C#: Only track taint through conversion operators defined in libraries

Author: hvitved

csharp/ql/src/semmle/code/csharp/dataflow/internal/TaintTrackingPrivate.qll

@@ -115,7 +115,7 @@ private class LocalTaintExprStepConfiguration extends ControlFlowReachabilityCon
         )
       or
       e2 = any(OperatorCall oc |
-          oc.getTarget() instanceof ConversionOperator and
+          oc.getTarget().(ConversionOperator).fromLibrary() and
           e1 = oc.getAnArgument() and
           isSuccessor = true
         )

csharp/ql/test/library-tests/dataflow/local/DataFlow.expected

@@ -10,7 +10,7 @@
 | LocalDataFlow.cs:430:23:430:28 | access to local variable sink72 |
 | LocalDataFlow.cs:445:15:445:20 | access to local variable sink73 |
 | LocalDataFlow.cs:446:15:446:20 | access to local variable sink74 |
-| LocalDataFlow.cs:478:15:478:21 | access to parameter tainted |
+| LocalDataFlow.cs:472:15:472:21 | access to parameter tainted |
 | SSA.cs:9:15:9:22 | access to local variable ssaSink0 |
 | SSA.cs:25:15:25:22 | access to local variable ssaSink1 |
 | SSA.cs:43:15:43:22 | access to local variable ssaSink2 |

