Closed
Description
Environment:
- Version: 5.6.0
- Branch:
- vs2019
- vs2017
- vs2015
- Installation/Running method:
- Visual Studio Extension
- NuGet package
- Standalone tool
- DotNet Core Tool from NuGet
- security-scan4x.zip from GitHub Release section
- Operating System:
- Windows
- Linux
- Mac
Describe the bug
My company has a multi-tenant platform with a single API for SSO logins. I'm trying to add a custom sanitizer for open redirects (SCS0027). Our login API is on a different subdomain from our customers' sites, so we can't redirect to a relative URL. Our sanitizer checks the return URL against our database to verify that it's valid. I'm trying to add our custom sanitizer but getting an error.
This is the config file that I made.
```yaml
Version: 3.1

Sanitizers:
  - Type: Example.MyCustomSanitizer
    TaintTypes:
      - SCS0027
    Methods:
      - Name: IsReturnUrlValid
        InOut: [{"returnUrl": "returnUrl"}]
```
Repro
Example.zip
```text
security-scan Example.sln --config=scs.config.yml
Loading solution 'Example.sln'
Resolve 0:00.2828879 Example.csproj (net6.0)
Finished loading solution 'Example.sln'
Found: warning AD0001: Analyzer 'SecurityCodeScan.Analyzers.Taint.HardcodedPasswordAnalyzer' threw an exception of type 'System.ArgumentException' with message 'Conflicting sanitizers for 'Example.MyCustomSanitizer'.'.
Exception occurred with following context:
Compilation: Example
System.ArgumentException: Conflicting sanitizers for 'Example.MyCustomSanitizer'.
   at SecurityCodeScan.Config.TaintConfiguration.GetSanitizerInfos(SinkKind sinkKind, Configuration config) in D:\a\security-code-scan\security-code-scan\SecurityCodeScan\Config\Configuration.cs:line 462
   at SecurityCodeScan.Config.TaintConfiguration..ctor(WellKnownTypeProvider wellKnownTypeProvider, Configuration config) in D:\a\security-code-scan\security-code-scan\SecurityCodeScan\Config\Configuration.cs:line 104
   at SecurityCodeScan.Config.Configuration.<.ctor>b__12_0() in D:\a\security-code-scan\security-code-scan\SecurityCodeScan\Config\Configuration.cs:line 702
   at System.Lazy`1.ViaFactory(LazyThreadSafetyMode mode)
   at System.Lazy`1.ExecutionAndPublication(LazyHelper executionAndPublication, Boolean useDefaultConstructor)
   at System.Lazy`1.CreateValue()
   at System.Lazy`1.get_Value()
   at SecurityCodeScan.Config.Configuration.get_TaintConfiguration() in D:\a\security-code-scan\security-code-scan\SecurityCodeScan\Config\Configuration.cs:line 695
   at SecurityCodeScan.Analyzers.Taint.ConstAnalyzer.<Initialize>b__7_0(CompilationStartAnalysisContext compilationContext) in D:\a\security-code-scan\security-code-scan\SecurityCodeScan\Analyzers\Taint\ConstAnalyzer.cs:line 60
   at Microsoft.CodeAnalysis.Diagnostics.AnalyzerExecutor.<>c.<ExecuteCompilationStartActions>b__44_0(ValueTuple`2 data)
   at Microsoft.CodeAnalysis.Diagnostics.AnalyzerExecutor.ExecuteAndCatchIfThrows_NoLock[TArg](DiagnosticAnalyzer analyzer, Action`1 analyze, TArg argument, Nullable`1 info)
-----
Suppress the following diagnostics to disable this analyzer: SCS0015
Found: warning AD0001: Analyzer 'SecurityCodeScan.Analyzers.Taint.CommandInjectionTaintAnalyzer' threw an exception of type 'System.ArgumentException' with message 'Conflicting sanitizers for 'Example.MyCustomSanitizer'.'.
