C#: Improve cs/invalid-string-formatting and add to the Code Quality suite.
#19148
Conversation
cfe6cbd to
286ae79
Compare
852eab9 to
e8f8145
Compare
|
DCA
|
51a03d2 to
be8d379
Compare
cs/invalid-string-formatting and add to the codeql quality suite.
be8d379 to
5c6b1dd
Compare
cs/invalid-string-formatting and add to the codeql quality suite.cs/invalid-string-formatting and add to the Code Quality suite.
|
|
||
| // GOOD: An array has been supplied. | ||
| String.Format("{0} {1} {2}", args); | ||
|
|
||
| // GOOD: All arguments supplied to params | ||
| String.Format("{0} {1} {2} {3}", 0, 1, 2, 3); | ||
|
|
||
| helper("{1}"); | ||
| helper("{1}"); // $ Source |
There was a problem hiding this comment.
I think this should be e.g. Source=source1 and then $ Alert=source1 further down.
|
|
||
| // BAD: Invalid format string | ||
| String.Format("%d", 1); | ||
| String.Format("%d", 1); // $ Alert Sink |
There was a problem hiding this comment.
I don't think the Sink part is needed when it is on the same line as the alert.
There was a problem hiding this comment.
The Sink and Alert doesn't have the exact same location (only the same line numbers), so the test fails, if we don't add both tags.
There was a problem hiding this comment.
There was a problem hiding this comment.
CoPilot managed to do it 😸
| class FormatMethod extends Method { | ||
| FormatMethod() { | ||
| exists(Class declType | declType = this.getDeclaringType() | | ||
| abstract class FormatMethod extends Method { |
There was a problem hiding this comment.
Now we are exposing an abstract method, which is not backwards-compatible (and also not best practice). So Instead replace the current abstract FormatMethod class with a private FormatMethodImpl class, and add final class FormatMethod = FormatMethodImpl;.
There was a problem hiding this comment.
Never mind, I see that you did exactly this in a subsequent commit.
| void TestCompositeFormatMissingArgument() | ||
| { | ||
| var format0 = CompositeFormat.Parse("{0}"); | ||
| var format1 = CompositeFormat.Parse("{1}"); // $ Source |
There was a problem hiding this comment.
Again, it is better to uniquely identify the sources so we can match them up against the alerts.
I think it is fine to keep as-is. |
5c6b1dd to
b9183ff
Compare
c10b5ce to
b9183ff
Compare
…tions and adjust some of the testcases.
…valid-string-format.
b9183ff to
65ac951
Compare
In this PR we
cs/invalid-string-formattingto the code quality suite.Improve the
cs/invalid-string-formattingquery bystring.Formatwhere no additional arguments are provided (for instancestring.Format("{")). Also start takingCompositeFormatversions ofFormatmethods into account and considerSystem.Text.CompositeFormat.Parsea method that parses format strings and might throw exceptions and cause a runtime crash.string.FormatandStringBuilder.AppendFormatand also add support forMemoryExtensions.TryWrite.Console.WriteLine(string)and friends (methods that itsn't format methods).Review commit by commit is encouraged.
@hvitved : The data flow configurations are quite similar. Is it a better approach to use flow state to track calls to
CompositeFormat.Parse? (instead of merging two similar graphs).