csharp/ql/test/library-tests/dataflow/local/DataFlowStep.expected

@@ -498,8 +498,6 @@
 | LocalDataFlow.cs:373:13:373:33 | SSA def(sink66) | LocalDataFlow.cs:374:15:374:20 | access to local variable sink66 |
 | LocalDataFlow.cs:373:22:373:27 | access to local variable sink65 | LocalDataFlow.cs:373:22:373:33 | access to property Value |
 | LocalDataFlow.cs:373:22:373:33 | access to property Value | LocalDataFlow.cs:373:13:373:33 | SSA def(sink66) |
-| LocalDataFlow.cs:374:15:374:20 | [post] access to local variable sink66 | LocalDataFlow.cs:451:47:451:52 | access to local variable sink66 |
-| LocalDataFlow.cs:374:15:374:20 | access to local variable sink66 | LocalDataFlow.cs:451:47:451:52 | access to local variable sink66 |
 | LocalDataFlow.cs:377:22:377:30 | SSA def(nonSink17) | LocalDataFlow.cs:378:19:378:27 | access to local variable nonSink17 |
 | LocalDataFlow.cs:377:35:377:42 | access to local variable nonSink4 | LocalDataFlow.cs:379:33:379:40 | access to local variable nonSink4 |
 | LocalDataFlow.cs:379:21:379:56 | SSA def(nonSink18) | LocalDataFlow.cs:380:15:380:23 | access to local variable nonSink18 |
@@ -579,21 +577,18 @@
 | LocalDataFlow.cs:444:22:444:26 | access to local variable sink0 | LocalDataFlow.cs:444:22:444:38 | ... ?? ... |
 | LocalDataFlow.cs:444:22:444:38 | ... ?? ... | LocalDataFlow.cs:444:13:444:38 | SSA def(sink74) |
 | LocalDataFlow.cs:444:31:444:38 | access to local variable nonSink0 | LocalDataFlow.cs:444:22:444:38 | ... ?? ... |
-| LocalDataFlow.cs:446:15:446:20 | [post] access to local variable sink74 | LocalDataFlow.cs:448:32:448:37 | access to local variable sink74 |
-| LocalDataFlow.cs:446:15:446:20 | access to local variable sink74 | LocalDataFlow.cs:448:32:448:37 | access to local variable sink74 |
-| LocalDataFlow.cs:448:23:448:37 | SSA def(sink75) | LocalDataFlow.cs:449:15:449:20 | access to local variable sink75 |
-| LocalDataFlow.cs:448:32:448:37 | call to operator implicit conversion | LocalDataFlow.cs:448:23:448:37 | SSA def(sink75) |
-| LocalDataFlow.cs:451:23:451:52 | SSA def(sink76) | LocalDataFlow.cs:452:15:452:20 | access to local variable sink76 |
-| LocalDataFlow.cs:451:32:451:52 | call to operator implicit conversion | LocalDataFlow.cs:451:23:451:52 | SSA def(sink76) |
-| LocalDataFlow.cs:470:28:470:30 | this | LocalDataFlow.cs:470:41:470:45 | this access |
-| LocalDataFlow.cs:470:50:470:52 | this | LocalDataFlow.cs:470:56:470:60 | this access |
-| LocalDataFlow.cs:470:50:470:52 | value | LocalDataFlow.cs:470:64:470:68 | access to parameter value |
-| LocalDataFlow.cs:476:41:476:47 | tainted | LocalDataFlow.cs:478:15:478:21 | access to parameter tainted |
-| LocalDataFlow.cs:481:44:481:53 | nonTainted | LocalDataFlow.cs:483:15:483:24 | access to parameter nonTainted |
-| LocalDataFlow.cs:486:44:486:44 | x | LocalDataFlow.cs:489:21:489:21 | access to parameter x |
-| LocalDataFlow.cs:486:67:486:68 | os | LocalDataFlow.cs:492:32:492:33 | access to parameter os |
-| LocalDataFlow.cs:489:21:489:21 | access to parameter x | LocalDataFlow.cs:489:16:489:21 | ... = ... |
-| LocalDataFlow.cs:492:32:492:33 | access to parameter os | LocalDataFlow.cs:492:26:492:33 | ... = ... |
+| LocalDataFlow.cs:464:28:464:30 | this | LocalDataFlow.cs:464:41:464:45 | this access |
+| LocalDataFlow.cs:464:50:464:52 | this | LocalDataFlow.cs:464:56:464:60 | this access |
+| LocalDataFlow.cs:464:50:464:52 | value | LocalDataFlow.cs:464:64:464:68 | access to parameter value |
+| LocalDataFlow.cs:470:41:470:47 | tainted | LocalDataFlow.cs:472:15:472:21 | access to parameter tainted |
+| LocalDataFlow.cs:475:44:475:53 | nonTainted | LocalDataFlow.cs:477:15:477:24 | access to parameter nonTainted |
+| LocalDataFlow.cs:480:44:480:44 | x | LocalDataFlow.cs:483:21:483:21 | access to parameter x |
+| LocalDataFlow.cs:480:67:480:68 | os | LocalDataFlow.cs:486:32:486:33 | access to parameter os |
+| LocalDataFlow.cs:483:21:483:21 | access to parameter x | LocalDataFlow.cs:483:16:483:21 | ... = ... |
+| LocalDataFlow.cs:486:32:486:33 | access to parameter os | LocalDataFlow.cs:486:26:486:33 | ... = ... |
+| LocalDataFlow.cs:491:41:491:44 | args | LocalDataFlow.cs:493:29:493:32 | access to parameter args |
+| LocalDataFlow.cs:493:29:493:32 | [post] access to parameter args | LocalDataFlow.cs:494:27:494:30 | access to parameter args |
+| LocalDataFlow.cs:493:29:493:32 | access to parameter args | LocalDataFlow.cs:494:27:494:30 | access to parameter args |
 | SSA.cs:5:17:5:17 | SSA entry def(this.S) | SSA.cs:67:9:67:14 | access to field S |
 | SSA.cs:5:17:5:17 | this | SSA.cs:67:9:67:12 | this access |
 | SSA.cs:5:26:5:32 | tainted | SSA.cs:8:24:8:30 | access to parameter tainted |

csharp/ql/test/library-tests/dataflow/local/LocalDataFlow.cs

@@ -444,12 +444,6 @@ public async void M(bool b)
         var sink74 = sink0 ?? nonSink0;
         Check(sink73);
         Check(sink74);
-
-        LocalDataFlow sink75 = sink74;
-        Check(sink75);
-
-        LocalDataFlow sink76 = (LocalDataFlow)sink66;
-        Check(sink76);
     }
 
     static void Check<T>(T x) { }
@@ -492,7 +486,11 @@ public void AssignmentFlow(IDisposable x, IEnumerable<object> os)
         foreach(var o in os2 = os) { }
     }
 
-    public static implicit operator LocalDataFlow(string s) => null;
+    public static implicit operator LocalDataFlow(string[] args) => null;
 
