-
Notifications
You must be signed in to change notification settings - Fork 1.9k
C#: Add default taint step from an implicit operator call to its argument. #21400
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
michaelnebel
merged 6 commits into
github:main
from
michaelnebel:csharp/implicitconversionreverseflowtaint
Mar 4, 2026
+75
−0
Merged
Changes from all commits
Commits
Show all changes
6 commits
Select commit
Hold shift + click to select a range
8807217
C#: Add implicit conversion operator taint example.
michaelnebel 93a28cb
C#: Add default (reverse update) taint step from implicit operator ca…
michaelnebel cfd4be6
C#: Update test expected output.
michaelnebel 4e2a93d
C#: Remove comment.
michaelnebel a604a68
C#: Add change-note.
michaelnebel fbf40ef
Update csharp/ql/lib/semmle/code/csharp/dataflow/internal/TaintTracki…
michaelnebel File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
4 changes: 4 additions & 0 deletions
4
csharp/ql/lib/change-notes/2026-03-03-implicit-conversion-reverse-flow.md
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,4 @@ | ||
| --- | ||
| category: minorAnalysis | ||
| --- | ||
| * Added reverse taint flow from implicit conversion operator calls to their arguments. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
14 changes: 14 additions & 0 deletions
14
csharp/ql/test/library-tests/dataflow/operators/ImplicitConversionOperator.cs
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,14 @@ | ||
| using System; | ||
|
|
||
| public class TestImplicitConversionOperator | ||
| { | ||
| static void Sink(object o) { } | ||
| static void TaintArgument(ArraySegment<byte> segment) { } | ||
|
|
||
| public void M1() | ||
| { | ||
| byte[] bytes = new byte[1]; | ||
| TaintArgument(bytes); | ||
| Sink(bytes); | ||
| } | ||
| } |
8 changes: 8 additions & 0 deletions
8
csharp/ql/test/library-tests/dataflow/operators/implicitConversionOperatorFlow.expected
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,8 @@ | ||
| edges | ||
| | ImplicitConversionOperator.cs:11:23:11:27 | [post] call to operator implicit conversion : ArraySegment<Byte> | ImplicitConversionOperator.cs:12:14:12:18 | access to local variable bytes | provenance | | | ||
| nodes | ||
| | ImplicitConversionOperator.cs:11:23:11:27 | [post] call to operator implicit conversion : ArraySegment<Byte> | semmle.label | [post] call to operator implicit conversion : ArraySegment<Byte> | | ||
| | ImplicitConversionOperator.cs:12:14:12:18 | access to local variable bytes | semmle.label | access to local variable bytes | | ||
| subpaths | ||
| #select | ||
| | ImplicitConversionOperator.cs:12:14:12:18 | access to local variable bytes | ImplicitConversionOperator.cs:11:23:11:27 | [post] call to operator implicit conversion : ArraySegment<Byte> | ImplicitConversionOperator.cs:12:14:12:18 | access to local variable bytes | $@ | ImplicitConversionOperator.cs:11:23:11:27 | [post] call to operator implicit conversion : ArraySegment<Byte> | [post] call to operator implicit conversion : ArraySegment<Byte> | |
29 changes: 29 additions & 0 deletions
29
csharp/ql/test/library-tests/dataflow/operators/implicitConversionOperatorFlow.ql
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,29 @@ | ||
| /** | ||
| * @kind path-problem | ||
| */ | ||
|
|
||
| import csharp | ||
| import semmle.code.csharp.dataflow.internal.DataFlowPrivate as DataFlowPrivate | ||
| import Taint::PathGraph | ||
|
|
||
| module TaintConfig implements DataFlow::ConfigSig { | ||
| predicate isSource(DataFlow::Node src) { | ||
| exists(MethodCall mc | | ||
| mc.getTarget().hasName("TaintArgument") and | ||
| mc.getAnArgument() = src.(DataFlowPrivate::PostUpdateNode).getPreUpdateNode().asExpr() | ||
| ) | ||
| } | ||
|
|
||
| predicate isSink(DataFlow::Node sink) { | ||
| exists(MethodCall mc | | ||
| mc.getTarget().hasName("Sink") and | ||
| mc.getAnArgument() = sink.asExpr() | ||
| ) | ||
| } | ||
| } | ||
|
|
||
| module Taint = TaintTracking::Global<TaintConfig>; | ||
|
|
||
| from Taint::PathNode source, Taint::PathNode sink | ||
| where Taint::flowPath(source, sink) | ||
| select sink, source, sink, "$@", source, source.toString() |
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The new comment says "reverse update flow" but this predicate is adding a default taint step. Consider rewording to "reverse taint flow" (and/or explicitly mentioning post-update nodes) to avoid confusion with the data-flow reverse-step logic in DataFlowPrivate.