public void DifferentConfigVersion_Exception()
{
var options = ConfigurationTest.CreateAnalyzersOptionsWithConfig("MinimumPasswordValidatorProperties: 0", new Version(1, 2));
Assert.ThrowsException <ArgumentException>(() => Manager.GetProjectConfiguration(options.AdditionalFiles));
}
public async Task AddSink()
{
var cSharpTest = @"
using System.Web.Mvc;
namespace sample
{
class Test : Controller
{
public void Vulnerable(string param)
{
}
public void TestMethod(string param)
{
Vulnerable(param);
}
}
}
";
var visualBasicTest = @"
Imports System.Web.Mvc
Namespace sample
Class Test
Inherits Controller
Public Sub Vulnerable(param As String)
End Sub
Public Sub TestMethod(param As String)
Vulnerable(param)
End Sub
End Class
End Namespace
";
await VerifyCSharpDiagnostic(cSharpTest).ConfigureAwait(false);
await VerifyVisualBasicDiagnostic(visualBasicTest).ConfigureAwait(false);
var testConfig = @"
Behavior:
MyKey:
Namespace: sample
ClassName: Test
Name: Vulnerable
Method:
InjectableArguments: [SCS0001: 0]
";
var optionsWithProjectConfig = ConfigurationTest.CreateAnalyzersOptionsWithConfig(testConfig);
var expected = new DiagnosticResult
{
Id = "SCS0001",
Severity = DiagnosticSeverity.Warning,
};
await VerifyCSharpDiagnostic(cSharpTest, expected, optionsWithProjectConfig).ConfigureAwait(false);
await VerifyVisualBasicDiagnostic(visualBasicTest, expected, optionsWithProjectConfig).ConfigureAwait(false);
}
public async Task HardcodedPassword(string classPayload, string payload, string pattern, bool warn)
{
var cSharpTest = $@"
#pragma warning disable 8019
using System;
#pragma warning restore 8019
namespace VulnerableApp
{{
#pragma warning disable CS0414
class HardCodedPassword
{{
private string SecretWord{classPayload};
void Foo()
{{
{payload};
}}
}}
#pragma warning restore CS0414
}}
";
var visualBasicTest = $@"
#Disable Warning BC50001
Imports System
#Enable Warning BC50001
Namespace VulnerableApp
Class HardCodedPassword
Private SecretWord As String{classPayload}
Private Sub Foo()
{payload}
End Sub
End Class
End Namespace
";
await VerifyCSharpDiagnostic(cSharpTest).ConfigureAwait(false);
await VerifyVisualBasicDiagnostic(visualBasicTest).ConfigureAwait(false);
var testConfig = $@"
PasswordFields: [{pattern}]
";
var optionsWithProjectConfig = ConfigurationTest.CreateAnalyzersOptionsWithConfig(testConfig);
if (warn)
{
var expected = new DiagnosticResult
{
Id = "SCS0015",
Severity = DiagnosticSeverity.Warning
};
await VerifyCSharpDiagnostic(cSharpTest, expected, optionsWithProjectConfig).ConfigureAwait(false);
await VerifyVisualBasicDiagnostic(visualBasicTest, expected, optionsWithProjectConfig).ConfigureAwait(false);
}
else
{
await VerifyCSharpDiagnostic(cSharpTest, null, optionsWithProjectConfig).ConfigureAwait(false);
await VerifyVisualBasicDiagnostic(visualBasicTest, null, optionsWithProjectConfig).ConfigureAwait(false);
}
}
public async Task TwoDifferentProjectConfigs()
{
var cSharpTest = @"
using System.Web.Mvc;
namespace sample
{
class Test : Controller
{
public static string Safe (string param)
{
return param;
}
public void Vulnerable(string param)
{
}
public void TestMethod(string param)
{
Vulnerable(param);
Vulnerable(Safe(""test""));
}
}
}
";
var visualBasicTest = @"
Imports System.Web.Mvc
Namespace sample
Class Test
Inherits Controller
Public Shared Function Safe(param As String) As String
Return param
End Function
