Add test cases for missing flow with interpolated strings and StringBuilder

Author: tamasvajk

csharp/ql/test/library-tests/dataflow/global/GetAnOutNode.expected

@@ -166,10 +166,18 @@
 | GlobalDataFlow.cs:545:17:545:33 | object creation of type SimpleClass | normal | GlobalDataFlow.cs:545:17:545:33 | object creation of type SimpleClass |
 | GlobalDataFlow.cs:558:44:558:47 | delegate call | normal | GlobalDataFlow.cs:558:44:558:47 | delegate call |
 | GlobalDataFlowStringBuilder.cs:19:9:19:20 | call to method Append | normal | GlobalDataFlowStringBuilder.cs:19:9:19:20 | call to method Append |
-| GlobalDataFlowStringBuilder.cs:24:18:24:36 | object creation of type StringBuilder | normal | GlobalDataFlowStringBuilder.cs:24:18:24:36 | object creation of type StringBuilder |
-| GlobalDataFlowStringBuilder.cs:26:22:26:34 | call to method ToString | normal | GlobalDataFlowStringBuilder.cs:26:22:26:34 | call to method ToString |
-| GlobalDataFlowStringBuilder.cs:29:9:29:18 | call to method Clear | normal | GlobalDataFlowStringBuilder.cs:29:9:29:18 | call to method Clear |
-| GlobalDataFlowStringBuilder.cs:30:23:30:35 | call to method ToString | normal | GlobalDataFlowStringBuilder.cs:30:23:30:35 | call to method ToString |
+| GlobalDataFlowStringBuilder.cs:24:9:24:27 | call to method Append | normal | GlobalDataFlowStringBuilder.cs:24:9:24:27 | call to method Append |
+| GlobalDataFlowStringBuilder.cs:29:18:29:36 | object creation of type StringBuilder | normal | GlobalDataFlowStringBuilder.cs:29:18:29:36 | object creation of type StringBuilder |
+| GlobalDataFlowStringBuilder.cs:31:21:31:33 | call to method ToString | normal | GlobalDataFlowStringBuilder.cs:31:21:31:33 | call to method ToString |
+| GlobalDataFlowStringBuilder.cs:34:19:34:37 | object creation of type StringBuilder | normal | GlobalDataFlowStringBuilder.cs:34:19:34:37 | object creation of type StringBuilder |
+| GlobalDataFlowStringBuilder.cs:35:9:35:22 | call to method Append | normal | GlobalDataFlowStringBuilder.cs:35:9:35:22 | call to method Append |
+| GlobalDataFlowStringBuilder.cs:36:21:36:34 | call to method ToString | normal | GlobalDataFlowStringBuilder.cs:36:21:36:34 | call to method ToString |
+| GlobalDataFlowStringBuilder.cs:39:19:39:37 | object creation of type StringBuilder | normal | GlobalDataFlowStringBuilder.cs:39:19:39:37 | object creation of type StringBuilder |
+| GlobalDataFlowStringBuilder.cs:40:9:40:27 | call to method Append | normal | GlobalDataFlowStringBuilder.cs:40:9:40:27 | call to method Append |
+| GlobalDataFlowStringBuilder.cs:41:21:41:34 | call to method ToString | normal | GlobalDataFlowStringBuilder.cs:41:21:41:34 | call to method ToString |
+| GlobalDataFlowStringBuilder.cs:44:9:44:18 | call to method Clear | normal | GlobalDataFlowStringBuilder.cs:44:9:44:18 | call to method Clear |
+| GlobalDataFlowStringBuilder.cs:45:23:45:35 | call to method ToString | normal | GlobalDataFlowStringBuilder.cs:45:23:45:35 | call to method ToString |
+| GlobalDataFlowStringBuilder.cs:49:21:49:33 | call to method ToString | normal | GlobalDataFlowStringBuilder.cs:49:21:49:33 | call to method ToString |
 | Splitting.cs:8:17:8:31 | [b (line 3): false] call to method Return<String> | normal | Splitting.cs:8:17:8:31 | [b (line 3): false] call to method Return<String> |
 | Splitting.cs:8:17:8:31 | [b (line 3): true] call to method Return<String> | normal | Splitting.cs:8:17:8:31 | [b (line 3): true] call to method Return<String> |
 | Splitting.cs:20:22:20:30 | call to method Return<String> | normal | Splitting.cs:20:22:20:30 | call to method Return<String> |

csharp/ql/test/library-tests/dataflow/global/GlobalDataFlowStringBuilder.cs

@@ -19,15 +19,34 @@ static void AppendToStringBuilder(StringBuilder sb, string s)
         sb.Append(s);
     }
 
