Merge pull request github#3366 from hvitved/csharp/dataflow/arrays

C#: Precise data-flow for collections

Author: calumgrant

csharp/ql/src/Language Abuse/ForeachCapture.ql

@@ -75,15 +75,13 @@ Element getAssignmentTarget(Expr e) {
 Element getCollectionAssignmentTarget(Expr e) {
   // Store into collection via method
   exists(
-    MethodCall mc, Method m, IEnumerableFlow ief, CallableFlowSourceArg source,
-    CallableFlowSinkQualifier sink, int i
+    MethodCall mc, Method m, LibraryTypeDataFlow ltdf, CallableFlowSource source,
+    CallableFlowSink sink
   |
-    mc.getQualifier() = result.(Variable).getAnAccess() and
-    ief = mc.getQualifier().getType().getSourceDeclaration() and
     m = mc.getTarget().getSourceDeclaration() and
-    ief.callableFlow(source, sink, m, _) and
-    source.getArgumentIndex() = i and
-    e = mc.getArgument(i)
+    ltdf.callableFlow(source, AccessPath::empty(), sink, AccessPath::element(), m, _) and
+    e = source.getSource(mc) and
+    result.(Variable).getAnAccess() = sink.getSink(mc)
   )
   or
   // Array initializer

csharp/ql/src/semmle/code/csharp/Assignable.qll

@@ -29,8 +29,10 @@ class Assignable extends Declaration, @assignable {
  * An assignable that is also a member. Either a field (`Field`), a
  * property (`Property`), an indexer (`Indexer`), or an event (`Event`).
  */
-class AssignableMember extends Member, Assignable {
+class AssignableMember extends Member, Assignable, Attributable {
   override AssignableMemberAccess getAnAccess() { result = Assignable.super.getAnAccess() }
+
+  override string toString() { result = Assignable.super.toString() }
 }
 
 /**

csharp/ql/src/semmle/code/csharp/Caching.qll

@@ -58,7 +58,7 @@ module Stages {
 
     cached
     private predicate forceCachingInSameStageRev() {
-      localAdditionalTaintStep(_, _)
+      defaultAdditionalTaintStep(_, _)
       or
       any(ArgumentNode n).argumentOf(_, _)
       or