From d203bceb1c18ec99356ee5262be1ca57fcddb4a0 Mon Sep 17 00:00:00 2001 From: Daniel Romano <108014683+daniel-romano-DD@users.noreply.github.com> Date: Fri, 27 Dec 2024 12:11:57 +0100 Subject: [PATCH] Propagation tests reorg --- .../Bugs/GetCustomAttributesCrashTests.cs | 2 +- .../InstrumentationTestsBase.cs | 2 +- .../{Vulnerabilities => }/ObjectsForTests.cs | 2 +- .../DefaultInterpolatedStringHandlerTests.cs | 2 +- .../String/StringCaseChangeTests.cs | 18 +- .../String/StringConcatTests.cs | 268 +++++++++--------- .../String/StringCopyTests.cs | 8 +- .../String/StringFormatTests.cs | 164 +++++------ .../String/StringGeneralTests.cs | 2 +- .../String/StringInsertTests.cs | 14 +- .../String/StringJoinTests.cs | 178 ++++++------ .../String/StringMaxRangesTests.cs | 2 +- .../String/StringPadTests.cs | 26 +- .../String/StringRemoveTests.cs | 44 +-- .../String/StringReplaceTests.cs | 32 +-- .../String/StringSplitTests.cs | 18 +- .../String/StringSubstringTests.cs | 14 +- .../String/StringToCharArrayTests.cs | 2 +- .../String/StringTrimTests.cs | 14 +- .../StringBuilderAppendFormatTests.cs | 61 ++-- .../StringBuilder/StringBuilderAppendJoin.cs | 90 +++--- .../StringBuilder/StringBuilderAppendTests.cs | 152 +++++----- .../StringBuilder/StringBuilderBasicTests.cs | 131 +++++---- .../StringBuilder/StringBuilderCopyToTests.cs | 15 +- .../StringBuilder/StringBuilderInsertTests.cs | 113 ++++---- .../StringBuilderMaxRangesTests.cs | 6 +- .../StringBuilder/StringBuilderRemoveTests.cs | 37 +-- .../StringBuilderReplaceTests.cs | 98 +++---- .../Vulnerabilities/SSRF/UrlEscapeTests.cs | 2 +- .../Vulnerabilities/Xss/HtmlEscapeTests.cs | 2 +- 30 files changed, 759 insertions(+), 760 deletions(-) rename tracer/test/test-applications/integrations/Samples.InstrumentedTests/{Vulnerabilities => }/InstrumentationTestsBase.cs (99%) rename tracer/test/test-applications/integrations/Samples.InstrumentedTests/{Vulnerabilities => }/ObjectsForTests.cs (97%) rename tracer/test/test-applications/integrations/Samples.InstrumentedTests/{Vulnerabilities => Propagation}/String/DefaultInterpolatedStringHandlerTests.cs (99%) rename tracer/test/test-applications/integrations/Samples.InstrumentedTests/{Vulnerabilities => Propagation}/String/StringCaseChangeTests.cs (90%) rename tracer/test/test-applications/integrations/Samples.InstrumentedTests/{Vulnerabilities => Propagation}/String/StringConcatTests.cs (53%) rename tracer/test/test-applications/integrations/Samples.InstrumentedTests/{Vulnerabilities => Propagation}/String/StringCopyTests.cs (65%) rename tracer/test/test-applications/integrations/Samples.InstrumentedTests/{Vulnerabilities => Propagation}/String/StringFormatTests.cs (56%) rename tracer/test/test-applications/integrations/Samples.InstrumentedTests/{Vulnerabilities => Propagation}/String/StringGeneralTests.cs (84%) rename tracer/test/test-applications/integrations/Samples.InstrumentedTests/{Vulnerabilities => Propagation}/String/StringInsertTests.cs (88%) rename tracer/test/test-applications/integrations/Samples.InstrumentedTests/{Vulnerabilities => Propagation}/String/StringJoinTests.cs (60%) rename tracer/test/test-applications/integrations/Samples.InstrumentedTests/{Vulnerabilities => Propagation}/String/StringMaxRangesTests.cs (98%) rename tracer/test/test-applications/integrations/Samples.InstrumentedTests/{Vulnerabilities => Propagation}/String/StringPadTests.cs (80%) rename tracer/test/test-applications/integrations/Samples.InstrumentedTests/{Vulnerabilities => Propagation}/String/StringRemoveTests.cs (80%) rename tracer/test/test-applications/integrations/Samples.InstrumentedTests/{Vulnerabilities => Propagation}/String/StringReplaceTests.cs (90%) rename tracer/test/test-applications/integrations/Samples.InstrumentedTests/{Vulnerabilities => Propagation}/String/StringSplitTests.cs (95%) rename tracer/test/test-applications/integrations/Samples.InstrumentedTests/{Vulnerabilities => Propagation}/String/StringSubstringTests.cs (90%) rename tracer/test/test-applications/integrations/Samples.InstrumentedTests/{Vulnerabilities => Propagation}/String/StringToCharArrayTests.cs (95%) rename tracer/test/test-applications/integrations/Samples.InstrumentedTests/{Vulnerabilities => Propagation}/String/StringTrimTests.cs (94%) rename tracer/test/test-applications/integrations/Samples.InstrumentedTests/{Vulnerabilities => Propagation}/StringBuilder/StringBuilderAppendFormatTests.cs (66%) rename tracer/test/test-applications/integrations/Samples.InstrumentedTests/{Vulnerabilities => Propagation}/StringBuilder/StringBuilderAppendJoin.cs (71%) rename tracer/test/test-applications/integrations/Samples.InstrumentedTests/{Vulnerabilities => Propagation}/StringBuilder/StringBuilderAppendTests.cs (60%) rename tracer/test/test-applications/integrations/Samples.InstrumentedTests/{Vulnerabilities => Propagation}/StringBuilder/StringBuilderBasicTests.cs (59%) rename tracer/test/test-applications/integrations/Samples.InstrumentedTests/{Vulnerabilities => Propagation}/StringBuilder/StringBuilderCopyToTests.cs (64%) rename tracer/test/test-applications/integrations/Samples.InstrumentedTests/{Vulnerabilities => Propagation}/StringBuilder/StringBuilderInsertTests.cs (70%) rename tracer/test/test-applications/integrations/Samples.InstrumentedTests/{Vulnerabilities => Propagation}/StringBuilder/StringBuilderMaxRangesTests.cs (95%) rename tracer/test/test-applications/integrations/Samples.InstrumentedTests/{Vulnerabilities => Propagation}/StringBuilder/StringBuilderRemoveTests.cs (74%) rename tracer/test/test-applications/integrations/Samples.InstrumentedTests/{Vulnerabilities => Propagation}/StringBuilder/StringBuilderReplaceTests.cs (64%) diff --git a/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Bugs/GetCustomAttributesCrashTests.cs b/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Bugs/GetCustomAttributesCrashTests.cs index cfbde39af791..1794fb279e91 100644 --- a/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Bugs/GetCustomAttributesCrashTests.cs +++ b/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Bugs/GetCustomAttributesCrashTests.cs @@ -8,7 +8,7 @@ namespace Samples.InstrumentedTests.Iast.Bugs; -public class GetCustomAttributesCrashTests : Samples.InstrumentedTests.Iast.Vulnerabilities.InstrumentationTestsBase +public class GetCustomAttributesCrashTests : Samples.InstrumentedTests.Iast.InstrumentationTestsBase { public GetCustomAttributesCrashTests() { diff --git a/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/InstrumentationTestsBase.cs b/tracer/test/test-applications/integrations/Samples.InstrumentedTests/InstrumentationTestsBase.cs similarity index 99% rename from tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/InstrumentationTestsBase.cs rename to tracer/test/test-applications/integrations/Samples.InstrumentedTests/InstrumentationTestsBase.cs index 7315939c4ef7..b6e582c99123 100644 --- a/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/InstrumentationTestsBase.cs +++ b/tracer/test/test-applications/integrations/Samples.InstrumentedTests/InstrumentationTestsBase.cs @@ -15,7 +15,7 @@ using Castle.Core.Internal; using FluentAssertions; -namespace Samples.InstrumentedTests.Iast.Vulnerabilities; +namespace Samples.InstrumentedTests.Iast; public class InstrumentationTestsBase : IDisposable { diff --git a/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/ObjectsForTests.cs b/tracer/test/test-applications/integrations/Samples.InstrumentedTests/ObjectsForTests.cs similarity index 97% rename from tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/ObjectsForTests.cs rename to tracer/test/test-applications/integrations/Samples.InstrumentedTests/ObjectsForTests.cs index 407cbd84af9b..dc21e9c2d773 100644 --- a/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/ObjectsForTests.cs +++ b/tracer/test/test-applications/integrations/Samples.InstrumentedTests/ObjectsForTests.cs @@ -1,6 +1,6 @@ using System; -namespace Samples.InstrumentedTests.Iast.Vulnerabilities; +namespace Samples.InstrumentedTests.Iast; struct StructForStringTest { readonly string str; diff --git a/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/String/DefaultInterpolatedStringHandlerTests.cs b/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Propagation/String/DefaultInterpolatedStringHandlerTests.cs similarity index 99% rename from tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/String/DefaultInterpolatedStringHandlerTests.cs rename to tracer/test/test-applications/integrations/Samples.InstrumentedTests/Propagation/String/DefaultInterpolatedStringHandlerTests.cs index e8fb6b46a000..197314fc807e 100644 --- a/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/String/DefaultInterpolatedStringHandlerTests.cs +++ b/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Propagation/String/DefaultInterpolatedStringHandlerTests.cs @@ -5,7 +5,7 @@ using System.Runtime.CompilerServices; using FluentAssertions; -namespace Samples.InstrumentedTests.Iast.Vulnerabilities.StringPropagation; +namespace Samples.InstrumentedTests.Iast.Propagation.String; public class DefaultInterpolatedStringHandlerTests : InstrumentationTestsBase { diff --git a/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/String/StringCaseChangeTests.cs b/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Propagation/String/StringCaseChangeTests.cs similarity index 90% rename from tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/String/StringCaseChangeTests.cs rename to tracer/test/test-applications/integrations/Samples.InstrumentedTests/Propagation/String/StringCaseChangeTests.cs index 70f461a7ce41..96c3b21a1e88 100644 --- a/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/String/StringCaseChangeTests.cs +++ b/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Propagation/String/StringCaseChangeTests.cs @@ -3,7 +3,7 @@ using FluentAssertions; using Xunit; -namespace Samples.InstrumentedTests.Iast.Vulnerabilities.StringPropagation; +namespace Samples.InstrumentedTests.Iast.Propagation.String; public class StringCaseChangeTests : InstrumentationTestsBase { @@ -33,8 +33,8 @@ public void GivenATaintedObject_WhenCallingToUpper_ResultIsOk() string str1 = AddTaintedString("0a2"); string str2 = AddTaintedString("0b2"); AssertTaintedFormatWithOriginalCallCheck(" :+-0A2-+: :+-0B2-+:", - String.Concat(" ", str1, " ", str2).ToUpper(), - () => String.Concat(" ", str1, " ", str2).ToUpper()); + System.String.Concat(" ", str1, " ", str2).ToUpper(), + () => System.String.Concat(" ", str1, " ", str2).ToUpper()); } [Fact] @@ -49,8 +49,8 @@ public void GivenATaintedObject_WhenCallingToLower_ResultIsOk() string str1 = AddTaintedString("0A2"); string str2 = AddTaintedString("0B2"); AssertTaintedFormatWithOriginalCallCheck(" :+-0a2-+: :+-0b2-+:", - String.Concat(" ", str1, " ", str2).ToLower(), - () => String.Concat(" ", str1, " ", str2).ToLower()); + System.String.Concat(" ", str1, " ", str2).ToLower(), + () => System.String.Concat(" ", str1, " ", str2).ToLower()); } [Fact] @@ -65,8 +65,8 @@ public void GivenATaintedObject_WhenCallingToUpperInvariant_ResultIsOk() string str1 = AddTaintedString("0a2"); string str2 = AddTaintedString("0b2"); AssertTaintedFormatWithOriginalCallCheck(" :+-0A2-+: :+-0B2-+:", - String.Concat(" ", str1, " ", str2).ToUpperInvariant(), - () => String.Concat(" ", str1, " ", str2).ToUpperInvariant()); + System.String.Concat(" ", str1, " ", str2).ToUpperInvariant(), + () => System.String.Concat(" ", str1, " ", str2).ToUpperInvariant()); } [Fact] @@ -81,8 +81,8 @@ public void GivenATaintedObject_WhenCallingToLowerInvariant_ResultIsOk() string str1 = AddTaintedString("0A2"); string str2 = AddTaintedString("0B2"); AssertTaintedFormatWithOriginalCallCheck(" :+-0a2-+: :+-0b2-+:", - String.Concat(" ", str1, " ", str2).ToLowerInvariant(), - () => String.Concat(" ", str1, " ", str2).ToLowerInvariant()); + System.String.Concat(" ", str1, " ", str2).ToLowerInvariant(), + () => System.String.Concat(" ", str1, " ", str2).ToLowerInvariant()); } [Fact] diff --git a/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/String/StringConcatTests.cs b/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Propagation/String/StringConcatTests.cs similarity index 53% rename from tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/String/StringConcatTests.cs rename to tracer/test/test-applications/integrations/Samples.InstrumentedTests/Propagation/String/StringConcatTests.cs index 3a9e1fc043cd..4a757682334f 100644 --- a/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/String/StringConcatTests.cs +++ b/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Propagation/String/StringConcatTests.cs @@ -3,7 +3,7 @@ using FluentAssertions; using Xunit; -namespace Samples.InstrumentedTests.Iast.Vulnerabilities.StringPropagation; +namespace Samples.InstrumentedTests.Iast.Propagation.String; public class StringConcatTests : InstrumentationTestsBase { @@ -39,33 +39,33 @@ public void GivenStringConcatOperations_WhenPerformed_ResultIsOK() var testString4 = AddTaintedString(".,;:?"); var testString5 = AddTaintedString("+-*/{}"); - FormatTainted(String.Concat(testString1, testString2)).Should().Be(":+-01-+::+-abc-+:"); - FormatTainted(String.Concat("01", testString2)).Should().Be("01:+-abc-+:"); - FormatTainted(String.Concat(testString1, "abc")).Should().Be(":+-01-+:abc"); + FormatTainted(System.String.Concat(testString1, testString2)).Should().Be(":+-01-+::+-abc-+:"); + FormatTainted(System.String.Concat("01", testString2)).Should().Be("01:+-abc-+:"); + FormatTainted(System.String.Concat(testString1, "abc")).Should().Be(":+-01-+:abc"); - FormatTainted(String.Concat(testString1, null, testString2)).Should().Be(":+-01-+::+-abc-+:"); - FormatTainted(String.Concat((object)testString1, (object)testString2)).Should().Be(":+-01-+::+-abc-+:"); - FormatTainted(String.Concat((object)testString1, null, (object)testString2)).Should().Be(":+-01-+::+-abc-+:"); + FormatTainted(System.String.Concat(testString1, null, testString2)).Should().Be(":+-01-+::+-abc-+:"); + FormatTainted(System.String.Concat((object)testString1, (object)testString2)).Should().Be(":+-01-+::+-abc-+:"); + FormatTainted(System.String.Concat((object)testString1, null, (object)testString2)).Should().Be(":+-01-+::+-abc-+:"); - FormatTainted(String.Concat(testString1, testString2, testString3)).Should().Be(":+-01-+::+-abc-+::+-ABCD-+:"); - FormatTainted(String.Concat((object)testString1, (object)testString2, (object)testString3)).Should().Be(":+-01-+::+-abc-+::+-ABCD-+:"); + FormatTainted(System.String.Concat(testString1, testString2, testString3)).Should().Be(":+-01-+::+-abc-+::+-ABCD-+:"); + FormatTainted(System.String.Concat((object)testString1, (object)testString2, (object)testString3)).Should().Be(":+-01-+::+-abc-+::+-ABCD-+:"); - FormatTainted(String.Concat(testString1, testString2, testString3, testString4)).Should().Be(":+-01-+::+-abc-+::+-ABCD-+::+-.,;:?-+:"); - FormatTainted(String.Concat((object)testString1, (object)testString2, (object)testString3, (object)testString4)).Should().Be(":+-01-+::+-abc-+::+-ABCD-+::+-.,;:?-+:"); + FormatTainted(System.String.Concat(testString1, testString2, testString3, testString4)).Should().Be(":+-01-+::+-abc-+::+-ABCD-+::+-.,;:?-+:"); + FormatTainted(System.String.Concat((object)testString1, (object)testString2, (object)testString3, (object)testString4)).Should().Be(":+-01-+::+-abc-+::+-ABCD-+::+-.,;:?-+:"); - FormatTainted(String.Concat(testString1, testString2, testString3, testString4, testString5)).Should().Be(":+-01-+::+-abc-+::+-ABCD-+::+-.,;:?-+::+-+-*/{}-+:"); - FormatTainted(String.Concat((object)testString1, (object)testString2, (object)testString3, (object)testString4, (object)testString5)).Should().Be(":+-01-+::+-abc-+::+-ABCD-+::+-.,;:?-+::+-+-*/{}-+:"); + FormatTainted(System.String.Concat(testString1, testString2, testString3, testString4, testString5)).Should().Be(":+-01-+::+-abc-+::+-ABCD-+::+-.,;:?-+::+-+-*/{}-+:"); + FormatTainted(System.String.Concat((object)testString1, (object)testString2, (object)testString3, (object)testString4, (object)testString5)).Should().Be(":+-01-+::+-abc-+::+-ABCD-+::+-.,;:?-+::+-+-*/{}-+:"); - FormatTainted(String.Concat(new string[] { testString1, testString2, testString3, testString4, testString5 })).Should().Be(":+-01-+::+-abc-+::+-ABCD-+::+-.,;:?-+::+-+-*/{}-+:"); - FormatTainted(String.Concat(new object[] { testString1, testString2, testString3, testString4, testString5 })).Should().Be(":+-01-+::+-abc-+::+-ABCD-+::+-.,;:?-+::+-+-*/{}-+:"); - FormatTainted(String.Concat(testString1, " dummy ")).Should().Be(":+-01-+: dummy "); - FormatTainted(String.Concat(" dummy ", testString2, " dummy ")).Should().Be(" dummy :+-abc-+: dummy "); - FormatTainted(String.Concat(" dummy ", testString3)).Should().Be(" dummy :+-ABCD-+:"); - FormatTainted(String.Concat(testString1, " dummy ", testString3)).Should().Be(":+-01-+: dummy :+-ABCD-+:"); + FormatTainted(System.String.Concat(new string[] { testString1, testString2, testString3, testString4, testString5 })).Should().Be(":+-01-+::+-abc-+::+-ABCD-+::+-.,;:?-+::+-+-*/{}-+:"); + FormatTainted(System.String.Concat(new object[] { testString1, testString2, testString3, testString4, testString5 })).Should().Be(":+-01-+::+-abc-+::+-ABCD-+::+-.,;:?-+::+-+-*/{}-+:"); + FormatTainted(System.String.Concat(testString1, " dummy ")).Should().Be(":+-01-+: dummy "); + FormatTainted(System.String.Concat(" dummy ", testString2, " dummy ")).Should().Be(" dummy :+-abc-+: dummy "); + FormatTainted(System.String.Concat(" dummy ", testString3)).Should().Be(" dummy :+-ABCD-+:"); + FormatTainted(System.String.Concat(testString1, " dummy ", testString3)).Should().Be(":+-01-+: dummy :+-ABCD-+:"); - FormatTainted(String.Concat(null, testString2, " dummy ")).Should().Be(":+-abc-+: dummy "); - FormatTainted(String.Concat(null, testString2, (object)" dummy ")).Should().Be(":+-abc-+: dummy "); - FormatTainted(String.Concat((object)" dummy ", null, testString2, (object)" dummy ")).Should().Be(" dummy :+-abc-+: dummy "); + FormatTainted(System.String.Concat(null, testString2, " dummy ")).Should().Be(":+-abc-+: dummy "); + FormatTainted(System.String.Concat(null, testString2, (object)" dummy ")).Should().Be(":+-abc-+: dummy "); + FormatTainted(System.String.Concat((object)" dummy ", null, testString2, (object)" dummy ")).Should().Be(" dummy :+-abc-+: dummy "); } [Fact] @@ -77,19 +77,19 @@ public void GivenStringConcatOperations_WhenPerformedWithGenerics_ResultIsOK() var testString4 = AddTaintedString(".,;:?"); var testString5 = AddTaintedString("+-*/{}"); - FormatTainted(String.Concat(new List { testString1, testString2, testString3, testString4, testString5 })).Should().Be(":+-01-+::+-abc-+::+-ABCD-+::+-.,;:?-+::+-+-*/{}-+:"); + FormatTainted(System.String.Concat(new List { testString1, testString2, testString3, testString4, testString5 })).Should().Be(":+-01-+::+-abc-+::+-ABCD-+::+-.,;:?-+::+-+-*/{}-+:"); } [Fact] public void GivenAStringConcatOneString_WhenPerformed_ResultIsOK() { - AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:", String.Concat(taintedValue), () => String.Concat(taintedValue)); + AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:", System.String.Concat(taintedValue), () => System.String.Concat(taintedValue)); } [Fact] public void GivenAStringConcatOneObject_WhenPerformed_ResultIsOK() { - AssertTaintedFormatWithOriginalCallCheck(":+-TaintedObject-+:", String.Concat(TaintedObject), () => String.Concat(TaintedObject)); + AssertTaintedFormatWithOriginalCallCheck(":+-TaintedObject-+:", System.String.Concat(TaintedObject), () => System.String.Concat(TaintedObject)); } [Fact] @@ -97,8 +97,8 @@ public void GivenAStringConcatBasicWithTainted_WhenPerformed_ResultIsOK() { AssertTaintedFormatWithOriginalCallCheck( "This is a tainted literal :+-TaintedString-+:", - String.Concat("This is a tainted literal ", TaintedString), - () => String.Concat("This is a tainted literal ", TaintedString)); + System.String.Concat("This is a tainted literal ", TaintedString), + () => System.String.Concat("This is a tainted literal ", TaintedString)); } [Fact] @@ -106,8 +106,8 @@ public void GivenAStringConcatBasicWithBothTainted_WhenPerformed_ResultIsOK() { AssertTaintedFormatWithOriginalCallCheck( ":+-TaintedString-+::+-TaintedString-+:", - String.Concat(TaintedString, TaintedString), - () => String.Concat(TaintedString, TaintedString)); + System.String.Concat(TaintedString, TaintedString), + () => System.String.Concat(TaintedString, TaintedString)); } [Fact] @@ -115,8 +115,8 @@ public void GivenAStringConcatBasicWithBoth2_WhenPerformed_ResultIsOK() { AssertTaintedFormatWithOriginalCallCheck( ":+-TaintedString-+:UntaintedString", - String.Concat(TaintedString, UntaintedString), - () => String.Concat(TaintedString, UntaintedString)); + System.String.Concat(TaintedString, UntaintedString), + () => System.String.Concat(TaintedString, UntaintedString)); } [Fact] @@ -124,14 +124,14 @@ public void GivenAStringLiteralsOptimizationsConcat_WhenPerformed_ResultIsOK() { AssertTaintedFormatWithOriginalCallCheck( ":+-TaintedString-+:UntaintedString", - String.Concat(TaintedString, "UntaintedString"), - () => String.Concat(TaintedString, "UntaintedString")); + System.String.Concat(TaintedString, "UntaintedString"), + () => System.String.Concat(TaintedString, "UntaintedString")); } [Fact] public void GivenAStringLiteralsOptimizationsConcat_WhenPerformed_ResultIsOK2() { - AssertTaintedFormatWithOriginalCallCheck("UntaintedString:+-TaintedString-+:",String.Concat("UntaintedString", TaintedString),() => String.Concat("UntaintedString", TaintedString)); + AssertTaintedFormatWithOriginalCallCheck("UntaintedString:+-TaintedString-+:", System.String.Concat("UntaintedString", TaintedString),() => System.String.Concat("UntaintedString", TaintedString)); } [Fact] @@ -143,7 +143,7 @@ public void GivenAStringLiteralsOptimizationsConcat_WhenPerformed_ResultIsOK3() [Fact] public void GivenAStringConcatBasicWithBothJoined_WhenPerformed_ResultIsOK() { - FormatTainted(String.Concat(String.Concat(TaintedString, UntaintedString), TaintedString)).Should().Be(":+-TaintedString-+:UntaintedString:+-TaintedString-+:"); + FormatTainted(System.String.Concat(System.String.Concat(TaintedString, UntaintedString), TaintedString)).Should().Be(":+-TaintedString-+:UntaintedString:+-TaintedString-+:"); } [Fact] @@ -151,8 +151,8 @@ public void GivenAStringConcatThreeParamsWithBoth_WhenPerformed_ResultIsOK() { AssertTaintedFormatWithOriginalCallCheck( ":+-TaintedString-+:UntaintedString:+-OtherTaintedString-+:", - String.Concat(TaintedString, UntaintedString, OtherTaintedString), - () => String.Concat(TaintedString, UntaintedString, OtherTaintedString)); + System.String.Concat(TaintedString, UntaintedString, OtherTaintedString), + () => System.String.Concat(TaintedString, UntaintedString, OtherTaintedString)); } [Fact] @@ -160,18 +160,18 @@ public void GivenAStringConcatThreeParamsWithUntainted_WhenPerformed_ResultIsOK( { AssertTaintedFormatWithOriginalCallCheck( "UntaintedString:+-TaintedString-+:OtherUntaintedString", - String.Concat(UntaintedString, TaintedString, OtherUntaintedString), - () => String.Concat(UntaintedString, TaintedString, OtherUntaintedString)); + System.String.Concat(UntaintedString, TaintedString, OtherUntaintedString), + () => System.String.Concat(UntaintedString, TaintedString, OtherUntaintedString)); } [Fact] public void GivenAStringConcatThreeParamsWithBothJoined_WhenPerformed_ResultIsOK() { - string str = String.Concat(TaintedString, UntaintedString, OtherTaintedString); + string str = System.String.Concat(TaintedString, UntaintedString, OtherTaintedString); AssertTaintedFormatWithOriginalCallCheck( ":+-TaintedString-+:UntaintedString:+-OtherTaintedString-+:OtherUntaintedString", - String.Concat(str, OtherUntaintedString), - () => String.Concat(str, OtherUntaintedString)); + System.String.Concat(str, OtherUntaintedString), + () => System.String.Concat(str, OtherUntaintedString)); } [Fact] @@ -179,8 +179,8 @@ public void GivenAStringConcatFourParam_WithBoth_WhenPerformed_ResultIsOK() { AssertTaintedFormatWithOriginalCallCheck( ":+-TaintedString-+:UntaintedString:+-OtherTaintedString-+:OtherUntaintedString", - String.Concat(TaintedString, UntaintedString, OtherTaintedString, OtherUntaintedString), - () => String.Concat(TaintedString, UntaintedString, OtherTaintedString, OtherUntaintedString)); + System.String.Concat(TaintedString, UntaintedString, OtherTaintedString, OtherUntaintedString), + () => System.String.Concat(TaintedString, UntaintedString, OtherTaintedString, OtherUntaintedString)); } [Fact] @@ -188,102 +188,102 @@ public void GivenAStringConcatFourParamsWithUntainted_WhenPerformed_ResultIsOK() { AssertTaintedFormatWithOriginalCallCheck( "UntaintedString:+-TaintedString-+:OtherUntaintedString:+-OtherTaintedString-+:", - String.Concat(UntaintedString, TaintedString, OtherUntaintedString, OtherTaintedString), - () => String.Concat(UntaintedString, TaintedString, OtherUntaintedString, OtherTaintedString)); + System.String.Concat(UntaintedString, TaintedString, OtherUntaintedString, OtherTaintedString), + () => System.String.Concat(UntaintedString, TaintedString, OtherUntaintedString, OtherTaintedString)); } [Fact] public void GivenAStringConcatFourParamsWithBothJoined_WhenPerformed_ResultIsOK() { - string str = String.Concat(TaintedString, UntaintedString, OtherTaintedString, OtherUntaintedString); + string str = System.String.Concat(TaintedString, UntaintedString, OtherTaintedString, OtherUntaintedString); AssertTaintedFormatWithOriginalCallCheck( ":+-TaintedString-+:UntaintedString:+-OtherTaintedString-+:OtherUntaintedString:+-TaintedString-+:", - String.Concat(str, TaintedString), - () => String.Concat(str, TaintedString)); + System.String.Concat(str, TaintedString), + () => System.String.Concat(str, TaintedString)); } [Fact] public void GivenAStringConcatFourParamsWithBothJoinedInverse_WhenPerformed_ResultIsOK() { - string str = String.Concat(TaintedString, UntaintedString, OtherUntaintedString, UntaintedString); + string str = System.String.Concat(TaintedString, UntaintedString, OtherUntaintedString, UntaintedString); AssertTaintedFormatWithOriginalCallCheck( ":+-TaintedString-+:UntaintedStringOtherUntaintedStringUntaintedString:+-OtherTaintedString-+:", - String.Concat(str, OtherTaintedString), - () => String.Concat(str, OtherTaintedString)); + System.String.Concat(str, OtherTaintedString), + () => System.String.Concat(str, OtherTaintedString)); } [Fact] public void GivenAStringConcatFiveParamsWithBothJoinedWhenPerformed_ResultIsOK() { - string str = String.Concat(TaintedString, UntaintedString, OtherUntaintedString, OtherTaintedString, OtherTaintedString); + string str = System.String.Concat(TaintedString, UntaintedString, OtherUntaintedString, OtherTaintedString, OtherTaintedString); AssertTaintedFormatWithOriginalCallCheck( ":+-TaintedString-+:UntaintedStringOtherUntaintedString:+-OtherTaintedString-+::+-OtherTaintedString-+:OtherUntaintedString", - String.Concat(str, OtherUntaintedString), - () => (String.Concat(str, OtherUntaintedString))); + System.String.Concat(str, OtherUntaintedString), + () => (System.String.Concat(str, OtherUntaintedString))); } [Fact] public void GivenAStringConcatFiveParamsWithBothJoinedInverse_WhenPerformed_ResultIsOK() { - string str = String.Concat(UntaintedString, OtherUntaintedString, TaintedString, OtherTaintedString, OtherUntaintedString); + string str = System.String.Concat(UntaintedString, OtherUntaintedString, TaintedString, OtherTaintedString, OtherUntaintedString); AssertTaintedFormatWithOriginalCallCheck( "UntaintedStringOtherUntaintedString:+-TaintedString-+::+-OtherTaintedString-+:OtherUntaintedStringOtherUntaintedString", - String.Concat(str, OtherUntaintedString), - () => String.Concat(str, OtherUntaintedString)); + System.String.Concat(str, OtherUntaintedString), + () => System.String.Concat(str, OtherUntaintedString)); } [Fact] public void GivenATaintedString_WhenCallingConcatWith2StringParams_ResultIsTainted() { - AssertTaintedFormatWithOriginalCallCheck("concat:+-tainted-+:", String.Concat("concat", taintedValue), () => String.Concat("concat", taintedValue)); + AssertTaintedFormatWithOriginalCallCheck("concat:+-tainted-+:", System.String.Concat("concat", taintedValue), () => System.String.Concat("concat", taintedValue)); } [Fact] public void GivenATaintedString_WhenCallingConcatWith2StringParams_ResultIsTainted2() { - AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:concat", String.Concat(taintedValue, "concat"), () => String.Concat(taintedValue, "concat")); + AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:concat", System.String.Concat(taintedValue, "concat"), () => System.String.Concat(taintedValue, "concat")); } [Fact] public void GivenATaintedString_WhenCallingConcatWith3StringParams_ResultIsTainted() { - AssertTaintedFormatWithOriginalCallCheck(":+-TAINTED2-+:concat:+-tainted-+:", String.Concat(taintedValue2, "concat", taintedValue), () => String.Concat(taintedValue2, "concat", taintedValue)); + AssertTaintedFormatWithOriginalCallCheck(":+-TAINTED2-+:concat:+-tainted-+:", System.String.Concat(taintedValue2, "concat", taintedValue), () => System.String.Concat(taintedValue2, "concat", taintedValue)); } [Fact] public void GivenATaintedString_WhenCallingConcatWith4Params_ResultIsTainted() { - AssertTaintedFormatWithOriginalCallCheck(":+-TAINTED2-+:concat:+-tainted-+:CONCAT2", String.Concat(taintedValue2, "concat", taintedValue, "CONCAT2"), () => String.Concat(taintedValue2, "concat", taintedValue, "CONCAT2")); + AssertTaintedFormatWithOriginalCallCheck(":+-TAINTED2-+:concat:+-tainted-+:CONCAT2", System.String.Concat(taintedValue2, "concat", taintedValue, "CONCAT2"), () => System.String.Concat(taintedValue2, "concat", taintedValue, "CONCAT2")); } [Fact] public void GivenATaintedString_WhenCallingConcatWithStringNullParam_ResultIsTainted() { - AssertTaintedFormatWithOriginalCallCheck("concatCONCAT2:+-TAINTED2-+:", String.Concat("concat", "CONCAT2", null, taintedValue2), () => String.Concat("concat", "CONCAT2", null, taintedValue2)); + AssertTaintedFormatWithOriginalCallCheck("concatCONCAT2:+-TAINTED2-+:", System.String.Concat("concat", "CONCAT2", null, taintedValue2), () => System.String.Concat("concat", "CONCAT2", null, taintedValue2)); } [Fact] public void GivenATaintedString_WhenCallingConcat_ResultIsTainted() { - AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:", String.Concat(taintedValue), () => String.Concat(taintedValue)); + AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:", System.String.Concat(taintedValue), () => System.String.Concat(taintedValue)); } [Fact] public void GivenATaintedString_WhenCallingConcat_ResultIsTainted2() { - AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:", String.Concat(null, taintedValue), () => String.Concat(null, taintedValue)); + AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:", System.String.Concat(null, taintedValue), () => System.String.Concat(null, taintedValue)); } [Fact] public void GivenATaintedString_WhenCallingConcat_ResultIsTainted3() { - AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:", String.Concat(taintedValue, null), () => String.Concat(taintedValue, null)); + AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:", System.String.Concat(taintedValue, null), () => System.String.Concat(taintedValue, null)); } [Fact] public void GivenATaintedString_WhenCallingConcat_ResultIsTainted4() { - AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+::+-tainted-+:", String.Concat(taintedValue, taintedValue, null), () => String.Concat(taintedValue, taintedValue, null)); + AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+::+-tainted-+:", System.String.Concat(taintedValue, taintedValue, null), () => System.String.Concat(taintedValue, taintedValue, null)); } [Fact] @@ -295,13 +295,13 @@ public void GivenATaintedString_WhenCallingConcat_ResultIsTainted5() [Fact] public void GivenANullString_WhenCallingConcat_ResultIsEmpty() { - Assert.Throws(() => String.Concat(null)); + Assert.Throws(() => System.String.Concat(null)); } [Fact] public void Given2NullStrings_WhenCallingConcat_ResultIsEmpty() { - String.Concat(null, null).Should().BeEmpty(); + System.String.Concat(null, null).Should().BeEmpty(); } //Literals @@ -309,25 +309,25 @@ public void Given2NullStrings_WhenCallingConcat_ResultIsEmpty() [Fact] public void GivenStringLiteralsOptimizations_WhenConcat_ResultIsNotTainted() { - AssertNotTainted(String.Concat("Literal1", "Literal2")); + AssertNotTainted(System.String.Concat("Literal1", "Literal2")); } [Fact] public void GivenStringLiteralsOptimizations_WhenConcat3Literals_ResultIsNotTainted() { - AssertNotTainted(String.Concat("Literal1", "Literal2", "Literal3")); + AssertNotTainted(System.String.Concat("Literal1", "Literal2", "Literal3")); } [Fact] public void GivenStringLiteralsOptimizations_WhenConcat4Literals_ResultIsNotTainted() { - AssertNotTainted(String.Concat("Literal1", "Literal2", "Literal3", "Literal4")); + AssertNotTainted(System.String.Concat("Literal1", "Literal2", "Literal3", "Literal4")); } [Fact] public void GivenStringLiteralsOptimizations_WhenConcat5Literals_ResultIsNotTainted() { - AssertNotTainted(String.Concat("Literal1", "Literal2", "Literal3", "Literal4", "Literal5")); + AssertNotTainted(System.String.Concat("Literal1", "Literal2", "Literal3", "Literal4", "Literal5")); } [Fact] @@ -363,8 +363,8 @@ public void GivenStringConcatObjectWithTainted_WhenConcat_ResultISTainted() { AssertTaintedFormatWithOriginalCallCheck( "This is a tainted literal :+-TaintedObject-+:", - String.Concat("This is a tainted literal ", TaintedObject), - () => String.Concat("This is a tainted literal ", TaintedObject)); + System.String.Concat("This is a tainted literal ", TaintedObject), + () => System.String.Concat("This is a tainted literal ", TaintedObject)); } [Fact] @@ -372,8 +372,8 @@ public void GivenStringConcatObjectWithBoth_WhenConcat_ResultISTainted() { AssertTaintedFormatWithOriginalCallCheck( ":+-TaintedObject-+:UntaintedObject", - String.Concat(TaintedObject, UntaintedObject), - () => String.Concat(TaintedObject, UntaintedObject)); + System.String.Concat(TaintedObject, UntaintedObject), + () => System.String.Concat(TaintedObject, UntaintedObject)); } [Fact] @@ -381,8 +381,8 @@ public void GivenStringConcatObjectWithBothJoined_WhenConcat_ResultISTainted() { AssertTaintedFormatWithOriginalCallCheck( ":+-TaintedObject-+:UntaintedObject:+-TaintedObject-+:", - String.Concat(String.Concat(TaintedObject, UntaintedObject), TaintedObject), - () => String.Concat(String.Concat(TaintedObject, UntaintedObject), TaintedObject)); + System.String.Concat(System.String.Concat(TaintedObject, UntaintedObject), TaintedObject), + () => System.String.Concat(System.String.Concat(TaintedObject, UntaintedObject), TaintedObject)); } [Fact] @@ -390,8 +390,8 @@ public void GivenStringConcatObjectThreeParamsWithBoth_WhenConcat_ResultISTainte { AssertTaintedFormatWithOriginalCallCheck( ":+-TaintedObject-+:UntaintedObject:+-OtherTaintedObject-+:", - String.Concat(TaintedObject, UntaintedObject, OtherTaintedObject), - () => String.Concat(TaintedObject, UntaintedObject, OtherTaintedObject)); + System.String.Concat(TaintedObject, UntaintedObject, OtherTaintedObject), + () => System.String.Concat(TaintedObject, UntaintedObject, OtherTaintedObject)); } [Fact] @@ -399,18 +399,18 @@ public void GivenStringConcatObjectThreeParamsWithUntainted_WhenConcat_ResultIST { AssertTaintedFormatWithOriginalCallCheck( "UntaintedObject:+-TaintedObject-+:OtherUntaintedObject", - String.Concat(UntaintedObject, TaintedObject, OtherUntaintedObject), - () => String.Concat(UntaintedObject, TaintedObject, OtherUntaintedObject)); + System.String.Concat(UntaintedObject, TaintedObject, OtherUntaintedObject), + () => System.String.Concat(UntaintedObject, TaintedObject, OtherUntaintedObject)); } [Fact] public void GivenStringConcatObjectThreeParamsWithBothJoined_WhenConcat_ResultIsTainted() { - string str = String.Concat(TaintedObject, UntaintedObject, OtherTaintedObject); + string str = System.String.Concat(TaintedObject, UntaintedObject, OtherTaintedObject); AssertTaintedFormatWithOriginalCallCheck( ":+-TaintedObject-+:UntaintedObject:+-OtherTaintedObject-+:OtherUntaintedObject", - String.Concat(str, OtherUntaintedObject), - () => String.Concat(str, OtherUntaintedObject)); + System.String.Concat(str, OtherUntaintedObject), + () => System.String.Concat(str, OtherUntaintedObject)); } [Fact] @@ -418,8 +418,8 @@ public void GivenStringConcatObjectFourParamsWithBoth_WhenConcat_ResultIsTainted { AssertTaintedFormatWithOriginalCallCheck( ":+-TaintedObject-+:UntaintedObject:+-OtherTaintedObject-+:OtherUntaintedObject", - String.Concat(TaintedObject, UntaintedObject, OtherTaintedObject, OtherUntaintedObject), - () => String.Concat(TaintedObject, UntaintedObject, OtherTaintedObject, OtherUntaintedObject)); + System.String.Concat(TaintedObject, UntaintedObject, OtherTaintedObject, OtherUntaintedObject), + () => System.String.Concat(TaintedObject, UntaintedObject, OtherTaintedObject, OtherUntaintedObject)); } @@ -428,78 +428,78 @@ public void GivenStringConcatObjectFourParamsWithUntainted_WhenConcat_ResultIsTa { AssertTaintedFormatWithOriginalCallCheck( "UntaintedObject:+-TaintedObject-+:OtherUntaintedObject:+-OtherTaintedObject-+:", - String.Concat(UntaintedObject, TaintedObject, OtherUntaintedObject, OtherTaintedObject), - () => String.Concat(UntaintedObject, TaintedObject, OtherUntaintedObject, OtherTaintedObject)); + System.String.Concat(UntaintedObject, TaintedObject, OtherUntaintedObject, OtherTaintedObject), + () => System.String.Concat(UntaintedObject, TaintedObject, OtherUntaintedObject, OtherTaintedObject)); } [Fact] public void GivenStringConcatObjectFourParamsWithBothJoined_WhenConcat_ResultIsTainted() { - string str = String.Concat(TaintedObject, UntaintedObject, OtherTaintedObject, OtherUntaintedObject); + string str = System.String.Concat(TaintedObject, UntaintedObject, OtherTaintedObject, OtherUntaintedObject); AssertTaintedFormatWithOriginalCallCheck( ":+-TaintedObject-+:UntaintedObject:+-OtherTaintedObject-+:OtherUntaintedObject:+-TaintedObject-+:", - String.Concat(str, TaintedObject), - () => String.Concat(str, TaintedObject)); + System.String.Concat(str, TaintedObject), + () => System.String.Concat(str, TaintedObject)); } [Fact] public void GivenStringConcatObjectFourParamsWithBothJoinedInverse_WhenConcat_ResultIsTainted() { - string str = String.Concat(TaintedObject, UntaintedObject, OtherUntaintedObject, UntaintedObject); + string str = System.String.Concat(TaintedObject, UntaintedObject, OtherUntaintedObject, UntaintedObject); AssertTaintedFormatWithOriginalCallCheck( ":+-TaintedObject-+:UntaintedObjectOtherUntaintedObjectUntaintedObject:+-OtherTaintedObject-+:", - String.Concat(str, OtherTaintedObject), - () => String.Concat(str, OtherTaintedObject)); + System.String.Concat(str, OtherTaintedObject), + () => System.String.Concat(str, OtherTaintedObject)); } [Fact] public void GivenStringConcatObjectFiveParamsWithBothJoined_WhenConcat_ResultIsTainted() { - string str = String.Concat(TaintedObject, UntaintedObject, OtherUntaintedObject, OtherTaintedObject, OtherTaintedObject); + string str = System.String.Concat(TaintedObject, UntaintedObject, OtherUntaintedObject, OtherTaintedObject, OtherTaintedObject); AssertTaintedFormatWithOriginalCallCheck( ":+-TaintedObject-+:UntaintedObjectOtherUntaintedObject:+-OtherTaintedObject-+::+-OtherTaintedObject-+:OtherUntaintedObject", - String.Concat(str, OtherUntaintedObject), - () => String.Concat(str, OtherUntaintedObject)); + System.String.Concat(str, OtherUntaintedObject), + () => System.String.Concat(str, OtherUntaintedObject)); } [Fact] public void GivenStringConcatObjectFiveParamsWithBothJoinedInverse_WhenConcat_ResultIsTainted() { - string str = String.Concat(UntaintedObject, OtherUntaintedObject, TaintedObject, OtherTaintedObject, OtherUntaintedObject); + string str = System.String.Concat(UntaintedObject, OtherUntaintedObject, TaintedObject, OtherTaintedObject, OtherUntaintedObject); AssertTaintedFormatWithOriginalCallCheck( "UntaintedObjectOtherUntaintedObject:+-TaintedObject-+::+-OtherTaintedObject-+:OtherUntaintedObjectOtherUntaintedObject", - String.Concat(str, OtherUntaintedObject), - () => String.Concat(str, OtherUntaintedObject)); + System.String.Concat(str, OtherUntaintedObject), + () => System.String.Concat(str, OtherUntaintedObject)); } [Fact] public void GivenATaintedObject_WhenCallingConcatWith2ObjectParams_ResultIsTainted() { - AssertTaintedFormatWithOriginalCallCheck("concat:+-tainted-+:", String.Concat((object)"concat", taintedValue), () => String.Concat((object)"concat", taintedValue)); + AssertTaintedFormatWithOriginalCallCheck("concat:+-tainted-+:", System.String.Concat((object)"concat", taintedValue), () => System.String.Concat((object)"concat", taintedValue)); } [Fact] public void GivenATaintedObject_WhenCallingConcatWith2ObjectParams_ResultIsTainted2() { - AssertTaintedFormatWithOriginalCallCheck("concat:+-tainted-+:", String.Concat("concat", (object)taintedValue), () => String.Concat("concat", (object)taintedValue)); + AssertTaintedFormatWithOriginalCallCheck("concat:+-tainted-+:", System.String.Concat("concat", (object)taintedValue), () => System.String.Concat("concat", (object)taintedValue)); } [Fact] public void GivenATaintedObject_WhenCallingConcatWith3ObjectParams_ResultIsTainted() { - AssertTaintedFormatWithOriginalCallCheck(":+-TAINTED2-+:concat:+-tainted-+:", String.Concat(taintedValue2, (object)"concat", taintedValue), () => String.Concat(taintedValue2, (object)"concat", taintedValue)); + AssertTaintedFormatWithOriginalCallCheck(":+-TAINTED2-+:concat:+-tainted-+:", System.String.Concat(taintedValue2, (object)"concat", taintedValue), () => System.String.Concat(taintedValue2, (object)"concat", taintedValue)); } [Fact] public void GivenATaintedObject_WhenCallingConcatWith4ObjectParams_ResultIsTainted() { - AssertTaintedFormatWithOriginalCallCheck(":+-TAINTED2-+:concat:+-tainted-+:concat2", String.Concat(taintedValue2, (object)"concat", taintedValue, (object)"concat2"), () => String.Concat(taintedValue2, (object)"concat", taintedValue, (object)"concat2")); + AssertTaintedFormatWithOriginalCallCheck(":+-TAINTED2-+:concat:+-tainted-+:concat2", System.String.Concat(taintedValue2, (object)"concat", taintedValue, (object)"concat2"), () => System.String.Concat(taintedValue2, (object)"concat", taintedValue, (object)"concat2")); } [Fact] public void GivenAnObjectList_WhenConcat_ResultIsOk() { - AssertTaintedFormatWithOriginalCallCheck("123:+-TaintedObject-+:", String.Concat(new List { 1, 2, 3, TaintedObject }), () => String.Concat(new List { 1, 2, 3, TaintedObject })); + AssertTaintedFormatWithOriginalCallCheck("123:+-TaintedObject-+:", System.String.Concat(new List { 1, 2, 3, TaintedObject }), () => System.String.Concat(new List { 1, 2, 3, TaintedObject })); } // structs and built-in types @@ -507,40 +507,40 @@ public void GivenAnObjectList_WhenConcat_ResultIsOk() [Fact] public void Given_StringConcatGenericStruct_WhenConcat_ResultIsTainted() { - string str = String.Concat(new List { new StructForStringTest(UntaintedString), new StructForStringTest(TaintedString) }); + string str = System.String.Concat(new List { new StructForStringTest(UntaintedString), new StructForStringTest(TaintedString) }); FormatTainted(str).Should().Be("UntaintedString:+-TaintedString-+:"); } [Fact] public void GivenATaintedStringInStruct_WhenCallingConcat_ResultIsTainted() { - AssertTaintedFormatWithOriginalCallCheck("UntaintedString:+-tainted-+:", String.Concat(new List { new StructForStringTest("UntaintedString"), new StructForStringTest(taintedValue) }), () => String.Concat(new List { new StructForStringTest("UntaintedString"), new StructForStringTest(taintedValue) })); + AssertTaintedFormatWithOriginalCallCheck("UntaintedString:+-tainted-+:", System.String.Concat(new List { new StructForStringTest("UntaintedString"), new StructForStringTest(taintedValue) }), () => System.String.Concat(new List { new StructForStringTest("UntaintedString"), new StructForStringTest(taintedValue) })); } [Fact] public void GivenANullStruct_WhenCallingConcat_ResultIsEmpty() { - String.Concat(new List { null }).Should().Be(string.Empty); + System.String.Concat(new List { null }).Should().Be(string.Empty); } [Fact] public void GivenAnIntList_WhenConcat_ResultIsOk() { - string str = String.Concat(new List { 1, 2, 3}); + string str = System.String.Concat(new List { 1, 2, 3}); str.Should().Be("123"); } [Fact] public void GivenAnIntList_WhenConcat_ResultIsOk2() { - string str = String.Concat(new List { 1, 2, null, 3 }); + string str = System.String.Concat(new List { 1, 2, null, 3 }); str.Should().Be("123"); } [Fact] public void GivenAnCharList_WhenConcat_ResultIsOk2() { - string str = String.Concat(new List { '1', '2', null, '3' }); + string str = System.String.Concat(new List { '1', '2', null, '3' }); str.Should().Be("123"); } @@ -550,28 +550,28 @@ public void GivenAnCharList_WhenConcat_ResultIsOk2() public void GivenATaintedStringInClassList_WhenCallingConcat_ResultIsTainted2() { AssertTaintedFormatWithOriginalCallCheck("UntaintedString:+-TaintedString-+:", - String.Concat(new List { new ClassForStringTest(UntaintedString), new ClassForStringTest(TaintedString) }), - () => String.Concat(new List { new ClassForStringTest(UntaintedString), new ClassForStringTest(TaintedString) })); + System.String.Concat(new List { new ClassForStringTest(UntaintedString), new ClassForStringTest(TaintedString) }), + () => System.String.Concat(new List { new ClassForStringTest(UntaintedString), new ClassForStringTest(TaintedString) })); } [Fact] public void GivenATaintedStringInClassArray_WhenCallingConcat_ResultIsTainted2() { AssertTaintedFormatWithOriginalCallCheck("UntaintedString:+-tainted-+:", - String.Concat(new ClassForStringTest[] { new ClassForStringTest("UntaintedString"), new ClassForStringTest(taintedValue) }), - () => String.Concat(new List { new ClassForStringTest("UntaintedString"), new ClassForStringTest(taintedValue) })); + System.String.Concat(new ClassForStringTest[] { new ClassForStringTest("UntaintedString"), new ClassForStringTest(taintedValue) }), + () => System.String.Concat(new List { new ClassForStringTest("UntaintedString"), new ClassForStringTest(taintedValue) })); } [Fact] public void GivenATaintedStringInStruct_WhenCallingConcat_ResultIsTainted3() { - AssertTaintedFormatWithOriginalCallCheck("UntaintedString:+-tainted-+:", String.Concat(new List { new ClassForStringTest("UntaintedString"), new ClassForStringTest(taintedValue) }), () => String.Concat(new List { new ClassForStringTest("UntaintedString"), new ClassForStringTest(taintedValue) })); + AssertTaintedFormatWithOriginalCallCheck("UntaintedString:+-tainted-+:", System.String.Concat(new List { new ClassForStringTest("UntaintedString"), new ClassForStringTest(taintedValue) }), () => System.String.Concat(new List { new ClassForStringTest("UntaintedString"), new ClassForStringTest(taintedValue) })); } [Fact] public void GivenANullInList_WhenCallingConcat_ResultIsTainted4() { - String.Concat(new List { null }).Should().Be(string.Empty); + System.String.Concat(new List { null }).Should().Be(string.Empty); } // string enumerables @@ -579,31 +579,31 @@ public void GivenANullInList_WhenCallingConcat_ResultIsTainted4() [Fact] public void GivenATaintedObject_WhenCallingConcatWithStringArrayParam_ResultIsTainted() { - AssertTaintedFormatWithOriginalCallCheck("concatCONCAT2:+-tainted-+::+-TAINTED2-+:", String.Concat(new string[] { "concat", "CONCAT2", taintedValue, taintedValue2 }), () => String.Concat(new string[] { "concat", "CONCAT2", taintedValue, taintedValue2 })); + AssertTaintedFormatWithOriginalCallCheck("concatCONCAT2:+-tainted-+::+-TAINTED2-+:", System.String.Concat(new string[] { "concat", "CONCAT2", taintedValue, taintedValue2 }), () => System.String.Concat(new string[] { "concat", "CONCAT2", taintedValue, taintedValue2 })); } [Fact] public void GivenATaintedString_WhenCallingConcatWithStringIEnumerableStringParam_ResultIsTainted() { - AssertTaintedFormatWithOriginalCallCheck("concatCONCAT2:+-tainted-+::+-TAINTED2-+:", String.Concat(new List { "concat", "CONCAT2", taintedValue, taintedValue2 }), () => String.Concat(new List { "concat", "CONCAT2", taintedValue, taintedValue2 })); + AssertTaintedFormatWithOriginalCallCheck("concatCONCAT2:+-tainted-+::+-TAINTED2-+:", System.String.Concat(new List { "concat", "CONCAT2", taintedValue, taintedValue2 }), () => System.String.Concat(new List { "concat", "CONCAT2", taintedValue, taintedValue2 })); } [Fact] public void GivenATaintedString_WhenCallingConcatWithStringIEnumerableNullParam_ResultIsTainted() { - AssertTaintedFormatWithOriginalCallCheck("concatCONCAT2:+-TAINTED2-+:", String.Concat(new List { "concat", "CONCAT2", null, taintedValue2 }), () => String.Concat(new List { "concat", "CONCAT2", null, taintedValue2 })); + AssertTaintedFormatWithOriginalCallCheck("concatCONCAT2:+-TAINTED2-+:", System.String.Concat(new List { "concat", "CONCAT2", null, taintedValue2 }), () => System.String.Concat(new List { "concat", "CONCAT2", null, taintedValue2 })); } [Fact] public void GivenATaintedString_WhenCallingConcatWithStringIEnumerableStringParam_ResultIsTainted2() { - AssertTaintedFormatWithOriginalCallCheck("concatCONCAT2:+-tainted-+::+-TAINTED2-+:", String.Concat(new List { "concat", "CONCAT2", taintedValue, taintedValue2 }), () => String.Concat(new List { "concat", "CONCAT2", taintedValue, taintedValue2 })); + AssertTaintedFormatWithOriginalCallCheck("concatCONCAT2:+-tainted-+::+-TAINTED2-+:", System.String.Concat(new List { "concat", "CONCAT2", taintedValue, taintedValue2 }), () => System.String.Concat(new List { "concat", "CONCAT2", taintedValue, taintedValue2 })); } [Fact] public void GivenATaintedString_WhenCallingConcatWithStringArrayNullParam_ResultIsTainted() { - AssertTaintedFormatWithOriginalCallCheck("concatCONCAT2:+-TAINTED2-+:", String.Concat(new string[] { "concat", "CONCAT2", null, taintedValue2 }), () => String.Concat(new string[] { "concat", "CONCAT2", null, taintedValue2 })); + AssertTaintedFormatWithOriginalCallCheck("concatCONCAT2:+-TAINTED2-+:", System.String.Concat(new string[] { "concat", "CONCAT2", null, taintedValue2 }), () => System.String.Concat(new string[] { "concat", "CONCAT2", null, taintedValue2 })); } // object enumerables @@ -611,39 +611,39 @@ public void GivenATaintedString_WhenCallingConcatWithStringArrayNullParam_Result [Fact] public void GivenATaintedString_WhenCallingConcatWithObjectArrayParam_ResultIsTainted() { - AssertTaintedFormatWithOriginalCallCheck("concatconcat2:+-tainted-+::+-TAINTED2-+:", String.Concat(new object[] { "concat", "concat2", taintedValue, taintedValue2 }), () => String.Concat(new object[] { "concat", "concat2", taintedValue, taintedValue2 })); + AssertTaintedFormatWithOriginalCallCheck("concatconcat2:+-tainted-+::+-TAINTED2-+:", System.String.Concat(new object[] { "concat", "concat2", taintedValue, taintedValue2 }), () => System.String.Concat(new object[] { "concat", "concat2", taintedValue, taintedValue2 })); } [Fact] public void GivenATaintedObject_WhenCallingConcatWithObjectListParam_ResultIsTainted() { - AssertTaintedFormatWithOriginalCallCheck("concatconcat2:+-tainted-+::+-TAINTED2-+:", String.Concat(new List { "concat", "concat2", taintedValue, taintedValue2 }), () => String.Concat(new List { "concat", "concat2", taintedValue, taintedValue2 })); + AssertTaintedFormatWithOriginalCallCheck("concatconcat2:+-tainted-+::+-TAINTED2-+:", System.String.Concat(new List { "concat", "concat2", taintedValue, taintedValue2 }), () => System.String.Concat(new List { "concat", "concat2", taintedValue, taintedValue2 })); } [Fact] public void GivenATaintedObject_WhenCallingConcatWithGenericObjectArrayParam_ResultIsTainted() { - AssertTaintedFormatWithOriginalCallCheck("concatconcat2:+-tainted-+::+-TAINTED2-+:", String.Concat(new object[] { "concat", "concat2", taintedValue, taintedValue2 }), () => String.Concat(new object[] { "concat", "concat2", taintedValue, taintedValue2 })); + AssertTaintedFormatWithOriginalCallCheck("concatconcat2:+-tainted-+::+-TAINTED2-+:", System.String.Concat(new object[] { "concat", "concat2", taintedValue, taintedValue2 }), () => System.String.Concat(new object[] { "concat", "concat2", taintedValue, taintedValue2 })); } [Fact] public void GivenATaintedObject_WhenCallingConcatWithGenericObjectListParam_ResultIsTainted() { - AssertTaintedFormatWithOriginalCallCheck("concatconcat2:+-tainted-+::+-TAINTED2-+:", String.Concat(new List { "concat", "concat2", taintedValue, taintedValue2 }), () => String.Concat(new List { "concat", "concat2", taintedValue, taintedValue2 })); + AssertTaintedFormatWithOriginalCallCheck("concatconcat2:+-tainted-+::+-TAINTED2-+:", System.String.Concat(new List { "concat", "concat2", taintedValue, taintedValue2 }), () => System.String.Concat(new List { "concat", "concat2", taintedValue, taintedValue2 })); } [Fact] public void GivenAListOfObjects_WhenCallingConcat_ThenNoExceptionIsThrown() { - AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:4str2", String.Concat(taintedValue, 4, null, "str2"), () => String.Concat(taintedValue, 4, null, "str2")); + AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:4str2", System.String.Concat(taintedValue, 4, null, "str2"), () => System.String.Concat(taintedValue, 4, null, "str2")); } [Fact] public void GivenAListOfStrings_WhenCallingConcat_ThenNoExceptionIsThrown() { - AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:str2", String.Concat(taintedValue, null, "str2"), () => String.Concat(taintedValue, null, "str2")); + AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:str2", System.String.Concat(taintedValue, null, "str2"), () => System.String.Concat(taintedValue, null, "str2")); } [Fact] @@ -660,7 +660,7 @@ public void GivenAnArrayOfObjectsWithFirstNullArgument_WhenCalling_Concat_Result obj[2] = testString2; obj[3] = testString3; - AssertTaintedFormatWithOriginalCallCheck(":+-01-+::+-abc-+::+-ABCD-+:", String.Concat(obj), () => String.Concat(obj)); + AssertTaintedFormatWithOriginalCallCheck(":+-01-+::+-abc-+::+-ABCD-+:", System.String.Concat(obj), () => System.String.Concat(obj)); } [Fact] @@ -677,7 +677,7 @@ public void GivenAnArrayOfObjectsWithOneNullArgument_WhenCalling_Concat_ResultIs obj[2] = null; obj[3] = testString3; - AssertTaintedFormatWithOriginalCallCheck(":+-abc-+::+-01-+::+-ABCD-+:", String.Concat(obj), () => String.Concat(obj)); + AssertTaintedFormatWithOriginalCallCheck(":+-abc-+::+-01-+::+-ABCD-+:", System.String.Concat(obj), () => System.String.Concat(obj)); } [Fact] @@ -692,7 +692,7 @@ public void GivenAnArrayOfObjectsWithOneNotNullArgument_WhenCalling_Concat_Resul obj[2] = null; obj[3] = null; - AssertTaintedFormatWithOriginalCallCheck(":+-01-+:", String.Concat(obj), () => String.Concat(obj)); + AssertTaintedFormatWithOriginalCallCheck(":+-01-+:", System.String.Concat(obj), () => System.String.Concat(obj)); } [Fact] @@ -705,7 +705,7 @@ public void GivenAnArrayOfObjectsWithAllNullArguments_WhenCalling_Concat_ResultI obj[2] = null; obj[3] = null; - String.Concat(obj).Should().BeEmpty(); + System.String.Concat(obj).Should().BeEmpty(); } } diff --git a/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/String/StringCopyTests.cs b/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Propagation/String/StringCopyTests.cs similarity index 65% rename from tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/String/StringCopyTests.cs rename to tracer/test/test-applications/integrations/Samples.InstrumentedTests/Propagation/String/StringCopyTests.cs index a4cc794bff0b..cc6569a6dbc3 100644 --- a/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/String/StringCopyTests.cs +++ b/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Propagation/String/StringCopyTests.cs @@ -1,7 +1,7 @@ using System; using Xunit; -namespace Samples.InstrumentedTests.Iast.Vulnerabilities.StringPropagation; +namespace Samples.InstrumentedTests.Iast.Propagation.String; #pragma warning disable CS0618 // Obsolete public class StringCopyTests : InstrumentationTestsBase @@ -17,19 +17,19 @@ public StringCopyTests() [Fact] public void GivenATaintedObject_WhenCallingCopy_ResultIsTainted() { - AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:", String.Copy(taintedValue), () => String.Copy(taintedValue)); + AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:", System.String.Copy(taintedValue), () => System.String.Copy(taintedValue)); } [Fact] public void GivenAUntaintedObject_WhenCallingCopy_ResultIsNotTainted() { - AssertUntaintedWithOriginalCallCheck(() => String.Copy(UntaintedString), () => String.Copy(UntaintedString)); + AssertUntaintedWithOriginalCallCheck(() => System.String.Copy(UntaintedString), () => System.String.Copy(UntaintedString)); } [Fact] public void GivenATaintedObject_WhenCallingCopyWithNull_ArgumentNullException() { - AssertUntaintedWithOriginalCallCheck(() => String.Copy(null), () => String.Copy(null)); + AssertUntaintedWithOriginalCallCheck(() => System.String.Copy(null), () => System.String.Copy(null)); } } #pragma warning restore CS0618 // Obsolete diff --git a/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/String/StringFormatTests.cs b/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Propagation/String/StringFormatTests.cs similarity index 56% rename from tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/String/StringFormatTests.cs rename to tracer/test/test-applications/integrations/Samples.InstrumentedTests/Propagation/String/StringFormatTests.cs index 12e23632c57f..dd0fa8e42f19 100644 --- a/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/String/StringFormatTests.cs +++ b/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Propagation/String/StringFormatTests.cs @@ -2,7 +2,7 @@ using System.Text; using Xunit; -namespace Samples.InstrumentedTests.Iast.Vulnerabilities.StringPropagation; +namespace Samples.InstrumentedTests.Iast.Propagation.String; public class StringFormatTests : InstrumentationTestsBase { private string _taintedValue = "tainted"; @@ -28,24 +28,24 @@ public StringFormatTests() public void GivenATaintedObject_WhenCallingFormatWithProvider_ResultIsTainted() { AssertTaintedFormatWithOriginalCallCheck(":+-test: taintedcustomformat-+:", - String.Format(new FormatProviderForTest(), "test: {0}", new object[] { _taintedValue }), - () => String.Format(new FormatProviderForTest(), "test: {0}", new object[] { _taintedValue })); + System.String.Format(new FormatProviderForTest(), "test: {0}", new object[] { _taintedValue }), + () => System.String.Format(new FormatProviderForTest(), "test: {0}", new object[] { _taintedValue })); } [Fact] public void GivenATaintedObject_WhenCallingFormatWithProvider_ResultIsTainted2() { AssertTaintedFormatWithOriginalCallCheck(":+-formatUntaintedStringcustomformatTAINTED2customformat-+:", - String.Format(new FormatProviderForTest(), _taintedFormat2Args, new object[] { _untaintedString, _taintedValue2 }), - () => String.Format(new FormatProviderForTest(), _taintedFormat2Args, new object[] { _untaintedString, _taintedValue2 })); + System.String.Format(new FormatProviderForTest(), _taintedFormat2Args, new object[] { _untaintedString, _taintedValue2 }), + () => System.String.Format(new FormatProviderForTest(), _taintedFormat2Args, new object[] { _untaintedString, _taintedValue2 })); } [Fact] public void GivenATaintedObject_WhenCallingFormatWithProvider_ResultIsTainted8() { AssertTaintedFormatWithOriginalCallCheck(":+-formatUntaintedStringcustomformatUntaintedStringcustomformat-+:", - String.Format(new FormatProviderForTest(), _taintedFormat2Args, new object[] { _untaintedString, _untaintedString }), - () => String.Format(new FormatProviderForTest(), _taintedFormat2Args, new object[] { _untaintedString, _untaintedString })); + System.String.Format(new FormatProviderForTest(), _taintedFormat2Args, new object[] { _untaintedString, _untaintedString }), + () => System.String.Format(new FormatProviderForTest(), _taintedFormat2Args, new object[] { _untaintedString, _untaintedString })); } [Fact] @@ -53,16 +53,16 @@ public void GivenATaintedObject_WhenCallingFormatWithProvider_ResultIsTainted3() { string str = "Literal with tainteds {0}{1} and untainted {2} and tainted {3} and another untainted {4}"; AssertTaintedFormatWithOriginalCallCheck(":+-Literal with tainteds taintedcustomformatTAINTED2customformat and untainted UntaintedStringcustomformat and tainted TAINTED2customformat and another untainted OtherUntaintedStringcustomformat-+:", - String.Format(new FormatProviderForTest(), str, _taintedValue, _taintedValue2, _untaintedString, _taintedValue2, _otherUntaintedString), - () => String.Format(new FormatProviderForTest(), str, _taintedValue, _taintedValue2, _untaintedString, _taintedValue2, _otherUntaintedString)); + System.String.Format(new FormatProviderForTest(), str, _taintedValue, _taintedValue2, _untaintedString, _taintedValue2, _otherUntaintedString), + () => System.String.Format(new FormatProviderForTest(), str, _taintedValue, _taintedValue2, _untaintedString, _taintedValue2, _otherUntaintedString)); } [Fact] public void GivenATaintedObject_WhenCallingFormatWithProvider_ResultIsTainted13() { AssertTaintedFormatWithOriginalCallCheck(":+-formatwwcustomformat-+:", - String.Format(new FormatProviderForTest(), _taintedFormat1Arg, new object[] { "ww" }), - () => String.Format(new FormatProviderForTest(), _taintedFormat1Arg, new object[] { "ww" })); + System.String.Format(new FormatProviderForTest(), _taintedFormat1Arg, new object[] { "ww" }), + () => System.String.Format(new FormatProviderForTest(), _taintedFormat1Arg, new object[] { "ww" })); } // Testing public static string Format(IFormatProvider provider, string format, object arg0, object arg1) @@ -71,8 +71,8 @@ public void GivenATaintedObject_WhenCallingFormatWithProvider_ResultIsTainted13( public void GivenATaintedObject_WhenCallingFormatWithProvider_ResultIsTainted4() { AssertTaintedFormatWithOriginalCallCheck(":+-formattaintedcustomformatTAINTED2customformat-+:", - String.Format(new FormatProviderForTest(), _taintedFormat2Args, _taintedValue, _taintedValue2), - () => String.Format(new FormatProviderForTest(), _taintedFormat2Args, _taintedValue, _taintedValue2)); + System.String.Format(new FormatProviderForTest(), _taintedFormat2Args, _taintedValue, _taintedValue2), + () => System.String.Format(new FormatProviderForTest(), _taintedFormat2Args, _taintedValue, _taintedValue2)); } [Fact] @@ -80,16 +80,16 @@ public void GivenATaintedObject_WhenCallingFormatWithProvider_ResultIsTainted5() { Customer customer = new Customer(_taintedValue, 999654); AssertTaintedFormatWithOriginalCallCheck(":+-Tainted literal equals to tainted and number 0000-999-654-+:", - String.Format(new CustomerNumberFormatter(), "Tainted literal equals to {0} and number {1}", customer.Name, customer.CustomerNumber), - () => String.Format(new CustomerNumberFormatter(), "Tainted literal equals to {0} and number {1}", customer.Name, customer.CustomerNumber)); + System.String.Format(new CustomerNumberFormatter(), "Tainted literal equals to {0} and number {1}", customer.Name, customer.CustomerNumber), + () => System.String.Format(new CustomerNumberFormatter(), "Tainted literal equals to {0} and number {1}", customer.Name, customer.CustomerNumber)); } [Fact] public void GivenATaintedObject_WhenCallingFormatWithProvider_ResultIsTainted14() { AssertTaintedFormatWithOriginalCallCheck(":+-formatwwcustomformatwwcustomformat-+:", - String.Format(new FormatProviderForTest(), _taintedFormat2Args, "ww", "ww"), - () => String.Format(new FormatProviderForTest(), _taintedFormat2Args, "ww", "ww")); + System.String.Format(new FormatProviderForTest(), _taintedFormat2Args, "ww", "ww"), + () => System.String.Format(new FormatProviderForTest(), _taintedFormat2Args, "ww", "ww")); } // Testing public static string Format(IFormatProvider provider, string format, object arg0) @@ -98,32 +98,32 @@ public void GivenATaintedObject_WhenCallingFormatWithProvider_ResultIsTainted14( public void GivenATaintedObject_WhenCallingFormatWithProvider_ResultIsTainted6() { AssertTaintedFormatWithOriginalCallCheck(":+-formattaintedcustomformat-+:", - String.Format(new FormatProviderForTest(), "format{0}", _taintedValue), - () => String.Format(new FormatProviderForTest(), "format{0}", _taintedValue)); + System.String.Format(new FormatProviderForTest(), "format{0}", _taintedValue), + () => System.String.Format(new FormatProviderForTest(), "format{0}", _taintedValue)); } [Fact] public void GivenATaintedObject_WhenCallingFormatWithProvider_ResultIsTainted15() { AssertTaintedFormatWithOriginalCallCheck(":+-formatwwcustomformat-+:", - String.Format(new FormatProviderForTest(), _taintedFormat1Arg, "ww"), - () => String.Format(new FormatProviderForTest(), _taintedFormat1Arg, "ww")); + System.String.Format(new FormatProviderForTest(), _taintedFormat1Arg, "ww"), + () => System.String.Format(new FormatProviderForTest(), _taintedFormat1Arg, "ww")); } [Fact] public void GivenATaintedObject_WhenCallingFormatWithProvider_ResultIsTainted7() { AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:", - String.Format(null, _taintedValue, _taintedValue2), - () => String.Format(null, _taintedValue, _taintedValue2)); + System.String.Format(null, _taintedValue, _taintedValue2), + () => System.String.Format(null, _taintedValue, _taintedValue2)); } [Fact] public void GivenATaintedFormatObject_WhenCallingFormatWithNullParams_FormatException() { AssertUntaintedWithOriginalCallCheck( - () => String.Format(null, null, "r"), - () => String.Format(null, null, "r")); + () => System.String.Format(null, null, "r"), + () => System.String.Format(null, null, "r")); } // Testing public static string Format(IFormatProvider provider, string format, object arg0, object arg1, object arg2) @@ -132,40 +132,40 @@ public void GivenATaintedFormatObject_WhenCallingFormatWithNullParams_FormatExce public void GivenATaintedObject_WhenCallingFormatWithProvider_ResultIsTainted9() { AssertTaintedFormatWithOriginalCallCheck(":+-formattaintedcustomformat TAINTED2customformat TAINTED2customformat-+:", - String.Format(new FormatProviderForTest(), "format{0} {1} {2}", _taintedValue, _taintedValue2, _taintedValue2), - () => String.Format(new FormatProviderForTest(), "format{0} {1} {2}", _taintedValue, _taintedValue2, _taintedValue2)); + System.String.Format(new FormatProviderForTest(), "format{0} {1} {2}", _taintedValue, _taintedValue2, _taintedValue2), + () => System.String.Format(new FormatProviderForTest(), "format{0} {1} {2}", _taintedValue, _taintedValue2, _taintedValue2)); } [Fact] public void GivenATaintedObject_WhenCallingFormatWithProvider_ResultIsTainted10() { AssertTaintedFormatWithOriginalCallCheck(":+-formatUntaintedStringcustomformat taintedcustomformat UntaintedStringcustomformat-+:", - String.Format(new FormatProviderForTest(), "format{0} {1} {2}", _untaintedString, _taintedValue, _untaintedString), - () => String.Format(new FormatProviderForTest(), "format{0} {1} {2}", _untaintedString, _taintedValue, _untaintedString)); + System.String.Format(new FormatProviderForTest(), "format{0} {1} {2}", _untaintedString, _taintedValue, _untaintedString), + () => System.String.Format(new FormatProviderForTest(), "format{0} {1} {2}", _untaintedString, _taintedValue, _untaintedString)); } [Fact] public void GivenATaintedObject_WhenCallingFormatWithProvider_ResultIsTainted11() { AssertTaintedFormatWithOriginalCallCheck(":+-formattaintedcustomformat UntaintedStringcustomformat UntaintedStringcustomformat-+:", - String.Format(new FormatProviderForTest(), "format{0} {1} {2}", _taintedValue, _untaintedString, _untaintedString), - () => String.Format(new FormatProviderForTest(), "format{0} {1} {2}", _taintedValue, _untaintedString, _untaintedString)); + System.String.Format(new FormatProviderForTest(), "format{0} {1} {2}", _taintedValue, _untaintedString, _untaintedString), + () => System.String.Format(new FormatProviderForTest(), "format{0} {1} {2}", _taintedValue, _untaintedString, _untaintedString)); } [Fact] public void GivenATaintedObject_WhenCallingFormatWithProvider_ResultIsTainted12() { AssertTaintedFormatWithOriginalCallCheck(":+-formatUntaintedStringcustomformat UntaintedStringcustomformat taintedcustomformat-+:", - String.Format(new