Public Sub Vulnerable(param As String)
End Sub
Public Sub TestMethod(param As String)
Vulnerable(param)
Vulnerable(Safe(""test""))
End Sub
End Class
End Namespace
";
await VerifyCSharpDiagnostic(cSharpTest).ConfigureAwait(false);
await VerifyVisualBasicDiagnostic(visualBasicTest).ConfigureAwait(false);
var testConfig = @"
AuditMode: true
Behavior:
MyKey:
Namespace: sample
ClassName: Test
Name: Vulnerable
Method:
InjectableArguments: [SCS0001: 0]
";
var optionsWithProjectConfig = ConfigurationTest.CreateAnalyzersOptionsWithConfig(testConfig);
var expected = new DiagnosticResult
{
Id = "SCS0001",
Severity = DiagnosticSeverity.Warning,
};
await VerifyCSharpDiagnostic(cSharpTest, new [] { expected, expected }, optionsWithProjectConfig).ConfigureAwait(false);
await VerifyVisualBasicDiagnostic(visualBasicTest, new[] { expected, expected }, optionsWithProjectConfig).ConfigureAwait(false);
testConfig = @"
AuditMode: true
Behavior:
MyKey1:
Namespace: sample
ClassName: Test
Name: Vulnerable
Method:
InjectableArguments: [SCS0001: 0]
MyKey2:
Namespace: sample
ClassName: Test
Name: Safe
Method:
Returns:
Taint: Safe
";
optionsWithProjectConfig = ConfigurationTest.CreateAnalyzersOptionsWithConfig(testConfig);
await VerifyCSharpDiagnostic(cSharpTest, expected, optionsWithProjectConfig).ConfigureAwait(false);
await VerifyVisualBasicDiagnostic(visualBasicTest, expected, optionsWithProjectConfig).ConfigureAwait(false);
}
public async Task AddConstantValue()
{
var cSharpTest = @"
using System.Data.SqlClient;
using System.Web.Mvc;
namespace sample
{
class Test : Controller
{
public static readonly string Safe = ""Safe"";
static void TestMethod()
{
new SqlCommand(Safe);
}
}
}
";
var visualBasicTest = @"
Imports System.Data.SqlClient
Imports System.Web.Mvc
Namespace sample
Class Test
Inherits Controller
Public Shared ReadOnly Safe As String = ""Safe""
Private Shared Sub TestMethod()
Dim com As New SqlCommand(Safe)
End Sub
End Class
End Namespace
";
var expected = new DiagnosticResult
{
Id = "SCS0026",
Severity = DiagnosticSeverity.Warning,
};
var testConfig = @"
AuditMode: true
";
var optionsWithProjectConfig = ConfigurationTest.CreateAnalyzersOptionsWithConfig(testConfig);
await VerifyCSharpDiagnostic(cSharpTest, expected, optionsWithProjectConfig).ConfigureAwait(false);
await VerifyVisualBasicDiagnostic(visualBasicTest, expected, optionsWithProjectConfig).ConfigureAwait(false);
testConfig = @"
AuditMode: true
ConstantFields: [sample.Test.Safe]
";
optionsWithProjectConfig = ConfigurationTest.CreateAnalyzersOptionsWithConfig(testConfig);
await VerifyCSharpDiagnostic(cSharpTest, null, optionsWithProjectConfig).ConfigureAwait(false);
await VerifyVisualBasicDiagnostic(visualBasicTest, null, optionsWithProjectConfig).ConfigureAwait(false);
}
// [DataRow("", "new Manager { Validator", "}", false)] todo: fix to work as in the previous line
public async Task PasswordValidatorAsMember(string modifier, string payload, string payload2, bool vb)
{
var cSharpTest = $@"
using Microsoft.AspNet.Identity;
namespace WebApplicationSandbox.Controllers
{{
public class Manager
{{
public {modifier}PasswordValidator Validator;
}}
public class TestApp
{{
public void TestMethod()
{{
{payload} = new PasswordValidator
{{
RequiredLength = 8,
RequireNonLetterOrDigit = true,
RequireDigit = true,
RequireLowercase = true,
RequireUppercase = true,
}}{payload2};
}}
}}
}}
";
var visualBasicTest = $@"
