Merge pull request #4679 from Evangelink/merges/2.9.x-to-master

Merge 2.9.x to master

src/NetAnalyzers/Core/AnalyzerReleases.Unshipped.md

@@ -1 +1 @@
-; Please do not edit this file manually, it should only be updated through code fix application.
+; Please do not edit this file manually, it should only be updated through code fix application.

src/NetAnalyzers/Core/Microsoft.NetFramework.Analyzers/DoNotUseInsecureDtdProcessing.cs

@@ -264,7 +264,7 @@ private void AnalyzeMethodOverloads(OperationAnalysisContext context, IMethodSym
                 }
                 else if (method.MatchMethodDerivedByName(_xmlTypes.XmlReader, SecurityMemberNames.Create))
                 {
-                    int xmlReaderSettingsIndex = SecurityDiagnosticHelpers.GetXmlReaderSettingsParameterIndex(method, _xmlTypes);
+                    int xmlReaderSettingsIndex = method.GetXmlReaderSettingsParameterIndex(_xmlTypes);
 
                     if (xmlReaderSettingsIndex < 0)
                     {
@@ -312,15 +312,15 @@ private void AnalyzeObjectCreationInternal(OperationAnalysisContext context, ISy
                     _objectCreationOperationsAnalyzed.Add(objCreation);
                 }
 
-                if (SecurityDiagnosticHelpers.IsXmlDocumentCtorDerived(objCreation.Constructor, _xmlTypes))
+                if (objCreation.Constructor.IsXmlDocumentCtorDerived(_xmlTypes))
                 {
                     AnalyzeObjectCreationForXmlDocument(context, variable, objCreation);
                 }
-                else if (SecurityDiagnosticHelpers.IsXmlTextReaderCtorDerived(objCreation.Constructor, _xmlTypes))
+                else if (objCreation.Constructor.IsXmlTextReaderCtorDerived(_xmlTypes))
                 {
                     AnalyzeObjectCreationForXmlTextReader(context, variable, objCreation);
                 }
-                else if (SecurityDiagnosticHelpers.IsXmlReaderSettingsCtor(objCreation.Constructor, _xmlTypes))
+                else if (objCreation.Constructor.IsXmlReaderSettingsCtor(_xmlTypes))
                 {
                     AnalyzeObjectCreationForXmlReaderSettings(variable, objCreation);
                 }

src/NetAnalyzers/Core/Microsoft.NetFramework.Analyzers/Helpers/SecurityDiagnosticHelpers.cs

@@ -12,14 +12,12 @@ namespace Microsoft.NetFramework.Analyzers.Helpers
 {
     public static class SecurityDiagnosticHelpers
     {
-        public static bool IsXslCompiledTransformLoad([NotNullWhen(returnValue: true)] IMethodSymbol? method, CompilationSecurityTypes xmlTypes)
-        {
-            return method != null
+        public static bool IsXslCompiledTransformLoad([NotNullWhen(returnValue: true)] this IMethodSymbol? method, CompilationSecurityTypes xmlTypes)
+            => method != null
                 && xmlTypes.XslCompiledTransform != null
                 && method.MatchMethodByName(xmlTypes.XslCompiledTransform, SecurityMemberNames.Load);
-        }
 
-        public static bool IsXmlDocumentCtorDerived([NotNullWhen(returnValue: true)] IMethodSymbol? method, CompilationSecurityTypes xmlTypes)
+        public static bool IsXmlDocumentCtorDerived([NotNullWhen(returnValue: true)] this IMethodSymbol? method, CompilationSecurityTypes xmlTypes)
         {
             return method != null
                 && xmlTypes.XmlDocument != null
@@ -31,7 +29,7 @@ public static bool IsXmlDocumentXmlResolverProperty([NotNullWhen(returnValue: tr
             return IsSpecifiedProperty(symbol, xmlTypes.XmlDocument, SecurityMemberNames.XmlResolver);
         }
 
