Merge branch 'main' into rust-df-try-expr

Author: paldepind

csharp/ql/lib/change-notes/2024-12-03-dynamic-field-flow.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added support for data-flow through member accesses of objects with `dynamic` types.

csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll

@@ -883,6 +883,17 @@ private predicate fieldOrPropertyStore(Expr e, ContentSet c, Expr src, Expr q, b
         )
       )
   )
+  or
+  // A write to a dynamic property
+  exists(DynamicMemberAccess dma, AssignableDefinition def, DynamicProperty dp |
+    def.getTargetAccess() = dma and
+    dp.getAnAccess() = dma and
+    c.isDynamicProperty(dp) and
+    src = def.getSource() and
+    q = dma.getQualifier() and
+    e = def.getExpr() and
+    postUpdate = true
+  )
 }
 
 /**
@@ -894,6 +905,18 @@ private predicate fieldOrPropertyRead(Expr e1, ContentSet c, FieldOrPropertyRead
   c = e2.getTarget().(FieldOrProperty).getContentSet()
 }
 
+/**
+ * Holds if `e2` is an expression that reads the dynamic property `c` from
+ * expression `e1`.
+ */
+private predicate dynamicPropertyRead(Expr e1, ContentSet c, DynamicMemberRead e2) {
+  exists(DynamicPropertyContent dpc |
+    e1 = e2.getQualifier() and
+    dpc.getAnAccess() = e2 and
+    c.isDynamicProperty(dpc.getName())
+  )
+}
+
 /**
  * Holds if `ce` is a collection expression that adds `src` to the collection `ce`.
  */
@@ -1099,6 +1122,8 @@ private module Cached {
         |
           fieldOrPropertyRead(e, _, read)
           or
+          dynamicPropertyRead(e, _, read)
+          or
           arrayRead(e, read)
         )
       )
@@ -1140,6 +1165,7 @@ private module Cached {
   newtype TContent =
     TFieldContent(Field f) { f.isUnboundDeclaration() } or
     TPropertyContent(Property p) { p.isUnboundDeclaration() } or
+    TDynamicPropertyContent(DynamicProperty dp) or
     TElementContent() or
     TSyntheticFieldContent(SyntheticField f) or
     TPrimaryConstructorParameterContent(Parameter p) {
@@ -1154,12 +1180,16 @@ private module Cached {
   cached
   newtype TContentSet =
     TSingletonContent(Content c) { not c instanceof PropertyContent } or
-    TPropertyContentSet(Property p) { p.isUnboundDeclaration() }
+    TPropertyContentSet(Property p) { p.isUnboundDeclaration() } or
+    TDynamicPropertyContentSet(DynamicProperty dp)
 
   cached
   newtype TContentApprox =
     TFieldApproxContent(string firstChar) { firstChar = approximateFieldContent(_) } or
     TPropertyApproxContent(string firstChar) { firstChar = approximatePropertyContent(_) } or
+    TDynamicPropertyApproxContent(string firstChar) {
+      firstChar = approximateDynamicPropertyContent(_)
+    } or
     TElementApproxContent() or
     TSyntheticFieldApproxContent() or
     TPrimaryConstructorParameterApproxContent(string firstChar) {
@@ -2084,6 +2114,18 @@ class FieldOrProperty extends Assignable, Modifiable {
   }
 }
 
+/** A string that is a reference to a late-bound target of a dynamic member access. */
+class DynamicProperty extends string {
+  private DynamicMemberAccess dma;
+
+  DynamicProperty() { this = dma.getLateBoundTargetName() }
+
+  ContentSet getContentSet() { result.isDynamicProperty(this) }
+
+  /** Gets an access of this dynamic property. */
+  DynamicMemberAccess getAnAccess() { result = dma }
+}
+
 private class InstanceFieldOrProperty extends FieldOrProperty {
   InstanceFieldOrProperty() { not this.isStatic() }
 }
@@ -2342,6 +2384,11 @@ private class ReadStepConfiguration extends ControlFlowReachabilityConfiguration
     or
     exactScope = false and
     isSuccessor = true and
+    dynamicPropertyRead(e1, _, e2) and
+    scope = e2
+    or
+    exactScope = false and
+    isSuccessor = true and
     arrayRead(e1, e2) and
     scope = e2
     or
@@ -2474,6 +2521,8 @@ predicate readStep(Node node1, ContentSet c, Node node2) {
   exists(ReadStepConfiguration x | hasNodePath(x, node1, node2) |
     fieldOrPropertyRead(node1.asExpr(), c, node2.asExpr())
     or
+    dynamicPropertyRead(node1.asExpr(), c, node2.asExpr())
+    or
     node2.asExpr().(AwaitExpr).getExpr() = node1.asExpr() and
     c = getResultContent()
   )
@@ -3064,6 +3113,11 @@ class ContentApprox extends TContentApprox {
       this = TPropertyApproxContent(firstChar) and result = "approximated property " + firstChar
     )
     or
+    exists(string firstChar |
+      this = TDynamicPropertyApproxContent(firstChar) and
+      result = "approximated dynamic property " + firstChar
+    )
+    or
     this = TElementApproxContent() and result = "element"
     or
     this = TSyntheticFieldApproxContent() and result = "approximated synthetic field"
@@ -3095,6 +3149,11 @@ private string approximatePropertyContent(PropertyContent pc) {
   result = pc.getProperty().getName().prefix(1)
 }
 