Imports Microsoft.AspNet.Identity
Namespace WebApplicationSandbox.Controllers
Public Class Manager
Public {modifier.CSharpReplaceToVBasic()}Validator As PasswordValidator
End Class
Public Class TestApp
Public Sub TestMethod()
{payload.CSharpReplaceToVBasic()} = New PasswordValidator With {{
.RequiredLength = 8,
.RequireNonLetterOrDigit = True,
.RequireDigit = True,
.RequireLowercase = True,
.RequireUppercase = True
}}
End Sub
End Class
End Namespace
";
await VerifyCSharpDiagnostic(cSharpTest).ConfigureAwait(false);
if (vb)
{
await VerifyVisualBasicDiagnostic(visualBasicTest).ConfigureAwait(false);
}
var testConfig = @"
PasswordValidatorRequiredLength: 9
";
var optionsWithProjectConfig = ConfigurationTest.CreateAnalyzersOptionsWithConfig(testConfig);
var expected = new DiagnosticResult
{
Id = "SCS0032",
Severity = DiagnosticSeverity.Warning
};
await VerifyCSharpDiagnostic(cSharpTest, expected, optionsWithProjectConfig).ConfigureAwait(false);
if (vb)
{
await VerifyVisualBasicDiagnostic(visualBasicTest, expected, optionsWithProjectConfig).ConfigureAwait(false);
}
}
public async Task AddBehavior()
{
var cSharpTest = @"
using System.Data.SqlClient;
using System.Web.Mvc;
namespace sample
{
class Test : Controller
{
public string Safe (string param)
{
return param;
}
public void TestMethod()
{
var testString = ""test"";
new SqlCommand(Safe(testString));
}
}
}
";
var visualBasicTest = @"
Imports System.Web.Mvc
Imports System.Data.SqlClient
Namespace sample
Class Test
Inherits Controller
Public Function Safe(param As String) As String
Return param
End Function
Public Sub TestMethod()
Dim testString = ""test""
Dim com As New SqlCommand(Safe(testString))
End Sub
End Class
End Namespace
";
var expected = new DiagnosticResult
{
Id = "SCS0026",
Severity = DiagnosticSeverity.Warning,
};
var testConfig = @"
AuditMode: true
";
var optionsWithProjectConfig = ConfigurationTest.CreateAnalyzersOptionsWithConfig(testConfig);
await VerifyCSharpDiagnostic(cSharpTest, expected, optionsWithProjectConfig).ConfigureAwait(false);
await VerifyVisualBasicDiagnostic(visualBasicTest, expected, optionsWithProjectConfig).ConfigureAwait(false);
testConfig = @"
AuditMode: true
Behavior:
MyKey:
Namespace: sample
ClassName: Test
Name: Safe
Method:
Returns:
Taint: Safe
";
optionsWithProjectConfig = ConfigurationTest.CreateAnalyzersOptionsWithConfig(testConfig);
await VerifyCSharpDiagnostic(cSharpTest, null, optionsWithProjectConfig).ConfigureAwait(false);
await VerifyVisualBasicDiagnostic(visualBasicTest, null, optionsWithProjectConfig).ConfigureAwait(false);
}
public async Task TwoDifferentProjectConfigs()
{
var cSharpTest = @"
namespace sample
{
class Test
{
public static string Safe (string param)
{
return param;
}
public void Vulnerable(string param)
{
}
public void TestMethod(string param)
{
Vulnerable(param);
Vulnerable(Safe(""test""));
}
}
}
";
var visualBasicTest = @"
Namespace sample
Class Test
Public Shared Function Safe(param As String) As String
Return param
End Function
Public Sub Vulnerable(param As String)
End Sub
Public Sub TestMethod(param As String)
Vulnerable(param)
Vulnerable(Safe(""test""))
End Sub
End Class
End Namespace
";
await VerifyCSharpDiagnostic(cSharpTest).ConfigureAwait(false);
await VerifyVisualBasicDiagnostic(visualBasicTest).ConfigureAwait(false);
var testConfig = @"
Sinks:
MyKey:
Namespace: sample
ClassName: Test
Member: method
