
Commit 0427b1e

committed
C#: Fix more tests.
1 parent e331a24 commit 0427b1e

8 files changed

Lines changed: 16 additions & 64 deletions


csharp/ql/test/query-tests/Security Features/CWE-114/AssemblyPathInjection/AssembltyPathInjection.expected

Lines changed: 0 additions & 1 deletion
This file was deleted.

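--- a/csharp/ql/test/query-tests/Security Features/CWE-114/AssemblyPathInjection/Test.cs
+++ b/csharp/ql/test/query-tests/Security Features/CWE-114/AssemblyPathInjection/Test.cs
@@ -8,7 +8,7 @@ public class DLLInjectionHandler : IHttpHandler {
 public void ProcessRequest(HttpContext ctx) {
 string libraryName = ctx.Request.QueryString["libraryName"];
 
-// BAD: Load DLL based on user input
+// BAD: Load DLL based on user input [NOT DETECTED]
 var badDLL = Assembly.LoadFile(libraryName);
 
 // GOOD: Load DLL using fixed string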
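Review bot: The `[NOT DETECTED]` tag added above `Assembly.LoadFile(libraryName)` records a missed CWE-114 finding without saying why the query misses it or where that gap is tracked, so the false negative is easy to forget once the test passes again. I would put the reason or a reference into the comment itself, for example `// BAD: Load DLL based on user input [NOT DETECTED: <reason or tracking issue>]`. The same applies to the tags added in HardcodedSymmetricEncryptionKey.cs and InsecureSQLConnection.cs in this commit. ProcessRequest continues past the end of the hunk.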

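--- a/csharp/ql/test/query-tests/Security Features/CWE-321/HardcodedSymmetricEncryptionKey/HardcodedSymmetricEncryptionKey.cs
+++ b/csharp/ql/test/query-tests/Security Features/CWE-321/HardcodedSymmetricEncryptionKey/HardcodedSymmetricEncryptionKey.cs
@@ -38,16 +38,16 @@ static void Main(string[] args)
 
 var iv = new byte[] { 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00 };
 
-// BAD: hard-coded key passed to Encrypt
+// BAD: hard-coded key passed to Encrypt [NOT DETECTED]
 var ct = Encrypt("Test string here", c, iv);
 
-// BAD: hard-coded key converted from string and passed to Encrypt
+// BAD: hard-coded key converted from string and passed to Encrypt [NOT DETECTED]
 var ct1 = Encrypt("Test string here", byteArrayFromString, iv);
 
 // GOOD (this function hashes password)
 var de = DecryptWithPassword(ct, c, iv);
 
-// Bad
+// BAD [NOT DETECTED]
 CreateCryptographicKey(null, byteArrayFromString);
 
 // GOOD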
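Review bot: The `[NOT DETECTED]` tags on the two `Encrypt(...)` calls (new lines 41 and 44) appear to contradict the updated expected output shown on this page, which still lists both hard-coded sources (the array creation at 26:21 and the string literal at 29:62) reaching `Encryptor(rgbKey, IV)` at 99:87. Judging by the removed `edges` rows, those two results are exactly the flows through the calls at lines 42 and 45. Only the `CreateSymmetricKey(IBuffer keyMaterial)` result at line 114 is dropped, which matches the tag on `CreateCryptographicKey(null, byteArrayFromString)`. If the two Encrypt flows are still reported, the comments should stay as `// BAD: hard-coded key passed to Encrypt` and `// BAD: hard-coded key converted from string and passed to Encrypt`. Main starts and ends outside the hunk.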
Original file line numberDiff line numberDiff line change
@@ -1,40 +1,6 @@
1-
edges
2-
| HardcodedSymmetricEncryptionKey.cs:26:21:26:97 | array creation of type Byte[] | HardcodedSymmetricEncryptionKey.cs:32:21:32:21 | access to local variable d |
3-
| HardcodedSymmetricEncryptionKey.cs:26:21:26:97 | array creation of type Byte[] | HardcodedSymmetricEncryptionKey.cs:37:37:37:37 | access to local variable d |
4-
| HardcodedSymmetricEncryptionKey.cs:26:21:26:97 | array creation of type Byte[] | HardcodedSymmetricEncryptionKey.cs:42:50:42:50 | access to local variable c |
5-
| HardcodedSymmetricEncryptionKey.cs:29:62:29:115 | "Hello, world: here is a very bad way to create a key" | HardcodedSymmetricEncryptionKey.cs:45:51:45:69 | access to local variable byteArrayFromString |
6-
| HardcodedSymmetricEncryptionKey.cs:29:62:29:115 | "Hello, world: here is a very bad way to create a key" | HardcodedSymmetricEncryptionKey.cs:51:42:51:60 | access to local variable byteArrayFromString |
7-
| HardcodedSymmetricEncryptionKey.cs:37:37:37:37 | access to local variable d | HardcodedSymmetricEncryptionKey.cs:81:57:81:59 | key |
8-
| HardcodedSymmetricEncryptionKey.cs:42:50:42:50 | access to local variable c | HardcodedSymmetricEncryptionKey.cs:90:63:90:65 | key |
9-
| HardcodedSymmetricEncryptionKey.cs:45:51:45:69 | access to local variable byteArrayFromString | HardcodedSymmetricEncryptionKey.cs:90:63:90:65 | key |
10-
| HardcodedSymmetricEncryptionKey.cs:51:42:51:60 | access to local variable byteArrayFromString | HardcodedSymmetricEncryptionKey.cs:111:96:111:100 | bytes |
11-
| HardcodedSymmetricEncryptionKey.cs:81:57:81:59 | key | HardcodedSymmetricEncryptionKey.cs:86:23:86:25 | access to parameter key |
12-
| HardcodedSymmetricEncryptionKey.cs:90:63:90:65 | key | HardcodedSymmetricEncryptionKey.cs:99:87:99:89 | access to parameter key |
13-
| HardcodedSymmetricEncryptionKey.cs:90:63:90:65 | key | HardcodedSymmetricEncryptionKey.cs:99:87:99:89 | access to parameter key |
14-
| HardcodedSymmetricEncryptionKey.cs:111:96:111:100 | bytes | HardcodedSymmetricEncryptionKey.cs:114:41:114:46 | access to local variable buffer |
15-
nodes
16-
| HardcodedSymmetricEncryptionKey.cs:18:21:18:97 | array creation of type Byte[] |
17-
| HardcodedSymmetricEncryptionKey.cs:23:23:23:99 | array creation of type Byte[] |
18-
| HardcodedSymmetricEncryptionKey.cs:26:21:26:97 | array creation of type Byte[] |
19-
| HardcodedSymmetricEncryptionKey.cs:29:62:29:115 | "Hello, world: here is a very bad way to create a key" |
20-
| HardcodedSymmetricEncryptionKey.cs:32:21:32:21 | access to local variable d |
21-
| HardcodedSymmetricEncryptionKey.cs:37:37:37:37 | access to local variable d |
22-
| HardcodedSymmetricEncryptionKey.cs:42:50:42:50 | access to local variable c |
23-
| HardcodedSymmetricEncryptionKey.cs:45:51:45:69 | access to local variable byteArrayFromString |
24-
| HardcodedSymmetricEncryptionKey.cs:51:42:51:60 | access to local variable byteArrayFromString |
25-
| HardcodedSymmetricEncryptionKey.cs:81:57:81:59 | key |
26-
| HardcodedSymmetricEncryptionKey.cs:86:23:86:25 | access to parameter key |
27-
| HardcodedSymmetricEncryptionKey.cs:90:63:90:65 | key |
28-
| HardcodedSymmetricEncryptionKey.cs:90:63:90:65 | key |
29-
| HardcodedSymmetricEncryptionKey.cs:99:87:99:89 | access to parameter key |
30-
| HardcodedSymmetricEncryptionKey.cs:99:87:99:89 | access to parameter key |
31-
| HardcodedSymmetricEncryptionKey.cs:111:96:111:100 | bytes |
32-
| HardcodedSymmetricEncryptionKey.cs:114:41:114:46 | access to local variable buffer |
33-
#select
34-
| HardcodedSymmetricEncryptionKey.cs:18:21:18:97 | array creation of type Byte[] | HardcodedSymmetricEncryptionKey.cs:18:21:18:97 | array creation of type Byte[] | HardcodedSymmetricEncryptionKey.cs:18:21:18:97 | array creation of type Byte[] | Hard-coded symmetric $@ is used in symmetric algorithm in 'Key' property assignment. | HardcodedSymmetricEncryptionKey.cs:18:21:18:97 | array creation of type Byte[] | key |
35-
| HardcodedSymmetricEncryptionKey.cs:23:23:23:99 | array creation of type Byte[] | HardcodedSymmetricEncryptionKey.cs:23:23:23:99 | array creation of type Byte[] | HardcodedSymmetricEncryptionKey.cs:23:23:23:99 | array creation of type Byte[] | Hard-coded symmetric $@ is used in symmetric algorithm in 'Key' property assignment. | HardcodedSymmetricEncryptionKey.cs:23:23:23:99 | array creation of type Byte[] | key |
36-
| HardcodedSymmetricEncryptionKey.cs:32:21:32:21 | access to local variable d | HardcodedSymmetricEncryptionKey.cs:26:21:26:97 | array creation of type Byte[] | HardcodedSymmetricEncryptionKey.cs:32:21:32:21 | access to local variable d | Hard-coded symmetric $@ is used in symmetric algorithm in 'Key' property assignment. | HardcodedSymmetricEncryptionKey.cs:26:21:26:97 | array creation of type Byte[] | key |
37-
| HardcodedSymmetricEncryptionKey.cs:86:23:86:25 | access to parameter key | HardcodedSymmetricEncryptionKey.cs:26:21:26:97 | array creation of type Byte[] | HardcodedSymmetricEncryptionKey.cs:86:23:86:25 | access to parameter key | Hard-coded symmetric $@ is used in symmetric algorithm in 'Key' property assignment. | HardcodedSymmetricEncryptionKey.cs:26:21:26:97 | array creation of type Byte[] | key |
38-
| HardcodedSymmetricEncryptionKey.cs:99:87:99:89 | access to parameter key | HardcodedSymmetricEncryptionKey.cs:26:21:26:97 | array creation of type Byte[] | HardcodedSymmetricEncryptionKey.cs:99:87:99:89 | access to parameter key | Hard-coded symmetric $@ is used in symmetric algorithm in Encryptor(rgbKey, IV). | HardcodedSymmetricEncryptionKey.cs:26:21:26:97 | array creation of type Byte[] | key |
39-
| HardcodedSymmetricEncryptionKey.cs:99:87:99:89 | access to parameter key | HardcodedSymmetricEncryptionKey.cs:29:62:29:115 | "Hello, world: here is a very bad way to create a key" | HardcodedSymmetricEncryptionKey.cs:99:87:99:89 | access to parameter key | Hard-coded symmetric $@ is used in symmetric algorithm in Encryptor(rgbKey, IV). | HardcodedSymmetricEncryptionKey.cs:29:62:29:115 | "Hello, world: here is a very bad way to create a key" | key |
40-
| HardcodedSymmetricEncryptionKey.cs:114:41:114:46 | access to local variable buffer | HardcodedSymmetricEncryptionKey.cs:29:62:29:115 | "Hello, world: here is a very bad way to create a key" | HardcodedSymmetricEncryptionKey.cs:114:41:114:46 | access to local variable buffer | Hard-coded symmetric $@ is used in symmetric algorithm in CreateSymmetricKey(IBuffer keyMaterial). | HardcodedSymmetricEncryptionKey.cs:29:62:29:115 | "Hello, world: here is a very bad way to create a key" | key |
1+
| HardcodedSymmetricEncryptionKey.cs:18:21:18:97 | array creation of type Byte[] | Hard-coded symmetric $@ is used in symmetric algorithm in Key property assignment | HardcodedSymmetricEncryptionKey.cs:18:21:18:97 | array creation of type Byte[] | key |
2+
| HardcodedSymmetricEncryptionKey.cs:23:23:23:99 | array creation of type Byte[] | Hard-coded symmetric $@ is used in symmetric algorithm in Key property assignment | HardcodedSymmetricEncryptionKey.cs:23:23:23:99 | array creation of type Byte[] | key |
3+
| HardcodedSymmetricEncryptionKey.cs:32:21:32:21 | access to local variable d | Hard-coded symmetric $@ is used in symmetric algorithm in Key property assignment | HardcodedSymmetricEncryptionKey.cs:26:21:26:97 | array creation of type Byte[] | key |
4+
| HardcodedSymmetricEncryptionKey.cs:86:23:86:25 | access to parameter key | Hard-coded symmetric $@ is used in symmetric algorithm in Key property assignment | HardcodedSymmetricEncryptionKey.cs:26:21:26:97 | array creation of type Byte[] | key |
5+
| HardcodedSymmetricEncryptionKey.cs:99:87:99:89 | access to parameter key | Hard-coded symmetric $@ is used in symmetric algorithm in Encryptor(rgbKey, IV) | HardcodedSymmetricEncryptionKey.cs:26:21:26:97 | array creation of type Byte[] | key |
6+
| HardcodedSymmetricEncryptionKey.cs:99:87:99:89 | access to parameter key | Hard-coded symmetric $@ is used in symmetric algorithm in Encryptor(rgbKey, IV) | HardcodedSymmetricEncryptionKey.cs:29:62:29:115 | "Hello, world: here is a very bad way to create a key" | key |

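--- a/csharp/ql/test/query-tests/Security Features/CWE-327/InsecureSQLConnection/InsecureSQLConnection.cs
+++ b/csharp/ql/test/query-tests/Security Features/CWE-327/InsecureSQLConnection/InsecureSQLConnection.cs
@@ -34,15 +34,15 @@ public void StringInBuilderProperty()
 
 public void TriggerThis()
 {
-// BAD, Encrypt not specified
+// BAD, Encrypt not specified [NOT DETECTED]
 SqlConnection conn = new SqlConnection("Server=myServerName\\myInstanceName;Database=myDataBase;User Id=myUsername;");
 }
 
 void Test4()
 {
 string connectString =
 "Server=1.2.3.4;Database=Anything;UID=ab;Pwd=cd";
-// BAD, Encrypt not specified
+// BAD, Encrypt not specified [NOT DETECTED]
 SqlConnectionStringBuilder builder = new SqlConnectionStringBuilder(connectString);
 var conn = new SqlConnection(builder.ConnectionString);
 }
@@ -51,7 +51,7 @@ void Test5()
 {
 string connectString =
 "Server=1.2.3.4;Database=Anything;UID=ab;Pwd=cd;Encrypt=false";
-// BAD, Encrypt set to false
+// BAD, Encrypt set to false [NOT DETECTED]
 SqlConnectionStringBuilder builder = new SqlConnectionStringBuilder(connectString);
 var conn = new SqlConnection(builder.ConnectionString);
 }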
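Review bot: With all three BAD cases in TriggerThis, Test4 and Test5 tagged `[NOT DETECTED]`, and the 13-line expected output that references InsecureSQLConnection.cs removed in the next section, this test no longer seems to assert any positive result for the missing or false `Encrypt` setting. A test with no expected alerts cannot tell a deliberately narrowed query from one that has stopped working. I would keep at least one case the query still flags, or state the gap at the top of the file, e.g. `// NOTE: the query currently reports no results for this file; see <tracking issue>`. The second hunk starts inside Test5, whose signature is visible only in the hunk header.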
Lines changed: 0 additions & 13 deletions
Original file line numberDiff line numberDiff line change
@@ -1,13 +0,0 @@
1-
edges
2-
| InsecureSQLConnection.cs:44:17:44:64 | "Server=1.2.3.4;Database=Anything;UID=ab;Pwd=cd" | InsecureSQLConnection.cs:46:81:46:93 | access to local variable connectString |
3-
| InsecureSQLConnection.cs:53:17:53:78 | "Server=1.2.3.4;Database=Anything;UID=ab;Pwd=cd;Encrypt=false" | InsecureSQLConnection.cs:55:81:55:93 | access to local variable connectString |
4-
nodes
5-
| InsecureSQLConnection.cs:38:52:38:128 | "Server=myServerName\\myInstanceName;Database=myDataBase;User Id=myUsername;" |
6-
| InsecureSQLConnection.cs:44:17:44:64 | "Server=1.2.3.4;Database=Anything;UID=ab;Pwd=cd" |
7-
| InsecureSQLConnection.cs:46:81:46:93 | access to local variable connectString |
8-
| InsecureSQLConnection.cs:53:17:53:78 | "Server=1.2.3.4;Database=Anything;UID=ab;Pwd=cd;Encrypt=false" |
9-
| InsecureSQLConnection.cs:55:81:55:93 | access to local variable connectString |
10-
#select
11-
| InsecureSQLConnection.cs:38:52:38:128 | "Server=myServerName\\myInstanceName;Database=myDataBase;User Id=myUsername;" | InsecureSQLConnection.cs:38:52:38:128 | "Server=myServerName\\myInstanceName;Database=myDataBase;User Id=myUsername;" | InsecureSQLConnection.cs:38:52:38:128 | "Server=myServerName\\myInstanceName;Database=myDataBase;User Id=myUsername;" | $@ flows to here and does not specify `Encrypt=True`. | InsecureSQLConnection.cs:38:52:38:128 | "Server=myServerName\\myInstanceName;Database=myDataBase;User Id=myUsername;" | Connection string |
12-
| InsecureSQLConnection.cs:46:81:46:93 | access to local variable connectString | InsecureSQLConnection.cs:44:17:44:64 | "Server=1.2.3.4;Database=Anything;UID=ab;Pwd=cd" | InsecureSQLConnection.cs:46:81:46:93 | access to local variable connectString | $@ flows to here and does not specify `Encrypt=True`. | InsecureSQLConnection.cs:44:17:44:64 | "Server=1.2.3.4;Database=Anything;UID=ab;Pwd=cd" | Connection string |
13-
| InsecureSQLConnection.cs:55:81:55:93 | access to local variable connectString | InsecureSQLConnection.cs:53:17:53:78 | "Server=1.2.3.4;Database=Anything;UID=ab;Pwd=cd;Encrypt=false" | InsecureSQLConnection.cs:55:81:55:93 | access to local variable connectString | $@ flows to here and does not specify `Encrypt=True`. | InsecureSQLConnection.cs:53:17:53:78 | "Server=1.2.3.4;Database=Anything;UID=ab;Pwd=cd;Encrypt=false" | Connection string |
Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1 +1 @@
1-
../../../../../queries/csharp/Security/Serialization/DeserializedDelegate.ql
1+
Security Features/CWE-502/DeserializedDelegate.ql
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
edges
22
| UnsafeDeserializationUntrustedInputBad.cs:10:37:10:43 | access to parameter textBox | UnsafeDeserializationUntrustedInputBad.cs:10:37:10:48 | access to property Text |
33
nodes
4-
| UnsafeDeserializationUntrustedInputBad.cs:10:37:10:43 | access to parameter textBox |
5-
| UnsafeDeserializationUntrustedInputBad.cs:10:37:10:48 | access to property Text |
4+
| UnsafeDeserializationUntrustedInputBad.cs:10:37:10:43 | access to parameter textBox | semmle.label | access to parameter textBox |
5+
| UnsafeDeserializationUntrustedInputBad.cs:10:37:10:48 | access to property Text | semmle.label | access to property Text |
66
#select
77
| UnsafeDeserializationUntrustedInputBad.cs:10:37:10:48 | access to property Text | UnsafeDeserializationUntrustedInputBad.cs:10:37:10:43 | access to parameter textBox | UnsafeDeserializationUntrustedInputBad.cs:10:37:10:48 | access to property Text | $@ flows to unsafe deserializer. | UnsafeDeserializationUntrustedInputBad.cs:10:37:10:43 | access to parameter textBox | User-provided data |
