Merge pull request #21400 from michaelnebel/csharp/implicitconversionreverseflowtaint

michaelnebel · web-flow · commit 219ea28217ec · 2026-03-04T12:40:59.000+01:00
C#: Add default taint step from an implicit operator call to its argument.
diff --git a/csharp/ql/lib/change-notes/2026-03-03-implicit-conversion-reverse-flow.md b/csharp/ql/lib/change-notes/2026-03-03-implicit-conversion-reverse-flow.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added reverse taint flow from implicit conversion operator calls to their arguments.
diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/TaintTrackingPrivate.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/TaintTrackingPrivate.qll
@@ -109,6 +109,16 @@ private class LocalTaintExprStepConfiguration extends ControlFlowReachabilityCon
   }
 }
 
+private ControlFlow::Nodes::ExprNode getALastEvalNode(ControlFlow::Nodes::ExprNode cfn) {
+  exists(OperatorCall oc | any(LocalTaintExprStepConfiguration x).hasExprPath(_, result, oc, cfn) |
+    oc.getTarget() instanceof ImplicitConversionOperator
+  )
+}
+
+private ControlFlow::Nodes::ExprNode getPostUpdateReverseStep(ControlFlow::Nodes::ExprNode e) {
+  result = getALastEvalNode(e)
+}
+
 private predicate localTaintStepCommon(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
   hasNodePath(any(LocalTaintExprStepConfiguration x), nodeFrom, nodeTo)
 }
@@ -177,6 +187,16 @@ private module Cached {
       readStep(nodeFrom, any(DataFlow::ContentSet c | c.isElement()), nodeTo)
       or
       nodeTo = nodeFrom.(DataFlow::NonLocalJumpNode).getAJumpSuccessor(false)
+      or
+      // Allow reverse update flow for implicit conversion operator calls.
+      // This is needed to support flow out of method call arguments, where an implicit conversion is applied
+      // to a call argument.
+      nodeTo.(PostUpdateNode).getPreUpdateNode().(DataFlow::ExprNode).getControlFlowNode() =
+        getPostUpdateReverseStep(nodeFrom
+              .(PostUpdateNode)
+              .getPreUpdateNode()
+              .(DataFlow::ExprNode)
+              .getControlFlowNode())
     ) and
     model = ""
     or
diff --git a/csharp/ql/test/library-tests/dataflow/operators/ImplicitConversionOperator.cs b/csharp/ql/test/library-tests/dataflow/operators/ImplicitConversionOperator.cs
@@ -0,0 +1,14 @@
+using System;
+
+public class TestImplicitConversionOperator
+{
+    static void Sink(object o) { }
+    static void TaintArgument(ArraySegment<byte> segment) { }
+
+    public void M1()
+    {
+        byte[] bytes = new byte[1];
+        TaintArgument(bytes);
+        Sink(bytes);
+    }
+}
diff --git a/csharp/ql/test/library-tests/dataflow/operators/implicitConversionOperatorFlow.expected b/csharp/ql/test/library-tests/dataflow/operators/implicitConversionOperatorFlow.expected
@@ -0,0 +1,8 @@
+edges
+| ImplicitConversionOperator.cs:11:23:11:27 | [post] call to operator implicit conversion : ArraySegment<Byte> | ImplicitConversionOperator.cs:12:14:12:18 | access to local variable bytes | provenance |  |
+nodes
+| ImplicitConversionOperator.cs:11:23:11:27 | [post] call to operator implicit conversion : ArraySegment<Byte> | semmle.label | [post] call to operator implicit conversion : ArraySegment<Byte> |
+| ImplicitConversionOperator.cs:12:14:12:18 | access to local variable bytes | semmle.label | access to local variable bytes |
+subpaths
+#select
+| ImplicitConversionOperator.cs:12:14:12:18 | access to local variable bytes | ImplicitConversionOperator.cs:11:23:11:27 | [post] call to operator implicit conversion : ArraySegment<Byte> | ImplicitConversionOperator.cs:12:14:12:18 | access to local variable bytes | $@ | ImplicitConversionOperator.cs:11:23:11:27 | [post] call to operator implicit conversion : ArraySegment<Byte> | [post] call to operator implicit conversion : ArraySegment<Byte> |
diff --git a/csharp/ql/test/library-tests/dataflow/operators/implicitConversionOperatorFlow.ql b/csharp/ql/test/library-tests/dataflow/operators/implicitConversionOperatorFlow.ql
@@ -0,0 +1,29 @@
+/**
+ * @kind path-problem
+ */
+
+import csharp
+import semmle.code.csharp.dataflow.internal.DataFlowPrivate as DataFlowPrivate
+import Taint::PathGraph
+
+module TaintConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node src) {
+    exists(MethodCall mc |
+      mc.getTarget().hasName("TaintArgument") and
+      mc.getAnArgument() = src.(DataFlowPrivate::PostUpdateNode).getPreUpdateNode().asExpr()
+    )
+  }
+
+  predicate isSink(DataFlow::Node sink) {
+    exists(MethodCall mc |
+      mc.getTarget().hasName("Sink") and
+      mc.getAnArgument() = sink.asExpr()
+    )
+  }
+}
+
+module Taint = TaintTracking::Global<TaintConfig>;
+
+from Taint::PathNode source, Taint::PathNode sink
+where Taint::flowPath(source, sink)
+select sink, source, sink, "$@", source, source.toString()

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: minorAnalysis
 +---
 +* Added reverse taint flow from implicit conversion operator calls to their arguments.