C#: Convert Deserialization tests to use inline expectations.

michaelnebel · michaelnebel · commit 5d1f2a10b486 · 2025-07-03T14:50:19.000+02:00
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-502/DeserializedDelegate/DeserializedDelegate.cs b/csharp/ql/test/query-tests/Security Features/CWE-502/DeserializedDelegate/DeserializedDelegate.cs
@@ -11,11 +11,11 @@ public static void M(FileStream fs)
     {
         var formatter = new BinaryFormatter();
         // BAD
-        var a = (Func<int>)formatter.Deserialize(fs);
+        var a = (Func<int>)formatter.Deserialize(fs); // $ Alert[cs/deserialized-delegate]
         // BAD
-        var b = (Expression<Func<int>>)formatter.Deserialize(fs);
+        var b = (Expression<Func<int>>)formatter.Deserialize(fs); // $ Alert[cs/deserialized-delegate]
         // BAD
-        var c = (D)formatter.Deserialize(fs);
+        var c = (D)formatter.Deserialize(fs); // $ Alert[cs/deserialized-delegate]
         // GOOD
         var d = (int)formatter.Deserialize(fs);
     }
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-502/DeserializedDelegate/DeserializedDelegate.qlref b/csharp/ql/test/query-tests/Security Features/CWE-502/DeserializedDelegate/DeserializedDelegate.qlref
@@ -1 +1,4 @@
-Security Features/CWE-502/DeserializedDelegate.ql
+query: Security Features/CWE-502/DeserializedDelegate.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-502/DeserializedDelegate/DeserializedDelegateBad.cs b/csharp/ql/test/query-tests/Security Features/CWE-502/DeserializedDelegate/DeserializedDelegateBad.cs
@@ -8,7 +8,7 @@ public static int InvokeSerialized(FileStream fs)
     {
         var formatter = new BinaryFormatter();
         // BAD
-        var f = (Func<int>)formatter.Deserialize(fs);
+        var f = (Func<int>)formatter.Deserialize(fs); // $ Alert[cs/deserialized-delegate]
         return f();
     }
 }
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserialization/BinaryFormatterBad.cs b/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserialization/BinaryFormatterBad.cs
@@ -7,6 +7,6 @@ public static object Deserialize(Stream s)
     {
         var ds = new BinaryFormatter();
         // BAD
-        return ds.Deserialize(s);
+        return ds.Deserialize(s); // $ Alert[cs/unsafe-deserialization]
     }
 }
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserialization/DataContractJsonSerializerBad.cs b/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserialization/DataContractJsonSerializerBad.cs
@@ -8,6 +8,6 @@ public static object Deserialize(Type type, Stream s)
     {
         var ds = new DataContractJsonSerializer(type);
         // BAD
-        return ds.ReadObject(s);
+        return ds.ReadObject(s); // $ Alert[cs/unsafe-deserialization]
     }
 }
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserialization/DataContractSerializerBad.cs b/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserialization/DataContractSerializerBad.cs
@@ -8,6 +8,6 @@ public static object Deserialize(Type type, Stream s)
     {
         var ds = new DataContractSerializer(type);
         // BAD
-        return ds.ReadObject(s);
+        return ds.ReadObject(s); // $ Alert[cs/unsafe-deserialization]
     }
 }
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserialization/ResourceReaderBad.cs b/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserialization/ResourceReaderBad.cs
@@ -6,11 +6,11 @@ class BadResourceReader
 {
     public static void Deserialize(Stream s)
     {
-        var ds = new ResourceReader(s);
+        var ds = new ResourceReader(s); // $ Alert[cs/unsafe-deserialization]
         // BAD
         var dict = ds.GetEnumerator();
         while (dict.MoveNext())
-            Console.WriteLine("   {0}: '{1}' (Type {2})", 
