public async Task TransferPathInitializerSafe() { var cSharpTest = @" using System.IO; class PathTraversal { public static void Run() { File.WriteAllBytes(""a.txt"", new MemoryStream {Capacity = 10}.ToArray()); } } "; var visualBasicTest = @" Imports System.IO Class PathTraversal Public Shared Sub Run() File.WriteAllBytes(""a.txt"", new MemoryStream With {.Capacity = 10}.ToArray()) End Sub End Class "; await VerifyCSharpDiagnostic(cSharpTest).ConfigureAwait(false); await VerifyVisualBasicDiagnostic(visualBasicTest).ConfigureAwait(false); var auditConfig = await AuditTest.GetAuditModeConfigOptions().ConfigureAwait(false); await VerifyCSharpDiagnostic(cSharpTest, null, auditConfig).ConfigureAwait(false); await VerifyVisualBasicDiagnostic(visualBasicTest, null, auditConfig).ConfigureAwait(false); }
public async Task HardCodedInitializer() { var cSharpTest = @" using System; namespace VulnerableApp { class HardCodedPassword { static void TestCookie() { var uri = new UriBuilder {Port = 443}; } } } "; var visualBasicTest = @" Imports System Namespace VulnerableApp Class HardCodedPassword Private Shared Sub TestCookie() Dim uri = New UriBuilder With {.Port = 443} End Sub End Class End Namespace "; await VerifyCSharpDiagnostic(cSharpTest, null, await AuditTest.GetAuditModeConfigOptions().ConfigureAwait(false)).ConfigureAwait(false); await VerifyVisualBasicDiagnostic(visualBasicTest, null, await AuditTest.GetAuditModeConfigOptions().ConfigureAwait(false)).ConfigureAwait(false); }
public async Task RecursiveStateAssignment() { var cSharpTest = @" namespace sample { class TestClass { public TestClass child; public TestClass foo() { return null; } public TestClass foo2() { return null; } public void Run() { TestClass b = new TestClass(); TestClass a; a = b.foo(); a.child = b.foo2(); } } } "; var visualBasicTest = @" Namespace sample Friend Class TestClass Public child As TestClass Public Function foo() As TestClass Return Nothing End Function Public Function foo2() As TestClass Return Nothing End Function Public Sub Run() Dim b As TestClass = New TestClass() Dim a As TestClass a = b.foo() a.child = b.foo2() End Sub End Class End Namespace "; // should not throw await VerifyCSharpDiagnostic(cSharpTest).ConfigureAwait(false); await VerifyVisualBasicDiagnostic(visualBasicTest).ConfigureAwait(false); var auditConfig = await AuditTest.GetAuditModeConfigOptions().ConfigureAwait(false); await VerifyCSharpDiagnostic(cSharpTest, null, auditConfig).ConfigureAwait(false); await VerifyVisualBasicDiagnostic(visualBasicTest, null, auditConfig).ConfigureAwait(false); }
public async Task SelfTaintAssignment() { var cSharpTest = @" namespace sample { class MyFoo { int x = 1; int y = 0; void foo() { } public static void Run(MyFoo[] aa) { foreach(var a in aa) { a.foo(); a.x = a.y; } } } } "; var visualBasicTest = @" Namespace sample Friend Class MyFoo Private x As Integer = 1 Private y As Integer = 0 Private Sub foo() End Sub Public Shared Sub Run(ByVal aa As MyFoo()) For Each a In aa a.foo() a.x = a.y Next End Sub End Class End Namespace "; // should not throw await VerifyCSharpDiagnostic(cSharpTest).ConfigureAwait(false); await VerifyVisualBasicDiagnostic(visualBasicTest).ConfigureAwait(false); var auditConfig = await AuditTest.GetAuditModeConfigOptions().ConfigureAwait(false); await VerifyCSharpDiagnostic(cSharpTest, null, auditConfig).ConfigureAwait(false); await VerifyVisualBasicDiagnostic(visualBasicTest, null, auditConfig).ConfigureAwait(false); }
