Merge pull request dotnet#10933 from ricardobossan/Issue_10871_Suppre…

…ss_CodeQL_Warnings_In_Tests Supress remaining CodeQL warning on tests
Epica3055 · Mar 1, 2024 · bd97476 · bd97476
2 parents 446a570 + d7f92ce
commit bd97476
Show file tree

Hide file tree

Showing 14 changed files with 80 additions and 38 deletions.
diff --git a/src/Common/tests/TestUtilities/BinarySerialization.cs b/src/Common/tests/TestUtilities/BinarySerialization.cs
@@ -68,14 +68,17 @@ static object FromByteArray(byte[] raw,
             FormatterAssemblyStyle assemblyStyle = FormatterAssemblyStyle.Simple)
         {
 #pragma warning disable SYSLIB0011 // Type or member is obsolete
-            BinaryFormatter binaryFormatter = new()
+            // cs/binary-formatter-without-binder
+            BinaryFormatter binaryFormatter = new() // CodeQL [SM04191] : Safe use because the deserialization process is performed on trusted data and the types are controlled and validated.
             {
                 AssemblyFormat = assemblyStyle
             };
 #pragma warning restore SYSLIB0011 // Type or member is obsolete
 
             using MemoryStream serializedStream = new(raw);
-            return binaryFormatter.Deserialize(serializedStream);
+
+            // cs/dangerous-binary-deserialization
+            return binaryFormatter.Deserialize(serializedStream); // CodeQL[SM03722] : Testing legacy feature. This is a safe use of BinaryFormatter because the data is trusted and the types are controlled and validated.
         }
     }
 
@@ -89,7 +92,8 @@ static byte[] ToByteArray(object obj,
             FormatterAssemblyStyle assemblyStyle = FormatterAssemblyStyle.Simple)
         {
 #pragma warning disable SYSLIB0011 // Type or member is obsolete
-            BinaryFormatter binaryFormatter = new()
+            // cs/binary-formatter-without-binder
+            BinaryFormatter binaryFormatter = new() // CodeQL [SM04191]: Safe use because the deserialization process is performed on trusted data and the types are controlled and validated.
             {
                 AssemblyFormat = assemblyStyle
             };

diff --git a/...s.Primitives/tests/UnitTests/System/Windows/Forms/BinaryFormat/BinaryFormatWriterTests.cs b/...s.Primitives/tests/UnitTests/System/Windows/Forms/BinaryFormat/BinaryFormatWriterTests.cs
@@ -23,7 +23,9 @@ public void BinaryFormatWriter_WriteString(string testString)
 #pragma warning disable SYSLIB0011 // Type or member is obsolete
         BinaryFormatter formatter = new();
 #pragma warning restore
-        object deserialized = formatter.Deserialize(stream);
+
+        // cs/dangerous-binary-deserialization
+        object deserialized = formatter.Deserialize(stream); // CodeQL [SM03722] : Testing legacy feature. This is a safe use of BinaryFormatter because the data is trusted and the types are controlled and validated.
         deserialized.Should().Be(testString);
     }
 
@@ -38,9 +40,12 @@ public void BinaryFormatWriter_TryWriteObject_SupportedObjects_BinaryFormatterRe
 
         using BinaryFormatterScope formatterScope = new(enable: true);
 #pragma warning disable SYSLIB0011 // Type or member is obsolete
-        BinaryFormatter formatter = new();
+        // cs/binary-formatter-without-binder
+        BinaryFormatter formatter = new(); // CodeQL [SM04191] : This is a test. Safe use because the deserialization process is performed on trusted data and the types are controlled and validated.
 #pragma warning restore SYSLIB0011 // Type or member is obsolete
-        object deserialized = formatter.Deserialize(stream);
+
+        // cs/dangerous-binary-deserialization
+        object deserialized = formatter.Deserialize(stream); // CodeQL [SM03722] : Testing legacy feature. This is a safe use of BinaryFormatter because the data is trusted and the types are controlled and validated.
 
