Skip to content

C#: Add implicit System.Collections.Generic.KeyValuePair2.Value reads at taint sinks #21024

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
MathiasVP merged 3 commits into from
Dec 12, 2025
Merged

C#: Add implicit System.Collections.Generic.KeyValuePair2.Value reads at taint sinks #21024

MathiasVP merged 3 commits into from
Dec 12, 2025
+2,271 −13

Conversation

@MathiasVP
Copy link
Contributor

@MathiasVP MathiasVP commented Dec 12, 2025
edited
Loading

Java includes MapValueContent in the set of implicit taint reads (see here), but C# doesn't.

This leads to some developer confusion when trying to write the same query for both Java and C#. Additionally, C# uses the System.Collections.Generic.KeyValuePair.Value property (+ an ElementContent) to model the equivalent of a MapValueContent in Java which makes it even more mysterious when translating a query from Java to C#.

This PR fixes this problem by adding implicit reads of System.Collections.Generic.KeyValuePair.Value. This means that C# and Java behaves (hopefully) similarly when taint-tracking ends up with a "map-like" collection at a sink.

cc @hvitved

@MathiasVP MathiasVP requested a review from a team as a code owner December 12, 2025 11:15
Copilot AI review requested due to automatic review settings December 12, 2025 11:15
@github-actions github-actions bot added the C# label Dec 12, 2025
@MathiasVP MathiasVP changed the title C#: Add implicit System.Collections.Generic.KeyValuePair2.Value` at taint sinks C#: Add implicit System.Collections.Generic.KeyValuePair2.Value` reads at taint sinks Dec 12, 2025
@MathiasVP MathiasVP changed the title C#: Add implicit System.Collections.Generic.KeyValuePair2.Value` reads at taint sinks C#: Add implicit System.Collections.Generic.KeyValuePair2.Value reads at taint sinks Dec 12, 2025
Copilot AI reviewed Dec 12, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adds implicit reads of System.Collections.Generic.KeyValuePair<TKey,TValue>.Value property at taint sinks in C# to align taint tracking behavior with Java's MapValueContent handling. This change makes it easier to write cross-language queries and ensures consistent behavior when taint tracking encounters dictionary-like collections at sinks.

Key Changes:

  • Added implicit taint read for KeyValuePair.Value property at sinks
  • Refactored test infrastructure to share common configuration
  • Added test case demonstrating the new implicit read behavior

Reviewed changes

Copilot reviewed 6 out of 8 changed files in this pull request and generated no comments.

Show a summary per file
File Description
csharp/ql/lib/semmle/code/csharp/dataflow/internal/TaintTrackingPrivate.qll Core implementation adding KeyValuePair.Value to implicit taint reads
csharp/ql/test/library-tests/dataflow/collections/CollectionFlowCommon.qll New shared test configuration module
csharp/ql/test/library-tests/dataflow/collections/CollectionTaintFlow.ql New test query for taint flow validation
csharp/ql/test/library-tests/dataflow/collections/CollectionDataFlow.ql Refactored to use common configuration
csharp/ql/test/library-tests/dataflow/collections/CollectionFlow.cs Added test case for implicit map value read
csharp/ql/test/library-tests/dataflow/collections/CollectionTaintFlow.expected Expected test results

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@aschackmull
Copy link
Contributor

aschackmull commented Dec 12, 2025

Additionally, C# uses the System.Collections.Generic.KeyValuePair.Value property (+ an ElementContent) to model the equivalent of a MapValueContent in Java which makes it even more mysterious when translting a query from Java to C#.

C# needs to do it this way because C# maps implement IEnumerabl<KeyValuePair> - the Java Map interface doesn't do that.

@MathiasVP
Copy link
Contributor Author

MathiasVP commented Dec 12, 2025

Additionally, C# uses the System.Collections.Generic.KeyValuePair.Value property (+ an ElementContent) to model the equivalent of a MapValueContent in Java which makes it even more mysterious when translting a query from Java to C#.

C# needs to do it this way because C# maps implement IEnumerabl<KeyValuePair> - the Java Map interface doesn't do that.

Oh yeah no hate towards the way C# does it. The strategy totally makes sense. I'm just saying this additional quirk makes it harder for people to write "the same" query for both Java and C#.

hvitved
hvitved approved these changes Dec 12, 2025
View reviewed changes
Copy link
Contributor

@hvitved hvitved left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM (assuming DCA is good).

@MathiasVP
Copy link
Contributor Author

MathiasVP commented Dec 12, 2025

DCA looked uneventful

@MathiasVP MathiasVP merged commit 3ea92ea into github:main Dec 12, 2025
23 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@hvitved hvitved hvitved approved these changes

Assignees

No one assigned

Labels

C# documentation

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@MathiasVP @aschackmull @hvitved