
Commit f3c0ead

committed
C#: Fix the existing callableFlow for JObject to target the inherited ToString methods from JToken.
1 parent 58f36e4 commit f3c0ead


5 files changed

+11
-5
lines changed


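--- a/csharp/ql/lib/semmle/code/csharp/frameworks/JsonNET.qll
+++ b/csharp/ql/lib/semmle/code/csharp/frameworks/JsonNET.qll
@@ -233,7 +233,7 @@ module JsonNET {
 boolean preservesValue
 ) {
 // ToString method
-c = this.getAMethod("ToString") and
+c = this.getBaseClass().getBaseClass().getAMethod("ToString") and
 source instanceof CallableFlowSourceQualifier and
 sink instanceof CallableFlowSinkReturn and
 preservesValue = false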
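Review bot: The chained `this.getBaseClass().getBaseClass()` on the added line hard-codes the inheritance depth JObject → JContainer → JToken, so the summary depends on the exact hierarchy rather than on the declaring type it is meant to target, and a `ToString` overload declared on JObject or JContainer itself is no longer matched. A more robust predicate would select `ToString` by its declaring type rather than by walking a fixed number of base classes, e.g. `c = this.getABaseType+().(Class).getAMethod("ToString") and` (assuming the C# library's transitive base-type accessor is available here — verify against the rest of this module) or, if the module already defines a class for `Newtonsoft.Json.Linq.JToken`, `c = any(JTokenClass t).getAMethod("ToString")`. At minimum the intent deserves a why-comment in place of `// ToString method`, such as `// ToString is declared on JToken (two base classes up), not on JObject itself; the tainted object's serialized form is returned.` The enclosing predicate's signature begins before this hunk.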

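--- a/csharp/ql/test/library-tests/dataflow/library/FlowSummaries.expected
+++ b/csharp/ql/test/library-tests/dataflow/library/FlowSummaries.expected
@@ -56,6 +56,8 @@
 | Newtonsoft.Json.Linq;JToken;false;SelectToken;(System.String);;Argument[-1];ReturnValue;taint |
 | Newtonsoft.Json.Linq;JToken;false;SelectToken;(System.String,Newtonsoft.Json.Linq.JsonSelectSettings);;Argument[-1];ReturnValue;taint |
 | Newtonsoft.Json.Linq;JToken;false;SelectToken;(System.String,System.Boolean);;Argument[-1];ReturnValue;taint |
+| Newtonsoft.Json.Linq;JToken;false;ToString;();;Argument[-1];ReturnValue;taint |
+| Newtonsoft.Json.Linq;JToken;false;ToString;(Newtonsoft.Json.Formatting,Newtonsoft.Json.JsonConverter[]);;Argument[-1];ReturnValue;taint |
 | Newtonsoft.Json.Linq;JToken;false;explicit conversion;(Newtonsoft.Json.Linq.JToken);;Argument[0];ReturnValue;taint |
 | Newtonsoft.Json;JsonConvert;false;DeserializeAnonymousType<>;(System.String,T);;Argument[0];ReturnValue;taint |
 | Newtonsoft.Json;JsonConvert;false;DeserializeAnonymousType<>;(System.String,T,Newtonsoft.Json.JsonSerializerSettings);;Argument[0];ReturnValue;taint |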

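--- a/csharp/ql/test/library-tests/dataflow/library/FlowSummariesFiltered.expected
+++ b/csharp/ql/test/library-tests/dataflow/library/FlowSummariesFiltered.expected
@@ -49,6 +49,8 @@
 | Newtonsoft.Json.Linq;JToken;false;SelectToken;(System.String);;Argument[-1];ReturnValue;taint |
 | Newtonsoft.Json.Linq;JToken;false;SelectToken;(System.String,Newtonsoft.Json.Linq.JsonSelectSettings);;Argument[-1];ReturnValue;taint |
 | Newtonsoft.Json.Linq;JToken;false;SelectToken;(System.String,System.Boolean);;Argument[-1];ReturnValue;taint |
+| Newtonsoft.Json.Linq;JToken;false;ToString;();;Argument[-1];ReturnValue;taint |
+| Newtonsoft.Json.Linq;JToken;false;ToString;(Newtonsoft.Json.Formatting,Newtonsoft.Json.JsonConverter[]);;Argument[-1];ReturnValue;taint |
 | Newtonsoft.Json.Linq;JToken;false;explicit conversion;(Newtonsoft.Json.Linq.JToken);;Argument[0];ReturnValue;taint |
 | Newtonsoft.Json;JsonConvert;false;DeserializeAnonymousType<>;(System.String,T);;Argument[0];ReturnValue;taint |
 | Newtonsoft.Json;JsonConvert;false;DeserializeAnonymousType<>;(System.String,T,Newtonsoft.Json.JsonSerializerSettings);;Argument[0];ReturnValue;taint |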

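--- a/csharp/ql/test/library-tests/frameworks/JsonNET/Json.cs
+++ b/csharp/ql/test/library-tests/frameworks/JsonNET/Json.cs
@@ -43,6 +43,7 @@ void F()
 Sink(jobject["1"]);
 Sink(jobject["1"]["2"]);
 Sink((string)jobject["1"]["2"]);
+Sink(jobject.ToString());
 
 // Linq JToken tests
 Sink(jobject.First((JToken i) => true));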
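Review bot: The new test line only exercises the parameterless `ToString()` overload, while the summary rows added to FlowSummaries.expected in this commit also cover `ToString(Newtonsoft.Json.Formatting, Newtonsoft.Json.JsonConverter[])`; the second overload is the one callers typically use for indented output and currently has no end-to-end check. Adding `Sink(jobject.ToString(Formatting.None));` next to the new line would pin both paths, at the cost of one more expected-row renumbering in Json.expected. The enclosing method `F` begins before this hunk.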

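--- a/csharp/ql/test/library-tests/frameworks/JsonNET/Json.expected
+++ b/csharp/ql/test/library-tests/frameworks/JsonNET/Json.expected
@@ -10,7 +10,8 @@
 | Json.cs:16:24:16:32 | "tainted" | Json.cs:43:18:43:29 | access to indexer |
 | Json.cs:16:24:16:32 | "tainted" | Json.cs:44:18:44:34 | access to indexer |
 | Json.cs:16:24:16:32 | "tainted" | Json.cs:45:18:45:42 | call to operator explicit conversion |
-| Json.cs:16:24:16:32 | "tainted" | Json.cs:48:18:48:50 | call to method First<JToken> |
-| Json.cs:16:24:16:32 | "tainted" | Json.cs:49:18:49:46 | call to method First<JToken> |
-| Json.cs:16:24:16:32 | "tainted" | Json.cs:50:18:50:51 | call to method First<JToken> |
-| Json.cs:16:24:16:32 | "tainted" | Json.cs:51:18:51:61 | call to method SelectToken |
+| Json.cs:16:24:16:32 | "tainted" | Json.cs:46:18:46:35 | call to method ToString |
+| Json.cs:16:24:16:32 | "tainted" | Json.cs:49:18:49:50 | call to method First<JToken> |
+| Json.cs:16:24:16:32 | "tainted" | Json.cs:50:18:50:46 | call to method First<JToken> |
+| Json.cs:16:24:16:32 | "tainted" | Json.cs:51:18:51:51 | call to method First<JToken> |
+| Json.cs:16:24:16:32 | "tainted" | Json.cs:52:18:52:61 | call to method SelectToken |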
