C#: Enhanced LogForgingQuery to treat C# Enums as simple types.

Author: ianroof

csharp/ql/lib/semmle/code/csharp/security/Sanitizers.qll

@@ -57,7 +57,8 @@ class SimpleTypeSanitizedExpr extends DataFlow::ExprNode {
   SimpleTypeSanitizedExpr() {
     exists(Type t | t = this.getType() or t = this.getType().(NullableType).getUnderlyingType() |
       t instanceof SimpleType or
-      t instanceof SystemDateTimeStruct
+      t instanceof SystemDateTimeStruct or 
+      t instanceof Enum
     )
   }
 }

csharp/ql/src/change-notes/2024-09-18-csharp-log-forging-enum.md

@@ -0,0 +1,4 @@
+---
+category: fix
+---
+* Enhanced LogForgingQuery to treat C# Enums as simple types.

csharp/ql/test/query-tests/Security Features/CWE-117/LogForgingSimpleTypes.cs

@@ -0,0 +1,46 @@
+using System;
+using System.Diagnostics;
+using System.IO;
+using System.Net;
+using System.Web;
+using Microsoft.Extensions.Logging;
+
+class ILogger
+{
+    public void Warn(string message) { }
+}
+
+enum TestEnum
+{
+    TestEnumValue
+}
+
+public class LogForgingSimpleTypes
+{
+    public void Execute(HttpContext ctx)
+    {
+        // GOOD: int
+        logger.Warn("Logging simple type (int):" 1);
+
+        // GOOD: long
+        logger.Warn("Logging simple type (int):" 1L);
+
+        // GOOD: float
+        logger.Warn("Logging simple type (float):" 1.1);
+        
+        // GOOD: double
+        logger.Warn("Logging simple type (double):" 1.1d);
+        
+        // GOOD: decimal
+        logger.Warn("Logging simple type (double):" 1.1m);
+        
+        // GOOD: Enum
+        logger.Warn("Logging simple type (Enum):" TestEnum.TestEnumVAlue);
+        
+        // GOOD: DateTime
+        logger.Warn("Logging simple type (int):" new DateTime());
+
+        // GOOD: DateTimeOffset
+        logger.Warn("Logging simple type (int):" DateTimeOffset.UtcNow);
+    }
+}