node node) {
   )
 }
 
+/**
+ * Gets the (unbound) property `System.Collections.Generic.KeyValuePair.Value`.
+ */
+private Property keyValuePairValue() {
+  result.hasFullyQualifiedName("System.Collections.Generic", "KeyValuePair`2", "Value")
+}
+
 /**
  * Holds if default `TaintTracking::Configuration`s should allow implicit reads
  * of `c` at sinks and inputs to additional taint steps.
  */
 bindingset[node]
 predicate defaultImplicitTaintRead(DataFlow::Node node, DataFlow::ContentSet c) {
   exists(node) and
-  c.isElement()
+  (
+    c.isElement()
+    or
+    c.isProperty(keyValuePairValue())
+  )
 }
 
 private class LocalTaintExprStepConfiguration extends ControlFlowReachabilityConfiguration {

csharp/ql/test/library-tests/dataflow/collections/CollectionDataFlow.expected

@@ -2,20 +2,9 @@
  * @kind path-problem
  */
 
-import csharp
+import CollectionFlowCommon
 import utils.test.ProvenancePathGraph::ShowProvenance<ArrayFlow::PathNode, ArrayFlow::PathGraph>
 
-module ArrayFlowConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node src) { src.asExpr() instanceof ObjectCreation }
-
-  predicate isSink(DataFlow::Node sink) {
-    exists(MethodCall mc |
-      mc.getTarget().hasUndecoratedName("Sink") and
-      mc.getAnArgument() = sink.asExpr()
-    )
-  }
-}
-
 module ArrayFlow = DataFlow::Global<ArrayFlowConfig>;
 
 from ArrayFlow::PathNode source, ArrayFlow::PathNode sink

…s/dataflow/collections/CollectionFlow.ql …taflow/collections/CollectionDataFlow.qlcsharp/ql/test/library-tests/dataflow/collections/CollectionFlow.ql renamed to csharp/ql/test/library-tests/dataflow/collections/CollectionDataFlow.ql csharp/ql/test/library-tests/dataflow/collections/CollectionFlow.ql renamed to csharp/ql/test/library-tests/dataflow/collections/CollectionDataFlow.ql

@@ -550,4 +550,10 @@ public void ReadOnlySpanConstructorFlow()
         ReadOnlySpan<A> span = new ReadOnlySpan<A>(new[] { a });
         Sink(span[0]); // flow
     }
+
+    public void ImplicitMapValueRead(Dictionary<int, A> dict) {
+        var a = new A();
+        dict[0] = a;
+        Sink(dict); // taint flow
+    }
 }

csharp/ql/test/library-tests/dataflow/collections/CollectionFlow.cs

@@ -0,0 +1,12 @@
+import csharp
+
+module ArrayFlowConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node src) { src.asExpr() instanceof ObjectCreation }
+
+  predicate isSink(DataFlow::Node sink) {
+    exists(MethodCall mc |
+      mc.getTarget().hasUndecoratedName("Sink") and
+      mc.getAnArgument() = sink.asExpr()
+    )
+  }
+}

csharp/ql/test/library-tests/dataflow/collections/CollectionFlowCommon.qll

@@ -0,0 +1,12 @@
+/**
+ * @kind path-problem
+ */
+
+import CollectionFlowCommon
+import utils.test.ProvenancePathGraph::ShowProvenance<ArrayFlow::PathNode, ArrayFlow::PathGraph>
+
+module ArrayFlow = TaintTracking::Global<ArrayFlowConfig>;
+
+from ArrayFlow::PathNode source, ArrayFlow::PathNode sink
+where ArrayFlow::flowPath(source, sink)
+select source, source, sink, "$@", sink, sink.toString()