C#: Allow implicit collection reads in sink nodes. #20089
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
michaelnebel
changed the title
…d additional flow steps) for default taint tracking configurations.
…y accident before as we didn't allow implicit element reads at sinks.
michaelnebel
changed the title
michaelnebel
force-pushed
the
csharp/allowsinkimplicitread
branch
from
0956459 to
ca5a0dc
Compare
There was a problem hiding this comment.
Pull Request Overview
This PR enables implicit collection reads in C# taint tracking sink nodes to improve flow coverage and reduce false negatives. The change allows taint tracking to recognize when tainted elements within a collection can flow to sinks that receive the entire collection.
- Adds implicit collection reads for argument nodes at sinks and flow steps
- Updates default taint tracking configuration to handle collection element flows
- Enhances external model flow detection for collection-based operations
Reviewed Changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| TaintTrackingPrivate.qll | Implements the core logic for implicit collection reads at argument nodes |
| HashWithoutSalt.ql | Adds collection interface support for CopyTo method detection |
| ExternalFlow.expected | Updates test expectations with new flow detection results |
| ExternalFlow.cs | Updates test comment to reflect new flow behavior |
| CollectionTaintTracking.* | Adds new test cases for collection taint tracking scenarios |
| change-notes/* | Documents the analysis improvement |
You can also share your feedback on Copilot code review for a chance to win a $100 gift card. Take the survey.
aschackmull
approved these changes
Aug 18, 2025
hvitved
reviewed
Aug 18, 2025
Comment on lines
+34
to
+35
| node instanceof ArgumentNode and | ||
| Collections::isCollectionType(node.getType()) and |
There was a problem hiding this comment.
Actually, I would have thought that this was simply exists(node).
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
And additional flow steps (for default taint tracking configurations).
DCA shows a couple of extra alerts, where the added step looks sounds. The alerts show up in various cases where the elements of a collection are tainted and the sink receives the entire collection as input.