Open
Description
Environment:
- Version: 5.6.7
- Installation/Running method:
  - Visual Studio Extension VS2022
  - NuGet package
  - Standalone tool
  - DotNet Core Tool from NuGet
  - security-scan4x.zip from GitHub Release section
- Operating System:
  - Windows
  - Linux
  - Mac
Describe the bug
The analyzer doesn't report any vulnerabilities in this code. It seems to be because of the use of an interface as the declaring type for the `_sampleRepo` variable. If we change the declared type to `SampleRepo`, everything is fine and a vulnerability is reported for `.ExecuteSqlCommand(input);`.
Repro
I've also attached the sample project with the code below.
```csharp
using System;
using System.Data.Entity;

namespace SQLi_console
{
    internal class Program
    {
        // Declared through the interface; the analyzer loses the taint flow here.
        static ISampleRepo _sampleRepo = new SampleRepo();

        static void Main(string[] args)
        {
            string input = Console.ReadLine(); // untrusted source
            _sampleRepo.SampleCommand(input);
        }
    }

    public interface ISampleRepo
    {
        void SampleCommand(string input);
    }

    public class SampleRepo : ISampleRepo
    {
        public void SampleCommand(string input)
        {
            new SampleContext().Database.ExecuteSqlCommand(input); // A vulnerability should be reported here
        }
    }

    public class SampleContext : DbContext
    {
        public DbSet<string> Test { get; set; }
    }
}
```
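For comparison, here is the same repository shape with the sink fixed so that the finding goes away for a legitimate reason rather than because the analyzer cannot follow the interface. This is an added example, not code from the issue report or from the analyzer project; `SafeSampleRepo`, the `Customers` table and the `Customer` entity are assumptions made for illustration. The SQL text is a constant and the user value is passed as a parameter, which is what a reviewer should expect to see at any `ExecuteSqlCommand` call that is reached through an interface the tool may not trace.

```csharp
using System;
using System.Data.Entity;
using System.Data.SqlClient;

// Added example (not part of the issue report): hardened counterpart of the
// SampleRepo above. Table and entity names are assumptions for illustration.
namespace SQLi_console
{
    public interface ISampleRepo
    {
        void SampleCommand(string input);
    }

    // Hardened variant: the statement text never changes; the untrusted value
    // travels as a DbParameter, so it cannot alter the statement's structure.
    public class SafeSampleRepo : ISampleRepo
    {
        public void SampleCommand(string input)
        {
            using (var ctx = new SampleContext())
            {
                // EF6 turns the {0} placeholder into a parameter; no concatenation.
                ctx.Database.ExecuteSqlCommand(
                    "UPDATE Customers SET LastSeen = GETUTCDATE() WHERE Name = {0}",
                    input);

                // Equivalent explicit form when a named parameter is preferred.
                ctx.Database.ExecuteSqlCommand(
                    "UPDATE Customers SET LastSeen = GETUTCDATE() WHERE Name = @name",
                    new SqlParameter("@name", input));
            }
        }
    }

    public class SampleContext : DbContext
    {
        public DbSet<Customer> Customers { get; set; }
    }

    public class Customer
    {
        public int Id { get; set; }
        public string Name { get; set; }
        public DateTime? LastSeen { get; set; }
    }

    internal class Program
    {
        // Still declared through the interface, exactly as in the report.
        static ISampleRepo _sampleRepo = new SafeSampleRepo();

        static void Main(string[] args)
        {
            string input = Console.ReadLine(); // untrusted source
            _sampleRepo.SampleCommand(input);  // reaches a parameterized sink
        }
    }
}
```

Until the analyzer resolves calls made through `ISampleRepo` to their implementation, a clean scan of `Program` says nothing about `SampleRepo`; scanning the implementing class directly, or reviewing every `ExecuteSqlCommand` call for a non-constant SQL argument, is the practical check in the meantime.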