C#: Adding synthetic implicit ToString calls in binary- and string interpolation expressions. #18446
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
michaelnebel
force-pushed
the
csharp/implicittostring2
branch
2 times, most recently
from
7ba7af1 to
9959976
Compare
michaelnebel
force-pushed
the
csharp/implicittostring2
branch
7 times, most recently
from
bf46c42 to
825c64f
Compare
michaelnebel
changed the title
michaelnebel
force-pushed
the
csharp/implicittostring2
branch
from
825c64f to
9ebee34
Compare
Click to show differences in coveragecsharpGenerated file changes for csharp
- Others,"``Amazon.Lambda.APIGatewayEvents``, ``Amazon.Lambda.Core``, ``Dapper``, ``ILCompiler``, ``ILLink.RoslynAnalyzer``, ``ILLink.Shared``, ``ILLink.Tasks``, ``Internal.IL``, ``Internal.Pgo``, ``Internal.TypeSystem``, ``JsonToItemsTaskFactory``, ``Microsoft.Android.Build``, ``Microsoft.Apple.Build``, ``Microsoft.ApplicationBlocks.Data``, ``Microsoft.AspNetCore.Components``, ``Microsoft.AspNetCore.Mvc``, ``Microsoft.AspNetCore.WebUtilities``, ``Microsoft.CSharp``, ``Microsoft.Diagnostics.Tools.Pgo``, ``Microsoft.DotNet.Build.Tasks``, ``Microsoft.DotNet.PlatformAbstractions``, ``Microsoft.EntityFrameworkCore``, ``Microsoft.Extensions.Caching.Distributed``, ``Microsoft.Extensions.Caching.Memory``, ``Microsoft.Extensions.Configuration``, ``Microsoft.Extensions.DependencyInjection``, ``Microsoft.Extensions.DependencyModel``, ``Microsoft.Extensions.Diagnostics.Metrics``, ``Microsoft.Extensions.FileProviders``, ``Microsoft.Extensions.FileSystemGlobbing``, ``Microsoft.Extensions.Hosting``, ``Microsoft.Extensions.Http``, ``Microsoft.Extensions.Logging``, ``Microsoft.Extensions.Options``, ``Microsoft.Extensions.Primitives``, ``Microsoft.Interop``, ``Microsoft.JSInterop``, ``Microsoft.NET.Build.Tasks``, ``Microsoft.NET.Sdk.WebAssembly``, ``Microsoft.NET.WebAssembly.Webcil``, ``Microsoft.VisualBasic``, ``Microsoft.WebAssembly.Build.Tasks``, ``Microsoft.Win32``, ``Mono.Linker``, ``MySql.Data.MySqlClient``, ``Newtonsoft.Json``, ``SourceGenerators``, ``Windows.Security.Cryptography.Core``",61,2074,152,4
+ Others,"``Amazon.Lambda.APIGatewayEvents``, ``Amazon.Lambda.Core``, ``Dapper``, ``ILCompiler``, ``ILLink.RoslynAnalyzer``, ``ILLink.Shared``, ``ILLink.Tasks``, ``Internal.IL``, ``Internal.Pgo``, ``Internal.TypeSystem``, ``JsonToItemsTaskFactory``, ``Microsoft.Android.Build``, ``Microsoft.Apple.Build``, ``Microsoft.ApplicationBlocks.Data``, ``Microsoft.AspNetCore.Components``, ``Microsoft.AspNetCore.Http``, ``Microsoft.AspNetCore.Mvc``, ``Microsoft.AspNetCore.WebUtilities``, ``Microsoft.CSharp``, ``Microsoft.Diagnostics.Tools.Pgo``, ``Microsoft.DotNet.Build.Tasks``, ``Microsoft.DotNet.PlatformAbstractions``, ``Microsoft.EntityFrameworkCore``, ``Microsoft.Extensions.Caching.Distributed``, ``Microsoft.Extensions.Caching.Memory``, ``Microsoft.Extensions.Configuration``, ``Microsoft.Extensions.DependencyInjection``, ``Microsoft.Extensions.DependencyModel``, ``Microsoft.Extensions.Diagnostics.Metrics``, ``Microsoft.Extensions.FileProviders``, ``Microsoft.Extensions.FileSystemGlobbing``, ``Microsoft.Extensions.Hosting``, ``Microsoft.Extensions.Http``, ``Microsoft.Extensions.Logging``, ``Microsoft.Extensions.Options``, ``Microsoft.Extensions.Primitives``, ``Microsoft.Interop``, ``Microsoft.JSInterop``, ``Microsoft.NET.Build.Tasks``, ``Microsoft.NET.Sdk.WebAssembly``, ``Microsoft.NET.WebAssembly.Webcil``, ``Microsoft.VisualBasic``, ``Microsoft.WebAssembly.Build.Tasks``, ``Microsoft.Win32``, ``Mono.Linker``, ``MySql.Data.MySqlClient``, ``Newtonsoft.Json``, ``SourceGenerators``, ``Windows.Security.Cryptography.Core``",61,2075,152,4
- Totals,,108,12900,400,9
+ Totals,,108,12901,400,9
+ Microsoft.AspNetCore.Http,,,1,,,,,,,,,,,,,,,,,,,1, |
There was a problem hiding this comment.