public async Task SelfTaintAssignment2() { var cSharpTest = @" namespace sample { class B { public A z = null; } class A { public B y = null; public static void Run() { A x = null; x.y.z = x; var a = x; a.y = null; } } } "; var visualBasicTest = @" Namespace sample Friend Class MyFoo Private x As Integer = 1 Private y As Integer = 0 Private Sub foo() End Sub Public Shared Sub Run(ByVal aa As MyFoo()) For Each a In aa a.foo() a.x = a.y Next End Sub End Class End Namespace "; // should not throw await VerifyCSharpDiagnostic(cSharpTest).ConfigureAwait(false); await VerifyVisualBasicDiagnostic(visualBasicTest).ConfigureAwait(false); var auditConfig = await AuditTest.GetAuditModeConfigOptions().ConfigureAwait(false); await VerifyCSharpDiagnostic(cSharpTest, null, auditConfig).ConfigureAwait(false); await VerifyVisualBasicDiagnostic(visualBasicTest, null, auditConfig).ConfigureAwait(false); }
public async Task HardCodePasswordInitializerFromConstMemberFlow() { var cSharpTest = @" using System; namespace VulnerableApp { class HardCodedPassword { const string PWD = ""t0ps3cr3t""; static void Run() { TestCookie(PWD); } static void TestCookie(string pwd) { var uri = new UriBuilder {Password = pwd}; } } } "; var visualBasicTest = @" Imports System Namespace VulnerableApp Class HardCodedPassword Const PWD As String = ""t0ps3cr3t"" Private Shared Sub Run() TestCookie(PWD) End Sub Private Shared Sub TestCookie(ByVal pwd As String) Dim uri = New UriBuilder With { .Password = pwd } End Sub End Class End Namespace "; var expected = new DiagnosticResult { Id = "SCS0015", Severity = DiagnosticSeverity.Warning }; await VerifyCSharpDiagnostic(cSharpTest, expected, await AuditTest.GetAuditModeConfigOptions().ConfigureAwait(false)).ConfigureAwait(false); await VerifyVisualBasicDiagnostic(visualBasicTest, expected, await AuditTest.GetAuditModeConfigOptions().ConfigureAwait(false)).ConfigureAwait(false); }
public async Task TransferStringJoinSafe2(string dataType, bool isMethodGeneric) { var cSharpTest = $@" using System; using System.Data.SqlClient; #pragma warning disable 8019 using System.Collections.Generic; #pragma warning restore 8019 namespace sample {{ class SqlConstant {{ public static void Run() {{ IEnumerable<{dataType}> array = new []{{""aaa"", ""bbb""}}; new SqlCommand(String.Join{(isMethodGeneric ? $"<{dataType}>" : "")}("" "", array)); }} }} }} "; dataType = dataType.CSharpReplaceToVBasic(); var visualBasicTest = $@" Imports System.Data.SqlClient #Disable Warning BC50001 Imports System.Collections.Generic #Enable Warning BC50001 Namespace sample Class SqlConstant Public Shared Sub Run() Dim array As IEnumerable(Of {dataType}) = {{""aaa"", ""bbb""}} Dim com As New SqlCommand(String.Join{(isMethodGeneric ? $"(Of {dataType})" : "")}("" "", array)) End Sub End Class End Namespace "; await VerifyCSharpDiagnostic(cSharpTest).ConfigureAwait(false); await VerifyVisualBasicDiagnostic(visualBasicTest).ConfigureAwait(false); var auditConfig = await AuditTest.GetAuditModeConfigOptions().ConfigureAwait(false); await VerifyCSharpDiagnostic(cSharpTest, null, auditConfig).ConfigureAwait(false); await VerifyVisualBasicDiagnostic(visualBasicTest, null, auditConfig).ConfigureAwait(false); }
