-
Notifications
You must be signed in to change notification settings - Fork 1.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
C#: Adding synthetic implicit ToString calls in binary- and string interpolation expressions. #18446
base: main
Are you sure you want to change the base?
Conversation
7ba7af1
to
9959976
Compare
bf46c42
to
825c64f
Compare
825c64f
to
9ebee34
Compare
Click to show differences in coveragecsharpGenerated file changes for csharp
- Others,"``Amazon.Lambda.APIGatewayEvents``, ``Amazon.Lambda.Core``, ``Dapper``, ``ILCompiler``, ``ILLink.RoslynAnalyzer``, ``ILLink.Shared``, ``ILLink.Tasks``, ``Internal.IL``, ``Internal.Pgo``, ``Internal.TypeSystem``, ``JsonToItemsTaskFactory``, ``Microsoft.Android.Build``, ``Microsoft.Apple.Build``, ``Microsoft.ApplicationBlocks.Data``, ``Microsoft.AspNetCore.Components``, ``Microsoft.AspNetCore.Mvc``, ``Microsoft.AspNetCore.WebUtilities``, ``Microsoft.CSharp``, ``Microsoft.Diagnostics.Tools.Pgo``, ``Microsoft.DotNet.Build.Tasks``, ``Microsoft.DotNet.PlatformAbstractions``, ``Microsoft.EntityFrameworkCore``, ``Microsoft.Extensions.Caching.Distributed``, ``Microsoft.Extensions.Caching.Memory``, ``Microsoft.Extensions.Configuration``, ``Microsoft.Extensions.DependencyInjection``, ``Microsoft.Extensions.DependencyModel``, ``Microsoft.Extensions.Diagnostics.Metrics``, ``Microsoft.Extensions.FileProviders``, ``Microsoft.Extensions.FileSystemGlobbing``, ``Microsoft.Extensions.Hosting``, ``Microsoft.Extensions.Http``, ``Microsoft.Extensions.Logging``, ``Microsoft.Extensions.Options``, ``Microsoft.Extensions.Primitives``, ``Microsoft.Interop``, ``Microsoft.JSInterop``, ``Microsoft.NET.Build.Tasks``, ``Microsoft.NET.Sdk.WebAssembly``, ``Microsoft.NET.WebAssembly.Webcil``, ``Microsoft.VisualBasic``, ``Microsoft.WebAssembly.Build.Tasks``, ``Microsoft.Win32``, ``Mono.Linker``, ``MySql.Data.MySqlClient``, ``Newtonsoft.Json``, ``SourceGenerators``, ``Windows.Security.Cryptography.Core``",61,2074,152,4
+ Others,"``Amazon.Lambda.APIGatewayEvents``, ``Amazon.Lambda.Core``, ``Dapper``, ``ILCompiler``, ``ILLink.RoslynAnalyzer``, ``ILLink.Shared``, ``ILLink.Tasks``, ``Internal.IL``, ``Internal.Pgo``, ``Internal.TypeSystem``, ``JsonToItemsTaskFactory``, ``Microsoft.Android.Build``, ``Microsoft.Apple.Build``, ``Microsoft.ApplicationBlocks.Data``, ``Microsoft.AspNetCore.Components``, ``Microsoft.AspNetCore.Http``, ``Microsoft.AspNetCore.Mvc``, ``Microsoft.AspNetCore.WebUtilities``, ``Microsoft.CSharp``, ``Microsoft.Diagnostics.Tools.Pgo``, ``Microsoft.DotNet.Build.Tasks``, ``Microsoft.DotNet.PlatformAbstractions``, ``Microsoft.EntityFrameworkCore``, ``Microsoft.Extensions.Caching.Distributed``, ``Microsoft.Extensions.Caching.Memory``, ``Microsoft.Extensions.Configuration``, ``Microsoft.Extensions.DependencyInjection``, ``Microsoft.Extensions.DependencyModel``, ``Microsoft.Extensions.Diagnostics.Metrics``, ``Microsoft.Extensions.FileProviders``, ``Microsoft.Extensions.FileSystemGlobbing``, ``Microsoft.Extensions.Hosting``, ``Microsoft.Extensions.Http``, ``Microsoft.Extensions.Logging``, ``Microsoft.Extensions.Options``, ``Microsoft.Extensions.Primitives``, ``Microsoft.Interop``, ``Microsoft.JSInterop``, ``Microsoft.NET.Build.Tasks``, ``Microsoft.NET.Sdk.WebAssembly``, ``Microsoft.NET.WebAssembly.Webcil``, ``Microsoft.VisualBasic``, ``Microsoft.WebAssembly.Build.Tasks``, ``Microsoft.Win32``, ``Mono.Linker``, ``MySql.Data.MySqlClient``, ``Newtonsoft.Json``, ``SourceGenerators``, ``Windows.Security.Cryptography.Core``",61,2075,152,4
