C#: Re-factor Xss to use the new data flow API. #12845
Conversation
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
michaelnebel
force-pushed
the
csharp/xssrefactor
branch
2 times, most recently
from
ff09ed8 to
5a83e1a
Compare
|
DCA looks good, except for a failure on mono (both variants failed - so most likely a spurious failure). |
michaelnebel
added
the
no-change-note-required
|
After re-running DCA for the mono project (failed in the first attempt), we get an extra alert. |
| } | ||
| } | ||
|
|
||
| private newtype TXssNode = | ||
| TXssDataFlowNode(DataFlow2::PathNode node) or | ||
| TXssDataFlowNode(DataFlow2::PathNode node) or // Deprecated |
There was a problem hiding this comment.
I don't think we want this, as it means we basically have to compute the flow graph twice. Instead, I think for this case we should simply break backwards compatibility.
There was a problem hiding this comment.
Ok - that is fair enough.
I will do that instead and add a change node (I suppose that is breaking change which requires bumping the major version number?)
michaelnebel
force-pushed
the
csharp/xssrefactor
branch
from
5a83e1a to
ee108a2
Compare
| --- | ||
| category: majorAnalysis | ||
| --- | ||
| * C#: Extending `TaintTrackingConfiguration` in `XSSQuery.qll` no longer affects query results. |
There was a problem hiding this comment.
I don't think this change note is needed, TBH. It was never intended for 3rd parties to customize the query by overriding the configuration itself; instead, they could add new sources or sinks.
There was a problem hiding this comment.
Alright - I will go ahead and remove it.
michaelnebel
force-pushed
the
csharp/xssrefactor
branch
from
ee108a2 to
0fdeeba
Compare
No description provided.