public async Task HardCodePasswordInitializerFromConstMemberFlowPlusNonConst() { var cSharpTest = @" using System; namespace VulnerableApp { class HardCodedPassword { const string PWD = ""t0ps3cr3t""; static void Run(string input) { TestCookie(PWD + input); } static void TestCookie(string pwd) { var uri = new UriBuilder {Password = pwd}; } } } "; var visualBasicTest = @" Imports System Namespace VulnerableApp Class HardCodedPassword Const PWD As String = ""t0ps3cr3t"" Private Shared Sub Run(input As String) TestCookie(PWD + input) End Sub Private Shared Sub TestCookie(ByVal pwd As String) Dim uri = New UriBuilder With { .Password = pwd } End Sub End Class End Namespace "; await VerifyCSharpDiagnostic(cSharpTest, null, await AuditTest.GetAuditModeConfigOptions().ConfigureAwait(false)).ConfigureAwait(false); await VerifyVisualBasicDiagnostic(visualBasicTest, null, await AuditTest.GetAuditModeConfigOptions().ConfigureAwait(false)).ConfigureAwait(false); }
public async Task SelfTaintAssignment3() { var cSharpTest = @" namespace sample { class A { public A y = null; public static void Run() { A x = null; x.y = x; } } } "; var visualBasicTest = @" Namespace sample Class A Public y As A = Nothing Public Shared Sub Run() Dim x As A = Nothing x.y = x End Sub End Class End Namespace "; // should not throw await VerifyCSharpDiagnostic(cSharpTest).ConfigureAwait(false); await VerifyVisualBasicDiagnostic(visualBasicTest).ConfigureAwait(false); var auditConfig = await AuditTest.GetAuditModeConfigOptions().ConfigureAwait(false); await VerifyCSharpDiagnostic(cSharpTest, null, auditConfig).ConfigureAwait(false); await VerifyVisualBasicDiagnostic(visualBasicTest, null, auditConfig).ConfigureAwait(false); }
public async Task HardCodePasswordAssignment() { var cSharpTest = @" using System; namespace VulnerableApp { class HardCodedPassword { static void TestCookie() { var uri = new UriBuilder(); uri.Password = ""t0ps3cr3t""; } } } "; var visualBasicTest = @" Imports System Namespace VulnerableApp Class HardCodedPassword Private Shared Sub TestCookie() Dim uri = New UriBuilder() uri.Password = ""t0ps3cr3t"" End Sub End Class End Namespace "; var expected = new DiagnosticResult { Id = "SCS0015", Severity = DiagnosticSeverity.Warning }; await VerifyCSharpDiagnostic(cSharpTest, expected, await AuditTest.GetAuditModeConfigOptions().ConfigureAwait(false)).ConfigureAwait(false); await VerifyVisualBasicDiagnostic(visualBasicTest, expected, await AuditTest.GetAuditModeConfigOptions().ConfigureAwait(false)).ConfigureAwait(false); }
public async Task TransferStringConstructorSafe() { var cSharpTest = @" using System.Data.SqlClient; class SqlTransferTesting { public static void Run() { new SqlCommand(new string(new []{'t'})); new SqlCommand(new string(new []{'t'}, 0, 3)); } } "; var visualBasicTest = @" Imports System.Data.SqlClient Class SqlTransferTesting Public Shared Sub Run() Dim chars1 = {""t""c, ""e""c} Dim safeQuery As String = New String(chars1) Dim com1 As New SqlCommand(safeQuery) safeQuery = New String(chars1, 0, 3) Dim com2 As New SqlCommand(safeQuery) End Sub End Class "; await VerifyCSharpDiagnostic(cSharpTest).ConfigureAwait(false); await VerifyVisualBasicDiagnostic(visualBasicTest).ConfigureAwait(false); var auditConfig = await AuditTest.GetAuditModeConfigOptions().ConfigureAwait(false); await VerifyCSharpDiagnostic(cSharpTest, null, auditConfig).ConfigureAwait(false); await VerifyVisualBasicDiagnostic(visualBasicTest, null, auditConfig).ConfigureAwait(false); }
