LogForgingAsp.cs
using System;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Http.Headers;
using Microsoft.AspNetCore.Mvc;
/// <summary>
/// Minimal single-member enum; <c>AspController.ActionEnum</c> takes it as a parameter
/// so that an enum-typed value is interpolated into a log message.
/// </summary>
public enum TestEnum
{
    TestEnumValue
}
/// <summary>
/// Log-forging fixture: every action writes its parameter into a warning-level log message.
/// Only the string-typed action is marked BAD; the others are marked GOOD because the
/// parameter type (date, number, bool, enum) is treated as a sanitizer.
/// </summary>
/// <remarks>
/// NOTE(review): the trailing <c>// $ Source</c> and <c>// $ Alert</c> comments look like inline
/// expected-result markers for an analysis test, so keep them on the lines they annotate.
/// <c>ILogger</c> is not declared in this file and is instantiated with <c>new</c>, so it is
/// presumably a test stub defined elsewhere; confirm before reusing this code.
/// </remarks>
public class AspController : ControllerBase
{
    /// <summary>
    /// Logs a string parameter by concatenating it into the message unchanged.
    /// </summary>
    /// <param name="username">Free-form text; marked as the taint source of this test case.</param>
    public void Action1(string username) // $ Source
    {
        var logger = new ILogger();
        // BAD: Logged as-is
        // A string can carry CR/LF, so the value can end the real entry and start a fabricated one.
        // The usual fix is to strip or encode line breaks before logging, or to pass the value
        // as a structured-logging argument instead of building the message text from it.
        logger.Warn(username + " logged in"); // $ Alert
    }
    /// <summary>
    /// Logs a <see cref="DateTime"/> parameter rendered with the fixed format <c>yyyy-MM-dd</c>.
    /// </summary>
    /// <param name="date">Date value interpolated into the message.</param>
    public void Action1(DateTime date)
    {
        var logger = new ILogger();
        // GOOD: DateTime is a sanitizer.
        // The logged text is the formatted date, not caller-supplied characters.
        logger.Warn($"Warning about the date: {date:yyyy-MM-dd}");
    }
    /// <summary>
    /// Logs a nullable <see cref="DateTime"/> parameter, but only when it has a value.
    /// </summary>
    /// <param name="date">Optional date; nothing is logged when it is null.</param>
    public void Action2(DateTime? date)
    {
        var logger = new ILogger();
        if (date is not null)
        {
            // GOOD: DateTime? is a sanitizer.
            logger.Warn($"Warning about the date: {date:yyyy-MM-dd}");
        }
    }
    /// <summary>
    /// Logs a nullable <see cref="bool"/> parameter, but only when it has a value.
    /// </summary>
    /// <param name="b">Optional flag; nothing is logged when it is null.</param>
    public void Action2(bool? b)
    {
        var logger = new ILogger();
        if (b is not null)
        {
            // GOOD: Boolean? is a sanitizer.
            logger.Warn($"Warning about the bool: {b}");
        }
    }
    /// <summary>
    /// Logs an <see cref="int"/> parameter through string interpolation.
    /// </summary>
    /// <param name="i">Integer value interpolated into the message.</param>
    public void ActionInt(int i)
    {
        var logger = new ILogger();
        // GOOD: int is a sanitizer.
        logger.Warn($"Warning about the int: {i}");
    }
    /// <summary>
    /// Logs a <see cref="long"/> parameter through string interpolation.
    /// </summary>
    /// <param name="l">Integer value interpolated into the message.</param>
    public void ActionLong(long l)
    {
        var logger = new ILogger();
        // GOOD: long is a sanitizer.
        logger.Warn($"Warning about the long: {l}");
    }
    /// <summary>
    /// Logs a <see cref="float"/> parameter through string interpolation.
    /// </summary>
    /// <param name="f">Floating-point value interpolated into the message.</param>
    public void ActionFloat(float f)
    {
        var logger = new ILogger();
        // GOOD: float is a sanitizer.
        logger.Warn($"Warning about the float: {f}");
    }
    /// <summary>
    /// Logs a <see cref="double"/> parameter through string interpolation.
    /// </summary>
    /// <param name="d">Floating-point value interpolated into the message.</param>
    public void ActionDouble(double d)
    {
        var logger = new ILogger();
        // GOOD: double is a sanitizer.
        logger.Warn($"Warning about the double: {d}");
    }
    /// <summary>
    /// Logs a <see cref="decimal"/> parameter through string interpolation.
    /// </summary>
    /// <param name="d">Decimal value interpolated into the message.</param>
    public void ActionDecimal(decimal d)
    {
        var logger = new ILogger();
        // GOOD: decimal is a sanitizer.
        logger.Warn($"Warning about the decimal: {d}");
    }
    /// <summary>
    /// Logs a <see cref="TestEnum"/> parameter through string interpolation.
    /// </summary>
    /// <param name="e">Enum value interpolated into the message.</param>
    public void ActionEnum(TestEnum e)
    {
        var logger = new ILogger();
        // GOOD: Enum is a sanitizer.
        logger.Warn($"Warning about the enum: {e}");
    }
    /// <summary>
    /// Logs a <see cref="DateTimeOffset"/> parameter through string interpolation,
    /// with no explicit format string.
    /// </summary>
    /// <param name="dt">Date/time value interpolated into the message.</param>
    public void ActionDateTime(DateTimeOffset dt)
    {
        var logger = new ILogger();
        // GOOD: DateTimeOffset is a sanitizer.
        logger.Warn($"Warning about the DateTimeOffset: {dt}");
    }
}