+    static void AppendToStringBuilderInterpolated(StringBuilder sb, string s)
+    {
+        sb.Append($"a{s}b");
+    }
+
     void TestStringBuilderFlow()
     {
         var sb = new StringBuilder();
         AppendToStringBuilder(sb, "taint source");
-        var sink43 = sb.ToString();
-        Check(sink43);
+        var sink0 = sb.ToString();
+        Check(sink0);
+
+        var sb1 = new StringBuilder();
+        sb1.Append(sb);
+        var sink1 = sb1.ToString();
+        Check(sink1);
+
+        var sb2 = new StringBuilder();
+        sb2.Append($"{sb}");
+        var sink2 = sb2.ToString();
+        Check(sink2);
 
         sb.Clear();
         var nonSink = sb.ToString();
         Check(nonSink);
+
+        AppendToStringBuilderInterpolated(sb, "taint source");
+        var sink3 = sb.ToString();
+        Check(sink3);
     }
 }

csharp/ql/test/library-tests/dataflow/global/TaintTracking.expected

@@ -72,7 +72,7 @@
 | GlobalDataFlow.cs:533:15:533:21 | access to field field |
 | GlobalDataFlow.cs:539:15:539:22 | access to field field |
 | GlobalDataFlow.cs:547:15:547:21 | access to field field |
-| GlobalDataFlowStringBuilder.cs:27:15:27:20 | access to local variable sink43 |
+| GlobalDataFlowStringBuilder.cs:32:15:32:19 | access to local variable sink0 |
 | Splitting.cs:9:15:9:15 | [b (line 3): false] access to local variable x |
 | Splitting.cs:9:15:9:15 | [b (line 3): true] access to local variable x |
 | Splitting.cs:11:19:11:19 | access to local variable x |