FormatProviderForTest(), "format{0} {1} {2}", _untaintedString, _untaintedString, _taintedValue), - () => String.Format(new FormatProviderForTest(), "format{0} {1} {2}", _untaintedString, _untaintedString, _taintedValue)); + System.String.Format(new FormatProviderForTest(), "format{0} {1} {2}", _untaintedString, _untaintedString, _taintedValue), + () => System.String.Format(new FormatProviderForTest(), "format{0} {1} {2}", _untaintedString, _untaintedString, _taintedValue)); } [Fact] public void GivenATaintedObject_WhenCallingFormatWithProvider_ResultIsTainted16() { AssertTaintedFormatWithOriginalCallCheck(":+-formatwwcustomformatwwcustomformatwwcustomformat-+:", - String.Format(new FormatProviderForTest(), _taintedFormat3Args, "ww", "ww", "ww"), - () => String.Format(new FormatProviderForTest(), _taintedFormat3Args, "ww", "ww", "ww")); + System.String.Format(new FormatProviderForTest(), _taintedFormat3Args, "ww", "ww", "ww"), + () => System.String.Format(new FormatProviderForTest(), _taintedFormat3Args, "ww", "ww", "ww")); } // Testing public static string Format(string format, params object[] args) @@ -174,24 +174,24 @@ public void GivenATaintedObject_WhenCallingFormatWithProvider_ResultIsTainted16( public void GivenATaintedObject_WhenCallingFormatWithObjectArray_ResultIsTainted() { AssertTaintedFormatWithOriginalCallCheck(":+-test: tainted-+:", - String.Format("test: {0}", new object[] { _taintedValue }), - () => String.Format("test: {0}", new object[] { _taintedValue })); + System.String.Format("test: {0}", new object[] { _taintedValue }), + () => System.String.Format("test: {0}", new object[] { _taintedValue })); } [Fact] public void GivenATaintedObject_WhenCallingFormatWithObjectArray_ResultIsTainted2() { AssertTaintedFormatWithOriginalCallCheck(":+-test: UntaintedString tainted-+:", - String.Format("test: {0} {1}", new object[] { _untaintedString, _taintedValue }), - () => String.Format("test: {0} {1}", new object[] { _untaintedString, _taintedValue })); + System.String.Format("test: {0} {1}", new object[] { _untaintedString, _taintedValue }), + () => System.String.Format("test: {0} {1}", new object[] { _untaintedString, _taintedValue })); } [Fact] public void GivenATaintedObject_WhenCallingFormatWithObjectArray_ResultIsTainted3() { AssertTaintedFormatWithOriginalCallCheck(":+-formatww-+:", - String.Format(_taintedFormat1Arg, new object[] { "ww" }), - () => String.Format(_taintedFormat1Arg, new object[] { "ww" })); + System.String.Format(_taintedFormat1Arg, new object[] { "ww" }), + () => System.String.Format(_taintedFormat1Arg, new object[] { "ww" })); } // Testing public static string Format(string format, object arg0) @@ -200,38 +200,38 @@ public void GivenATaintedObject_WhenCallingFormatWithObjectArray_ResultIsTainted public void GivenATaintedObject_WhenCallingFormatWithOneObject_ResultIsTainted() { AssertTaintedFormatWithOriginalCallCheck(":+-test: tainted-+:", - String.Format("test: {0}", _taintedValue), - () => String.Format("test: {0}", _taintedValue)); + System.String.Format("test: {0}", _taintedValue), + () => System.String.Format("test: {0}", _taintedValue)); } [Fact] public void GivenANotTaintedObject_WhenCallingFormatWithOneObject_ResultIsNotTainted() { - AssertNotTainted(String.Format("test: {0}", _untaintedString)); + AssertNotTainted(System.String.Format("test: {0}", _untaintedString)); } [Fact] public void GivenATaintedObject_WhenCallingFormatWithNewStringBuilder_ResultIsTainted() { AssertTaintedFormatWithOriginalCallCheck(":+-test: tainted-+:", - String.Format("test: {0}", new StringBuilder(_taintedValue)), - () => String.Format("test: {0}", new StringBuilder(_taintedValue))); + System.String.Format("test: {0}", new System.Text.StringBuilder(_taintedValue)), + () => System.String.Format("test: {0}", new System.Text.StringBuilder(_taintedValue))); } [Fact] public void GivenATaintedFormatObject_WhenCallingFormatWithOneObjectLess_FormatException() { AssertUntaintedWithOriginalCallCheck( - () => String.Format(_taintedFormat2Args, _taintedValue), - () => String.Format(_taintedFormat2Args, _taintedValue)); + () => System.String.Format(_taintedFormat2Args, _taintedValue), + () => System.String.Format(_taintedFormat2Args, _taintedValue)); } [Fact] public void GivenATaintedObject_WhenCallingFormatWithOneObject_ResultIsTainted2() { AssertTaintedFormatWithOriginalCallCheck(":+-formatww-+:", - String.Format(_taintedFormat1Arg, "ww"), - () => String.Format(_taintedFormat1Arg, "ww")); + System.String.Format(_taintedFormat1Arg, "ww"), + () => System.String.Format(_taintedFormat1Arg, "ww")); } // Testing public static string Format(string format, object arg0, object arg1) @@ -240,8 +240,8 @@ public void GivenATaintedObject_WhenCallingFormatWithOneObject_ResultIsTainted2( public void GivenATaintedObject_WhenCallingFormatWithTwoObjects_ResultIsTainted() { AssertTaintedFormatWithOriginalCallCheck(":+-test: tainted TAINTED2-+:", - String.Format("test: {0} {1}", _taintedValue, _taintedValue2), - () => String.Format("test: {0} {1}", _taintedValue, _taintedValue2)); + System.String.Format("test: {0} {1}", _taintedValue, _taintedValue2), + () => System.String.Format("test: {0} {1}", _taintedValue, _taintedValue2)); } [Fact] @@ -249,24 +249,24 @@ public void GivenATaintedObject_WhenCallingFormatWithTwoObjects_ResultIsTainted2 { string str = "{0} and Literal equals to {1}"; AssertTaintedFormatWithOriginalCallCheck(":+-tainted and Literal equals to UntaintedString-+:", - String.Format(str, _taintedValue, _untaintedString), - () => String.Format(str, _taintedValue, _untaintedString)); + System.String.Format(str, _taintedValue, _untaintedString), + () => System.String.Format(str, _taintedValue, _untaintedString)); } [Fact] public void GivenATaintedFormatObject_WhenCallingFormatWithTwoObjects_ResultIsTainted() { AssertTaintedFormatWithOriginalCallCheck(":+-formatUntaintedStringTAINTED2-+:", - String.Format(_taintedFormat2Args, _untaintedString, _taintedValue2), - () => String.Format(_taintedFormat2Args, _untaintedString, _taintedValue2)); + System.String.Format(_taintedFormat2Args, _untaintedString, _taintedValue2), + () => System.String.Format(_taintedFormat2Args, _untaintedString, _taintedValue2)); } [Fact] public void GivenATaintedFormatObject_WhenCallingFormatWithTwoObjects_ResultIsTainted2() { AssertTaintedFormatWithOriginalCallCheck(":+-formatwwww-+:", - String.Format(_taintedFormat2Args, "ww", "ww"), - () => String.Format(_taintedFormat2Args, "ww", "ww")); + System.String.Format(_taintedFormat2Args, "ww", "ww"), + () => System.String.Format(_taintedFormat2Args, "ww", "ww")); } // Testing public static string Format(string format, object arg0, object arg1, object arg2) @@ -275,40 +275,40 @@ public void GivenATaintedFormatObject_WhenCallingFormatWithTwoObjects_ResultIsTa public void GivenATaintedObject_WhenCallingFormatWithThreebjects_ResultIsTainted() { AssertTaintedFormatWithOriginalCallCheck(":+-test: www www TAINTED2-+:", - String.Format("test: {0} {1} {2}", "www", "www", _taintedValue2), - () => String.Format("test: {0} {1} {2}", "www", "www", _taintedValue2)); + System.String.Format("test: {0} {1} {2}", "www", "www", _taintedValue2), + () => System.String.Format("test: {0} {1} {2}", "www", "www", _taintedValue2)); } [Fact] public void GivenATaintedObject_WhenCallingFormatWithThreebjects_ResultIsTainted2() { AssertTaintedFormatWithOriginalCallCheck(":+-test: www tainted www-+:", - String.Format("test: {0} {1} {2}", "www", _taintedValue, "www"), - () => String.Format("test: {0} {1} {2}", "www", _taintedValue, "www")); + System.String.Format("test: {0} {1} {2}", "www", _taintedValue, "www"), + () => System.String.Format("test: {0} {1} {2}", "www", _taintedValue, "www")); } [Fact] public void GivenATaintedObject_WhenCallingFormatWithThreebjects_ResultIsTainted3() { AssertTaintedFormatWithOriginalCallCheck(":+-test: tainted www www-+:", - String.Format("test: {0} {1} {2}", _taintedValue, "www", "www"), - () => String.Format("test: {0} {1} {2}", _taintedValue, "www", "www")); + System.String.Format("test: {0} {1} {2}", _taintedValue, "www", "www"), + () => System.String.Format("test: {0} {1} {2}", _taintedValue, "www", "www")); } [Fact] public void GivenATaintedFormatObject_WhenCallingFormat_ResultIsTainted() { AssertTaintedFormatWithOriginalCallCheck(":+-formattainted TAINTED2 TAINTED2-+:", - String.Format("format{0} {1} {2}", _taintedValue, _taintedValue2, _taintedValue2), - () => String.Format("format{0} {1} {2}", _taintedValue, _taintedValue2, _taintedValue2)); + System.String.Format("format{0} {1} {2}", _taintedValue, _taintedValue2, _taintedValue2), + () => System.String.Format("format{0} {1} {2}", _taintedValue, _taintedValue2, _taintedValue2)); } [Fact] public void GivenATaintedFormatObject_WhenCallingFormat_ResultIsTainted3() { AssertTaintedFormatWithOriginalCallCheck(":+-formatwwwwww-+:", - String.Format(_taintedFormat3Args, "ww", "ww", "ww"), - () => String.Format(_taintedFormat3Args, "ww", "ww", "ww")); + System.String.Format(_taintedFormat3Args, "ww", "ww", "ww"), + () => System.String.Format(_taintedFormat3Args, "ww", "ww", "ww")); } // Testing public static string Format(string format, params object[] args) @@ -317,48 +317,48 @@ public void GivenATaintedFormatObject_WhenCallingFormat_ResultIsTainted3() public void GivenATaintedFormatObject_WhenCallingFormatWithObjectArray_ResultIsTainted() { AssertTaintedFormatWithOriginalCallCheck(":+-formattaintedTAINTED2-+:", - String.Format(_taintedFormat2Args, new object[] { _taintedValue, _taintedValue2 }), - () => String.Format(_taintedFormat2Args, new object[] { _taintedValue, _taintedValue2 })); + System.String.Format(_taintedFormat2Args, new object[] { _taintedValue, _taintedValue2 }), + () => System.String.Format(_taintedFormat2Args, new object[] { _taintedValue, _taintedValue2 })); } [Fact] public void GivenATaintedFormatObject_WhenCallingFormatWithObjectArray_ResultIsTainted2() { AssertTaintedFormatWithOriginalCallCheck(":+-formattaintednotTainted-+:", - String.Format(_taintedFormat2Args, new object[] { _taintedValue, "notTainted" }), - () => String.Format(_taintedFormat2Args, new object[] { _taintedValue, "notTainted" })); + System.String.Format(_taintedFormat2Args, new object[] { _taintedValue, "notTainted" }), + () => System.String.Format(_taintedFormat2Args, new object[] { _taintedValue, "notTainted" })); } [Fact] public void GivenANotTaintedFormatObject_WhenCallingFormatWithObjectArray_ResultIsNotTainted2() { AssertUntaintedWithOriginalCallCheck("FormatnotTaintednotTainted", - String.Format("Format{0}{1}", new object[] { "notTainted", "notTainted" }), - () => String.Format("Format{0}{1}", new object[] { "notTainted", "notTainted" })); + System.String.Format("Format{0}{1}", new object[] { "notTainted", "notTainted" }), + () => System.String.Format("Format{0}{1}", new object[] { "notTainted", "notTainted" })); } [Fact] public void GivenATaintedFormatObject_WhenCallingFormatWithObjectArray_ResultIsTainted3() { AssertTaintedFormatWithOriginalCallCheck(":+-abcnotTaintedtainted-+:", - String.Format("abc{0}{1}", new object[] { "notTainted", _taintedValue }), - () => String.Format("abc{0}{1}", new object[] { "notTainted", _taintedValue })); + System.String.Format("abc{0}{1}", new object[] { "notTainted", _taintedValue }), + () => System.String.Format("abc{0}{1}", new object[] { "notTainted", _taintedValue })); } [Fact] public void GivenATaintedFormatObject_WhenCallingFormatWithObjectArray_ResultIsTainted4() { AssertTaintedFormatWithOriginalCallCheck(":+-formatwwwwww-+:", - String.Format(_taintedFormat3Args, new object[] { "ww", "ww", "ww" }), - () => String.Format(_taintedFormat3Args, new object[] { "ww", "ww", "ww" })); + System.String.Format(_taintedFormat3Args, new object[] { "ww", "ww", "ww" }), + () => System.String.Format(_taintedFormat3Args, new object[] { "ww", "ww", "ww" })); } [Fact] public void GivenANotTaintedFormatObject_WhenCallingFormatWithTaintedObjectNoReplace_ResultIsNotTainted2() { AssertUntaintedWithOriginalCallCheck("Format", - String.Format("Format", _taintedValue), - () => String.Format("Format", _taintedValue)); + System.String.Format("Format", _taintedValue), + () => System.String.Format("Format", _taintedValue)); } @@ -371,8 +371,8 @@ public void GivenATaintedString_WhenCallingStringFormatObjectArrayFormatProvider var composite = CompositeFormat.Parse("myformat{0}{1}"); AssertUntaintedWithOriginalCallCheck( "myformattaintedcustomformatUntaintedStringcustomformat", - String.Format(new FormatProviderForTest(), composite, new object[] { _taintedValue, _untaintedString }).ToString(), - () => String.Format(new FormatProviderForTest(), composite, new object[] { _taintedValue, _untaintedString }).ToString()); + System.String.Format(new FormatProviderForTest(), composite, new object[] { _taintedValue, _untaintedString }).ToString(), + () => System.String.Format(new FormatProviderForTest(), composite, new object[] { _taintedValue, _untaintedString }).ToString()); } #endif } diff --git a/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/String/StringGeneralTests.cs b/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Propagation/String/StringGeneralTests.cs similarity index 84% rename from tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/String/StringGeneralTests.cs rename to tracer/test/test-applications/integrations/Samples.InstrumentedTests/Propagation/String/StringGeneralTests.cs index b60a3eaf48e8..a7014f8f8e39 100644 --- a/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/String/StringGeneralTests.cs +++ b/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Propagation/String/StringGeneralTests.cs @@ -1,6 +1,6 @@ using Xunit; -namespace Samples.InstrumentedTests.Iast.Vulnerabilities.StringPropagation; +namespace Samples.InstrumentedTests.Iast.Propagation.String; public class StringGeneralTests : InstrumentationTestsBase { protected string taintedValue = "tainted"; diff --git a/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/String/StringInsertTests.cs b/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Propagation/String/StringInsertTests.cs similarity index 88% rename from tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/String/StringInsertTests.cs rename to tracer/test/test-applications/integrations/Samples.InstrumentedTests/Propagation/String/StringInsertTests.cs index fa052bcf8c54..79048df5a9a1 100644 --- a/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/String/StringInsertTests.cs +++ b/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Propagation/String/StringInsertTests.cs @@ -3,7 +3,7 @@ using FluentAssertions; using Xunit; -namespace Samples.InstrumentedTests.Iast.Vulnerabilities.StringPropagation; +namespace Samples.InstrumentedTests.Iast.Propagation.String; public class StringInsertTests : InstrumentationTestsBase { @@ -64,7 +64,7 @@ public void String_Insert_Index_With_Both() [Fact] public void String_Insert_Index_Two_Tainted_With_Two_Untainted() { - string str = String.Concat(LargeTaintedString, " and ", OtherTaintedString); + string str = System.String.Concat(LargeTaintedString, " and ", OtherTaintedString); str = str.Insert(2, UntaintedString); AssertTaintedFormatWithOriginalCallCheck(":+-La-+:UntaintedString:+-rgeTaintedString-+: and UntaintedString:+-OtherTaintedString-+:", str.Insert(38, UntaintedString), () => str.Insert(38, UntaintedString)); } @@ -72,7 +72,7 @@ public void String_Insert_Index_Two_Tainted_With_Two_Untainted() [Fact] public void String_Insert_Index_Two_Tainted_With_Two_Tainted() { - string str = String.Concat(LargeTaintedString, " and ", OtherTaintedString); + string str = System.String.Concat(LargeTaintedString, " and ", OtherTaintedString); str = str.Insert(5, OtherTaintedString); AssertTaintedFormatWithOriginalCallCheck(":+-Large-+::+-OtherTaintedString-+::+-TaintedString-+: and :+-Other-+::+-TaintedString-+::+-TaintedString-+:", str.Insert(46, TaintedString), () => str.Insert(46, TaintedString)); } @@ -81,14 +81,14 @@ public void String_Insert_Index_Two_Tainted_With_Two_Tainted() public void String_Insert_Index_Two_Tainted_With_Both() { AssertTaintedFormatWithOriginalCallCheck(":+-Large-+::+-OtherTaintedString-+::+-TaintedString-+: and :+-Other-+:UntaintedString:+-TaintedString-+:", - String.Concat(LargeTaintedString, " and ", OtherTaintedString).Insert(5, OtherTaintedString).Insert(46, UntaintedString), - () => String.Concat(LargeTaintedString, " and ", OtherTaintedString).Insert(5, OtherTaintedString).Insert(46, UntaintedString)); + System.String.Concat(LargeTaintedString, " and ", OtherTaintedString).Insert(5, OtherTaintedString).Insert(46, UntaintedString), + () => System.String.Concat(LargeTaintedString, " and ", OtherTaintedString).Insert(5, OtherTaintedString).Insert(46, UntaintedString)); } [Fact] public void String_Insert_Index_Both_With_Two_Untainted() { - string str = String.Concat(LargeTaintedString, " and ", UntaintedString); + string str = System.String.Concat(LargeTaintedString, " and ", UntaintedString); str = str.Insert(2, UntaintedString); AssertTaintedFormatWithOriginalCallCheck(":+-La-+:UntaintedString:+-rgeTaintedString-+: and UntaintedStringUntaintedString", str.Insert(38, UntaintedString), () => str.Insert(38, UntaintedString)); } @@ -96,7 +96,7 @@ public void String_Insert_Index_Both_With_Two_Untainted() [Fact] public void String_Insert_Index_Both_With_Two_Tainted() { - string str = String.Concat(LargeTaintedString, " and ", UntaintedString); + string str = System.String.Concat(LargeTaintedString, " and ", UntaintedString); str = str.Insert(2, TaintedString); AssertTaintedFormatWithOriginalCallCheck(":+-La-+::+-TaintedString-+::+-rgeTaintedString-+: and Un:+-OtherTaintedString-+:taintedString", str.Insert(38, OtherTaintedString), () => str.Insert(38, OtherTaintedString)); } diff --git a/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/String/StringJoinTests.cs b/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Propagation/String/StringJoinTests.cs similarity index 60% rename from tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/String/StringJoinTests.cs rename to tracer/test/test-applications/integrations/Samples.InstrumentedTests/Propagation/String/StringJoinTests.cs index 4e52cf89e625..b0c3c52112e6 100644 --- a/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/String/StringJoinTests.cs +++ b/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Propagation/String/StringJoinTests.cs @@ -3,7 +3,7 @@ using System.Linq; using Xunit; -namespace Samples.InstrumentedTests.Iast.Vulnerabilities.StringPropagation; +namespace Samples.InstrumentedTests.Iast.Propagation.String; public class StringJoinTests : InstrumentationTestsBase { @@ -31,91 +31,91 @@ public StringJoinTests() [Fact] public void GivenATaintedObject_WhenCallingJoinWithObjectArray_ResultIsTainted() { - AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:,:+-TAINTED2-+:", String.Join(",", new object[] { taintedValue, taintedValue2 }), () => String.Join(",", new object[] { taintedValue, taintedValue2 })); + AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:,:+-TAINTED2-+:", System.String.Join(",", new object[] { taintedValue, taintedValue2 }), () => System.String.Join(",", new object[] { taintedValue, taintedValue2 })); } [Fact] public void GivenATaintedObject_WhenCallingJoinWithObjectArray_ResultIsTainted2() { - AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:,:+-TAINTED2-+:", String.Join(",", taintedValue, taintedValue2), () => String.Join(",", taintedValue , taintedValue2)); + AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:,:+-TAINTED2-+:", System.String.Join(",", taintedValue, taintedValue2), () => System.String.Join(",", taintedValue , taintedValue2)); } [Fact] public void GivenATaintedObject_WhenCallingJoinWithObjectArrayAndTaintedSeparator_ResultIsTainted() { - AssertTaintedFormatWithOriginalCallCheck(":+-TAINTED2-+::+-tainted-+:eee", String.Join(taintedValue, new object[] { taintedValue2, "eee" }), () => String.Join(taintedValue, new object[] { taintedValue2, "eee" })); + AssertTaintedFormatWithOriginalCallCheck(":+-TAINTED2-+::+-tainted-+:eee", System.String.Join(taintedValue, new object[] { taintedValue2, "eee" }), () => System.String.Join(taintedValue, new object[] { taintedValue2, "eee" })); } [Fact] public void GivenATaintedObject_WhenCallingJoinWithStringArray_ResultIsTainted() { - AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:,:+-TAINTED2-+:", String.Join(",", new string[] { taintedValue, taintedValue2 }), () => String.Join(",", new string[] { taintedValue, taintedValue2 })); + AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:,:+-TAINTED2-+:", System.String.Join(",", new string[] { taintedValue, taintedValue2 }), () => System.String.Join(",", new string[] { taintedValue, taintedValue2 })); } [Fact] public void GivenATaintedObject_WhenCallingJoinWithStringArray_ResultIsTainted2() { - AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:,:+-TAINTED2-+:", String.Join(",", taintedValue, taintedValue2), () => String.Join(",", taintedValue, taintedValue2)); + AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:,:+-TAINTED2-+:", System.String.Join(",", taintedValue, taintedValue2), () => System.String.Join(",", taintedValue, taintedValue2)); } [Fact] public void GivenATaintedObject_WhenCallingJoinWithStringArrayAndTaintedSeparator_ResultIsTainted() { - AssertTaintedFormatWithOriginalCallCheck(":+-TAINTED2-+::+-tainted-+:eee", String.Join(taintedValue, new string[] { taintedValue2, "eee" }), () => String.Join(taintedValue, new string[] { taintedValue2, "eee" })); + AssertTaintedFormatWithOriginalCallCheck(":+-TAINTED2-+::+-tainted-+:eee", System.String.Join(taintedValue, new string[] { taintedValue2, "eee" }), () => System.String.Join(taintedValue, new string[] { taintedValue2, "eee" })); } [Fact] public void GivenATaintedObject_WhenCallingJoinWithStringList_ResultIsTainted() { - AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:,:+-TAINTED2-+:", String.Join(",", new List { taintedValue, taintedValue2 }), () => String.Join(",", new List { taintedValue, taintedValue2 })); + AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:,:+-TAINTED2-+:", System.String.Join(",", new List { taintedValue, taintedValue2 }), () => System.String.Join(",", new List { taintedValue, taintedValue2 })); } [Fact] public void GivenATaintedObject_WhenCallingJoinWithStringListAndTaintedSeparator_ResultIsTainted() { - AssertTaintedFormatWithOriginalCallCheck(":+-TAINTED2-+::+-tainted-+:eee", String.Join(taintedValue, new List { taintedValue2, "eee" }), () => String.Join(taintedValue, new List { taintedValue2, "eee" })); + AssertTaintedFormatWithOriginalCallCheck(":+-TAINTED2-+::+-tainted-+:eee", System.String.Join(taintedValue, new List { taintedValue2, "eee" }), () => System.String.Join(taintedValue, new List { taintedValue2, "eee" })); } [Fact] public void GivenATaintedObject_WhenCallingJoinWithStringListAndTaintedSeparator_ResultIsTainted2() { - AssertTaintedFormatWithOriginalCallCheck(":+-TAINTED2-+:", String.Join(taintedValue, new List { taintedValue2}), () => String.Join(taintedValue, new List { taintedValue2})); + AssertTaintedFormatWithOriginalCallCheck(":+-TAINTED2-+:", System.String.Join(taintedValue, new List { taintedValue2}), () => System.String.Join(taintedValue, new List { taintedValue2})); } [Fact] public void GivenATaintedObject_WhenCallingJoinWithStringArrayAndIndex_ResultIsTainted() { - AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:", String.Join(",", new string[] { taintedValue, taintedValue2 }, 0, 1), () => String.Join(",", new string[] { taintedValue, taintedValue2 }, 0, 1)); + AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:", System.String.Join(",", new string[] { taintedValue, taintedValue2 }, 0, 1), () => System.String.Join(",", new string[] { taintedValue, taintedValue2 }, 0, 1)); } [Fact] public void GivenATaintedObject_WhenCallingJoinWithStringArrayAndIndex_ResultIsTainted2() { - AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:,:+-TAINTED2-+:", String.Join(",", new string[] { taintedValue, taintedValue2 }, 0, 2), () => String.Join(",", new string[] { taintedValue, taintedValue2 }, 0, 2)); + AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:,:+-TAINTED2-+:", System.String.Join(",", new string[] { taintedValue, taintedValue2 }, 0, 2), () => System.String.Join(",", new string[] { taintedValue, taintedValue2 }, 0, 2)); } [Fact] public void GivenATaintedObject_WhenCallingJoinWithStringArrayAndIndex_ResultIsTainted3() { - AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:,:+-TAINTED2-+:", String.Join(",", new string[] { taintedValue, taintedValue2 }), () => String.Join(",", new string[] { taintedValue, taintedValue2 }, 0, 2)); + AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:,:+-TAINTED2-+:", System.String.Join(",", new string[] { taintedValue, taintedValue2 }), () => System.String.Join(",", new string[] { taintedValue, taintedValue2 }, 0, 2)); } [Fact] public void GivenATaintedObject_WhenCallingJoinWithStringArrayAndIndex_ResultIsTainted4() { - AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:", String.Join(",", new string[] { taintedValue }), () => String.Join(",", new string[] { taintedValue}, 0, 1)); + AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:", System.String.Join(",", new string[] { taintedValue }), () => System.String.Join(",", new string[] { taintedValue}, 0, 1)); } [Fact] public void GivenATaintedObject_WhenCallingJoinWithStringArrayAndIndex_ResultIsTainted5() { - AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:", String.Join(",", new string[] { taintedValue }), () => String.Join(",", new string[] { taintedValue })); + AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:", System.String.Join(",", new string[] { taintedValue }), () => System.String.Join(",", new string[] { taintedValue })); } [Fact] public void GivenATaintedObject_WhenCallingJoinWithStringArrayAndIndexAndTaintedSeparator_ResultIsTainted() { - AssertTaintedFormatWithOriginalCallCheck(":+-TAINTED2-+::+-tainted-+:eee", String.Join(taintedValue, new string[] { taintedValue2, "eee" }, 0, 2), () => String.Join(taintedValue, new string[] { taintedValue2, "eee" }, 0, 2)); + AssertTaintedFormatWithOriginalCallCheck(":+-TAINTED2-+::+-tainted-+:eee", System.String.Join(taintedValue, new string[] { taintedValue2, "eee" }, 0, 2), () => System.String.Join(taintedValue, new string[] { taintedValue2, "eee" }, 0, 2)); } #if NETFRAMEWORK @@ -123,130 +123,130 @@ public void GivenATaintedObject_WhenCallingJoinWithStringArrayAndIndexAndTainted public void GivenATaintedObject_WhenCallingJoinWithObjectArrayAndTaintedSeparatorOneNullParams_ResultIsTainted() { - AssertUntaintedWithOriginalCallCheck(String.Empty, String.Join(taintedValue, new object[] { null, "eee" }), - () => String.Join(taintedValue, new object[] { null, "eee" })); + AssertUntaintedWithOriginalCallCheck(System.String.Empty, System.String.Join(taintedValue, new object[] { null, "eee" }), + () => System.String.Join(taintedValue, new object[] { null, "eee" })); } #else [Fact] public void GivenATaintedObject_WhenCallingJoinWithObjectArrayAndTaintedSeparatorOneNullParams_ResultIsTainted() { - AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:eee", String.Join(taintedValue, new object[] { null, "eee" }), - () => String.Join(taintedValue, new object[] { null, "eee" })); + AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:eee", System.String.Join(taintedValue, new object[] { null, "eee" }), + () => System.String.Join(taintedValue, new object[] { null, "eee" })); } [Fact] public void GivenATaintedObject_WhenCallingJoinWithObjectArrayAndTaintedSeparatorOneNullParams_ResultIsTainted2() { - AssertTaintedFormatWithOriginalCallCheck(":+-TAINTED2-+:", String.Join(taintedValue, new object[] { taintedValue2 }), - () => String.Join(taintedValue, new object[] { taintedValue2 })); + AssertTaintedFormatWithOriginalCallCheck(":+-TAINTED2-+:", System.String.Join(taintedValue, new object[] { taintedValue2 }), + () => System.String.Join(taintedValue, new object[] { taintedValue2 })); } #endif [Fact] public void GivenATaintedObject_WhenCallingJoinWithStringArrayOneNullParams_ResultIsTainted2() { - AssertTaintedFormatWithOriginalCallCheck(",:+-TAINTED2-+:", String.Join(",", null, taintedValue2), () => String.Join(",", null, taintedValue2)); + AssertTaintedFormatWithOriginalCallCheck(",:+-TAINTED2-+:", System.String.Join(",", null, taintedValue2), () => System.String.Join(",", null, taintedValue2)); } [Fact] public void GivenATaintedObject_WhenCallingJoinWithStringArrayAndIndexOneNullParams_ResultIsTainted() { - AssertTaintedFormatWithOriginalCallCheck(",:+-TAINTED2-+:", String.Join(",", new string[] { null, taintedValue2 }, 0, 2), () => String.Join(",", new string[] { null, taintedValue2 }, 0, 2)); + AssertTaintedFormatWithOriginalCallCheck(",:+-TAINTED2-+:", System.String.Join(",", new string[] { null, taintedValue2 }, 0, 2), () => System.String.Join(",", new string[] { null, taintedValue2 }, 0, 2)); } [Fact] public void GivenATaintedObject_WhenCallingJoinWithObjectArrayAndNullSeparator_ResultIsTainted() { - AssertTaintedFormatWithOriginalCallCheck(":+-TAINTED2-+:eee", String.Join(null, new object[] { taintedValue2, "eee" }), () => String.Join(null, new object[] { taintedValue2, "eee" })); + AssertTaintedFormatWithOriginalCallCheck(":+-TAINTED2-+:eee", System.String.Join(null, new object[] { taintedValue2, "eee" }), () => System.String.Join(null, new object[] { taintedValue2, "eee" })); } [Fact] public void GivenATaintedObject_WhenCallingJoinWithStringArrayNullSeparator_ResultIsTainted2() { - AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+::+-TAINTED2-+:", String.Join(null, taintedValue, taintedValue2), () => String.Join(null, taintedValue, taintedValue2)); + AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+::+-TAINTED2-+:", System.String.Join(null, taintedValue, taintedValue2), () => System.String.Join(null, taintedValue, taintedValue2)); } [Fact] public void GivenATaintedObject_WhenCallingJoinWithStringListAndNullSeparator_ResultIsTainted() { - AssertTaintedFormatWithOriginalCallCheck(":+-TAINTED2-+:eee", String.Join(null, new List { taintedValue2, "eee" }), () => String.Join(null, new List { taintedValue2, "eee" })); + AssertTaintedFormatWithOriginalCallCheck(":+-TAINTED2-+:eee", System.String.Join(null, new List { taintedValue2, "eee" }), () => System.String.Join(null, new List { taintedValue2, "eee" })); } [Fact] public void GivenATaintedObject_WhenCallingJoinWithStringArrayAndIndexAndNullSeparator_ResultIsTainted() { - AssertTaintedFormatWithOriginalCallCheck(":+-TAINTED2-+:eee", String.Join(null, new string[] { taintedValue2, "eee" }, 0, 2), () => String.Join(null, new string[] { taintedValue2, "eee" }, 0, 2)); + AssertTaintedFormatWithOriginalCallCheck(":+-TAINTED2-+:eee", System.String.Join(null, new string[] { taintedValue2, "eee" }, 0, 2), () => System.String.Join(null, new string[] { taintedValue2, "eee" }, 0, 2)); } [Fact] public void GivenATaintedObject_WhenCallingJoinWithGenericListNullSeparator_ResultIsTainted() { - AssertTaintedFormatWithOriginalCallCheck(":+-TAINTED2-+:eee", String.Join(null, new List { taintedValue2, "eee" }), () => String.Join(null, new List { taintedValue2, "eee" })); + AssertTaintedFormatWithOriginalCallCheck(":+-TAINTED2-+:eee", System.String.Join(null, new List { taintedValue2, "eee" }), () => System.String.Join(null, new List { taintedValue2, "eee" })); } [Fact] public void GivenATaintedObject_WhenCallingJoinWithGenericListOneNullParams_ResultIsTainted() { - AssertTaintedFormatWithOriginalCallCheck(":+-TAINTED2-+::+-tainted-+:", String.Join(taintedValue, new List { taintedValue2, null }), () => String.Join(taintedValue, new List { taintedValue2, null })); + AssertTaintedFormatWithOriginalCallCheck(":+-TAINTED2-+::+-tainted-+:", System.String.Join(taintedValue, new List { taintedValue2, null }), () => System.String.Join(taintedValue, new List { taintedValue2, null })); } [Fact] public void GivenATaintedObject_WhenCallingJoinWithGenericList_ResultIsTainted() { - AssertTaintedFormatWithOriginalCallCheck(":+-TAINTED2-+::+-tainted-+:eee", String.Join(taintedValue, new List { taintedValue2, "eee" }), () => String.Join(taintedValue, new List { taintedValue2, "eee" })); + AssertTaintedFormatWithOriginalCallCheck(":+-TAINTED2-+::+-tainted-+:eee", System.String.Join(taintedValue, new List { taintedValue2, "eee" }), () => System.String.Join(taintedValue, new List { taintedValue2, "eee" })); } [Fact] public void GivenATaintedStringInStruct_WhenCallingJoin_ResultIsTainted() { - AssertTaintedFormatWithOriginalCallCheck("UntaintedString,:+-tainted-+:", String.Join(",", new List { new StructForStringTest("UntaintedString"), new StructForStringTest(taintedValue) }), () => String.Join(",", new List { new StructForStringTest("UntaintedString"), new StructForStringTest(taintedValue) })); + AssertTaintedFormatWithOriginalCallCheck("UntaintedString,:+-tainted-+:", System.String.Join(",", new List { new StructForStringTest("UntaintedString"), new StructForStringTest(taintedValue) }), () => System.String.Join(",", new List { new StructForStringTest("UntaintedString"), new StructForStringTest(taintedValue) })); } [Fact] public void GivenATaintedStringInStruct_WhenCallingJoin_ResultIsTainted2() { - AssertTaintedFormatWithOriginalCallCheck("UntaintedString,:+-tainted-+:", String.Join(",", new List { new StructForStringTest("UntaintedString"), new StructForStringTest(taintedValue) }), () => String.Join(",", new List { new StructForStringTest("UntaintedString"), new StructForStringTest(taintedValue) })); + AssertTaintedFormatWithOriginalCallCheck("UntaintedString,:+-tainted-+:", System.String.Join(",", new List { new StructForStringTest("UntaintedString"), new StructForStringTest(taintedValue) }), () => System.String.Join(",", new List { new StructForStringTest("UntaintedString"), new StructForStringTest(taintedValue) })); } [Fact] public void GivenATaintedStringInStruct_WhenCallingJoin_ResultIsTainted4() { - AssertTaintedFormatWithOriginalCallCheck("UntaintedString,:+-tainted-+:", String.Join(",", new StructForStringTest("UntaintedString"), new StructForStringTest(taintedValue)), () => String.Join(",", new