Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ArgumentNullException in SourceTriggeredTaintedDataAnalyzerBase for VB assembly attributes #4491

Closed
mavasani opened this issue Dec 3, 2020 · 2 comments
Closed

ArgumentNullException in SourceTriggeredTaintedDataAnalyzerBase for VB assembly attributes #4491

mavasani opened this issue Dec 3, 2020 · 2 comments
Assignees
@mavasani
Labels
Area-Microsoft.CodeAnalysis.NetAnalyzers Bug The product is not behaving according to its current intended design Category-Security

Comments

@mavasani
Copy link
Contributor

mavasani commented Dec 3, 2020

Unit test for ReviewCodeForSqlInjectionVulnerabilitiesTests

        [Fact]
        public async Task AssemblyAttributeRegressionTest()
        {
            await VerifyVisualBasicWithDependenciesAsync(@"<Assembly: System.Reflection.AssemblyTitle(""Title"")>");
        }

Exception call stack

    // error AD0001: Analyzer 'Microsoft.NetCore.Analyzers.Security.ReviewCodeForSqlInjectionVulnerabilities' threw an exception of type 'System.ArgumentNullException' with message 'Value cannot be null. (Parameter 'key')'.
    Exception occurred with following context:
    Compilation: TestProject
    ISymbol:  (Namespace)
    
    System.ArgumentNullException: Value cannot be null. (Parameter 'key')
       at System.Collections.Immutable.Requires.FailArgumentNullException(String parameterName)
       at System.Collections.Immutable.ImmutableDictionary`2.TryGetValue(TKey key, TValue& value)
       at Analyzer.Utilities.AggregateCategorizedAnalyzerConfigOptions.TryGetOptionValue[T](String optionName, OptionKind kind, SyntaxTree tree, DiagnosticDescriptor rule, TryParseValue`1 tryParseValue, T defaultValue, T& value) in c:\roslyn-analyzers\src\Utilities\Compiler\Options\AggregateCategorizedAnalyzerConfigOptions.cs:line 101
       at Analyzer.Utilities.AggregateCategorizedAnalyzerConfigOptions.GetOptionValue[T](String optionName, SyntaxTree tree, DiagnosticDescriptor rule, TryParseValue`1 tryParseValue, T defaultValue, OptionKind kind) in c:\roslyn-analyzers\src\Utilities\Compiler\Options\AggregateCategorizedAnalyzerConfigOptions.cs:line 79
       at Analyzer.Utilities.AnalyzerOptionsExtensions.GetNonFlagsEnumOptionValue[TEnum](AnalyzerOptions options, String optionName, DiagnosticDescriptor rule, SyntaxTree tree, Compilation compilation, TEnum defaultValue, CancellationToken cancellationToken) in c:\roslyn-analyzers\src\Utilities\Compiler\Options\AnalyzerOptionsExtensions.cs:line 187
       at Analyzer.Utilities.AnalyzerOptionsExtensions.GetInterproceduralAnalysisKindOption(AnalyzerOptions options, DiagnosticDescriptor rule, SyntaxTree tree, Compilation compilation, InterproceduralAnalysisKind defaultValue, CancellationToken cancellationToken) in c:\roslyn-analyzers\src\Utilities\FlowAnalysis\Options\AnalyzerOptionsExtensions_FlowAnalysis.cs:line 31
       at Microsoft.CodeAnalysis.FlowAnalysis.DataFlow.InterproceduralAnalysisConfiguration.Create(AnalyzerOptions analyzerOptions, DiagnosticDescriptor rule, SyntaxTree tree, Compilation compilation, InterproceduralAnalysisKind defaultInterproceduralAnalysisKind, CancellationToken cancellationToken, UInt32 defaultMaxInterproceduralMethodCallChain, UInt32 defaultMaxInterproceduralLambdaOrLocalFunctionCallChain) in c:\roslyn-analyzers\src\Utilities\FlowAnalysis\FlowAnalysis\Framework\DataFlow\InterproceduralAnalysisConfiguration.cs:line 62
       at Microsoft.CodeAnalysis.FlowAnalysis.DataFlow.InterproceduralAnalysisConfiguration.Create(AnalyzerOptions analyzerOptions, ImmutableArray`1 rules, SyntaxTree tree, Compilation compilation, InterproceduralAnalysisKind defaultInterproceduralAnalysisKind, CancellationToken cancellationToken, UInt32 defaultMaxInterproceduralMethodCallChain, UInt32 defaultMaxInterproceduralLambdaOrLocalFunctionCallChain) in c:\roslyn-analyzers\src\Utilities\FlowAnalysis\FlowAnalysis\Framework\DataFlow\InterproceduralAnalysisConfiguration.cs:line 111
       at Microsoft.CodeAnalysis.FlowAnalysis.DataFlow.InterproceduralAnalysisConfiguration.Create(AnalyzerOptions analyzerOptions, ImmutableArray`1 rules, ISymbol symbol, Compilation compilation, InterproceduralAnalysisKind defaultInterproceduralAnalysisKind, CancellationToken cancellationToken, UInt32 defaultMaxInterproceduralMethodCallChain, UInt32 defaultMaxInterproceduralLambdaOrLocalFunctionCallChain) in c:\roslyn-analyzers\src\Utilities\FlowAnalysis\FlowAnalysis\Framework\DataFlow\InterproceduralAnalysisConfiguration.cs:line 93
       at Microsoft.NetCore.Analyzers.Security.SourceTriggeredTaintedDataAnalyzerBase.<>c__DisplayClass6_0.<Initialize>b__1(OperationBlockStartAnalysisContext operationBlockStartContext) in c:\roslyn-analyzers\src\NetAnalyzers\Core\Microsoft.NetCore.Analyzers\Security\SourceTriggeredTaintedDataAnalyzerBase.cs:line 80
       at Microsoft.CodeAnalysis.Diagnostics.AnalyzerExecutor.<>c__62`6.<ExecuteBlockActionsCore>b__62_2(ValueTuple`5 data)
       at Microsoft.CodeAnalysis.Diagnostics.AnalyzerExecutor.ExecuteAndCatchIfThrows_NoLock[TArg](DiagnosticAnalyzer analyzer, Action`1 analyze, TArg argument, Nullable`1 info)
    -----
@mavasani mavasani added Bug The product is not behaving according to its current intended design Area-Microsoft.CodeAnalysis.NetAnalyzers Category-Security labels Dec 3, 2020
@mavasani mavasani self-assigned this Dec 3, 2020
@mavasani
Copy link
Contributor Author

