Merge pull request #15367 from michaelnebel/csharp/nullablesimpletypesanitizer

C#: Consider nullable simple types as sanitizers.

Author: michaelnebel

csharp/ql/lib/change-notes/2024-01-18-simpletype-sanitizer.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Fixed a Log forging false positive when logging the value of a nullable simple type. This fix also applies to all other queries that use the simple type sanitizer.

csharp/ql/lib/semmle/code/csharp/security/Sanitizers.qll

@@ -55,7 +55,7 @@ class UrlSanitizedExpr extends Expr {
  */
 class SimpleTypeSanitizedExpr extends DataFlow::ExprNode {
   SimpleTypeSanitizedExpr() {
-    exists(Type t | t = this.getType() |
+    exists(Type t | t = this.getType() or t = this.getType().(NullableType).getUnderlyingType() |
       t instanceof SimpleType or
       t instanceof SystemDateTimeStruct
     )

csharp/ql/test/query-tests/Security Features/CWE-117/LogForgingAsp.cs

@@ -18,4 +18,24 @@ public void Action1(DateTime date)
         // GOOD: DateTime is a sanitizer.
         logger.Warn($"Warning about the date: {date:yyyy-MM-dd}");
     }
+
+    public void Action2(DateTime? date)
+    {
+        var logger = new ILogger();
+        if (date is not null)
+        {
+            // GOOD: DateTime? is a sanitizer.
+            logger.Warn($"Warning about the date: {date:yyyy-MM-dd}");
+        }
+    }
+
+    public void Action2(bool? b)
+    {
+        var logger = new ILogger();
+        if (b is not null)
+        {
+            // GOOD: Boolean? is a sanitizer.
+            logger.Warn($"Warning about the bool: {b}");
+        }
+    }
 }