+/** Gets a string for approximating the name of a dynamic property. */
+private string approximateDynamicPropertyContent(DynamicPropertyContent dpc) {
+  result = dpc.getName().prefix(1)
+}
+
 /**
  * Gets a string for approximating the name of a synthetic field corresponding
  * to a primary constructor parameter.
@@ -3110,6 +3169,8 @@ ContentApprox getContentApprox(Content c) {
   or
   result = TPropertyApproxContent(approximatePropertyContent(c))
   or
+  result = TDynamicPropertyApproxContent(approximateDynamicPropertyContent(c))
+  or
   c instanceof ElementContent and result = TElementApproxContent()
   or
   c instanceof SyntheticFieldContent and result = TSyntheticFieldApproxContent()

csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPublic.qll

@@ -239,6 +239,23 @@ class PropertyContent extends Content, TPropertyContent {
   override Location getLocation() { result = p.getLocation() }
 }
 
+/** A reference to a dynamic property. */
+class DynamicPropertyContent extends Content, TDynamicPropertyContent {
+  private DynamicProperty name;
+
+  DynamicPropertyContent() { this = TDynamicPropertyContent(name) }
+
+  /** Gets an access of this dynamic property. */
+  DynamicMemberAccess getAnAccess() { result = name.getAnAccess() }
+
+  override string toString() { result = "dynamic property " + name }
+
+  override EmptyLocation getLocation() { any() }
+
+  /** Gets the name that is referenced. */
+  string getName() { result = name }
+}
+
 /**
  * A reference to the index of an argument of a delegate call.
  */
@@ -324,6 +341,9 @@ class ContentSet extends TContentSet {
    */
   predicate isProperty(Property p) { this = TPropertyContentSet(p) }
 
+  /** Holds if this content set represents the dynamic property `name`. */
+  predicate isDynamicProperty(string name) { this = TDynamicPropertyContentSet(name) }
+
   /**
    * Holds if this content set represents the `i`th argument of a delegate call.
    */
@@ -348,6 +368,8 @@ class ContentSet extends TContentSet {
     this.isSingleton(result)
     or
     this.isProperty(result.(PropertyContent).getProperty())
+    or
+    this.isDynamicProperty(result.(DynamicPropertyContent).getName())
   }
 
   /** Gets a content that may be read from when reading from this set. */
@@ -362,6 +384,17 @@ class ContentSet extends TContentSet {
       or
       overridesOrImplementsSourceDecl(p1, p2)
     )
+    or
+    exists(FieldOrProperty p |
+      this = p.getContentSet() and
+      result.(DynamicPropertyContent).getName() = p.getName()
+    )
+    or
+    this.isDynamicProperty([
+        result.(DynamicPropertyContent).getName(),
+        result.(PropertyContent).getProperty().getName(),
+        result.(FieldContent).getField().getName()
+      ])
   }
 
   /** Gets a textual representation of this content set. */
@@ -375,6 +408,11 @@ class ContentSet extends TContentSet {
       this.isProperty(p) and
       result = "property " + p.getName()
     )
+    or
+    exists(string name |
+      this.isDynamicProperty(name) and
+      result = "dynamic property " + name
+    )
   }
 
   /** Gets the location of this content set. */
@@ -388,5 +426,8 @@ class ContentSet extends TContentSet {
       this.isProperty(p) and
       result = p.getLocation()
     )
+    or
+    this.isDynamicProperty(_) and
+    result instanceof EmptyLocation
   }
 }