csharp/ql/test/library-tests/dataflow/global/TaintTrackingPath.expected

@@ -328,11 +328,11 @@ edges
 | GlobalDataFlow.cs:558:46:558:46 | access to local variable x : String | GlobalDataFlow.cs:558:44:558:47 | delegate call : String |
 | GlobalDataFlowStringBuilder.cs:17:64:17:64 | s : String | GlobalDataFlowStringBuilder.cs:19:19:19:19 | access to parameter s : String |
 | GlobalDataFlowStringBuilder.cs:19:19:19:19 | access to parameter s : String | GlobalDataFlowStringBuilder.cs:19:9:19:10 | [post] access to parameter sb : StringBuilder |
-| GlobalDataFlowStringBuilder.cs:25:31:25:32 | [post] access to local variable sb : StringBuilder | GlobalDataFlowStringBuilder.cs:26:22:26:23 | access to local variable sb : StringBuilder |
-| GlobalDataFlowStringBuilder.cs:25:35:25:48 | "taint source" : String | GlobalDataFlowStringBuilder.cs:17:64:17:64 | s : String |
-| GlobalDataFlowStringBuilder.cs:25:35:25:48 | "taint source" : String | GlobalDataFlowStringBuilder.cs:25:31:25:32 | [post] access to local variable sb : StringBuilder |
-| GlobalDataFlowStringBuilder.cs:26:22:26:23 | access to local variable sb : StringBuilder | GlobalDataFlowStringBuilder.cs:26:22:26:34 | call to method ToString : String |
-| GlobalDataFlowStringBuilder.cs:26:22:26:34 | call to method ToString : String | GlobalDataFlowStringBuilder.cs:27:15:27:20 | access to local variable sink43 |
+| GlobalDataFlowStringBuilder.cs:30:31:30:32 | [post] access to local variable sb : StringBuilder | GlobalDataFlowStringBuilder.cs:31:21:31:22 | access to local variable sb : StringBuilder |
+| GlobalDataFlowStringBuilder.cs:30:35:30:48 | "taint source" : String | GlobalDataFlowStringBuilder.cs:17:64:17:64 | s : String |
+| GlobalDataFlowStringBuilder.cs:30:35:30:48 | "taint source" : String | GlobalDataFlowStringBuilder.cs:30:31:30:32 | [post] access to local variable sb : StringBuilder |
+| GlobalDataFlowStringBuilder.cs:31:21:31:22 | access to local variable sb : StringBuilder | GlobalDataFlowStringBuilder.cs:31:21:31:33 | call to method ToString : String |
+| GlobalDataFlowStringBuilder.cs:31:21:31:33 | call to method ToString : String | GlobalDataFlowStringBuilder.cs:32:15:32:19 | access to local variable sink0 |
 | Splitting.cs:3:28:3:34 | tainted : String | Splitting.cs:8:24:8:30 | [b (line 3): false] access to parameter tainted : String |
 | Splitting.cs:3:28:3:34 | tainted : String | Splitting.cs:8:24:8:30 | [b (line 3): true] access to parameter tainted : String |
 | Splitting.cs:8:17:8:31 | [b (line 3): false] call to method Return<String> : String | Splitting.cs:9:15:9:15 | [b (line 3): false] access to local variable x |
@@ -657,11 +657,11 @@ nodes
 | GlobalDataFlowStringBuilder.cs:17:64:17:64 | s : String | semmle.label | s : String |
 | GlobalDataFlowStringBuilder.cs:19:9:19:10 | [post] access to parameter sb : StringBuilder | semmle.label | [post] access to parameter sb : StringBuilder |
 | GlobalDataFlowStringBuilder.cs:19:19:19:19 | access to parameter s : String | semmle.label | access to parameter s : String |
-| GlobalDataFlowStringBuilder.cs:25:31:25:32 | [post] access to local variable sb : StringBuilder | semmle.label | [post] access to local variable sb : StringBuilder |
-| GlobalDataFlowStringBuilder.cs:25:35:25:48 | "taint source" : String | semmle.label | "taint source" : String |
-| GlobalDataFlowStringBuilder.cs:26:22:26:23 | access to local variable sb : StringBuilder | semmle.label | access to local variable sb : StringBuilder |
-| GlobalDataFlowStringBuilder.cs:26:22:26:34 | call to method ToString : String | semmle.label | call to method ToString : String |
-| GlobalDataFlowStringBuilder.cs:27:15:27:20 | access to local variable sink43 | semmle.label | access to local variable sink43 |
+| GlobalDataFlowStringBuilder.cs:30:31:30:32 | [post] access to local variable sb : StringBuilder | semmle.label | [post] access to local variable sb : StringBuilder |
+| GlobalDataFlowStringBuilder.cs:30:35:30:48 | "taint source" : String | semmle.label | "taint source" : String |
+| GlobalDataFlowStringBuilder.cs:31:21:31:22 | access to local variable sb : StringBuilder | semmle.label | access to local variable sb : StringBuilder |
+| GlobalDataFlowStringBuilder.cs:31:21:31:33 | call to method ToString : String | semmle.label | call to method ToString : String |
+| GlobalDataFlowStringBuilder.cs:32:15:32:19 | access to local variable sink0 | semmle.label | access to local variable sink0 |
