Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

C#: Introduce flow summaries for StringValues. #7465

Draft
wants to merge 10 commits into
base: main
Choose a base branch
from
Draft

C#: Introduce flow summaries for StringValues. #7465

wants to merge 10 commits into from

Conversation

@michaelnebel
Copy link
Contributor

@michaelnebel michaelnebel commented Dec 21, 2021
edited

The purpose of this PR is to introduce flow summarries for the StringValues struct.
Currently, the FlowSummaries test cases do not include a stub for the StringValues struct.

That is, in this PR we

  • Generate a stub for Microsoft.Extensions.Primitives as this contains the StringValues struct.
  • Include the Microsoft.Extensions.Primitives project into the compilation used for FlowSummaries(Filtered)?.expected.
  • Generate Flow Summaries for StringValues.
  • Convert the flow summaries to CSV format and hardcode in Primitives.qll.
  • Delete flow implementation from LibraryTypeDataFlow.
  • Fix other testcases that include a stub for StringValues to use the generic stub (this includes copying the query files to the test directories as they need to "import csharp", where csharp is the test module that will ensure that flow for operatores defined in resources/stubs will be taken into account).

@hvitved : Added some description of the purpose of this PR.
@github-actions github-actions bot added the C# label Dec 21, 2021
@michaelnebel michaelnebel force-pushed the csharp-stringvalues-csv branch from 9898525 to cfffe9e Dec 22, 2021
@github-actions
Copy link
Contributor

@github-actions github-actions bot commented Dec 22, 2021

⚠️ The head of this PR and the base branch were compared for differences in the framework coverage reports. The generated reports are available in the artifacts of this workflow run. The differences will be picked up by the nightly job after the PR gets merged.

Click to show differences in coverage

csharp

Generated file changes for csharp

  • Changes to framework-coverage-csharp.rst:
-    Others,"``Dapper``, ``Microsoft.ApplicationBlocks.Data``, ``Microsoft.VisualBasic``, ``MySql.Data.MySqlClient``, ``Newtonsoft.Json``",,95,131,
+    Others,"``Dapper``, ``Microsoft.ApplicationBlocks.Data``, ``Microsoft.Extensions.Primitives``, ``Microsoft.VisualBasic``, ``MySql.Data.MySqlClient``, ``Newtonsoft.Json``",,149,131,
-    Totals,,3,2438,353,5
+    Totals,,3,2492,353,5
  • Changes to framework-coverage-csharp.csv:
+ Microsoft.Extensions.Primitives,,,54,,,,,,,54,

@github-actions
Copy link
Contributor

@github-actions github-actions bot commented Dec 22, 2021

⚠️ The head of this PR and the base branch were compared for differences in the framework coverage reports. The generated reports are available in the artifacts of this workflow run. The differences will be picked up by the nightly job after the PR gets merged.

Click to show differences in coverage

csharp

Generated file changes for csharp

  • Changes to framework-coverage-csharp.rst:
-    Others,"``Dapper``, ``Microsoft.ApplicationBlocks.Data``, ``Microsoft.VisualBasic``, ``MySql.Data.MySqlClient``, ``Newtonsoft.Json``",,95,131,
+    Others,"``Dapper``, ``Microsoft.ApplicationBlocks.Data``, ``Microsoft.Extensions.Primitives``, ``Microsoft.VisualBasic``, ``MySql.Data.MySqlClient``, ``Newtonsoft.Json``",,149,131,
-    Totals,,3,2438,353,5
+    Totals,,3,2492,353,5
  • Changes to framework-coverage-csharp.csv:
+ Microsoft.Extensions.Primitives,,,54,,,,,,,54,

michaelnebel
michaelnebel reviewed Dec 22, 2021
View changes
csharp/ql/test/query-tests/Security Features/CWE-601/UrlRedirect/UrlRedirect.expected
@@ -4,15 +4,12 @@ edges
| UrlRedirect.cs:37:44:37:66 | access to property QueryString : NameValueCollection | UrlRedirect.cs:37:44:37:74 | access to indexer |
| UrlRedirect.cs:38:47:38:69 | access to property QueryString : NameValueCollection | UrlRedirect.cs:38:47:38:77 | access to indexer |
| UrlRedirectCore.cs:13:44:13:48 | value : String | UrlRedirectCore.cs:16:22:16:26 | access to parameter value |
| UrlRedirectCore.cs:13:44:13:48 | value : String | UrlRedirectCore.cs:19:44:19:48 | access to parameter value : String |
| UrlRedirectCore.cs:13:44:13:48 | value : String | UrlRedirectCore.cs:25:46:25:50 | access to parameter value : String |
| UrlRedirectCore.cs:13:44:13:48 | value : String | UrlRedirectCore.cs:19:44:19:48 | call to operator implicit conversion |
Copy link
Contributor Author

@michaelnebel michaelnebel Dec 22, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@hvitved : This looks like some kind of edge contraction (where the access and the implicit operator call now have been turned into a single edge), but that the equivalent flows have been identified. Do you know more about this?

hvitved
hvitved reviewed Dec 22, 2021
View changes
csharp/ql/lib/semmle/code/csharp/frameworks/microsoft/extensions/Primitives.qll Outdated
private import semmle.code.csharp.dataflow.ExternalFlow

/** Data flow for `Microsoft.Extensions.Primitives.StringValues`. */
private class MicrosoftVisualBasicCollectionFlowModelCsv extends SummaryModelCsv {
Copy link
Contributor

@hvitved hvitved Dec 22, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copy-paste typo

Copy link
Contributor Author

@michaelnebel michaelnebel Dec 22, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you! Will fix.

csharp/ql/test/library-tests/dataflow/library/FlowSummaries.expected
@@ -1,3 +1,66 @@
| Microsoft.Extensions.Primitives;StringTokenizer;false;GetEnumerator;();;Element of Argument[-1];Property[System.Collections.Generic.IEnumerator<>.Current] of ReturnValue;value |
Copy link
Contributor

@hvitved hvitved Dec 22, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why were these not in the output before?

