C#: Address QL review comments.

calumgrant · calumgrant · commit 6b2e339ec5e7 · 2018-11-22T11:45:41.000Z
diff --git a/csharp/ql/src/Security Features/CWE-134/UncontrolledFormatString.ql b/csharp/ql/src/Security Features/CWE-134/UncontrolledFormatString.ql
@@ -13,25 +13,22 @@
 import csharp
 import semmle.code.csharp.dataflow.flowsources.Remote
 import semmle.code.csharp.dataflow.TaintTracking
-import semmle.code.csharp.frameworks.System
+import semmle.code.csharp.frameworks.Format
 import DataFlow::PathGraph
 
-class FormatStringConfiguration extends TaintTracking::Configuration
-{
+class FormatStringConfiguration extends TaintTracking::Configuration {
   FormatStringConfiguration() { this = "FormatStringConfiguration" }
   
   override predicate isSource(DataFlow::Node source) {
     source instanceof RemoteFlowSource
   }
 
   override predicate isSink(DataFlow::Node sink) {
-    exists(MethodCall call | sink.asExpr() = call.getArgumentForName("format") and
-      call.getTarget() = any(SystemStringClass s).getFormatMethod()
-    )
+    sink.asExpr() = any(FormatCall call).getFormatExpr()
   }
 }
 
 from FormatStringConfiguration config, DataFlow::PathNode source, DataFlow::PathNode sink
 where config.hasFlowPath(source, sink)
 select sink.getNode(), source, sink,
-  "$@ flows to here and is used to format 'String.Format'.", source.getNode(), source.getNode().toString()
+  "$@ flows to here and is used as a format string.", source.getNode(), source.getNode().toString()
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-134/UncontrolledFormatString.expected b/csharp/ql/test/query-tests/Security Features/CWE-134/UncontrolledFormatString.expected
@@ -2,7 +2,15 @@ edges
 | UncontrolledFormatString.cs:11:23:11:45 | access to property QueryString | UncontrolledFormatString.cs:14:23:14:26 | access to local variable path |
 | UncontrolledFormatString.cs:11:23:11:45 | access to property QueryString | UncontrolledFormatString.cs:17:46:17:49 | access to local variable path |
 | UncontrolledFormatStringBad.cs:9:25:9:47 | access to property QueryString | UncontrolledFormatStringBad.cs:12:39:12:44 | access to local variable format |
+nodes
+| UncontrolledFormatString.cs:11:23:11:45 | access to property QueryString |
+| UncontrolledFormatString.cs:14:23:14:26 | access to local variable path |
+| UncontrolledFormatString.cs:17:46:17:49 | access to local variable path |
+| UncontrolledFormatString.cs:20:23:20:38 | "Do not do this" |
+| UncontrolledFormatString.cs:23:46:23:61 | "Do not do this" |
+| UncontrolledFormatStringBad.cs:9:25:9:47 | access to property QueryString |
+| UncontrolledFormatStringBad.cs:12:39:12:44 | access to local variable format |
 #select
-| UncontrolledFormatString.cs:14:23:14:26 | access to local variable path | UncontrolledFormatString.cs:11:23:11:45 | access to property QueryString | UncontrolledFormatString.cs:14:23:14:26 | access to local variable path | $@ flows to here and is used to format 'String.Format'. | UncontrolledFormatString.cs:11:23:11:45 | access to property QueryString | access to property QueryString |
-| UncontrolledFormatString.cs:17:46:17:49 | access to local variable path | UncontrolledFormatString.cs:11:23:11:45 | access to property QueryString | UncontrolledFormatString.cs:17:46:17:49 | access to local variable path | $@ flows to here and is used to format 'String.Format'. | UncontrolledFormatString.cs:11:23:11:45 | access to property QueryString | access to property QueryString |
-| UncontrolledFormatStringBad.cs:12:39:12:44 | access to local variable format | UncontrolledFormatStringBad.cs:9:25:9:47 | access to property QueryString | UncontrolledFormatStringBad.cs:12:39:12:44 | access to local variable format | $@ flows to here and is used to format 'String.Format'. | UncontrolledFormatStringBad.cs:9:25:9:47 | access to property QueryString | access to property QueryString |
+| UncontrolledFormatString.cs:14:23:14:26 | access to local variable path | UncontrolledFormatString.cs:11:23:11:45 | access to property QueryString | UncontrolledFormatString.cs:14:23:14:26 | access to local variable path | $@ flows to here and is used as a format string. | UncontrolledFormatString.cs:11:23:11:45 | access to property QueryString | access to property QueryString |
+| UncontrolledFormatString.cs:17:46:17:49 | access to local variable path | UncontrolledFormatString.cs:11:23:11:45 | access to property QueryString | UncontrolledFormatString.cs:17:46:17:49 | access to local variable path | $@ flows to here and is used as a format string. | UncontrolledFormatString.cs:11:23:11:45 | access to property QueryString | access to property QueryString |
+| UncontrolledFormatStringBad.cs:12:39:12:44 | access to local variable format | UncontrolledFormatStringBad.cs:9:25:9:47 | access to property QueryString | UncontrolledFormatStringBad.cs:12:39:12:44 | access to local variable format | $@ flows to here and is used as a format string. | UncontrolledFormatStringBad.cs:9:25:9:47 | access to property QueryString | access to property QueryString |