mavasani commented Dec 3, 2020

I am testing a fix and will send PRs to 2.9.x and release/5.0.2xx branches soon. FYI @dotpaul

@mavasani mavasani mentioned this issue Dec 3, 2020
Merged
@reduckted
Copy link
Contributor

I'm seeing the same exceptions from all of these analyzers when using .NET SDK 5.0.102:

  • Microsoft.NetCore.Analyzers.Security.DoNotAddArchiveItemPathToTheTargetFileSystemPath
  • Microsoft.NetCore.Analyzers.Security.DoNotHardCodeCertificate
  • Microsoft.NetCore.Analyzers.Security.DoNotHardCodeEncryptionKey
  • Microsoft.NetCore.Analyzers.Security.ReviewCodeForCommandExecutionVulnerabilities
  • Microsoft.NetCore.Analyzers.Security.ReviewCodeForDllInjectionVulnerabilities
  • Microsoft.NetCore.Analyzers.Security.ReviewCodeForFilePathInjectionVulnerabilities
  • Microsoft.NetCore.Analyzers.Security.ReviewCodeForRegexInjectionVulnerabilities
  • Microsoft.NetCore.Analyzers.Security.ReviewCodeForSqlInjectionVulnerabilities
  • Microsoft.NetCore.Analyzers.Security.ReviewCodeForXmlInjectionVulnerabilities
  • Microsoft.NetCore.Analyzers.Security.ReviewCodeForXPathInjectionVulnerabilities

@mavasani, does your PR fix all of those, or could some of those exceptions be caused by a different problem?

@reduckted reduckted mentioned this issue Feb 12, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@mavasani mavasani

Labels
Area-Microsoft.CodeAnalysis.NetAnalyzers Bug The product is not behaving according to its current intended design Category-Security
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@reduckted @mavasani