Copy link
Contributor Author

@michaelnebel michaelnebel Dec 22, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The struct StringTokenizer stub has just been included as a part of Microsoft.Extensions.Primitives (note that these are derived summaries).

Copy link
Contributor

@hvitved hvitved Dec 22, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why has FlowSummariesFiltered.expected then changed?

Copy link
Contributor Author

@michaelnebel michaelnebel Dec 22, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Microsoft.Extensions.Primitives was included because it contains the StringValues struct. Before the FlowSummaries test didn't know about this struct and couldn't generate any test output for it.

@michaelnebel michaelnebel force-pushed the csharp-stringvalues-csv branch from 824f147 to 20dbeb1 Dec 22, 2021
@github-actions
Copy link
Contributor

@github-actions github-actions bot commented Dec 22, 2021

⚠️ The head of this PR and the base branch were compared for differences in the framework coverage reports. The generated reports are available in the artifacts of this workflow run. The differences will be picked up by the nightly job after the PR gets merged.

Click to show differences in coverage

csharp

Generated file changes for csharp

  • Changes to framework-coverage-csharp.rst:
-    Others,"``Dapper``, ``Microsoft.ApplicationBlocks.Data``, ``Microsoft.VisualBasic``, ``MySql.Data.MySqlClient``, ``Newtonsoft.Json``",,95,131,
+    Others,"``Dapper``, ``Microsoft.ApplicationBlocks.Data``, ``Microsoft.Extensions.Primitives``, ``Microsoft.VisualBasic``, ``MySql.Data.MySqlClient``, ``Newtonsoft.Json``",,149,131,
-    Totals,,3,2438,353,5
+    Totals,,3,2492,353,5
  • Changes to framework-coverage-csharp.csv:
+ Microsoft.Extensions.Primitives,,,54,,,,,,,54,

@michaelnebel michaelnebel force-pushed the csharp-stringvalues-csv branch from 20dbeb1 to e7ba73e Dec 22, 2021
@github-actions
Copy link
Contributor

@github-actions github-actions bot commented Dec 22, 2021

⚠️ The head of this PR and the base branch were compared for differences in the framework coverage reports. The generated reports are available in the artifacts of this workflow run. The differences will be picked up by the nightly job after the PR gets merged.

Click to show differences in coverage

csharp

Generated file changes for csharp

  • Changes to framework-coverage-csharp.rst:
-    Others,"``Dapper``, ``Microsoft.ApplicationBlocks.Data``, ``Microsoft.VisualBasic``, ``MySql.Data.MySqlClient``, ``Newtonsoft.Json``",,95,131,
+    Others,"``Dapper``, ``Microsoft.ApplicationBlocks.Data``, ``Microsoft.Extensions.Primitives``, ``Microsoft.VisualBasic``, ``MySql.Data.MySqlClient``, ``Newtonsoft.Json``",,149,131,
-    Totals,,3,2438,353,5
+    Totals,,3,2492,353,5
  • Changes to framework-coverage-csharp.csv:
+ Microsoft.Extensions.Primitives,,,54,,,,,,,54,

michaelnebel added 10 commits Dec 22, 2021
@michaelnebel michaelnebel force-pushed the csharp-stringvalues-csv branch from e7ba73e to 7d9b85b Dec 22, 2021
@github-actions
Copy link
Contributor

@github-actions github-actions bot commented Dec 22, 2021

⚠️ The head of this PR and the base branch were compared for differences in the framework coverage reports. The generated reports are available in the artifacts of this workflow run. The differences will be picked up by the nightly job after the PR gets merged.

Click to show differences in coverage

csharp

Generated file changes for csharp

  • Changes to framework-coverage-csharp.rst:
-    Others,"``Dapper``, ``Microsoft.ApplicationBlocks.Data``, ``Microsoft.VisualBasic``, ``MySql.Data.MySqlClient``, ``Newtonsoft.Json``",,95,131,
+    Others,"``Dapper``, ``Microsoft.ApplicationBlocks.Data``, ``Microsoft.Extensions.Primitives``, ``Microsoft.VisualBasic``, ``MySql.Data.MySqlClient``, ``Newtonsoft.Json``",,149,131,
-    Totals,,3,2438,353,5
+    Totals,,3,2492,353,5
  • Changes to framework-coverage-csharp.csv:
+ Microsoft.Extensions.Primitives,,,54,,,,,,,54,

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@hvitved hvitved

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
C#
Projects
None yet
Milestone
No milestone
Linked issues

Successfully merging this pull request may close these issues.

None yet

2 participants
@michaelnebel @hvitved