public void GetConcatinatedNodeFindsConcatinatedVariableUsedAsArgument()
        {
            // Fixture: the value handed to Process.Start is a local that was built by
            // string concatenation. The utility is expected to follow the identifier
            // back to that "+" expression rather than stop at the identifier itself.
            string code = @"
            using System;

            public class TestClass
            {
                public void testMethod(string name)
                {
                    string arguments = ""echo "" + name;
                    System.Diagnostics.Process.Start(""CMD.exe"", arguments);
                }
            }
            ";

            var compilationUnit = CSharpSyntaxTree.ParseText(code).GetCompilationUnitRoot();
            var lastArgumentList = compilationUnit.DescendantNodes()
                                                  .OfType<ArgumentListSyntax>()
                                                  .Last();
            var lastArgument = lastArgumentList.Arguments.Last();

            SyntaxNode concatenation = ConcatinationUtilities.GetConcatinatedNode(lastArgument);

            Assert.NotNull(concatenation);
            // The node returned is the concatenation expression, not the `arguments` identifier.
            Assert.Equal(@"""echo "" + name", concatenation.ToString());
        }
        public void GetConcatinatedNodeReturnsNullIfArgumentIsMethodParameter()
        {
            // Fixture: the argument is the method's own parameter, so there is no
            // concatenation expression anywhere for the utility to locate.
            string code = @"
            using System;

            public class TestClass
            {
                public void testMethod(string arguments)
                {
                    System.Diagnostics.Process.Start(""CMD.exe"", arguments);
                }
            }
            ";

            var compilationUnit = CSharpSyntaxTree.ParseText(code).GetCompilationUnitRoot();
            var lastArgumentList = compilationUnit.DescendantNodes()
                                                  .OfType<ArgumentListSyntax>()
                                                  .Last();
            var lastArgument = lastArgumentList.Arguments.Last();

            SyntaxNode concatenation = ConcatinationUtilities.GetConcatinatedNode(lastArgument);

            // A parameter with no local definition yields no node at all.
            Assert.Null(concatenation);
        }
        public void IsSafeValueConcatinationReturnsTrueIfBothSidesOfConcatinationAreInSafeList()
        {
            // Fixture: `arguments2` aliases `arguments1`, which is `"echo " + name`.
            // The safe list below declares string + string acceptable, so the concatenation
            // must be judged safe.
            // NOTE(review): that policy also accepts the externally supplied `name`
            // parameter; this dictionary is a test fixture, and whether string + string
            // should be treated as safe in real analyser settings is a separate decision.
            string code = @"
            using System;

            public class TestClass
            {
                public void testMethod(string name)
                {
                    string arguments1 = ""echo "" + name;
                    string arguments2 = arguments1;
                    System.Diagnostics.Process.Start(""CMD.exe"", arguments2);
                }
            }
            ";

            var safeStringPartners = new List<Type> { typeof(string) }.AsReadOnly();
            IReadOnlyDictionary<Type, IReadOnlyCollection<Type>> safeConcatinationTypes =
                new Dictionary<Type, IReadOnlyCollection<Type>>
                {
                    { typeof(string), safeStringPartners }
                };

            var compilationUnit = CSharpSyntaxTree.ParseText(code).GetCompilationUnitRoot();
            var lastArgumentList = compilationUnit.DescendantNodes()
                                                  .OfType<ArgumentListSyntax>()
                                                  .Last();
            var lastArgument = lastArgumentList.Arguments.Last();

            SyntaxNode concatenation = ConcatinationUtilities.GetConcatinatedNode(lastArgument);
            var binaryConcatenation = concatenation as BinaryExpressionSyntax;
            bool isSafe = ConcatinationUtilities.IsSafeValueConcatination(binaryConcatenation, safeConcatinationTypes);

            Assert.True(isSafe);
        }
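        /// <summary>
        /// Returns true when the first positional argument of a command-creating call
        /// (taken to be the command text) is produced by value concatenation.
        /// </summary>
        /// <param name="arguments">The call's argument list; may be null when the
        /// creation expression uses only an object initializer.</param>
        /// <returns>False when there is no positional command text to inspect.</returns>
        private static bool IsConcatinatedCommandText(ArgumentListSyntax arguments)
        {
            // `new SqlCommand { ... }` has no argument list and `new SqlCommand()` has an
            // empty one; neither carries positional command text, so there is nothing to
            // classify as concatenated. Command text assigned later via a property is
            // outside the scope of this check.
            if (arguments == null)
            {
                return false;
            }

            // Get the first argument syntax node, which will be the SqlCommand's command text
            // Limitation: does not cater for named parameters, which may change the ordinal position of arguments
            SyntaxNode commandTextArgumentNode = arguments.Arguments.FirstOrDefault();
            if (commandTextArgumentNode == null)
            {
                return false;
            }

            return ConcatinationUtilities.IsNodeValueConcatinated(commandTextArgumentNode);
        }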
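        /// <summary>
        /// Reports object creations recognised as SqlCommand constructors whose command-text
        /// argument is built by a concatenation that is not on the safe-type list.
        /// </summary>
        /// <param name="node">The object creation expression being visited.</param>
        public override void VisitObjectCreationExpression(ObjectCreationExpressionSyntax node)
        {
            // `new SqlCommand { CommandText = ... }` has no ArgumentList (it is null in Roslyn),
            // so there is no positional command text to inspect and nothing to pass on.
            if (IsSqlCommandCreatorNode(node) && node.ArgumentList != null)
            {
                SyntaxNode concatenatedNode = GetConcatinatedCommandTextNode(node.ArgumentList);

                // NOTE(review): if the command text is built by something other than a "+"
                // expression, the `as` cast yields null and the verdict depends entirely on how
                // IsSafeValueConcatination treats a null node — confirm it reports rather than
                // silently passing such cases.
                if (concatenatedNode != null
                    && !ConcatinationUtilities.IsSafeValueConcatination(concatenatedNode as BinaryExpressionSyntax, SafeConcatinationTypes))
                {
                    this.ReportableItems.Add(new AnalyserItem(ReporterMessage, node.GetReference()));
                }
            }

            // Let the base walker continue into child nodes so nested creations are still seen.
            base.VisitObjectCreationExpression(node);
        }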
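        /// <summary>
        /// Locates the concatenation expression behind the second positional argument of a
        /// call, if there is one.
        /// </summary>
        /// <param name="node">The call's argument list; may be null.</param>
        /// <returns>The concatenation node found by
        /// <see cref="ConcatinationUtilities.GetConcatinatedNode"/>, or null when the call
        /// has fewer than two positional arguments.</returns>
        private static SyntaxNode GetConcatinatedCommandArgumentsNode(ArgumentListSyntax node)
        {
            // A missing argument list or a single-argument call has no separate
            // "arguments" value to inspect.
            if (node == null || node.Arguments.Count < 2)
            {
                return null;
            }

            // The second positional argument (index 1) is the one examined here — presumably
            // the `arguments` string of a two-argument Process.Start(fileName, arguments)
            // call; confirm against the caller.
            // Limitation: does not cater for named parameters, which may change the ordinal
            // position of arguments.
            SyntaxNode commandArgumentsNode = node.Arguments[1];

            return ConcatinationUtilities.GetConcatinatedNode(commandArgumentsNode);
        }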