C#: Convert cs/uncontrolled-format-string tests to use test inline expectations.

michaelnebel · michaelnebel · commit dda52a2c957a · 2025-04-24T10:42:05.000+02:00
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-134/ConsoleUncontrolledFormatString.cs b/csharp/ql/test/query-tests/Security Features/CWE-134/ConsoleUncontrolledFormatString.cs
@@ -5,9 +5,9 @@ public class Program
 {
     public static void Main()
     {
-        var format = Console.ReadLine();
+        var format = Console.ReadLine(); // $ Source
 
         // BAD: Uncontrolled format string.
-        var x = string.Format(format, 1, 2);
+        var x = string.Format(format, 1, 2); // $ Alert
     }
 }
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-134/UncontrolledFormatString.cs b/csharp/ql/test/query-tests/Security Features/CWE-134/UncontrolledFormatString.cs
@@ -6,13 +6,13 @@ public class TaintedPathHandler : IHttpHandler
 {
     public void ProcessRequest(HttpContext ctx)
     {
-        String path = ctx.Request.QueryString["page"];
+        String path = ctx.Request.QueryString["page"]; // $ Source
 
         // BAD: Uncontrolled format string.
-        String.Format(path, "Do not do this");
+        String.Format(path, "Do not do this"); // $ Alert
 
         // BAD: Using an IFormatProvider.
-        String.Format((IFormatProvider)null, path, "Do not do this");
+        String.Format((IFormatProvider)null, path, "Do not do this"); // $ Alert
 
         // GOOD: Not the format string.
         String.Format("Do not do this", path);
@@ -29,6 +29,6 @@ public void ProcessRequest(HttpContext ctx)
     void OnButtonClicked()
     {
         // BAD: Uncontrolled format string.
-        String.Format(box1.Text, "Do not do this");
+        String.Format(box1.Text, "Do not do this"); // $ Alert
     }
 }
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-134/UncontrolledFormatString.qlref b/csharp/ql/test/query-tests/Security Features/CWE-134/UncontrolledFormatString.qlref
@@ -1,2 +1,4 @@
 query: Security Features/CWE-134/UncontrolledFormatString.ql
-postprocess: utils/test/PrettyPrintModels.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-134/UncontrolledFormatStringBad.cs b/csharp/ql/test/query-tests/Security Features/CWE-134/UncontrolledFormatStringBad.cs
@@ -6,9 +6,9 @@ public class HttpHandler : IHttpHandler
 
     public void ProcessRequest(HttpContext ctx)
     {
-        string format = ctx.Request.QueryString["nameformat"];
+        string format = ctx.Request.QueryString["nameformat"]; // $ Source
 
         // BAD: Uncontrolled format string.
-        FormattedName = string.Format(format, Surname, Forenames);
+        FormattedName = string.Format(format, Surname, Forenames); // $ Alert
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -5,9 +5,9 @@ public class Program`
`5`	`5`	`{`
`6`	`6`	`public static void Main()`
`7`	`7`	`{`
`8`		`- var format = Console.ReadLine();`
	`8`	`+ var format = Console.ReadLine(); // $ Source`
`9`	`9`
`10`	`10`	`// BAD: Uncontrolled format string.`
`11`		`- var x = string.Format(format, 1, 2);`
	`11`	`+ var x = string.Format(format, 1, 2); // $ Alert`
`12`	`12`	`}`
`13`	`13`	`}`
Original file line number	Diff line number	Diff line change
`@@ -6,13 +6,13 @@ public class TaintedPathHandler : IHttpHandler`
`6`	`6`	`{`
`7`	`7`	`public void ProcessRequest(HttpContext ctx)`
`8`	`8`	`{`
`9`		`- String path = ctx.Request.QueryString["page"];`
	`9`	`+ String path = ctx.Request.QueryString["page"]; // $ Source`
`10`	`10`
`11`	`11`	`// BAD: Uncontrolled format string.`
`12`		`- String.Format(path, "Do not do this");`
	`12`	`+ String.Format(path, "Do not do this"); // $ Alert`
`13`	`13`
`14`	`14`	`// BAD: Using an IFormatProvider.`
`15`		`- String.Format((IFormatProvider)null, path, "Do not do this");`
	`15`	`+ String.Format((IFormatProvider)null, path, "Do not do this"); // $ Alert`
`16`	`16`
`17`	`17`	`// GOOD: Not the format string.`
`18`	`18`	`String.Format("Do not do this", path);`
`@@ -29,6 +29,6 @@ public void ProcessRequest(HttpContext ctx)`
`29`	`29`	`void OnButtonClicked()`
`30`	`30`	`{`
`31`	`31`	`// BAD: Uncontrolled format string.`
`32`		`- String.Format(box1.Text, "Do not do this");`
	`32`	`+ String.Format(box1.Text, "Do not do this"); // $ Alert`
`33`	`33`	`}`
`34`	`34`	`}`
Original file line number	Diff line number	Diff line change
`@@ -6,9 +6,9 @@ public class HttpHandler : IHttpHandler`
`6`	`6`
`7`	`7`	`public void ProcessRequest(HttpContext ctx)`
`8`	`8`	`{`
`9`		`- string format = ctx.Request.QueryString["nameformat"];`
	`9`	`+ string format = ctx.Request.QueryString["nameformat"]; // $ Source`
`10`	`10`
`11`	`11`	`// BAD: Uncontrolled format string.`
`12`		`- FormattedName = string.Format(format, Surname, Forenames);`
	`12`	`+ FormattedName = string.Format(format, Surname, Forenames); // $ Alert`
`13`	`13`	`}`
`14`	`14`	`}`