C#: Add default taint step from an implicit operator call to its argument.#21400
Open
michaelnebel wants to merge 6 commits intogithub:mainfrom
Open
C#: Add default taint step from an implicit operator call to its argument.#21400michaelnebel wants to merge 6 commits intogithub:mainfrom
michaelnebel wants to merge 6 commits intogithub:mainfrom
Conversation
michaelnebel
force-pushed
the
csharp/implicitconversionreverseflowtaint
branch
from
77dbe2c to
c3f0d4a
Compare
michaelnebel
force-pushed
the
csharp/implicitconversionreverseflowtaint
branch
from
c3f0d4a to
cfd4be6
Compare
Contributor
Author
|
@hvitved : Is this an acceptable approach for solving the problem? |
hvitved
requested changes
Mar 4, 2026
Contributor
hvitved
left a comment
hvitved
left a comment
There was a problem hiding this comment.
LGTM, just one minor suggestion.
csharp/ql/lib/semmle/code/csharp/dataflow/internal/TaintTrackingPrivate.qll
Outdated
Show resolved
Hide resolved
…ngPrivate.qll Co-authored-by: Tom Hvitved <hvitved@github.com>
hvitved
approved these changes
Mar 4, 2026
Contributor
There was a problem hiding this comment.
Pull request overview
This PR updates C# taint tracking to handle implicit conversion operator calls in method arguments by adding a default reverse taint step from the post-update node of an implicit conversion to its argument, and adds a regression test plus changelog entry.
Changes:
- Add a default reverse taint step for post-update nodes of implicit conversion operator calls.
- Add a new library-test (QL + C# source) and corresponding
.expectedoutput to cover the new flow behavior. - Add a changelog entry documenting the analysis improvement.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
csharp/ql/lib/semmle/code/csharp/dataflow/internal/TaintTrackingPrivate.qll |
Adds the new default reverse taint step logic for implicit conversion operator post-update nodes. |
csharp/ql/test/library-tests/dataflow/operators/implicitConversionOperatorFlow.ql |
New taint path-problem test that treats the post-update node as a source and checks flow to the original argument. |
csharp/ql/test/library-tests/dataflow/operators/implicitConversionOperatorFlow.expected |
Expected path output for the new test. |
csharp/ql/test/library-tests/dataflow/operators/ImplicitConversionOperator.cs |
C# fixture exercising implicit conversion from byte[] to ArraySegment<byte>. |
csharp/ql/lib/change-notes/2026-03-03-implicit-conversion-reverse-flow.md |
Change note for the new reverse taint flow behavior. |
You can also share your feedback on Copilot code review. Take the survey.
Comment on lines
+191
to
+193
| // Allow reverse update flow for implicit conversion operator calls. | ||
| // This is needed to support flow out of method call arguments, where an implicit conversion is applied | ||
| // to a call argument. |
There was a problem hiding this comment.
The new comment says "reverse update flow" but this predicate is adding a default taint step. Consider rewording to "reverse taint flow" (and/or explicitly mentioning post-update nodes) to avoid confusion with the data-flow reverse-step logic in DataFlowPrivate.
Suggested change
| // Allow reverse update flow for implicit conversion operator calls. | |
| // This is needed to support flow out of method call arguments, where an implicit conversion is applied | |
| // to a call argument. | |
| // Allow reverse taint flow between post-update and pre-update nodes for implicit conversion operator calls. | |
| // This is needed to support taint flow out of method call arguments where an implicit conversion is applied | |
| // to the argument expression. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Consider this flow source row:
and this snippet:
On the second line there's a call to operator an implicit conversion which means that
bufferis not an argument towebSocket.ReceiveAsync, but rather an argument to the call to an implicit conversion (which is then an argument toReceiveAsync). However, we would likebufferto be tainted after the call toReceiveAsync.This is solved by adding a reverse update default taint step for post-update nodes for implicit conversion calls.
That is, for
f(implicit_conv(x))we add a step from the post-update ofimplicit_conv(x)tox.DCA looks good.