-        public static bool IsXmlTextReaderCtorDerived([NotNullWhen(returnValue: true)] IMethodSymbol? method, CompilationSecurityTypes xmlTypes)
+        public static bool IsXmlTextReaderCtorDerived([NotNullWhen(returnValue: true)] this IMethodSymbol? method, CompilationSecurityTypes xmlTypes)
         {
             return method != null
                 && xmlTypes.XmlTextReader != null
@@ -58,7 +56,7 @@ public static bool IsXmlTextReaderDtdProcessingProperty([NotNullWhen(returnValue
             return IsSpecifiedProperty(symbol, xmlTypes.XmlTextReader, SecurityMemberNames.DtdProcessing);
         }
 
-        public static bool IsXmlReaderSettingsCtor([NotNullWhen(returnValue: true)] IMethodSymbol? method, CompilationSecurityTypes xmlTypes)
+        public static bool IsXmlReaderSettingsCtor([NotNullWhen(returnValue: true)] this IMethodSymbol? method, CompilationSecurityTypes xmlTypes)
         {
             return method != null
                 && xmlTypes.XmlReaderSettings != null
@@ -80,44 +78,32 @@ public static bool IsXmlReaderSettingsMaxCharactersFromEntitiesProperty([NotNull
             return IsSpecifiedProperty(symbol, xmlTypes.XmlReaderSettings, SecurityMemberNames.MaxCharactersFromEntities);
         }
 
-        public static bool IsXsltSettingsCtor([NotNullWhen(returnValue: true)] IMethodSymbol? method, CompilationSecurityTypes xmlTypes)
-        {
-            return method != null
+        public static bool IsXsltSettingsCtor([NotNullWhen(returnValue: true)] this IMethodSymbol? method, CompilationSecurityTypes xmlTypes)
+            => method != null
                 && xmlTypes.XsltSettings != null
                 && method.MatchMethodByName(xmlTypes.XsltSettings, WellKnownMemberNames.InstanceConstructorName);
-        }
 
-        public static bool IsXsltSettingsTrustedXsltProperty([NotNullWhen(returnValue: true)] IPropertySymbol? symbol, CompilationSecurityTypes xmlTypes)
-        {
-            return IsSpecifiedProperty(symbol, xmlTypes.XsltSettings, SecurityMemberNames.TrustedXslt);
-        }
+        public static bool IsXsltSettingsTrustedXsltProperty([NotNullWhen(returnValue: true)] this IPropertySymbol? symbol, CompilationSecurityTypes xmlTypes)
+            => IsSpecifiedProperty(symbol, xmlTypes.XsltSettings, SecurityMemberNames.TrustedXslt);
 
-        public static bool IsXsltSettingsDefaultProperty([NotNullWhen(returnValue: true)] IPropertySymbol? symbol, CompilationSecurityTypes xmlTypes)
-        {
-            return IsSpecifiedProperty(symbol, xmlTypes.XsltSettings, SecurityMemberNames.Default);
-        }
+        public static bool IsXsltSettingsDefaultProperty([NotNullWhen(returnValue: true)] this IPropertySymbol? symbol, CompilationSecurityTypes xmlTypes)
+            => IsSpecifiedProperty(symbol, xmlTypes.XsltSettings, SecurityMemberNames.Default);
 
-        public static bool IsXsltSettingsEnableDocumentFunctionProperty([NotNullWhen(returnValue: true)] IPropertySymbol? symbol, CompilationSecurityTypes xmlTypes)
-        {
-            return IsSpecifiedProperty(symbol, xmlTypes.XsltSettings, SecurityMemberNames.EnableDocumentFunction);
-        }
+        public static bool IsXsltSettingsEnableDocumentFunctionProperty([NotNullWhen(returnValue: true)] this IPropertySymbol? symbol, CompilationSecurityTypes xmlTypes)
+            => IsSpecifiedProperty(symbol, xmlTypes.XsltSettings, SecurityMemberNames.EnableDocumentFunction);
 
