Merge pull request #10158 from michaelnebel/csharp/narrowcollectiontypes

C#: Narrow collection like types in model generation.

Author: michaelnebel

csharp/ql/lib/semmle/code/csharp/frameworks/generated/dotnet/NegativeRuntime.qll

@@ -234,6 +234,7 @@ string captureSource(TargetApi api) {
     config.hasFlow(source, sink) and
     ExternalFlow::sourceNode(source, kind) and
     api = sink.getEnclosingCallable() and
+    isRelevantSourceKind(kind) and
     result = asSourceModel(api, returnNodeAsOutput(sink), kind)
   )
 }

csharp/ql/lib/semmle/code/csharp/frameworks/generated/dotnet/Runtime.qll

@@ -58,6 +58,31 @@ predicate asPartialModel = DataFlowPrivate::Csv::asPartialModel/1;
 
 predicate asPartialNegativeModel = DataFlowPrivate::Csv::asPartialNegativeModel/1;
 
+/**
+ * Holds if `t` is a type that is generally used for bulk data in collection types.
+ * Eg. char[] is roughly equivalent to string and thus a highly
+ * relevant type for model generation.
+ */
+private predicate isPrimitiveTypeUsedForBulkData(CS::Type t) {
+  t instanceof CS::ByteType or
+  t instanceof CS::CharType
+}
+
+/**
+ * Holds if the collection type `ct` is irrelevant for model generation.
+ * Collection types where the type of the elements are
+ * (1) unknown - are considered relevant.
+ * (2) known - at least one the child types should be relevant (a non-simple type
+ * or a type used for bulk data)
+ */
+private predicate irrelevantCollectionType(CS::Type ct) {
+  Collections::isCollectionType(ct) and
+  forex(CS::Type child | child = ct.getAChild() |
+    child instanceof CS::SimpleType and
+    not isPrimitiveTypeUsedForBulkData(child)
+  )
+}
+
 /**
  * Holds for type `t` for fields that are relevant as an intermediate
  * read or write step in the data flow analysis.
@@ -66,7 +91,8 @@ predicate asPartialNegativeModel = DataFlowPrivate::Csv::asPartialNegativeModel/
  */
 predicate isRelevantType(CS::Type t) {
   not t instanceof CS::SimpleType and
-  not t instanceof CS::Enum
+  not t instanceof CS::Enum and
+  not irrelevantCollectionType(t)
 }
 
 /**
@@ -167,3 +193,9 @@ string asInputArgument(DataFlow::Node source) {
  */
 bindingset[kind]
 predicate isRelevantSinkKind(string kind) { any() }
+
+/**
+ * Holds if `kind` is a relevant source kind for creating source models.
+ */
+bindingset[kind]
+predicate isRelevantSourceKind(string kind) { not kind = "file" }

csharp/ql/src/utils/model-generator/internal/CaptureModels.qll

@@ -1,5 +1,8 @@
 | NoSummaries;BaseClass;M1;(System.String);generated |
 | NoSummaries;BaseClass;M2;(System.String);generated |
+| NoSummaries;CollectionFlow;ReturnSimpleTypeArray;(System.Int32[]);generated |
+| NoSummaries;CollectionFlow;ReturnSimpleTypeDictionary;(System.Collections.Generic.Dictionary<System.Int32,System.Int32>);generated |
+| NoSummaries;CollectionFlow;ReturnSimpleTypeList;(System.Collections.Generic.List<System.Int32>);generated |
 | NoSummaries;EquatableBound;Equals;(System.Object);generated |
 | NoSummaries;EquatableUnBound<>;Equals;(T);generated |
 | NoSummaries;SimpleTypes;M1;(System.Boolean);generated |

csharp/ql/src/utils/model-generator/internal/CaptureModelsSpecific.qll

@@ -13,8 +13,13 @@
 | Summaries;CollectionFlow;false;AssignFieldToArray;(System.Object[]);;Argument[this];Argument[0].Element;taint;generated |
 | Summaries;CollectionFlow;false;AssignToArray;(System.Object,System.Object[]);;Argument[0];Argument[1].Element;taint;generated |
 | Summaries;CollectionFlow;false;ReturnArrayElement;(System.Object[]);;Argument[0].Element;ReturnValue;taint;generated |
+| Summaries;CollectionFlow;false;ReturnBulkTypeList;(System.Collections.Generic.List<System.Byte>);;Argument[0].Element;ReturnValue;taint;generated |
+| Summaries;CollectionFlow;false;ReturnComplexTypeArray;(System.String[]);;Argument[0].Element;ReturnValue;taint;generated |
+| Summaries;CollectionFlow;false;ReturnComplexTypeDictionary;(System.Collections.Generic.Dictionary<System.Int32,System.String>);;Argument[0].Element;ReturnValue;taint;generated |
 | Summaries;CollectionFlow;false;ReturnFieldInAList;();;Argument[this];ReturnValue;taint;generated |
 | Summaries;CollectionFlow;false;ReturnListElement;(System.Collections.Generic.List<System.Object>);;Argument[0].Element;ReturnValue;taint;generated |
+| Summaries;CollectionFlow;false;ReturnUntypedArray;(System.Array);;Argument[0].Element;ReturnValue;taint;generated |
+| Summaries;CollectionFlow;false;ReturnUntypedList;(System.Collections.IList);;Argument[0].Element;ReturnValue;taint;generated |
 | Summaries;DerivedClass1Flow;false;ReturnParam1;(System.String,System.String);;Argument[1];ReturnValue;taint;generated |
 | Summaries;DerivedClass2Flow;false;ReturnParam0;(System.String,System.Int32);;Argument[0];ReturnValue;taint;generated |
 | Summaries;DerivedClass2Flow;false;ReturnParam;(System.Object);;Argument[0];ReturnValue;taint;generated |

csharp/ql/test/library-tests/dataflow/library/FlowSummaries.expected

@@ -1,4 +1,5 @@
 using System;
+using System.Collections.Generic;
 
 namespace NoSummaries;
 
@@ -110,4 +111,24 @@ public virtual string M1(string s)
 
     // Negative summary.
     public abstract string M2(string s);
+}
+
+// No methods in this class will have generated flow as
+// the simple types used in the collection are not bulk data types.
+public class CollectionFlow
+{
+    public int[] ReturnSimpleTypeArray(int[] a)
+    {
+        return a;
+    }
+
+    public List<int> ReturnSimpleTypeList(List<int> a)
+    {
+        return a;
+    }
+
+    public Dictionary<int, int> ReturnSimpleTypeDictionary(Dictionary<int, int> a)
+    {
+        return a;
+    }
 }

csharp/ql/test/library-tests/dataflow/library/FlowSummariesFiltered.expected

@@ -1,5 +1,6 @@
 using System;
 using System.Linq;
+using System.Collections;
 using System.Collections.Generic;
 
 namespace Summaries;
@@ -85,6 +86,31 @@ public List<string> ReturnFieldInAList()
     {
         return new List<string> { tainted };
     }
+
+    public string[] ReturnComplexTypeArray(string[] a)
+    {
+        return a;
+    }
+
+    public List<byte> ReturnBulkTypeList(List<byte> a)
+    {
+        return a;
+    }
+
+    public Dictionary<int, string> ReturnComplexTypeDictionary(Dictionary<int, string> a)
+    {
+        return a;
+    }
+
+    public Array ReturnUntypedArray(Array a)
+    {
+        return a;
+    }
+
+    public IList ReturnUntypedList(IList a)
+    {
+        return a;
+    }
 }
 
 public class IEnumerableFlow