         if (value is Hashtable hashtable)
         {

diff --git a/...dows.Forms.Primitives/tests/UnitTests/System/Windows/Forms/BinaryFormat/HashTableTests.cs b/...dows.Forms.Primitives/tests/UnitTests/System/Windows/Forms/BinaryFormat/HashTableTests.cs
@@ -117,8 +117,11 @@ public void BinaryFormatWriter_WriteHashtables(Hashtable hashtable)
 
         using BinaryFormatterScope formatterScope = new(enable: true);
 #pragma warning disable SYSLIB0011 // Type or member is obsolete
-        BinaryFormatter formatter = new();
-        Hashtable deserialized = (Hashtable)formatter.Deserialize(stream);
+        // cs/binary-formatter-without-binder
+        BinaryFormatter formatter = new(); // CodeQL [SM04191] : This is a test. Safe use because the deserialization process is performed on trusted data and the types are controlled and validated.
+
+        // cs/dangerous-binary-deserialization
+        Hashtable deserialized = (Hashtable)formatter.Deserialize(stream); // CodeQL [SM03722] : Testing legacy feature. This is a safe use of BinaryFormatter because the data is trusted and the types are controlled and validated.
 #pragma warning restore SYSLIB0011
 
         deserialized.Count.Should().Be(hashtable.Count);

diff --git a/...m.Windows.Forms.Primitives/tests/UnitTests/System/Windows/Forms/BinaryFormat/ListTests.cs b/...m.Windows.Forms.Primitives/tests/UnitTests/System/Windows/Forms/BinaryFormat/ListTests.cs
@@ -172,8 +172,10 @@ public void BinaryFormatWriter_TryWritePrimitiveList(IList list)
 
         using BinaryFormatterScope formatterScope = new(enable: true);
 #pragma warning disable SYSLIB0011 // Type or member is obsolete
-        BinaryFormatter formatter = new();
-        IList deserialized = (IList)formatter.Deserialize(stream);
+        // cs/binary-formatter-without-binder
+        BinaryFormatter formatter = new(); // CodeQL [SM04191] : This is a test. Safe use because the deserialization process is performed on trusted data and the types are controlled and validated.
+        // cs/dangerous-binary-deserialization
+        IList deserialized = (IList)formatter.Deserialize(stream); // CodeQL[SM02229] : Testing legacy feature. This is a safe use of BinaryFormatter because the data is trusted and the types are controlled and validated.
 #pragma warning restore SYSLIB0011
 
         deserialized.Should().BeEquivalentTo(list);

diff --git a/....Forms.Primitives/tests/UnitTests/System/Windows/Forms/BinaryFormat/PrimitiveTypeTests.cs b/....Forms.Primitives/tests/UnitTests/System/Windows/Forms/BinaryFormat/PrimitiveTypeTests.cs
@@ -100,9 +100,14 @@ public void BinaryFormatWriter_WritePrimitive(object value)
 
         using BinaryFormatterScope formatterScope = new(enable: true);
 #pragma warning disable SYSLIB0011 // Type or member is obsolete
-        BinaryFormatter formatter = new();
+
+        // cs/binary-formatter-without-binder
+        BinaryFormatter formatter = new(); // CodeQL [SM04191] : This is a test. Safe use because the deserialization process is performed on trusted data and the types are controlled and validated.
+
 #pragma warning restore SYSLIB0011 // Type or member is obsolete
-        object deserialized = formatter.Deserialize(stream);
+
+        // cs/dangerous-binary-deserialization
+        object deserialized = formatter.Deserialize(stream); // CodeQL [SM03722] : Testing legacy feature. This is a safe use of BinaryFormatter because the data is trusted and the types are controlled and validated.
         deserialized.Should().Be(value);
     }
 