object[] { new StructForStringTest("UntaintedString"), new StructForStringTest(taintedValue) })); + AssertTaintedFormatWithOriginalCallCheck("UntaintedString,:+-tainted-+:", System.String.Join(",", new StructForStringTest("UntaintedString"), new StructForStringTest(taintedValue)), () => System.String.Join(",", new object[] { new StructForStringTest("UntaintedString"), new StructForStringTest(taintedValue) })); } [Fact] public void GivenATaintedStringInStruct_WhenCallingJoin_ResultIsTainted3() { - AssertTaintedFormatWithOriginalCallCheck("UntaintedString,:+-tainted-+:", String.Join(",", new StructForStringTest("UntaintedString"), new StructForStringTest(taintedValue)), () => String.Join(",", new StructForStringTest("UntaintedString"), new StructForStringTest(taintedValue))); + AssertTaintedFormatWithOriginalCallCheck("UntaintedString,:+-tainted-+:", System.String.Join(",", new StructForStringTest("UntaintedString"), new StructForStringTest(taintedValue)), () => System.String.Join(",", new StructForStringTest("UntaintedString"), new StructForStringTest(taintedValue))); } [Fact] public void GivenATaintedStringInClass_WhenCallingJoin_ResultIsTainted() { - AssertTaintedFormatWithOriginalCallCheck("UntaintedString,:+-tainted-+:", String.Join(",", new List { new ClassForStringTest("UntaintedString"), new ClassForStringTest(taintedValue) }), () => String.Join(",", new List { new ClassForStringTest("UntaintedString"), new ClassForStringTest(taintedValue) })); + AssertTaintedFormatWithOriginalCallCheck("UntaintedString,:+-tainted-+:", System.String.Join(",", new List { new ClassForStringTest("UntaintedString"), new ClassForStringTest(taintedValue) }), () => System.String.Join(",", new List { new ClassForStringTest("UntaintedString"), new ClassForStringTest(taintedValue) })); } [Fact] public void GivenATaintedStringInClass_WhenCallingJoin_ResultIsTainted2() { - AssertTaintedFormatWithOriginalCallCheck("UntaintedString,:+-tainted-+:", String.Join(",", new List { new ClassForStringTest("UntaintedString"), new ClassForStringTest(taintedValue) }), () => String.Join(",", new List { new ClassForStringTest("UntaintedString"), new ClassForStringTest(taintedValue) })); + AssertTaintedFormatWithOriginalCallCheck("UntaintedString,:+-tainted-+:", System.String.Join(",", new List { new ClassForStringTest("UntaintedString"), new ClassForStringTest(taintedValue) }), () => System.String.Join(",", new List { new ClassForStringTest("UntaintedString"), new ClassForStringTest(taintedValue) })); } [Fact] public void GivenATaintedStringInClass_WhenCallingJoin_ResultIsTainted3() { - AssertTaintedFormatWithOriginalCallCheck("UntaintedString,:+-tainted-+:", String.Join(",", new ClassForStringTest("UntaintedString"), new ClassForStringTest(taintedValue)), () => String.Join(",", new ClassForStringTest("UntaintedString"), new ClassForStringTest(taintedValue))); + AssertTaintedFormatWithOriginalCallCheck("UntaintedString,:+-tainted-+:", System.String.Join(",", new ClassForStringTest("UntaintedString"), new ClassForStringTest(taintedValue)), () => System.String.Join(",", new ClassForStringTest("UntaintedString"), new ClassForStringTest(taintedValue))); } [Fact] public void GivenATaintedStringInClass_WhenCallingJoin_ResultIsTainted4() { - AssertTaintedFormatWithOriginalCallCheck("UntaintedString,:+-tainted-+:", String.Join(",", new ClassForStringTest("UntaintedString"), new ClassForStringTest(taintedValue)), () => String.Join(",", new ClassForStringTest("UntaintedString"), new ClassForStringTest(taintedValue))); + AssertTaintedFormatWithOriginalCallCheck("UntaintedString,:+-tainted-+:", System.String.Join(",", new ClassForStringTest("UntaintedString"), new ClassForStringTest(taintedValue)), () => System.String.Join(",", new ClassForStringTest("UntaintedString"), new ClassForStringTest(taintedValue))); } [Fact] public void GivenATaintedStringInClass_WhenCallingJoin_ResultIsTainted5() { - AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:", String.Join(",", new ClassForStringTest(taintedValue)), () => String.Join(",", new ClassForStringTest(taintedValue))); + AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:", System.String.Join(",", new ClassForStringTest(taintedValue)), () => System.String.Join(",", new ClassForStringTest(taintedValue))); } #if NETCOREAPP3_1_OR_GREATER @@ -266,7 +266,7 @@ public void GivenATaintedStringInNestedMethodObject_WhenCallingJoinWithChar_Resu { void NestedMethod(List parameters) { - AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:", String.Join(',', parameters), () => String.Join(',', parameters)); + AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:", System.String.Join(',', parameters), () => System.String.Join(',', parameters)); } NestedMethod(new List { taintedValue }); @@ -277,7 +277,7 @@ public void GivenATaintedStringInNestedMethodObject_WhenCallingJoinWithChar_Resu { void NestedMethod(List parameters) { - AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:,NonTainted", String.Join(',', parameters), () => String.Join(',', parameters)); + AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:,NonTainted", System.String.Join(',', parameters), () => System.String.Join(',', parameters)); } NestedMethod(new List { taintedValue, "NonTainted" }); @@ -287,72 +287,72 @@ void NestedMethod(List parameters) public void GivenATaintedStringInList_WhenCallingJoinWithChar_ResultIsTainted8() { var parameters = new List { taintedValue, "NonTainted" }; - AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:,NonTainted", String.Join(',', parameters), () => String.Join(',', parameters)); + AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:,NonTainted", System.String.Join(',', parameters), () => System.String.Join(',', parameters)); } [Fact] public void GivenATaintedString_WhenCallingJoin_ResultIsTainted7() { - String.Concat(taintedValue, "eee"); + System.String.Concat(taintedValue, "eee"); AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:a:+-tainted-+:", - String.Join('a', taintedValue, taintedValue), - () => String.Join('a', taintedValue, taintedValue)); + System.String.Join('a', taintedValue, taintedValue), + () => System.String.Join('a', taintedValue, taintedValue)); } [Fact] public void GivenATaintedString_WhenCallingJoin_ResultIsTainted8() { AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:a:+-tainted-+:", - String.Join('a', (object)taintedValue, (object)taintedValue), - () => String.Join('a', (object)taintedValue, (object)taintedValue)); + System.String.Join('a', (object)taintedValue, (object)taintedValue), + () => System.String.Join('a', (object)taintedValue, (object)taintedValue)); } [Fact] public void GivenATaintedString_WhenCallingJoin_ResultIsTainted9() { AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:a:+-tainted-+:a1", - String.Join('a', (object)taintedValue, (object)taintedValue, 1), - () => String.Join('a', (object)taintedValue, (object)taintedValue, 1)); + System.String.Join('a', (object)taintedValue, (object)taintedValue, 1), + () => System.String.Join('a', (object)taintedValue, (object)taintedValue, 1)); } [Fact] public void GivenATaintedString_WhenCallingJoin_ResultIsTainted10() { AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:a:+-tainted-+:", - String.Join('a', new string[] { taintedValue, taintedValue }, 0, 2), - () => String.Join('a', new string[] { taintedValue, taintedValue }, 0, 2)); + System.String.Join('a', new string[] { taintedValue, taintedValue }, 0, 2), + () => System.String.Join('a', new string[] { taintedValue, taintedValue }, 0, 2)); } [Fact] public void GivenATaintedString_WhenCallingJoin_ResultIsTainted12() { AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:a:+-tainted-+:", - String.Join('a', new List { taintedValue, taintedValue }), - () => String.Join('a', new List { taintedValue, taintedValue })); + System.String.Join('a', new List { taintedValue, taintedValue }), + () => System.String.Join('a', new List { taintedValue, taintedValue })); } [Fact] public void GivenATaintedString_WhenCallingJoin_ResultIsTainted13() { AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:aa:+-tainted-+:", - String.Join('a', new List { taintedValue, null, taintedValue }), - () => String.Join('a', new List { taintedValue, null, taintedValue })); + System.String.Join('a', new List { taintedValue, null, taintedValue }), + () => System.String.Join('a', new List { taintedValue, null, taintedValue })); } [Fact] public void GivenATaintedString_WhenCallingJoin_ResultIsTainted14() { AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:a:+-tainted-+:", - String.Join('a', new List { taintedValue, taintedValue }), - () => String.Join('a', new List { taintedValue, taintedValue })); + System.String.Join('a', new List { taintedValue, taintedValue }), + () => System.String.Join('a', new List { taintedValue, taintedValue })); } [Fact] public void GivenATaintedString_WhenCallingJoin_ResultIsTainted15() { AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:aa:+-tainted-+:", - String.Join('a', new List { taintedValue, null, taintedValue }), - () => String.Join('a', new List { taintedValue, null, taintedValue })); + System.String.Join('a', new List { taintedValue, null, taintedValue }), + () => System.String.Join('a', new List { taintedValue, null, taintedValue })); } #endif @@ -360,8 +360,8 @@ public void GivenATaintedString_WhenCallingJoin_ResultIsTainted15() public void GivenATaintedString_WhenCallingJoin_ResultIsTainted16() { AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:a:+-tainted-+:", - String.Join("a", new string[] { taintedValue, taintedValue }, 0, 2), - () => String.Join("a", new string[] { taintedValue, taintedValue }, 0, 2)); + System.String.Join("a", new string[] { taintedValue, taintedValue }, 0, 2), + () => System.String.Join("a", new string[] { taintedValue, taintedValue }, 0, 2)); } [Fact] @@ -371,30 +371,30 @@ public void GivenSomeStrings_WhenJoin_ResultIsOk() string testString1 = (string) AddTainted("01"); string testString2 = (string) AddTainted("abc"); - AssertTaintedFormatWithOriginalCallCheck(":+-01-+:", String.Join("-", testString1), () => String.Join("-",testString1)); - AssertTaintedFormatWithOriginalCallCheck(":+-01-+:", String.Join(separator, testString1), () => String.Join(separator, testString1)); - AssertTaintedFormatWithOriginalCallCheck(":+-01-+:-:+-abc-+:", String.Join("-", testString1, testString2), () => String.Join("-", testString1, testString2)); + AssertTaintedFormatWithOriginalCallCheck(":+-01-+:", System.String.Join("-", testString1), () => System.String.Join("-",testString1)); + AssertTaintedFormatWithOriginalCallCheck(":+-01-+:", System.String.Join(separator, testString1), () => System.String.Join(separator, testString1)); + AssertTaintedFormatWithOriginalCallCheck(":+-01-+:-:+-abc-+:", System.String.Join("-", testString1, testString2), () => System.String.Join("-", testString1, testString2)); } [Fact] public void GivenStringJoinBasicWithBoth_WhenJoin_ResultIsOk() { string[] sArr = new string[] { TaintedString, UntaintedString }; - AssertTaintedFormatWithOriginalCallCheck(":+-TaintedString-+:|UntaintedString", String.Join("|", sArr), () => String.Join("|", sArr)); + AssertTaintedFormatWithOriginalCallCheck(":+-TaintedString-+:|UntaintedString", System.String.Join("|", sArr), () => System.String.Join("|", sArr)); } [Fact] public void GivenStringJoinBasicWithTwoTainted_WhenJoin_ResultIsOk() { string[] sArr = new string[] { TaintedString, UntaintedString, OtherTaintedString }; - AssertTaintedFormatWithOriginalCallCheck(":+-TaintedString-+:|UntaintedString|:+-OtherTaintedString-+:", String.Join("|", sArr), () => String.Join("|", sArr)); + AssertTaintedFormatWithOriginalCallCheck(":+-TaintedString-+:|UntaintedString|:+-OtherTaintedString-+:", System.String.Join("|", sArr), () => System.String.Join("|", sArr)); } [Fact] public void GivenStringJoinBasicWithTwoUntainted_WhenJoin_ResultIsOk() { string[] sArr = new string[] { UntaintedString, TaintedString, OtherUntaintedString }; - AssertTaintedFormatWithOriginalCallCheck("UntaintedString|:+-TaintedString-+:|OtherUntaintedString", String.Join("|", sArr), () => String.Join("|", sArr)); + AssertTaintedFormatWithOriginalCallCheck("UntaintedString|:+-TaintedString-+:|OtherUntaintedString", System.String.Join("|", sArr), () => System.String.Join("|", sArr)); } [Fact] @@ -402,29 +402,29 @@ public void GivenStringJoinBasicWithTwoTaintedAndTwoUntainted_WhenJoin_ResultIsO { string[] sArr = new string[] { TaintedString, UntaintedString, OtherTaintedString, OtherUntaintedString }; AssertTaintedFormatWithOriginalCallCheck(":+-TaintedString-+:|UntaintedString|:+-OtherTaintedString-+:|OtherUntaintedString", - String.Join("|", sArr), - () => String.Join("|", sArr)); + System.String.Join("|", sArr), + () => System.String.Join("|", sArr)); } [Fact] public void GivenStringJoinObjectWithBoth_WhenJoin_ResultIsOk() { object[] sArr = new object[] { TaintedObject, UntaintedObject }; - AssertTaintedFormatWithOriginalCallCheck(":+-TaintedObject-+:|UntaintedObject", String.Join("|", sArr), () => String.Join("|", sArr)); + AssertTaintedFormatWithOriginalCallCheck(":+-TaintedObject-+:|UntaintedObject", System.String.Join("|", sArr), () => System.String.Join("|", sArr)); } [Fact] public void GivenStringJoinObjectWithTwoTainted_WhenJoin_ResultIsOk() { object[] sArr = new object[] { TaintedObject, UntaintedObject, OtherTaintedObject }; - AssertTaintedFormatWithOriginalCallCheck(":+-TaintedObject-+:|UntaintedObject|:+-OtherTaintedObject-+:", String.Join("|", sArr), () => String.Join("|", sArr)); + AssertTaintedFormatWithOriginalCallCheck(":+-TaintedObject-+:|UntaintedObject|:+-OtherTaintedObject-+:", System.String.Join("|", sArr), () => System.String.Join("|", sArr)); } [Fact] public void GivenStringJoinObjectWithTwoUntainted_WhenJoin_ResultIsOk() { object[] sArr = new object[] { UntaintedObject, TaintedObject, OtherUntaintedObject }; - AssertTaintedFormatWithOriginalCallCheck("UntaintedObject|:+-TaintedObject-+:|OtherUntaintedObject", String.Join("|", sArr), () => String.Join("|", sArr)); + AssertTaintedFormatWithOriginalCallCheck("UntaintedObject|:+-TaintedObject-+:|OtherUntaintedObject", System.String.Join("|", sArr), () => System.String.Join("|", sArr)); } [Fact] @@ -432,8 +432,8 @@ public void GivenStringJoinObjectWithTwoTaintedAndTwoUntainted_WhenJoin_ResultIs { object[] sArr = new object[] { TaintedObject, UntaintedObject, OtherTaintedObject, OtherUntaintedObject }; AssertTaintedFormatWithOriginalCallCheck(":+-TaintedObject-+:|UntaintedObject|:+-OtherTaintedObject-+:|OtherUntaintedObject", - String.Join("|", sArr), - () => String.Join("|", sArr)); + System.String.Join("|", sArr), + () => System.String.Join("|", sArr)); } [Fact] @@ -441,8 +441,8 @@ public void GivenStringJoinIndexWithBoth_WhenJoin_ResultIsOk() { string[] sArr = new string[] { TaintedString, UntaintedString, OtherUntaintedString }; AssertTaintedFormatWithOriginalCallCheck(":+-TaintedString-+:|UntaintedString", - String.Join("|", sArr, 0, 2), - () => String.Join("|", sArr, 0, 2)); + System.String.Join("|", sArr, 0, 2), + () => System.String.Join("|", sArr, 0, 2)); } [Fact] @@ -450,8 +450,8 @@ public void GivenStringJoinIndexWithTwoTainted_WhenJoin_ResultIsOk() { string[] sArr = new string[] { TaintedString, UntaintedString, OtherTaintedString, OtherUntaintedString }; AssertTaintedFormatWithOriginalCallCheck(":+-TaintedString-+:|UntaintedString|:+-OtherTaintedString-+:", - String.Join("|", sArr, 0, 3), - () => String.Join("|", sArr, 0, 3)); + System.String.Join("|", sArr, 0, 3), + () => System.String.Join("|", sArr, 0, 3)); } [Fact] @@ -459,8 +459,8 @@ public void GivenStringJoinIndexWithTwoUntainted_WhenJoin_ResultIsOk() { string[] sArr = new string[] { UntaintedString, TaintedString, OtherUntaintedString, OtherUntaintedString }; AssertTaintedFormatWithOriginalCallCheck("UntaintedString|:+-TaintedString-+:|OtherUntaintedString", - String.Join("|", sArr, 0, 3), - () => String.Join("|", sArr, 0, 3)); + System.String.Join("|", sArr, 0, 3), + () => System.String.Join("|", sArr, 0, 3)); } [Fact] @@ -468,36 +468,36 @@ public void GivenStringJoinIndexWithTwoTaintedAndTwoUntainted_WhenJoin_ResultIsO { string[] sArr = new string[] { TaintedString, UntaintedString, OtherTaintedString, OtherUntaintedString, OtherUntaintedString }; AssertTaintedFormatWithOriginalCallCheck(":+-TaintedString-+:|UntaintedString|:+-OtherTaintedString-+:|OtherUntaintedString", - String.Join("|", sArr, 0, 4), - () => String.Join("|", sArr, 0, 4)); + System.String.Join("|", sArr, 0, 4), + () => System.String.Join("|", sArr, 0, 4)); } [Fact] public void GivenStringJoinIndexWithTwoTaintedAndTwoUntaintedChunk_WhenJoin_ResultIsOk() { string[] sArr = new string[] { TaintedString, UntaintedString, OtherTaintedString, OtherUntaintedString, OtherUntaintedString }; - AssertTaintedFormatWithOriginalCallCheck(":+-OtherTaintedString-+:|OtherUntaintedString", String.Join("|", sArr, 2, 2), () => String.Join("|", sArr, 2, 2)); + AssertTaintedFormatWithOriginalCallCheck(":+-OtherTaintedString-+:|OtherUntaintedString", System.String.Join("|", sArr, 2, 2), () => System.String.Join("|", sArr, 2, 2)); } [Fact] public void GivenStringJoinListWithBoth_WhenJoin_ResultIsOk() { List list = new List() { TaintedString, UntaintedString }; - AssertTaintedFormatWithOriginalCallCheck(":+-TaintedString-+:|UntaintedString", String.Join("|", list), () => String.Join("|", list)); + AssertTaintedFormatWithOriginalCallCheck(":+-TaintedString-+:|UntaintedString", System.String.Join("|", list), () => System.String.Join("|", list)); } [Fact] public void GivenStringJoinListWithTwoTainted_WhenJoin_ResultIsOk() { List list = new List() { TaintedString, UntaintedString, OtherTaintedString }; - AssertTaintedFormatWithOriginalCallCheck(":+-TaintedString-+:|UntaintedString|:+-OtherTaintedString-+:", String.Join("|", list), () => String.Join("|", list)); + AssertTaintedFormatWithOriginalCallCheck(":+-TaintedString-+:|UntaintedString|:+-OtherTaintedString-+:", System.String.Join("|", list), () => System.String.Join("|", list)); } [Fact] public void GivenStringJoinListWithTwoUntainted_WhenJoin_ResultIsOk() { List list = new List() { UntaintedString, TaintedString, OtherUntaintedString }; - AssertTaintedFormatWithOriginalCallCheck("UntaintedString|:+-TaintedString-+:|OtherUntaintedString", String.Join("|", list), () => String.Join("|", list)); + AssertTaintedFormatWithOriginalCallCheck("UntaintedString|:+-TaintedString-+:|OtherUntaintedString", System.String.Join("|", list), () => System.String.Join("|", list)); } [Fact] @@ -505,8 +505,8 @@ public void GivenStringJoinListWithTwoTaintedAndTwoUntainted_WhenJoin_ResultIsOk { List list = new List() { TaintedString, UntaintedString, OtherTaintedString, OtherUntaintedString }; AssertTaintedFormatWithOriginalCallCheck(":+-TaintedString-+:|UntaintedString|:+-OtherTaintedString-+:|OtherUntaintedString", - String.Join("|", list), - () => String.Join("|", list)); + System.String.Join("|", list), + () => System.String.Join("|", list)); } [Fact] diff --git a/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/String/StringMaxRangesTests.cs b/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Propagation/String/StringMaxRangesTests.cs similarity index 98% rename from tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/String/StringMaxRangesTests.cs rename to tracer/test/test-applications/integrations/Samples.InstrumentedTests/Propagation/String/StringMaxRangesTests.cs index c7b2f5b3d078..b6711874fc03 100644 --- a/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/String/StringMaxRangesTests.cs +++ b/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Propagation/String/StringMaxRangesTests.cs @@ -1,6 +1,6 @@ using Xunit; -namespace Samples.InstrumentedTests.Iast.Vulnerabilities.StringPropagation; +namespace Samples.InstrumentedTests.Iast.Propagation.String; public class StringMaxRangesTests : InstrumentationTestsBase { diff --git a/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/String/StringPadTests.cs b/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Propagation/String/StringPadTests.cs similarity index 80% rename from tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/String/StringPadTests.cs rename to tracer/test/test-applications/integrations/Samples.InstrumentedTests/Propagation/String/StringPadTests.cs index e61627551575..ec51dd86fcb6 100644 --- a/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/String/StringPadTests.cs +++ b/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Propagation/String/StringPadTests.cs @@ -2,7 +2,7 @@ using FluentAssertions; using Xunit; -namespace Samples.InstrumentedTests.Iast.Vulnerabilities.StringPropagation; +namespace Samples.InstrumentedTests.Iast.Propagation.String; public class StringPadTests : InstrumentationTestsBase { @@ -33,8 +33,8 @@ public void GivenATaintedObject_WhenCallingPadLeft_ResultIsTainted2() public void GivenATaintedObject_WhenCallingPadLeft_ResultIsTainted3() { AssertTaintedFormatWithOriginalCallCheck(" :+-TaintedString-+:UntaintedString", - String.Concat(TaintedString, UntaintedString).PadLeft(32) - , () => String.Concat(TaintedString, UntaintedString).PadLeft(32)); + System.String.Concat(TaintedString, UntaintedString).PadLeft(32) + , () => System.String.Concat(TaintedString, UntaintedString).PadLeft(32)); } [Fact] @@ -47,16 +47,16 @@ public void GivenATaintedObject_WhenCallingPadLeft_ResultIsTainted4() public void GivenATaintedObject_WhenCallingPadLeft_ResultIsTainted5() { AssertTaintedFormatWithOriginalCallCheck("****:+-TaintedString-+:UntaintedString", - String.Concat(TaintedString, UntaintedString).PadLeft(32, '*'), - () => String.Concat(TaintedString, UntaintedString).PadLeft(32, '*')); + System.String.Concat(TaintedString, UntaintedString).PadLeft(32, '*'), + () => System.String.Concat(TaintedString, UntaintedString).PadLeft(32, '*')); } [Fact] public void GivenATaintedObject_WhenCallingPadLeft_ResultIsTainted6() { AssertTaintedFormatWithOriginalCallCheck(":+-TaintedString-+:UntaintedString", - String.Concat(TaintedString, UntaintedString).PadLeft(2, '*'), - () => String.Concat(TaintedString, UntaintedString).PadLeft(2, '*')); + System.String.Concat(TaintedString, UntaintedString).PadLeft(2, '*'), + () => System.String.Concat(TaintedString, UntaintedString).PadLeft(2, '*')); } [Fact] @@ -94,8 +94,8 @@ public void GivenATaintedObject_WhenCallingPadRight_ResultIsTainted2() public void GivenATaintedObject_WhenCallingPadRight_ResultIsTainted3() { AssertTaintedFormatWithOriginalCallCheck(":+-TaintedString-+:UntaintedString ", - String.Concat(TaintedString, UntaintedString).PadRight(32), - () => String.Concat(TaintedString, UntaintedString).PadRight(32)); + System.String.Concat(TaintedString, UntaintedString).PadRight(32), + () => System.String.Concat(TaintedString, UntaintedString).PadRight(32)); } [Fact] @@ -108,8 +108,8 @@ public void GivenATaintedObject_WhenCallingPadRight_ResultIsTainted4() public void GivenATaintedObject_WhenCallingPadRight_ResultIsTainted5() { AssertTaintedFormatWithOriginalCallCheck(":+-TaintedString-+:UntaintedString****", - String.Concat(TaintedString, UntaintedString).PadRight(32, '*'), - () => String.Concat(TaintedString, UntaintedString).PadRight(32, '*')); + System.String.Concat(TaintedString, UntaintedString).PadRight(32, '*'), + () => System.String.Concat(TaintedString, UntaintedString).PadRight(32, '*')); } [Fact] @@ -129,8 +129,8 @@ public void GivenATaintedObject_WhenCallingPadRight_ResultIsTainted7() public void GivenATaintedObject_WhenCallingPadRight_ResultIsTainted8() { AssertTaintedFormatWithOriginalCallCheck(":+-TaintedString-+:UntaintedString", - String.Concat(TaintedString, UntaintedString).PadRight(2, '*'), - () => String.Concat(TaintedString, UntaintedString).PadRight(2, '*')); + System.String.Concat(TaintedString, UntaintedString).PadRight(2, '*'), + () => System.String.Concat(TaintedString, UntaintedString).PadRight(2, '*')); } [Fact] diff --git a/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/String/StringRemoveTests.cs b/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Propagation/String/StringRemoveTests.cs similarity index 80% rename from tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/String/StringRemoveTests.cs rename to tracer/test/test-applications/integrations/Samples.InstrumentedTests/Propagation/String/StringRemoveTests.cs index a8e0c345a04f..a9533b919578 100644 --- a/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/String/StringRemoveTests.cs +++ b/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Propagation/String/StringRemoveTests.cs @@ -2,7 +2,7 @@ using FluentAssertions; using Xunit; -namespace Samples.InstrumentedTests.Iast.Vulnerabilities.StringPropagation; +namespace Samples.InstrumentedTests.Iast.Propagation.String; public class StringRemoveTests : InstrumentationTestsBase { protected string TaintedString = "TaintedString"; @@ -44,7 +44,7 @@ public void GivenATaintedString_WhenRemove_ResultIsOk1() [Fact] public void GivenATaintedString_WhenRemove_ResultIsOk2() { - string str = String.Concat(TaintedString, UntaintedString); + string str = System.String.Concat(TaintedString, UntaintedString); AssertTaintedFormatWithOriginalCallCheck(":+-TaintedString-+:Untainted", str.Remove(22), () => str.Remove(22)); } @@ -57,21 +57,21 @@ public void GivenATaintedString_WhenRemove_ResultIsOk3() [Fact] public void GivenATaintedString_WhenRemove_ResultIsOk4() { - string str = String.Concat(TaintedString, UntaintedString); + string str = System.String.Concat(TaintedString, UntaintedString); AssertTaintedFormatWithOriginalCallCheck(":+-Tainted-+:UntaintedString", str.Remove(7, 6), () => str.Remove(7, 6)); } [Fact] public void GivenATaintedString_WhenRemove_ResultIsOk5() { - string str = String.Concat(TaintedString, UntaintedString, OtherTaintedString); + string str = System.String.Concat(TaintedString, UntaintedString, OtherTaintedString); AssertTaintedFormatWithOriginalCallCheck(":+-Tainted-+:String:+-OtherTaintedString-+:", str.Remove(7, 15), () => str.Remove(7, 15)); } [Fact] public void GivenATaintedString_WhenRemove_ResultIsOk6() { - string str = String.Concat(TaintedString, UntaintedString, OtherTaintedString); + string str = System.String.Concat(TaintedString, UntaintedString, OtherTaintedString); AssertTaintedFormatWithOriginalCallCheck(":+-TaintedString-+:Untainted:+-TaintedString-+:", str.Remove(22, 11), () => str.Remove(22, 11)); } @@ -102,98 +102,98 @@ public void GivenATaintedString_WhenRemove_ResultIsOk11() [Fact] public void GivenATaintedString_WhenRemove_ResultIsOk12() { - string str = String.Concat(TaintedString, UntaintedString, OtherTaintedString); + string str = System.String.Concat(TaintedString, UntaintedString, OtherTaintedString); AssertTaintedFormatWithOriginalCallCheck(":+-TaindString-+:UntaintedString:+-OtherTaintedString-+:", str.Remove(4, 2), () => str.Remove(4, 2)); } [Fact] public void GivenATaintedString_WhenRemove_ResultIsOk13() { - string str = String.Concat(TaintedString, UntaintedString, OtherTaintedString); + string str = System.String.Concat(TaintedString, UntaintedString, OtherTaintedString); AssertTaintedFormatWithOriginalCallCheck(":+-Tain-+:aintedString:+-OtherTaintedString-+:", str.Remove(4, 12), () => str.Remove(4, 12)); } [Fact] public void GivenATaintedString_WhenRemove_ResultIsOk13_2() { - string str = String.Concat(TaintedString, UntaintedString, OtherTaintedString); + string str = System.String.Concat(TaintedString, UntaintedString, OtherTaintedString); AssertTaintedFormatWithOriginalCallCheck(":+-Tain-+:UntaintedString:+-OtherTaintedString-+:", str.Remove(4, 9), () => str.Remove(4, 9)); } [Fact] public void GivenATaintedString_WhenRemove_ResultIsOk14() { - string str = String.Concat(TaintedString, UntaintedString, OtherTaintedString); + string str = System.String.Concat(TaintedString, UntaintedString, OtherTaintedString); AssertTaintedFormatWithOriginalCallCheck(":+-TaintedString-+:taintedString:+-OtherTaintedString-+:", str.Remove(13, 2), () => str.Remove(13, 2)); } [Fact] public void GivenATaintedString_WhenRemove_ResultIsOk15() { - string str = String.Concat(TaintedString, UntaintedString, OtherTaintedString); + string str = System.String.Concat(TaintedString, UntaintedString, OtherTaintedString); AssertTaintedFormatWithOriginalCallCheck(":+-TaintedString-+::+-OtherTaintedString-+:", str.Remove(13, 15), () => str.Remove(13, 15)); } [Fact] public void GivenATaintedString_WhenRemove_ResultIsOk16() { - string str = String.Concat(TaintedString, UntaintedString, OtherTaintedString); + string str = System.String.Concat(TaintedString, UntaintedString, OtherTaintedString); AssertTaintedFormatWithOriginalCallCheck(":+-TaintedString-+::+-TaintedString-+:", str.Remove(13, 20), () => str.Remove(13, 20)); } [Fact] public void GivenATaintedString_WhenRemove_ResultIsOk17() { - string str = String.Concat(TaintedString, UntaintedString, OtherTaintedString); + string str = System.String.Concat(TaintedString, UntaintedString, OtherTaintedString); AssertTaintedFormatWithOriginalCallCheck(":+-TaintedString-+:U:+-aintedString-+:", str.Remove(14, 20), () => str.Remove(14, 20)); } [Fact] public void GivenATaintedString_WhenRemove_ResultIsOk18() { - string str = String.Concat(TaintedString, UntaintedString, OtherTaintedString); + string str = System.String.Concat(TaintedString, UntaintedString, OtherTaintedString); AssertTaintedFormatWithOriginalCallCheck(":+-TaintedString-+:U:+-OtherTaintedString-+:", str.Remove(14, 14), () => str.Remove(14, 14)); } [Fact] public void GivenATaintedString_WhenRemove_ResultIsOk19() { - string str = String.Concat(TaintedString, UntaintedString, OtherTaintedString); + string str = System.String.Concat(TaintedString, UntaintedString, OtherTaintedString); AssertTaintedFormatWithOriginalCallCheck(":+-TaintedString-+:UaintedString:+-OtherTaintedString-+:", str.Remove(14, 2), () => str.Remove(14, 2)); } [Fact] public void GivenATaintedString_WhenRemove_ResultIsOk20() { - string str = String.Concat(TaintedString, UntaintedString, OtherTaintedString); + string str = System.String.Concat(TaintedString, UntaintedString, OtherTaintedString); AssertTaintedFormatWithOriginalCallCheck(":+-TaintedString-+:UntaintedString:+-herTaintedString-+:", str.Remove(28, 2), () => str.Remove(28, 2)); } [Fact] public void GivenATaintedString_WhenRemove_ResultIsOk21() { - string str = String.Concat(TaintedString, UntaintedString, OtherTaintedString); + string str = System.String.Concat(TaintedString, UntaintedString, OtherTaintedString); AssertTaintedFormatWithOriginalCallCheck(":+-TaintedString-+:UntaintedString", str.Remove(28, 18), () => str.Remove(28, 18)); } [Fact] public void GivenATaintedString_WhenRemove_ResultIsOk22() { - string str = String.Concat(TaintedString, UntaintedString, OtherTaintedString); + string str = System.String.Concat(TaintedString, UntaintedString, OtherTaintedString); AssertTaintedFormatWithOriginalCallCheck(":+-TaintedString-+:UntaintedString:+-OtrTaintedString-+:", str.Remove(30, 2), () => str.Remove(30, 2)); } [Fact] public void GivenATaintedString_WhenRemove_ResultIsOk23() { - string str = String.Concat(TaintedString, UntaintedString, OtherTaintedString); + string str = System.String.Concat(TaintedString, UntaintedString, OtherTaintedString); AssertTaintedFormatWithOriginalCallCheck(":+-TaintedString-+:UntaintedString:+-Ottring-+:", str.Remove(30, 11), () => str.Remove(30, 11)); } [Fact] public void GivenATaintedString_WhenRemove_ResultIsOk24() { - string str = String.Concat(TaintedString, UntaintedString, OtherTaintedString); + string str = System.String.Concat(TaintedString, UntaintedString, OtherTaintedString); AssertTaintedFormatWithOriginalCallCheck(":+-Tai-+::+-TaintedString-+:", str.Remove(3, 30), () => str.Remove(3, 30)); } @@ -206,21 +206,21 @@ public void GivenATaintedString_WhenRemove_ResultIsOk25() [Fact] public void GivenATaintedString_WhenRemove_ResultIsOk26() { - string str = String.Concat(TaintedString, UntaintedString, OtherTaintedString); + string str = System.String.Concat(TaintedString, UntaintedString, OtherTaintedString); AssertTaintedFormatWithOriginalCallCheck(":+-Ta-+:", str.Remove(2), () => str.Remove(2)); } [Fact] public void GivenATaintedString_WhenRemove_ResultIsOk27() { - string str = String.Concat(TaintedString, UntaintedString, OtherTaintedString); + string str = System.String.Concat(TaintedString, UntaintedString, OtherTaintedString); AssertTaintedFormatWithOriginalCallCheck(":+-TaintedString-+:Un", str.Remove(15), () => str.Remove(15)); } [Fact] public void GivenATaintedString_WhenRemove_ResultIsOk28() { - string str = String.Concat(TaintedString, UntaintedString, OtherTaintedString); + string str = System.String.Concat(TaintedString, UntaintedString, OtherTaintedString); AssertTaintedFormatWithOriginalCallCheck(":+-TaintedString-+:UntaintedString:+-Ot-+:", str.Remove(30), () => str.Remove(30)); } diff --git a/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/String/StringReplaceTests.cs b/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Propagation/String/StringReplaceTests.cs similarity index 90% rename from tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/String/StringReplaceTests.cs rename to tracer/test/test-applications/integrations/Samples.InstrumentedTests/Propagation/String/StringReplaceTests.cs index 367d98835e38..047b7dad5d56 100644 --- a/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/String/StringReplaceTests.cs +++ b/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Propagation/String/StringReplaceTests.cs @@ -2,7 +2,7 @@ using System.Globalization; using Xunit; -namespace Samples.InstrumentedTests.Iast.Vulnerabilities.StringPropagation; +namespace Samples.InstrumentedTests.Iast.Propagation.String; public class StringReplaceTests : InstrumentationTestsBase { private string _taintedString = "TaintedString"; @@ -95,8 +95,8 @@ public void GivenAString_WhenCallingReplace_ResultIsOk9() public void GivenAString_WhenCallingReplace_ResultIsOk10() { AssertUntaintedWithOriginalCallCheck( - () => _taintedValue.Replace(String.Empty, "w"), - () => _taintedValue.Replace(String.Empty, "w")); + () => _taintedValue.Replace(System.String.Empty, "w"), + () => _taintedValue.Replace(System.String.Empty, "w")); } [Fact] @@ -148,7 +148,7 @@ public void GivenATaintedObject_WhenCallingReplaceWith2Parameters_ResultIsTainte [Fact] public void GivenATaintedObject_WhenCallingReplaceWith2Parameters_ResultIsTainted20() { - string str = String.Concat(_taintedString, " joining ", _otherTaintedString); + string str = System.String.Concat(_taintedString, " joining ", _otherTaintedString); AssertTaintedFormatWithOriginalCallCheck( ":+-TaintedLarge joining OtherTaintedLarge-+:", str.Replace("String", "Large"), @@ -158,7 +158,7 @@ public void GivenATaintedObject_WhenCallingReplaceWith2Parameters_ResultIsTainte [Fact] public void GivenATaintedObject_WhenCallingReplaceWith2Parameters_ResultIsTainted19() { - string str = String.Concat(_taintedString, " joining ", _otherTaintedString, " and ", _largeTaintedString); + string str = System.String.Concat(_taintedString, " joining ", _otherTaintedString, " and ", _largeTaintedString); AssertTaintedFormatWithOriginalCallCheck( ":+-TaintedSmall joining OtherTaintedSmall and LargeTaintedSmall-+:", str.Replace("String", "Small"), @@ -177,7 +177,7 @@ public void GivenATaintedObject_WhenCallingReplaceWith2Parameters_ResultIsTainte [Fact] public void GivenATaintedObject_WhenCallingReplaceWith2Parameters_ResultIsTainte17() { - string str = String.Concat(_otherTaintedString, " joining ", _otherTaintedString); + string str = System.String.Concat(_otherTaintedString, " joining ", _otherTaintedString); AssertTaintedFormatWithOriginalCallCheck( ":+-OtherLargeString joining OtherLargeString-+:", str.Replace(_taintedString, _largeString), @@ -187,7 +187,7 @@ public void GivenATaintedObject_WhenCallingReplaceWith2Parameters_ResultIsTainte [Fact] public void GivenATaintedObject_WhenCallingReplaceWith2Parameters_ResultIsTainted16() { - string str = String.Concat(_taintedString, " joining ", _otherTaintedString); + string str = System.String.Concat(_taintedString, " joining ", _otherTaintedString); AssertTaintedFormatWithOriginalCallCheck( ":+-LargeString joining OtherLargeString-+:", str.Replace(_taintedString, _largeString), @@ -197,7 +197,7 @@ public void GivenATaintedObject_WhenCallingReplaceWith2Parameters_ResultIsTainte [Fact] public void GivenATaintedObject_WhenCallingReplaceWith2Parameters_ResultIsTainted15() { - string str = String.Concat(_otherTaintedString, " joining ", _otherTaintedString, " and ", _largeTaintedString); + string str = System.String.Concat(_otherTaintedString, " joining ", _otherTaintedString, " and ", _largeTaintedString); AssertTaintedFormatWithOriginalCallCheck( ":+-OtherLargeString joining OtherLargeString and LargeLargeString-+:", str.Replace(_taintedString, _largeString), @@ -216,7 +216,7 @@ public void GivenATaintedObject_WhenCallingReplaceWith2Parameters_ResultIsTainte [Fact] public void GivenATaintedObject_WhenCallingReplaceWith2Parameters_ResultIsTainted13() { - string str = String.Concat(_taintedString, " joining ", _otherTaintedString); + string str = System.String.Concat(_taintedString, " joining ", _otherTaintedString); AssertTaintedFormatWithOriginalCallCheck( ":+-XaintedString joining OtherXaintedString-+:", str.Replace("T", "X"), @@ -226,7 +226,7 @@ public void GivenATaintedObject_WhenCallingReplaceWith2Parameters_ResultIsTainte [Fact] public void GivenATaintedObject_WhenCallingReplaceWith2Parameters_ResultIsTainted12() { - string str = String.Concat(_taintedString, " joining ", _otherTaintedString); + string str = System.String.Concat(_taintedString, " joining ", _otherTaintedString); AssertTaintedFormatWithOriginalCallCheck( ":+-TaintedXtring joining OtherTaintedXtring-+:", str.Replace("S", "X"), @@ -236,7 +236,7 @@ public void GivenATaintedObject_WhenCallingReplaceWith2Parameters_ResultIsTainte [Fact] public void GivenATaintedObject_WhenCallingReplaceWith2Parameters_ResultIsTainted11() { - string str = String.Concat(_taintedString, " joining ", _otherTaintedString); + string str = System.String.Concat(_taintedString, " joining ", _otherTaintedString); AssertTaintedFormatWithOriginalCallCheck( ":+-TaintedStrinX joininX OtherTaintedStrinX-+:", str.Replace("g", "X"), @@ -246,7 +246,7 @@ public void GivenATaintedObject_WhenCallingReplaceWith2Parameters_ResultIsTainte [Fact] public void GivenATaintedObject_WhenCallingReplaceWith2Parameters_ResultIsTainted410() { - string str = String.Concat(_taintedString, " joining ", _otherTaintedString, " and ", _largeTaintedString); + string str = System.String.Concat(_taintedString, " joining ", _otherTaintedString, " and ", _largeTaintedString); AssertTaintedFormatWithOriginalCallCheck( ":+-TaintedXtring joining OtherTaintedXtring and LargeTaintedXtring-+:", str.Replace("S", "X"), @@ -282,7 +282,7 @@ public void GivenATaintedObject_WhenCallingReplaceWith2Parameters_ResultIsTainte [Fact] public void GivenATaintedObject_WhenCallingReplaceWith2Parameters_ResultIsTainted6() { - string str = String.Concat("-", "Payload", "-", _otherTaintedString, "end"); + string str = System.String.Concat("-", "Payload", "-", _otherTaintedString, "end"); // if no replacement is done, string remains inmutable AssertTaintedFormatWithOriginalCallCheck("-Payload-:+-OtherTaintedString-+:end", str.Replace(@"-Payload-([A-Za-z0-9\-]+)\end", _untaintedString), @@ -292,7 +292,7 @@ public void GivenATaintedObject_WhenCallingReplaceWith2Parameters_ResultIsTainte [Fact] public void GivenATaintedObject_WhenCallingReplaceWith2Parameters_ResultIsTainted5() { - string str = String.Concat(_taintedString, " joining ", _otherTaintedString, " and ", _largeTaintedString); + string str = System.String.Concat(_taintedString, " joining ", _otherTaintedString, " and ", _largeTaintedString); // if no replacement is done, string remains inmutable AssertTaintedFormatWithOriginalCallCheck( ":+-TaintedString-+: joining :+-OtherTaintedString-+: and :+-LargeTaintedString-+:", @@ -303,7 +303,7 @@ public void GivenATaintedObject_WhenCallingReplaceWith2Parameters_ResultIsTainte [Fact] public void GivenATaintedObject_WhenCallingReplaceWith2Parameters_ResultIsTainted4() { - string str = String.Concat(_taintedString, " joining ", _otherTaintedString, " and ", _largeTaintedString); + string str = System.String.Concat(_taintedString, " joining ", _otherTaintedString, " and ", _largeTaintedString); // if no replacement is done, string remains inmutable AssertTaintedFormatWithOriginalCallCheck( ":+-TaintedString-+: joining :+-OtherTaintedString-+: and :+-LargeTaintedString-+:", @@ -314,7 +314,7 @@ public void GivenATaintedObject_WhenCallingReplaceWith2Parameters_ResultIsTainte [Fact] public void GivenATaintedObject_WhenCallingReplaceWith2Parameters_ResultIsTainted() { - string str = String.Concat("dummy", _taintedString); + string str = System.String.Concat("dummy", _taintedString); AssertTaintedFormatWithOriginalCallCheck( ":+-duOtherTaintedStringTaintedString-+:", str.Replace("mmy", _otherTaintedString), diff --git a/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/String/StringSplitTests.cs b/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Propagation/String/StringSplitTests.cs similarity index 95% rename from tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/String/StringSplitTests.cs rename to tracer/test/test-applications/integrations/Samples.InstrumentedTests/Propagation/String/StringSplitTests.cs index 0667c8c2ebf5..2af0f759a48b 100644 --- a/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/String/StringSplitTests.cs +++ b/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Propagation/String/StringSplitTests.cs @@ -1,7 +1,7 @@ using System; using Xunit; -namespace Samples.InstrumentedTests.Iast.Vulnerabilities.StringPropagation; +namespace Samples.InstrumentedTests.Iast.Propagation.String; public class StringSplitTests : InstrumentationTestsBase { private string _taintedSeparator = "i"; @@ -84,7 +84,7 @@ public void GivenATaintedObject_WhenCallingSplitWithWrongLimit_ArgumentOutOfRang [Fact] public void GivenATaintedObject_WhenCallingSplitWithCharAndIndex_ResultIsTainted3() { - var str = String.Concat(_taintedString, "|", _untaintedString); + var str = System.String.Concat(_taintedString, "|", _untaintedString); var expected = new string[] { _taintedString, _untaintedString }; AssertEqual(expected, str.Split(new char[] { '|' }, 2)); @@ -93,7 +93,7 @@ public void GivenATaintedObject_WhenCallingSplitWithCharAndIndex_ResultIsTainted [Fact] public void GivenATaintedObject_WhenCallingSplitWithCharAndIndex_ResultIsTainted4() { - var str = String.Concat(_taintedString, "|", _untaintedString, "|", _otherTaintedString, "|", _otherUntaintedString); + var str = System.String.Concat(_taintedString, "|", _untaintedString, "|", _otherTaintedString, "|", _otherUntaintedString); var expected = new string[] { _taintedString, _untaintedString, _otherTaintedString + "|" + _otherUntaintedString }; var result = str.Split(new char[] { '|' }, 3); @@ -151,7 +151,7 @@ public void GivenATaintedObject_WhenCallingSplitWithCharArrayAndOptions_ResultIs [Fact] public void GivenATaintedObject_WhenCallingSplitWithCharArrayAndOptions_ResultIsTainted2() { - var str = String.Concat(_taintedString, "|", _untaintedString); + var str = System.String.Concat(_taintedString, "|", _untaintedString); var expected = new string[] { _taintedString, _untaintedString }; var result = str.Split(new char[] { '|' }, StringSplitOptions.RemoveEmptyEntries); @@ -172,7 +172,7 @@ public void GivenATaintedObject_WhenCallingSplitWithCharArrayAndOptions_ResultIs [Fact] public void GivenATaintedObject_WhenCallingSplitWithCharArrayAndOptions_ResultIsTainted4() { - var str = String.Concat(_taintedString, "|", _untaintedString, "|", _otherTaintedString, "|", _otherUntaintedString); + var str = System.String.Concat(_taintedString, "|", _untaintedString, "|", _otherTaintedString, "|", _otherUntaintedString); var expected = new string[] { _taintedString, _untaintedString, _otherTaintedString, _otherUntaintedString }; AssertEqual(expected, str.Split(new char[] { '|' }, StringSplitOptions.RemoveEmptyEntries)); @@ -226,7 +226,7 @@ public void GivenATaintedObject_WhenCallingSplitWithCharAndOptions_ResultIsTaint [Fact] public void GivenATaintedObject_WhenCallingSplitWithCharArrayCountAndOptions_ResultIsTainted() { - var str = String.Concat(_taintedString, "|", _untaintedString); + var str = System.String.Concat(_taintedString, "|", _untaintedString); var expected = new string[] { _taintedString, _untaintedString }; var results = str.Split(new char[] { '|' }, 2, StringSplitOptions.RemoveEmptyEntries); AssertEqual(expected, results); @@ -236,7 +236,7 @@ public void GivenATaintedObject_WhenCallingSplitWithCharArrayCountAndOptions_Res [Fact] public void GivenATaintedObject_WhenCallingSplitWithCharArrayCountAndOptions_ResultIsTainted2() { - var str = String.Concat(_taintedString, "|", _untaintedString, "|", _otherTaintedString, "|", _otherUntaintedString); + var str = System.String.Concat(_taintedString, "|", _untaintedString, "|", _otherTaintedString, "|", _otherUntaintedString); var expected = new string[] { _taintedString, _untaintedString, _otherTaintedString + "|" + _otherUntaintedString }; var results = str.Split(new char[] { '|' }, 3, StringSplitOptions.RemoveEmptyEntries); AssertEqual(expected, results); @@ -413,7 +413,7 @@ public void GivenATaintedObject_WhenCallingSplitWithStringCountOptions_ResultIsN public void GivenATaintedObject_WhenCallingSplitWithCharAndOptions_ResultIsTainted() { - var str = String.Concat(_taintedString, "|", _untaintedString); + var str = System.String.Concat(_taintedString, "|", _untaintedString); var expected = new string[] { _taintedString, _untaintedString }; AssertEqual(expected, str.Split('|')); @@ -432,7 +432,7 @@ public void GivenATaintedObject_WhenCallingSplitWithCharAndOptions_ResultIsTaint [Fact] public void GivenATaintedObject_WhenCallingSplitWithCharAndOptions_ResultIsTainted3() { - var str = String.Concat(_taintedString, "|", _untaintedString, "|", _otherTaintedString, "|", _otherUntaintedString); + var str = System.String.Concat(_taintedString, "|", _untaintedString, "|", _otherTaintedString, "|", _otherUntaintedString); var expected = new string[] { _taintedString, _untaintedString, _otherTaintedString, _otherUntaintedString }; AssertEqual(expected, str.Split('|')); diff --git a/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/String/StringSubstringTests.cs b/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Propagation/String/StringSubstringTests.cs similarity index 90% rename from tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/String/StringSubstringTests.cs rename to tracer/test/test-applications/integrations/Samples.InstrumentedTests/Propagation/String/StringSubstringTests.cs index 5189893b3a15..42a67c962b5a 100644 --- a/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/String/StringSubstringTests.cs +++ b/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Propagation/String/StringSubstringTests.cs @@ -2,7 +2,7 @@ using FluentAssertions; using Xunit; -namespace Samples.InstrumentedTests.Iast.Vulnerabilities.StringPropagation; +namespace Samples.InstrumentedTests.Iast.Propagation.String; public class StringSubstringTests : InstrumentationTestsBase { @@ -77,42 +77,42 @@ public void GivenATaintedString_WhenSubstringIndexWithTainted_ThenResultIsTainte [Fact] public void GivenATaintedString_WhenSubstringIndexWithBoth_ThenResultIsTainted() { - string str = String.Concat(TaintedString, UntaintedString); + string str = System.String.Concat(TaintedString, UntaintedString); AssertTaintedFormatWithOriginalCallCheck(":+-intedString-+:UntaintedString", str.Substring(2), () => str.Substring(2)); } [Fact] public void GivenATaintedString_WhenSubstringIndexWithBoth_ThenResultIsTainted2() { - string str = String.Concat(TaintedString, UntaintedString); + string str = System.String.Concat(TaintedString, UntaintedString); AssertTaintedFormatWithOriginalCallCheck(":+-intedString-+:Un", str.Substring(2, 13), () => str.Substring(2, 13)); } [Fact] public void GivenATaintedString_WhenSubstringIndexWithBothInverse_ThenResultIsTainted() { - string str = String.Concat(UntaintedString, TaintedString); + string str = System.String.Concat(UntaintedString, TaintedString); AssertTaintedFormatWithOriginalCallCheck(":+-intedString-+:", str.Substring(17), () => str.Substring(17)); } [Fact] public void GivenATaintedString_WhenSubstringIndexWithTwoTainted_ThenResultIsTainted() { - string str = String.Concat(String.Concat(TaintedString, UntaintedString), TaintedString); + string str = System.String.Concat(System.String.Concat(TaintedString, UntaintedString), TaintedString); AssertTaintedFormatWithOriginalCallCheck(":+-intedString-+:UntaintedString:+-TaintedString-+:", str.Substring(2), () => str.Substring(2)); } [Fact] public void GivenATaintedString_WhenSubstringIndexWithTwoTaintedTwoUntainted_ThenResultIsTainted() { - string str = String.Concat(TaintedString, UntaintedString, OtherTaintedString, OtherUntaintedString); + string str = System.String.Concat(TaintedString, UntaintedString, OtherTaintedString, OtherUntaintedString); AssertTaintedFormatWithOriginalCallCheck(":+-String-+:UntaintedString:+-OtherTaintedString-+:OtherUntaintedString", str.Substring(7), () => str.Substring(7)); } [Fact] public void GivenATaintedString_WhenSubstringIndexTaintedBaseOutOfRange_ThenResultIsNotTainted() { - string str = String.Concat(TaintedString, UntaintedString); + string str = System.String.Concat(TaintedString, UntaintedString); string newString = str.Substring(13); Assert.Equal("UntaintedString", newString); diff --git a/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/String/StringToCharArrayTests.cs b/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Propagation/String/StringToCharArrayTests.cs similarity index 95% rename from tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/String/StringToCharArrayTests.cs rename to tracer/test/test-applications/integrations/Samples.InstrumentedTests/Propagation/String/StringToCharArrayTests.cs index ed0935b3c35e..140ab1a21e16 100644 --- a/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/String/StringToCharArrayTests.cs +++ b/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Propagation/String/StringToCharArrayTests.cs @@ -3,7 +3,7 @@ using FluentAssertions; using Xunit; -namespace Samples.InstrumentedTests.Iast.Vulnerabilities.StringPropagation; +namespace Samples.InstrumentedTests.Iast.Propagation.String; public class StringToCharArrayTests : InstrumentationTestsBase { protected string taintedValue = "tainted"; diff --git a/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/String/StringTrimTests.cs b/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Propagation/String/StringTrimTests.cs similarity index 94% rename from tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/String/StringTrimTests.cs rename to tracer/test/test-applications/integrations/Samples.InstrumentedTests/Propagation/String/StringTrimTests.cs index e90670624f5b..0a3c9a766249 100644 --- a/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/String/StringTrimTests.cs +++ b/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Propagation/String/StringTrimTests.cs @@ -3,7 +3,7 @@ using FluentAssertions; using Xunit; -namespace Samples.InstrumentedTests.Iast.Vulnerabilities.StringPropagation; +namespace Samples.InstrumentedTests.Iast.Propagation.String; public class StringTrimTests : InstrumentationTestsBase { protected string taintedValue = "tainted"; @@ -37,19 +37,19 @@ public void GivenATaintedString_WhenCallingTrim_ResultIsTainted() [Fact] public void GivenATaintedString_WhenCallingTrim_ResultIsTainted2() { - AssertTaintedFormatWithOriginalCallCheck(":+-TaintedString-+:", String.Concat(TaintedString, " ").Trim(), () => String.Concat(TaintedString, " ").Trim()); + AssertTaintedFormatWithOriginalCallCheck(":+-TaintedString-+:", System.String.Concat(TaintedString, " ").Trim(), () => System.String.Concat(TaintedString, " ").Trim()); } [Fact] public void GivenATaintedString_WhenCallingTrim_ResultIsTainted4() { - AssertTaintedFormatWithOriginalCallCheck(":+-TaintedString-+:", String.Concat(TaintedString, "\t\n\r").Trim(), () => String.Concat(TaintedString, "\t\n\r").Trim()); + AssertTaintedFormatWithOriginalCallCheck(":+-TaintedString-+:", System.String.Concat(TaintedString, "\t\n\r").Trim(), () => System.String.Concat(TaintedString, "\t\n\r").Trim()); } [Fact] public void GivenATaintedString_WhenCallingTrim_ResultIsTainted3() { - AssertTaintedFormatWithOriginalCallCheck(":+-TaintedString-+:", String.Concat(" ", TaintedString).Trim(), () => String.Concat(" ", TaintedString).Trim()); + AssertTaintedFormatWithOriginalCallCheck(":+-TaintedString-+:", System.String.Concat(" ", TaintedString).Trim(), () => System.String.Concat(" ", TaintedString).Trim()); } [Fact] @@ -101,7 +101,7 @@ public void GivenATaintedObject_WhenCallingTrimWithCharArrayParam_ResultIsTainte [Fact] public void GivenATaintedObject_WhenCallingTrimWithCharArrayParam_ResultIsTainted5() { - AssertUntaintedWithOriginalCallCheck(String.Empty, + AssertUntaintedWithOriginalCallCheck(System.String.Empty, taintedValue.Trim(new char[] { 't', 'a', 'i', 'n', 'e', 'd' }), () => taintedValue.Trim(new char[] { 't', 'a', 'i', 'n', 'e', 'd' })); } @@ -161,7 +161,7 @@ public void GivenATaintedObject_WhenCallingTrimStartCharArray_ResultIsTainted5() [Fact] public void GivenATaintedObject_WhenCallingTrimStartWithCharArrayParam_ResultIsTainted6() { - AssertUntaintedWithOriginalCallCheck(String.Empty, + AssertUntaintedWithOriginalCallCheck(System.String.Empty, taintedValue.TrimStart(new char[] { 't', 'a', 'i', 'n', 'e', 'd' }), () => taintedValue.TrimStart(new char[] { 't', 'a', 'i', 'n', 'e', 'd' })); } @@ -193,7 +193,7 @@ public void GivenATaintedObject_WhenCallingTrimStartNoParameters_ResultIsTainted [Fact] public void GivenATaintedObject_WhenCallingTrimEndWithCharArrayParam_ResultIsTainted5() { - AssertUntaintedWithOriginalCallCheck(String.Empty, + AssertUntaintedWithOriginalCallCheck(System.String.Empty, taintedValue.TrimEnd(new char[] { 't', 'a', 'i', 'n', 'e', 'd' }), () => taintedValue.TrimEnd(new char[] { 't', 'a', 'i', 'n', 'e', 'd' })); } diff --git a/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/StringBuilder/StringBuilderAppendFormatTests.cs b/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Propagation/StringBuilder/StringBuilderAppendFormatTests.cs similarity index 66% rename from tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/StringBuilder/StringBuilderAppendFormatTests.cs rename to tracer/test/test-applications/integrations/Samples.InstrumentedTests/Propagation/StringBuilder/StringBuilderAppendFormatTests.cs index d6f204469c55..ffc5d0e8e70e 100644 --- a/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/StringBuilder/StringBuilderAppendFormatTests.cs +++ b/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Propagation/StringBuilder/StringBuilderAppendFormatTests.cs @@ -1,8 +1,9 @@ -using System.Collections.Generic; using System.Text; using Xunit; -namespace Samples.InstrumentedTests.Iast.Vulnerabilities.StringBuilderPropagation; +namespace Samples.InstrumentedTests.Iast.Propagation.StringBuilder; + + public class StringBuilderAppendFormatTests : InstrumentationTestsBase { private string _taintedValue = "tainted"; @@ -44,16 +45,16 @@ public void GivenATaintedString_WhenCallingStringBuilderAppendFormatOneObjectFor public void GivenATaintedString_WhenCallingStringBuilderAppendFormatOneObjectFormatProvider_ResultIsTainted3() { AssertTaintedFormatWithOriginalCallCheck(":+-taintedtainted-+:", - new StringBuilder(_taintedValue).AppendFormat("{0}", _taintedValue).ToString(), - () => new StringBuilder(_taintedValue).AppendFormat("{0}", _taintedValue).ToString()); + new System.Text.StringBuilder(_taintedValue).AppendFormat("{0}", _taintedValue).ToString(), + () => new System.Text.StringBuilder(_taintedValue).AppendFormat("{0}", _taintedValue).ToString()); } [Fact] public void GivenATaintedString_WhenCallingStringBuilderAppendFormatOneParamMissing_ResultIsTainted() { AssertUntaintedWithOriginalCallCheck( - () => new StringBuilder(string.Empty).AppendFormat("myformat{0}{1}", _taintedValue).ToString(), - () => new StringBuilder(string.Empty).AppendFormat("myformat{0}{1}", _taintedValue).ToString()); + () => new System.Text.StringBuilder(string.Empty).AppendFormat("myformat{0}{1}", _taintedValue).ToString(), + () => new System.Text.StringBuilder(string.Empty).AppendFormat("myformat{0}{1}", _taintedValue).ToString()); } // [AspectMethodReplace("System.Text.StringBuilder::AppendFormat(System.String,System.Object,System.Object)")] @@ -70,8 +71,8 @@ public void GivenATaintedString_WhenCallingStringBuilderAppendFormatTwoObjects_R public void GivenATaintedString_WhenCallingStringBuilderAppendFormatTwoObjects_ResultIsTainted2() { AssertTaintedFormatWithOriginalCallCheck(":+-taintedmyformattaintednotTainted-+:", - new StringBuilder(_taintedValue).AppendFormat("myformat{0}{1}", _taintedValue, _notTaintedValue).ToString(), - () => new StringBuilder(_taintedValue).AppendFormat("myformat{0}{1}", _taintedValue, _notTaintedValue).ToString()); + new System.Text.StringBuilder(_taintedValue).AppendFormat("myformat{0}{1}", _taintedValue, _notTaintedValue).ToString(), + () => new System.Text.StringBuilder(_taintedValue).AppendFormat("myformat{0}{1}", _taintedValue, _notTaintedValue).ToString()); } // [AspectMethodReplace("System.Text.StringBuilder::AppendFormat(System.String,System.Object,System.Object,System.Object)")] @@ -88,8 +89,8 @@ public void GivenATaintedString_WhenCallingStringBuilderAppendFormatThreeObjectF public void GivenATaintedString_WhenCallingStringBuilderAppendFormatThreeObjectFormatProvider_ResultIsTainted2() { AssertTaintedFormatWithOriginalCallCheck(":+-taintedtaintedeeetainted-+:", - new StringBuilder(_taintedValue).AppendFormat("{0}{1}{2}", _taintedValue, "eee", _taintedValue).ToString(), - () => new StringBuilder(_taintedValue).AppendFormat("{0}{1}{2}", _taintedValue, "eee", _taintedValue).ToString()); + new System.Text.StringBuilder(_taintedValue).AppendFormat("{0}{1}{2}", _taintedValue, "eee", _taintedValue).ToString(), + () => new System.Text.StringBuilder(_taintedValue).AppendFormat("{0}{1}{2}", _taintedValue, "eee", _taintedValue).ToString()); } // [AspectMethodReplace("System.Text.StringBuilder::AppendFormat(System.String,System.Object[])")] @@ -98,16 +99,16 @@ public void GivenATaintedString_WhenCallingStringBuilderAppendFormatThreeObjectF public void GivenATaintedString_WhenCallingStringBuilderAppendFormatObjectArray_ResultIsTainted() { AssertTaintedFormatWithOriginalCallCheck(":+-formattaintednotTainted-+:", - new StringBuilder(string.Empty).AppendFormat(_formatTaintedValue, new object[] { _taintedValue, _notTaintedValue }).ToString(), - () => new StringBuilder(string.Empty).AppendFormat(_formatTaintedValue, new object[] { _taintedValue, _notTaintedValue }).ToString()); + new System.Text.StringBuilder(string.Empty).AppendFormat(_formatTaintedValue, new object[] { _taintedValue, _notTaintedValue }).ToString(), + () => new System.Text.StringBuilder(string.Empty).AppendFormat(_formatTaintedValue, new object[] { _taintedValue, _notTaintedValue }).ToString()); } [Fact] public void GivenATaintedString_WhenCallingStringBuilderAppendFormatNottaintedObjectArray_ResultIsTainted() { AssertTaintedFormatWithOriginalCallCheck(":+-myformattaintednotTainted-+:", - new StringBuilder(string.Empty).AppendFormat("myformat{0}{1}", new object[] { _taintedValue, _notTaintedValue }).ToString(), - () => new StringBuilder(string.Empty).AppendFormat("myformat{0}{1}", new object[] { _taintedValue, _notTaintedValue }).ToString()); + new System.Text.StringBuilder(string.Empty).AppendFormat("myformat{0}{1}", new object[] { _taintedValue, _notTaintedValue }).ToString(), + () => new System.Text.StringBuilder(string.Empty).AppendFormat("myformat{0}{1}", new object[] { _taintedValue, _notTaintedValue }).ToString()); } // [AspectMethodReplace("System.Text.StringBuilder::AppendFormat(System.IFormatProvider,System.String,System.Object)")] @@ -116,16 +117,16 @@ public void GivenATaintedString_WhenCallingStringBuilderAppendFormatNottaintedOb public void GivenATaintedString_WhenCallingStringBuilderAppendFormatOneObjectFormatProviderFormatProvider_ResultIsTainted() { AssertTaintedFormatWithOriginalCallCheck(":+-taintedcustomformat-+:", - new StringBuilder(string.Empty).AppendFormat(new FormatProviderForTest(), "{0}", _taintedValue).ToString(), - () => new StringBuilder(string.Empty).AppendFormat(new FormatProviderForTest(), "{0}", _taintedValue).ToString()); + new System.Text.StringBuilder(string.Empty).AppendFormat(new FormatProviderForTest(), "{0}", _taintedValue).ToString(), + () => new System.Text.StringBuilder(string.Empty).AppendFormat(new FormatProviderForTest(), "{0}", _taintedValue).ToString()); } [Fact] public void GivenATaintedString_WhenCallingStringBuilderAppendFormatFormatNull_ResultIsTainted() { AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:", - new StringBuilder(string.Empty).AppendFormat(null, _taintedValue, _notTaintedValue).ToString(), - () => new StringBuilder(string.Empty).AppendFormat(null, _taintedValue, _notTaintedValue).ToString()); + new System.Text.StringBuilder(string.Empty).AppendFormat(null, _taintedValue, _notTaintedValue).ToString(), + () => new System.Text.StringBuilder(string.Empty).AppendFormat(null, _taintedValue, _notTaintedValue).ToString()); } // [AspectMethodReplace("System.Text.StringBuilder::AppendFormat(System.IFormatProvider,System.String,System.Object,System.Object)")] @@ -143,24 +144,24 @@ public void GivenATaintedString_WhenCallingStringBuilderAppendFormatTwoObjectsFo public void GivenATaintedString_WhenCallingStringBuilderAppendFormatTwoObjectsFormatProvider_ResultIsTainted2() { AssertTaintedFormatWithOriginalCallCheck(":+-myformattaintedcustomformatnotTaintedcustomformat-+:", - new StringBuilder(string.Empty).AppendFormat(new FormatProviderForTest(), "myformat{0}{1}", _taintedValue, _notTaintedValue).ToString(), - () => new StringBuilder(string.Empty).AppendFormat(new FormatProviderForTest(), "myformat{0}{1}", _taintedValue, _notTaintedValue).ToString()); + new System.Text.StringBuilder(string.Empty).AppendFormat(new FormatProviderForTest(), "myformat{0}{1}", _taintedValue, _notTaintedValue).ToString(), + () => new System.Text.StringBuilder(string.Empty).AppendFormat(new FormatProviderForTest(), "myformat{0}{1}", _taintedValue, _notTaintedValue).ToString()); } [Fact] public void GivenATaintedString_WhenCallingStringBuilderAppendFormatOneParamNull_ResultIsTainted() { AssertTaintedFormatWithOriginalCallCheck(":+-myformattainted-+:", - new StringBuilder(string.Empty).AppendFormat("myformat{0}{1}", _taintedValue, null).ToString(), - () => new StringBuilder(string.Empty).AppendFormat("myformat{0}{1}", _taintedValue, null).ToString()); + new System.Text.StringBuilder(string.Empty).AppendFormat("myformat{0}{1}", _taintedValue, null).ToString(), + () => new System.Text.StringBuilder(string.Empty).AppendFormat("myformat{0}{1}", _taintedValue, null).ToString()); } [Fact] public void GivenATaintedString_WhenCallingStringBuilderAppendFormatMoreParameters_ResultIsTainted() { AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:", - new StringBuilder(string.Empty).AppendFormat(null, _taintedValue, _notTaintedValue, "eee").ToString(), - () => new StringBuilder(string.Empty).AppendFormat(null, _taintedValue, _notTaintedValue, "eee").ToString()); + new System.Text.StringBuilder(string.Empty).AppendFormat(null, _taintedValue, _notTaintedValue, "eee").ToString(), + () => new System.Text.StringBuilder(string.Empty).AppendFormat(null, _taintedValue, _notTaintedValue, "eee").ToString()); } // [AspectMethodReplace("System.Text.StringBuilder::AppendFormat(System.IFormatProvider,System.String,System.Object,System.Object,System.Object)")] @@ -169,8 +170,8 @@ public void GivenATaintedString_WhenCallingStringBuilderAppendFormatMoreParamete public void GivenATaintedString_WhenCallingStringBuilderAppendFormatThreeObjectFormatProviderFormatProvider_ResultIsTainted() { AssertTaintedFormatWithOriginalCallCheck(":+-taintedcustomformatTAINTED2customformattaintedcustomformat-+:", - new StringBuilder(string.Empty).AppendFormat(new FormatProviderForTest(), "{0}{1}{2}", _taintedValue, _taintedValue2, _taintedValue).ToString(), - () => new StringBuilder(string.Empty).AppendFormat(new FormatProviderForTest(), "{0}{1}{2}", _taintedValue, _taintedValue2, _taintedValue).ToString()); + new System.Text.StringBuilder(string.Empty).AppendFormat(new FormatProviderForTest(), "{0}{1}{2}", _taintedValue, _taintedValue2, _taintedValue).ToString(), + () => new System.Text.StringBuilder(string.Empty).AppendFormat(new FormatProviderForTest(), "{0}{1}{2}", _taintedValue, _taintedValue2, _taintedValue).ToString()); } // [AspectMethodReplace("System.Text.StringBuilder::AppendFormat(System.IFormatProvider,System.String,System.Object[])")] @@ -179,8 +180,8 @@ public void GivenATaintedString_WhenCallingStringBuilderAppendFormatThreeObjectF public void GivenATaintedString_WhenCallingStringBuilderAppendFormatObjectArrayFormatProvider_ResultIsTainted() { AssertTaintedFormatWithOriginalCallCheck(":+-myformattaintedcustomformatnotTaintedcustomformat-+:", - new StringBuilder(string.Empty).AppendFormat(new FormatProviderForTest(), "myformat{0}{1}", new object[] { _taintedValue, _notTaintedValue }).ToString(), - () => new StringBuilder(string.Empty).AppendFormat(new FormatProviderForTest(), "myformat{0}{1}", new object[] { _taintedValue, _notTaintedValue }).ToString()); + new System.Text.StringBuilder(string.Empty).AppendFormat(new FormatProviderForTest(), "myformat{0}{1}", new object[] { _taintedValue, _notTaintedValue }).ToString(), + () => new System.Text.StringBuilder(string.Empty).AppendFormat(new FormatProviderForTest(), "myformat{0}{1}", new object[] { _taintedValue, _notTaintedValue }).ToString()); } @@ -193,8 +194,8 @@ public void GivenATaintedString_WhenCallingStringBuilderAppendFormatObjectArrayF var composite = CompositeFormat.Parse("myformat{0}{1}"); AssertUntaintedWithOriginalCallCheck( "myformattaintedcustomformatnotTaintedcustomformat", - new StringBuilder(string.Empty).AppendFormat(new FormatProviderForTest(), composite, new object[] { _taintedValue, _notTaintedValue }).ToString(), - () => new StringBuilder(string.Empty).AppendFormat(new FormatProviderForTest(), composite, new object[] { _taintedValue, _notTaintedValue }).ToString()); + new System.Text.StringBuilder(string.Empty).AppendFormat(new FormatProviderForTest(), composite, new object[] { _taintedValue, _notTaintedValue }).ToString(), + () => new System.Text.StringBuilder(string.Empty).AppendFormat(new FormatProviderForTest(), composite, new object[] { _taintedValue, _notTaintedValue }).ToString()); } #endif } diff --git a/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/StringBuilder/StringBuilderAppendJoin.cs b/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Propagation/StringBuilder/StringBuilderAppendJoin.cs similarity index 71% rename from tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/StringBuilder/StringBuilderAppendJoin.cs rename to tracer/test/test-applications/integrations/Samples.InstrumentedTests/Propagation/StringBuilder/StringBuilderAppendJoin.cs index c86c96f3d57a..3a4f8e22cd3d 100644 --- a/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/StringBuilder/StringBuilderAppendJoin.cs +++ b/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Propagation/StringBuilder/StringBuilderAppendJoin.cs @@ -1,8 +1,8 @@ #if NETCOREAPP3_1_OR_GREATER using System.Collections.Generic; -using System.Text; using Xunit; -namespace Samples.InstrumentedTests.Iast.Vulnerabilities.StringBuilderPropagation; + +namespace Samples.InstrumentedTests.Iast.Propagation.StringBuilder; public class StringBuilderAppendJoin : InstrumentationTestsBase { @@ -22,24 +22,24 @@ public StringBuilderAppendJoin() public void GivenAStringBuilderTainted_WhenAppendJoinStringString_ThenResultIsTainted() { AssertTaintedFormatWithOriginalCallCheck(":+-tainted.untainted-+:", - new StringBuilder().AppendJoin(".", new string[] { _taintedValue, _untaintedString }), - () => new StringBuilder().AppendJoin(".", new