public void IsSafeValueConcatinationReturnsTrueIfBothSidesOfConcatinationAreInSafeList()
{
string code = @"
using System;
public class TestClass
{
public void testMethod(string name)
{
string arguments1 = ""echo "" + name;
string arguments2 = arguments1;
System.Diagnostics.Process.Start(""CMD.exe"", arguments2);
}
}
";
IReadOnlyDictionary <Type, IReadOnlyCollection <Type> > safeConcatinationTypes = new Dictionary <Type, IReadOnlyCollection <Type> >
{
{ typeof(string), new List <Type> {
typeof(string)
}.AsReadOnly() }
};
CompilationUnitSyntax root = CSharpSyntaxTree.ParseText(code).GetCompilationUnitRoot();
ArgumentSyntax argument = root.DescendantNodes()
.OfType <ArgumentListSyntax>()
.Last()
.Arguments
.Last();
SyntaxNode concatination = ConcatinationUtilities.GetConcatinatedNode(argument);
bool result = ConcatinationUtilities.IsSafeValueConcatination(concatination as BinaryExpressionSyntax, safeConcatinationTypes);
Assert.True(result);
}
public override void VisitObjectCreationExpression(ObjectCreationExpressionSyntax node)
{
if (IsSqlCommandCreatorNode(node))
{
SyntaxNode concatenatedNode = GetConcatinatedCommandTextNode(node.ArgumentList);
if (concatenatedNode != null && !ConcatinationUtilities.IsSafeValueConcatination(concatenatedNode as BinaryExpressionSyntax, SafeConcatinationTypes))
{
this.ReportableItems.Add(new AnalyserItem(ReporterMessage, node.GetReference()));
}
}
base.VisitObjectCreationExpression(node);
}