Merge pull request #2730 from LLLXXXCCC/DoNotHardCodedEncryptionKey

Fix the bug occurring when element type of array is not INamedType.
dotnet · Aug 7, 2019 · 87d85ce · 87d85ce
2 parents 7b1eec2 + 35637ad
commit 87d85ce
Show file tree

Hide file tree

Showing 2 changed files with 96 additions and 3 deletions.
diff --git a/src/Microsoft.NetCore.Analyzers/UnitTests/Security/DoNotHardCodeEncryptionKeyTests.cs b/src/Microsoft.NetCore.Analyzers/UnitTests/Security/DoNotHardCodeEncryptionKeyTests.cs
@@ -313,6 +313,96 @@ public void TestMethod(byte[] someOtherBytesForIV)
             GetCSharpResultAt(12, 9, 10, 26, "ICryptoTransform SymmetricAlgorithm.CreateEncryptor(byte[] rgbKey, byte[] rgbIV)", "void TestClass.TestMethod(byte[] someOtherBytesForIV)", "byte[,]", "void TestClass.TestMethod(byte[] someOtherBytesForIV)"));
         }
 
+        [Fact]
+        public void Test_HardcodedInJaggedArrayInitializer_CreateEncryptor_Diagnostic()
+        {
+            VerifyCSharpWithDependencies(@"
+using System;
+using System.Linq;
+using System.Security.Cryptography;
+
+class TestClass
+{
+    public void TestMethod(byte[] someOtherBytesForIV, byte unknownByte)
+    {
+        byte[][] rgbKey = new byte[3][]
+        {
+            new byte[] { 1, 2 },
+            new byte[] { 3, 4, 5 },
+            new byte[] { unknownByte }
+        };
+        SymmetricAlgorithm rijn = SymmetricAlgorithm.Create();
+        rijn.CreateEncryptor(rgbKey.Cast<byte>().ToArray(), someOtherBytesForIV);
+    }
+}",
+            GetCSharpResultAt(17, 9, 13, 13, "ICryptoTransform SymmetricAlgorithm.CreateEncryptor(byte[] rgbKey, byte[] rgbIV)", "void TestClass.TestMethod(byte[] someOtherBytesForIV, byte unknownByte)", "byte[]", "void TestClass.TestMethod(byte[] someOtherBytesForIV, byte unknownByte)"),
+            GetCSharpResultAt(17, 9, 12, 13, "ICryptoTransform SymmetricAlgorithm.CreateEncryptor(byte[] rgbKey, byte[] rgbIV)", "void TestClass.TestMethod(byte[] someOtherBytesForIV, byte unknownByte)", "byte[]", "void TestClass.TestMethod(byte[] someOtherBytesForIV, byte unknownByte)"));
+        }
+
+        [Fact]
+        public void Test_HardcodeByParamsBytesArray_CreateEncryptor_Diagnostic()
+        {
+            VerifyCSharpWithDependencies(@"
+using System;
+using System.Security.Cryptography;
+
+class TestClass
+{
+    public void TestMethod(byte[] someOtherBytesForIV)
+    {
+        byte[] rgbKey = GetArray(1, 2, 3);
+        SymmetricAlgorithm rijn = SymmetricAlgorithm.Create();
+        rijn.CreateEncryptor(rgbKey, someOtherBytesForIV);
+    }
+
+    public byte[] GetArray(params byte[] array)
+    {
+        return array;
+    }
+}",
+            GetCSharpResultAt(11, 9, 9, 25, "ICryptoTransform SymmetricAlgorithm.CreateEncryptor(byte[] rgbKey, byte[] rgbIV)", "void TestClass.TestMethod(byte[] someOtherBytesForIV)", "byte[]", "void TestClass.TestMethod(byte[] someOtherBytesForIV)"));
+        }
+
+        [Fact]
+        public void Test_ElementTypeIsTypeParameter_NoDiagnostic()
+        {
+            VerifyCSharpWithDependencies(@"
+using System;
+
+class TestClass<T1> where T1 : struct
+{
+    public void MethodWithArrayParameter<T2>(params T2[] arr) where T2 : struct
+    {
+    }
+
+    public void TestMethod(T1 t)
+    {
+        MethodWithArrayParameter(t);
+    }
+}");
+        }
+
+        [Fact]
+        public void Test_HardcodedInJaggedArray_CreateEncryptor_NoDiagnostic()
+        {
+            VerifyCSharpWithDependencies(@"
+using System;
+using System.Linq;
+using System.Security.Cryptography;
+
+class TestClass
+{
+    public void TestMethod(byte[] someOtherBytesForIV)
+    {
+        byte[][] rgbKey = new byte[2][];
+        rgbKey[0] = new byte[2] { 1, 2 };
+        rgbKey[1] = new byte[3] { 3, 4, 5 };
+        SymmetricAlgorithm rijn = SymmetricAlgorithm.Create();
+        rijn.CreateEncryptor(rgbKey.Cast<byte>().ToArray(), someOtherBytesForIV);
+    }
+}");
+        }
+
         [Fact]
         public void Test_NotHardcoded_CreateEncryptor_NoDiagnostic()
         {

diff --git a/.../FlowAnalysis/FlowAnalysis/Analysis/TaintedDataAnalysis/TaintedDataSymbolMapExtensions.cs b/.../FlowAnalysis/FlowAnalysis/Analysis/TaintedDataAnalysis/TaintedDataSymbolMapExtensions.cs
@@ -82,11 +82,14 @@ public static bool IsSourceProperty(this TaintedDataSymbolMap<SourceInfo> source
         /// <returns></returns>
         public static bool IsSourceConstantArrayOfType(this TaintedDataSymbolMap<SourceInfo> sourceSymbolMap, IArrayTypeSymbol arrayTypeSymbol)
         {
-            foreach (SourceInfo sourceInfo in sourceSymbolMap.GetInfosForType(arrayTypeSymbol.ElementType as INamedTypeSymbol))
+            if (arrayTypeSymbol.ElementType is INamedTypeSymbol elementType)
             {
-                if (sourceInfo.TaintConstantArray)
+                foreach (SourceInfo sourceInfo in sourceSymbolMap.GetInfosForType(elementType))
                 {
-                    return true;
+                    if (sourceInfo.TaintConstantArray)
+                    {
+                        return true;
+                    }
                 }
             }