Merge pull request #2945 from LLLXXXCCC/DoNotHardCodeCertificate

Do not hard code certificate

Author: LLLXXXCCC

src/Microsoft.NetCore.Analyzers/UnitTests/Security/DoNotHardCodeCertificateTests.cs

@@ -292,6 +292,25 @@ public void TestMethod(string path, string password)
             GetCSharpResultAt(11, 9, 9, 24, "X509Certificate.X509Certificate(byte[] rawData, string password)", "void TestClass.TestMethod(string path, string password)", "byte[]", "void TestClass.TestMethod(string path, string password)"));
         }
 
+        [Fact]
+        public void Test_X509Certificates2_Diagnostic()
+        {
+            VerifyCSharp(@"
+using System.IO;
+using System.Security.Cryptography.X509Certificates;
+
+class TestClass
+{
+    public void TestMethod(string path)
+    {
+        byte[] bytes = new byte[] {1, 2, 3};
+        File.WriteAllBytes(path, bytes);
+        new X509Certificate2(path);
+    }
+}",
+            GetCSharpResultAt(11, 9, 9, 24, "X509Certificate2.X509Certificate2(string fileName)", "void TestClass.TestMethod(string path)", "byte[]", "void TestClass.TestMethod(string path)"));
+        }
+
         // For now, we didn't take serialization into consideration.
         [Fact]
         public void Test_Sink_X509Certificate_WithSerializationInfoAndStreamingContextParameters_NoDiagnostic()
@@ -347,6 +366,23 @@ public void TestMethod(string s, string path)
 }");
         }
 
+        [Fact]
+        public void Test_X509Certificate2_NoDiagnostic()
+        {
+            VerifyCSharp(@"
+using System.IO;
+using System.Security.Cryptography.X509Certificates;
+
+class TestClass
+{
+    public void TestMethod(byte[] bytes, string path)
+    {
+        File.WriteAllBytes(path, bytes);
+        new X509Certificate2(path);
+    }
+}");
+        }
+
         protected override DiagnosticAnalyzer GetBasicDiagnosticAnalyzer()
         {
             return new DoNotHardCodeCertificate();

src/Utilities/Compiler/WellKnownTypeNames.cs

@@ -326,6 +326,7 @@ internal static class WellKnownTypeNames
         public const string SystemSecurityCryptographyX509CertificatesX509Store = "System.Security.Cryptography.X509Certificates.X509Store";
         public const string SystemSecurityCryptographyX509CertificatesStoreName = "System.Security.Cryptography.X509Certificates.StoreName";
         public const string SystemSecurityCryptographyX509CertificatesX509Certificate = "System.Security.Cryptography.X509Certificates.X509Certificate";
+        public const string SystemSecurityCryptographyX509CertificatesX509Certificate2 = "System.Security.Cryptography.X509Certificates.X509Certificate2";
         public const string SystemSecurityCryptographyRSA = "System.Security.Cryptography.RSA";
         public const string SystemSecurityCryptographyDSA = "System.Security.Cryptography.DSA";
         public const string SystemSecurityCryptographyAsymmetricAlgorithm = "System.Security.Cryptography.AsymmetricAlgorithm";

src/Utilities/FlowAnalysis/FlowAnalysis/Analysis/TaintedDataAnalysis/HardcodedCertificateSinks.cs

@@ -25,6 +25,15 @@ static HardcodedCertificateSinks()
                 sinkMethodParameters: new[] {
                     ( ".ctor", new[] { "rawData", "data" }),
                 });
+            builder.AddSinkInfo(
+                WellKnownTypeNames.SystemSecurityCryptographyX509CertificatesX509Certificate2,
+                SinkKind.HardcodedCertificate,
+                isInterface: false,
+                isAnyStringParameterInConstructorASink: true,
+                sinkProperties: null,
+                sinkMethodParameters: new[] {
+                    ( ".ctor", new[] { "rawData", "data" }),
+                });
 
             SinkInfos = builder.ToImmutableAndFree();
         }