C#: Improve cs/invalid-string-formatting and add to the Code Quality suite.
#19148
Conversation
michaelnebel
force-pushed
the
csharp/invalid-string-format
branch
5 times, most recently
from
cfe6cbd to
286ae79
Compare
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
michaelnebel
force-pushed
the
csharp/invalid-string-format
branch
2 times, most recently
from
852eab9 to
e8f8145
Compare
|
DCA
|
michaelnebel
force-pushed
the
csharp/invalid-string-format
branch
from
51a03d2 to
be8d379
Compare
michaelnebel
changed the title
cs/invalid-string-formatting and add to the codeql quality suite.
michaelnebel
force-pushed
the
csharp/invalid-string-format
branch
from
be8d379 to
5c6b1dd
Compare
michaelnebel
changed the title
cs/invalid-string-formatting and add to the codeql quality suite.cs/invalid-string-formatting and add to the Code Quality suite.
hvitved
left a comment
hvitved
left a comment
There was a problem hiding this comment.
Great work, thanks for breaking up into individual commits, that made reviewing a lot easier.
| String.Format("{0} {1} {2} {3}", 0, 1, 2, 3); | ||
|
|
||
| helper("{1}"); | ||
| helper("{1}"); // $ Source |
There was a problem hiding this comment.
I think this should be e.g. Source=source1 and then $ Alert=source1 further down.
|
|
||
| // BAD: Invalid format string | ||
| String.Format("%d", 1); | ||
| String.Format("%d", 1); // $ Alert Sink |
There was a problem hiding this comment.
I don't think the Sink part is needed when it is on the same line as the alert.
There was a problem hiding this comment.
The Sink and Alert doesn't have the exact same location (only the same line numbers), so the test fails, if we don't add both tags.
There was a problem hiding this comment.
There was a problem hiding this comment.
CoPilot managed to do it 😸
| class FormatMethod extends Method { | ||
| FormatMethod() { | ||
| exists(Class declType | declType = this.getDeclaringType() | | ||
| abstract class FormatMethod extends Method { |
There was a problem hiding this comment.
Now we are exposing an abstract method, which is not backwards-compatible (and also not best practice). So Instead replace the current abstract FormatMethod class with a private FormatMethodImpl class, and add final class FormatMethod = FormatMethodImpl;.
There was a problem hiding this comment.
Never mind, I see that you did exactly this in a subsequent commit.
| void TestCompositeFormatMissingArgument() | ||
| { | ||
| var format0 = CompositeFormat.Parse("{0}"); | ||
| var format1 = CompositeFormat.Parse("{1}"); // $ Source |
There was a problem hiding this comment.
Again, it is better to uniquely identify the sources so we can match them up against the alerts.
I think it is fine to keep as-is. |
michaelnebel
force-pushed
the
csharp/invalid-string-format
branch
from
5c6b1dd to
b9183ff
Compare
michaelnebel
force-pushed
the
csharp/invalid-string-format
branch
from
c10b5ce to
b9183ff
Compare
…tions and adjust some of the testcases.
…valid-string-format.
michaelnebel
force-pushed
the
csharp/invalid-string-format
branch
from
b9183ff to
65ac951
Compare
2 participants
In this PR we
cs/invalid-string-formattingto the code quality suite.Improve the
cs/invalid-string-formattingquery bystring.Formatwhere no additional arguments are provided (for instancestring.Format("{")). Also start takingCompositeFormatversions ofFormatmethods into account and considerSystem.Text.CompositeFormat.Parsea method that parses format strings and might throw exceptions and cause a runtime crash.string.FormatandStringBuilder.AppendFormatand also add support forMemoryExtensions.TryWrite.Console.WriteLine(string)and friends (methods that itsn't format methods).Review commit by commit is encouraged.
@hvitved : The data flow configurations are quite similar. Is it a better approach to use flow state to track calls to
CompositeFormat.Parse? (instead of merging two similar graphs).