C#: Tolerate missing call targets in LogMessageSink

tamasvajk · tamasvajk · commit 253c658ad2e9 · 2023-11-21T10:13:18.000+01:00
diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsinks/ExternalLocationSink.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsinks/ExternalLocationSink.qll
@@ -27,8 +27,9 @@ private class ExternalModelSink extends ExternalLocationSink {
  */
 class LogMessageSink extends ExternalLocationSink {
   LogMessageSink() {
-    this.getExpr() = any(LoggerType i).getAMethod().getACall().getAnArgument()
-    or
+    this.getExpr() = any(LoggerType i).getAMethod().getACall().getAnArgument() or
+    this.getExpr() =
+      any(MethodCall call | call.getQualifier().getType() instanceof LoggerType).getAnArgument() or
     this.getExpr() =
       any(ExtensionMethodCall call |
         call.getTarget().(ExtensionMethod).getExtendedType() instanceof LoggerType
diff --git a/csharp/ql/test/library-tests/standalone/externalLocationSink/externalLocationSink.expected b/csharp/ql/test/library-tests/standalone/externalLocationSink/externalLocationSink.expected
@@ -1,4 +1,6 @@
 #select
+| standalone.cs:20:20:20:20 | access to parameter s | standalone.cs:20:20:20:20 | access to parameter s |
+| standalone.cs:25:28:25:32 | "abc" | standalone.cs:25:28:25:32 | "abc" |
 compilationErrors
 | standalone.cs:16:12:16:18 | CS0104: 'ILogger' is an ambiguous reference between 'A.ILogger' and 'B.ILogger' |
 methodCalls
