C#: Add LogForging testcase based on ASP.NET.

michaelnebel · michaelnebel · commit e45e06b675b0 · 2022-09-23T13:02:42.000+02:00
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-117/LogForgingAsp.cs b/csharp/ql/test/query-tests/Security Features/CWE-117/LogForgingAsp.cs
@@ -0,0 +1,21 @@
+using System;
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Http.Headers;
+using Microsoft.AspNetCore.Mvc;
+
+public class AspController : ControllerBase
+{
+    public void Action1(string username)
+    {
+        var logger = new ILogger();
+        // BAD: Logged as-is
+        logger.Warn(username + " logged in");
+    }
+
+    public void Action1(DateTime date)
+    {
+        var logger = new ILogger();
+        // GOOD: DateTime is a sanitizer. (FALSE POSITIVE)
+        logger.Warn($"Warning about the date: {date:yyyy-MM-dd}");
+    }
+}