string[] { _taintedValue, _untaintedString })); + new System.Text.StringBuilder().AppendJoin(".", new string[] { _taintedValue, _untaintedString }), + () => new System.Text.StringBuilder().AppendJoin(".", new string[] { _taintedValue, _untaintedString })); } [Fact] public void GivenAStringBuilderTainted_WhenAppendJoinStringString_ThenResultIsTainted2() { AssertTaintedFormatWithOriginalCallCheck(":+-untainted.tainted-+:", - new StringBuilder().AppendJoin(".", new string[] { _untaintedString, _taintedValue }), - () => new StringBuilder().AppendJoin(".", new string[] { _untaintedString, _taintedValue })); + new System.Text.StringBuilder().AppendJoin(".", new string[] { _untaintedString, _taintedValue }), + () => new System.Text.StringBuilder().AppendJoin(".", new string[] { _untaintedString, _taintedValue })); } [Fact] public void GivenAStringBuilderNotTainted_WhenAppendJoinStringString_ThenResultIsNotTainted() { AssertUntaintedWithOriginalCallCheck( - () => new StringBuilder().AppendJoin(".", new string[] { _untaintedString, _untaintedString }), - () => new StringBuilder().AppendJoin(".", new string[] { _untaintedString, _untaintedString })); + () => new System.Text.StringBuilder().AppendJoin(".", new string[] { _untaintedString, _untaintedString }), + () => new System.Text.StringBuilder().AppendJoin(".", new string[] { _untaintedString, _untaintedString })); } [Fact] @@ -78,8 +78,8 @@ public void GivenAStringBuilderTainted_WhenAppendJoinStringString_ThenResultIsNo public void GivenAStringBuilderTainted_WhenAppendJoinStringString_ThenResultIsTainted7() { AssertTaintedFormatWithOriginalCallCheck(":+-untaintedtainteduntainted-+:", - new StringBuilder().AppendJoin(_taintedValue, new string[] { _untaintedString, _untaintedString }), - () => new StringBuilder().AppendJoin(_taintedValue, new string[] { _untaintedString, _untaintedString })); + new System.Text.StringBuilder().AppendJoin(_taintedValue, new string[] { _untaintedString, _untaintedString }), + () => new System.Text.StringBuilder().AppendJoin(_taintedValue, new string[] { _untaintedString, _untaintedString })); } // System.Text.StringBuilder::AppendJoin(System.String,System.Object[]) @@ -88,24 +88,24 @@ public void GivenAStringBuilderTainted_WhenAppendJoinStringString_ThenResultIsTa public void GivenAStringBuilderTainted_WhenAppendJoinStringObject_ThenResultIsTainted() { AssertTaintedFormatWithOriginalCallCheck(":+-tainted.untainted-+:", - new StringBuilder().AppendJoin(".", new object[] { _taintedValue, _untaintedString }), - () => new StringBuilder().AppendJoin(".", new object[] { _taintedValue, _untaintedString })); + new System.Text.StringBuilder().AppendJoin(".", new object[] { _taintedValue, _untaintedString }), + () => new System.Text.StringBuilder().AppendJoin(".", new object[] { _taintedValue, _untaintedString })); } [Fact] public void GivenAStringBuilderTainted_WhenAppendJoinStringObject_ThenResultIsTainted2() { AssertTaintedFormatWithOriginalCallCheck(":+-untainted.tainted-+:", - new StringBuilder().AppendJoin(".", new object[] { _untaintedString, _taintedValue }), - () => new StringBuilder().AppendJoin(".", new object[] { _untaintedString, _taintedValue })); + new System.Text.StringBuilder().AppendJoin(".", new object[] { _untaintedString, _taintedValue }), + () => new System.Text.StringBuilder().AppendJoin(".", new object[] { _untaintedString, _taintedValue })); } [Fact] public void GivenAStringBuilderNotTainted_WhenAppendJoinStringObject_ThenResultIsNotTainted() { AssertUntaintedWithOriginalCallCheck( - () => new StringBuilder().AppendJoin(".", new object[] { _untaintedString, _untaintedString }), - () => new StringBuilder().AppendJoin(".", new object[] { _untaintedString, _untaintedString })); + () => new System.Text.StringBuilder().AppendJoin(".", new object[] { _untaintedString, _untaintedString }), + () => new System.Text.StringBuilder().AppendJoin(".", new object[] { _untaintedString, _untaintedString })); } [Fact] @@ -144,8 +144,8 @@ public void GivenAStringBuilderTainted_WhenAppendJoinStringObject_ThenResultIsNo public void GivenAStringBuilderTainted_WhenAppendJoinStringObject_ThenResultIsTainted7() { AssertTaintedFormatWithOriginalCallCheck(":+-untaintedtainteduntainted-+:", - new StringBuilder().AppendJoin(_taintedValue, new object[] { _untaintedString, _untaintedString }), - () => new StringBuilder().AppendJoin(_taintedValue, new object[] { _untaintedString, _untaintedString })); + new System.Text.StringBuilder().AppendJoin(_taintedValue, new object[] { _untaintedString, _untaintedString }), + () => new System.Text.StringBuilder().AppendJoin(_taintedValue, new object[] { _untaintedString, _untaintedString })); } // System.Text.StringBuilder::AppendJoin(System.String,System.Collections.Generic.IEnumerable`1) @@ -154,24 +154,24 @@ public void GivenAStringBuilderTainted_WhenAppendJoinStringObject_ThenResultIsTa public void GivenAStringBuilderTainted_WhenAppendJoinStringIEnumerable_ThenResultIsTainted() { AssertTaintedFormatWithOriginalCallCheck(":+-tainted.untainted-+:", - new StringBuilder().AppendJoin(".", new List { _taintedValue, _untaintedString }), - () => new StringBuilder().AppendJoin(".", new List { _taintedValue, _untaintedString })); + new System.Text.StringBuilder().AppendJoin(".", new List { _taintedValue, _untaintedString }), + () => new System.Text.StringBuilder().AppendJoin(".", new List { _taintedValue, _untaintedString })); } [Fact] public void GivenAStringBuilderTainted_WhenAppendJoinStringIEnumerable_ThenResultIsTainted2() { AssertTaintedFormatWithOriginalCallCheck(":+-untainted.tainted-+:", - new StringBuilder().AppendJoin(".", new List { _untaintedString, _taintedValue }), - () => new StringBuilder().AppendJoin(".", new List { _untaintedString, _taintedValue })); + new System.Text.StringBuilder().AppendJoin(".", new List { _untaintedString, _taintedValue }), + () => new System.Text.StringBuilder().AppendJoin(".", new List { _untaintedString, _taintedValue })); } [Fact] public void GivenAStringBuilderNotTainted_WhenAppendJoinStringIEnumerable_ThenResultIsNotTainted() { AssertUntaintedWithOriginalCallCheck( - () => new StringBuilder().AppendJoin(".", new List { _untaintedString, _untaintedString }), - () => new StringBuilder().AppendJoin(".", new List { _untaintedString, _untaintedString })); + () => new System.Text.StringBuilder().AppendJoin(".", new List { _untaintedString, _untaintedString }), + () => new System.Text.StringBuilder().AppendJoin(".", new List { _untaintedString, _untaintedString })); } [Fact] @@ -210,8 +210,8 @@ public void GivenAStringBuilderTainted_WhenAppendJoinStringIEnumerable_ThenResul public void GivenAStringBuilderTainted_WhenAppendJoinStringIEnumerable_ThenResultIsTainted7() { AssertTaintedFormatWithOriginalCallCheck(":+-untaintedtainteduntainted-+:", - new StringBuilder().AppendJoin(_taintedValue, new List { _untaintedString, _untaintedString }), - () => new StringBuilder().AppendJoin(_taintedValue, new List { _untaintedString, _untaintedString })); + new System.Text.StringBuilder().AppendJoin(_taintedValue, new List { _untaintedString, _untaintedString }), + () => new System.Text.StringBuilder().AppendJoin(_taintedValue, new List { _untaintedString, _untaintedString })); } // System.Text.StringBuilder::AppendJoin(System.Char,System.Char[]) @@ -220,24 +220,24 @@ public void GivenAStringBuilderTainted_WhenAppendJoinStringIEnumerable_ThenResul public void GivenAStringBuilderTainted_WhenAppendJoinCharString_ThenResultIsTainted() { AssertTaintedFormatWithOriginalCallCheck(":+-tainted.untainted-+:", - new StringBuilder().AppendJoin('.', new string[] { _taintedValue, _untaintedString }), - () => new StringBuilder().AppendJoin('.', new string[] { _taintedValue, _untaintedString })); + new System.Text.StringBuilder().AppendJoin('.', new string[] { _taintedValue, _untaintedString }), + () => new System.Text.StringBuilder().AppendJoin('.', new string[] { _taintedValue, _untaintedString })); } [Fact] public void GivenAStringBuilderTainted_WhenAppendJoinCharString_ThenResultIsTainted2() { AssertTaintedFormatWithOriginalCallCheck(":+-untainted.tainted-+:", - new StringBuilder().AppendJoin('.', new string[] { _untaintedString, _taintedValue }), - () => new StringBuilder().AppendJoin('.', new string[] { _untaintedString, _taintedValue })); + new System.Text.StringBuilder().AppendJoin('.', new string[] { _untaintedString, _taintedValue }), + () => new System.Text.StringBuilder().AppendJoin('.', new string[] { _untaintedString, _taintedValue })); } [Fact] public void GivenAStringBuilderNotTainted_WhenAppendJoinCharString_ThenResultIsNotTainted() { AssertUntaintedWithOriginalCallCheck( - () => new StringBuilder().AppendJoin('.', new string[] { _untaintedString, _untaintedString }), - () => new StringBuilder().AppendJoin('.', new string[] { _untaintedString, _untaintedString })); + () => new System.Text.StringBuilder().AppendJoin('.', new string[] { _untaintedString, _untaintedString }), + () => new System.Text.StringBuilder().AppendJoin('.', new string[] { _untaintedString, _untaintedString })); } [Fact] @@ -278,24 +278,24 @@ public void GivenAStringBuilderTainted_WhenAppendJoinCharString_ThenResultIsNotT public void GivenAStringBuilderTainted_WhenAppendJoinCharObject_ThenResultIsTainted() { AssertTaintedFormatWithOriginalCallCheck(":+-tainted.untainted-+:", - new StringBuilder().AppendJoin('.', new object[] { _taintedValue, _untaintedString }), - () => new StringBuilder().AppendJoin('.', new object[] { _taintedValue, _untaintedString })); + new System.Text.StringBuilder().AppendJoin('.', new object[] { _taintedValue, _untaintedString }), + () => new System.Text.StringBuilder().AppendJoin('.', new object[] { _taintedValue, _untaintedString })); } [Fact] public void GivenAStringBuilderTainted_WhenAppendJoinCharObject_ThenResultIsTainted2() { AssertTaintedFormatWithOriginalCallCheck(":+-untainted.tainted-+:", - new StringBuilder().AppendJoin('.', new object[] { _untaintedString, _taintedValue }), - () => new StringBuilder().AppendJoin('.', new object[] { _untaintedString, _taintedValue })); + new System.Text.StringBuilder().AppendJoin('.', new object[] { _untaintedString, _taintedValue }), + () => new System.Text.StringBuilder().AppendJoin('.', new object[] { _untaintedString, _taintedValue })); } [Fact] public void GivenAStringBuilderNotTainted_WhenAppendJoinCharObject_ThenResultIsNotTainted() { AssertUntaintedWithOriginalCallCheck( - () => new StringBuilder().AppendJoin('.', new object[] { _untaintedString, _untaintedString }), - () => new StringBuilder().AppendJoin('.', new object[] { _untaintedString, _untaintedString })); + () => new System.Text.StringBuilder().AppendJoin('.', new object[] { _untaintedString, _untaintedString }), + () => new System.Text.StringBuilder().AppendJoin('.', new object[] { _untaintedString, _untaintedString })); } [Fact] @@ -318,30 +318,30 @@ public void GivenAStringBuilderTainted_WhenAppendJoinCharObject_ThenResultIsNotT public void GivenAStringBuilderTainted_WhenAppendJoinCharIEnumerable_ThenResultIsTainted() { AssertTaintedFormatWithOriginalCallCheck(":+-tainted.untainted-+:", - new StringBuilder().AppendJoin('.', new List { _taintedValue, _untaintedString }), - () => new StringBuilder().AppendJoin('.', new List { _taintedValue, _untaintedString })); + new System.Text.StringBuilder().AppendJoin('.', new List { _taintedValue, _untaintedString }), + () => new System.Text.StringBuilder().AppendJoin('.', new List { _taintedValue, _untaintedString })); } [Fact] public void GivenAStringBuilderTainted_WhenAppendJoinCharIEnumerable_ThenResultIsTainted2() { AssertTaintedFormatWithOriginalCallCheck(":+-untainted.tainted-+:", - new StringBuilder().AppendJoin('.', new List { _untaintedString, _taintedValue }), - () => new StringBuilder().AppendJoin('.', new List { _untaintedString, _taintedValue })); + new System.Text.StringBuilder().AppendJoin('.', new List { _untaintedString, _taintedValue }), + () => new System.Text.StringBuilder().AppendJoin('.', new List { _untaintedString, _taintedValue })); } [Fact] public void GivenAStringBuilderNotTainted_WhenAppendJoinCharIEnumerable_ThenResultIsNotTainted() { AssertUntaintedWithOriginalCallCheck( - () => new StringBuilder().AppendJoin('.', new List { _untaintedString, _untaintedString }), - () => new StringBuilder().AppendJoin('.', new List { _untaintedString, _untaintedString })); + () => new System.Text.StringBuilder().AppendJoin('.', new List { _untaintedString, _untaintedString }), + () => new System.Text.StringBuilder().AppendJoin('.', new List { _untaintedString, _untaintedString })); } [Fact] public void GivenAStringBuilderTainted_WhenAppendJoinCharIEnumerable_ThenResultIsTainted3() { - var st = new StringBuilder("test").AppendJoin('.', new List { _untaintedString, _untaintedString }); + var st = new System.Text.StringBuilder("test").AppendJoin('.', new List { _untaintedString, _untaintedString }); AssertTaintedFormatWithOriginalCallCheck(":+-testuntainted.untainted-+:", GetTaintedStringBuilder("test").AppendJoin('.', new List { _untaintedString, _untaintedString }), diff --git a/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/StringBuilder/StringBuilderAppendTests.cs b/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Propagation/StringBuilder/StringBuilderAppendTests.cs similarity index 60% rename from tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/StringBuilder/StringBuilderAppendTests.cs rename to tracer/test/test-applications/integrations/Samples.InstrumentedTests/Propagation/StringBuilder/StringBuilderAppendTests.cs index 8a953835a383..9542182f7c92 100644 --- a/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/StringBuilder/StringBuilderAppendTests.cs +++ b/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Propagation/StringBuilder/StringBuilderAppendTests.cs @@ -1,14 +1,14 @@ using System; -using System.Text; using Xunit; -namespace Samples.InstrumentedTests.Iast.Vulnerabilities.StringBuilderPropagation; + +namespace Samples.InstrumentedTests.Iast.Propagation.StringBuilder; public class StringBuilderAppendTests : InstrumentationTestsBase { protected string taintedValue = "tainted"; protected string taintedValue2 = "TAINTED2"; - StringBuilder TaintedStringBuilder = new StringBuilder("TaintedStringBuilder"); - StringBuilder TaintedStringBuilder2 = new StringBuilder("TaintedStringBuilder"); + System.Text.StringBuilder TaintedStringBuilder = new System.Text.StringBuilder("TaintedStringBuilder"); + System.Text.StringBuilder TaintedStringBuilder2 = new System.Text.StringBuilder("TaintedStringBuilder"); string TaintedString = "TaintedString"; string UntaintedString = "UntaintedString"; char[] TaintedCharArray = "TaintedString".ToCharArray(); @@ -29,7 +29,7 @@ public StringBuilderAppendTests() [Fact] public void GivenAStringBuilder_WhenAppendBasic_ThenResultIsTainted() { - AssertTaintedFormatWithOriginalCallCheck(":+-TaintedString-+:", new StringBuilder().Append(TaintedString), () => new StringBuilder().Append(TaintedString)); + AssertTaintedFormatWithOriginalCallCheck(":+-TaintedString-+:", new System.Text.StringBuilder().Append(TaintedString), () => new System.Text.StringBuilder().Append(TaintedString)); } [Fact] @@ -55,39 +55,39 @@ public void GivenAStringBuilder_WhenStringBuilderAppendBasicWithBoth_ThenResultI [Fact] public void GivenATaintedString_WhenCallingStringEmptyBuilderAppendAppendAppend_ResultIsTainted() { - AssertTaintedFormatWithOriginalCallCheck("pre:+-tainted-+:post", new StringBuilder().Append("pre").Append(taintedValue).Append("post").ToString(), () => new StringBuilder().Append("pre").Append(taintedValue).Append("post").ToString()); + AssertTaintedFormatWithOriginalCallCheck("pre:+-tainted-+:post", new System.Text.StringBuilder().Append("pre").Append(taintedValue).Append("post").ToString(), () => new System.Text.StringBuilder().Append("pre").Append(taintedValue).Append("post").ToString()); } [Fact] public void Given2TaintedStrings_WhenCallingStringBuilderManyAppends_ResultIsTainted() { - AssertTaintedFormatWithOriginalCallCheck("pre:+-tainted-+:middle:+-TAINTED2-+:post", new StringBuilder().Append("pre").Append(taintedValue).Append("middle").Append(taintedValue2).Append("post").ToString(), () => new StringBuilder().Append("pre").Append(taintedValue).Append("middle").Append(taintedValue2).Append("post").ToString()); + AssertTaintedFormatWithOriginalCallCheck("pre:+-tainted-+:middle:+-TAINTED2-+:post", new System.Text.StringBuilder().Append("pre").Append(taintedValue).Append("middle").Append(taintedValue2).Append("post").ToString(), () => new System.Text.StringBuilder().Append("pre").Append(taintedValue).Append("middle").Append(taintedValue2).Append("post").ToString()); } [Fact] public void GivenATaintedStringBuilder_WhenAppendNull_ResultIsTainted() { - AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:", new StringBuilder(taintedValue).Append((string)null).ToString(), () => new StringBuilder(taintedValue).Append((string)null).ToString()); + AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:", new System.Text.StringBuilder(taintedValue).Append((string)null).ToString(), () => new System.Text.StringBuilder(taintedValue).Append((string)null).ToString()); } [Fact] public void GivenATaintedString_WhenCallingStringBuilderAppend_ResultIsTainted14() { AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:", - new StringBuilder(taintedValue).Append((string)null).ToString(), - () => new StringBuilder(taintedValue).Append((string)null).ToString()); + new System.Text.StringBuilder(taintedValue).Append((string)null).ToString(), + () => new System.Text.StringBuilder(taintedValue).Append((string)null).ToString()); } [Fact] public void GivenATaintedString_WhenCallingStringEmptyBuilderAppendAppendAppendToString_ResultIsTainted2() { - AssertTainted(new StringBuilder().Append("pre").Append(taintedValue).Append("post").ToString().ToString()); + AssertTainted(new System.Text.StringBuilder().Append("pre").Append(taintedValue).Append("post").ToString().ToString()); } [Fact] public void GivenATaintedString_WhenCallingStringEmptyBuilderAppendAppendAppendToString_ResultIsTainted() { - AssertTaintedFormatWithOriginalCallCheck("pre:+-tainted-+:post", new StringBuilder().Append("pre").Append(taintedValue).Append("post").ToString().ToString(), () => new StringBuilder().Append("pre").Append(taintedValue).Append("post").ToString().ToString()); + AssertTaintedFormatWithOriginalCallCheck("pre:+-tainted-+:post", new System.Text.StringBuilder().Append("pre").Append(taintedValue).Append("post").ToString().ToString(), () => new System.Text.StringBuilder().Append("pre").Append(taintedValue).Append("post").ToString().ToString()); } [Fact] @@ -99,8 +99,8 @@ public void GivenATaintedString_WhenCallingParamStringBuilder_ResultIsTainted() private void auxMethod(string a1, string a2, string a3, string a4, string a5, string a6) { AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:123456", - new StringBuilder().Append(taintedValue + a1 + a2 + a3 + a4 + a5 + a6), - () => new StringBuilder().Append(taintedValue + a1 + a2 + a3 + a4 + a5 + a6)); + new System.Text.StringBuilder().Append(taintedValue + a1 + a2 + a3 + a4 + a5 + a6), + () => new System.Text.StringBuilder().Append(taintedValue + a1 + a2 + a3 + a4 + a5 + a6)); } // System.Text.StringBuilder::Append(System.Text.StringBuilder) @@ -108,18 +108,18 @@ private void auxMethod(string a1, string a2, string a3, string a4, string a5, st [Fact] public void GivenATaintedString_WhenCallingStringBuilderAppendStringBuilder_ResultIsTainted() { - var sb2 = new StringBuilder(taintedValue); + var sb2 = new System.Text.StringBuilder(taintedValue); AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+::+-tainted-+:", - new StringBuilder(taintedValue).Append(sb2).ToString(), - () => new StringBuilder(taintedValue).Append(sb2).ToString()); + new System.Text.StringBuilder(taintedValue).Append(sb2).ToString(), + () => new System.Text.StringBuilder(taintedValue).Append(sb2).ToString()); } [Fact] public void GivenATaintedString_WhenCallingStringBuilderAppendStringBuilder_ResultIsTainted2() { AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:", - new StringBuilder(taintedValue).Append((StringBuilder)null).ToString(), - () => new StringBuilder(taintedValue).Append((StringBuilder)null).ToString()); + new System.Text.StringBuilder(taintedValue).Append((System.Text.StringBuilder)null).ToString(), + () => new System.Text.StringBuilder(taintedValue).Append((System.Text.StringBuilder)null).ToString()); } // System.Text.StringBuilder::Append(System.String,System.Int32,System.Int32) @@ -130,7 +130,7 @@ public void GivenAStringBuilder_WhenStringBuilderAppendIndex_ThenResultIsTainted int start = 0; int count = 5; - AssertTaintedFormatWithOriginalCallCheck(":+-Taint-+:", new StringBuilder().Append(TaintedString, start, count), () => new StringBuilder().Append(TaintedString, start, count)); + AssertTaintedFormatWithOriginalCallCheck(":+-Taint-+:", new System.Text.StringBuilder().Append(TaintedString, start, count), () => new System.Text.StringBuilder().Append(TaintedString, start, count)); } [Fact] @@ -169,52 +169,52 @@ public void GivenAStringBuilder_WhenStringBuilderAppendIndexWithBoth() public void GivenATaintedString_WhenCallingStringBuilderAppendStringIndexes_ResultIsTainted7() { AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+::+-tainted-+:", - new StringBuilder(taintedValue).Append(taintedValue, 0, taintedValue.Length).ToString(), - () => new StringBuilder(taintedValue).Append(taintedValue, 0, taintedValue.Length).ToString()); + new System.Text.StringBuilder(taintedValue).Append(taintedValue, 0, taintedValue.Length).ToString(), + () => new System.Text.StringBuilder(taintedValue).Append(taintedValue, 0, taintedValue.Length).ToString()); } [Fact] public void GivenATaintedString_WhenCallingStringBuilderAppendStringIndexes_ResultIsTainted8() { AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+::+-ain-+:", - new StringBuilder(taintedValue).Append(taintedValue, 1, 3).ToString(), - () => new StringBuilder(taintedValue).Append(taintedValue, 1, 3).ToString()); + new System.Text.StringBuilder(taintedValue).Append(taintedValue, 1, 3).ToString(), + () => new System.Text.StringBuilder(taintedValue).Append(taintedValue, 1, 3).ToString()); } [Fact] public void GivenATaintedString_WhenCallingStringEmptyBuilderAppendAppendAppendWithParams_ResultIsTainted() { - AssertTaintedFormatWithOriginalCallCheck("re:+-aint-+:po", new StringBuilder().Append("pre", 1, 2).Append(taintedValue, 1, 4).Append("post", 0, 2).ToString(), () => new StringBuilder().Append("pre", 1, 2).Append(taintedValue, 1, 4).Append("post", 0, 2).ToString()); + AssertTaintedFormatWithOriginalCallCheck("re:+-aint-+:po", new System.Text.StringBuilder().Append("pre", 1, 2).Append(taintedValue, 1, 4).Append("post", 0, 2).ToString(), () => new System.Text.StringBuilder().Append("pre", 1, 2).Append(taintedValue, 1, 4).Append("post", 0, 2).ToString()); } [Fact] public void GivenATaintedString_WhenCallingStringBuilderAppendStringBuilder_ResultIsTainted9() { - Assert.Throws(() => new StringBuilder(taintedValue).Append(taintedValue, 1, 377).ToString()); + Assert.Throws(() => new System.Text.StringBuilder(taintedValue).Append(taintedValue, 1, 377).ToString()); } [Fact] public void GivenATaintedString_WhenCallingStringBuilderAppendStringIndexes_ResultIsTainted10() { - Assert.Throws(() => new StringBuilder(taintedValue).Append(taintedValue, 1, -377).ToString()); + Assert.Throws(() => new System.Text.StringBuilder(taintedValue).Append(taintedValue, 1, -377).ToString()); } [Fact] public void GivenATaintedString_WhenCallingStringBuilderAppendStringIndexes_ResultIsTainted11() { - Assert.Throws(() => new StringBuilder(taintedValue).Append(taintedValue, 100, 3).ToString()); + Assert.Throws(() => new System.Text.StringBuilder(taintedValue).Append(taintedValue, 100, 3).ToString()); } [Fact] public void GivenATaintedString_WhenCallingStringBuilderAppendStringIndexes_ResultIsTainted12() { - Assert.Throws(() => new StringBuilder(taintedValue).Append(taintedValue, -100, 3).ToString()); + Assert.Throws(() => new System.Text.StringBuilder(taintedValue).Append(taintedValue, -100, 3).ToString()); } [Fact] public void GivenATaintedString_WhenCallingStringBuilderAppendStringIndexes_ResultIsTainted13() { - Assert.Throws(() => new StringBuilder(taintedValue).Append((string)null, 1, 3).ToString()); + Assert.Throws(() => new System.Text.StringBuilder(taintedValue).Append((string)null, 1, 3).ToString()); } // System.Text.StringBuilder::Append(System.Text.StringBuilder,System.Int32,System.Int32) @@ -225,46 +225,46 @@ public void GivenATaintedString_WhenCallingStringBuilderAppendStringIndexes_Resu public void GivenATaintedString_WhenCallingStringBuilderAppendStringBuilderIndexes_ResultIsTainted() { AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+::+-tainted-+:", - new StringBuilder(taintedValue).Append(new StringBuilder(taintedValue), 0, taintedValue.Length).ToString(), - () => new StringBuilder(taintedValue).Append(new StringBuilder(taintedValue), 0, taintedValue.Length).ToString()); + new System.Text.StringBuilder(taintedValue).Append(new System.Text.StringBuilder(taintedValue), 0, taintedValue.Length).ToString(), + () => new System.Text.StringBuilder(taintedValue).Append(new System.Text.StringBuilder(taintedValue), 0, taintedValue.Length).ToString()); } [Fact] public void GivenATaintedString_WhenCallingStringBuilderAppendStringBuilderIndexes_ResultIsTainted2() { AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+::+-ain-+:", - new StringBuilder(taintedValue).Append(new StringBuilder(taintedValue), 1, 3).ToString(), - () => new StringBuilder(taintedValue).Append(new StringBuilder(taintedValue), 1, 3).ToString()); + new System.Text.StringBuilder(taintedValue).Append(new System.Text.StringBuilder(taintedValue), 1, 3).ToString(), + () => new System.Text.StringBuilder(taintedValue).Append(new System.Text.StringBuilder(taintedValue), 1, 3).ToString()); } [Fact] public void GivenATaintedString_WhenCallingStringBuilderAppendStringBuilderIndexes_ResultIsTainted3() { - Assert.Throws(() => new StringBuilder(taintedValue).Append(new StringBuilder(taintedValue), 1, 377).ToString()); + Assert.Throws(() => new System.Text.StringBuilder(taintedValue).Append(new System.Text.StringBuilder(taintedValue), 1, 377).ToString()); } [Fact] public void GivenATaintedString_WhenCallingStringBuilderAppendStringBuilderIndexes_ResultIsTainted4() { - Assert.Throws(() => new StringBuilder(taintedValue).Append(new StringBuilder(taintedValue), 1, -377).ToString()); + Assert.Throws(() => new System.Text.StringBuilder(taintedValue).Append(new System.Text.StringBuilder(taintedValue), 1, -377).ToString()); } [Fact] public void GivenATaintedString_WhenCallingStringBuilderAppendStringBuilderIndexes_ResultIsTainted5() { - Assert.Throws(() => new StringBuilder(taintedValue).Append(new StringBuilder(taintedValue), 100, 3).ToString()); + Assert.Throws(() => new System.Text.StringBuilder(taintedValue).Append(new System.Text.StringBuilder(taintedValue), 100, 3).ToString()); } [Fact] public void GivenATaintedString_WhenCallingStringBuilderAppendStringBuilderIndexes_ResultIsTainted6() { - Assert.Throws(() => new StringBuilder(taintedValue).Append(new StringBuilder(taintedValue), -100, 3).ToString()); + Assert.Throws(() => new System.Text.StringBuilder(taintedValue).Append(new System.Text.StringBuilder(taintedValue), -100, 3).ToString()); } [Fact] public void GivenATaintedString_WhenCallingStringBuilderAppendStringBuilderIndexes_ResultIsTainted16() { - Assert.Throws(() => new StringBuilder(taintedValue).Append((StringBuilder)null, 1, 3).ToString()); + Assert.Throws(() => new System.Text.StringBuilder(taintedValue).Append((System.Text.StringBuilder)null, 1, 3).ToString()); } #endif @@ -274,46 +274,46 @@ public void GivenATaintedString_WhenCallingStringBuilderAppendStringBuilderIndex public void GivenATaintedString_WhenCallingStringBuilderAppendCharArrayIndexes_ResultIsTainted() { AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+::+-tainted-+:", - new StringBuilder(taintedValue).Append(taintedValue.ToCharArray(), 0, taintedValue.Length).ToString(), - () => new StringBuilder(taintedValue).Append(taintedValue.ToCharArray(), 0, taintedValue.Length).ToString()); + new System.Text.StringBuilder(taintedValue).Append(taintedValue.ToCharArray(), 0, taintedValue.Length).ToString(), + () => new System.Text.StringBuilder(taintedValue).Append(taintedValue.ToCharArray(), 0, taintedValue.Length).ToString()); } [Fact] public void GivenATaintedString_WhenCallingStringBuilderAppendCharArrayIndexes_ResultIsTainted2() { AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+::+-ain-+:", - new StringBuilder(taintedValue).Append(taintedValue.ToCharArray(), 1, 3).ToString(), - () => new StringBuilder(taintedValue).Append(taintedValue.ToCharArray(), 1, 3).ToString()); + new System.Text.StringBuilder(taintedValue).Append(taintedValue.ToCharArray(), 1, 3).ToString(), + () => new System.Text.StringBuilder(taintedValue).Append(taintedValue.ToCharArray(), 1, 3).ToString()); } [Fact] public void GivenATaintedString_WhenCallingStringBuilderAppendCharArrayIndexes_ExceptionIsThrown() { - Assert.Throws(() => new StringBuilder(taintedValue).Append(taintedValue.ToCharArray(), 1, 377).ToString()); + Assert.Throws(() => new System.Text.StringBuilder(taintedValue).Append(taintedValue.ToCharArray(), 1, 377).ToString()); } [Fact] public void GivenATaintedString_WhenCallingStringBuilderAppendCharArrayIndexes_ExceptionIsThrown2() { - Assert.Throws(() => new StringBuilder(taintedValue).Append(taintedValue.ToCharArray(), 1, -377).ToString()); + Assert.Throws(() => new System.Text.StringBuilder(taintedValue).Append(taintedValue.ToCharArray(), 1, -377).ToString()); } [Fact] public void GivenATaintedString_WhenCallingStringBuilderAppendCharArrayIndexes_ExceptionIsThrown3() { - Assert.Throws(() => new StringBuilder(taintedValue).Append(taintedValue.ToCharArray(), 100, 3).ToString()); + Assert.Throws(() => new System.Text.StringBuilder(taintedValue).Append(taintedValue.ToCharArray(), 100, 3).ToString()); } [Fact] public void GivenATaintedString_WhenCallingStringBuilderAppendCharArrayIndexes_ExceptionIsThrown4() { - Assert.Throws(() => new StringBuilder(taintedValue).Append(taintedValue.ToCharArray(), -100, 3).ToString()); + Assert.Throws(() => new System.Text.StringBuilder(taintedValue).Append(taintedValue.ToCharArray(), -100, 3).ToString()); } [Fact] public void GivenATaintedString_WhenCallingStringBuilderAppendCharArrayIndexes_ExceptionIsThrown5() { - Assert.Throws(() => new StringBuilder(taintedValue).Append((char[])null, 1, 3).ToString()); + Assert.Throws(() => new System.Text.StringBuilder(taintedValue).Append((char[])null, 1, 3).ToString()); } // System.Text.StringBuilder::Append(System.Object) @@ -322,53 +322,53 @@ public void GivenATaintedString_WhenCallingStringBuilderAppendCharArrayIndexes_E public void GivenATaintedString_WhenCallingStringBuilderAppendObject_ResultIsTainted() { AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+::+-tainted-+:", - new StringBuilder(taintedValue).Append(new StructForStringTest(taintedValue)).ToString(), - () => new StringBuilder(taintedValue).Append(new StructForStringTest(taintedValue)).ToString()); + new System.Text.StringBuilder(taintedValue).Append(new StructForStringTest(taintedValue)).ToString(), + () => new System.Text.StringBuilder(taintedValue).Append(new StructForStringTest(taintedValue)).ToString()); } [Fact] public void GivenATaintedString_WhenCallingStringBuilderAppendObject_ResultIsTainted2() { AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+::+-tainted-+:", - new StringBuilder(taintedValue).Append(new ClassForStringTest(taintedValue)).ToString(), - () => new StringBuilder(taintedValue).Append(new ClassForStringTest(taintedValue)).ToString()); + new System.Text.StringBuilder(taintedValue).Append(new ClassForStringTest(taintedValue)).ToString(), + () => new System.Text.StringBuilder(taintedValue).Append(new ClassForStringTest(taintedValue)).ToString()); } [Fact] public void GivenATaintedString_WhenCallingStringBuilderAppendObject_ResultIsTainted3() { AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:", - new StringBuilder(taintedValue).Append((object)null).ToString(), - () => new StringBuilder(taintedValue).Append((object)null).ToString()); + new System.Text.StringBuilder(taintedValue).Append((object)null).ToString(), + () => new System.Text.StringBuilder(taintedValue).Append((object)null).ToString()); } [Fact] public void GivenAStringBuilder_WhenAppendTaintedObject_ResultIsTainted() { - AssertTaintedFormatWithOriginalCallCheck("pre:+-tainted-+:", new StringBuilder("pre").Append((object)taintedValue).ToString(), () => new StringBuilder("pre").Append((object)taintedValue).ToString()); + AssertTaintedFormatWithOriginalCallCheck("pre:+-tainted-+:", new System.Text.StringBuilder("pre").Append((object)taintedValue).ToString(), () => new System.Text.StringBuilder("pre").Append((object)taintedValue).ToString()); } [Fact] public void GivenATaintedStringBuilder_WhenAppendObject_ResultIsTainted() { - AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:post", new StringBuilder(taintedValue).Append((object)"post").ToString(), () => new StringBuilder(taintedValue).Append((object)"post").ToString()); + AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:post", new System.Text.StringBuilder(taintedValue).Append((object)"post").ToString(), () => new System.Text.StringBuilder(taintedValue).Append((object)"post").ToString()); } [Fact] public void GivenATaintedStringBuilder_WhenAppendObject_ResultIsTainted2() { AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:", - new StringBuilder(taintedValue).Append((object)null), - () => new StringBuilder(taintedValue).Append((object)null)); + new System.Text.StringBuilder(taintedValue).Append((object)null), + () => new System.Text.StringBuilder(taintedValue).Append((object)null)); } [Fact] public void GivenATaintedStringBuilder_WhenAppendObject_ResultIsTainted3() { - var sb2 = new StringBuilder(taintedValue); + var sb2 = new System.Text.StringBuilder(taintedValue); AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+::+-tainted-+:", - new