C#: Update SQL Injection with testcase with found vulnerability.

michaelnebel · michaelnebel · commit c3adb990a3b9 · 2022-08-10T14:49:20.000+02:00
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-089/SqlInjection.expected b/csharp/ql/test/query-tests/Security Features/CWE-089/SqlInjection.expected
@@ -23,6 +23,15 @@ edges
 | SqlInjectionSqlite.cs:24:41:24:58 | access to property Text : String | SqlInjectionSqlite.cs:24:23:24:71 | object creation of type SQLiteCommand : SQLiteCommand |
 | SqlInjectionSqlite.cs:33:49:33:61 | access to field untrustedData : TextBox | SqlInjectionSqlite.cs:33:49:33:66 | access to property Text |
 | SqlInjectionSqlite.cs:39:45:39:57 | access to field untrustedData : TextBox | SqlInjectionSqlite.cs:39:45:39:62 | access to property Text |
+| SqlInjectionSqlite.cs:49:36:49:84 | object creation of type FileStream : FileStream | SqlInjectionSqlite.cs:51:59:51:60 | access to local variable fs : FileStream |
+| SqlInjectionSqlite.cs:49:51:49:63 | access to field untrustedData : TextBox | SqlInjectionSqlite.cs:49:51:49:68 | access to property Text : String |
+| SqlInjectionSqlite.cs:49:51:49:68 | access to property Text : String | SqlInjectionSqlite.cs:49:36:49:84 | object creation of type FileStream : FileStream |
+| SqlInjectionSqlite.cs:51:42:51:76 | object creation of type StreamReader : StreamReader | SqlInjectionSqlite.cs:54:35:54:36 | access to local variable sr : StreamReader |
+| SqlInjectionSqlite.cs:51:59:51:60 | access to local variable fs : FileStream | SqlInjectionSqlite.cs:51:42:51:76 | object creation of type StreamReader : StreamReader |
+| SqlInjectionSqlite.cs:54:35:54:36 | access to local variable sr : StreamReader | SqlInjectionSqlite.cs:54:35:54:47 | call to method ReadLine : String |
+| SqlInjectionSqlite.cs:54:35:54:47 | call to method ReadLine : String | SqlInjectionSqlite.cs:56:31:56:33 | access to local variable sql : String |
+| SqlInjectionSqlite.cs:56:31:56:33 | access to local variable sql : String | SqlInjectionSqlite.cs:56:31:56:40 | call to method Trim : String |
+| SqlInjectionSqlite.cs:56:31:56:40 | call to method Trim : String | SqlInjectionSqlite.cs:61:53:61:55 | access to local variable sql |
 nodes
 | SqlInjection.cs:33:21:33:35 | access to field categoryTextBox : TextBox | semmle.label | access to field categoryTextBox : TextBox |
 | SqlInjection.cs:33:21:33:40 | access to property Text : String | semmle.label | access to property Text : String |
@@ -63,6 +72,16 @@ nodes
 | SqlInjectionSqlite.cs:39:45:39:57 | access to field untrustedData : TextBox | semmle.label | access to field untrustedData : TextBox |
 | SqlInjectionSqlite.cs:39:45:39:62 | access to property Text | semmle.label | access to property Text |
 | SqlInjectionSqlite.cs:44:45:44:47 | access to local variable cmd | semmle.label | access to local variable cmd |
+| SqlInjectionSqlite.cs:49:36:49:84 | object creation of type FileStream : FileStream | semmle.label | object creation of type FileStream : FileStream |
+| SqlInjectionSqlite.cs:49:51:49:63 | access to field untrustedData : TextBox | semmle.label | access to field untrustedData : TextBox |
+| SqlInjectionSqlite.cs:49:51:49:68 | access to property Text : String | semmle.label | access to property Text : String |
+| SqlInjectionSqlite.cs:51:42:51:76 | object creation of type StreamReader : StreamReader | semmle.label | object creation of type StreamReader : StreamReader |
+| SqlInjectionSqlite.cs:51:59:51:60 | access to local variable fs : FileStream | semmle.label | access to local variable fs : FileStream |
+| SqlInjectionSqlite.cs:54:35:54:36 | access to local variable sr : StreamReader | semmle.label | access to local variable sr : StreamReader |
+| SqlInjectionSqlite.cs:54:35:54:47 | call to method ReadLine : String | semmle.label | call to method ReadLine : String |
+| SqlInjectionSqlite.cs:56:31:56:33 | access to local variable sql : String | semmle.label | access to local variable sql : String |
+| SqlInjectionSqlite.cs:56:31:56:40 | call to method Trim : String | semmle.label | call to method Trim : String |
+| SqlInjectionSqlite.cs:61:53:61:55 | access to local variable sql | semmle.label | access to local variable sql |
 subpaths
 #select
 | SqlInjection.cs:34:50:34:55 | access to local variable query1 | SqlInjection.cs:33:21:33:35 | access to field categoryTextBox : TextBox | SqlInjection.cs:34:50:34:55 | access to local variable query1 | Query might include code from $@. | SqlInjection.cs:33:21:33:35 | access to field categoryTextBox : TextBox | this ASP.NET user input |
@@ -83,3 +102,4 @@ subpaths
 | SqlInjectionSqlite.cs:33:49:33:66 | access to property Text | SqlInjectionSqlite.cs:33:49:33:61 | access to field untrustedData : TextBox | SqlInjectionSqlite.cs:33:49:33:66 | access to property Text | Query might include code from $@. | SqlInjectionSqlite.cs:33:49:33:61 | access to field untrustedData : TextBox | this ASP.NET user input |
 | SqlInjectionSqlite.cs:39:45:39:62 | access to property Text | SqlInjectionSqlite.cs:39:45:39:57 | access to field untrustedData : TextBox | SqlInjectionSqlite.cs:39:45:39:62 | access to property Text | Query might include code from $@. | SqlInjectionSqlite.cs:39:45:39:57 | access to field untrustedData : TextBox | this ASP.NET user input |
 | SqlInjectionSqlite.cs:44:45:44:47 | access to local variable cmd | SqlInjectionSqlite.cs:24:41:24:53 | access to field untrustedData : TextBox | SqlInjectionSqlite.cs:44:45:44:47 | access to local variable cmd | Query might include code from $@. | SqlInjectionSqlite.cs:24:41:24:53 | access to field untrustedData : TextBox | this ASP.NET user input |
+| SqlInjectionSqlite.cs:61:53:61:55 | access to local variable sql | SqlInjectionSqlite.cs:49:51:49:63 | access to field untrustedData : TextBox | SqlInjectionSqlite.cs:61:53:61:55 | access to local variable sql | Query might include code from $@. | SqlInjectionSqlite.cs:49:51:49:63 | access to field untrustedData : TextBox | this ASP.NET user input |