+            Console.WriteLine("   {0}: '{1}' (Type {2})",
                             dict.Key, dict.Value, dict.Value.GetType().Name);
         ds.Close();
     }
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserialization/UnsafeDeserialization.qlref b/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserialization/UnsafeDeserialization.qlref
@@ -1 +1,4 @@
-Security Features/CWE-502/UnsafeDeserialization.ql
+query: Security Features/CWE-502/UnsafeDeserialization.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserialization/UnsafeDeserializationBad.cs b/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserialization/UnsafeDeserializationBad.cs
@@ -6,6 +6,6 @@ public static object Deserialize(string s)
     {
         JavaScriptSerializer sr = new JavaScriptSerializer(new SimpleTypeResolver());
         // BAD
-        return sr.DeserializeObject(s);
+        return sr.DeserializeObject(s); // $ Alert[cs/unsafe-deserialization]
     }
 }
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserialization/XmlObjectSerializerBad.cs b/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserialization/XmlObjectSerializerBad.cs
@@ -8,6 +8,6 @@ public static object Deserialize(Type type, Stream s)
     {
         XmlObjectSerializer ds = new DataContractSerializer(type);
         // BAD
-        return ds.ReadObject(s);
+        return ds.ReadObject(s); // $ Alert[cs/unsafe-deserialization]
     }
 }
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserialization/XmlSerializerBad.cs b/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserialization/XmlSerializerBad.cs
@@ -8,6 +8,6 @@ public static object Deserialize(Type type, Stream s)
     {
         var ds = new XmlSerializer(type);
         // BAD
-        return ds.Deserialize(s);
+        return ds.Deserialize(s); // $ Alert[cs/unsafe-deserialization]
     }
 }
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserializationUntrustedInput/BinaryFormatterUntrustedInputBad.cs b/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserializationUntrustedInput/BinaryFormatterUntrustedInputBad.cs
@@ -10,7 +10,7 @@ public static object Deserialize(TextBox textBox)
     {
         var ds = new BinaryFormatter();
         // BAD
-        return ds.Deserialize(new MemoryStream(Encoding.UTF8.GetBytes(textBox.Text)));
+        return ds.Deserialize(new MemoryStream(Encoding.UTF8.GetBytes(textBox.Text))); // $ Alert[cs/unsafe-deserialization-untrusted-input]
     }
 }
 
@@ -20,6 +20,6 @@ public static object Deserialize(TextBox type, TextBox data)
     {
         var ds = new BinaryFormatter();
         // BAD
-        return ds.Deserialize(new MemoryStream(Convert.FromBase64String(data.Text)));
+        return ds.Deserialize(new MemoryStream(Convert.FromBase64String(data.Text))); // $ Alert[cs/unsafe-deserialization-untrusted-input]
     }
 }
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserializationUntrustedInput/DataContractJsonSerializerUntrustedInputBad.cs b/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserializationUntrustedInput/DataContractJsonSerializerUntrustedInputBad.cs
@@ -10,6 +10,6 @@ public static object Deserialize(TextBox type, TextBox data)
     {
         var ds = new DataContractJsonSerializer(Type.GetType(type.Text));
         // BAD
-        return ds.ReadObject(new MemoryStream(Encoding.UTF8.GetBytes(data.Text)));
+        return ds.ReadObject(new MemoryStream(Encoding.UTF8.GetBytes(data.Text))); // $ Alert[cs/unsafe-deserialization-untrusted-input]
     }
 }
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserializationUntrustedInput/DataContractSerializerUntrustedInputBad.cs b/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserializationUntrustedInput/DataContractSerializerUntrustedInputBad.cs
