Merge pull request #7370 from michaelnebel/csharp-mad-textreader

C#: Flow summaries for virtual members in abstract classes should also apply to overrides.

Author: michaelnebel

csharp/ql/lib/semmle/code/csharp/Member.qll

@@ -362,14 +362,22 @@ class Virtualizable extends Member, @virtualizable {
   /** Holds if this member implements (transitively) an interface member. */
   predicate implements() { exists(this.getAnUltimateImplementee()) }
 
+  /**
+   * Holds if this member overrides or implements (transitively)
+   * `that` member.
+   */
+  predicate overridesOrImplements(Virtualizable that) {
+    this.getOverridee+() = that or
+    this.getAnUltimateImplementee() = that
+  }
+
   /**
    * Holds if this member overrides or implements (reflexively, transitively)
    * `that` member.
    */
   predicate overridesOrImplementsOrEquals(Virtualizable that) {
     this = that or
-    this.getOverridee+() = that or
-    this.getAnUltimateImplementee() = that
+    this.overridesOrImplements(that)
   }
 }
 

csharp/ql/lib/semmle/code/csharp/dataflow/ExternalFlow.qll

@@ -98,6 +98,7 @@ private module Frameworks {
   private import semmle.code.csharp.frameworks.system.collections.Generic
   private import semmle.code.csharp.frameworks.system.web.ui.WebControls
   private import semmle.code.csharp.frameworks.JsonNET
+  private import semmle.code.csharp.frameworks.system.IO
 }
 
 /**

csharp/ql/lib/semmle/code/csharp/dataflow/LibraryTypeDataFlow.qll

@@ -503,37 +503,6 @@ private module FrameworkDataFlowAdaptor {
   }
 }
 
-/** Data flow for `System.IO.StringReader`. */
-class SystemIOStringReaderFlow extends LibraryTypeDataFlow, SystemIOStringReaderClass {
-  override predicate callableFlow(
-    CallableFlowSource source, CallableFlowSink sink, SourceDeclarationCallable c,
-    boolean preservesValue
-  ) {
-    (
-      this.constructorFlow(source, sink, c)
-      or
-      this.methodFlow(source, sink, c)
-    ) and
-    preservesValue = false
-  }
-
-  private predicate constructorFlow(CallableFlowSource source, CallableFlowSink sink, Constructor c) {
-    c = this.getAMember() and
-    c.getParameter(0).getType() instanceof StringType and
-    source = TCallableFlowSourceArg(0) and
-    sink = TCallableFlowSinkReturn()
-  }
-
-  private predicate methodFlow(
-    CallableFlowSource source, CallableFlowSink sink, SourceDeclarationMethod m
-  ) {
-    m.getDeclaringType() = this.getABaseType*() and
-    m.getName().matches("Read%") and
-    source = TCallableFlowSourceQualifier() and
-    sink = TCallableFlowSinkReturn()
-  }
-}
-
 /** Data flow for `System.Text.StringBuilder`. */
 class SystemTextStringBuilderFlow extends LibraryTypeDataFlow, SystemTextStringBuilderClass {
   override predicate clearsContent(

csharp/ql/lib/semmle/code/csharp/frameworks/system/IO.qll

@@ -2,6 +2,7 @@
 
 import csharp
 private import semmle.code.csharp.frameworks.System
+private import semmle.code.csharp.dataflow.ExternalFlow
 
 /** The `System.IO` namespace. */
 class SystemIONamespace extends Namespace {
@@ -41,11 +42,40 @@ class SystemIOPathClass extends SystemIOClass {
   SystemIOPathClass() { this.hasName("Path") }
 }
 
+/** Data flow for `System.IO.TextReader`. */
+private class SystemIOTextReaderFlowModelCsv extends SummaryModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "System.IO;TextReader;true;Read;();;Argument[-1];ReturnValue;taint",
+        "System.IO;TextReader;true;Read;(System.Char[],System.Int32,System.Int32);;Argument[-1];ReturnValue;taint",
+        "System.IO;TextReader;true;Read;(System.Span<System.Char>);;Argument[-1];ReturnValue;taint",
+        "System.IO;TextReader;true;ReadAsync;(System.Char[],System.Int32,System.Int32);;Argument[-1];ReturnValue;taint",
+        "System.IO;TextReader;true;ReadAsync;(System.Memory<System.Char>,System.Threading.CancellationToken);;Argument[-1];ReturnValue;taint",
+        "System.IO;TextReader;true;ReadBlock;(System.Char[],System.Int32,System.Int32);;Argument[-1];ReturnValue;taint",
+        "System.IO;TextReader;true;ReadBlock;(System.Span<System.Char>);;Argument[-1];ReturnValue;taint",
+        "System.IO;TextReader;true;ReadBlockAsync;(System.Char[],System.Int32,System.Int32);;Argument[-1];ReturnValue;taint",
+        "System.IO;TextReader;true;ReadBlockAsync;(System.Memory<System.Char>,System.Threading.CancellationToken);;Argument[-1];ReturnValue;taint",
+        "System.IO;TextReader;true;ReadLine;();;Argument[-1];ReturnValue;taint",
+        "System.IO;TextReader;true;ReadLineAsync;();;Argument[-1];ReturnValue;taint",
+        "System.IO;TextReader;true;ReadToEnd;();;Argument[-1];ReturnValue;taint",
+        "System.IO;TextReader;true;ReadToEndAsync;();;Argument[-1];ReturnValue;taint",
+      ]
+  }
+}
+
 /** The `System.IO.StringReader` class. */
 class SystemIOStringReaderClass extends SystemIOClass {
   SystemIOStringReaderClass() { this.hasName("StringReader") }
 }
 
+/** Data flow for `System.IO.StringReader` */
+private class SystemIOStringReaderFlowModelCsv extends SummaryModelCsv {
+  override predicate row(string row) {
+    row = "System.IO;StringReader;false;StringReader;(System.String);;Argument[0];ReturnValue;taint"
+  }
+}
+
 /** The `System.IO.Stream` class. */
 class SystemIOStreamClass extends SystemIOClass {
   SystemIOStreamClass() { this.hasName("Stream") }