Merge pull request github#8675 from michaelnebel/csharp/capturemodelimprovement

michaelnebel · web-flow · commit 0ec5aa6095f3 · 2022-04-21T15:16:35.000+02:00
C#: CaptureModel improvements
diff --git a/csharp/ql/src/utils/model-generator/internal/CaptureModelsSpecific.qll b/csharp/ql/src/utils/model-generator/internal/CaptureModelsSpecific.qll
@@ -7,6 +7,7 @@ private import semmle.code.csharp.commons.Util as Util
 private import semmle.code.csharp.commons.Collections as Collections
 private import semmle.code.csharp.dataflow.internal.DataFlowDispatch
 private import semmle.code.csharp.frameworks.System as System
+private import semmle.code.csharp.frameworks.system.linq.Expressions
 import semmle.code.csharp.dataflow.ExternalFlow as ExternalFlow
 import semmle.code.csharp.dataflow.internal.DataFlowImplCommon as DataFlowImplCommon
 import semmle.code.csharp.dataflow.internal.DataFlowPrivate as DataFlowPrivate
@@ -18,21 +19,11 @@ module TaintTracking = CS::TaintTracking;
 class Type = CS::Type;
 
 /**
- * Holds if `api` is an override or an interface implementation that
- * is irrelevant to the data flow analysis.
+ * Holds if any of the parameters of `api` are `System.Func<>`.
  */
-private predicate isIrrelevantOverrideOrImplementation(CS::Callable api) {
-  exists(CS::Callable exclude, CS::Method m |
-    (
-      api = m.getAnOverrider*().getUnboundDeclaration()
-      or
-      api = m.getAnUltimateImplementor().getUnboundDeclaration()
-    ) and
-    exclude = m.getUnboundDeclaration()
-  |
-    exists(System::SystemObjectClass c | exclude = [c.getGetHashCodeMethod(), c.getEqualsMethod()])
-    or
-    exists(System::SystemIEquatableTInterface i | exclude = i.getEqualsMethod())
+private predicate isHigherOrder(CS::Callable api) {
+  exists(Type t | t = api.getAParameter().getType().getUnboundDeclaration() |
+    t instanceof SystemLinqExpressions::DelegateExtType
   )
 }
 
@@ -44,7 +35,7 @@ private predicate isRelevantForModels(CS::Callable api) {
   api.getDeclaringType().getNamespace().getQualifiedName() != "" and
   not api instanceof CS::ConversionOperator and
   not api instanceof Util::MainMethod and
-  not isIrrelevantOverrideOrImplementation(api)
+  not isHigherOrder(api)
 }
 
 /**
@@ -65,8 +56,13 @@ predicate asPartialModel = DataFlowPrivate::Csv::asPartialModel/1;
 /**
  * Holds for type `t` for fields that are relevant as an intermediate
  * read or write step in the data flow analysis.
+ * That is, flow through any data-flow node that does not have a relevant type
+ * will be excluded.
  */
-predicate isRelevantType(CS::Type t) { not t instanceof CS::Enum }
+predicate isRelevantType(CS::Type t) {
+  not t instanceof CS::SimpleType and
+  not t instanceof CS::Enum
+}
 