@@ -10,6 +10,6 @@ public static object Deserialize(TextBox type, TextBox data)
     {
         var ds = new DataContractSerializer(Type.GetType(type.Text));
         // BAD
-        return ds.ReadObject(new MemoryStream(Encoding.UTF8.GetBytes(data.Text)));
+        return ds.ReadObject(new MemoryStream(Encoding.UTF8.GetBytes(data.Text))); // $ Alert[cs/unsafe-deserialization-untrusted-input]
     }
 }
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserializationUntrustedInput/ResourceReaderUntrustedInputBad.cs b/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserializationUntrustedInput/ResourceReaderUntrustedInputBad.cs
@@ -8,11 +8,11 @@ class BadResourceReader
 {
     public static void Deserialize(TextBox data)
     {
-        var ds = new ResourceReader(new MemoryStream(Encoding.UTF8.GetBytes(data.Text)));
+        var ds = new ResourceReader(new MemoryStream(Encoding.UTF8.GetBytes(data.Text))); // $ Alert[cs/unsafe-deserialization-untrusted-input]
         // BAD
         var dict = ds.GetEnumerator();
         while (dict.MoveNext())
-            Console.WriteLine("   {0}: '{1}' (Type {2})", 
+            Console.WriteLine("   {0}: '{1}' (Type {2})",
                             dict.Key, dict.Value, dict.Value.GetType().Name);
         ds.Close();
     }
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserializationUntrustedInput/UnsafeDeserializationUntrustedInput.qlref b/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserializationUntrustedInput/UnsafeDeserializationUntrustedInput.qlref
@@ -1,2 +1,4 @@
 query: Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql
-postprocess: utils/test/PrettyPrintModels.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserializationUntrustedInput/UnsafeDeserializationUntrustedInputBad.cs b/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserializationUntrustedInput/UnsafeDeserializationUntrustedInputBad.cs
@@ -7,6 +7,6 @@ public static object Deserialize(TextBox textBox)
     {
         JavaScriptSerializer sr = new JavaScriptSerializer(new SimpleTypeResolver());
         // BAD
-        return sr.DeserializeObject(textBox.Text);
+        return sr.DeserializeObject(textBox.Text); // $ Alert[cs/unsafe-deserialization-untrusted-input]
     }
 }
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserializationUntrustedInput/XmlObjectSerializerUntrustedInputBad.cs b/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserializationUntrustedInput/XmlObjectSerializerUntrustedInputBad.cs
@@ -10,6 +10,6 @@ public static object Deserialize(TextBox type, TextBox data)
     {
         XmlObjectSerializer ds = new DataContractSerializer(Type.GetType(type.Text));
         // BAD
-        return ds.ReadObject(new MemoryStream(Encoding.UTF8.GetBytes(data.Text)));
+        return ds.ReadObject(new MemoryStream(Encoding.UTF8.GetBytes(data.Text))); // $ Alert[cs/unsafe-deserialization-untrusted-input]
     }
 }
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserializationUntrustedInput/XmlSerializerUntrustedInputBad.cs b/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserializationUntrustedInput/XmlSerializerUntrustedInputBad.cs
@@ -10,6 +10,6 @@ public static object Deserialize(TextBox type, TextBox data)
     {
         var ds = new XmlSerializer(Type.GetType(type.Text));
         // BAD
-        return ds.Deserialize(new MemoryStream(Encoding.UTF8.GetBytes(data.Text)));
+        return ds.Deserialize(new MemoryStream(Encoding.UTF8.GetBytes(data.Text))); // $ Alert[cs/unsafe-deserialization-untrusted-input]
     }
 }
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserializationUntrustedInputNewtonsoftJson/Test.cs b/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserializationUntrustedInputNewtonsoftJson/Test.cs