-    public static explicit operator LocalDataFlow(int x) => null;
+    public void ConversionFlow(string[] args)
+    {
+        Span<object> span = args; // flow (library operator)
+        LocalDataFlow x = args; // no flow (source code operator)
+    }
 }

csharp/ql/test/library-tests/dataflow/local/TaintTracking.expected

@@ -64,9 +64,7 @@
 | LocalDataFlow.cs:430:23:430:28 | access to local variable sink72 |
 | LocalDataFlow.cs:445:15:445:20 | access to local variable sink73 |
 | LocalDataFlow.cs:446:15:446:20 | access to local variable sink74 |
-| LocalDataFlow.cs:449:15:449:20 | access to local variable sink75 |
-| LocalDataFlow.cs:452:15:452:20 | access to local variable sink76 |
-| LocalDataFlow.cs:478:15:478:21 | access to parameter tainted |
+| LocalDataFlow.cs:472:15:472:21 | access to parameter tainted |
 | SSA.cs:9:15:9:22 | access to local variable ssaSink0 |
 | SSA.cs:25:15:25:22 | access to local variable ssaSink1 |
 | SSA.cs:43:15:43:22 | access to local variable ssaSink2 |

csharp/ql/test/library-tests/dataflow/local/TaintTrackingStep.expected

@@ -636,8 +636,6 @@
 | LocalDataFlow.cs:373:13:373:33 | SSA def(sink66) | LocalDataFlow.cs:374:15:374:20 | access to local variable sink66 |
 | LocalDataFlow.cs:373:22:373:27 | access to local variable sink65 | LocalDataFlow.cs:373:22:373:33 | access to property Value |
 | LocalDataFlow.cs:373:22:373:33 | access to property Value | LocalDataFlow.cs:373:13:373:33 | SSA def(sink66) |
-| LocalDataFlow.cs:374:15:374:20 | [post] access to local variable sink66 | LocalDataFlow.cs:451:47:451:52 | access to local variable sink66 |
-| LocalDataFlow.cs:374:15:374:20 | access to local variable sink66 | LocalDataFlow.cs:451:47:451:52 | access to local variable sink66 |
 | LocalDataFlow.cs:377:22:377:30 | SSA def(nonSink17) | LocalDataFlow.cs:378:19:378:27 | access to local variable nonSink17 |
 | LocalDataFlow.cs:377:35:377:42 | access to local variable nonSink4 | LocalDataFlow.cs:377:22:377:30 | SSA def(nonSink17) |
 | LocalDataFlow.cs:377:35:377:42 | access to local variable nonSink4 | LocalDataFlow.cs:379:33:379:40 | access to local variable nonSink4 |
@@ -724,28 +722,25 @@
 | LocalDataFlow.cs:444:22:444:26 | access to local variable sink0 | LocalDataFlow.cs:444:22:444:38 | ... ?? ... |
 | LocalDataFlow.cs:444:22:444:38 | ... ?? ... | LocalDataFlow.cs:444:13:444:38 | SSA def(sink74) |
 | LocalDataFlow.cs:444:31:444:38 | access to local variable nonSink0 | LocalDataFlow.cs:444:22:444:38 | ... ?? ... |
-| LocalDataFlow.cs:446:15:446:20 | [post] access to local variable sink74 | LocalDataFlow.cs:448:32:448:37 | access to local variable sink74 |
-| LocalDataFlow.cs:446:15:446:20 | access to local variable sink74 | LocalDataFlow.cs:448:32:448:37 | access to local variable sink74 |
-| LocalDataFlow.cs:448:23:448:37 | SSA def(sink75) | LocalDataFlow.cs:449:15:449:20 | access to local variable sink75 |
-| LocalDataFlow.cs:448:32:448:37 | access to local variable sink74 | LocalDataFlow.cs:448:32:448:37 | call to operator implicit conversion |
-| LocalDataFlow.cs:448:32:448:37 | call to operator implicit conversion | LocalDataFlow.cs:448:23:448:37 | SSA def(sink75) |
-| LocalDataFlow.cs:451:23:451:52 | SSA def(sink76) | LocalDataFlow.cs:452:15:452:20 | access to local variable sink76 |
-| LocalDataFlow.cs:451:32:451:52 | call to operator implicit conversion | LocalDataFlow.cs:451:23:451:52 | SSA def(sink76) |
-| LocalDataFlow.cs:451:47:451:52 | access to local variable sink66 | LocalDataFlow.cs:451:32:451:52 | call to operator implicit conversion |