StringBuilder(taintedValue).Append((object) sb2).ToString(), - () => new StringBuilder(taintedValue).Append((object) sb2).ToString()); + new System.Text.StringBuilder(taintedValue).Append((object) sb2).ToString(), + () => new System.Text.StringBuilder(taintedValue).Append((object) sb2).ToString()); } // System.Text.StringBuilder::Append(System.Char[]) @@ -376,13 +376,13 @@ public void GivenATaintedStringBuilder_WhenAppendObject_ResultIsTainted3() [Fact] public void GivenATaintedStringBuilder_WhenAppendCharArray_ResultIsTainted() { - AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+::+-tainted-+:", new StringBuilder(taintedValue).Append(taintedValue.ToCharArray()).ToString(), () => new StringBuilder(taintedValue).Append(taintedValue.ToCharArray()).ToString()); + AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+::+-tainted-+:", new System.Text.StringBuilder(taintedValue).Append(taintedValue.ToCharArray()).ToString(), () => new System.Text.StringBuilder(taintedValue).Append(taintedValue.ToCharArray()).ToString()); } [Fact] public void GivenAStringBuilder_WhenStringBuilderAppendChars_ThenResultIsTainted() { - AssertTaintedFormatWithOriginalCallCheck(":+-TaintedString-+:", new StringBuilder().Append(TaintedCharArray), () => new StringBuilder().Append(TaintedCharArray)); + AssertTaintedFormatWithOriginalCallCheck(":+-TaintedString-+:", new System.Text.StringBuilder().Append(TaintedCharArray), () => new System.Text.StringBuilder().Append(TaintedCharArray)); } [Fact] @@ -413,16 +413,16 @@ public void GivenAStringBuilder_WhenStringBuilderAppendCharsWithBoth_ThenResultI public void GivenATaintedString_WhenCallingStringBuilderAppendCharArray_ResultIsTainted() { AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+::+-tainted-+:", - new StringBuilder(taintedValue).Append(taintedValue.ToCharArray()).ToString(), - () => new StringBuilder(taintedValue).Append(taintedValue.ToCharArray()).ToString()); + new System.Text.StringBuilder(taintedValue).Append(taintedValue.ToCharArray()).ToString(), + () => new System.Text.StringBuilder(taintedValue).Append(taintedValue.ToCharArray()).ToString()); } [Fact] public void GivenATaintedString_WhenCallingStringBuilderAppendStringBuilderIndexes_ResultIsTainted18() { AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:", - new StringBuilder(taintedValue).Append((char[])null).ToString(), - () => new StringBuilder(taintedValue).Append((char[])null).ToString()); + new System.Text.StringBuilder(taintedValue).Append((char[])null).ToString(), + () => new System.Text.StringBuilder(taintedValue).Append((char[])null).ToString()); } // System.Text.StringBuilder::AppendLine(System.String) @@ -430,7 +430,7 @@ public void GivenATaintedString_WhenCallingStringBuilderAppendStringBuilderIndex [Fact] public void GivenAStringBuilder_WhenStringBuilderAppendLineBasic_ThenResultIsTainted() { - StringBuilder strb = new StringBuilder(); + var strb = new System.Text.StringBuilder(); AssertTaintedFormatWithOriginalCallCheck(":+-TaintedString-+:" + Environment.NewLine, strb.AppendLine(TaintedString), () => strb.AppendLine(TaintedString)); } @@ -461,19 +461,19 @@ public void GivenAStringBuilder_WhenStringBuilderAppendLineBasicWithBoth_ThenRes [Fact] public void GivenATaintedString_WhenCallingStringBuilderAppendLine_ResultIsTainted() { - AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:" + Environment.NewLine, new StringBuilder(taintedValue).AppendLine().ToString(), () => new StringBuilder(taintedValue).AppendLine().ToString()); + AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:" + Environment.NewLine, new System.Text.StringBuilder(taintedValue).AppendLine().ToString(), () => new System.Text.StringBuilder(taintedValue).AppendLine().ToString()); } [Fact] public void GivenATaintedString_WhenCallingStringBuilderAppendLineString_ResultIsTainted() { - AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:rrr" + Environment.NewLine, new StringBuilder(taintedValue).AppendLine("rrr").ToString(), () => new StringBuilder(taintedValue).AppendLine("rrr").ToString()); + AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:rrr" + Environment.NewLine, new System.Text.StringBuilder(taintedValue).AppendLine("rrr").ToString(), () => new System.Text.StringBuilder(taintedValue).AppendLine("rrr").ToString()); } [Fact] public void GivenATaintedString_WhenCallingStringBuilderAppendLineNull_ResultIsTainted() { - AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:" + Environment.NewLine, new StringBuilder(taintedValue).AppendLine(null).ToString(), () => new StringBuilder(taintedValue).AppendLine(null).ToString()); + AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:" + Environment.NewLine, new System.Text.StringBuilder(taintedValue).AppendLine(null).ToString(), () => new System.Text.StringBuilder(taintedValue).AppendLine(null).ToString()); } // Not covered by aspects @@ -482,22 +482,22 @@ public void GivenATaintedString_WhenCallingStringBuilderAppendLineNull_ResultIsT public void GivenATaintedStringBuilder_WhenAppendChar_ResultIsTainted2() { AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:wwww", - new StringBuilder(taintedValue).Append('w', 4).ToString(), - () => new StringBuilder(taintedValue).Append('w', 4).ToString()); + new System.Text.StringBuilder(taintedValue).Append('w', 4).ToString(), + () => new System.Text.StringBuilder(taintedValue).Append('w', 4).ToString()); } [Fact] public void GivenATaintedStringBuilder_WhenAppendChar_ResultIsTainted() { AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:w", - new StringBuilder(taintedValue).Append('w').ToString(), - () => new StringBuilder(taintedValue).Append('w').ToString()); + new System.Text.StringBuilder(taintedValue).Append('w').ToString(), + () => new System.Text.StringBuilder(taintedValue).Append('w').ToString()); } [Fact] public void GivenATaintedStringBuilder_WhenAppendChar_ResultIsTainted3() { - Assert.Throws(() => new StringBuilder(taintedValue).Append('w', -4).ToString()); + Assert.Throws(() => new System.Text.StringBuilder(taintedValue).Append('w', -4).ToString()); } [Fact] diff --git a/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/StringBuilder/StringBuilderBasicTests.cs b/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Propagation/StringBuilder/StringBuilderBasicTests.cs similarity index 59% rename from tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/StringBuilder/StringBuilderBasicTests.cs rename to tracer/test/test-applications/integrations/Samples.InstrumentedTests/Propagation/StringBuilder/StringBuilderBasicTests.cs index 8a21b608b02f..04be470109d0 100644 --- a/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/StringBuilder/StringBuilderBasicTests.cs +++ b/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Propagation/StringBuilder/StringBuilderBasicTests.cs @@ -1,12 +1,9 @@ using System; -using System.Diagnostics; using System.Reflection; -using System.Text; -using Dapper; using FluentAssertions; using Xunit; -namespace Samples.InstrumentedTests.Iast.Vulnerabilities.StringBuilderPropagation; +namespace Samples.InstrumentedTests.Iast.Propagation.StringBuilder; public class StringBuilderBasicTests : InstrumentationTestsBase { private string _taintedValue = "tainted"; @@ -23,49 +20,49 @@ public StringBuilderBasicTests() [Fact] public void GivenATaintedString_WhenCreateStringBuilder_ResultIsTainted() { - AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:", new StringBuilder(_taintedValue), () => new StringBuilder(_taintedValue)); + AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:", new System.Text.StringBuilder(_taintedValue), () => new System.Text.StringBuilder(_taintedValue)); } [Fact] public void GivenATaintedString_WhenCreateStringBuilder_ResultIsTainted2() { AssertTaintedFormatWithOriginalCallCheck("UntaintedString:+-tainted-+:UntaintedString", - new StringBuilder(_untaintedString + _taintedValue + _untaintedString), - () => new StringBuilder(_untaintedString + _taintedValue + _untaintedString)); + new System.Text.StringBuilder(_untaintedString + _taintedValue + _untaintedString), + () => new System.Text.StringBuilder(_untaintedString + _taintedValue + _untaintedString)); } [Fact] public void GivenATaintedString_WhenCreateStringBuilder_ResultIsNotTainted3() { AssertUntaintedWithOriginalCallCheck("UntaintedString", - new StringBuilder(_untaintedString), - () => new StringBuilder(_untaintedString)); + new System.Text.StringBuilder(_untaintedString), + () => new System.Text.StringBuilder(_untaintedString)); } [Fact] public void GivenATaintedString_WhenCreateStringBuilder_ResultIsNotTainted4() { - AssertUntaintedWithOriginalCallCheck(string.Empty, new StringBuilder(null), () => new StringBuilder(null)); + AssertUntaintedWithOriginalCallCheck(string.Empty, new System.Text.StringBuilder(null), () => new System.Text.StringBuilder(null)); } [Fact] public void GivenATaintedString_WhenCallingNewStringBuilder_ResultIsTainted2() { - new StringBuilder(null).ToString().Should().Be(String.Empty); + new System.Text.StringBuilder(null).ToString().Should().Be(System.String.Empty); } [Fact] public void GivenANotTaintedString_WhenCallingNewStringBuilder_ResultIsNotTainted() { AssertUntaintedWithOriginalCallCheck( - () => new StringBuilder(_notTaintedValue).ToString(), - () => new StringBuilder(_notTaintedValue).ToString()); + () => new System.Text.StringBuilder(_notTaintedValue).ToString(), + () => new System.Text.StringBuilder(_notTaintedValue).ToString()); } [Fact] public void GivenATaintedString_WhenCallingNewStringBuilderToString_ResultIsTainted() { - AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:", new StringBuilder(_taintedValue).ToString(), () => new StringBuilder(_taintedValue).ToString()); + AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:", new System.Text.StringBuilder(_taintedValue).ToString(), () => new System.Text.StringBuilder(_taintedValue).ToString()); } [Fact] @@ -79,16 +76,16 @@ public void GivenATaintedString_WhenCallingLocalStringBuilderToString_ResultIsTa string a6 = "6"; AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:123456", - new StringBuilder(_taintedValue + a1 + a2 + a3 + a4 + a5 + a6).ToString(), - () => new StringBuilder(_taintedValue + a1 + a2 + a3 + a4 + a5 + a6).ToString()); + new System.Text.StringBuilder(_taintedValue + a1 + a2 + a3 + a4 + a5 + a6).ToString(), + () => new System.Text.StringBuilder(_taintedValue + a1 + a2 + a3 + a4 + a5 + a6).ToString()); } [Fact] public void GivenANotTaintedString_WhenCallingNewStringBuilderToString_ResultIsNotTainted() { AssertUntaintedWithOriginalCallCheck( - () => new StringBuilder(_notTaintedValue).ToString(), - () => new StringBuilder(_notTaintedValue).ToString()); + () => new System.Text.StringBuilder(_notTaintedValue).ToString(), + () => new System.Text.StringBuilder(_notTaintedValue).ToString()); } // System.Text.StringBuilder::.ctor(System.String,System.Int32) @@ -96,55 +93,55 @@ public void GivenANotTaintedString_WhenCallingNewStringBuilderToString_ResultIsN [Fact] public void GivenATaintedString_WhenCreateStringBuilderCapacity_ResultIsTainted() { - AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:", new StringBuilder(_taintedValue, 100), () => new StringBuilder(_taintedValue, 100)); + AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:", new System.Text.StringBuilder(_taintedValue, 100), () => new System.Text.StringBuilder(_taintedValue, 100)); } [Fact] public void GivenATaintedString_WhenCreateStringBuilderCapacity_ResultIsTainted2() { AssertTaintedFormatWithOriginalCallCheck("UntaintedString:+-tainted-+:UntaintedString", - new StringBuilder(_untaintedString + _taintedValue + _untaintedString, 100), - () => new StringBuilder(_untaintedString + _taintedValue + _untaintedString, 100)); + new System.Text.StringBuilder(_untaintedString + _taintedValue + _untaintedString, 100), + () => new System.Text.StringBuilder(_untaintedString + _taintedValue + _untaintedString, 100)); } [Fact] public void GivenATaintedString_WhenCreateStringBuilderCapacity_ResultIsNotTainted3() { AssertUntaintedWithOriginalCallCheck("UntaintedString", - new StringBuilder(_untaintedString, 100), - () => new StringBuilder(_untaintedString, 100)); + new System.Text.StringBuilder(_untaintedString, 100), + () => new System.Text.StringBuilder(_untaintedString, 100)); } [Fact] public void GivenATaintedString_WhenCreateStringBuilderCapacity_ResultIsNotTainted4() { - AssertUntaintedWithOriginalCallCheck(string.Empty, new StringBuilder(null, 3), () => new StringBuilder(null, 3)); + AssertUntaintedWithOriginalCallCheck(string.Empty, new System.Text.StringBuilder(null, 3), () => new System.Text.StringBuilder(null, 3)); } [Fact] public void GivenATaintedString_WhenCallingNewStringBuilderWithMaxLenght_ResultIsTainted3() { - AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:", new StringBuilder(_taintedValue, 500).ToString(), () => new StringBuilder(_taintedValue, 500).ToString()); + AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:", new System.Text.StringBuilder(_taintedValue, 500).ToString(), () => new System.Text.StringBuilder(_taintedValue, 500).ToString()); } [Fact] public void GivenATaintedString_WhenCallingNewStringBuilderWithMaxLenght_ResultIsTainted4() { - new StringBuilder(null, 500).ToString().Should().Be(String.Empty); + new System.Text.StringBuilder(null, 500).ToString().Should().Be(System.String.Empty); } [Fact] public void GivenATaintedString_WhenCallingNewStringBuilderWithWrongMaxLenght_ArgumentOutOfRangeException() { - Assert.Throws(() => new StringBuilder(_taintedValue, -500)); + Assert.Throws(() => new System.Text.StringBuilder(_taintedValue, -500)); } [Fact] public void GivenATaintedString_WhenCreateStringBuilderCapacity_ResultIsNotTainted5() { AssertUntaintedWithOriginalCallCheck("UntaintedString", - new StringBuilder(_untaintedString, 1), - () => new StringBuilder(_untaintedString, 1)); + new System.Text.StringBuilder(_untaintedString, 1), + () => new System.Text.StringBuilder(_untaintedString, 1)); } // System.Text.StringBuilder::.ctor(System.String,System.Int32,System.Int32,System.Int32) @@ -152,73 +149,73 @@ public void GivenATaintedString_WhenCreateStringBuilderCapacity_ResultIsNotTaint [Fact] public void GivenATaintedString_WhenCreateStringBuilderCapacityOffsets_ResultIsTainted() { - AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:", new StringBuilder(_taintedValue, 0, 7, 10), () => new StringBuilder(_taintedValue)); + AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:", new System.Text.StringBuilder(_taintedValue, 0, 7, 10), () => new System.Text.StringBuilder(_taintedValue)); } [Fact] public void GivenATaintedString_WhenCreateStringBuilderCapacityOffsets_ResultIsTainted2() { AssertTaintedFormatWithOriginalCallCheck(":+-in-+:", - new StringBuilder(_taintedValue, 2, 2, 10), - () => new StringBuilder(_taintedValue, 2, 2, 10)); + new System.Text.StringBuilder(_taintedValue, 2, 2, 10), + () => new System.Text.StringBuilder(_taintedValue, 2, 2, 10)); } [Fact] public void GivenATaintedString_WhenCreateStringBuilderCapacityOffsets_ResultIsTainted3() { AssertTaintedFormatWithOriginalCallCheck("intedString:+-tain-+:", - new StringBuilder(_untaintedString + _taintedValue + _untaintedString, 4, 15, 22), - () => new StringBuilder(_untaintedString + _taintedValue + _untaintedString, 4, 15, 22)); + new System.Text.StringBuilder(_untaintedString + _taintedValue + _untaintedString, 4, 15, 22), + () => new System.Text.StringBuilder(_untaintedString + _taintedValue + _untaintedString, 4, 15, 22)); } [Fact] public void GivenATaintedString_WhenCreateStringBuilderCapacityOffsets_ResultIsNotTainted3() { AssertUntaintedWithOriginalCallCheck("ta", - new StringBuilder(_untaintedString, 2, 2, 2), - () => new StringBuilder(_untaintedString, 2, 2, 2)); + new System.Text.StringBuilder(_untaintedString, 2, 2, 2), + () => new System.Text.StringBuilder(_untaintedString, 2, 2, 2)); } [Fact] public void GivenATaintedString_WhenCreateStringBuilderCapacityOffsets_ExceptionIsThrown() { - Assert.Throws(() => new StringBuilder(null, 2, 2, 2)); + Assert.Throws(() => new System.Text.StringBuilder(null, 2, 2, 2)); } [Fact] public void GivenATaintedString_WhenCreateStringBuilderCapacityOffsets_ExceptionIsThrown2() { - Assert.Throws(() => new StringBuilder(_taintedValue, -1, 3, 3)); + Assert.Throws(() => new System.Text.StringBuilder(_taintedValue, -1, 3, 3)); } [Fact] public void GivenATaintedString_WhenCreateStringBuilderCapacityOffsets_ExceptionIsThrown3() { - Assert.Throws(() => new StringBuilder(_taintedValue, 1, -3, 3)); + Assert.Throws(() => new System.Text.StringBuilder(_taintedValue, 1, -3, 3)); } [Fact] public void GivenATaintedString_WhenCreateStringBuilderCapacityOffsets_ExceptionIsThrown4() { - Assert.Throws(() => new StringBuilder(_taintedValue, 1, 3, -3)); + Assert.Throws(() => new System.Text.StringBuilder(_taintedValue, 1, 3, -3)); } [Fact] public void GivenATaintedString_WhenCreateStringBuilderCapacityOffsets_ExceptionIsThrown5() { - Assert.Throws(() => new StringBuilder(_taintedValue, 1, 300, 3)); + Assert.Throws(() => new System.Text.StringBuilder(_taintedValue, 1, 300, 3)); } [Fact] public void GivenATaintedString_WhenCreateStringBuilderCapacityOffsets_ExceptionIsThrown6() { - Assert.Throws(() => new StringBuilder(_taintedValue, 100, 3, 3)); + Assert.Throws(() => new System.Text.StringBuilder(_taintedValue, 100, 3, 3)); } [Fact] public void GivenATaintedString_WhenCallingNewStringBuilderWithSubString_ResultIsTainted() { - AssertTaintedFormatWithOriginalCallCheck(":+-inte-+:", new StringBuilder(_taintedValue, 2, 4, 100).ToString(), () => new StringBuilder(_taintedValue, 2, 4, 100).ToString()); + AssertTaintedFormatWithOriginalCallCheck(":+-inte-+:", new System.Text.StringBuilder(_taintedValue, 2, 4, 100).ToString(), () => new System.Text.StringBuilder(_taintedValue, 2, 4, 100).ToString()); } // System.Text.StringBuilder::ToString(System.Int32,System.Int32) @@ -227,46 +224,46 @@ public void GivenATaintedString_WhenCallingNewStringBuilderWithSubString_ResultI public void GivenATaintedString_WhenCallingStringBuilderToString_ResultIsTainted() { AssertTaintedFormatWithOriginalCallCheck(":+-ta-+:", - new StringBuilder(_taintedValue).ToString(0, 2), - () => new StringBuilder(_taintedValue).ToString(0, 2)); + new System.Text.StringBuilder(_taintedValue).ToString(0, 2), + () => new System.Text.StringBuilder(_taintedValue).ToString(0, 2)); } [Fact] public void GivenATaintedString_WhenCallingStringBuilderToString_ResultIsTainted2() { AssertTaintedFormatWithOriginalCallCheck(":+-in-+:", - new StringBuilder(_taintedValue).ToString(2, 2), - () => new StringBuilder(_taintedValue).ToString(2, 2)); + new System.Text.StringBuilder(_taintedValue).ToString(2, 2), + () => new System.Text.StringBuilder(_taintedValue).ToString(2, 2)); } [Fact] public void GivenATaintedString_WhenCallingStringBuilderToString_ResultIsTainted3() { - Assert.Throws(() => new StringBuilder(_taintedValue).ToString(-1, 2)); + Assert.Throws(() => new System.Text.StringBuilder(_taintedValue).ToString(-1, 2)); } [Fact] public void GivenATaintedString_WhenCallingStringBuilderToString_ResultIsTainted4() { - Assert.Throws(() => new StringBuilder(_taintedValue).ToString(1, -2)); + Assert.Throws(() => new System.Text.StringBuilder(_taintedValue).ToString(1, -2)); } [Fact] public void GivenATaintedString_WhenCallingStringBuilderToString_ResultIsTainted5() { - Assert.Throws(() => new StringBuilder(_taintedValue).ToString(1, 332)); + Assert.Throws(() => new System.Text.StringBuilder(_taintedValue).ToString(1, 332)); } [Fact] public void GivenATaintedString_WhenCallingNewStringBuilderWithWrongSubString_ArgumentOutOfRangeException6() { - Assert.Throws(() => new StringBuilder(_taintedValue).ToString(200, 2)); + Assert.Throws(() => new System.Text.StringBuilder(_taintedValue).ToString(200, 2)); } [Fact] public void GivenATaintedString_WhenCallingNewStringBuilderToString2Params_ResultIsTainted() { - AssertTaintedFormatWithOriginalCallCheck(":+-int-+:", new StringBuilder(_taintedValue).ToString(2, 3), () => new StringBuilder(_taintedValue).ToString(2, 3)); + AssertTaintedFormatWithOriginalCallCheck(":+-int-+:", new System.Text.StringBuilder(_taintedValue).ToString(2, 3), () => new System.Text.StringBuilder(_taintedValue).ToString(2, 3)); } // Ranges validation @@ -274,8 +271,8 @@ public void GivenATaintedString_WhenCallingNewStringBuilderToString2Params_Resul [Fact] public void GivenAStringBuilder_WhenUsingNotCoveredMethod_RangesAreOk() { - var stringBuilder = new StringBuilder().Append(_taintedValue); - MethodInfo replaceMethod = typeof(StringBuilder).GetMethod("Replace", new Type[] {typeof(string), typeof(string) }); + var stringBuilder = new System.Text.StringBuilder().Append(_taintedValue); + MethodInfo replaceMethod = typeof(System.Text.StringBuilder).GetMethod("Replace", new Type[] {typeof(string), typeof(string) }); replaceMethod.Invoke(stringBuilder, new object[] { _taintedValue, "a" }); var mystring = stringBuilder.ToString(); ValidateRanges(mystring); @@ -284,8 +281,8 @@ public void GivenAStringBuilder_WhenUsingNotCoveredMethod_RangesAreOk() [Fact] public void GivenAStringBuilder_WhenUsingNotCoveredMethod_RangesAreOk2() { - var stringBuilder = new StringBuilder().Append(_taintedValue + _taintedValue); - MethodInfo replaceMethod = typeof(StringBuilder).GetMethod("Replace", new Type[] { typeof(string), typeof(string) }); + var stringBuilder = new System.Text.StringBuilder().Append(_taintedValue + _taintedValue); + MethodInfo replaceMethod = typeof(System.Text.StringBuilder).GetMethod("Replace", new Type[] { typeof(string), typeof(string) }); replaceMethod.Invoke(stringBuilder, new object[] { _taintedValue + _taintedValue, _taintedValue }); var mystring = stringBuilder.ToString(); ValidateRanges(mystring); @@ -294,13 +291,13 @@ public void GivenAStringBuilder_WhenUsingNotCoveredMethod_RangesAreOk2() [Fact] public void GivenAStringBuilder_WhenUsingNotCoveredMethod_RangesAreOk3() { - var stringBuilder = new StringBuilder(_taintedValue); + var stringBuilder = new System.Text.StringBuilder(_taintedValue); for (int i = 0; i < 100; i++) { stringBuilder.Append(_taintedValue); } - MethodInfo replaceMethod = typeof(StringBuilder).GetMethod("Replace", new Type[] { typeof(string), typeof(string) }); + MethodInfo replaceMethod = typeof(System.Text.StringBuilder).GetMethod("Replace", new Type[] { typeof(string), typeof(string) }); replaceMethod.Invoke(stringBuilder, new object[] { _taintedValue, string.Empty}); stringBuilder.Append(_taintedValue); @@ -319,8 +316,8 @@ public void GivenAStringBuilder_WhenUsingNotCoveredMethod_RangesAreOk3() [Fact] public void GivenAStringBuilder_WhenUsingNotCoveredMethod_RangesAreOk4() { - var stringBuilder = new StringBuilder().Append("aw" + _taintedValue); - MethodInfo replaceMethod = typeof(StringBuilder).GetMethod("Replace", new Type[] { typeof(string), typeof(string) }); + var stringBuilder = new System.Text.StringBuilder().Append("aw" + _taintedValue); + MethodInfo replaceMethod = typeof(System.Text.StringBuilder).GetMethod("Replace", new Type[] { typeof(string), typeof(string) }); replaceMethod.Invoke(stringBuilder, new object[] { "wtainted" , string.Empty}); var mystring = stringBuilder.ToString(); ValidateRanges(mystring); @@ -329,8 +326,8 @@ public void GivenAStringBuilder_WhenUsingNotCoveredMethod_RangesAreOk4() [Fact] public void GivenAStringBuilder_WhenUsingNotCoveredMethod_RangesAreOk5() { - var stringBuilder = new StringBuilder().Append("aw" + _taintedValue + _taintedValue); - MethodInfo replaceMethod = typeof(StringBuilder).GetMethod("Replace", new Type[] { typeof(string), typeof(string) }); + var stringBuilder = new System.Text.StringBuilder().Append("aw" + _taintedValue + _taintedValue); + MethodInfo replaceMethod = typeof(System.Text.StringBuilder).GetMethod("Replace", new Type[] { typeof(string), typeof(string) }); replaceMethod.Invoke(stringBuilder, new object[] { "wtainted", string.Empty }); var mystring = stringBuilder.ToString(); ValidateRanges(mystring); @@ -340,8 +337,8 @@ public void GivenAStringBuilder_WhenUsingNotCoveredMethod_RangesAreOk5() [Fact] public void GivenAStringBuilder_WhenUsingNotCoveredMethod_RangesAreOk6() { - var stringBuilder = new StringBuilder().Append(_taintedValue + "aw" + _taintedValue); - MethodInfo replaceMethod = typeof(StringBuilder).GetMethod("Replace", new Type[] { typeof(string), typeof(string) }); + var stringBuilder = new System.Text.StringBuilder().Append(_taintedValue + "aw" + _taintedValue); + MethodInfo replaceMethod = typeof(System.Text.StringBuilder).GetMethod("Replace", new Type[] { typeof(string), typeof(string) }); replaceMethod.Invoke(stringBuilder, new object[] { "wtainted", string.Empty }); var mystring = stringBuilder.ToString(); ValidateRanges(mystring); @@ -353,7 +350,7 @@ public void GivenAStringBuilder_WhenUsingNotCoveredMethod_RangesAreOk6() [Fact] public void GivenATaintedString_WhenChangingLength_ResultIsTainted() { - var stringBuilder = new StringBuilder(_taintedValue); + var stringBuilder = new System.Text.StringBuilder(_taintedValue); stringBuilder.Length = 2; FormatTainted(stringBuilder.ToString()).Should().Be(":+-ta-+:"); } @@ -361,7 +358,7 @@ public void GivenATaintedString_WhenChangingLength_ResultIsTainted() [Fact] public void GivenATaintedString_WhenChangingLength_ResultIsTainted2() { - var stringBuilder = new StringBuilder(_taintedValue); + var stringBuilder = new System.Text.StringBuilder(_taintedValue); stringBuilder.Length = 10; AssertTainted(stringBuilder); } @@ -369,7 +366,7 @@ public void GivenATaintedString_WhenChangingLength_ResultIsTainted2() [Fact] public void GivenATaintedString_WhenChangingLength_ResultIsTainted4() { - var stringBuilder = new StringBuilder(_taintedValue); + var stringBuilder = new System.Text.StringBuilder(_taintedValue); Assert.Throws(() => stringBuilder.Length = -1); } } diff --git a/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/StringBuilder/StringBuilderCopyToTests.cs b/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Propagation/StringBuilder/StringBuilderCopyToTests.cs similarity index 64% rename from tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/StringBuilder/StringBuilderCopyToTests.cs rename to tracer/test/test-applications/integrations/Samples.InstrumentedTests/Propagation/StringBuilder/StringBuilderCopyToTests.cs index 60dbd5eefe51..fdeb7c39266d 100644 --- a/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/StringBuilder/StringBuilderCopyToTests.cs +++ b/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Propagation/StringBuilder/StringBuilderCopyToTests.cs @@ -1,11 +1,12 @@ -using System.Text; using Xunit; -namespace Samples.InstrumentedTests.Iast.Vulnerabilities.StringBuilderPropagation; + +namespace Samples.InstrumentedTests.Iast.Propagation.StringBuilder; public class StringBuilderCopyToTests : InstrumentationTestsBase { private string _taintedValue = "tainted"; + public StringBuilderCopyToTests() { AddTainted(_taintedValue); @@ -15,7 +16,7 @@ public StringBuilderCopyToTests() public void GivenATaintedString_WhenCallingCopyTo_ResultIsTainted() { char[] result = new char[20]; - new StringBuilder(_taintedValue).CopyTo(0, result, 0, 3); + new System.Text.StringBuilder(_taintedValue).CopyTo(0, result, 0, 3); AssertTainted(result); } @@ -30,8 +31,8 @@ public void GivenATaintedString_WhenCallingCopyToWrongArguments_ArgumentOutOfRan { char[] result = new char[20]; AssertUntaintedWithOriginalCallCheck( - () => new StringBuilder(_taintedValue).CopyTo(sourceIndex, result, destinationIndex, count), - () => new StringBuilder(_taintedValue).CopyTo(sourceIndex, result, destinationIndex, count)); + () => new System.Text.StringBuilder(_taintedValue).CopyTo(sourceIndex, result, destinationIndex, count), + () => new System.Text.StringBuilder(_taintedValue).CopyTo(sourceIndex, result, destinationIndex, count)); } [Fact] @@ -40,8 +41,8 @@ public void GivenATaintedString_WhenCallingCopyToWrongArguments_ArgumentNullExce char[] result = null; AssertUntaintedWithOriginalCallCheck( - () => new StringBuilder(_taintedValue).CopyTo(0, result, 1, 1), - () => new StringBuilder(_taintedValue).CopyTo(0, result, 1, 1)); + () => new System.Text.StringBuilder(_taintedValue).CopyTo(0, result, 1, 1), + () => new System.Text.StringBuilder(_taintedValue).CopyTo(0, result, 1, 1)); } } diff --git a/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/StringBuilder/StringBuilderInsertTests.cs b/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Propagation/StringBuilder/StringBuilderInsertTests.cs similarity index 70% rename from tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/StringBuilder/StringBuilderInsertTests.cs rename to tracer/test/test-applications/integrations/Samples.InstrumentedTests/Propagation/StringBuilder/StringBuilderInsertTests.cs index 0bc220a69134..07ec9fc488de 100644 --- a/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/StringBuilder/StringBuilderInsertTests.cs +++ b/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Propagation/StringBuilder/StringBuilderInsertTests.cs @@ -1,13 +1,12 @@ using System.Text; using Xunit; - -namespace Samples.InstrumentedTests.Iast.Vulnerabilities.StringBuilderPropagation; +namespace Samples.InstrumentedTests.Iast.Propagation.StringBuilder; public class StringBuilderInsertTests : InstrumentationTestsBase { private string _taintedValue = "tainted"; private string _taintedValue2 = "TAINTED2"; private string _untaintedString = "UntaintedString"; - private StringBuilder _taintedStringBuilder = new StringBuilder("TaintedStringBuilder"); + private System.Text.StringBuilder _taintedStringBuilder = new System.Text.StringBuilder("TaintedStringBuilder"); private string _taintedString = "TaintedString"; private char[] _untaintedCharArray = "UntaintedCharArray".ToCharArray(); private char[] _taintedCharArray = "TaintedString".ToCharArray(); @@ -27,8 +26,8 @@ public StringBuilderInsertTests() public void GivenATaintedString_WhenCallingStringBuilderInsertNullString_ResultIsTainted() { AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:", - new StringBuilder(_taintedValue).Insert(3, (string)null).ToString(), - () => new StringBuilder(_taintedValue).Insert(3, (string)null).ToString()); + new System.Text.StringBuilder(_taintedValue).Insert(3, (string)null).ToString(), + () => new System.Text.StringBuilder(_taintedValue).Insert(3, (string)null).ToString()); } [Fact] @@ -36,8 +35,8 @@ public void GivenANullString_WhenCallingStringBuilderInsertObject_ResultIsNotTai { int index = 2; AssertUntaintedWithOriginalCallCheck( - () => ((StringBuilder)null).Insert(index, _untaintedString), - () => ((StringBuilder)null).Insert(index, _untaintedString)); + () => ((System.Text.StringBuilder)null).Insert(index, _untaintedString), + () => ((System.Text.StringBuilder)null).Insert(index, _untaintedString)); } [Fact] @@ -99,16 +98,16 @@ public void GivenATaintedString_WhenCallingStringBuilderInsertObject_ResultIsTai public void GivenATaintedString_WhenCallingStringBuilderInsertString_ResultIsTainted() { AssertTaintedFormatWithOriginalCallCheck(":+-tai-+:www:+-nted-+:", - new StringBuilder(_taintedValue).Insert(3, "www").ToString(), - () => new StringBuilder(_taintedValue).Insert(3, "www").ToString()); + new System.Text.StringBuilder(_taintedValue).Insert(3, "www").ToString(), + () => new System.Text.StringBuilder(_taintedValue).Insert(3, "www").ToString()); } [Fact] public void GivenATaintedString_WhenCallingStringBuilderInsertStringTainted_ResultIsTainted() { AssertTaintedFormatWithOriginalCallCheck(":+-tai-+::+-TAINTED2-+::+-nted-+:", - new StringBuilder(_taintedValue).Insert(3, _taintedValue2).ToString(), - () => new StringBuilder(_taintedValue).Insert(3, _taintedValue2).ToString()); + new System.Text.StringBuilder(_taintedValue).Insert(3, _taintedValue2).ToString(), + () => new System.Text.StringBuilder(_taintedValue).Insert(3, _taintedValue2).ToString()); } // test System.Text.StringBuilder::Insert(System.Int32,System.String,System.Int32) @@ -121,24 +120,24 @@ public void GivenATaintedString_WhenCallingStringBuilderInsertStringAndCount_Res string expected, int index, string value, int count) { AssertTaintedFormatWithOriginalCallCheck(expected, - new StringBuilder(_taintedValue).Insert(index, value, count).ToString(), - () => new StringBuilder(_taintedValue).Insert(index, value, count).ToString()); + new System.Text.StringBuilder(_taintedValue).Insert(index, value, count).ToString(), + () => new System.Text.StringBuilder(_taintedValue).Insert(index, value, count).ToString()); } [Fact] public void GivenATaintedString_WhenCallingStringBuilderInsertStringTaintedAndCount1_ResultIsTainted() { AssertTaintedFormatWithOriginalCallCheck(":+-tai-+::+-TAINTED2-+::+-nted-+:", - new StringBuilder(_taintedValue).Insert(3, _taintedValue2, 1).ToString(), - () => new StringBuilder(_taintedValue).Insert(3, _taintedValue2, 1).ToString()); + new System.Text.StringBuilder(_taintedValue).Insert(3, _taintedValue2, 1).ToString(), + () => new System.Text.StringBuilder(_taintedValue).Insert(3, _taintedValue2, 1).ToString()); } [Fact] public void GivenATaintedString_WhenCallingStringBuilderInsertStringTaintedAndCount_ResultIsTainted() { AssertTaintedFormatWithOriginalCallCheck(":+-tai-+::+-TAINTED2-+::+-TAINTED2-+::+-nted-+:", - new StringBuilder(_taintedValue).Insert(3, _taintedValue2, 2).ToString(), - () => new StringBuilder(_taintedValue).Insert(3, _taintedValue2, 2).ToString()); + new System.Text.StringBuilder(_taintedValue).Insert(3, _taintedValue2, 2).ToString(), + () => new System.Text.StringBuilder(_taintedValue).Insert(3, _taintedValue2, 2).ToString()); } // test System.Text.StringBuilder::Insert(System.Int32,System.Char) @@ -147,8 +146,8 @@ public void GivenATaintedString_WhenCallingStringBuilderInsertStringTaintedAndCo public void GivenATaintedString_WhenCallingStringBuilderInsertChar_ResultIsTainted() { AssertTaintedFormatWithOriginalCallCheck(":+-tai-+:d:+-nted-+:", - new StringBuilder(_taintedValue).Insert(3, 'd').ToString(), - () => new StringBuilder(_taintedValue).Insert(3, 'd').ToString()); + new System.Text.StringBuilder(_taintedValue).Insert(3, 'd').ToString(), + () => new System.Text.StringBuilder(_taintedValue).Insert(3, 'd').ToString()); } // test System.Text.StringBuilder::Insert(System.Int32,System.Char[]) @@ -157,40 +156,40 @@ public void GivenATaintedString_WhenCallingStringBuilderInsertChar_ResultIsTaint public void GivenATaintedString_WhenCallingStringBuilderInsertCharArray_ResultIsTainted() { AssertTaintedFormatWithOriginalCallCheck(":+-tai-+:er:+-nted-+:", - new StringBuilder(_taintedValue).Insert(3, new char[] { 'e', 'r' }).ToString(), - () => new StringBuilder(_taintedValue).Insert(3, new char[] { 'e', 'r' }).ToString()); + new System.Text.StringBuilder(_taintedValue).Insert(3, new char[] { 'e', 'r' }).ToString(), + () => new System.Text.StringBuilder(_taintedValue).Insert(3, new char[] { 'e', 'r' }).ToString()); } [Fact] public void GivenATaintedString_WhenCallingStringBuilderInsertCharArrayEmpty_ResultIsTainted() { AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:", - new StringBuilder(_taintedValue).Insert(3, new char[] { }).ToString(), - () => new StringBuilder(_taintedValue).Insert(3, new char[] { }).ToString()); + new System.Text.StringBuilder(_taintedValue).Insert(3, new char[] { }).ToString(), + () => new System.Text.StringBuilder(_taintedValue).Insert(3, new char[] { }).ToString()); } [Fact] public void GivenATaintedString_WhenCallingStringBuilderInsertCharArrayNull_ResultIsTainted() { AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:", - new StringBuilder(_taintedValue).Insert(3, (char[])null).ToString(), - () => new StringBuilder(_taintedValue).Insert(3, (char[])null).ToString()); + new System.Text.StringBuilder(_taintedValue).Insert(3, (char[])null).ToString(), + () => new System.Text.StringBuilder(_taintedValue).Insert(3, (char[])null).ToString()); } [Fact] public void GivenATaintedString_WhenCallingStringBuilderInsertCharArrayTainted_ResultIsTainted() { AssertTaintedFormatWithOriginalCallCheck(":+-tai-+::+-TAINTED2-+::+-nted-+:", - new StringBuilder(_taintedValue).Insert(3, _taintedValue2.ToCharArray()).ToString(), - () => new StringBuilder(_taintedValue).Insert(3, _taintedValue2.ToCharArray()).ToString()); + new System.Text.StringBuilder(_taintedValue).Insert(3, _taintedValue2.ToCharArray()).ToString(), + () => new System.Text.StringBuilder(_taintedValue).Insert(3, _taintedValue2.ToCharArray()).ToString()); } [Fact] //[ExpectedException(typeof(ArgumentOutOfRangeException))] public void GivenATaintedString_WhenCallingStringBuilderInsertCharArrayBadIndex_ArgumentOutOfRangeException() { - AssertUntaintedWithOriginalCallCheck(() => new StringBuilder(_taintedValue).Insert(-3, new char[] { 'e', 'r' }), - () => new StringBuilder(_taintedValue).Insert(-3, new char[] { 'e', 'r' })); + AssertUntaintedWithOriginalCallCheck(() => new System.Text.StringBuilder(_taintedValue).Insert(-3, new char[] { 'e', 'r' }), + () => new System.Text.StringBuilder(_taintedValue).Insert(-3, new char[] { 'e', 'r' })); } // test System.Text.StringBuilder::Insert(System.Int32,System.Char[],System.Int32,System.Int32) @@ -199,8 +198,8 @@ public void GivenATaintedString_WhenCallingStringBuilderInsertCharArrayBadIndex_ public void GivenATaintedString_WhenCallingStringBuilderInsertCharArrayTaintedAndCount_ResultIsTainted() { AssertTaintedFormatWithOriginalCallCheck(":+-tai-+::+-NTE-+::+-nted-+:", - new StringBuilder(_taintedValue).Insert(3, _taintedValue2.ToCharArray(), 3, 3).ToString(), - () => new StringBuilder(_taintedValue).Insert(3, _taintedValue2.ToCharArray(), 3, 3).ToString()); + new System.Text.StringBuilder(_taintedValue).Insert(3, _taintedValue2.ToCharArray(), 3, 3).ToString(), + () => new System.Text.StringBuilder(_taintedValue).Insert(3, _taintedValue2.ToCharArray(), 3, 3).ToString()); } [Theory] @@ -211,8 +210,8 @@ public void GivenATaintedString_WhenCallingStringBuilderInsertCharArrayTaintedAn public void GivenATaintedString_WhenCallingStringBuilderInsertCharArrayTaintedAndWrongIndex_ArgumentOutOfRangeException(int startIndex, int charCount) { AssertUntaintedWithOriginalCallCheck( - () => new StringBuilder(_taintedValue).Insert(3, _taintedValue2.ToCharArray(), startIndex, charCount), - () => new StringBuilder(_taintedValue).Insert(3, _taintedValue2.ToCharArray(), startIndex, charCount)); + () => new System.Text.StringBuilder(_taintedValue).Insert(3, _taintedValue2.ToCharArray(), startIndex, charCount), + () => new System.Text.StringBuilder(_taintedValue).Insert(3, _taintedValue2.ToCharArray(), startIndex, charCount)); } // test System.Text.StringBuilder::Insert(System.Int32,System.Int32) @@ -220,8 +219,8 @@ public void GivenATaintedString_WhenCallingStringBuilderInsertCharArrayTaintedAn [Fact] public void StringBuilder_Insert_Int_With_Untainted() { - var check = new StringBuilder("TaintedStringBuilder"); - var tainted = new StringBuilder("TaintedStringBuilder"); + var check = new System.Text.StringBuilder("TaintedStringBuilder"); + var tainted = new System.Text.StringBuilder("TaintedStringBuilder"); AddTainted(tainted); AssertTaintedFormatWithOriginalCallCheck("10:+-TaintedStringBuilder-+:", @@ -233,8 +232,8 @@ public void StringBuilder_Insert_Int_With_Untainted() public void GivenATaintedString_WhenCallingStringBuilderInsertInt_ResultIsTainted() { AssertTaintedFormatWithOriginalCallCheck(":+-tai-+:12:+-nted-+:", - new StringBuilder(_taintedValue).Insert(3, 12).ToString(), - () => new StringBuilder(_taintedValue).Insert(3, (int)12).ToString()); + new System.Text.StringBuilder(_taintedValue).Insert(3, 12).ToString(), + () => new System.Text.StringBuilder(_taintedValue).Insert(3, (int)12).ToString()); } // test System.Text.StringBuilder::Insert(System.Int32,System.Int64) @@ -251,8 +250,8 @@ public void GivenATaintedString_WhenCallingStringBuilderInsertObject_ResultIsTai public void GivenATaintedString_WhenCallingStringBuilderInsertLong_ResultIsTainted() { AssertTaintedFormatWithOriginalCallCheck(":+-tai-+:12:+-nted-+:", - new StringBuilder(_taintedValue).Insert(3, (long)12).ToString(), - () => new StringBuilder(_taintedValue).Insert(3, (long)12).ToString()); + new System.Text.StringBuilder(_taintedValue).Insert(3, (long)12).ToString(), + () => new System.Text.StringBuilder(_taintedValue).Insert(3, (long)12).ToString()); } // test System.Text.StringBuilder::Insert(System.Int32,System.Single) @@ -270,8 +269,8 @@ public void GivenATaintedString_WhenCallingStringBuilderInsertObject_ResultIsTai public void GivenATaintedString_WhenCallingStringBuilderInsertfloat_ResultIsTainted() { AssertTaintedFormatWithOriginalCallCheck(":+-tai-+:33:+-nted-+:", - new StringBuilder(_taintedValue).Insert(3, (float)33).ToString(), - () => new StringBuilder(_taintedValue).Insert(3, (float)33).ToString()); + new System.Text.StringBuilder(_taintedValue).Insert(3, (float)33).ToString(), + () => new System.Text.StringBuilder(_taintedValue).Insert(3, (float)33).ToString()); } // test System.Text.StringBuilder::Insert(System.Int32,System.Double) @@ -300,8 +299,8 @@ public void GivenATaintedString_WhenCallingStringBuilderInsertObject_ResultIsTai public void GivenATaintedString_WhenCallingStringBuilderInsertdecimal_ResultIsTainted() { AssertTaintedFormatWithOriginalCallCheck(":+-tai-+:33:+-nted-+:", - new StringBuilder(_taintedValue).Insert(3, (decimal)33).ToString(), - () => new StringBuilder(_taintedValue).Insert(3, (decimal)33).ToString()); + new System.Text.StringBuilder(_taintedValue).Insert(3, (decimal)33).ToString(), + () => new System.Text.StringBuilder(_taintedValue).Insert(3, (decimal)33).ToString()); } // test System.Text.StringBuilder::Insert(System.Int32,System.UInt16) @@ -319,8 +318,8 @@ public void GivenATaintedString_WhenCallingStringBuilderInsertObject_ResultIsTai public void GivenATaintedString_WhenCallingStringBuilderInsertushort_ResultIsTainted() { AssertTaintedFormatWithOriginalCallCheck(":+-tai-+:33:+-nted-+:", - new StringBuilder(_taintedValue).Insert(3, (ushort)33).ToString(), - () => new StringBuilder(_taintedValue).Insert(3, (ushort)33).ToString()); + new System.Text.StringBuilder(_taintedValue).Insert(3, (ushort)33).ToString(), + () => new System.Text.StringBuilder(_taintedValue).Insert(3, (ushort)33).ToString()); } // test System.Text.StringBuilder::Insert(System.Int32,System.UInt32) @@ -338,8 +337,8 @@ public void GivenATaintedString_WhenCallingStringBuilderInsertObject_ResultIsTai public void GivenATaintedString_WhenCallingStringBuilderInsertuint_ResultIsTainted() { AssertTaintedFormatWithOriginalCallCheck(":+-tai-+:33:+-nted-+:", - new StringBuilder(_taintedValue).Insert(3, (uint)33).ToString(), - () => new StringBuilder(_taintedValue).Insert(3, (uint)33).ToString()); + new System.Text.StringBuilder(_taintedValue).Insert(3, (uint)33).ToString(), + () => new System.Text.StringBuilder(_taintedValue).Insert(3, (uint)33).ToString()); } // test System.Text.StringBuilder::Insert(System.Int32,System.UInt64) @@ -368,8 +367,8 @@ public void GivenATaintedString_WhenCallingStringBuilderInsertObject_ResultIsTai public void GivenATaintedString_WhenCallingStringBuilderInsertsbyte_ResultIsTainted() { AssertTaintedFormatWithOriginalCallCheck(":+-tai-+:33:+-nted-+:", - new StringBuilder(_taintedValue).Insert(3, (sbyte)33).ToString(), - () => new StringBuilder(_taintedValue).Insert(3, (sbyte)33).ToString()); + new System.Text.StringBuilder(_taintedValue).Insert(3, (sbyte)33).ToString(), + () => new System.Text.StringBuilder(_taintedValue).Insert(3, (sbyte)33).ToString()); } // test System.Text.StringBuilder::Insert(System.Int32,System.Byte) @@ -378,8 +377,8 @@ public void GivenATaintedString_WhenCallingStringBuilderInsertsbyte_ResultIsTain public void GivenATaintedString_WhenCallingStringBuilderInsertByte_ResultIsTainted() { AssertTaintedFormatWithOriginalCallCheck(":+-tai-+:12:+-nted-+:", - new StringBuilder(_taintedValue).Insert(3, (byte)12).ToString(), - () => new StringBuilder(_taintedValue).Insert(3, (byte)12).ToString()); + new System.Text.StringBuilder(_taintedValue).Insert(3, (byte)12).ToString(), + () => new System.Text.StringBuilder(_taintedValue).Insert(3, (byte)12).ToString()); } // test System.Text.StringBuilder::Insert(System.Int32,System.Int16) @@ -388,8 +387,8 @@ public void GivenATaintedString_WhenCallingStringBuilderInsertByte_ResultIsTaint public void GivenATaintedString_WhenCallingStringBuilderInsertshort_ResultIsTainted() { AssertTaintedFormatWithOriginalCallCheck(":+-tai-+:33:+-nted-+:", - new StringBuilder(_taintedValue).Insert(3, (short)33).ToString(), - () => new StringBuilder(_taintedValue).Insert(3, (short)33).ToString()); + new System.Text.StringBuilder(_taintedValue).Insert(3, (short)33).ToString(), + () => new System.Text.StringBuilder(_taintedValue).Insert(3, (short)33).ToString()); } // test System.Text.StringBuilder::Insert(System.Int32,System.Object) @@ -398,15 +397,15 @@ public void GivenATaintedString_WhenCallingStringBuilderInsertshort_ResultIsTain public void GivenATaintedString_WhenCallingStringBuilderInsertObject_ResultIsTainted() { AssertTaintedFormatWithOriginalCallCheck(":+-tai-+:www:+-nted-+:", - new StringBuilder(_taintedValue).Insert(3, (object)"www").ToString(), - () => new StringBuilder(_taintedValue).Insert(3, (object)"www").ToString()); + new System.Text.StringBuilder(_taintedValue).Insert(3, (object)"www").ToString(), + () => new System.Text.StringBuilder(_taintedValue).Insert(3, (object)"www").ToString()); } [Fact] public void GivenATaintedString_WhenCallingStringBuilderInsertObjectTainted_ResultIsTainted() { AssertTaintedFormatWithOriginalCallCheck(":+-tai-+::+-TAINTED2-+::+-nted-+:", - new StringBuilder(_taintedValue).Insert(3, (object)_taintedValue2).ToString(), - () => new StringBuilder(_taintedValue).Insert(3, (object)_taintedValue2).ToString()); + new System.Text.StringBuilder(_taintedValue).Insert(3, (object)_taintedValue2).ToString(), + () => new System.Text.StringBuilder(_taintedValue).Insert(3, (object)_taintedValue2).ToString()); } } diff --git a/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/StringBuilder/StringBuilderMaxRangesTests.cs b/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Propagation/StringBuilder/StringBuilderMaxRangesTests.cs similarity index 95% rename from tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/StringBuilder/StringBuilderMaxRangesTests.cs rename to tracer/test/test-applications/integrations/Samples.InstrumentedTests/Propagation/StringBuilder/StringBuilderMaxRangesTests.cs index 6a39bd633ea8..66ff53613645 100644 --- a/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/StringBuilder/StringBuilderMaxRangesTests.cs +++ b/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Propagation/StringBuilder/StringBuilderMaxRangesTests.cs @@ -1,7 +1,7 @@ using System.Text; using Xunit; -namespace Samples.InstrumentedTests.Iast.Vulnerabilities.StringBuilderPropagation; +namespace Samples.InstrumentedTests.Iast.Propagation.StringBuilder; public class StringBuilderMaxRanges : InstrumentationTestsBase { @@ -21,7 +21,7 @@ public void GivenATaintedObject_WithNotMaxedOutRanges_WhenCallingAppend_ResultTa var testString9 = AddTaintedString("9"); var testString10 = AddTaintedString("10"); - var sb = new StringBuilder(); + var sb = new System.Text.StringBuilder(); sb.Append(testString1); sb.Append(UntaintedString); sb.Append(testString2); @@ -63,7 +63,7 @@ public void GivenATaintedObject_WithMaxedOutRanges_WhenCallingAppend_ResultTaint var testString10 = AddTaintedString("10"); var testString11 = AddTaintedString("11"); - var sb = new StringBuilder(); + var sb = new System.Text.StringBuilder(); sb.Append(testString1); sb.Append(UntaintedString); sb.Append(testString2); diff --git a/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/StringBuilder/StringBuilderRemoveTests.cs b/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Propagation/StringBuilder/StringBuilderRemoveTests.cs similarity index 74% rename from tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/StringBuilder/StringBuilderRemoveTests.cs rename to tracer/test/test-applications/integrations/Samples.InstrumentedTests/Propagation/StringBuilder/StringBuilderRemoveTests.cs index a5241cd99184..e49d660cdae7 100644 --- a/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/StringBuilder/StringBuilderRemoveTests.cs +++ b/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Propagation/StringBuilder/StringBuilderRemoveTests.cs @@ -1,11 +1,12 @@ using System.Text; using Xunit; -namespace Samples.InstrumentedTests.Iast.Vulnerabilities.StringBuilderPropagation; + +namespace Samples.InstrumentedTests.Iast.Propagation.StringBuilder; public class StringBuilderRemoveTests : InstrumentationTestsBase { private string _taintedValue = "tainted"; - //private StringBuilder _taintedStringBuilder = new StringBuilder("TaintedStringBuilder"); + //private StringBuilder _taintedStringBuilder = new System.Text.StringBuilder("TaintedStringBuilder"); private string _taintedString = "TaintedString"; private string _untaintedString = "UntaintedString"; @@ -19,8 +20,8 @@ public StringBuilderRemoveTests() [Fact] public void GivenATaintedString_WhenCallingStringBuilderRemoveTainted_ResultIsTainted() { - var check = new StringBuilder("TaintedStringBuilder"); - var tainted = new StringBuilder("TaintedStringBuilder"); + var check = new System.Text.StringBuilder("TaintedStringBuilder"); + var tainted = new System.Text.StringBuilder("TaintedStringBuilder"); AddTainted(tainted); AssertTaintedFormatWithOriginalCallCheck(":+-TaintedBuilder-+:", @@ -31,8 +32,8 @@ public void GivenATaintedString_WhenCallingStringBuilderRemoveTainted_ResultIsTa [Fact] public void GivenATaintedString_WhenCallingStringBuilderRemoveTainted_ResultIsTainted2() { - var check = new StringBuilder("TaintedStringBuilder"); - var tainted = new StringBuilder("TaintedStringBuilder"); + var check = new System.Text.StringBuilder("TaintedStringBuilder"); + var tainted = new System.Text.StringBuilder("TaintedStringBuilder"); AddTainted(tainted); tainted.Append(_untaintedString); @@ -46,8 +47,8 @@ public void GivenATaintedString_WhenCallingStringBuilderRemoveTainted_ResultIsTa [Fact] public void GivenATaintedString_WhenCallingStringBuilderRemoveTainted_ResultIsTainted3() { - var check = new StringBuilder("TaintedStringBuilder"); - var tainted = new StringBuilder("TaintedStringBuilder"); + var check = new System.Text.StringBuilder("TaintedStringBuilder"); + var tainted = new System.Text.StringBuilder("TaintedStringBuilder"); AddTainted(tainted); tainted.Append(_taintedString); @@ -61,8 +62,8 @@ public void GivenATaintedString_WhenCallingStringBuilderRemoveTainted_ResultIsTa [Fact] public void GivenATaintedString_WhenCallingStringBuilderRemoveTainted_ResultIsTainted4() { - var check = new StringBuilder("TaintedStringBuilder"); - var tainted = new StringBuilder("TaintedStringBuilder"); + var check = new System.Text.StringBuilder("TaintedStringBuilder"); + var tainted = new System.Text.StringBuilder("TaintedStringBuilder"); AddTainted(tainted); tainted.Append(_untaintedString).Append(_taintedString); @@ -76,8 +77,8 @@ public void GivenATaintedString_WhenCallingStringBuilderRemoveTainted_ResultIsTa [Fact] public void GivenATaintedString_WhenCallingStringBuilderRemoveTainted_ResultIsTainted5() { - var check = new StringBuilder("TaintedStringBuilder"); - var tainted = new StringBuilder("TaintedStringBuilder"); + var check = new System.Text.StringBuilder("TaintedStringBuilder"); + var tainted = new System.Text.StringBuilder("TaintedStringBuilder"); AddTainted(tainted); tainted.Append(_untaintedString).Append(_taintedString); @@ -108,16 +109,16 @@ public void GivenATaintedString_WhenCallingStringBuilderRemoveTainted_ResultIsTa public void GivenATaintedString_WhenCallingStringBuilderRemoveTainted_ResultIsTainted8() { AssertTaintedFormatWithOriginalCallCheck(":+-taid-+:", - new StringBuilder(_taintedValue).Remove(3, 3).ToString(), - () => new StringBuilder(_taintedValue).Remove(3, 3).ToString()); + new System.Text.StringBuilder(_taintedValue).Remove(3, 3).ToString(), + () => new System.Text.StringBuilder(_taintedValue).Remove(3, 3).ToString()); } [Fact] public void GivenATaintedString_WhenCallingStringBuilderRemoveTainted_ResultIsTainted9() { AssertTaintedFormatWithOriginalCallCheck(":+-taid-+:abc", - new StringBuilder(_taintedValue).Append("abc").Remove(3, 3).ToString(), - () => new StringBuilder(_taintedValue).Append("abc").Remove(3, 3).ToString()); + new System.Text.StringBuilder(_taintedValue).Append("abc").Remove(3, 3).ToString(), + () => new System.Text.StringBuilder(_taintedValue).Append("abc").Remove(3, 3).ToString()); } [Theory] @@ -128,8 +129,8 @@ public void GivenATaintedString_WhenCallingStringBuilderRemoveTainted_ResultIsTa public void GivenATaintedString_WhenCallingStringBuilderRemoveTaintedWrongAnguments_ArgumentOutOfRangeException(int index1, int index2) { AssertUntaintedWithOriginalCallCheck( - () => new StringBuilder(_taintedValue).Remove(index1, index2), - () => new StringBuilder(_taintedValue).Remove(index1, index2)); + () => new System.Text.StringBuilder(_taintedValue).Remove(index1, index2), + () => new System.Text.StringBuilder(_taintedValue).Remove(index1, index2)); } } diff --git a/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/StringBuilder/StringBuilderReplaceTests.cs b/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Propagation/StringBuilder/StringBuilderReplaceTests.cs similarity index 64% rename from tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/StringBuilder/StringBuilderReplaceTests.cs rename to tracer/test/test-applications/integrations/Samples.InstrumentedTests/Propagation/StringBuilder/StringBuilderReplaceTests.cs index 9da71eee6e86..0104a65dff93 100644 --- a/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/StringBuilder/StringBuilderReplaceTests.cs +++ b/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Propagation/StringBuilder/StringBuilderReplaceTests.cs @@ -1,7 +1,7 @@ using System.Text; using Xunit; -namespace Samples.InstrumentedTests.Iast.Vulnerabilities.StringBuilderPropagation; +namespace Samples.InstrumentedTests.Iast.Propagation.StringBuilder; public class StringBuilderReplaceTests : InstrumentationTestsBase { private string _taintedValue = "tainted"; @@ -85,56 +85,56 @@ public void TestReplace() public void GivenATaintedString_WhenCallingStringBuilderReplaceCharTainted_ResultIsTainted() { AssertTaintedFormatWithOriginalCallCheck(":+-TainTed-+:", - new StringBuilder(_taintedValue).Replace('t', 'T').ToString(), - () => new StringBuilder(_taintedValue).Replace('t', 'T').ToString()); + new System.Text.StringBuilder(_taintedValue).Replace('t', 'T').ToString(), + () => new System.Text.StringBuilder(_taintedValue).Replace('t', 'T').ToString()); } [Fact] public void GivenATaintedString_WhenCallingStringBuilderReplaceCharTaintedIndexCount_ResultIsTainted() { AssertTaintedFormatWithOriginalCallCheck(":+-tainTed-+:", - new StringBuilder(_taintedValue).Replace('t', 'T', 2, 5).ToString(), - () => new StringBuilder(_taintedValue).Replace('t', 'T', 2, 5).ToString()); + new System.Text.StringBuilder(_taintedValue).Replace('t', 'T', 2, 5).ToString(), + () => new System.Text.StringBuilder(_taintedValue).Replace('t', 'T', 2, 5).ToString()); } [Fact] public void GivenATaintedString_WhenCallingStringBuilderReplaceCharTaintedIndexCount_ResultIsTainted2() { AssertTaintedFormatWithOriginalCallCheck(":+-taintEd-+:", - new StringBuilder(_taintedValue).Replace('e', 'E', 2, 5).ToString(), - () => new StringBuilder(_taintedValue).Replace('e', 'E', 2, 5).ToString()); + new System.Text.StringBuilder(_taintedValue).Replace('e', 'E', 2, 5).ToString(), + () => new System.Text.StringBuilder(_taintedValue).Replace('e', 'E', 2, 5).ToString()); } [Fact] public void GivenATaintedString_WhenCallingStringBuilderReplaceCharTaintedIndexCount_ResultIsTainted3() { AssertTaintedFormatWithOriginalCallCheck(":+-tainted-+:", - new StringBuilder(_taintedValue).Replace('e', 'E', 2, 0).ToString(), - () => new StringBuilder(_taintedValue).Replace('e', 'E', 2, 0).ToString()); + new System.Text.StringBuilder(_taintedValue).Replace('e', 'E', 2, 0).ToString(), + () => new System.Text.StringBuilder(_taintedValue).Replace('e', 'E', 2, 0).ToString()); } [Fact] public void GivenATaintedString_WhenCallingStringBuilderReplaceCharTaintedIndexCount_ResultIsTainted4() { AssertTaintedFormatWithOriginalCallCheck(":+-taintEd-+:", - new StringBuilder(_taintedValue).Replace('e', 'E').ToString(), - () => new StringBuilder(_taintedValue).Replace('e', 'E').ToString()); + new System.Text.StringBuilder(_taintedValue).Replace('e', 'E').ToString(), + () => new System.Text.StringBuilder(_taintedValue).Replace('e', 'E').ToString()); } [Fact] public void GivenATaintedString_WhenCallingStringBuilderReplaceCharTaintedIndexCountWrongArguments_ArgumentOutOfRangeException() { AssertUntaintedWithOriginalCallCheck( - () => new StringBuilder(_taintedValue).Replace('t', 'T', -2, 2), - () => new StringBuilder(_taintedValue).Replace('t', 'T', -2, 2)); + () => new System.Text.StringBuilder(_taintedValue).Replace('t', 'T', -2, 2), + () => new System.Text.StringBuilder(_taintedValue).Replace('t', 'T', -2, 2)); } [Fact] public void GivenATaintedString_WhenCallingStringBuilderReplaceCharTaintedIndexCountWrongArguments_ArgumentOutOfRangeException2() { AssertUntaintedWithOriginalCallCheck( - () => new StringBuilder(_taintedValue).Replace('t', 'T', 200, 2), - () => new StringBuilder(_taintedValue).Replace('t', 'T', 200, 2)); + () => new System.Text.StringBuilder(_taintedValue).Replace('t', 'T', 200, 2), + () => new System.Text.StringBuilder(_taintedValue).Replace('t', 'T', 200, 2)); } [Fact] @@ -142,48 +142,48 @@ public void GivenATaintedString_WhenCallingStringBuilderReplaceCharTaintedIndexC public void GivenATaintedString_WhenCallingStringBuilderReplaceCharTaintedIndexCountWrongArguments_ArgumentOutOfRangeException3() { AssertUntaintedWithOriginalCallCheck( - () => new StringBuilder(_taintedValue).Replace('t', 'T', 2, -2), - () => new StringBuilder(_taintedValue).Replace('t', 'T', 2, -2)); + () => new System.Text.StringBuilder(_taintedValue).Replace('t', 'T', 2, -2), + () => new System.Text.StringBuilder(_taintedValue).Replace('t', 'T', 2, -2)); } [Fact] public void GivenATaintedString_WhenCallingStringBuilderReplaceStringTainted_ResultIsTainted() { AssertTaintedFormatWithOriginalCallCheck(":+-TainTed-+:", - new StringBuilder(_taintedValue).Replace("t", "T").ToString(), - () => new StringBuilder(_taintedValue).Replace("t", "T").ToString()); + new System.Text.StringBuilder(_taintedValue).Replace("t", "T").ToString(), + () => new System.Text.StringBuilder(_taintedValue).Replace("t", "T").ToString()); } [Fact] public void GivenATaintedString_WhenCallingStringBuilderReplaceStringTainted_ResultIsTainted3() { AssertTaintedFormatWithOriginalCallCheck(":+-TTTainTTTed-+:", - new StringBuilder(_taintedValue).Replace("t", "TTT").ToString(), - () => new StringBuilder(_taintedValue).Replace("t", "TTT").ToString()); + new System.Text.StringBuilder(_taintedValue).Replace("t", "TTT").ToString(), + () => new System.Text.StringBuilder(_taintedValue).Replace("t", "TTT").ToString()); } [Fact] public void GivenATaintedString_WhenCallingStringBuilderReplaceStringTainted_ResultIsTainted2() { AssertTaintedFormatWithOriginalCallCheck(":+-taiNted-+:", - new StringBuilder(_taintedValue).Replace("n", "N").ToString(), - () => new StringBuilder(_taintedValue).Replace("n", "N").ToString()); + new System.Text.StringBuilder(_taintedValue).Replace("n", "N").ToString(), + () => new System.Text.StringBuilder(_taintedValue).Replace("n", "N").ToString()); } [Fact] public void GivenATaintedString_WhenCallingStringBuilderReplaceStringTaintedIndexCount_ResultIsTainted() { AssertTaintedFormatWithOriginalCallCheck(":+-tainTed-+:", - new StringBuilder(_taintedValue).Replace("t", "T", 2, 5).ToString(), - () => new StringBuilder(_taintedValue).Replace("t", "T", 2, 5).ToString()); + new System.Text.StringBuilder(_taintedValue).Replace("t", "T", 2, 5).ToString(), + () => new System.Text.StringBuilder(_taintedValue).Replace("t", "T", 2, 5).ToString()); } [Fact] public void GivenATaintedString_WhenCallingStringBuilderReplaceStringTaintedIndexCount_ResultIsTainted2() { AssertTaintedFormatWithOriginalCallCheck(":+-tainTTTed-+:", - new StringBuilder(_taintedValue).Replace("t", "TTT", 2, 5).ToString(), - () => new StringBuilder(_taintedValue).Replace("t", "TTT", 2, 5).ToString()); + new System.Text.StringBuilder(_taintedValue).Replace("t", "TTT", 2, 5).ToString(), + () => new System.Text.StringBuilder(_taintedValue).Replace("t", "TTT", 2, 5).ToString()); } [Fact] @@ -191,8 +191,8 @@ public void GivenATaintedString_WhenCallingStringBuilderReplaceStringTaintedInde public void GivenATaintedString_WhenCallingStringBuilderReplaceStringTaintedIndexCountWrongArguments_ArgumentOutOfRangeException() { AssertUntaintedWithOriginalCallCheck( - () => new StringBuilder(_taintedValue).Replace("t", "T", -2, 2).ToString(), - () => new StringBuilder(_taintedValue).Replace("t", "T", -2, 2).ToString()); + () => new System.Text.StringBuilder(_taintedValue).Replace("t", "T", -2, 2).ToString(), + () => new System.Text.StringBuilder(_taintedValue).Replace("t", "T", -2, 2).ToString()); } [Fact] @@ -200,40 +200,40 @@ public void GivenATaintedString_WhenCallingStringBuilderReplaceStringTaintedInde public void GivenATaintedString_WhenCallingStringBuilderReplaceStringTaintedIndexCountWrongArguments_ArgumentOutOfRangeException2() { AssertUntaintedWithOriginalCallCheck( - () => new StringBuilder(_taintedValue).Replace("t", "T", 200, 2).ToString(), - () => new StringBuilder(_taintedValue).Replace("t", "T", 200, 2).ToString()); + () => new System.Text.StringBuilder(_taintedValue).Replace("t", "T", 200, 2).ToString(), + () => new System.Text.StringBuilder(_taintedValue).Replace("t", "T", 200, 2).ToString()); } [Fact] public void GivenATaintedString_WhenCallingStringBuilderReplaceStringNotTaintedWithTainted_ResultIsTainted() { AssertTaintedFormatWithOriginalCallCheck(":+-NoTAINTED2TainTAINTED2ed-+:", - new StringBuilder(_notTaintedValue).Replace("t", _taintedValue2).ToString(), - () => new StringBuilder(_notTaintedValue).Replace("t", _taintedValue2).ToString()); + new System.Text.StringBuilder(_notTaintedValue).Replace("t", _taintedValue2).ToString(), + () => new System.Text.StringBuilder(_notTaintedValue).Replace("t", _taintedValue2).ToString()); } [Fact] public void GivenATaintedString_WhenCallingStringBuilderReplaceStringNotTaintedWithTaintedIndexCount_ResultIsTainted() { AssertTaintedFormatWithOriginalCallCheck(":+-NoTAINTED2Tainted-+:", - new StringBuilder(_notTaintedValue).Replace("t", _taintedValue2, 2, 5).ToString(), - () => new StringBuilder(_notTaintedValue).Replace("t", _taintedValue2, 2, 5).ToString()); + new System.Text.StringBuilder(_notTaintedValue).Replace("t", _taintedValue2, 2, 5).ToString(), + () => new System.Text.StringBuilder(_notTaintedValue).Replace("t", _taintedValue2, 2, 5).ToString()); } [Fact] public void GivenATaintedString_WhenCallingStringBuilderReplaceStringNotTaintedWithTaintedPattern_ResultIsTainted() { AssertTaintedFormatWithOriginalCallCheck(":+-NotTtttinted-+:", - new StringBuilder(_notTaintedValue).Replace(_taintedValue.Substring(1, 1), "ttt").ToString(), - () => new StringBuilder(_notTaintedValue).Replace(_taintedValue.Substring(1, 1), "ttt").ToString()); + new System.Text.StringBuilder(_notTaintedValue).Replace(_taintedValue.Substring(1, 1), "ttt").ToString(), + () => new System.Text.StringBuilder(_notTaintedValue).Replace(_taintedValue.Substring(1, 1), "ttt").ToString()); } [Fact] public void GivenATaintedString_WhenCallingStringBuilderReplaceStringNotTaintedWithNotTaintedPattern_ResultIsNotTainted() { AssertUntaintedWithOriginalCallCheck( - () => new StringBuilder(_notTaintedValue).Replace(_notTaintedValue.Substring(1), "ttt").ToString(), - () => new StringBuilder(_notTaintedValue).Replace(_notTaintedValue.Substring(1), "ttt").ToString()); + () => new System.Text.StringBuilder(_notTaintedValue).Replace(_notTaintedValue.Substring(1), "ttt").ToString(), + () => new System.Text.StringBuilder(_notTaintedValue).Replace(_notTaintedValue.Substring(1), "ttt").ToString()); } [Fact] @@ -241,8 +241,8 @@ public void GivenATaintedString_WhenCallingStringBuilderReplaceStringNotTaintedW public void GivenATaintedString_WhenCallingStringBuilderReplaceStringTaintedIndexCountWrongArguments_ArgumentOutOfRangeException3() { AssertUntaintedWithOriginalCallCheck( - () => new StringBuilder(_taintedValue).Replace("t", "T", 2, -2), - () => new StringBuilder(_taintedValue).Replace("t", "T", 2, -2)); + () => new System.Text.StringBuilder(_taintedValue).Replace("t", "T", 2, -2), + () => new System.Text.StringBuilder(_taintedValue).Replace("t", "T", 2, -2)); } [Fact] @@ -250,8 +250,8 @@ public void GivenATaintedString_WhenCallingStringBuilderReplaceStringTaintedInde public void GivenATaintedString_WhenCallingStringBuilderReplaceStringTaintedIndexCountWrongArguments_ArgumentNullException() { AssertUntaintedWithOriginalCallCheck( - () => new StringBuilder(_taintedValue).Replace((string)null, "T", 2, 2), - () => new StringBuilder(_taintedValue).Replace((string)null, "T", 2, 2)); + () => new System.Text.StringBuilder(_taintedValue).Replace((string)null, "T", 2, 2), + () => new System.Text.StringBuilder(_taintedValue).Replace((string)null, "T", 2, 2)); } [Fact] @@ -259,16 +259,16 @@ public void GivenATaintedString_WhenCallingStringBuilderReplaceStringTaintedInde public void GivenATaintedString_WhenCallingStringBuilderReplaceStringTaintedIndexCountWrongArguments_ArgumentOutOfRangeException5() { AssertUntaintedWithOriginalCallCheck( - () => new StringBuilder(_taintedValue).Replace("t", (string)null, 2, -2), - () => new StringBuilder(_taintedValue).Replace("t", (string)null, 2, -2)); + () => new System.Text.StringBuilder(_taintedValue).Replace("t", (string)null, 2, -2), + () => new System.Text.StringBuilder(_taintedValue).Replace("t", (string)null, 2, -2)); } [Fact] public void GivenATaintedString_WhenCallingStringBuilderReplaceStringTaintedIndexCountWrongArguments_ArgumentOutOfRangeException6() { AssertTaintedFormatWithOriginalCallCheck(":+-ained-+:", - new StringBuilder(_taintedValue).Replace("t", (string)null).ToString(), - () => new StringBuilder(_taintedValue).Replace("t", (string)null).ToString()); + new System.Text.StringBuilder(_taintedValue).Replace("t", (string)null).ToString(), + () => new System.Text.StringBuilder(_taintedValue).Replace("t", (string)null).ToString()); } [Fact] @@ -276,7 +276,7 @@ public void GivenATaintedString_WhenCallingStringBuilderReplaceStringTaintedInde public void GivenATaintedString_WhenCallingStringBuilderReplaceStringTaintedIndexCountWrongArguments_ArgumentNullException2() { AssertUntaintedWithOriginalCallCheck( - () => new StringBuilder(_taintedValue).Replace((string)null, "T"), - () => new StringBuilder(_taintedValue).Replace((string)null, "T")); + () => new System.Text.StringBuilder(_taintedValue).Replace((string)null, "T"), + () => new System.Text.StringBuilder(_taintedValue).Replace((string)null, "T")); } } diff --git a/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/SSRF/UrlEscapeTests.cs b/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/SSRF/UrlEscapeTests.cs index c5f5935073b9..cb1474f2c094 100644 --- a/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/SSRF/UrlEscapeTests.cs +++ b/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/SSRF/UrlEscapeTests.cs @@ -4,7 +4,7 @@ using System.Web; using Xunit; -namespace Samples.InstrumentedTests.Iast.Vulnerabilities.StringPropagation; +namespace Samples.InstrumentedTests.Iast.Propagation.String; public class UrlEscapeTests : InstrumentationTestsBase { private string _taintedValue = "tainted"; diff --git a/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/Xss/HtmlEscapeTests.cs b/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/Xss/HtmlEscapeTests.cs index 4bdc8d381fa0..631f3f2b2d08 100644 --- a/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/Xss/HtmlEscapeTests.cs +++ b/tracer/test/test-applications/integrations/Samples.InstrumentedTests/Vulnerabilities/Xss/HtmlEscapeTests.cs @@ -2,7 +2,7 @@ using System.Web; using Xunit; -namespace Samples.InstrumentedTests.Iast.Vulnerabilities.StringPropagation; +namespace Samples.InstrumentedTests.Iast.Propagation.String; public class HtmlEscapeTests : InstrumentationTestsBase { private string _taintedValue = "tainted";