Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix S2115 FN: Support multi-line string interpolation inside a raw string literal #6359

Merged
merged 3 commits into from
Nov 15, 2022
Merged

Fix S2115 FN: Support multi-line string interpolation inside a raw string literal #6359

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
6af955e
Fix S2115 FN: Support multi-line string interpolation inside a raw st…
CristianAmbrosini Nov 14, 2022
158f518
Minor changes
CristianAmbrosini Nov 14, 2022
dbeedba
Moved a property before constructor
CristianAmbrosini Nov 15, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
19 changes: 8 additions & 11 deletions analyzers/src/SonarAnalyzer.CSharp/Rules/DatabasePasswordsShouldBeSecure.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,17 +20,9 @@

using System;
using System.IO;
using System.Linq;
using System.Text.RegularExpressions;
using System.Xml.Linq;
using System.Xml.XPath;
using Microsoft.CodeAnalysis;
using Microsoft.CodeAnalysis.CSharp;
using Microsoft.CodeAnalysis.CSharp.Syntax;
using Microsoft.CodeAnalysis.Diagnostics;
using Microsoft.CodeAnalysis.Text;
using SonarAnalyzer.Common;
using SonarAnalyzer.Helpers;
using SonarAnalyzer.Json;
using SonarAnalyzer.Json.Parsing;

Expand All @@ -42,7 +34,7 @@ public sealed class DatabasePasswordsShouldBeSecure : TrackerHotspotDiagnosticAn
private const string DiagnosticId = "S2115";
private const string MessageFormat = "Use a secure password when connecting to this database.";

private static readonly Regex Sanitizers = new Regex(@"((integrated[_\s]security)|(trusted[_\s]connection))=(sspi|yes|true)", RegexOptions.Compiled | RegexOptions.IgnoreCase);
private static readonly Regex Sanitizers = new(@"((integrated[_\s]security)|(trusted[_\s]connection))=(sspi|yes|true)", RegexOptions.Compiled | RegexOptions.IgnoreCase);

private readonly MemberDescriptor[] trackedInvocations =
gregory-paidis-sonarsource marked this conversation as resolved.
Show resolved Hide resolved
{
Expand Down Expand Up @@ -153,7 +145,10 @@ private void ReportEmptyPassword(JsonNode doc, string appSettingsPath, Compilati
private static ArgumentSyntax ConnectionStringArgument(SeparatedSyntaxList<ArgumentSyntax> argumentList) =>
// Where(cond).First() is more efficient than First(cond)
argumentList.Where(a => a.NameColon?.Name.Identifier.ValueText == "connectionString").FirstOrDefault()
?? argumentList.Where(a => a.Expression.IsAnyKind(SyntaxKind.StringLiteralExpression, SyntaxKind.InterpolatedStringExpression, SyntaxKind.AddExpression)).FirstOrDefault()
?? argumentList.Where(a => a.Expression.IsAnyKind(
SyntaxKind.StringLiteralExpression,
SyntaxKind.InterpolatedStringExpression,
SyntaxKind.AddExpression)).FirstOrDefault()
?? argumentList.FirstOrDefault();

// For both interpolated strings and concatenation chain, it's easier to search in the string representation of the tree, rather than doing string searches for each individual
Expand All @@ -169,7 +164,9 @@ private static bool HasEmptyPasswordAndNoSanitizers(ExpressionSyntax expression)
|| connectionString.Contains("Password=;")
// this is an edge case, for a string interpolation or concatenation the toString() will contain the ending "
// we prefer to keep it like this for the simplicity of the implementation
|| connectionString.EndsWith("Password=\"");
|| connectionString.EndsWith("Password=\"")
// raw string literals
|| connectionString.EndsWith("Password=\"\"\"");

private static bool HasSanitizers(string connectionString) =>
Sanitizers.IsMatch(connectionString);
Expand Down
6 changes: 5 additions & 1 deletion analyzers/tests/SonarAnalyzer.UnitTest/TestCases/DatabasePasswordsShouldBeSecure.CSharp11.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,12 +13,16 @@ protected override void OnConfiguring(DbContextOptionsBuilder optionsBuilder)
optionsBuilder.UseSqlServer("""Server=myServerAddress;Database=myDataBase;User Id=myUsername;Password="""); // Noncompliant {{Use a secure password when connecting to this database.}}

string[] test = new string[] { "FirstTest", "SecondTest" };

optionsBuilder.UseSqlServer($"""Server={test[0]};Database=myDataBase;User Id=myUsername;Password="""); // Noncompliant

optionsBuilder.UseSqlServer($"Server={test
[0]};Database=myDataBase;User Id=myUsername;Password="); // Noncompliant@-1 {{Use a secure password when connecting to this database.}}
optionsBuilder.UseSqlServer($"Server=myServerAddress;Database=myDataBase;User Id=myUsername;Password={test
[1]}"); // Compliant

optionsBuilder.UseSqlServer($$"""Server={{test
[0]}};Database=myDataBase;User Id=myUsername;Password="""); // FN
[0]}};Database=myDataBase;User Id=myUsername;Password="""); // Noncompliant@-1
optionsBuilder.UseSqlServer($$"""Server=myServerAddress;Database=myDataBase;User Id=myUsername;Password={{test
[1]}}"""); // Compliant
}
Expand Down