Copilot reviewed 35 out of 50 changed files in this pull request and generated no comments.
Files not reviewed (15)
- csharp/ql/examples/snippets/ternary_conditional.ql: Language not supported
- csharp/ql/lib/semmle/code/csharp/PrintAst.qll: Language not supported
- csharp/ql/lib/semmle/code/csharp/commons/Constants.qll: Language not supported
- csharp/ql/lib/semmle/code/csharp/commons/Strings.qll: Language not supported
- csharp/ql/lib/semmle/code/csharp/dataflow/Nullness.qll: Language not supported
- csharp/ql/lib/semmle/code/csharp/dispatch/Dispatch.qll: Language not supported
- csharp/ql/lib/semmle/code/csharp/exprs/Call.qll: Language not supported
- csharp/ql/lib/semmle/code/csharp/exprs/Expr.qll: Language not supported
- csharp/ql/src/Bad Practices/VirtualCallInConstructorOrDestructor.ql: Language not supported
- csharp/ql/src/Likely Bugs/Dynamic/BadDynamicCall.ql: Language not supported
- csharp/ql/src/Likely Bugs/ObjectComparison.ql: Language not supported
- csharp/ql/test/library-tests/controlflow/graph/BasicBlock.expected: Language not supported
- csharp/extractor/Semmle.Extraction.CSharp/Entities/Expression.cs: Evaluated as low risk
- csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/InterpolatedString.cs: Evaluated as low risk
- csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/ImplicitCast.cs: Evaluated as low risk
Tip: Copilot code review supports C#, Go, Java, JavaScript, Markdown, Python, Ruby and TypeScript, with more languages coming soon. Learn more
…ring calls into account.
…ons and generated ToString calls.
…ons, if the type implements IFormattable.
michaelnebel
force-pushed
the
csharp/implicittostring2
branch
from
dbc7a80 to
0c5c2a3
Compare
hvitved
reviewed
Jan 16, 2025
csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/ImplicitToString.cs
Show resolved
Hide resolved
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
In this PR we get the ball rolling on synthesizing compiler generated
ToStringcalls.We introduce
ToStringcalls in binary expressions for concatenating strings and string interpolation expressions:That is,
This is expected to increase accuracy of the data flow analysis, but there are some pitfalls:
ToStringthat is implicitly called is not in source code and if we don't have a model for it.Object.ToStringis the one being implicitly called and there exists aToStringimplementation that contains a source for a query. In this case we might get false positives due to dynamic dispatch. DCA reports a couple of results like that (cs/web/xss,cs/log-forgingandcs/information-exposure-through-exceptionon ASP.NET andcs/cleartext-storage-of-sensitive-informationandcs/exposure-of-sensitive-informationon mono). In any case, this is an anti pattern that should generally be avoided (there is also a quality query for this). We could consider not to extract the implicit to string call when the target isToStringis onSystem.Object?The extra result on ASP.NET for
cs/web/unvalidated-url-redirectionis due to the summary model added forPathString.ToString.According to DCA til change does not affect performance.