 /**
  * Gets the CSV string representation of the qualifier.
diff --git a/csharp/ql/test/utils/model-generator/CaptureSummaryModels.expected b/csharp/ql/test/utils/model-generator/CaptureSummaryModels.expected
@@ -1,5 +1,5 @@
-| NoSummaries;PublicClassFlow;false;PublicReturn;(System.Int32);;Argument[0];ReturnValue;generated:taint |
-| Summaries;BaseClassFlow;true;ReturnParam;(System.Int32);;Argument[0];ReturnValue;generated:taint |
+| NoSummaries;PublicClassFlow;false;PublicReturn;(System.Object);;Argument[0];ReturnValue;generated:taint |
+| Summaries;BaseClassFlow;true;ReturnParam;(System.Object);;Argument[0];ReturnValue;generated:taint |
 | Summaries;BasicFlow;false;ReturnField;();;Argument[Qualifier];ReturnValue;generated:taint |
 | Summaries;BasicFlow;false;ReturnParam0;(System.String,System.Object);;Argument[0];ReturnValue;generated:taint |
 | Summaries;BasicFlow;false;ReturnParam1;(System.String,System.Object);;Argument[1];ReturnValue;generated:taint |
@@ -11,14 +11,14 @@
 | Summaries;CollectionFlow;false;AddFieldToList;(System.Collections.Generic.List<System.String>);;Argument[Qualifier];Argument[0].Element;generated:taint |
 | Summaries;CollectionFlow;false;AddToList;(System.Collections.Generic.List<System.Object>,System.Object);;Argument[1];Argument[0].Element;generated:taint |
 | Summaries;CollectionFlow;false;AssignFieldToArray;(System.Object[]);;Argument[Qualifier];Argument[0].Element;generated:taint |
-| Summaries;CollectionFlow;false;AssignToArray;(System.Int32,System.Int32[]);;Argument[0];Argument[1].Element;generated:taint |
-| Summaries;CollectionFlow;false;ReturnArrayElement;(System.Int32[]);;Argument[0].Element;ReturnValue;generated:taint |
+| Summaries;CollectionFlow;false;AssignToArray;(System.Object,System.Object[]);;Argument[0];Argument[1].Element;generated:taint |
+| Summaries;CollectionFlow;false;ReturnArrayElement;(System.Object[]);;Argument[0].Element;ReturnValue;generated:taint |
 | Summaries;CollectionFlow;false;ReturnFieldInAList;();;Argument[Qualifier];ReturnValue;generated:taint |
 | Summaries;CollectionFlow;false;ReturnListElement;(System.Collections.Generic.List<System.Object>);;Argument[0].Element;ReturnValue;generated:taint |
-| Summaries;DerivedClass1Flow;false;ReturnParam1;(System.Int32,System.Int32);;Argument[1];ReturnValue;generated:taint |
-| Summaries;DerivedClass2Flow;false;ReturnParam0;(System.Int32,System.Int32);;Argument[0];ReturnValue;generated:taint |
-| Summaries;DerivedClass2Flow;false;ReturnParam;(System.Int32);;Argument[0];ReturnValue;generated:taint |
-| Summaries;EqualsGetHashCodeNoFlow;false;Equals;(System.Int32);;Argument[0];ReturnValue;generated:taint |
+| Summaries;DerivedClass1Flow;false;ReturnParam1;(System.String,System.String);;Argument[1];ReturnValue;generated:taint |
+| Summaries;DerivedClass2Flow;false;ReturnParam0;(System.String,System.Int32);;Argument[0];ReturnValue;generated:taint |
+| Summaries;DerivedClass2Flow;false;ReturnParam;(System.Object);;Argument[0];ReturnValue;generated:taint |
+| Summaries;EqualsGetHashCodeNoFlow;false;Equals;(System.String);;Argument[0];ReturnValue;generated:taint |
 | Summaries;GenericFlow<>;false;AddFieldToGenericList;(System.Collections.Generic.List<T>);;Argument[Qualifier];Argument[0].Element;generated:taint |
 | Summaries;GenericFlow<>;false;AddToGenericList<>;(System.Collections.Generic.List<S>,S);;Argument[1];Argument[0].Element;generated:taint |
 | Summaries;GenericFlow<>;false;ReturnFieldInGenericList;();;Argument[Qualifier];ReturnValue;generated:taint |
diff --git a/csharp/ql/test/utils/model-generator/NoSummaries.cs b/csharp/ql/test/utils/model-generator/NoSummaries.cs
@@ -6,27 +6,27 @@ namespace NoSummaries;
 // Just to prove that, if a method like this is correctly exposed, a flow summary will be captured.
 public class PublicClassFlow
 {
-    public int PublicReturn(int input)
+    public object PublicReturn(object input)
     {
         return input;
     }
 }
 
 public sealed class PublicClassNoFlow
 {
-    private int PrivateReturn(int input)
+    private object PrivateReturn(object input)
     {
         return input;
     }
 
-    internal int InternalReturn(int input)
+    internal object InternalReturn(object input)
     {
         return input;
     }
 
     private class PrivateClassNoFlow
     {
-        public int ReturnParam(int input)
+        public object ReturnParam(object input)
         {
             return input;
         }
@@ -36,18 +36,18 @@ private class PrivateClassNestedPublicClassNoFlow
     {
         public class NestedPublicClassFlow
         {
-            public int ReturnParam(int input)
+            public object ReturnParam(object input)
             {
                 return input;
             }
         }
     }
 }
 
-public class EquatableBound : IEquatable<int>
+public class EquatableBound : IEquatable<object>
 {
     public readonly bool tainted;
-    public bool Equals(int other)
+    public bool Equals(object other)
     {
         return tainted;
     }
@@ -60,4 +60,42 @@ public bool Equals(T? other)
     {
         return tainted;
     }
+}
+
+// No methods in this class will have generated flow summaries as
+// simple types are used.
+public class SimpleTypes
+{
+    public bool M1(bool b)
+    {
+        return b;
+    }
+
+    public Boolean M2(Boolean b)
+    {
+        return b;
+    }
+
+    public int M3(int i)
+    {
+        return i;
+    }
+
+    public Int32 M4(Int32 i)
+    {
+        return i;
+    }
+}
+
+public class HigherOrderParameters
+{
+    public string M1(string s, Func<string, string> map)
+    {
+        return s;
+    }
+
+    public object M2(Func<object, object> map, object o)
+    {
+        return map(o);
+    }
 }
diff --git a/csharp/ql/test/utils/model-generator/Summaries.cs b/csharp/ql/test/utils/model-generator/Summaries.cs
@@ -48,12 +48,12 @@ public class CollectionFlow
 {
     private string tainted;
 
