I have this simple `Test` class, where I'm trying to mimic a path problem, with `Message1` as source and `Console.WriteLine(Message1)` as sink.
```csharp
using System;

class Test
{
    private const string Message1 = "Test Message 1";
    private readonly string Message2 = "Test Message 2";

    public void Run()
    {
        Console.WriteLine(Message1);
        Console.WriteLine(Message2);
    }
}
```

```ql
import csharp
import DataFlow::PathGraph

// Source: any string literal expression.
class Source extends DataFlow::Node {
  Source() { this.asExpr() instanceof StringLiteral }
}

class WriteLineMethod extends Method {
  WriteLineMethod() { this.hasQualifiedName("System.Console.WriteLine") }
}

// Sink: the first argument of a call to Console.WriteLine.
class Sink extends DataFlow::Node {
  Sink() {
    exists(MethodCall m |
      m.getTarget() instanceof WriteLineMethod and
      this.asExpr() = m.getArgument(0)
    )
  }
}

class SimpleConfiguration extends TaintTracking::Configuration {
  SimpleConfiguration() { this = "Simple configuration" }

  override predicate isSource(DataFlow::Node source) { source instanceof Source }

  override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
}

from DataFlow::PathNode source, DataFlow::PathNode sink, SimpleConfiguration cfg
where cfg.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "$@ is used in WriteLine method.", source.getNode(),
  "String"
```

Here I did a simple taint tracking analysis on the above `Test` class using the above query. For the const field `private const string Message1 = "Test Message 1";` as source and `Console.WriteLine(Message1);` as sink, I'm getting the correct result, but for the non-const field `private readonly string Message2 = "Test Message 2";` it doesn't seem to work.

Did I miss something here? Why does taint tracking work for a const field or a static field in a static class but not for an instance field?