-        public static bool IsXsltSettingsEnableScriptProperty([NotNullWhen(returnValue: true)] IPropertySymbol? symbol, CompilationSecurityTypes xmlTypes)
-        {
-            return IsSpecifiedProperty(symbol, xmlTypes.XsltSettings, SecurityMemberNames.EnableScript);
-        }
+        public static bool IsXsltSettingsEnableScriptProperty([NotNullWhen(returnValue: true)] this IPropertySymbol? symbol, CompilationSecurityTypes xmlTypes)
+            => IsSpecifiedProperty(symbol, xmlTypes.XsltSettings, SecurityMemberNames.EnableScript);
 
         public static bool IsXmlResolverType([NotNullWhen(returnValue: true)] ITypeSymbol? symbol, CompilationSecurityTypes xmlTypes)
         {
             return symbol != null
                 && symbol.DerivesFrom(xmlTypes.XmlResolver, baseTypesOnly: true);
         }
 
-        public static bool IsXmlSecureResolverType([NotNullWhen(returnValue: true)] ITypeSymbol? symbol, CompilationSecurityTypes xmlTypes)
-        {
-            return symbol != null
+        public static bool IsXmlSecureResolverType([NotNullWhen(returnValue: true)] this ITypeSymbol? symbol, CompilationSecurityTypes xmlTypes)
+            => symbol != null
                 && symbol.DerivesFrom(xmlTypes.XmlSecureResolver, baseTypesOnly: true);
-        }
 
         public static bool IsXsltSettingsType([NotNullWhen(returnValue: true)] ITypeSymbol? symbol, CompilationSecurityTypes xmlTypes)
         {
@@ -129,17 +115,13 @@ public static bool IsXmlReaderSettingsType([NotNullWhen(returnValue: true)] ITyp
             return Equals(symbol, xmlTypes.XmlReaderSettings);
         }
 
-        public static int GetXmlResolverParameterIndex(IMethodSymbol? method, CompilationSecurityTypes xmlTypes)
-        {
-            return GetSpecifiedParameterIndex(method, xmlTypes, IsXmlResolverType);
-        }
+        public static int GetXmlResolverParameterIndex(this IMethodSymbol? method, CompilationSecurityTypes xmlTypes)
+            => GetSpecifiedParameterIndex(method, xmlTypes, IsXmlResolverType);
 
-        public static int GetXsltSettingsParameterIndex(IMethodSymbol? method, CompilationSecurityTypes xmlTypes)
-        {
-            return GetSpecifiedParameterIndex(method, xmlTypes, IsXsltSettingsType);
-        }
+        public static int GetXsltSettingsParameterIndex(this IMethodSymbol? method, CompilationSecurityTypes xmlTypes)
+            => GetSpecifiedParameterIndex(method, xmlTypes, IsXsltSettingsType);
 
-        public static int GetXmlReaderSettingsParameterIndex(IMethodSymbol? method, CompilationSecurityTypes xmlTypes)
+        public static int GetXmlReaderSettingsParameterIndex(this IMethodSymbol? method, CompilationSecurityTypes xmlTypes)
         {
             return GetSpecifiedParameterIndex(method, xmlTypes, IsXmlReaderSettingsType);
         }
@@ -263,6 +245,30 @@ public static string GetNonEmptyParentName(SyntaxNode current, SemanticModel mod
             return string.Empty;
         }
 
+        /// <summary>
+        /// Get class or method name which encloses the current symbol node
+        /// </summary>
+        public static string GetNonEmptyParentName(ISymbol symbol)
+        {
+            var current = symbol;
+            while (current.ContainingSymbol != null)
+            {
+                switch (current)
+                {
+                    case IMethodSymbol method:
+                        return method.MethodKind == MethodKind.Ordinary
+                            ? method.Name
+                            : method.ContainingType.Name;
+                    case INamedTypeSymbol namedType:
+                        return namedType.Name;
+                }
+
+                current = symbol.ContainingSymbol;
+            }
+
+            return string.Empty;
+        }
+
         /// <summary>
         /// Gets the version of the target .NET framework of the compilation.
         /// </summary>

src/NetAnalyzers/Core/Microsoft.NetFramework.Analyzers/Helpers/SyntaxNodeHelper.cs

@@ -57,11 +57,6 @@ protected enum CallKinds
             return symbol;
         }
 
