protected override void Initialize(SonarAnalysisContext context)
{
    // Registers every syntactic shape this rule reports on: raw SQL text that is
    // assembled with string concatenation, String.Format or string interpolation
    // and then handed to an EF Core or ADO.NET API. A compile-time constant string
    // is never reported (a constant cannot carry runtime data).

    // The SQL text is looked for at argument index 0 and at index 1 — presumably to
    // cover both the extension-method call form and the static call form (TODO confirm).
    var dynamicFirstArgument = Conditions.Or(
        ArgumentAtIndexIsConcat(0),
        ArgumentAtIndexIsFormat(0),
        ArgumentAtIndexIsInterpolated(0));
    var dynamicSecondArgument = Conditions.Or(
        ArgumentAtIndexIsConcat(1),
        ArgumentAtIndexIsFormat(1),
        ArgumentAtIndexIsInterpolated(1));
    // The invoked overload must expose the raw-SQL parameter (see MethodHasRawSqlQueryParameter).
    var rawSqlBuiltDynamically = Conditions.And(
        MethodHasRawSqlQueryParameter(),
        Conditions.Or(dynamicFirstArgument, dynamicSecondArgument));
    var unlessFirstArgumentIsConstant = Conditions.ExceptWhen(
        InvocationTracker.ArgumentAtIndexIsConstant(0));

    // EF Core: RelationalQueryableExtensions.FromSql(...)
    InvocationTracker.Track(context,
        InvocationTracker.MatchMethod(
            new MemberDescriptor(KnownType.Microsoft_EntityFrameworkCore_RelationalQueryableExtensions, "FromSql")),
        rawSqlBuiltDynamically,
        unlessFirstArgumentIsConstant);

    // EF Core: RelationalDatabaseFacadeExtensions.ExecuteSqlCommand / ExecuteSqlCommandAsync
    InvocationTracker.Track(context,
        InvocationTracker.MatchMethod(
            new MemberDescriptor(KnownType.Microsoft_EntityFrameworkCore_RelationalDatabaseFacadeExtensions, "ExecuteSqlCommandAsync"),
            new MemberDescriptor(KnownType.Microsoft_EntityFrameworkCore_RelationalDatabaseFacadeExtensions, "ExecuteSqlCommand")),
        rawSqlBuiltDynamically,
        unlessFirstArgumentIsConstant);

    // ADO.NET: assignments to the CommandText property of the supported command types.
    PropertyAccessTracker.Track(context,
        PropertyAccessTracker.MatchProperty(
            new MemberDescriptor(KnownType.System_Data_Odbc_OdbcCommand, "CommandText"),
            new MemberDescriptor(KnownType.System_Data_OracleClient_OracleCommand, "CommandText"),
            new MemberDescriptor(KnownType.System_Data_SqlClient_SqlCommand, "CommandText"),
            new MemberDescriptor(KnownType.System_Data_SqlServerCe_SqlCeCommand, "CommandText")),
        PropertyAccessTracker.MatchSetter(),
        Conditions.Or(SetterIsConcat(), SetterIsFormat(), SetterIsInterpolation()),
        Conditions.ExceptWhen(PropertyAccessTracker.AssignedValueIsConstant()));

    // Constructors that take the SQL text as their first (string) argument.
    ObjectCreationTracker.Track(context,
        ObjectCreationTracker.MatchConstructor(
            KnownType.Microsoft_EntityFrameworkCore_RawSqlString,
            KnownType.System_Data_SqlClient_SqlCommand,
            KnownType.System_Data_SqlClient_SqlDataAdapter,
            KnownType.System_Data_Odbc_OdbcCommand,
            KnownType.System_Data_Odbc_OdbcDataAdapter,
            KnownType.System_Data_SqlServerCe_SqlCeCommand,
            KnownType.System_Data_SqlServerCe_SqlCeDataAdapter,
            KnownType.System_Data_OracleClient_OracleCommand,
            KnownType.System_Data_OracleClient_OracleDataAdapter),
        ObjectCreationTracker.ArgumentAtIndexIs(0, KnownType.System_String),
        Conditions.Or(FirstArgumentIsConcat(), FirstArgumentIsFormat(), FirstArgumentIsInterpolation()),
        Conditions.ExceptWhen(ObjectCreationTracker.ArgumentAtIndexIsConst(0)));
}
protected override void Initialize(SonarAnalysisContext context)
{
    // Registers every place where a cookie value is written: System.Web's HttpCookie
    // (Value setter, constructor, indexer, and the Values collection) and ASP.NET Core's
    // cookie collections and Set-Cookie headers. No condition on the written value is
    // attached, so every matched write site is reported.
    var httpCookieValues = new MemberDescriptor(KnownType.System_Web_HttpCookie, "Values");
    const string setCookieHeader = "Set-Cookie";

