Merge pull request #18865 from carldybdahl-microsoft/csharp/path-combine

michaelnebel · web-flow · commit 96c0ca87fc50 · 2025-03-04T08:51:04.000+01:00
Add CodeQL recommendation against Path.Combine
diff --git a/csharp/ql/src/Bad Practices/PathCombine.qhelp b/csharp/ql/src/Bad Practices/PathCombine.qhelp
@@ -0,0 +1,18 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p><code>Path.Combine</code> may silently drop its earlier arguments if its later arguments are absolute paths. E.g. <code>Path.Combine("C:\\Users\\Me\\Documents", "C:\\Program Files\\") == "C:\\Program Files"</code>.</p>
+
+</overview>
+<recommendation>
+<p>Use <code>Path.Join</code> instead.</p>
+</recommendation>
+<references>
+
+  <li>Microsoft Learn, .NET API browser, <a href="https://learn.microsoft.com/en-us/dotnet/api/system.io.path.combine?view=net-9.0">Path.Combine</a>.</li>
+  <li>Microsoft Learn, .NET API browser, <a href="https://learn.microsoft.com/en-us/dotnet/api/system.io.path.join?view=net-9.0">Path.Join</a>.</li>
+
+</references>
+</qhelp>
diff --git a/csharp/ql/src/Bad Practices/PathCombine.ql b/csharp/ql/src/Bad Practices/PathCombine.ql
@@ -0,0 +1,16 @@
+/**
+ * @name Call to System.IO.Path.Combine
+ * @description Finds calls to System.IO.Path's Combine method
+ * @kind problem
+ * @problem.severity recommendation
+ * @precision very-high
+ * @id cs/path-combine
+ * @tags reliability
+ */
+
+import csharp
+import semmle.code.csharp.frameworks.System
+
+from MethodCall call
+where call.getTarget().hasFullyQualifiedName("System.IO", "Path", "Combine")
+select call, "Call to 'System.IO.Path.Combine'."
diff --git a/csharp/ql/src/change-notes/2025-02-26-path-combine.md b/csharp/ql/src/change-notes/2025-02-26-path-combine.md
@@ -0,0 +1,4 @@
+---
+category: newQuery
+---
+* Added a new query, `csharp/path-combine`, to recommend against the `Path.Combine` method due to it silently discarding its earlier parameters if later parameters are rooted.
diff --git a/csharp/ql/test/query-tests/Bad Practices/Path Combine/PathCombine.cs b/csharp/ql/test/query-tests/Bad Practices/Path Combine/PathCombine.cs
@@ -0,0 +1,14 @@
+using System.IO;
+
+class PathCombine
+{
+    void bad()
+    {
+        Path.Combine(@"C:\Users", @"C:\Program Files");
+    }
+
+    void good()
+    {
+        Path.Join(@"C:\Users", @"C:\Program Files");
+    }
+}
diff --git a/csharp/ql/test/query-tests/Bad Practices/Path Combine/PathCombine.expected b/csharp/ql/test/query-tests/Bad Practices/Path Combine/PathCombine.expected
@@ -0,0 +1 @@
+| PathCombine.cs:7:9:7:54 | call to method Combine | Call to 'System.IO.Path.Combine'. |
diff --git a/csharp/ql/test/query-tests/Bad Practices/Path Combine/PathCombine.qlref b/csharp/ql/test/query-tests/Bad Practices/Path Combine/PathCombine.qlref
@@ -0,0 +1 @@
+Bad Practices/PathCombine.ql
diff --git a/csharp/ql/test/query-tests/Bad Practices/Path Combine/options b/csharp/ql/test/query-tests/Bad Practices/Path Combine/options
@@ -0,0 +1,2 @@
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+\| PathCombine.cs:7:9:7:54 \| call to method Combine \| Call to 'System.IO.Path.Combine'. \|`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+semmle-extractor-options: /nostdlib /noconfig`
	`2`	`+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj`