diff --git a/src/NetAnalyzers/Core/Microsoft.NetFramework.Analyzers/DoNotUseInsecureXSLTScriptExecution.cs b/src/NetAnalyzers/Core/Microsoft.NetFramework.Analyzers/DoNotUseInsecureXSLTScriptExecution.cs
index 7824ae2774..b84f3924e1 100644
--- a/src/NetAnalyzers/Core/Microsoft.NetFramework.Analyzers/DoNotUseInsecureXSLTScriptExecution.cs
+++ b/src/NetAnalyzers/Core/Microsoft.NetFramework.Analyzers/DoNotUseInsecureXSLTScriptExecution.cs
@@ -195,6 +195,12 @@ public void AnalyzeNodeForXsltSettings(IOperation lhs, IOperation rhs)
 return;
 }
 
+ // handle target-typed new
+ if (rhs is IConversionOperation { IsImplicit: true })
+ {
+ rhs = rhs.WalkDownConversion();
+ }
+
 IMethodSymbol? rhsMethodSymbol = rhs.Kind switch
 {
 OperationKind.Invocation => ((IInvocationOperation)rhs).TargetMethod,
diff --git a/src/NetAnalyzers/UnitTests/Microsoft.NetFramework.Analyzers/DoNotUseInsecureXSLTScriptExecutionXslCompiledTransformLoadInsecureConstructedSettingsTests.cs b/src/NetAnalyzers/UnitTests/Microsoft.NetFramework.Analyzers/DoNotUseInsecureXSLTScriptExecutionXslCompiledTransformLoadInsecureConstructedSettingsTests.cs
index 0065fcf89b..9fc6cd6c2b 100644
--- a/src/NetAnalyzers/UnitTests/Microsoft.NetFramework.Analyzers/DoNotUseInsecureXSLTScriptExecutionXslCompiledTransformLoadInsecureConstructedSettingsTests.cs
+++ b/src/NetAnalyzers/UnitTests/Microsoft.NetFramework.Analyzers/DoNotUseInsecureXSLTScriptExecutionXslCompiledTransformLoadInsecureConstructedSettingsTests.cs
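Review bot: The new guard unwraps only an implicit conversion, so a right-hand side that reaches `rhs.Kind switch` through an explicit cast to `XsltSettings` is still seen as a conversion rather than the construction underneath it, which presumably leaves it unmatched by the switch and keeps the same blind spot this commit closes for target-typed `new`. If the intent is to analyze whatever construction sits under a conversion, dropping the `IsImplicit: true` pattern and calling `rhs.WalkDownConversion()` unconditionally is simpler and covers both. The comment would also carry more for the next reader as `// A target-typed new() binds as an implicit IConversionOperation wrapping the object creation; unwrap it so the constructor/initializer below is analyzed.` AnalyzeNodeForXsltSettings starts and ends outside the hunk.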
@@ -730,6 +730,34 @@ End Class
 End Namespace");
 }
 
+ [Fact]
+ public async Task UseXslCompiledTransformLoadDefaultTargetTypedNewAndNonSecureResolverShouldNotGenerateDiagnosticAsync()
+ {
+ await VerifyCS.RunTestAsync(
+ new VerifyCS.Test
+ {
+ LanguageVersion = CodeAnalysis.CSharp.LanguageVersion.CSharp9,
+ TestCode = @"
+using System.Xml;
+using System.Xml.Xsl;
+
+namespace TestNamespace
+{
+ class TestClass
+ {
+ private static void TestMethod()
+ {
+ XslCompiledTransform xslCompiledTransform = new XslCompiledTransform();
+ XsltSettings settings = new();
+ var resolver = new XmlUrlResolver();
+ xslCompiledTransform.Load(""testStylesheet"", settings, resolver);
+ }
+ }
+}"
+ }
+ );
+ }
+
 [Fact]
 public async Task UseXslCompiledTransformLoadDefaultAndSecureResolverShouldNotGenerateDiagnosticAsync()
 {
@@ -847,6 +875,35 @@ End Class
 );
 }
 
+ [Fact]
+ public async Task UseXslCompiledTransformLoadEnableScriptTargetTypedNewAndNonSecureResolverShouldGenerateDiagnosticAsync()
+ {
+ await VerifyCS.RunTestAsync(
+ new VerifyCS.Test
+ {
+ LanguageVersion = CodeAnalysis.CSharp.LanguageVersion.CSharp9,
+ TestCode = @"
+using System.Xml;
+using System.Xml.Xsl;
+
+namespace TestNamespace
+{
+ class TestClass
+ {
+ private static void TestMethod()
+ {
+ XslCompiledTransform xslCompiledTransform = new XslCompiledTransform();
+ XsltSettings settings = new() { EnableScript = true };
+ var resolver = new XmlUrlResolver();
+ xslCompiledTransform.Load(""testStylesheet"", settings, resolver);
+ }
+ }
+}",
+ },
+ GetCA3076LoadCSharpResultAt(14, 13, "TestMethod")
+ );
+ }
+
 [Fact]
 public async Task UseXslCompiledTransformLoadSetEnableScriptToTrueAndNonSecureResolverShouldGenerateDiagnosticAsync()
 {
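Review bot: Every new test here and in the hunks at -847, -933, -1095, -1136 and -1174 exercises the same shape — `XsltSettings settings = new(...)` assigned to a local and then passed to `Load` — so there is no case where the target-typed `new()` appears directly as the `Load` argument or in a field initializer. The fix lives in `AnalyzeNodeForXsltSettings(IOperation lhs, IOperation rhs)`, which by its signature looks assignment-based, so an inline `new() { EnableScript = true }` argument may travel a different path; one positive test for that form would pin whether CA3076 fires there too. Minor style: the two "ShouldNotGenerateDiagnostic" tests close the `Test` initializer with `}` while the others use `},`; pick one.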
@@ -933,6 +990,35 @@ End Class
 );
 }
 
+ [Fact]
+ public async Task UseXslCompiledTransformLoadEnableDocumentFunctionTargetTypedNewAndNonSecureResolverShouldGenerateDiagnosticAsync()
+ {
+ await VerifyCS.RunTestAsync(
+ new VerifyCS.Test
+ {
+ LanguageVersion = CodeAnalysis.CSharp.LanguageVersion.CSharp9,
+ TestCode = @"
+using System.Xml;
+using System.Xml.Xsl;
+
+namespace TestNamespace
+{
+ class TestClass
+ {
+ private static void TestMethod()
+ {
+ XslCompiledTransform xslCompiledTransform = new XslCompiledTransform();
+ XsltSettings settings = new() { EnableDocumentFunction = true };
+ var resolver = new XmlUrlResolver();
+ xslCompiledTransform.Load(""testStylesheet"", settings, resolver);
+ }
+ }
+}",
+ },
+ GetCA3076LoadCSharpResultAt(14, 13, "TestMethod")
+ );
+ }
+
 [Fact]
 public async Task UseXslCompiledTransformLoadSetEnableDocumentFunctionToTrueAndNonSecureResolverShouldGenerateDiagnosticAsync()
 {
@@ -1095,6 +1181,35 @@ End Class
 );
 }
 
+ [Fact]
+ public async Task UseXslCompiledTransformLoadConstructSettingsWithTrueParamTargetTypedNewAndNonSecureResolverShouldGenerateDiagnostic1Async()
+ {
+ await VerifyCS.RunTestAsync(
+ new VerifyCS.Test
+ {
+ LanguageVersion = CodeAnalysis.CSharp.LanguageVersion.CSharp9,
+ TestCode = @"
+using System.Xml;
+using System.Xml.Xsl;
+
+namespace TestNamespace
+{
+ class TestClass
+ {
+ private static void TestMethod()
+ {
+ XslCompiledTransform xslCompiledTransform = new XslCompiledTransform();
+ XsltSettings settings = new(true, false);
+ var resolver = new XmlUrlResolver();
+ xslCompiledTransform.Load(""testStylesheet"", settings, resolver);
+ }
+ }
+}",
+ },
+ GetCA3076LoadCSharpResultAt(14, 13, "TestMethod")
+ );
+ }
+
 [Fact]
 public async Task UseXslCompiledTransformLoadConstructSettingsWithTrueParamAndNonSecureResolverShouldGenerateDiagnostic2Async()
 {
@@ -1136,6 +1251,35 @@ End Class
 );
 }
 
+ [Fact]
+ public async Task UseXslCompiledTransformLoadConstructSettingsWithTrueParamTargetTypedNewAndNonSecureResolverShouldGenerateDiagnostic2Async()
+ {
+ await VerifyCS.RunTestAsync(
+ new VerifyCS.Test
+ {
+ LanguageVersion = CodeAnalysis.CSharp.LanguageVersion.CSharp9,
+ TestCode = @"
+using System.Xml;
+using System.Xml.Xsl;
+
+namespace TestNamespace
+{
+ class TestClass
+ {
+ private static void TestMethod()
+ {
+ XslCompiledTransform xslCompiledTransform = new XslCompiledTransform();
+ XsltSettings settings = new(false, true);
+ var resolver = new XmlUrlResolver();
+ xslCompiledTransform.Load(""testStylesheet"", settings, resolver);
+ }
+ }
+}",
+ },
+ GetCA3076LoadCSharpResultAt(14, 13, "TestMethod")
+ );
+ }
+
 [Fact]
 public async Task UseXslCompiledTransformLoadConstructSettingsWithFalseParamsAndNonSecureResolverShouldNotGenerateDiagnosticAsync()
 {
@@ -1174,6 +1318,34 @@ End Class
 End Namespace");
 }
 
+ [Fact]
+ public async Task UseXslCompiledTransformLoadConstructSettingsWithFalseParamsTargetTypedNewAndNonSecureResolverShouldNotGenerateDiagnosticAsync()
+ {
+ await VerifyCS.RunTestAsync(
+ new VerifyCS.Test
+ {
+ LanguageVersion = CodeAnalysis.CSharp.LanguageVersion.CSharp9,
+ TestCode = @"
+using System.Xml;
+using System.Xml.Xsl;
+
+namespace TestNamespace
+{
+ class TestClass
+ {
+ private static void TestMethod()
+ {
+ XslCompiledTransform xslCompiledTransform = new XslCompiledTransform();
+ XsltSettings settings = new(false, false);
+ var resolver = new XmlUrlResolver();
+ xslCompiledTransform.Load(""testStylesheet"", settings, resolver);
+ }
+ }
+}"
+ }
+ );
+ }
+
 [Fact]
 public async Task UseXslCompiledTransformLoadNullSettingsAndNonSecureResolverShouldNotGenerateDiagnosticAsync()
 {
diff --git a/src/Test.Utilities/CSharpSecurityCodeFixVerifier`2.cs b/src/Test.Utilities/CSharpSecurityCodeFixVerifier`2.cs
index 191895bb36..5ebcdec4c1 100644
--- a/src/Test.Utilities/CSharpSecurityCodeFixVerifier`2.cs
+++ b/src/Test.Utilities/CSharpSecurityCodeFixVerifier`2.cs
@@ -30,8 +30,7 @@ public static async Task VerifyAnalyzerAsync(string source, params DiagnosticRes
 TestCode = source,
 };
 
- test.ExpectedDiagnostics.AddRange(expected);
- await test.RunAsync();
+ await RunTestAsync(test, expected);
 }
 
 public static Task VerifyCodeFixAsync(string source, string fixedSource)
@@ -48,6 +47,11 @@ public static async Task VerifyCodeFixAsync(string source, DiagnosticResult[] ex
 FixedCode = fixedSource,
 };
 
+ await RunTestAsync(test, expected);
+ }
+
+ public static async Task RunTestAsync(Test test, params DiagnosticResult[] expected)
+ {
 test.ExpectedDiagnostics.AddRange(expected);
 await test.RunAsync();
 }
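Review bot: `RunTestAsync` becomes a public helper on the verifier in the -48 hunk but has no XML doc and no argument check; a null `test` fails on `test.ExpectedDiagnostics` with a bare `NullReferenceException`, and an explicit null `expected` array presumably fails inside `AddRange` rather than at the call site. A guard `if (test is null) throw new ArgumentNullException(nameof(test));` as the first statement and a `<summary>` such as `/// <summary>Adds <paramref name="expected"/> to the test's expected diagnostics and runs it.</summary>` would make the contract visible to the other test projects that can now call it. The -30 hunk is otherwise a straight extraction of the duplicated two lines.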