@@ -14,9 +14,9 @@ public static object Deserialize1(TextBox data)
 
     public static object Deserialize2(TextBox data)
     {
-        return JsonConvert.DeserializeObject(data.Text, new JsonSerializerSettings
+        return JsonConvert.DeserializeObject(data.Text, new JsonSerializerSettings // $ Alert[cs/unsafe-deserialization-untrusted-input]
         {
-            TypeNameHandling = TypeNameHandling.Auto // BAD
+            TypeNameHandling = TypeNameHandling.Auto
         });
     }
 
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserializationUntrustedInputNewtonsoftJson/UnsafeDeserializationUntrustedInput.qlref b/csharp/ql/test/query-tests/Security Features/CWE-502/UnsafeDeserializationUntrustedInputNewtonsoftJson/UnsafeDeserializationUntrustedInput.qlref
@@ -1,2 +1,4 @@
 query: Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql
-postprocess: utils/test/PrettyPrintModels.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql

Original file line number	Diff line number	Diff line change
`@@ -8,7 +8,7 @@ public static int InvokeSerialized(FileStream fs)`
`8`	`8`	`{`
`9`	`9`	`var formatter = new BinaryFormatter();`
`10`	`10`	`// BAD`
`11`		`- var f = (Func<int>)formatter.Deserialize(fs);`
	`11`	`+ var f = (Func<int>)formatter.Deserialize(fs); // $ Alert[cs/deserialized-delegate]`
`12`	`12`	`return f();`
`13`	`13`	`}`
`14`	`14`	`}`
Original file line number	Diff line number	Diff line change
`@@ -7,6 +7,6 @@ public static object Deserialize(Stream s)`
`7`	`7`	`{`
`8`	`8`	`var ds = new BinaryFormatter();`
`9`	`9`	`// BAD`
`10`		`- return ds.Deserialize(s);`
	`10`	`+ return ds.Deserialize(s); // $ Alert[cs/unsafe-deserialization]`
`11`	`11`	`}`
`12`	`12`	`}`
Original file line number	Diff line number	Diff line change
`@@ -8,6 +8,6 @@ public static object Deserialize(Type type, Stream s)`
`8`	`8`	`{`
`9`	`9`	`var ds = new DataContractJsonSerializer(type);`
`10`	`10`	`// BAD`
`11`		`- return ds.ReadObject(s);`
	`11`	`+ return ds.ReadObject(s); // $ Alert[cs/unsafe-deserialization]`
`12`	`12`	`}`
`13`	`13`	`}`
Original file line number	Diff line number	Diff line change
`@@ -8,6 +8,6 @@ public static object Deserialize(Type type, Stream s)`
`8`	`8`	`{`
`9`	`9`	`var ds = new DataContractSerializer(type);`
`10`	`10`	`// BAD`
`11`		`- return ds.ReadObject(s);`
	`11`	`+ return ds.ReadObject(s); // $ Alert[cs/unsafe-deserialization]`
`12`	`12`	`}`
`13`	`13`	`}`
Original file line number	Diff line number	Diff line change
`@@ -6,11 +6,11 @@ class BadResourceReader`
`6`	`6`	`{`
`7`	`7`	`public static void Deserialize(Stream s)`
`8`	`8`	`{`
`9`		`- var ds = new ResourceReader(s);`
	`9`	`+ var ds = new ResourceReader(s); // $ Alert[cs/unsafe-deserialization]`
`10`	`10`	`// BAD`
`11`	`11`	`var dict = ds.GetEnumerator();`
`12`	`12`	`while (dict.MoveNext())`
`13`		`- Console.WriteLine(" {0}: '{1}' (Type {2})",`
	`13`	`+ Console.WriteLine(" {0}: '{1}' (Type {2})",`
`14`	`14`	`dict.Key, dict.Value, dict.Value.GetType().Name);`
`15`	`15`	`ds.Close();`
`16`	`16`	`}`
Original file line number	Diff line number	Diff line change
`@@ -6,6 +6,6 @@ public static object Deserialize(string s)`
`6`	`6`	`{`
`7`	`7`	`JavaScriptSerializer sr = new JavaScriptSerializer(new SimpleTypeResolver());`
`8`	`8`	`// BAD`
`9`		`- return sr.DeserializeObject(s);`
	`9`	`+ return sr.DeserializeObject(s); // $ Alert[cs/unsafe-deserialization]`
`10`	`10`	`}`
`11`	`11`	`}`
Original file line number	Diff line number	Diff line change
`@@ -8,6 +8,6 @@ public static object Deserialize(Type type, Stream s)`
`8`	`8`	`{`
`9`	`9`	`XmlObjectSerializer ds = new DataContractSerializer(type);`
`10`	`10`	`// BAD`
`11`		`- return ds.ReadObject(s);`
	`11`	`+ return ds.ReadObject(s); // $ Alert[cs/unsafe-deserialization]`
`12`	`12`	`}`
`13`	`13`	`}`