-        public IEnumerable<SyntaxNode> GetCallArgumentExpressionNodes(SyntaxNode node)
-        {
-            return GetCallArgumentExpressionNodes(node, CallKinds.AnyCall);
-        }
-
         public IEnumerable<SyntaxNode> GetInvocationArgumentExpressionNodes(SyntaxNode node)
         {
             return GetCallArgumentExpressionNodes(node, CallKinds.Invocation);
@@ -85,17 +80,6 @@ public static IEnumerable<IMethodSymbol> GetCandidateCalleeMethodSymbols(SyntaxN
             }
         }
 
-        public IEnumerable<IMethodSymbol> GetCalleeMethodSymbols(SyntaxNode? node, SemanticModel semanticModel)
-        {
-            IMethodSymbol? symbol = GetCalleeMethodSymbol(node, semanticModel);
-            if (symbol != null)
-            {
-                return new List<IMethodSymbol>() { symbol };
-            }
-
-            return GetCandidateCalleeMethodSymbols(node, semanticModel);
-        }
-
         public static IPropertySymbol? GetCalleePropertySymbol(SyntaxNode? node, SemanticModel semanticModel)
         {
             ISymbol? symbol = GetReferencedSymbol(node, semanticModel);
@@ -107,17 +91,6 @@ public IEnumerable<IMethodSymbol> GetCalleeMethodSymbols(SyntaxNode? node, Seman
             return null;
         }
 
-        public static IFieldSymbol? GetCalleeFieldSymbol(SyntaxNode? node, SemanticModel semanticModel)
-        {
-            ISymbol? symbol = GetReferencedSymbol(node, semanticModel);
-            if (symbol != null && symbol.Kind == SymbolKind.Field)
-            {
-                return (IFieldSymbol)symbol;
-            }
-
-            return null;
-        }
-
         public static ISymbol? GetSymbol(SyntaxNode? node, SemanticModel semanticModel)
         {
             return GetDeclaredSymbol(node, semanticModel) ?? GetReferencedSymbol(node, semanticModel);
@@ -163,17 +136,6 @@ public static bool NodeHasConstantValueNull(SyntaxNode? node, SemanticModel? mod
             return value.HasValue && value.Value == null;
         }
 
-        public static bool NodeHasConstantValueIntZero(SyntaxNode? node, SemanticModel? model)
-        {
-            if (node == null || model == null)
-            {
-                return false;
-            }
-            Optional<object> value = model.GetConstantValue(node);
-            return value.HasValue &&
-                   value.Value is 0;
-        }
-
         public static bool NodeHasConstantValueBoolFalse(SyntaxNode? node, SemanticModel? model)
         {
             if (node == null || model == null)

