|
// Copyright (c) Microsoft. All Rights Reserved. Licensed under the MIT license. See License.txt in the project root for license information.
using System.Threading.Tasks;
using Microsoft.CodeAnalysis.Testing;
using Test.Utilities;
using Xunit;
using VerifyCS = Test.Utilities.CSharpSecurityCodeFixVerifier<
Microsoft.NetCore.Analyzers.Security.DoNotUseInsecureDeserializerLosFormatter,
Microsoft.CodeAnalysis.Testing.EmptyCodeFixProvider>;
using VerifyVB = Test.Utilities.VisualBasicSecurityCodeFixVerifier<
Microsoft.NetCore.Analyzers.Security.DoNotUseInsecureDeserializerLosFormatter,
Microsoft.CodeAnalysis.Testing.EmptyCodeFixProvider>;
namespace Microsoft.NetCore.Analyzers.Security.UnitTests
{
public class DoNotUseInsecureDeserializerLosFormatterTests
{
[Fact]
public async Task DocSample1_CSharp_Violation_DiagnosticAsync()
{
await VerifyCSharpAnalyzerAsync(@"
using System.IO;
using System.Web.UI;
public class ExampleClass
{
public object MyDeserialize(byte[] bytes)
{
LosFormatter formatter = new LosFormatter();
return formatter.Deserialize(new MemoryStream(bytes));
}
}",
GetCSharpResultAt(10, 16, "object LosFormatter.Deserialize(Stream stream)"));
}
[Fact]
public async Task DocSample1_VB_Violation_DiagnosticAsync()
{
await VerifyBasicAnalyzerAsync(@"
Imports System.IO
Imports System.Web.UI
Public Class ExampleClass
Public Function MyDeserialize(bytes As Byte()) As Object
Dim formatter As LosFormatter = New LosFormatter()
Return formatter.Deserialize(New MemoryStream(bytes))
End Function
End Class",
GetBasicResultAt(8, 16, "Function LosFormatter.Deserialize(stream As Stream) As Object"));
}
[Fact]
public async Task DeserializeStream_DiagnosticAsync()
{
await VerifyCSharpAnalyzerAsync(@"
using System.IO;
using System.Web.UI;
namespace Blah
{
public class Program
{
public object Deserialize(byte[] bytes)
{
LosFormatter formatter = new LosFormatter();
return formatter.Deserialize(new MemoryStream(bytes));
}
}
}",
GetCSharpResultAt(12, 20, "object LosFormatter.Deserialize(Stream stream)"));
}
[Fact]
public async Task DeserializeString_DiagnosticAsync()
{
await VerifyCSharpAnalyzerAsync(@"
using System.IO;
using System.Web.UI;
namespace Blah
{
public class Program
{
public object Deserialize(string input)
{
LosFormatter formatter = new LosFormatter();
return formatter.Deserialize(input);
}
}
}",
GetCSharpResultAt(12, 20, "object LosFormatter.Deserialize(string input)"));
}
[Fact]
public async Task DeserializeTextReader_DiagnosticAsync()
{
await VerifyCSharpAnalyzerAsync(@"
using System.IO;
using System.Web.UI;
namespace Blah
{
public class Program
{
public object Deserialize(TextReader tr)
{
LosFormatter formatter = new LosFormatter();
return formatter.Deserialize(tr);
}
}
}",
GetCSharpResultAt(12, 20, "object LosFormatter.Deserialize(TextReader input)"));
}
[Fact]
public async Task Deserialize_Reference_DiagnosticAsync()
{
await VerifyCSharpAnalyzerAsync(@"
using System.IO;
using System.Web.UI;
namespace Blah
{
public class Program
{
public delegate object Des(string s);
public Des GetDeserializer()
{
LosFormatter formatter = new LosFormatter();
return formatter.Deserialize;
}
}
}",
GetCSharpResultAt(13, 20, "object LosFormatter.Deserialize(string input)"));
}
[Fact]
public async Task Serialize_NoDiagnosticAsync()
{
await VerifyCSharpAnalyzerAsync(@"
using System.IO;
using System.Web.UI;
namespace Blah
{
public class Program
{
public byte[] Serialize(object o)
{
LosFormatter formatter = new LosFormatter();
MemoryStream stream = new MemoryStream();
formatter.Serialize(stream, o);
return stream.ToArray();
}
}
}");
}
[Fact]
public async Task Serialize_Reference_NoDiagnosticAsync()
{
await VerifyCSharpAnalyzerAsync(@"
using System.IO;
using System.Web.UI;
namespace Blah
{
public class Program
{
public delegate void Ser(Stream s, object o);
public Ser GetSerializer()
{
LosFormatter formatter = new LosFormatter();
return formatter.Serialize;
}
}
}");
}
private static async Task VerifyCSharpAnalyzerAsync(string source, params DiagnosticResult[] expected)
{
var csharpTest = new VerifyCS.Test
{
ReferenceAssemblies = AdditionalMetadataReferences.DefaultWithSystemWeb,
TestState =
{
Sources = { source },
}
};
csharpTest.ExpectedDiagnostics.AddRange(expected);
await csharpTest.RunAsync();
}
private static async Task VerifyBasicAnalyzerAsync(string source, params DiagnosticResult[] expected)
{
var csharpTest = new VerifyVB.Test
{
ReferenceAssemblies = AdditionalMetadataReferences.DefaultWithSystemWeb,
TestState =
{
Sources = { source },
}
};
csharpTest.ExpectedDiagnostics.AddRange(expected);
await csharpTest.RunAsync();
}
private static DiagnosticResult GetCSharpResultAt(int line, int column, params string[] arguments)
#pragma warning disable RS0030 // Do not use banned APIs
=> VerifyCS.Diagnostic()
.WithLocation(line, column)
#pragma warning restore RS0030 // Do not use banned APIs
.WithArguments(arguments);
private static DiagnosticResult GetBasicResultAt(int line, int column, params string[] arguments)
#pragma warning disable RS0030 // Do not use banned APIs
=> VerifyVB.Diagnostic()
.WithLocation(line, column)
#pragma warning restore RS0030 // Do not use banned APIs
.WithArguments(arguments);
}
}
|