    // ----- System.Web.HttpCookie -----
    // cookie.Value = ...
    PropertyAccessTracker.Track(context,
        PropertyAccessTracker.MatchProperty(new MemberDescriptor(KnownType.System_Web_HttpCookie, "Value")),
        PropertyAccessTracker.MatchSetter());
    // new HttpCookie(name, value) — the second argument must be a string.
    ObjectCreationTracker.Track(context,
        ObjectCreationTracker.MatchConstructor(KnownType.System_Web_HttpCookie),
        ObjectCreationTracker.ArgumentAtIndexIs(1, KnownType.System_String));
    // cookie["key"] = ...
    ElementAccessTracker.Track(context,
        ElementAccessTracker.MatchIndexerIn(KnownType.System_Web_HttpCookie),
        ElementAccessTracker.ArgumentAtIndexIs(0, KnownType.System_String),
        ElementAccessTracker.MatchSetter());
    // cookie.Values["key"] = ...  (NameValueCollection indexer reached through HttpCookie.Values)
    ElementAccessTracker.Track(context,
        ElementAccessTracker.MatchIndexerIn(KnownType.System_Collections_Specialized_NameValueCollection),
        ElementAccessTracker.MatchSetter(),
        ElementAccessTracker.MatchProperty(httpCookieValues));
    // cookie.Values.Add(...)  (NameObjectCollectionBase.Add reached through HttpCookie.Values)
    InvocationTracker.Track(context,
        InvocationTracker.MatchMethod(new MemberDescriptor(KnownType.System_Collections_Specialized_NameObjectCollectionBase, "Add")),
        InvocationTracker.MatchProperty(httpCookieValues));

    // ----- ASP.NET Core -----
    // headers["Set-Cookie"] = ...
    ElementAccessTracker.Track(context,
        ElementAccessTracker.MatchIndexerIn(KnownType.Microsoft_AspNetCore_Http_IHeaderDictionary),
        ElementAccessTracker.ArgumentAtIndexEquals(0, setCookieHeader),
        ElementAccessTracker.MatchSetter());
    // Indexer assignments on IRequestCookieCollection / IResponseCookies.
    ElementAccessTracker.Track(context,
        ElementAccessTracker.MatchIndexerIn(
            KnownType.Microsoft_AspNetCore_Http_IRequestCookieCollection,
            KnownType.Microsoft_AspNetCore_Http_IResponseCookies),
        ElementAccessTracker.MatchSetter());
    // Response.Cookies.Append(...)
    InvocationTracker.Track(context,
        InvocationTracker.MatchMethod(new MemberDescriptor(KnownType.Microsoft_AspNetCore_Http_IResponseCookies, "Append")));
    // dictionary.Add("Set-Cookie", value) — two-parameter IDictionary.Add (C# and VB
    // type variants) on a receiver accepted by IsIHeadersDictionary().
    InvocationTracker.Track(context,
        InvocationTracker.MatchMethod(
            new MemberDescriptor(KnownType.System_Collections_Generic_IDictionary_TKey_TValue, "Add"),
            new MemberDescriptor(KnownType.System_Collections_Generic_IDictionary_TKey_TValue_VB, "Add")),
        InvocationTracker.ArgumentAtIndexEquals(0, setCookieHeader),
        InvocationTracker.MethodHasParameters(2),
        IsIHeadersDictionary());
}
protected override void Initialize(SonarAnalysisContext context)
{
    // Reports the three ways the process image to launch can be named when the
    // supplied value fails IsInvalid: Process.Start(...), assignments to
    // ProcessStartInfo.FileName, and ProcessStartInfo constructors with a fileName argument.
    var processStart = new MemberDescriptor(KnownType.System_Diagnostics_Process, "Start");
    var startInfoFileName = new MemberDescriptor(KnownType.System_Diagnostics_ProcessStartInfo, "FileName");