diff --git a/src/System.Windows.Forms/tests/InteropTests/NativeTests/testhelpers.h b/src/System.Windows.Forms/tests/InteropTests/NativeTests/testhelpers.h
@@ -32,7 +32,8 @@ std::wstring format(const wchar_t* format, Args... args)
     int length = std::swprintf(nullptr, 0, format, args...);
     // If this fails, let the program crash.
     wchar_t* buf = new wchar_t[length + 1];
-    std::swprintf(buf, length + 1, format, args...);
+    // cpp/non-constant-format
+    std::swprintf(buf, length + 1, format, args...); // CodeQL [SM01734] : This is a test code and the format string is trusted.
 
     std::wstring str(buf);
     delete[] buf;

diff --git a/...ystem.Windows.Forms/tests/UnitTests/System/Windows/Forms/AxHost.PropertyBagStreamTests.cs b/...ystem.Windows.Forms/tests/UnitTests/System/Windows/Forms/AxHost.PropertyBagStreamTests.cs
@@ -14,10 +14,12 @@ public void PropertyBagStream_WriteReadRoundTrip_FormatterEnabled()
     {
         using BinaryFormatterScope formatterScope = new(enable: true);
         AxHost.PropertyBagStream bag = new();
-        HRESULT hr = bag.Write("Integer", (VARIANT)42);
+        // cs/deserialization-unexpected-subtypes
+        HRESULT hr = bag.Write("Integer", (VARIANT)42); // CodeQL[SM02229] : Testing legacy feature. This is a safe use of VARIANT because the data is trusted and the types are controlled and validated.
         Assert.True(hr.Succeeded);
         NameClass obj = new() { Name = "Hamlet" };
-        hr = bag.Write("Object", VARIANT.FromObject(obj));
+        // cs/deserialization-unexpected-subtypes
+        hr = bag.Write("Object", VARIANT.FromObject(obj)); // CodeQL[SM02229] : Testing legacy feature. This is a safe use of VARIANT because the data is trusted and the types are controlled and validated.
         Assert.True(hr.Succeeded);
 
         using MemoryStream stream = new();
@@ -43,7 +45,9 @@ public void PropertyBagStream_WriteReadRoundTrip_FormatterDisabled()
     {
         using BinaryFormatterScope formatterScope = new(enable: false);
         AxHost.PropertyBagStream bag = new();
-        HRESULT hr = bag.Write("Integer", (VARIANT)42);
+
+        // cs/deserialization-unexpected-subtypes
+        HRESULT hr = bag.Write("Integer", (VARIANT)42); // CodeQL[SM02229] : Testing legacy feature. This is a safe use of VARIANT because the data is trusted and the types are controlled and validated.
         Assert.True(hr.Succeeded);
         NameClass obj = new() { Name = "Hamlet" };
         hr = bag.Write("Object", VARIANT.FromObject(obj));
@@ -65,7 +69,8 @@ public void PropertyBagStream_WriteReadRoundTrip_Primitives_FormatterDisabled(ob
         Marshal.GetNativeVariantForObject(value, (nint)(void*)&variant);
         string name = value.GetType().FullName!;
 
-        HRESULT hr = bag.Write(value.GetType().FullName!, variant);
+        // cs/deserialization-unexpected-subtypes
+        HRESULT hr = bag.Write(value.GetType().FullName!, variant); // CodeQL[SM02229] : Testing legacy feature. This is a safe use of VARIANT because the data is trusted and the types are controlled and validated.
         Assert.True(hr.Succeeded);
 
         using MemoryStream stream = new();

diff --git a/...s/tests/UnitTests/System/Windows/Forms/BinaryFormat/WinFormsBinaryFormattedObjectTests.cs b/...s/tests/UnitTests/System/Windows/Forms/BinaryFormat/WinFormsBinaryFormattedObjectTests.cs
@@ -55,12 +55,14 @@ public void BinaryFormattedObject_Bitmap_FromWinFormsBinaryFormatWriter()
 
         using BinaryFormatterScope formatterScope = new(enable: true);
 #pragma warning disable SYSLIB0011 // Type or member is obsolete
-        BinaryFormatter binaryFormat = new();
+        // cs/binary-formatter-without-binder
+        BinaryFormatter binaryFormat = new(); // CodeQL [SM04191] This is a test deserialization process is performed on trusted data and the types are controlled and validated.
 #pragma warning restore SYSLIB0011
 
