C#: Exclude Microsoft.Data.SqlClient.SqlCommand from the best effort SqlSink creation.

michaelnebel · michaelnebel · commit f3eafd33ff77 · 2025-06-26T08:46:49.000+02:00
diff --git a/csharp/ql/lib/semmle/code/csharp/frameworks/Sql.qll b/csharp/ql/lib/semmle/code/csharp/frameworks/Sql.qll
@@ -35,6 +35,7 @@ class IDbCommandConstructionSqlExpr extends SqlExpr, ObjectCreation {
       ic.getParameter(0).getType() instanceof StringType and
       not exists(Type t | t = ic.getDeclaringType() |
         // Known sealed classes:
+        t.hasFullyQualifiedName("Microsoft.Data.SqlClient", "SqlCommand") or
         t.hasFullyQualifiedName("System.Data.SqlClient", "SqlCommand") or
         t.hasFullyQualifiedName("System.Data.Odbc", "OdbcCommand") or
         t.hasFullyQualifiedName("System.Data.OleDb", "OleDbCommand") or
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-089-2/SqlInjection.expected b/csharp/ql/test/query-tests/Security Features/CWE-089-2/SqlInjection.expected
@@ -1,21 +1,11 @@
 #select
-| SqlInjection.cs:19:42:19:52 | access to local variable queryString | SqlInjection.cs:18:21:18:29 | access to property Text : String | SqlInjection.cs:19:42:19:52 | access to local variable queryString | This query depends on $@. | SqlInjection.cs:18:21:18:29 | access to property Text : String | this TextBox text |
-| SqlInjection.cs:28:42:28:52 | access to local variable queryString | SqlInjection.cs:27:21:27:38 | call to method ReadLine : String | SqlInjection.cs:28:42:28:52 | access to local variable queryString | This query depends on $@. | SqlInjection.cs:27:21:27:38 | call to method ReadLine : String | this read from stdin |
 edges
-| SqlInjection.cs:17:21:17:31 | access to local variable queryString : String | SqlInjection.cs:19:42:19:52 | access to local variable queryString | provenance |  |
-| SqlInjection.cs:18:21:18:29 | access to property Text : String | SqlInjection.cs:17:21:17:31 | access to local variable queryString : String | provenance |  |
-| SqlInjection.cs:26:21:26:31 | access to local variable queryString : String | SqlInjection.cs:28:42:28:52 | access to local variable queryString | provenance |  |
-| SqlInjection.cs:27:21:27:38 | call to method ReadLine : String | SqlInjection.cs:26:21:26:31 | access to local variable queryString : String | provenance | Src:MaD:1  |
-models
-| 1 | Source: System; Console; false; ReadLine; ; ; ReturnValue; stdin; manual |
 nodes
-| SqlInjection.cs:17:21:17:31 | access to local variable queryString : String | semmle.label | access to local variable queryString : String |
-| SqlInjection.cs:18:21:18:29 | access to property Text : String | semmle.label | access to property Text : String |
-| SqlInjection.cs:19:42:19:52 | access to local variable queryString | semmle.label | access to local variable queryString |
-| SqlInjection.cs:26:21:26:31 | access to local variable queryString : String | semmle.label | access to local variable queryString : String |
-| SqlInjection.cs:27:21:27:38 | call to method ReadLine : String | semmle.label | call to method ReadLine : String |
-| SqlInjection.cs:28:42:28:52 | access to local variable queryString | semmle.label | access to local variable queryString |
 subpaths
 testFailures
+| SqlInjection.cs:18:53:18:81 | // ... | Missing result: Source[cs/sql-injection] |
+| SqlInjection.cs:19:56:19:83 | // ... | Missing result: Alert[cs/sql-injection] |
 | SqlInjection.cs:20:56:20:83 | // ... | Missing result: Alert[cs/sql-injection] |
+| SqlInjection.cs:27:62:27:90 | // ... | Missing result: Source[cs/sql-injection] |
+| SqlInjection.cs:28:56:28:83 | // ... | Missing result: Alert[cs/sql-injection] |
 | SqlInjection.cs:29:56:29:83 | // ... | Missing result: Alert[cs/sql-injection] |