public async Task TransferPathSafe(string method) { var cSharpTest = $@" using System.IO; class PathTraversal {{ public static void Run() {{ #pragma warning disable 618 {method}; #pragma warning restore 618 }} }} "; method = method.CSharpReplaceToVBasic(); var visualBasicTest = $@" Imports System.IO Class PathTraversal Public Shared Sub Run() #Disable Warning BC40000 {method} #Enable Warning BC40000 End Sub End Class "; await VerifyCSharpDiagnostic(cSharpTest).ConfigureAwait(false); await VerifyVisualBasicDiagnostic(visualBasicTest).ConfigureAwait(false); var auditConfig = await AuditTest.GetAuditModeConfigOptions().ConfigureAwait(false); await VerifyCSharpDiagnostic(cSharpTest, null, auditConfig).ConfigureAwait(false); await VerifyVisualBasicDiagnostic(visualBasicTest, null, auditConfig).ConfigureAwait(false); }
public async Task TransferSqlInitializerSafe() { var cSharpTest = @" using System.Data.SqlClient; namespace sample { class MyFoo { public static void Run() { var sqlCommand = new SqlCommand {CommandText = ""select * from Products""}; } } } "; var visualBasicTest = @" Imports System.Data.SqlClient Namespace sample Class MyFoo Public Shared Sub Run() Dim com As New SqlCommand With {.CommandText = ""select * from Products""} End Sub End Class End Namespace "; await VerifyCSharpDiagnostic(cSharpTest).ConfigureAwait(false); await VerifyVisualBasicDiagnostic(visualBasicTest).ConfigureAwait(false); var auditConfig = await AuditTest.GetAuditModeConfigOptions().ConfigureAwait(false); await VerifyCSharpDiagnostic(cSharpTest, null, auditConfig).ConfigureAwait(false); await VerifyVisualBasicDiagnostic(visualBasicTest, null, auditConfig).ConfigureAwait(false); }
public async Task LdapInjection(string sink, string warningId = null, int count = 1) { var cSharpTest = $@" #pragma warning disable 8019 using System.DirectoryServices; using System.Web.Mvc; #pragma warning restore 8019 namespace sample {{ public class MyFooController : Controller {{ public void Run(string input, string[] propertiesToLoad, DirectoryEntry entry, SearchScope scope) {{ var temp = {sink}; }} }} }} "; var visualBasicTest = $@" #Disable Warning BC50001 Imports System.DirectoryServices Imports System.Web.Mvc #Enable Warning BC50001 Namespace sample Public Class MyFooController Inherits Controller Public Sub Run(input As System.String, propertiesToLoad() As System.String, entry As DirectoryEntry, scope As SearchScope ) Dim temp = {sink.CSharpReplaceToVBasic()} End Sub End Class End Namespace "; if (warningId != null) { var expected = new DiagnosticResult { Id = warningId, Severity = DiagnosticSeverity.Warning, }; await VerifyCSharpDiagnostic(cSharpTest, Enumerable.Repeat(expected, count).ToArray()).ConfigureAwait(false); await VerifyCSharpDiagnostic(cSharpTest, Enumerable.Repeat(expected, count).ToArray(), await AuditTest.GetAuditModeConfigOptions().ConfigureAwait(false)).ConfigureAwait(false); await VerifyVisualBasicDiagnostic(visualBasicTest, Enumerable.Repeat(expected, count).ToArray()).ConfigureAwait(false); } else { await VerifyCSharpDiagnostic(cSharpTest).ConfigureAwait(false); await VerifyVisualBasicDiagnostic(visualBasicTest).ConfigureAwait(false); } }