-        using Bitmap deserialized = binaryFormat.Deserialize(stream).Should().BeOfType<Bitmap>().Which;
+        // cs/dangerous-binary-deserialization
+        using Bitmap deserialized = binaryFormat.Deserialize(stream).Should().BeOfType<Bitmap>().Which; // CodeQL [SM03722] : Testing legacy feature. This is a safe use of BinaryFormatter because the data is trusted and the types are controlled and validated.
         deserialized.Size.Should().Be(bitmap.Size);
-    }   
+    }
 
     [Fact]
     public void BinaryFormattedObject_ImageListStreamer_FromBinaryFormatter()

diff --git a/...System.Windows.Forms/tests/UnitTests/System/Windows/Forms/DataObject_BitmapBinderTests.cs b/...System.Windows.Forms/tests/UnitTests/System/Windows/Forms/DataObject_BitmapBinderTests.cs
@@ -42,7 +42,8 @@ public void BitmapBinder_BindToType_AllowedSerializationTypes(object value)
         {
             using MemoryStream stream = new();
 #pragma warning disable SYSLIB0011 // Type or member is obsolete
-            BinaryFormatter formatter = new();
+            // cs/binary-formatter-without-binder
+            BinaryFormatter formatter = new(); // CodeQL [SM04191] This is a test. Safe because the deserialization process is performed on trusted data and the types are controlled and validated.
 #pragma warning restore
             formatter.Serialize(stream, value);
             Assert.True(stream.Length > 0);
@@ -54,7 +55,7 @@ public void BitmapBinder_BindToType_AllowedSerializationTypes(object value)
             };
 
             // cs/dangerous-binary-deserialization
-            object deserialized = formatter.Deserialize(stream); // CodeQL [SM03722] : Safe use because input stream is controlled contains strings and Bitmap which is instantiated by a binder. 
+            object deserialized = formatter.Deserialize(stream); // CodeQL [SM03722] : Testing legacy feature. Safe use because input stream is controlled contains strings and Bitmap which is instantiated by a binder. 
             Assert.NotNull(deserialized);
 
             if (value is not Bitmap)
@@ -94,7 +95,8 @@ public void BitmapBinder_BindToType_DisallowedSerializationTypes(object value)
         using BinaryFormatterScope formatterScope = new(enable: true);
         using MemoryStream stream = new();
 #pragma warning disable SYSLIB0011 // Type or member is obsolete
-        BinaryFormatter formatter = new();
+        // cs/binary-formatter-without-binder
+        BinaryFormatter formatter = new(); // CodeQL [SM04191] : This is a test. Safe use because the deserialization process is performed on trusted data and the types are controlled and validated.
 #pragma warning restore SYSLIB0011
         formatter.Serialize(stream, value);
         Assert.True(stream.Length > 0);

