C#: Deprecate experimental queries. #17911

Status: Open. Wants to merge 3 commits into base branch main.

Conversation

michaelnebel (Contributor):

The experimental queries are being deprecated. Instead, a copy of the queries has been added to the CodeQL-Community-Packs.

Code scanning (CodeQL) raised the same warning on four lines of the deprecated queries: "Using 'toString' in query logic" (Query logic depends on implementation of 'toString'). The flagged fragments are shown below, with the reported line last in each.

Fragment 1 (flagged line: classMessage = c.toString()):

```ql
isClassUnsafeXmlSerializerImplementation(c, m) and
message =
  "Defining an serializable class $@ that has member $@ of a type that is derived from DataSet or DataTable types and may lead to a security problem. Please visit https://go.microsoft.com/fwlink/?linkid=2132227 for details." and
classMessage = c.toString() and
```

Check warning: Code scanning / CodeQL. Using 'toString' in query logic (Warning). Query logic depends on implementation of 'toString'.

Fragment 2 (flagged line: memberMessage = m.toString()):

```ql
  "Defining an serializable class $@ that has member $@ of a type that is derived from DataSet or DataTable types and may lead to a security problem. Please visit https://go.microsoft.com/fwlink/?linkid=2132227 for details." and
classMessage = c.toString() and
member = m and
memberMessage = m.toString()
```

Check warning: Code scanning / CodeQL. Using 'toString' in query logic (Warning). Query logic depends on implementation of 'toString'.

Fragment 3 (flagged line: sourceMessage = source.toString()):

```ql
FlowToDataSerializerConstructor::flow(source, sink) and
message =
  "Unsafe type is used in data contract serializer. Make sure $@ comes from the trusted source." and
sourceMessage = source.toString()
```

Check warning: Code scanning / CodeQL. Using 'toString' in query logic (Warning). Query logic depends on implementation of 'toString'.

Fragment 4 (flagged line: timeComparisonCallString = timeComparisonCall.toString()):

```ql
timeComparisonCall, selStatement) and
message =
  "Possible TimeBomb logic triggered by an $@ that takes into account $@ from the $@ as part of the potential trigger." and
timeComparisonCallString = timeComparisonCall.toString() and
```

Check warning: Code scanning / CodeQL. Using 'toString' in query logic (Warning). Query logic depends on implementation of 'toString'.
michaelnebel (Contributor, Author):

DCA didn't report any performance degradations or changes to alerts.

michaelnebel marked this pull request as ready for review on November 7, 2024 15:00.
michaelnebel requested a review from a team as a code owner on November 7, 2024 15:00.