C#: Improve some existing manual models. by michaelnebel · Pull Request #19940 · github/codeql · GitHub | Latest TMZ Celebrity News & Gossip | Watch TMZ Live
Skip to content

C#: Improve some existing manual models. #19940

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 10 commits into
base: main
Choose a base branch
from
Open

C#: Improve some existing manual models. #19940

wants to merge 10 commits into from
+208 −149

Conversation

michaelnebel
Copy link
Contributor

@michaelnebel michaelnebel commented Jul 1, 2025
edited
Loading

In this PR we improve the models as data modelling across multiple classes.

  • Explicitly added summary models for all overloads of System.Xml.XmlDictionaryReader.CreateBinaryReader.
  • Added models for some of the methods and properties in System.Runtime.Serialization.SerializationInfo and System.Runtime.Serialization.SerializationInfoEnumerator.
  • Updated models for System.Text.Encoding.GetBytes, System.Text.Encoding.GetChars and the constructor for System.IO.MemoryStream.

Also convert the deserialization tests to inline expectations.

The new findings in mono/mono for cs/cleartext-storage-of-sensitive-information and
cs/exposure-of-sensitive-information are both related to the improved models for GetBytes (where taint is propagated to another parameter instead of the return).

@github-actions github-actions bot added the C# label Jul 1, 2025
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Jul 1, 2025
edited
Loading

⚠️ The head of this PR and the base branch were compared for differences in the framework coverage reports. The generated reports are available in the artifacts of this workflow run. The differences will be picked up by the nightly job after the PR gets merged.

Click to show differences in coverage

csharp

Generated file changes for csharp

  • Changes to framework-coverage-csharp.rst:
-    System,"``System.*``, ``System``",47,12139,54,5
+    System,"``System.*``, ``System``",47,12165,54,5
-    Totals,,107,14403,407,9
+    Totals,,107,14429,407,9
  • Changes to framework-coverage-csharp.csv:
- System,54,47,12139,,6,5,5,,,4,1,,33,2,,6,15,17,4,3,,5903,6236
+ System,54,47,12165,,6,5,5,,,4,1,,33,2,,6,15,17,4,3,,5929,6236

@michaelnebel michaelnebel marked this pull request as ready for review July 3, 2025 13:26
@Copilot Copilot AI review requested due to automatic review settings July 3, 2025 13:26
@michaelnebel michaelnebel requested a review from a team as a code owner July 3, 2025 13:26
Copilot
Copilot AI reviewed Jul 3, 2025
View reviewed changes
Copy link
Contributor

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR enhances security test queries by converting deserialization tests to inline alert annotations and improves the library’s manual summary models to reduce false negatives.

  • Converted multiple unsafe/unsafe-untrusted-deserialization tests to use inline // $ Alert[...] comments.
  • Renamed and expanded binary‐formatter test classes for broader coverage.
  • Added and refined summary models for XmlDictionaryReader.CreateBinaryReader, Encoding.GetBytes/GetChars, MemoryStream constructors, and serialization APIs.

Reviewed Changes

Copilot reviewed 22 out of 29 changed files in this pull request and generated no comments.

Show a summary per file
File Description
csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserializationUntrustedInputNewtonsoftJson/Test.cs Moved JSON unsafe-deserialization alert to inline comment.
csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserializationUntrustedInput/XmlSerializerUntrustedInputBad.cs Added inline alert annotation after the return call.
csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserializationUntrustedInput/BinaryFormatterUntrustedInputBad.cs Renamed BadBinaryFormatter class and added a second test class.
csharp/ql/src/change-notes/2025-07-01-improve-summary-models.md Documented the new and updated summary models.
csharp/ql/lib/ext/System.Xml.model.yml Added summary models for all XmlDictionaryReader.CreateBinaryReader overloads.
csharp/ql/lib/ext/System.Text.model.yml Updated taint mappings for Encoding.GetBytes/GetChars.
csharp/ql/lib/ext/System.Runtime.Serialization.model.yml Added models for SerializationInfo and SerializationInfoEnumerator.
csharp/ql/lib/ext/System.IO.model.yml Adjusted MemoryStream taint model to use .Element for byte arrays.
Files not reviewed (7)
  • csharp/ql/test/library-tests/dataflow/library/FlowSummaries.expected: Language not supported
  • csharp/ql/test/library-tests/dataflow/library/FlowSummariesFiltered.expected: Language not supported
  • csharp/ql/test/query-tests/Security Features/CWE-502/DeserializedDelegate/DeserializedDelegate.qlref: Language not supported
  • csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserialization/UnsafeDeserialization.qlref: Language not supported
  • csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserializationUntrustedInput/UnsafeDeserializationUntrustedInput.expected: Language not supported
  • csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserializationUntrustedInput/UnsafeDeserializationUntrustedInput.qlref: Language not supported
  • csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserializationUntrustedInputNewtonsoftJson/UnsafeDeserializationUntrustedInput.qlref: Language not supported
Comments suppressed due to low confidence (2)

csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserializationUntrustedInputNewtonsoftJson/Test.cs:17

  • The $ Alert annotation is placed on the JsonSerializerSettings line rather than on the DeserializeObject invocation itself. Move the inline comment to the line starting with return JsonConvert.DeserializeObject(...) to ensure the test framework picks up the alert.
        return JsonConvert.DeserializeObject(data.Text, new JsonSerializerSettings // $ Alert[cs/unsafe-deserialization-untrusted-input]

csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserializationUntrustedInput/BinaryFormatterUntrustedInputBad.cs:7

  • The test harness expects a class named BadBinaryFormatter, but this has been renamed to BadBinaryFormatter1. Rename it back to BadBinaryFormatter to maintain compatibility with the test matcher.
class BadBinaryFormatter1

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
C# documentation
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@michaelnebel

TMZ Celebrity News – Breaking Stories, Videos & Gossip

Looking for the latest TMZ celebrity news? You've come to the right place. From shocking Hollywood scandals to exclusive videos, TMZ delivers it all in real time.

Whether it’s a red carpet slip-up, a viral paparazzi moment, or a legal drama involving your favorite stars, TMZ news is always first to break the story. Stay in the loop with daily updates, insider tips, and jaw-dropping photos.

🎥 Watch TMZ Live

TMZ Live brings you daily celebrity news and interviews straight from the TMZ newsroom. Don’t miss a beat—watch now and see what’s trending in Hollywood.