-    public int ReturnArrayElement(int[] input)
+    public object ReturnArrayElement(object[] input)
     {
         return input[0];
     }
 
-    public void AssignToArray(int data, int[] target)
+    public void AssignToArray(object data, object[] target)
     {
         target[0] = data;
     }
@@ -146,28 +146,28 @@ public void AddToGenericList<S>(List<S> input, S data)
 
 public abstract class BaseClassFlow
 {
-    public virtual int ReturnParam(int input)
+    public virtual object ReturnParam(object input)
     {
         return input;
     }
 }
 
 public class DerivedClass1Flow : BaseClassFlow
 {
-    public int ReturnParam1(int input0, int input1)
+    public string ReturnParam1(string input0, string input1)
     {
         return input1;
     }
 }
 
 public class DerivedClass2Flow : BaseClassFlow
 {
-    public override int ReturnParam(int input)
+    public override object ReturnParam(object input)
     {
         return input;
     }
 
-    public int ReturnParam0(int input0, int input1)
+    public string ReturnParam0(string input0, int input1)
     {
         return input0;
     }
@@ -195,13 +195,13 @@ public OperatorFlow(object o)
     }
 
     // No flow summary as this is an implicit conversion operator.
-    public static implicit operator OperatorFlow(int i)
+    public static implicit operator OperatorFlow(string s)
     {
-        return new OperatorFlow(i);
+        return new OperatorFlow(s);
     }
 
     // No flow summary as this is an explicit conversion operator.
-    public static explicit operator OperatorFlow(byte b)
+    public static explicit operator OperatorFlow(string[] b)
     {
         return new OperatorFlow(b);
     }
@@ -220,9 +220,9 @@ public override bool Equals(object obj)
     }
 
     // Flow summary as this is not an override of the object Equals method.
-    public int Equals(int i)
+    public string Equals(string s)
     {
-        return i;
+        return s;
     }
 
     // No flow summary as this is an override of the GetHashCode method.

