Skip to content

C#: Allow implicit collection reads in sink nodes. #20089

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 8 commits into from
Aug 21, 2025
Merged

C#: Allow implicit collection reads in sink nodes. #20089

merged 8 commits into from
Aug 21, 2025

Conversation

@michaelnebel
Copy link
Contributor

@michaelnebel michaelnebel commented Jul 18, 2025
edited
Loading

And additional flow steps (for default taint tracking configurations).

DCA shows a couple of extra alerts, where the added step looks sounds. The alerts show up in various cases where the elements of a collection are tainted and the sink receives the entire collection as input.

@michaelnebel michaelnebel changed the title C#: Allow implicit collection reads in sinks for default taint tracking configurations. C#: Allow implicit collection reads in sinks nodes. Jul 18, 2025
@github-actions github-actions bot added the C# label Jul 18, 2025
@michaelnebel michaelnebel changed the title C#: Allow implicit collection reads in sinks nodes. C#: Allow implicit collection reads in sink nodes. Aug 18, 2025
@michaelnebel michaelnebel force-pushed the csharp/allowsinkimplicitread branch from 0956459 to ca5a0dc Compare August 18, 2025 09:57
@michaelnebel michaelnebel marked this pull request as ready for review August 18, 2025 10:35
@michaelnebel michaelnebel requested a review from a team as a code owner August 18, 2025 10:35
Copilot AI review requested due to automatic review settings August 18, 2025 10:35
Copilot AI reviewed Aug 18, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR enables implicit collection reads in C# taint tracking sink nodes to improve flow coverage and reduce false negatives. The change allows taint tracking to recognize when tainted elements within a collection can flow to sinks that receive the entire collection.

  • Adds implicit collection reads for argument nodes at sinks and flow steps
  • Updates default taint tracking configuration to handle collection element flows
  • Enhances external model flow detection for collection-based operations

Reviewed Changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated no comments.

Show a summary per file
File Description
TaintTrackingPrivate.qll Implements the core logic for implicit collection reads at argument nodes
HashWithoutSalt.ql Adds collection interface support for CopyTo method detection
ExternalFlow.expected Updates test expectations with new flow detection results
ExternalFlow.cs Updates test comment to reflect new flow behavior
CollectionTaintTracking.* Adds new test cases for collection taint tracking scenarios
change-notes/* Documents the analysis improvement

You can also share your feedback on Copilot code review for a chance to win a $100 gift card. Take the survey.

@michaelnebel michaelnebel requested a review from hvitved August 18, 2025 10:35
aschackmull
aschackmull previously approved these changes Aug 18, 2025
View reviewed changes
hvitved
hvitved reviewed Aug 18, 2025
View reviewed changes
csharp/ql/lib/semmle/code/csharp/dataflow/internal/TaintTrackingPrivate.qll Outdated
Comment on lines 34 to 35
node instanceof ArgumentNode and
Collections::isCollectionType(node.getType()) and
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actually, I would have thought that this was simply exists(node).

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I added these extra criteria to narrow it as much as possible (primarily interested in adding the implicit reads on sink method calls - note that the predicate is also used to allow implicit reads on inputs to additional taint steps). Will try with your suggestion and see what DCA says.

@michaelnebel michaelnebel force-pushed the csharp/allowsinkimplicitread branch from ca5a0dc to b42c366 Compare August 20, 2025 06:52
hvitved
hvitved reviewed Aug 20, 2025
View reviewed changes
csharp/ql/lib/semmle/code/csharp/dataflow/internal/TaintTrackingPrivate.qll Outdated
private import semmle.code.csharp.dataflow.internal.ControlFlowReachability
private import semmle.code.csharp.dispatch.Dispatch
private import semmle.code.csharp.commons.ComparisonTest
private import semmle.code.csharp.commons.Collections as Collections
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This import is now redundant.

@michaelnebel michaelnebel requested a review from hvitved August 21, 2025 07:58
@michaelnebel michaelnebel merged commit c89f2e3 into github:main Aug 21, 2025
24 checks passed
@michaelnebel michaelnebel deleted the csharp/allowsinkimplicitread branch August 21, 2025 13:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@hvitved hvitved hvitved approved these changes

@aschackmull aschackmull aschackmull left review comments

Assignees

No one assigned

Labels

C# documentation

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@michaelnebel @hvitved @aschackmull