    // Process.Start(...): the first argument is the one inspected.
    InvocationTracker.Track(context,
        InvocationTracker.MatchMethod(processStart),
        c => IsInvalid(FirstArgument(c)));

    // startInfo.FileName = ...
    // NOTE(review): the cast assumes AssignedValue yields a string or null; a non-string
    // constant assigned here would throw InvalidCastException — confirm that cannot happen.
    PropertyAccessTracker.Track(context,
        PropertyAccessTracker.MatchProperty(startInfoFileName),
        PropertyAccessTracker.MatchSetter(),
        c => IsInvalid((string)PropertyAccessTracker.AssignedValue(c)));

    // new ProcessStartInfo(fileName, ...): the constant argument is looked up by parameter
    // name, and only a string constant is handed to IsInvalid.
    ObjectCreationTracker.Track(context,
        ObjectCreationTracker.MatchConstructor(KnownType.System_Diagnostics_ProcessStartInfo),
        c => ObjectCreationTracker.ConstArgumentForParameter(c, "fileName") is string value && IsInvalid(value));
}
protected override void Initialize(SonarAnalysisContext context)
{
    // Reports every place where the executable to launch is named. No condition on
    // the value itself is attached — each matched site is reported.
    var processStart = new MemberDescriptor(KnownType.System_Diagnostics_Process, "Start");
    var startInfoFileName = new MemberDescriptor(KnownType.System_Diagnostics_ProcessStartInfo, "FileName");

    // Process.Start(...) overloads with parameters, except the one taking a
    // ProcessStartInfo (its file name is caught by the two trackers below).
    // MethodHasParameters() is called without a count — presumably "any non-empty
    // parameter list"; confirm against the tracker.
    InvocationTracker.Track(context,
        InvocationTracker.MatchMethod(processStart),
        Conditions.ExceptWhen(
            InvocationTracker.ArgumentAtIndexIs(0, KnownType.System_Diagnostics_ProcessStartInfo)),
        InvocationTracker.MethodHasParameters());

    // startInfo.FileName = ...
    PropertyAccessTracker.Track(context,
        PropertyAccessTracker.MatchProperty(startInfoFileName),
        PropertyAccessTracker.MatchSetter());

    // new ProcessStartInfo(string, ...)
    ObjectCreationTracker.Track(context,
        ObjectCreationTracker.MatchConstructor(KnownType.System_Diagnostics_ProcessStartInfo),
        ObjectCreationTracker.ArgumentAtIndexIs(0, KnownType.System_String));
}
protected override void Initialize(SonarAnalysisContext context)
{
    // RSA.Encrypt / RSA.TryEncrypt using PKCS#1 padding: either the legacy bool
    // parameter fOAEP is the constant false (OAEP not requested), or an explicit
    // PKCS1 padding argument is passed (see HasPkcs1PaddingArgument).
    var rsaEncrypt = new MemberDescriptor(KnownType.System_Security_Cryptography_RSA, "Encrypt");
    var rsaTryEncrypt = new MemberDescriptor(KnownType.System_Security_Cryptography_RSA, "TryEncrypt");
    InvocationTracker.Track(context,
        InvocationTracker.MatchMethod(rsaEncrypt, rsaTryEncrypt),
        Conditions.Or(
            InvocationTracker.ArgumentIsBoolConstant("fOAEP", false),
            HasPkcs1PaddingArgument()));

    // AesManaged has no GCM mode, so whatever Mode is assigned the result is insecure.
    // The constructor is reported; a Mode assignment inside that constructor's object
    // initializer is skipped so the same location is not reported twice.
    ObjectCreationTracker.Track(context,
        ObjectCreationTracker.MatchConstructor(KnownType.System_Security_Cryptography_AesManaged));
    PropertyAccessTracker.Track(context,
        PropertyAccessTracker.MatchProperty(
            new MemberDescriptor(KnownType.System_Security_Cryptography_AesManaged, "Mode")),
        PropertyAccessTracker.MatchSetter(),
        Conditions.ExceptWhen(IsInsideObjectInitializer()));
}
protected override void Initialize(SonarAnalysisContext context)
{
    // Registers the raw-SQL sinks. Methods whose SQL may sit in either of the first two
    // argument positions are handled inline; the groups with a single known position are
    // delegated to TrackInvocations / TrackObjectCreation with the relevant index.
    // A constant value is never reported (a constant cannot carry runtime data).
    var rawSqlTrackedInFirstTwoArguments = Conditions.And(
        MethodHasRawSqlQueryParameter(),
        Conditions.Or(ArgumentAtIndexIsTracked(0), ArgumentAtIndexIsTracked(1)));
    InvocationTracker.Track(context,
        InvocationTracker.MatchMethod(invocationsForFirstTwoArguments),
        rawSqlTrackedInFirstTwoArguments,
        Conditions.ExceptWhen(InvocationTracker.ArgumentAtIndexIsConstant(0)));