Original file line number	Diff line number	Diff line change
`@@ -6,27 +6,27 @@ namespace NoSummaries;`
`6`	`6`	`// Just to prove that, if a method like this is correctly exposed, a flow summary will be captured.`
`7`	`7`	`public class PublicClassFlow`
`8`	`8`	`{`
`9`		`- public int PublicReturn(int input)`
	`9`	`+ public object PublicReturn(object input)`
`10`	`10`	`{`
`11`	`11`	`return input;`
`12`	`12`	`}`
`13`	`13`	`}`
`14`	`14`
`15`	`15`	`public sealed class PublicClassNoFlow`
`16`	`16`	`{`
`17`		`- private int PrivateReturn(int input)`
	`17`	`+ private object PrivateReturn(object input)`
`18`	`18`	`{`
`19`	`19`	`return input;`
`20`	`20`	`}`
`21`	`21`
`22`		`- internal int InternalReturn(int input)`
	`22`	`+ internal object InternalReturn(object input)`
`23`	`23`	`{`
`24`	`24`	`return input;`
`25`	`25`	`}`
`26`	`26`
`27`	`27`	`private class PrivateClassNoFlow`
`28`	`28`	`{`
`29`		`- public int ReturnParam(int input)`
	`29`	`+ public object ReturnParam(object input)`
`30`	`30`	`{`
`31`	`31`	`return input;`
`32`	`32`	`}`
`@@ -36,18 +36,18 @@ private class PrivateClassNestedPublicClassNoFlow`
`36`	`36`	`{`
`37`	`37`	`public class NestedPublicClassFlow`
`38`	`38`	`{`
`39`		`- public int ReturnParam(int input)`
	`39`	`+ public object ReturnParam(object input)`
`40`	`40`	`{`
`41`	`41`	`return input;`
`42`	`42`	`}`
`43`	`43`	`}`
`44`	`44`	`}`
`45`	`45`	`}`
`46`	`46`
`47`		`-public class EquatableBound : IEquatable<int>`
	`47`	`+public class EquatableBound : IEquatable<object>`
`48`	`48`	`{`
`49`	`49`	`public readonly bool tainted;`
`50`		`- public bool Equals(int other)`
	`50`	`+ public bool Equals(object other)`
`51`	`51`	`{`
`52`	`52`	`return tainted;`
`53`	`53`	`}`
`@@ -60,4 +60,42 @@ public bool Equals(T? other)`
`60`	`60`	`{`
`61`	`61`	`return tainted;`
`62`	`62`	`}`
	`63`	`+}`
	`64`	`+`
	`65`	`+// No methods in this class will have generated flow summaries as`
	`66`	`+// simple types are used.`
	`67`	`+public class SimpleTypes`
	`68`	`+{`
	`69`	`+ public bool M1(bool b)`
	`70`	`+ {`
	`71`	`+ return b;`
	`72`	`+ }`
	`73`	`+`
	`74`	`+ public Boolean M2(Boolean b)`
	`75`	`+ {`
	`76`	`+ return b;`
	`77`	`+ }`
	`78`	`+`
	`79`	`+ public int M3(int i)`
	`80`	`+ {`
	`81`	`+ return i;`
	`82`	`+ }`
	`83`	`+`
	`84`	`+ public Int32 M4(Int32 i)`
	`85`	`+ {`
	`86`	`+ return i;`
	`87`	`+ }`
	`88`	`+}`
	`89`	`+`
	`90`	`+public class HigherOrderParameters`
	`91`	`+{`
	`92`	`+ public string M1(string s, Func<string, string> map)`
	`93`	`+ {`
	`94`	`+ return s;`
	`95`	`+ }`
	`96`	`+`
	`97`	`+ public object M2(Func<object, object> map, object o)`
	`98`	`+ {`
	`99`	`+ return map(o);`
	`100`	`+ }`
`63`	`101`	`}`
Original file line number	Diff line number	Diff line change
`@@ -48,12 +48,12 @@ public class CollectionFlow`
`48`	`48`	`{`
`49`	`49`	`private string tainted;`
`50`	`50`
`51`		`- public int ReturnArrayElement(int[] input)`
	`51`	`+ public object ReturnArrayElement(object[] input)`
`52`	`52`	`{`
`53`	`53`	`return input[0];`
`54`	`54`	`}`
`55`	`55`
`56`		`- public void AssignToArray(int data, int[] target)`
	`56`	`+ public void AssignToArray(object data, object[] target)`
`57`	`57`	`{`
`58`	`58`	`target[0] = data;`
`59`	`59`	`}`
`@@ -146,28 +146,28 @@ public void AddToGenericList<S>(List<S> input, S data)`
`146`	`146`
`147`	`147`	`public abstract class BaseClassFlow`
`148`	`148`	`{`
`149`		`- public virtual int ReturnParam(int input)`
	`149`	`+ public virtual object ReturnParam(object input)`
`150`	`150`	`{`
`151`	`151`	`return input;`
`152`	`152`	`}`
`153`	`153`	`}`
`154`	`154`
`155`	`155`	`public class DerivedClass1Flow : BaseClassFlow`
`156`	`156`	`{`
`157`		`- public int ReturnParam1(int input0, int input1)`
	`157`	`+ public string ReturnParam1(string input0, string input1)`
`158`	`158`	`{`
`159`	`159`	`return input1;`
`160`	`160`	`}`
`161`	`161`	`}`
`162`	`162`
`163`	`163`	`public class DerivedClass2Flow : BaseClassFlow`
`164`	`164`	`{`
`165`		`- public override int ReturnParam(int input)`
	`165`	`+ public override object ReturnParam(object input)`
`166`	`166`	`{`
`167`	`167`	`return input;`
`168`	`168`	`}`
`169`	`169`
`170`		`- public int ReturnParam0(int input0, int input1)`
	`170`	`+ public string ReturnParam0(string input0, int input1)`
`171`	`171`	`{`
`172`	`172`	`return input0;`
`173`	`173`	`}`
`@@ -195,13 +195,13 @@ public OperatorFlow(object o)`
`195`	`195`	`}`
`196`	`196`
`197`	`197`	`// No flow summary as this is an implicit conversion operator.`
`198`		`- public static implicit operator OperatorFlow(int i)`
	`198`	`+ public static implicit operator OperatorFlow(string s)`
`199`	`199`	`{`
`200`		`- return new OperatorFlow(i);`
	`200`	`+ return new OperatorFlow(s);`
`201`	`201`	`}`
`202`	`202`
`203`	`203`	`// No flow summary as this is an explicit conversion operator.`
`204`		`- public static explicit operator OperatorFlow(byte b)`
	`204`	`+ public static explicit operator OperatorFlow(string[] b)`
`205`	`205`	`{`
`206`	`206`	`return new OperatorFlow(b);`
`207`	`207`	`}`
`@@ -220,9 +220,9 @@ public override bool Equals(object obj)`
`220`	`220`	`}`
`221`	`221`
`222`	`222`	`// Flow summary as this is not an override of the object Equals method.`
`223`		`- public int Equals(int i)`
	`223`	`+ public string Equals(string s)`
`224`	`224`	`{`
`225`		`- return i;`
	`225`	`+ return s;`
`226`	`226`	`}`
`227`	`227`
`228`	`228`	`// No flow summary as this is an override of the GetHashCode method.`