Name: Vulnerable
InjectableArguments: [0]
Locale: SCS0001
";
var optionsWithProjectConfig = ConfigurationTest.CreateAnalyzersOptionsWithConfig(testConfig);
var expected = new DiagnosticResult
{
Id = "SCS0001",
Severity = DiagnosticSeverity.Warning,
};
await VerifyCSharpDiagnostic(cSharpTest, new [] { expected, expected }, optionsWithProjectConfig).ConfigureAwait(false);
await VerifyVisualBasicDiagnostic(visualBasicTest, new[] { expected, expected }, optionsWithProjectConfig).ConfigureAwait(false);
testConfig = @"
Sinks:
MyKey:
Namespace: sample
ClassName: Test
Member: method
Name: Vulnerable
InjectableArguments: [0]
Locale: SCS0001
Behavior:
MyKey:
Namespace: sample
ClassName: Test
Member: method
Name: Safe
TaintFromArguments: [-1]
";
optionsWithProjectConfig = ConfigurationTest.CreateAnalyzersOptionsWithConfig(testConfig);
await VerifyCSharpDiagnostic(cSharpTest, expected, optionsWithProjectConfig).ConfigureAwait(false);
await VerifyVisualBasicDiagnostic(visualBasicTest, expected, optionsWithProjectConfig).ConfigureAwait(false);
}
public async Task AddBehavior()
{
var cSharpTest = @"
using System.Data.SqlClient;
namespace sample
{
class Test
{
public static string Safe (string param)
{
return param;
}
static void TestMethod()
{
var testString = ""test"";
new SqlCommand(Safe(testString));
}
}
}
";
var visualBasicTest = @"
Imports System.Data.SqlClient
Namespace sample
Class Test
Public Shared Function Safe(param As String) As String
Return param
End Function
Private Sub TestMethod()
Dim testString = ""test""
Dim com As New SqlCommand(Safe(testString))
End Sub
End Class
End Namespace
";
var expected = new DiagnosticResult
{
Id = "SCS0026",
Severity = DiagnosticSeverity.Warning,
};
await VerifyCSharpDiagnostic(cSharpTest, expected).ConfigureAwait(false);
await VerifyVisualBasicDiagnostic(visualBasicTest, expected).ConfigureAwait(false);
var testConfig = @"
Behavior:
MyKey:
Namespace: sample
ClassName: Test
Member: method
Name: Safe
TaintFromArguments: [-1]
";
var optionsWithProjectConfig = ConfigurationTest.CreateAnalyzersOptionsWithConfig(testConfig);
await VerifyCSharpDiagnostic(cSharpTest, null, optionsWithProjectConfig).ConfigureAwait(false);
await VerifyVisualBasicDiagnostic(visualBasicTest, null, optionsWithProjectConfig).ConfigureAwait(false);
}
public async Task RemoveSink()
{
var cSharpTest = @"
using System.Web.Mvc;
namespace sample
{
public class TestController : Controller
{
public void Vulnerable(string param)
{
}
public void TestMethod(string param)
{
Vulnerable(param);
}
}
}
";
var visualBasicTest = @"
Imports System.Web.Mvc
Namespace sample
Public Class TestController
Inherits Controller
Public Sub Vulnerable(param As String)
End Sub
Public Sub TestMethod(param As String)
Vulnerable(param)
End Sub
End Class
End Namespace
";
var testConfig = @"
Sinks:
- Type: sample.TestController
TaintTypes:
- SCS0002
Methods:
- Name: Vulnerable
Arguments:
- param
";
var optionsWithProjectConfig = ConfigurationTest.CreateAnalyzersOptionsWithConfig(testConfig);
var expected = new DiagnosticResult
{
Id = "SCS0002",
Severity = DiagnosticSeverity.Warning,
};
await VerifyCSharpDiagnostic(cSharpTest, expected, optionsWithProjectConfig).ConfigureAwait(false);
await VerifyVisualBasicDiagnostic(visualBasicTest, expected, optionsWithProjectConfig).ConfigureAwait(false);
testConfig = @"
Sinks:
- Type: sample.TestController
TaintTypes:
- SCS0002
";
optionsWithProjectConfig = ConfigurationTest.CreateAnalyzersOptionsWithConfig(testConfig);
await VerifyCSharpDiagnostic(cSharpTest, null, optionsWithProjectConfig).ConfigureAwait(false);
await VerifyVisualBasicDiagnostic(visualBasicTest, null, optionsWithProjectConfig).ConfigureAwait(false);
}
public async Task TwoDifferentProjectConfigs()
{
var cSharpTest = @"
using System.Web.Mvc;
namespace sample
{
public class TestController : Controller
{
public static string Safe (string param)
{
return """";
}
public void Vulnerable(string param)
{
}
public void TestMethod(string param)
{
Vulnerable(param);
Vulnerable(Safe(""test""));
}
}
}
";
var visualBasicTest = @"
Imports System.Web.Mvc
Namespace sample
Public Class TestController
Inherits Controller
Public Shared Function Safe(param As String) As String
Return """"
End Function
Public Sub Vulnerable(param As String)
End Sub
Public Sub TestMethod(param As String)
Vulnerable(param)
Vulnerable(Safe(""test""))
End Sub
End Class
End Namespace
";
await VerifyCSharpDiagnostic(cSharpTest).ConfigureAwait(false);
await VerifyVisualBasicDiagnostic(visualBasicTest).ConfigureAwait(false);
// todo: review the test, why this is unused?
var testConfig = @"
Sinks:
- Type: sample.TestController
TaintTypes:
- SCS0002
Methods:
- Name: Vulnerable
Arguments:
- param
";
await VerifyCSharpDiagnostic(cSharpTest).ConfigureAwait(false);
await VerifyVisualBasicDiagnostic(visualBasicTest).ConfigureAwait(false);
testConfig = @"
Sinks:
- Type: sample.TestController
TaintTypes:
- SCS0002
Methods:
- Name: Vulnerable
Arguments:
- param
TaintSources:
- Type: sample.TestController
TaintTypes:
- SCS0002
Methods:
- Tainted
";
var optionsWithProjectConfig = ConfigurationTest.CreateAnalyzersOptionsWithConfig(testConfig);
var expected = new DiagnosticResult
{
Id = "SCS0002",
Severity = DiagnosticSeverity.Warning,
};
optionsWithProjectConfig = ConfigurationTest.CreateAnalyzersOptionsWithConfig(testConfig);
await VerifyCSharpDiagnostic(cSharpTest, expected, optionsWithProjectConfig).ConfigureAwait(false);
await VerifyVisualBasicDiagnostic(visualBasicTest, expected, optionsWithProjectConfig).ConfigureAwait(false);
}
public async Task AddTaintSource()
{
var cSharpTest = @"
using System.Data.SqlClient;
using System.Web.Mvc;
namespace sample
{
public class TestController : Controller
{
public string Tainted ()
{
return """";
}
public void TestMethod()
{
new SqlCommand(Tainted());
}
}
}
";
var visualBasicTest = @"
Imports System.Web.Mvc
Imports System.Data.SqlClient
Namespace sample
Public Class TestController
Inherits Controller
Public Function Tainted() As String
Return """"
End Function
Public Sub TestMethod()
Dim com As New SqlCommand(Tainted())
End Sub
End Class
End Namespace
";
await VerifyCSharpDiagnostic(cSharpTest).ConfigureAwait(false);
await VerifyVisualBasicDiagnostic(visualBasicTest).ConfigureAwait(false);
var expected = new DiagnosticResult
{
Id = "SCS0002",
Severity = DiagnosticSeverity.Warning,
};
var testConfig = @"
TaintSources:
- Type: sample.TestController
TaintTypes:
- SCS0002
Methods:
- Tainted
";
var optionsWithProjectConfig = ConfigurationTest.CreateAnalyzersOptionsWithConfig(testConfig);
await VerifyCSharpDiagnostic(cSharpTest, expected, optionsWithProjectConfig).ConfigureAwait(false);
await VerifyVisualBasicDiagnostic(visualBasicTest, expected, optionsWithProjectConfig).ConfigureAwait(false);
}