- Totals,,108,12900,400,9
+ Totals,,108,12901,400,9
+ Microsoft.AspNetCore.Http,,,1,,,,,,,,,,,,,,,,,,,1, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Copilot reviewed 35 out of 50 changed files in this pull request and generated no comments.
Files not reviewed (15)
- csharp/ql/examples/snippets/ternary_conditional.ql: Language not supported
- csharp/ql/lib/semmle/code/csharp/PrintAst.qll: Language not supported
- csharp/ql/lib/semmle/code/csharp/commons/Constants.qll: Language not supported
- csharp/ql/lib/semmle/code/csharp/commons/Strings.qll: Language not supported
- csharp/ql/lib/semmle/code/csharp/dataflow/Nullness.qll: Language not supported
- csharp/ql/lib/semmle/code/csharp/dispatch/Dispatch.qll: Language not supported
- csharp/ql/lib/semmle/code/csharp/exprs/Call.qll: Language not supported
- csharp/ql/lib/semmle/code/csharp/exprs/Expr.qll: Language not supported
- csharp/ql/src/Bad Practices/VirtualCallInConstructorOrDestructor.ql: Language not supported
- csharp/ql/src/Likely Bugs/Dynamic/BadDynamicCall.ql: Language not supported
- csharp/ql/src/Likely Bugs/ObjectComparison.ql: Language not supported
- csharp/ql/test/library-tests/controlflow/graph/BasicBlock.expected: Language not supported
- csharp/extractor/Semmle.Extraction.CSharp/Entities/Expression.cs: Evaluated as low risk
- csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/InterpolatedString.cs: Evaluated as low risk
- csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/ImplicitCast.cs: Evaluated as low risk
Tip: Copilot code review supports C#, Go, Java, JavaScript, Markdown, Python, Ruby and TypeScript, with more languages coming soon. Learn more
…ring calls into account.
…ons and generated ToString calls.
…ons, if the type implements IFormattable.
dbc7a80
to
0c5c2a3
Compare
In this PR we get the ball rolling on synthesizing compiler generated
ToString
calls.We introduce
ToString
calls in binary expressions for concatenating strings and string interpolation expressions:That is,
This is expected to increase accuracy of the data flow analysis, but there are some pitfalls:
ToString
that is implicitly called is not in source code and if we don't have a model for it.Object.ToString
is the one being implicitly called and there exists aToString
implementation that contains a source for a query. In this case we might get false positives due to dynamic dispatch. DCA reports a couple of results like that (cs/web/xss
,cs/log-forging
andcs/information-exposure-through-exception
on ASP.NET andcs/cleartext-storage-of-sensitive-information
andcs/exposure-of-sensitive-information
on mono). In any case, this is an anti pattern that should generally be avoided (there is also a quality query for this). We could consider not to extract the implicit to string call when the target isToString
is onSystem.Object
?The extra result on ASP.NET for
cs/web/unvalidated-url-redirection
is due to the summary model added forPathString.ToString
.According to DCA til change does not affect performance.