diff --git a/src/System.Windows.Forms/tests/UnitTests/System/Windows/Forms/ImageListTests.cs b/src/System.Windows.Forms/tests/UnitTests/System/Windows/Forms/ImageListTests.cs
@@ -441,11 +441,12 @@ private static T RoundtripSerialize<T>(T source)
         using BinaryFormatterScope formatterScope = new(enable: true);
         using MemoryStream stream = new();
 #pragma warning disable SYSLIB0011 // Type or member is obsolete
-        BinaryFormatter formatter = new();
+        // cs/binary-formatter-without-binder
+        BinaryFormatter formatter = new(); // CodeQL [SM04191] : This is a test. Safe use because the deserialization process is performed on trusted data and the types are controlled and validated.
         formatter.Serialize(stream, source);
         stream.Position = 0;
-        // cs/deserialization-unexpected-subtypes
-        return (T)formatter.Deserialize(stream); // CodeQL [SM02229] Testing legacy features: we are deserializing stream with controlled content.
+        // cs/dangerous-binary-deserialization, cs/deserialization-unexpected-subtypes
+        return (T)formatter.Deserialize(stream); // CodeQL [SM03722, SM02229] : Testing legacy feature. This is a safe use of BinaryFormatter because the data is trusted and the types are controlled and validated.
 #pragma warning restore SYSLIB0011 // Type or member is obsolete
     }
 

diff --git a/...tem.Windows.Forms/tests/UnitTests/System/Windows/Forms/Layout/TableLayoutSettingsTests.cs b/...tem.Windows.Forms/tests/UnitTests/System/Windows/Forms/Layout/TableLayoutSettingsTests.cs
@@ -1785,11 +1785,13 @@ public void TableLayoutSettings_Serialize_Deserialize_Success()
         using (MemoryStream stream = new())
         {
 #pragma warning disable SYSLIB0011 // Type or member is obsolete
-            BinaryFormatter formatter = new();
+            // cs/binary-formatter-without-binder
+            BinaryFormatter formatter = new(); // CodeQL [SM04191] : This is a test. Safe use because the deserialization process is performed on trusted data and the types are controlled and validated.
             formatter.Serialize(stream, settings);
             stream.Seek(0, SeekOrigin.Begin);
 
-            TableLayoutSettings result = Assert.IsType<TableLayoutSettings>(formatter.Deserialize(stream));
+            // cs/dangerous-binary-deserialization
+            TableLayoutSettings result = Assert.IsType<TableLayoutSettings>(formatter.Deserialize(stream)); // CodeQL [SM03722] : Testing legacy feature. This is a safe use of BinaryFormatter because the data is trusted and the types are controlled and validated.
 #pragma warning restore SYSLIB0011 // Type or member is obsolete
             Assert.Equal(columnStyle.SizeType, ((ColumnStyle)Assert.Single(result.ColumnStyles)).SizeType);
             Assert.Equal(columnStyle.Width, ((ColumnStyle)Assert.Single(result.ColumnStyles)).Width);
@@ -1815,11 +1817,13 @@ public void TableLayoutSettings_Serialize_InvalidStringConverter_DeserializeThro
         using (MemoryStream stream = new())
         {
 #pragma warning disable SYSLIB0011 // Type or member is obsolete
-            BinaryFormatter formatter = new();
+            // cs/binary-formatter-without-binder
+            BinaryFormatter formatter = new(); // CodeQL [SM04191] : This is a test. Safe use because the deserialization process is performed on trusted data and the types are controlled and validated.
             formatter.Serialize(stream, settings);
             stream.Seek(0, SeekOrigin.Begin);
 
-            Assert.Throws<SerializationException>(() => formatter.Deserialize(stream));
+            // cs/dangerous-binary-deserialization
+            Assert.Throws<SerializationException>(() => formatter.Deserialize(stream)); // CodeQL [SM03722] : Testing legacy feature. This is a safe use of BinaryFormatter because the data is trusted and the types are controlled and validated.
 #pragma warning restore SYSLIB0011 // Type or member is obsolete
         }
     }
@@ -1836,12 +1840,14 @@ public void TableLayoutSettings_Deserialize_InvalidConverterResult_Success(Type
         using (MemoryStream stream = new())
         {
 #pragma warning disable SYSLIB0011 // Type or member is obsolete
-            BinaryFormatter formatter = new();
+            // cs/binary-formatter-without-binder
+            BinaryFormatter formatter = new(); // CodeQL [SM04191] : This is a test. Safe use because the deserialization process is performed on trusted data and the types are controlled and validated. 
             formatter.Serialize(stream, settings);
 
             stream.Seek(0, SeekOrigin.Begin);
 
