WIP: C#: Add initial support for Blazor #17355
base: main
Conversation
6873f39 to 9a55135 (compare)
9a55135 to 0ff7512 (compare)
67ab0df to 66e6da3 (compare)
Generated file changes for csharp (coverage differences):
- Others,"``Amazon.Lambda.APIGatewayEvents``, ``Amazon.Lambda.Core``, ``Dapper``, ``ILCompiler``, ``ILLink.RoslynAnalyzer``, ``ILLink.Shared``, ``ILLink.Tasks``, ``Internal.IL``, ``Internal.Pgo``, ``Internal.TypeSystem``, ``JsonToItemsTaskFactory``, ``Microsoft.Android.Build``, ``Microsoft.Apple.Build``, ``Microsoft.ApplicationBlocks.Data``, ``Microsoft.CSharp``, ``Microsoft.Diagnostics.Tools.Pgo``, ``Microsoft.DotNet.Build.Tasks``, ``Microsoft.EntityFrameworkCore``, ``Microsoft.Extensions.Caching.Distributed``, ``Microsoft.Extensions.Caching.Memory``, ``Microsoft.Extensions.Configuration``, ``Microsoft.Extensions.DependencyInjection``, ``Microsoft.Extensions.DependencyModel``, ``Microsoft.Extensions.Diagnostics.Metrics``, ``Microsoft.Extensions.FileProviders``, ``Microsoft.Extensions.FileSystemGlobbing``, ``Microsoft.Extensions.Hosting``, ``Microsoft.Extensions.Http``, ``Microsoft.Extensions.Logging``, ``Microsoft.Extensions.Options``, ``Microsoft.Extensions.Primitives``, ``Microsoft.Interop``, ``Microsoft.NET.Build.Tasks``, ``Microsoft.NET.WebAssembly.Webcil``, ``Microsoft.VisualBasic``, ``Microsoft.WebAssembly.Build.Tasks``, ``Microsoft.Win32``, ``Mono.Linker``, ``MySql.Data.MySqlClient``, ``Newtonsoft.Json``, ``SourceGenerators``, ``Windows.Security.Cryptography.Core``",57,1821,148,
+ Others,"``Amazon.Lambda.APIGatewayEvents``, ``Amazon.Lambda.Core``, ``Dapper``, ``ILCompiler``, ``ILLink.RoslynAnalyzer``, ``ILLink.Shared``, ``ILLink.Tasks``, ``Internal.IL``, ``Internal.Pgo``, ``Internal.TypeSystem``, ``JsonToItemsTaskFactory``, ``Microsoft.Android.Build``, ``Microsoft.Apple.Build``, ``Microsoft.ApplicationBlocks.Data``, ``Microsoft.AspNetCore.Components``, ``Microsoft.CSharp``, ``Microsoft.Diagnostics.Tools.Pgo``, ``Microsoft.DotNet.Build.Tasks``, ``Microsoft.EntityFrameworkCore``, ``Microsoft.Extensions.Caching.Distributed``, ``Microsoft.Extensions.Caching.Memory``, ``Microsoft.Extensions.Configuration``, ``Microsoft.Extensions.DependencyInjection``, ``Microsoft.Extensions.DependencyModel``, ``Microsoft.Extensions.Diagnostics.Metrics``, ``Microsoft.Extensions.FileProviders``, ``Microsoft.Extensions.FileSystemGlobbing``, ``Microsoft.Extensions.Hosting``, ``Microsoft.Extensions.Http``, ``Microsoft.Extensions.Logging``, ``Microsoft.Extensions.Options``, ``Microsoft.Extensions.Primitives``, ``Microsoft.Interop``, ``Microsoft.NET.Build.Tasks``, ``Microsoft.NET.WebAssembly.Webcil``, ``Microsoft.VisualBasic``, ``Microsoft.WebAssembly.Build.Tasks``, ``Microsoft.Win32``, ``Mono.Linker``, ``MySql.Data.MySqlClient``, ``Newtonsoft.Json``, ``SourceGenerators``, ``Windows.Security.Cryptography.Core``",57,1824,150,2
- Totals,,104,12454,396,5
+ Totals,,104,12457,398,7
+ Microsoft.AspNetCore.Components,2,,3,,,,,,,2,,,,,,,,,,,,2,1 |
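Review bot: the regenerated coverage is internally consistent: the Others row moves 1821→1824, 148→150 and its trailing column from blank to 2, and the Totals row moves 12454→12457, 396→398 and 5→7 by the same deltas, while `Microsoft.AspNetCore.Components` shows up both inside the Others bucket and as its own row in the per-package table. The only thing to confirm before merging is that this file came out of the coverage generator rather than a hand edit, since the two tables have to stay in step with each other.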
/** Provides classes for working with `Microsoft.AspNetCore.Components`. */

import csharp
import semmle.code.csharp.frameworks.Microsoft
Code scanning / CodeQL warning: Redundant import: semmle.code.csharp.frameworks.microsoft.AspNetCore
// - if there's no custom `ValueChanged` handler defined on the `InputText` component, such as `<InputText Value="@InputValue1" ValueChanged="HandleChange" />` or
// - if `@bind-Value` is used on the component. In case of `<InputText Value="@InputValue1" />`, there's only one-way binding.
private class InputBaseValuePropertyJumpNode extends DataFlow::NonLocalJumpNode {
  Component c;
Code scanning / CodeQL note: Field only used in CharPred
7433e8e to 6fb7ae7 (compare)
predicate hasAddComponentParameter(
  MethodCall addCall, ValueOrRefType componentType, Property p, Expr value
) {
  exists(int i, int j, int k, MethodCall openCall, Callable enclosing |
Code scanning / CodeQL warning: Omittable 'exists' variable: in this argument
private import semmle.code.csharp.frameworks.microsoft.Blazor as Blazor

module TaintConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) { Blazor::Helpers::isInflowSource(_, source.asExpr()) }
Code scanning / CodeQL warning: Dead code

  predicate isSink(DataFlow::Node sink) {
Code scanning / CodeQL warning: Dead code
    Blazor::Helpers::isComponentParameterRead(sink.asExpr(), _)
  }

  predicate includeHiddenNodes() { any() }
Code scanning / CodeQL warning: Dead code

from Taint::PathNode source, Taint::PathNode sink
where Taint::flowPath(source, sink)
select sink, source, sink, "$@", source, source.toString()
Code scanning / CodeQL warning: Alert message style violation
private import semmle.code.csharp.frameworks.microsoft.Blazor as Blazor

module TaintConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) {
Code scanning / CodeQL warning: Dead code
    Blazor::Helpers::isOutflowSource(_, source.asParameter())
  }

  predicate isSink(DataFlow::Node sink) {
Code scanning / CodeQL warning: Dead code
    sink.asExpr() instanceof Access
  }

  predicate includeHiddenNodes() { any() }
Code scanning / CodeQL warning: Dead code

from Taint::PathNode source, Taint::PathNode sink
where Taint::flowPath(source, sink)
select sink, source, sink, "$@", source, source.toString()
Code scanning / CodeQL warning: Alert message style violation
// from `"Param1Changed"` in `__builder.AddComponentParameter(133, "Param1Changed", TypeCheck<>(EventCallback.Factory.Create<>(this, (s) => {})))`
// to `s` in `(s) => {}`
private class ComponentEventCallbackJumpNode2 extends DataFlow::NonLocalJumpNode {
  Property p;
Code scanning / CodeQL note: Field only used in CharPred
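As an added example (not code from this PR or from the CodeQL repository), the three binding forms the jump-node comments above distinguish, written as the hand-coded `BuildRenderTree` equivalent of the Razor markup so that the `AddComponentParameter` / `EventCallback.Factory.Create` call shape the jump nodes match on is visible in one place. `Parent`, `Child`, `Param1`, `Param1Changed`, `InputValue1` and `HandleChange` are assumed names; `AddComponentParameter` assumes ASP.NET Core 8 or later, and real Razor compiler output differs in sequence numbers and wraps the callback in `TypeCheck<>` as the comment above shows.

```csharp
// Added example, not part of the PR. Component and parameter names are assumed.
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Components;
using Microsoft.AspNetCore.Components.Rendering;

public class Child : ComponentBase
{
    // Value passed in by the parent (the "inflow" side of the jump node).
    [Parameter] public string Param1 { get; set; } = "";

    // Callback the parent supplies; invoking it is the "outflow" side.
    [Parameter] public EventCallback<string> Param1Changed { get; set; }

    protected override void BuildRenderTree(RenderTreeBuilder __builder)
    {
        // Reading the parameter is where a parent-supplied value is consumed.
        __builder.AddContent(0, Param1);
    }

    // Pushing a new value back: `next` becomes `s` in the parent's lambda.
    public Task Update(string next)
    {
        Param1 = next;
        return Param1Changed.InvokeAsync(next);
    }
}

public class Parent : ComponentBase
{
    private string InputValue1 = "";

    private void HandleChange(string s) { InputValue1 = s; }

    protected override void BuildRenderTree(RenderTreeBuilder __builder)
    {
        // <Child Param1="@InputValue1" /> : one-way binding, no callback,
        // so nothing flows back into Parent from Child.
        __builder.OpenComponent<Child>(0);
        __builder.AddComponentParameter(1, "Param1", InputValue1);
        __builder.CloseComponent();

        // <Child Param1="@InputValue1" Param1Changed="HandleChange" /> :
        // explicit handler; the child's value reaches HandleChange's parameter.
        __builder.OpenComponent<Child>(2);
        __builder.AddComponentParameter(3, "Param1", InputValue1);
        __builder.AddComponentParameter(4, "Param1Changed",
            EventCallback.Factory.Create<string>(this, HandleChange));
        __builder.CloseComponent();

        // <Child @bind-Param1="InputValue1" /> : two-way binding; the compiler
        // emits a lambda whose parameter `s` receives the child's new value,
        // which is the `(s) => {}` shape named in the jump-node comment.
        __builder.OpenComponent<Child>(5);
        __builder.AddComponentParameter(6, "Param1", InputValue1);
        __builder.AddComponentParameter(7, "Param1Changed",
            EventCallback.Factory.Create<string>(this, (string s) => { InputValue1 = s; }));
        __builder.CloseComponent();
    }
}
```

The second and third forms are the ones the `ComponentEventCallbackJumpNode2` comment describes: the string argument `"Param1Changed"` in `AddComponentParameter` names the child's `EventCallback<string>` property, and a value the child passes to `Param1Changed.InvokeAsync` arrives as the lambda parameter `s` (or as `HandleChange`'s parameter) in the parent, which is the edge the jump node has to add because no ordinary call connects the two.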
No description provided.