-| LocalDataFlow.cs:470:28:470:30 | this | LocalDataFlow.cs:470:41:470:45 | this access |
-| LocalDataFlow.cs:470:50:470:52 | this | LocalDataFlow.cs:470:56:470:60 | this access |
-| LocalDataFlow.cs:470:50:470:52 | value | LocalDataFlow.cs:470:50:470:52 | value |
-| LocalDataFlow.cs:470:50:470:52 | value | LocalDataFlow.cs:470:64:470:68 | access to parameter value |
-| LocalDataFlow.cs:476:41:476:47 | tainted | LocalDataFlow.cs:476:41:476:47 | tainted |
-| LocalDataFlow.cs:476:41:476:47 | tainted | LocalDataFlow.cs:478:15:478:21 | access to parameter tainted |
-| LocalDataFlow.cs:481:44:481:53 | nonTainted | LocalDataFlow.cs:481:44:481:53 | nonTainted |
-| LocalDataFlow.cs:481:44:481:53 | nonTainted | LocalDataFlow.cs:483:15:483:24 | access to parameter nonTainted |
-| LocalDataFlow.cs:486:44:486:44 | x | LocalDataFlow.cs:486:44:486:44 | x |
-| LocalDataFlow.cs:486:44:486:44 | x | LocalDataFlow.cs:489:21:489:21 | access to parameter x |
-| LocalDataFlow.cs:486:67:486:68 | os | LocalDataFlow.cs:486:67:486:68 | os |
-| LocalDataFlow.cs:486:67:486:68 | os | LocalDataFlow.cs:492:32:492:33 | access to parameter os |
-| LocalDataFlow.cs:489:21:489:21 | access to parameter x | LocalDataFlow.cs:489:16:489:21 | ... = ... |
-| LocalDataFlow.cs:492:32:492:33 | access to parameter os | LocalDataFlow.cs:492:26:492:33 | ... = ... |
+| LocalDataFlow.cs:464:28:464:30 | this | LocalDataFlow.cs:464:41:464:45 | this access |
+| LocalDataFlow.cs:464:50:464:52 | this | LocalDataFlow.cs:464:56:464:60 | this access |
+| LocalDataFlow.cs:464:50:464:52 | value | LocalDataFlow.cs:464:50:464:52 | value |
+| LocalDataFlow.cs:464:50:464:52 | value | LocalDataFlow.cs:464:64:464:68 | access to parameter value |
+| LocalDataFlow.cs:470:41:470:47 | tainted | LocalDataFlow.cs:470:41:470:47 | tainted |
+| LocalDataFlow.cs:470:41:470:47 | tainted | LocalDataFlow.cs:472:15:472:21 | access to parameter tainted |
+| LocalDataFlow.cs:475:44:475:53 | nonTainted | LocalDataFlow.cs:475:44:475:53 | nonTainted |
+| LocalDataFlow.cs:475:44:475:53 | nonTainted | LocalDataFlow.cs:477:15:477:24 | access to parameter nonTainted |
+| LocalDataFlow.cs:480:44:480:44 | x | LocalDataFlow.cs:480:44:480:44 | x |
+| LocalDataFlow.cs:480:44:480:44 | x | LocalDataFlow.cs:483:21:483:21 | access to parameter x |
+| LocalDataFlow.cs:480:67:480:68 | os | LocalDataFlow.cs:480:67:480:68 | os |
+| LocalDataFlow.cs:480:67:480:68 | os | LocalDataFlow.cs:486:32:486:33 | access to parameter os |
+| LocalDataFlow.cs:483:21:483:21 | access to parameter x | LocalDataFlow.cs:483:16:483:21 | ... = ... |
+| LocalDataFlow.cs:486:32:486:33 | access to parameter os | LocalDataFlow.cs:486:26:486:33 | ... = ... |
+| LocalDataFlow.cs:491:41:491:44 | args | LocalDataFlow.cs:491:41:491:44 | args |
+| LocalDataFlow.cs:491:41:491:44 | args | LocalDataFlow.cs:493:29:493:32 | access to parameter args |
+| LocalDataFlow.cs:493:29:493:32 | [post] access to parameter args | LocalDataFlow.cs:494:27:494:30 | access to parameter args |
+| LocalDataFlow.cs:493:29:493:32 | access to parameter args | LocalDataFlow.cs:493:29:493:32 | call to operator implicit conversion |
+| LocalDataFlow.cs:493:29:493:32 | access to parameter args | LocalDataFlow.cs:494:27:494:30 | access to parameter args |
 | SSA.cs:5:17:5:17 | SSA entry def(this.S) | SSA.cs:67:9:67:14 | access to field S |
 | SSA.cs:5:17:5:17 | this | SSA.cs:67:9:67:12 | this access |
 | SSA.cs:5:26:5:32 | tainted | SSA.cs:5:26:5:32 | tainted |