src/NetAnalyzers/Microsoft.CodeAnalysis.NetAnalyzers.sarif

@@ -420,25 +420,6 @@
             ]
           }
         },
-        "CA3076": {
-          "id": "CA3076",
-          "shortDescription": "Insecure XSLT script processing.",
-          "fullDescription": "Providing an insecure XsltSettings instance and an insecure XmlResolver instance to XslCompiledTransform.Load method is potentially unsafe as it allows processing script within XSL, which on an untrusted XSL input may lead to malicious code execution. Either replace the insecure XsltSettings argument with XsltSettings.Default or an instance that has disabled document function and script execution, or replace the XmlResolver argument with null or an XmlSecureResolver instance. This message may be suppressed if the input is known to be from a trusted source and external resource resolution from locations that are not known in advance must be supported.",
-          "defaultLevel": "hidden",
-          "helpUri": "https://docs.microsoft.com/dotnet/fundamentals/code-analysis/quality-rules/ca3076",
-          "properties": {
-            "category": "Security",
-            "isEnabledByDefault": true,
-            "typeName": "CSharpDoNotUseInsecureXSLTScriptExecutionAnalyzer",
-            "languages": [
-              "C#"
-            ],
-            "tags": [
-              "Telemetry",
-              "EnabledRuleInAggressiveMode"
-            ]
-          }
-        },
         "CA3077": {
           "id": "CA3077",
           "shortDescription": "Insecure Processing in API Design, XmlDocument and XmlTextReader",
@@ -4001,6 +3982,26 @@
             ]
           }
         },
+        "CA3076": {
+          "id": "CA3076",
+          "shortDescription": "Insecure XSLT script processing.",
+          "fullDescription": "Providing an insecure XsltSettings instance and an insecure XmlResolver instance to XslCompiledTransform.Load method is potentially unsafe as it allows processing script within XSL, which on an untrusted XSL input may lead to malicious code execution. Either replace the insecure XsltSettings argument with XsltSettings.Default or an instance that has disabled document function and script execution, or replace the XmlResolver argument with null or an XmlSecureResolver instance. This message may be suppressed if the input is known to be from a trusted source and external resource resolution from locations that are not known in advance must be supported.",
+          "defaultLevel": "hidden",
+          "helpUri": "https://docs.microsoft.com/dotnet/fundamentals/code-analysis/quality-rules/ca3076",
+          "properties": {
+            "category": "Security",
+            "isEnabledByDefault": true,
+            "typeName": "DoNotUseInsecureXSLTScriptExecutionAnalyzer",
+            "languages": [
+              "C#",
+              "Visual Basic"
+            ],
+            "tags": [
+              "Telemetry",
+              "EnabledRuleInAggressiveMode"
+            ]
+          }
+        },
         "CA3147": {
           "id": "CA3147",
           "shortDescription": "Mark Verb Handlers With Validate Antiforgery Token",
@@ -5496,25 +5497,6 @@
             ]
           }
         },
-        "CA3076": {
-          "id": "CA3076",
-          "shortDescription": "Insecure XSLT script processing.",
-          "fullDescription": "Providing an insecure XsltSettings instance and an insecure XmlResolver instance to XslCompiledTransform.Load method is potentially unsafe as it allows processing script within XSL, which on an untrusted XSL input may lead to malicious code execution. Either replace the insecure XsltSettings argument with XsltSettings.Default or an instance that has disabled document function and script execution, or replace the XmlResolver argument with null or an XmlSecureResolver instance. This message may be suppressed if the input is known to be from a trusted source and external resource resolution from locations that are not known in advance must be supported.",
-          "defaultLevel": "hidden",
-          "helpUri": "https://docs.microsoft.com/dotnet/fundamentals/code-analysis/quality-rules/ca3076",
-          "properties": {
-            "category": "Security",
-            "isEnabledByDefault": true,
-            "typeName": "BasicDoNotUseInsecureXSLTScriptExecutionAnalyzer",
-            "languages": [
-              "Visual Basic"
-            ],
-            "tags": [
-              "Telemetry",
-              "EnabledRuleInAggressiveMode"
-            ]
-          }
-        },
         "CA3077": {
           "id": "CA3077",
           "shortDescription": "Insecure Processing in API Design, XmlDocument and XmlTextReader",

src/NetAnalyzers/UnitTests/Microsoft.NetFramework.Analyzers/DoNotUseInsecureXSLTScriptExecutionXslCompiledTransformLoadInsecureConstructedSettingsTests.cs

@@ -5,10 +5,10 @@
 using Microsoft.CodeAnalysis.Testing;
 using Xunit;
 using VerifyCS = Test.Utilities.CSharpSecurityCodeFixVerifier<
-    Microsoft.NetFramework.CSharp.Analyzers.CSharpDoNotUseInsecureXSLTScriptExecutionAnalyzer,
+    Microsoft.NetFramework.Analyzers.DoNotUseInsecureXSLTScriptExecutionAnalyzer,
     Microsoft.CodeAnalysis.Testing.EmptyCodeFixProvider>;
 using VerifyVB = Test.Utilities.VisualBasicSecurityCodeFixVerifier<
-    Microsoft.NetFramework.VisualBasic.Analyzers.BasicDoNotUseInsecureXSLTScriptExecutionAnalyzer,
+    Microsoft.NetFramework.Analyzers.DoNotUseInsecureXSLTScriptExecutionAnalyzer,
     Microsoft.CodeAnalysis.Testing.EmptyCodeFixProvider>;
 
 namespace Microsoft.NetFramework.Analyzers.UnitTests