From 3a1d5a0af8dc31076eeb16d785bcc004899b53ca Mon Sep 17 00:00:00 2001
From: LingxiaChen
Date: Wed, 30 Oct 2019 15:36:24 +0800
Subject: [PATCH 1/2] Remove constant char array out of SourceInfos.
---
 .../Security/DoNotHardCodeCertificateTests.cs | 41 +++++++++----------
 .../DoNotHardCodeEncryptionKeyTests.cs | 39 +++++++++---------
 .../HardcodedBytesSources.cs | 7 ----
 3 files changed, 39 insertions(+), 48 deletions(-)
diff --git a/src/Microsoft.NetCore.Analyzers/UnitTests/Security/DoNotHardCodeCertificateTests.cs b/src/Microsoft.NetCore.Analyzers/UnitTests/Security/DoNotHardCodeCertificateTests.cs
index d78af5ec51..c169fa02ce 100644
--- a/src/Microsoft.NetCore.Analyzers/UnitTests/Security/DoNotHardCodeCertificateTests.cs
+++ b/src/Microsoft.NetCore.Analyzers/UnitTests/Security/DoNotHardCodeCertificateTests.cs
@@ -116,27 +116,6 @@ public void TestMethod(byte[] bytes, string path)
 GetCSharpResultAt(12, 9, 10, 38, "X509Certificate.X509Certificate(string fileName)", "void TestClass.TestMethod(byte[] bytes, string path)", "string chars", "int ASCIIEncoding.GetBytes(string chars, int charIndex, int charCount, byte[] bytes, int byteIndex)"));
 }
 
- [Fact]
- public void Test_Source_ASCIIEncodingGetBytes_WithCharArrayAndInt32AndInt32AndByteArrayAndInt32Parameters_WithConstantCharArray_Diagnostic()
- {
- VerifyCSharp(@"
-using System.IO;
-using System.Text;
-using System.Security.Cryptography.X509Certificates;
-
-class TestClass
-{
- public void TestMethod(byte[] bytes, string path)
- {
- char[] chars = new char[] {'1', '2', '3'};
- new ASCIIEncoding().GetBytes(chars, 0, 3, bytes, 0);
- File.WriteAllBytes(path, bytes);
- new X509Certificate(path);
- }
-}",
- GetCSharpResultAt(13, 9, 10, 24, "X509Certificate.X509Certificate(string fileName)", "void TestClass.TestMethod(byte[] bytes, string path)", "char[]", "void TestClass.TestMethod(byte[] bytes, string path)"));
- }
-
 [Fact]
 public void Test_Sink_X509Certificate_WithStringAndSecureStringAndX509KeyStorageFlagsParameters_Diagnostic()
 {
@@ -347,6 +326,26 @@ public void TestMethod(string s, string path)
 }");
 }
 
+ [Fact]
+ public void Test_Source_ASCIIEncodingGetBytes_WithCharArrayAndInt32AndInt32AndByteArrayAndInt32Parameters_WithConstantCharArray_NoDiagnostic()
+ {
+ VerifyCSharp(@"
+using System.IO;
+using System.Text;
+using System.Security.Cryptography.X509Certificates;
+
+class TestClass
+{
+ public void TestMethod(byte[] bytes, string path)
+ {
+ char[] chars = new char[] {'1', '2', '3'};
+ new ASCIIEncoding().GetBytes(chars, 0, 3, bytes, 0);
+ File.WriteAllBytes(path, bytes);
+ new X509Certificate(path);
+ }
+}");
+ }
+
 protected override DiagnosticAnalyzer GetBasicDiagnosticAnalyzer()
 {
 return new DoNotHardCodeCertificate();
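Review bot: The new Test_Source_ASCIIEncodingGetBytes_..._WithConstantCharArray_NoDiagnostic fact pins a detection gap — a certificate whose bytes come from the literal `char[] {'1', '2', '3'}` through ASCIIEncoding.GetBytes is now accepted without a report — but nothing in the test records why constant char arrays stopped being treated as hard-coded sources, and the name still carries `Source` although it no longer asserts one. I would add a comment above the `[Fact]`, e.g. `// char[] constants are intentionally not a HardcodedBytes source (see HardcodedBytesSources); this fact guards that decision against regression`, and drop `Source` from the method name. The same applies to the Test_ASCIIEncodingGetBytesWithConstantCharArray..._CreateEncryptor_NoDiagnostic fact added to DoNotHardCodeEncryptionKeyTests.cs in the second patch hunk. The context lines above show the string-based GetBytes overload is still reported, so the narrowed coverage is presumably limited to the char[] form; the enclosing test class starts and ends outside the hunk.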
diff --git a/src/Microsoft.NetCore.Analyzers/UnitTests/Security/DoNotHardCodeEncryptionKeyTests.cs b/src/Microsoft.NetCore.Analyzers/UnitTests/Security/DoNotHardCodeEncryptionKeyTests.cs
index e67e42ef92..bf7f516c2e 100644
--- a/src/Microsoft.NetCore.Analyzers/UnitTests/Security/DoNotHardCodeEncryptionKeyTests.cs
+++ b/src/Microsoft.NetCore.Analyzers/UnitTests/Security/DoNotHardCodeEncryptionKeyTests.cs
@@ -155,26 +155,6 @@ public void TestMethod(byte[] key, byte[] someOtherBytesForIV)
 GetCSharpResultAt(11, 9, 9, 38, "ICryptoTransform SymmetricAlgorithm.CreateEncryptor(byte[] rgbKey, byte[] rgbIV)", "void TestClass.TestMethod(byte[] key, byte[] someOtherBytesForIV)", "string chars", "int ASCIIEncoding.GetBytes(string chars, int charIndex, int charCount, byte[] bytes, int byteIndex)"));
 }
 
- [Fact]
- public void Test_ASCIIEncodingGetBytesWithCharArrayAndInt32AndInt32AndByteArrayAndInt32Parameters_CreateEncryptor_Diagnostic()
- {
- VerifyCSharp(@"
-using System.Text;
-using System.Security.Cryptography;
-
-class TestClass
-{
- public void TestMethod(byte[] key, byte[] someOtherBytesForIV)
- {
- char[] chars = new char[] {'1', '2', '3'};
- new ASCIIEncoding().GetBytes(chars, 0, 3, key, 0);
- SymmetricAlgorithm rijn = SymmetricAlgorithm.Create();
- rijn.CreateEncryptor(key, someOtherBytesForIV);
- }
-}",
- GetCSharpResultAt(12, 9, 9, 24, "ICryptoTransform SymmetricAlgorithm.CreateEncryptor(byte[] rgbKey, byte[] rgbIV)", "void TestClass.TestMethod(byte[] key, byte[] someOtherBytesForIV)", "char[]", "void TestClass.TestMethod(byte[] key, byte[] someOtherBytesForIV)"));
- }
-
 [Fact]
 public void Test_HardcodedInStringWithVariable_CreateEncryptor_Diagnostic()
 {
@@ -668,6 +648,25 @@ public void TestMethod(char[] chars, byte[] key, byte[] someOtherBytesForIV)
 }");
 }
 
+ [Fact]
+ public void Test_ASCIIEncodingGetBytesWithConstantCharArrayAndInt32AndInt32AndByteArrayAndInt32Parameters_CreateEncryptor_NoDiagnostic()
+ {
+ VerifyCSharp(@"
+using System.Text;
+using System.Security.Cryptography;
+
+class TestClass
+{
+ public void TestMethod(byte[] key, byte[] someOtherBytesForIV)
+ {
+ char[] chars = new char[] {'1', '2', '3'};
+ new ASCIIEncoding().GetBytes(chars, 0, 3, key, 0);
+ SymmetricAlgorithm rijn = SymmetricAlgorithm.Create();
+ rijn.CreateEncryptor(key, someOtherBytesForIV);
+ }
+}");
+ }
+
 [Fact]
 public void Test_ElementTypeIsTypeParameter_NoDiagnostic()
 {
diff --git a/src/Utilities/FlowAnalysis/FlowAnalysis/Analysis/TaintedDataAnalysis/HardcodedBytesSources.cs b/src/Utilities/FlowAnalysis/FlowAnalysis/Analysis/TaintedDataAnalysis/HardcodedBytesSources.cs
index 6d9e820543..c9f913f408 100644
--- a/src/Utilities/FlowAnalysis/FlowAnalysis/Analysis/TaintedDataAnalysis/HardcodedBytesSources.cs
+++ b/src/Utilities/FlowAnalysis/FlowAnalysis/Analysis/TaintedDataAnalysis/HardcodedBytesSources.cs
@@ -96,13 +96,6 @@ static HardcodedBytesSources()
 taintedMethodsNeedsPointsToAnalysis: null,
 taintedMethodsNeedsValueContentAnalysis: null,
 taintConstantArray: true);
- builder.AddSourceInfo(
- WellKnownTypeNames.SystemChar,
- isInterface: false,
- taintedProperties: null,
- taintedMethodsNeedsPointsToAnalysis: null,
- taintedMethodsNeedsValueContentAnalysis: null,
- taintConstantArray: true);
 
 SourceInfos = builder.ToImmutableAndFree();
 }
From f8fdccd67f1eb34c9fb2363d42a87c0c46607d6b Mon Sep 17 00:00:00 2001
From: LingxiaChen
Date: Wed, 30 Oct 2019 17:31:19 +0800
Subject: [PATCH 2/2] Fix formatting error.
---
 .../UnitTests/Security/DoNotHardCodeCertificateTests.cs | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
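Review bot: Dropping the SystemChar AddSourceInfo entry is the one analyzer-side change in this series, yet the static constructor keeps no trace of why constant char[] literals are excluded while the entry just above it still passes `taintConstantArray: true`; the next reader who sees `Encoding.GetBytes(char[], ...)` on a literal array go unreported will reasonably assume a bug rather than a decision. I would leave a one-line comment where the entry was, `// char[] constants are intentionally not treated as hard-coded byte sources: <reason — e.g. false positives on non-secret text>`, and state that reason in the commit message, which currently only says what was removed. The `static HardcodedBytesSources()` constructor starts outside the hunk, so I cannot see which type the remaining `taintConstantArray: true` entry covers; if it is byte[], the comment should also spell out that byte and char literals are deliberately treated differently.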
diff --git a/src/Microsoft.NetCore.Analyzers/UnitTests/Security/DoNotHardCodeCertificateTests.cs b/src/Microsoft.NetCore.Analyzers/UnitTests/Security/DoNotHardCodeCertificateTests.cs
index ba44fb716e..dd4a837207 100644
--- a/src/Microsoft.NetCore.Analyzers/UnitTests/Security/DoNotHardCodeCertificateTests.cs
+++ b/src/Microsoft.NetCore.Analyzers/UnitTests/Security/DoNotHardCodeCertificateTests.cs
@@ -344,7 +344,8 @@ public void TestMethod(string s, string path)
 }
 }");
 }
-
+
+ [Fact]
 public void Test_X509Certificate2_NoDiagnostic()
 {
 VerifyCSharp(@"
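Review bot: Read against the hunk counts (one line removed, two added, six context), the added lines are a blank line and `[Fact]`, which would mean Test_X509Certificate2_NoDiagnostic previously carried no xUnit attribute and was never executed — a larger change than the "Fix formatting error" subject suggests, and worth stating in the message so the history shows when that test started running. If the removed line was only trailing whitespace, as it appears after collapsing, the rest of the hunk is cosmetic. The test method's body continues outside the hunk.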