I want to write a CodeQL query in which the sourceNode is a parameter of a class and the sink is any object it affects (for my personal use case I want to get all instances where the value eventually feeds into a different variable, but for the sake of debugging I just want everything it feeds to). However, I notice that none of my paths propagate through a method returning an object that is affected by my source.
As part of debugging I made the following:

```csharp
using System;
using Microsoft.VisualStudio.TestTools.UnitTesting;

public class RandomDataClass
{
    public int SomeInt { get; set; }
    public string SomeStr { get; set; }
}

public class Class2
{
    public const string randomStr = "random";

    public RandomDataClass ReturnsSomeData()
    {
        var data = new RandomDataClass();
        data.SomeStr = "randomStr";
        return data;
    }
}

[TestClass]
public sealed class Test1
{
    [TestMethod]
    public void TestMethod1()
    {
        Class2 c = new Class2();
        var data = c.ReturnsSomeData();
        Console.Write(data.SomeStr);
    }
}
```

in which I have a method that returns a class that is affected by the string "random". However, when I write the following taintflow:

```ql
/**
 * @id cs/test
 * @description cs test file
 * @name cs test file
 * @kind path-problem
 * @precision medium
 * @tags security
 * @problem.severity warning
 */

import csharp
import DataFlow

// from Variable v
// where v.fromSource()
// select v
module ExDF implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) {
    exists(Variable v |
      source.asExpr() = v.getAnAccess() and
      v.getName() = "randomStr"
    )
  }

  predicate isSink(DataFlow::Node sink) {
    exists(Expr expr | sink.asExpr() = expr)
    or
    exists(Parameter p | sink.asParameter() = p)
    or
    exists(AssignableDefinition d | sink.asDefinition() = d)
  }
}

module ExTrackingExpr = TaintTracking::Global<ExDF>;

import ExTrackingExpr::PathGraph

from ExTrackingExpr::PathNode source, ExTrackingExpr::PathNode sink
where ExTrackingExpr::flowPath(source, sink)
select sink, source, sink, "Min ex"
```

I get 0 results, even though the "var data" should be affected by the source.
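
An added example, not part of the original question or of the CodeQL project: a variant of the configuration above that takes the string literal assigned in `ReturnsSomeData()` as the source, since the C# listing never reads the `randomStr` constant, and uses `allowImplicitRead` so that a sink receiving the whole object counts when one of its members is tainted. The names `LiteralFlowConfig` and `LiteralFlow`, the query id, and the choice of method-call arguments as sinks are assumptions made for this example.

```ql
/**
 * @id cs/test-literal-to-member-read
 * @name Constructed example: string literal flowing through a returned object
 * @description Added example; id, names and sink choice are assumptions.
 * @kind path-problem
 * @problem.severity warning
 */

import csharp

module LiteralFlowConfig implements DataFlow::ConfigSig {
  // Source: the literal assigned to data.SomeStr in ReturnsSomeData().
  // The listing declares the constant randomStr but never reads it, so a
  // source built on Variable.getAnAccess() for that name has no nodes.
  predicate isSource(DataFlow::Node source) {
    source.asExpr().(StringLiteral).getValue() = "randomStr"
  }

  // Sink (assumption): any argument of a method call,
  // e.g. Console.Write(data.SomeStr).
  predicate isSink(DataFlow::Node sink) {
    sink.asExpr() = any(MethodCall mc).getAnArgument()
  }

  // Field and property content is tracked separately from the object that
  // holds it. Allowing an implicit read at sinks also reports arguments
  // that are the whole object (data) rather than the member (data.SomeStr).
  predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
    isSink(node) and exists(c)
  }
}

module LiteralFlow = TaintTracking::Global<LiteralFlowConfig>;

import LiteralFlow::PathGraph

from LiteralFlow::PathNode source, LiteralFlow::PathNode sink
where LiteralFlow::flowPath(source, sink)
select sink.getNode(), source, sink, "Value from $@ reaches this argument.",
  source.getNode(), "string literal"
```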
Source: "c# - Global taintflow not marking objects as tainted from sourceNode when returned from a method", Stack Overflow.