C#: Add missinq QlDoc for Serialization classes, remove unused DangerousCallable

tamasvajk · tamasvajk · commit 048428a6fa75 · 2020-08-26T11:21:44.000+02:00
diff --git a/csharp/ql/src/semmle/code/csharp/serialization/Deserializers.qll b/csharp/ql/src/semmle/code/csharp/serialization/Deserializers.qll
@@ -8,6 +8,9 @@ import csharp
 /** An unsafe deserializer. */
 abstract class UnsafeDeserializer extends Callable { }
 
+/**
+ * Known unsafe deserializer methods in the `System.*` namespace.
+ */
 class SystemDeserializer extends UnsafeDeserializer {
   SystemDeserializer() {
     this
@@ -48,12 +51,19 @@ class SystemDeserializer extends UnsafeDeserializer {
   }
 }
 
+/**
+ * Known unsafe deserializer methods in the `Microsoft.*` namespace.
+ */
 class MicrosoftDeserializer extends UnsafeDeserializer {
   MicrosoftDeserializer() {
     this.hasQualifiedName("Microsoft.Web.Design.Remote.ProxyObject", "DecodeValue")
   }
 }
 
+/**
+ * Unsafe deserializer methods that call unsafe deserializers on the
+ * parameters.
+ */
 class WrapperDeserializer extends UnsafeDeserializer {
   WrapperDeserializer() {
     exists(Call call |
diff --git a/csharp/ql/src/semmle/code/csharp/serialization/Serialization.qll b/csharp/ql/src/semmle/code/csharp/serialization/Serialization.qll
@@ -1,5 +1,14 @@
+/**
+ * Provides classes to identify any .Net serializable type such as types
+ * attributed with `SerializableAttribute` and types implementing the
+ * `ISerializable` interface.
+ */
+
 import csharp
 
+/**
+ * A constructor with `SerializationInfo` and `StreamingContext` parameters.
+ */
 class SerializationConstructor extends Constructor {
   SerializationConstructor() {
     this.getNumberOfParameters() = 2 and
@@ -91,16 +100,3 @@ class CustomBinarySerializableType extends BinarySerializableType {
     result.(SerializationConstructor).getDeclaringType() = this
   }
 }
-
-class DangerousCallable extends Callable {
-  DangerousCallable() {
-    //files
-    this.(Method).getQualifiedName().matches("System.IO.File.Write%") or
-    this.(Method).getQualifiedName().matches("System.IO.File.%Copy%") or
-    this.(Method).getQualifiedName().matches("System.IO.File.%Move%") or
-    this.(Method).getQualifiedName().matches("System.IO.File.%Append%") or
-    this.(Method).getQualifiedName().matches("System.IO.%.%Delete%") or
-    //assembly
-    this.(Method).getQualifiedName().matches("System.Reflection.Assembly.%Load%")
-  }
-}
