From 0062eb12099f09ebd67837b41343037c542a8605 Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Mon, 30 Mar 2026 11:24:55 +0200 Subject: [PATCH 01/10] C#: Update remote flow sources test to also report tainted members. --- .../dataflow/flowsources/remote/remoteFlowSource.expected | 2 ++ .../dataflow/flowsources/remote/remoteFlowSource.ql | 8 +++++--- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/csharp/ql/test/library-tests/dataflow/flowsources/remote/remoteFlowSource.expected b/csharp/ql/test/library-tests/dataflow/flowsources/remote/remoteFlowSource.expected index f5f541d73d53..d115e08c8634 100644 --- a/csharp/ql/test/library-tests/dataflow/flowsources/remote/remoteFlowSource.expected +++ b/csharp/ql/test/library-tests/dataflow/flowsources/remote/remoteFlowSource.expected @@ -1,3 +1,5 @@ +remoteFlowSourceMembers +remoteFlowSources | Controller.cs:11:43:11:52 | sampleData | ASP.NET MVC action method parameter | | Controller.cs:11:62:11:66 | taint | ASP.NET MVC action method parameter | | Controller.cs:16:43:16:52 | sampleData | ASP.NET MVC action method parameter | diff --git a/csharp/ql/test/library-tests/dataflow/flowsources/remote/remoteFlowSource.ql b/csharp/ql/test/library-tests/dataflow/flowsources/remote/remoteFlowSource.ql index fdea5323d5cb..f6d87eb9ff4f 100644 --- a/csharp/ql/test/library-tests/dataflow/flowsources/remote/remoteFlowSource.ql +++ b/csharp/ql/test/library-tests/dataflow/flowsources/remote/remoteFlowSource.ql @@ -1,5 +1,7 @@ import semmle.code.csharp.security.dataflow.flowsources.Remote -from RemoteFlowSource source -where source.getLocation().getFile().fromSource() -select source, source.getSourceType() +query predicate remoteFlowSourceMembers(TaintTracking::TaintedMember m) { m.fromSource() } + +query predicate remoteFlowSources(RemoteFlowSource source, string type) { + source.getLocation().getFile().fromSource() and type = source.getSourceType() +} From 77da545ab439c46924495c14088660956f25dd9e Mon Sep 17 00:00:00 2001 
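Review bot: In remoteFlowSource.ql, `remoteFlowSourceMembers` selects every `TaintTracking::TaintedMember` declared in source, not only members tainted because of a remote flow source. A tainted-member class added to the library for an unrelated reason would therefore change this test's expected output. A one-line QLDoc on the predicate would make that scope explicit, e.g. `/** Holds for every tainted member declared in source, whichever library class taints it. */`.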
From: Michael Nebel Date: Mon, 30 Mar 2026 12:53:17 +0200 Subject: [PATCH 02/10] C#: Reclassify some sources as AspNetRemoteFlowSource. --- .../code/csharp/security/dataflow/flowsources/Remote.qll | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/Remote.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/Remote.qll index 2906fde4e1de..e2ec595cd6d4 100644 --- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/Remote.qll +++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/Remote.qll @@ -104,7 +104,7 @@ class WcfRemoteFlowSource extends RemoteFlowSource, DataFlow::ParameterNode { } /** A data flow source of remote user input (ASP.NET web service). */ -class AspNetServiceRemoteFlowSource extends RemoteFlowSource, DataFlow::ParameterNode { +class AspNetServiceRemoteFlowSource extends AspNetRemoteFlowSource, DataFlow::ParameterNode { AspNetServiceRemoteFlowSource() { exists(Method m | m.getAParameter() = this.getParameter() and @@ -116,7 +116,8 @@ class AspNetServiceRemoteFlowSource extends RemoteFlowSource, DataFlow::Paramete } /** A data flow source of remote user input (ASP.NET request message). */ -class SystemNetHttpRequestMessageRemoteFlowSource extends RemoteFlowSource, DataFlow::ExprNode { +class SystemNetHttpRequestMessageRemoteFlowSource extends AspNetRemoteFlowSource, DataFlow::ExprNode +{ SystemNetHttpRequestMessageRemoteFlowSource() { this.getType() instanceof SystemWebHttpRequestMessageClass } 
@@ -166,7 +167,7 @@ class MicrosoftOwinRequestRemoteFlowSource extends RemoteFlowSource, DataFlow::E } /** A parameter to an Mvc controller action method, viewed as a source of remote user input. */ -class ActionMethodParameter extends RemoteFlowSource, DataFlow::ParameterNode { +class ActionMethodParameter extends AspNetRemoteFlowSource, DataFlow::ParameterNode { ActionMethodParameter() { exists(Parameter p | p = this.getParameter() and From dba1b7539f48b298e28616c03a50bf03f1990795 Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Mon, 30 Mar 2026 14:48:41 +0200 Subject: [PATCH 03/10] C#: Taint members of types used in ASP.NET remote flow source context. --- .../security/dataflow/flowsources/Remote.qll | 34 +++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/Remote.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/Remote.qll index e2ec595cd6d4..2aa18c0d2a80 100644 --- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/Remote.qll +++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/Remote.qll 
@@ -115,6 +115,40 @@ class AspNetServiceRemoteFlowSource extends AspNetRemoteFlowSource, DataFlow::Pa override string getSourceType() { result = "ASP.NET web service input" } } +/** + * Taint members (transitively) on types used in + * 1. Action method parameters. + * 2. WebMethod parameters. + * + * Note, that this also impacts uses of such types in other contexts. + */ +private class AspNetRemoteFlowSourceMember extends TaintTracking::TaintedMember { + AspNetRemoteFlowSourceMember() { + exists(Type t, Type t0 | t = this.getDeclaringType() | + (t = t0 or t = t0.(ArrayType).getElementType()) and + ( + t0 = any(AspNetRemoteFlowSourceMember m).getType() + or + t0 = any(ActionMethodParameter p).getType() + or + t0 = any(AspNetServiceRemoteFlowSource source).getType() + ) + ) and + this.isPublic() and + not this.isStatic() and + ( + this = + any(Property p | + p.isAutoImplemented() and + p.getGetter().isPublic() and + p.getSetter().isPublic() + ) + or + this = any(Field f | f.isPublic()) + ) + } +} + /** A data flow source of remote user input (ASP.NET request message). */ class SystemNetHttpRequestMessageRemoteFlowSource extends AspNetRemoteFlowSource, DataFlow::ExprNode { From 921d93e42707eef0b7a88544b93e6c070843d871 Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Mon, 30 Mar 2026 12:44:07 +0200 Subject: [PATCH 04/10] C#: Add an ASP.NET flow source example when using the WebMethod attribute. --- .../flowsources/remote/RemoteFlowSource.cs | 48 +++++++++++++++++++ .../remote/remoteFlowSource.expected | 10 ++++ csharp/ql/test/resources/stubs/System.Web.cs | 5 ++ 3 files changed, 63 insertions(+) diff --git a/csharp/ql/test/library-tests/dataflow/flowsources/remote/RemoteFlowSource.cs b/csharp/ql/test/library-tests/dataflow/flowsources/remote/RemoteFlowSource.cs index 5889183f5257..3c7cbcba04a2 100644 --- a/csharp/ql/test/library-tests/dataflow/flowsources/remote/RemoteFlowSource.cs +++ b/csharp/ql/test/library-tests/dataflow/flowsources/remote/RemoteFlowSource.cs 
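Review bot: `AspNetRemoteFlowSourceMember` matches a member only when its declaring type is exactly the parameter or member type, or that type's array element type, because of `t = this.getDeclaringType()` combined with `t = t0 or t = t0.(ArrayType).getElementType()`. Public settable properties and fields that a model class inherits from a base class are therefore not tainted, although they are presumably populated from the request in the same way, which would be a false negative for derived request models. Consider also walking the base types, for example `t = t0.(ValueOrRefType).getABaseType*()`, and adding a derived-model test case. The same shape is reused for `AspNetCoreRemoteFlowSourceMember` in patch 05 and kept in patch 09. Separately, `this.isPublic()` already covers the field branch, so `this = any(Field f | f.isPublic())` could be `this instanceof Field`.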
@@ -54,3 +54,51 @@ public static async void M3(System.Net.WebSockets.WebSocket webSocket) } } } + +namespace AspRemoteFlowSource +{ + using System.Web.Services; + + public class MySubData + { + public string SubDataProp { get; set; } + } + + public class MyElementSubData + { + public string ElementSubDataProp { get; set; } + } + + public class MyData + { + public string DataField; + public string DataProp { get; set; } + public MySubData SubData { get; set; } + public MyElementSubData[] Elements { get; set; } + } + + public class MyDataElement + { + public string Prop { get; set; } + } + + + public class MyService + { + [WebMethod] + public void MyMethod(MyData data) + { + Use(data.DataProp); + Use(data.SubData.SubDataProp); + Use(data.Elements[0].ElementSubDataProp); + } + + [WebMethod] + public void MyMethod2(MyDataElement[] data) + { + Use(data[0].Prop); + } + + public static void Use(object o) { } + } +} diff --git a/csharp/ql/test/library-tests/dataflow/flowsources/remote/remoteFlowSource.expected b/csharp/ql/test/library-tests/dataflow/flowsources/remote/remoteFlowSource.expected index d115e08c8634..ef70ca9ad93a 100644 --- a/csharp/ql/test/library-tests/dataflow/flowsources/remote/remoteFlowSource.expected +++ b/csharp/ql/test/library-tests/dataflow/flowsources/remote/remoteFlowSource.expected @@ -1,4 +1,12 @@ remoteFlowSourceMembers +| Controller.cs:6:19:6:25 | Tainted | +| RemoteFlowSource.cs:64:23:64:33 | SubDataProp | +| RemoteFlowSource.cs:69:23:69:40 | ElementSubDataProp | +| RemoteFlowSource.cs:74:23:74:31 | DataField | +| RemoteFlowSource.cs:75:23:75:30 | DataProp | +| RemoteFlowSource.cs:76:26:76:32 | SubData | +| RemoteFlowSource.cs:77:35:77:42 | Elements | +| RemoteFlowSource.cs:82:23:82:26 | Prop | remoteFlowSources | Controller.cs:11:43:11:52 | sampleData | ASP.NET MVC action method parameter | | Controller.cs:11:62:11:66 | taint | ASP.NET MVC action method parameter | 
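Review bot: The new `AspRemoteFlowSource` namespace in RemoteFlowSource.cs contains only members that are expected to be tainted, so the WebMethod path has no negative cases for the visibility and setter filter in `AspNetRemoteFlowSourceMember`. The ASP.NET Core test (aspremote/AspRemoteFlowSource.cs) already has such cases. Adding a get-only property, a `private set` property and a static property to `MyData`, e.g. `public string OnlyGet { get; }`, would make a later loosening of the filter visible in remoteFlowSource.expected. A short comment on each member saying whether it is expected to be tainted, as the Core test does, would also help.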
@@ -12,3 +20,5 @@ remoteFlowSources | RemoteFlowSource.cs:45:17:45:23 | access to parameter request | ASP.NET query string | | RemoteFlowSource.cs:45:17:45:42 | access to property RawUrl | ASP.NET unvalidated request data | | RemoteFlowSource.cs:52:55:52:61 | [post] access to local variable segment | external | +| RemoteFlowSource.cs:89:37:89:40 | data | ASP.NET web service input | +| RemoteFlowSource.cs:97:47:97:50 | data | ASP.NET web service input | diff --git a/csharp/ql/test/resources/stubs/System.Web.cs b/csharp/ql/test/resources/stubs/System.Web.cs index c15b871095ff..23ae0f298cf4 100644 --- a/csharp/ql/test/resources/stubs/System.Web.cs +++ b/csharp/ql/test/resources/stubs/System.Web.cs @@ -454,3 +454,8 @@ public class SimpleTypeResolver : System.Web.Script.Serialization.JavaScriptType public SimpleTypeResolver() => throw null; } } + +namespace System.Web.Services +{ + public class WebMethodAttribute : Attribute { } +} From 8060d2ff24a9aa9ef0cc771c5e906dfba3e62f02 Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Wed, 1 Apr 2026 11:06:15 +0200 Subject: [PATCH 05/10] C#: Streamline the implementation for ASP.NET Core tainted members. --- .../security/dataflow/flowsources/Remote.qll | 51 +++++++++++-------- .../aspremote/AspRemoteFlowSource.cs | 2 +- .../aspremote/aspRemoteFlowSource.expected | 1 + 3 files changed, 33 insertions(+), 21 deletions(-) diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/Remote.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/Remote.qll index 2aa18c0d2a80..4fab2e8f5482 100644 --- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/Remote.qll +++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/Remote.qll 
@@ -115,6 +115,23 @@ class AspNetServiceRemoteFlowSource extends AspNetRemoteFlowSource, DataFlow::Pa override string getSourceType() { result = "ASP.NET web service input" } } +private class CandidateMembersToTaint extends Member { + CandidateMembersToTaint() { + this.isPublic() and + not this.isStatic() and + ( + this = + any(Property p | + p.isAutoImplemented() and + p.getGetter().isPublic() and + p.getSetter().isPublic() + ) + or + this = any(Field f | f.isPublic()) + ) + } +} + /** * Taint members (transitively) on types used in * 1. Action method parameters. @@ -122,7 +139,9 @@ class AspNetServiceRemoteFlowSource extends AspNetRemoteFlowSource, DataFlow::Pa * * Note, that this also impacts uses of such types in other contexts. */ -private class AspNetRemoteFlowSourceMember extends TaintTracking::TaintedMember { +private class AspNetRemoteFlowSourceMember extends TaintTracking::TaintedMember, + CandidateMembersToTaint +{ AspNetRemoteFlowSourceMember() { exists(Type t, Type t0 | t = this.getDeclaringType() | (t = t0 or t = t0.(ArrayType).getElementType()) and @@ -133,18 +152,6 @@ private class AspNetRemoteFlowSourceMember extends TaintTracking::TaintedMember or t0 = any(AspNetServiceRemoteFlowSource source).getType() ) - ) and - this.isPublic() and - not this.isStatic() and - ( - this = - any(Property p | - p.isAutoImplemented() and - p.getGetter().isPublic() and - p.getSetter().isPublic() - ) - or - this = any(Field f | f.isPublic()) ) } } 
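Review bot: `CandidateMembersToTaint` is introduced without QLDoc, yet it holds the rule that decides which members both the ASP.NET and ASP.NET Core classes treat as attacker-controlled. I would document it, e.g. `/** A public, non-static field or auto-implemented property with public getter and setter; the members this library treats as populated from request data. */`. Because `AspNetCoreRemoteFlowSourceMember` is routed through this class later in the same patch, public fields become tainted for ASP.NET Core as well. That behaviour change is easier to audit when the rule is stated in one place.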
@@ -253,14 +260,18 @@ class AspNetCoreRoutingMethodParameter extends AspNetCoreRemoteFlowSource, DataF * Flow is defined from any ASP.NET Core remote source object to any of its member * properties. */ -private class AspNetCoreRemoteFlowSourceMember extends TaintTracking::TaintedMember, Property { +private class AspNetCoreRemoteFlowSourceMember extends TaintTracking::TaintedMember, + CandidateMembersToTaint +{ AspNetCoreRemoteFlowSourceMember() { - this.getDeclaringType() = any(AspNetCoreRemoteFlowSource source).getType() and - this.isPublic() and - not this.isStatic() and - this.isAutoImplemented() and - this.getGetter().isPublic() and - this.getSetter().isPublic() + exists(Type t, Type t0 | t = this.getDeclaringType() | + (t = t0 or t = t0.(ArrayType).getElementType()) and + ( + t0 = any(AspNetCoreRemoteFlowSourceMember m).getType() + or + t0 = any(AspNetCoreRemoteFlowSource m).getType() + ) + ) } } diff --git a/csharp/ql/test/library-tests/dataflow/flowsources/aspremote/AspRemoteFlowSource.cs b/csharp/ql/test/library-tests/dataflow/flowsources/aspremote/AspRemoteFlowSource.cs index 176f95e4a89d..e554f25f2064 100644 --- a/csharp/ql/test/library-tests/dataflow/flowsources/aspremote/AspRemoteFlowSource.cs +++ b/csharp/ql/test/library-tests/dataflow/flowsources/aspremote/AspRemoteFlowSource.cs @@ -8,7 +8,7 @@ namespace Testing public class ViewModel { public string RequestId { get; set; } // Considered tainted. - public object RequestIdField; // Not considered tainted as it is a field. + public object RequestIdField; // Considered tainted. public string RequestIdOnlyGet { get; } // Not considered tainted as there is no setter. public string RequestIdPrivateSet { get; private set; } // Not considered tainted as it has a private setter. public static object RequestIdStatic { get; set; } // Not considered tainted as it is static. 
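Review bot: The QLDoc kept as context above `AspNetCoreRemoteFlowSourceMember` still says flow goes from a source object "to any of its member properties", but after this hunk the class also taints public fields, members reached transitively through other tainted members, and members of array element types. Update the comment to match, for instance `Taints public fields and auto-implemented properties (transitively, and through array element types) on types used as ASP.NET Core remote flow sources.`, and repeat the warning from the ASP.NET class that this affects uses of such types in other contexts. In `t0 = any(AspNetCoreRemoteFlowSource m).getType()` the bound variable is a source rather than a member, so `source` would be a clearer name. The doc comment begins outside this hunk.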
diff --git a/csharp/ql/test/library-tests/dataflow/flowsources/aspremote/aspRemoteFlowSource.expected b/csharp/ql/test/library-tests/dataflow/flowsources/aspremote/aspRemoteFlowSource.expected index a7442a80839c..d729eb939d28 100644 --- a/csharp/ql/test/library-tests/dataflow/flowsources/aspremote/aspRemoteFlowSource.expected +++ b/csharp/ql/test/library-tests/dataflow/flowsources/aspremote/aspRemoteFlowSource.expected @@ -1,5 +1,6 @@ remoteFlowSourceMembers | AspRemoteFlowSource.cs:10:23:10:31 | RequestId | +| AspRemoteFlowSource.cs:11:23:11:36 | RequestIdField | | AspRemoteFlowSource.cs:28:23:28:29 | Tainted | remoteFlowSources | AspRemoteFlowSource.cs:20:42:20:50 | viewModel | From dc0e7d4988e08f611906a059635ad6b6f2fc9144 Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Wed, 1 Apr 2026 11:23:12 +0200 Subject: [PATCH 06/10] C#: Add change-note. --- csharp/ql/lib/change-notes/2026-04-01-asp-remote-sources.md | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 csharp/ql/lib/change-notes/2026-04-01-asp-remote-sources.md diff --git a/csharp/ql/lib/change-notes/2026-04-01-asp-remote-sources.md b/csharp/ql/lib/change-notes/2026-04-01-asp-remote-sources.md new file mode 100644 index 000000000000..52f3f721e9fa --- /dev/null +++ b/csharp/ql/lib/change-notes/2026-04-01-asp-remote-sources.md @@ -0,0 +1,4 @@ +--- +category: minorAnalysis +--- +* Expanded ASP and ASP.NET remote source modeling to cover additional sources, including fields of tainted parameters as well as properties and fields that become tainted transitively. From 105508430587e29281bd893e2a86728b6c6781c1 Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Wed, 1 Apr 2026 13:23:06 +0200 Subject: [PATCH 07/10] C#: Address review comments. --- .../semmle/code/csharp/security/dataflow/flowsources/Remote.qll | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/Remote.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/Remote.qll index 4fab2e8f5482..2a74c7844b12 100644 --- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/Remote.qll +++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/Remote.qll @@ -137,7 +137,7 @@ private class CandidateMembersToTaint extends Member { * 1. Action method parameters. * 2. WebMethod parameters. * - * Note, that this also impacts uses of such types in other contexts. + * Note that this also impacts uses of such types in other contexts. */ private class AspNetRemoteFlowSourceMember extends TaintTracking::TaintedMember, CandidateMembersToTaint From f826262f1d1e0be30bab3ebd895d3fc38da15c6d Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Tue, 21 Apr 2026 13:36:43 +0200 Subject: [PATCH 08/10] C#: Re-factor CollectionType into an abstract class and introduce getElementType predicate. --- .../code/csharp/commons/Collections.qll | 41 +++++++++++++++---- 1 file changed, 32 insertions(+), 9 deletions(-) diff --git a/csharp/ql/lib/semmle/code/csharp/commons/Collections.qll b/csharp/ql/lib/semmle/code/csharp/commons/Collections.qll index b33c0f73d60d..c0752a720b26 100644 --- a/csharp/ql/lib/semmle/code/csharp/commons/Collections.qll +++ b/csharp/ql/lib/semmle/code/csharp/commons/Collections.qll 
@@ -54,21 +54,44 @@ private string genericCollectionTypeName() { ] } -/** A collection type. */ -class CollectionType extends RefType { - CollectionType() { +/** A collection type */ +abstract private class CollectionTypeImpl extends RefType { + /** + * Gets the element type of this collection, for example `int` in `List`. + */ + abstract Type getElementType(); +} + +private class GenericCollectionType extends CollectionTypeImpl { + private ConstructedType base; + + GenericCollectionType() { + base = this.getABaseType*() and + base.getUnboundGeneric() + .hasFullyQualifiedName(genericCollectionNamespaceName(), genericCollectionTypeName()) + } + + override Type getElementType() { + result = base.getTypeArgument(0) and base.getNumberOfTypeArguments() = 1 + } +} + +private class NonGenericCollectionType extends CollectionTypeImpl { + NonGenericCollectionType() { exists(RefType base | base = this.getABaseType*() | base.hasFullyQualifiedName(collectionNamespaceName(), collectionTypeName()) - or - base.(ConstructedType) - .getUnboundGeneric() - .hasFullyQualifiedName(genericCollectionNamespaceName(), genericCollectionTypeName()) ) - or - this instanceof ArrayType } + + override Type getElementType() { none() } } +private class ArrayCollectionType extends CollectionTypeImpl instanceof ArrayType { + override Type getElementType() { result = ArrayType.super.getElementType() } +} + +final class CollectionType = CollectionTypeImpl; + /** * A collection type that can be used as a `params` parameter type. */ From 2d6197fd7da9e534ea8eccb6462945915405b672 Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Tue, 21 Apr 2026 14:06:36 +0200 Subject: [PATCH 09/10] C#: Generalize ASP.NET taint members to collection types. --- .../csharp/security/dataflow/flowsources/Remote.qll | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) 
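Review bot: In Collections.qll the exported name `CollectionType` is now a `final` alias with no QLDoc, and the comment moved onto `CollectionTypeImpl` lost its full stop. Add `/** A collection type. */` directly above `final class CollectionType = CollectionTypeImpl;` so the public class stays documented. Making the alias final also means QL code that extends `CollectionType` would no longer compile; I cannot see callers from this hunk, but that may deserve a change note. In `GenericCollectionType`, the field `base` ranges over every matching constructed base type, so `getElementType()` can have several results, and none when a match has more than one type argument. The QLDoc on `getElementType` should state this, because the tainted-member classes in Remote.qll depend on it after patch 09.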
diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/Remote.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/Remote.qll index 2a74c7844b12..aa8c8536556e 100644 --- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/Remote.qll +++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/Remote.qll @@ -3,6 +3,7 @@ */ import csharp +private import semmle.code.csharp.commons.Collections private import semmle.code.csharp.frameworks.system.Net private import semmle.code.csharp.frameworks.system.Web private import semmle.code.csharp.frameworks.system.web.Http @@ -115,8 +116,8 @@ class AspNetServiceRemoteFlowSource extends AspNetRemoteFlowSource, DataFlow::Pa override string getSourceType() { result = "ASP.NET web service input" } } -private class CandidateMembersToTaint extends Member { - CandidateMembersToTaint() { +private class CandidateMemberToTaint extends Member { + CandidateMemberToTaint() { this.isPublic() and not this.isStatic() and ( @@ -140,11 +141,11 @@ private class CandidateMembersToTaint extends Member { * Note that this also impacts uses of such types in other contexts. */ private class AspNetRemoteFlowSourceMember extends TaintTracking::TaintedMember, - CandidateMembersToTaint + CandidateMemberToTaint { AspNetRemoteFlowSourceMember() { exists(Type t, Type t0 | t = this.getDeclaringType() | - (t = t0 or t = t0.(ArrayType).getElementType()) and + (t = t0 or t = t0.(CollectionType).getElementType()) and ( t0 = any(AspNetRemoteFlowSourceMember m).getType() or 
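Review bot: In the last hunk of this line, the element step `t = t0.(CollectionType).getElementType()` in `AspNetRemoteFlowSourceMember` is applied only once. A parameter or member typed as a collection of collections (a jagged array, or a list of arrays) therefore does not appear to reach the members of the innermost element type. If nested shapes should be covered, a small private recursive predicate that unwraps element types repeatedly could replace the single step here and in the identical line of `AspNetCoreRemoteFlowSourceMember` in the following hunk. Map-like types also look uncovered, since `GenericCollectionType.getElementType()` from patch 08 only has a result for a single type argument. A sentence in the class QLDoc naming the supported shapes would help readers judge where false negatives remain. The class body continues past the end of this hunk.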
@@ -261,11 +262,11 @@ class AspNetCoreRoutingMethodParameter extends AspNetCoreRemoteFlowSource, DataF * properties. */ private class AspNetCoreRemoteFlowSourceMember extends TaintTracking::TaintedMember, - CandidateMembersToTaint + CandidateMemberToTaint { AspNetCoreRemoteFlowSourceMember() { exists(Type t, Type t0 | t = this.getDeclaringType() | - (t = t0 or t = t0.(ArrayType).getElementType()) and + (t = t0 or t = t0.(CollectionType).getElementType()) and ( t0 = any(AspNetCoreRemoteFlowSourceMember m).getType() or From 8b93ce274707c2ddcd83d348c3ee82cb8dfaf02f Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Tue, 21 Apr 2026 14:07:22 +0200 Subject: [PATCH 10/10] C#: Add ASP.NET test case for a collection type. --- .../flowsources/remote/RemoteFlowSource.cs | 16 +++++++++++---- .../remote/remoteFlowSource.expected | 20 ++++++++++--------- 2 files changed, 23 insertions(+), 13 deletions(-) diff --git a/csharp/ql/test/library-tests/dataflow/flowsources/remote/RemoteFlowSource.cs b/csharp/ql/test/library-tests/dataflow/flowsources/remote/RemoteFlowSource.cs index 3c7cbcba04a2..d54a359aca0c 100644 --- a/csharp/ql/test/library-tests/dataflow/flowsources/remote/RemoteFlowSource.cs +++ b/csharp/ql/test/library-tests/dataflow/flowsources/remote/RemoteFlowSource.cs @@ -58,15 +58,21 @@ public static async void M3(System.Net.WebSockets.WebSocket webSocket) namespace AspRemoteFlowSource { using System.Web.Services; + using System.Collections.Generic; public class MySubData { public string SubDataProp { get; set; } } - public class MyElementSubData + public class ArrayElementData + { + public string ArrayElementDataProp { get; set; } + } + + public class ListElementData { - public string ElementSubDataProp { get; set; } + public string ListElementDataProp { get; set; } } public class MyData 
@@ -74,7 +80,8 @@ public class MyData public string DataField; public string DataProp { get; set; } public MySubData SubData { get; set; } - public MyElementSubData[] Elements { get; set; } + public ArrayElementData[] Elements { get; set; } + public List List; } public class MyDataElement @@ -90,7 +97,8 @@ public void MyMethod(MyData data) { Use(data.DataProp); Use(data.SubData.SubDataProp); - Use(data.Elements[0].ElementSubDataProp); + Use(data.Elements[0].ArrayElementDataProp); + Use(data.List[0].ListElementDataProp); } [WebMethod] diff --git a/csharp/ql/test/library-tests/dataflow/flowsources/remote/remoteFlowSource.expected b/csharp/ql/test/library-tests/dataflow/flowsources/remote/remoteFlowSource.expected index ef70ca9ad93a..242080e6bda2 100644 --- a/csharp/ql/test/library-tests/dataflow/flowsources/remote/remoteFlowSource.expected +++ b/csharp/ql/test/library-tests/dataflow/flowsources/remote/remoteFlowSource.expected @@ -1,12 +1,14 @@ remoteFlowSourceMembers | Controller.cs:6:19:6:25 | Tainted | -| RemoteFlowSource.cs:64:23:64:33 | SubDataProp | -| RemoteFlowSource.cs:69:23:69:40 | ElementSubDataProp | -| RemoteFlowSource.cs:74:23:74:31 | DataField | -| RemoteFlowSource.cs:75:23:75:30 | DataProp | -| RemoteFlowSource.cs:76:26:76:32 | SubData | -| RemoteFlowSource.cs:77:35:77:42 | Elements | -| RemoteFlowSource.cs:82:23:82:26 | Prop | +| RemoteFlowSource.cs:65:23:65:33 | SubDataProp | +| RemoteFlowSource.cs:70:23:70:42 | ArrayElementDataProp | +| RemoteFlowSource.cs:75:23:75:41 | ListElementDataProp | +| RemoteFlowSource.cs:80:23:80:31 | DataField | +| RemoteFlowSource.cs:81:23:81:30 | DataProp | +| RemoteFlowSource.cs:82:26:82:32 | SubData | +| RemoteFlowSource.cs:83:35:83:42 | Elements | +| RemoteFlowSource.cs:84:38:84:41 | List | +| RemoteFlowSource.cs:89:23:89:26 | Prop | remoteFlowSources | Controller.cs:11:43:11:52 | sampleData | ASP.NET MVC action method parameter | | Controller.cs:11:62:11:66 | taint | ASP.NET MVC action method parameter | 
@@ -20,5 +22,5 @@ remoteFlowSources | RemoteFlowSource.cs:45:17:45:23 | access to parameter request | ASP.NET query string | | RemoteFlowSource.cs:45:17:45:42 | access to property RawUrl | ASP.NET unvalidated request data | | RemoteFlowSource.cs:52:55:52:61 | [post] access to local variable segment | external | -| RemoteFlowSource.cs:89:37:89:40 | data | ASP.NET web service input | -| RemoteFlowSource.cs:97:47:97:50 | data | ASP.NET web service input | +| RemoteFlowSource.cs:96:37:96:40 | data | ASP.NET web service input | +| RemoteFlowSource.cs:105:47:105:50 | data | ASP.NET web service input |