 | Splitting.cs:3:28:3:34 | tainted : String | semmle.label | tainted : String |
 | Splitting.cs:8:17:8:31 | [b (line 3): false] call to method Return<String> : String | semmle.label | [b (line 3): false] call to method Return<String> : String |
 | Splitting.cs:8:17:8:31 | [b (line 3): true] call to method Return<String> : String | semmle.label | [b (line 3): true] call to method Return<String> : String |
@@ -708,7 +708,7 @@ subpaths
 | GlobalDataFlow.cs:389:18:389:18 | access to parameter x : String | GlobalDataFlow.cs:298:26:298:26 | x : String | GlobalDataFlow.cs:301:16:301:41 | ... ? ... : ... : String | GlobalDataFlow.cs:389:16:389:19 | delegate call : String |
 | GlobalDataFlow.cs:389:18:389:18 | access to parameter x : String | GlobalDataFlow.cs:300:27:300:28 | x0 : String | GlobalDataFlow.cs:300:33:300:34 | access to parameter x0 : String | GlobalDataFlow.cs:389:16:389:19 | delegate call : String |
 | GlobalDataFlow.cs:558:46:558:46 | access to local variable x : String | GlobalDataFlow.cs:81:79:81:79 | x : String | GlobalDataFlow.cs:81:84:81:84 | access to parameter x : String | GlobalDataFlow.cs:558:44:558:47 | delegate call : String |
-| GlobalDataFlowStringBuilder.cs:25:35:25:48 | "taint source" : String | GlobalDataFlowStringBuilder.cs:17:64:17:64 | s : String | GlobalDataFlowStringBuilder.cs:19:9:19:10 | [post] access to parameter sb : StringBuilder | GlobalDataFlowStringBuilder.cs:25:31:25:32 | [post] access to local variable sb : StringBuilder |
+| GlobalDataFlowStringBuilder.cs:30:35:30:48 | "taint source" : String | GlobalDataFlowStringBuilder.cs:17:64:17:64 | s : String | GlobalDataFlowStringBuilder.cs:19:9:19:10 | [post] access to parameter sb : StringBuilder | GlobalDataFlowStringBuilder.cs:30:31:30:32 | [post] access to local variable sb : StringBuilder |
 | Splitting.cs:8:24:8:30 | [b (line 3): false] access to parameter tainted : String | Splitting.cs:16:26:16:26 | x : String | Splitting.cs:16:32:16:32 | access to parameter x : String | Splitting.cs:8:17:8:31 | [b (line 3): false] call to method Return<String> : String |
 | Splitting.cs:8:24:8:30 | [b (line 3): true] access to parameter tainted : String | Splitting.cs:16:26:16:26 | x : String | Splitting.cs:16:32:16:32 | access to parameter x : String | Splitting.cs:8:17:8:31 | [b (line 3): true] call to method Return<String> : String |
 | Splitting.cs:20:29:20:29 | access to parameter s : String | Splitting.cs:16:26:16:26 | x : String | Splitting.cs:16:32:16:32 | access to parameter x : String | Splitting.cs:20:22:20:30 | call to method Return<String> : String |
@@ -790,7 +790,7 @@ subpaths
 | GlobalDataFlow.cs:533:15:533:21 | access to field field | GlobalDataFlow.cs:483:20:483:33 | "taint source" : String | GlobalDataFlow.cs:533:15:533:21 | access to field field | access to field field |
 | GlobalDataFlow.cs:539:15:539:22 | access to field field | GlobalDataFlow.cs:483:20:483:33 | "taint source" : String | GlobalDataFlow.cs:539:15:539:22 | access to field field | access to field field |
 | GlobalDataFlow.cs:547:15:547:21 | access to field field | GlobalDataFlow.cs:483:20:483:33 | "taint source" : String | GlobalDataFlow.cs:547:15:547:21 | access to field field | access to field field |
-| GlobalDataFlowStringBuilder.cs:27:15:27:20 | access to local variable sink43 | GlobalDataFlowStringBuilder.cs:25:35:25:48 | "taint source" : String | GlobalDataFlowStringBuilder.cs:27:15:27:20 | access to local variable sink43 | access to local variable sink43 |
+| GlobalDataFlowStringBuilder.cs:32:15:32:19 | access to local variable sink0 | GlobalDataFlowStringBuilder.cs:30:35:30:48 | "taint source" : String | GlobalDataFlowStringBuilder.cs:32:15:32:19 | access to local variable sink0 | access to local variable sink0 |
 | Splitting.cs:9:15:9:15 | [b (line 3): false] access to local variable x | Splitting.cs:3:28:3:34 | tainted : String | Splitting.cs:9:15:9:15 | [b (line 3): false] access to local variable x | [b (line 3): false] access to local variable x |
 | Splitting.cs:9:15:9:15 | [b (line 3): true] access to local variable x | Splitting.cs:3:28:3:34 | tainted : String | Splitting.cs:9:15:9:15 | [b (line 3): true] access to local variable x | [b (line 3): true] access to local variable x |
 | Splitting.cs:11:19:11:19 | access to local variable x | Splitting.cs:3:28:3:34 | tainted : String | Splitting.cs:11:19:11:19 | access to local variable x | access to local variable x |