C#: Consider Enums and System.DateTimeOffset as having a sanitizing effect.

michaelnebel · michaelnebel · commit cf75493fe9b6 · 2025-04-02T11:21:05.000+02:00
diff --git a/csharp/ql/lib/semmle/code/csharp/frameworks/System.qll b/csharp/ql/lib/semmle/code/csharp/frameworks/System.qll
@@ -756,6 +756,11 @@ class SystemDateTimeStruct extends SystemStruct {
   SystemDateTimeStruct() { this.hasName("DateTime") }
 }
 
+/** The `System.DateTimeOffset` struct. */
+class SystemDateTimeOffsetStruct extends SystemStruct {
+  SystemDateTimeOffsetStruct() { this.hasName("DateTimeOffset") }
+}
+
 /** The `System.Span<T>` struct. */
 class SystemSpanStruct extends SystemUnboundGenericStruct {
   SystemSpanStruct() {
diff --git a/csharp/ql/lib/semmle/code/csharp/security/Sanitizers.qll b/csharp/ql/lib/semmle/code/csharp/security/Sanitizers.qll
@@ -57,8 +57,9 @@ class SimpleTypeSanitizedExpr extends DataFlow::ExprNode {
   SimpleTypeSanitizedExpr() {
     exists(Type t | t = this.getType() or t = this.getType().(NullableType).getUnderlyingType() |
       t instanceof SimpleType or
-      t instanceof SystemDateTimeStruct
-      // or t instanceof Enum
+      t instanceof SystemDateTimeStruct or
+      t instanceof SystemDateTimeOffsetStruct or
+      t instanceof Enum
     )
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -57,8 +57,9 @@ class SimpleTypeSanitizedExpr extends DataFlow::ExprNode {`
`57`	`57`	`SimpleTypeSanitizedExpr() {`
`58`	`58`	`exists(Type t \| t = this.getType() or t = this.getType().(NullableType).getUnderlyingType() \|`
`59`	`59`	`t instanceof SimpleType or`
`60`		`- t instanceof SystemDateTimeStruct`
`61`		`- // or t instanceof Enum`
	`60`	`+ t instanceof SystemDateTimeStruct or`
	`61`	`+ t instanceof SystemDateTimeOffsetStruct or`
	`62`	`+ t instanceof Enum`
`62`	`63`	`)`
`63`	`64`	`}`
`64`	`65`	`}`