-            TableLayoutSettings result = Assert.IsType<TableLayoutSettings>(formatter.Deserialize(stream));
+            // cs/dangerous-binary-deserialization
+            TableLayoutSettings result = Assert.IsType<TableLayoutSettings>(formatter.Deserialize(stream)); // CodeQL [SM03722] : Testing legacy feature. This is a safe use of BinaryFormatter because the data is trusted and the types are controlled and validated.
 #pragma warning restore SYSLIB0011 // Type or member is obsolete
             Assert.NotNull(result.LayoutEngine);
             Assert.Same(result.LayoutEngine, result.LayoutEngine);

diff --git a/src/System.Windows.Forms/tests/UnitTests/System/Windows/Forms/ListViewGroupTests.cs b/src/System.Windows.Forms/tests/UnitTests/System/Windows/Forms/ListViewGroupTests.cs
@@ -1334,11 +1334,13 @@ public void ListViewGroup_Serialize_Deserialize_Success(ListViewGroup group)
         using BinaryFormatterScope formatterScope = new(enable: true);
         using MemoryStream stream = new();
 #pragma warning disable SYSLIB0011 // Type or member is obsolete
-        BinaryFormatter formatter = new();
+        // cs/binary-formatter-without-binder 
+        BinaryFormatter formatter = new(); // CodeQL [SM04191] : This is a test. Safe use because the deserialization process is performed on trusted data and the types are controlled and validated.
         formatter.Serialize(stream, group);
         stream.Seek(0, SeekOrigin.Begin);
 
-        ListViewGroup result = Assert.IsType<ListViewGroup>(formatter.Deserialize(stream));
+        // cs/dangerous-binary-deserialization 
+        ListViewGroup result = Assert.IsType<ListViewGroup>(formatter.Deserialize(stream)); // CodeQL [SM03722] : Deserialization is performed on trusted data and the types are controlled and validated.
 #pragma warning restore SYSLIB0011 // Type or member is obsolete
         Assert.Equal(group.Header, result.Header);
         Assert.Equal(group.HeaderAlignment, result.HeaderAlignment);

diff --git a/src/System.Windows.Forms/tests/UnitTests/System/Windows/Forms/ListViewSubItemTests.cs b/src/System.Windows.Forms/tests/UnitTests/System/Windows/Forms/ListViewSubItemTests.cs
@@ -580,11 +580,13 @@ public void ListViewSubItem_Serialize_Deserialize_Success(ListViewItem.ListViewS
         using BinaryFormatterScope formatterScope = new(enable: true);
         using MemoryStream stream = new();
 #pragma warning disable SYSLIB0011 // Type or member is obsolete
-        BinaryFormatter formatter = new();
+        // cs/binary-formatter-without-binder
+        BinaryFormatter formatter = new(); // CodeQL [SM04191] : This is a test. Safe use because the deserialization process is performed on trusted data and the types are controlled and validated.
         new BinaryFormatter().Serialize(stream, subItem);
         stream.Seek(0, SeekOrigin.Begin);
 
-        ListViewItem.ListViewSubItem result = Assert.IsType<ListViewItem.ListViewSubItem>(formatter.Deserialize(stream));
+        // cs/dangerous-binary-deserialization
+        ListViewItem.ListViewSubItem result = Assert.IsType<ListViewItem.ListViewSubItem>(formatter.Deserialize(stream)); // CodeQL[SM03722] : Testing legacy feature. This is a safe use of BinaryFormatter because the data is trusted and the types are controlled and validated.
 #pragma warning restore SYSLIB0011 // Type or member is obsolete
         Assert.Equal(subItem.BackColor, result.BackColor);
         Assert.Equal(subItem.Font, result.Font);