    // Single-position invocations and constructors.
    TrackInvocations(context, invocationsForFirstArgument, FirstArgumentIndex);
    TrackInvocations(context, invocationsForSecondArgument, SecondArgumentIndex);
    TrackObjectCreation(context, constructorsForFirstArgument, FirstArgumentIndex);
    TrackObjectCreation(context, constructorsForSecondArgument, SecondArgumentIndex);

    // Property setters: the assigned value (GetSetValue) is what must be tracked.
    PropertyAccessTracker.Track(context,
        PropertyAccessTracker.MatchProperty(properties),
        PropertyAccessTracker.MatchSetter(),
        c => IsTracked(GetSetValue(c), c),
        Conditions.ExceptWhen(PropertyAccessTracker.AssignedValueIsConstant()));
}
protected override void Initialize(SonarAnalysisContext context)
{
    // Registers the identity/principal-related constructs this rule reports on. No
    // value conditions are attached — every matched construct is reported:
    //  - creating a PrincipalPermission, or any type that derives from / implements
    //    IIdentity or IPrincipal;
    //  - calls that obtain or install a principal: WindowsIdentity.GetCurrent,
    //    SecurityTokenHandler.ValidateToken, AppDomain.SetPrincipalPolicy / SetThreadPrincipal;
    //  - any access (read or write) of HttpContext.User and Thread.CurrentPrincipal;
    //  - ordinary methods with an IIdentity / IPrincipal parameter, and methods decorated
    //    with PrincipalPermissionAttribute;
    //  - types whose base list includes IIdentity or IPrincipal.
    ObjectCreationTracker.Track(context,
        ObjectCreationTracker.MatchConstructor(KnownType.System_Security_Permissions_PrincipalPermission));
    ObjectCreationTracker.Track(context,
        ObjectCreationTracker.WhenDerivesOrImplementsAny(
            KnownType.System_Security_Principal_IIdentity,
            KnownType.System_Security_Principal_IPrincipal));

    var getCurrentIdentity = new MemberDescriptor(KnownType.System_Security_Principal_WindowsIdentity, "GetCurrent");
    var validateToken = new MemberDescriptor(KnownType.System_IdentityModel_Tokens_SecurityTokenHandler, "ValidateToken");
    var setPrincipalPolicy = new MemberDescriptor(KnownType.System_AppDomain, "SetPrincipalPolicy");
    var setThreadPrincipal = new MemberDescriptor(KnownType.System_AppDomain, "SetThreadPrincipal");
    InvocationTracker.Track(context,
        InvocationTracker.MatchMethod(getCurrentIdentity, validateToken, setPrincipalPolicy, setThreadPrincipal));

    PropertyAccessTracker.Track(context,
        PropertyAccessTracker.MatchProperty(
            new MemberDescriptor(KnownType.System_Web_HttpContext, "User"),
            new MemberDescriptor(KnownType.System_Threading_Thread, "CurrentPrincipal")));

    MethodDeclarationTracker.Track(context,
        MethodDeclarationTracker.AnyParameterIsOfType(
            KnownType.System_Security_Principal_IIdentity,
            KnownType.System_Security_Principal_IPrincipal),
        MethodDeclarationTracker.IsOrdinaryMethod());
    MethodDeclarationTracker.Track(context,
        MethodDeclarationTracker.DecoratedWithAnyAttribute(
            KnownType.System_Security_Permissions_PrincipalPermissionAttribute));

    BaseTypeTracker.Track(context,
        BaseTypeTracker.MatchSubclassesOf(
            KnownType.System_Security_Principal_IIdentity,
            KnownType.System_Security_Principal_IPrincipal));
}