Exception occurred with following context:
Compilation: Example
System.ArgumentException: Conflicting sanitizers for 'Example.MyCustomSanitizer'.
   at SecurityCodeScan.Config.TaintConfiguration.GetSanitizerInfos(SinkKind sinkKind, Configuration config) in D:\a\security-code-scan\security-code-scan\SecurityCodeScan\Config\Configuration.cs:line 462
   at SecurityCodeScan.Config.TaintConfiguration..ctor(WellKnownTypeProvider wellKnownTypeProvider, Configuration config) in D:\a\security-code-scan\security-code-scan\SecurityCodeScan\Config\Configuration.cs:line 104
   at SecurityCodeScan.Config.Configuration.<.ctor>b__12_0() in D:\a\security-code-scan\security-code-scan\SecurityCodeScan\Config\Configuration.cs:line 702
   at System.Lazy`1.ViaFactory(LazyThreadSafetyMode mode)
   at System.Lazy`1.ExecutionAndPublication(LazyHelper executionAndPublication, Boolean useDefaultConstructor)
   at System.Lazy`1.CreateValue()
   at System.Lazy`1.get_Value()
   at SecurityCodeScan.Config.Configuration.get_TaintConfiguration() in D:\a\security-code-scan\security-code-scan\SecurityCodeScan\Config\Configuration.cs:line 695
   at SecurityCodeScan.Analyzers.Taint.TaintAnalyzer.<Initialize>b__6_0(CompilationStartAnalysisContext compilationContext) in D:\a\security-code-scan\security-code-scan\SecurityCodeScan\Analyzers\Taint\TaintAnalyzer.cs:line 284
   at Microsoft.CodeAnalysis.Diagnostics.AnalyzerExecutor.<>c.<ExecuteCompilationStartActions>b__44_0(ValueTuple`2 data)
   at Microsoft.CodeAnalysis.Diagnostics.AnalyzerExecutor.ExecuteAndCatchIfThrows_NoLock[TArg](DiagnosticAnalyzer analyzer, Action`1 analyze, TArg argument, Nullable`1 info)
-----
Suppress the following diagnostics to disable this analyzer: SCS0001
Found: warning AD0001: Analyzer 'SecurityCodeScan.Analyzers.Taint.SqlInjectionTaintAnalyzer' threw an exception of type 'System.ArgumentException' with message 'Conflicting sanitizers for 'Example.MyCustomSanitizer'.'.
Exception occurred with following context:
Compilation: Example
System.ArgumentException: Conflicting sanitizers for 'Example.MyCustomSanitizer'.
   at SecurityCodeScan.Config.TaintConfiguration.GetSanitizerInfos(SinkKind sinkKind, Configuration config) in D:\a\security-code-scan\security-code-scan\SecurityCodeScan\Config\Configuration.cs:line 462
   at SecurityCodeScan.Config.TaintConfiguration..ctor(WellKnownTypeProvider wellKnownTypeProvider, Configuration config) in D:\a\security-code-scan\security-code-scan\SecurityCodeScan\Config\Configuration.cs:line 104
   at SecurityCodeScan.Config.Configuration.<.ctor>b__12_0() in D:\a\security-code-scan\security-code-scan\SecurityCodeScan\Config\Configuration.cs:line 702
   at System.Lazy`1.ViaFactory(LazyThreadSafetyMode mode)
   at System.Lazy`1.ExecutionAndPublication(LazyHelper executionAndPublication, Boolean useDefaultConstructor)
   at System.Lazy`1.CreateValue()
   at System.Lazy`1.get_Value()
   at SecurityCodeScan.Config.Configuration.get_TaintConfiguration() in D:\a\security-code-scan\security-code-scan\SecurityCodeScan\Config\Configuration.cs:line 695
   at SecurityCodeScan.Analyzers.Taint.TaintAnalyzer.<Initialize>b__6_0(CompilationStartAnalysisContext compilationContext) in D:\a\security-code-scan\security-code-scan\SecurityCodeScan\Analyzers\Taint\TaintAnalyzer.cs:line 284
   at Microsoft.CodeAnalysis.Diagnostics.AnalyzerExecutor.<>c.<ExecuteCompilationStartActions>b__44_0(ValueTuple`2 data)
   at Microsoft.CodeAnalysis.Diagnostics.AnalyzerExecutor.ExecuteAndCatchIfThrows_NoLock[TArg](DiagnosticAnalyzer analyzer, Action`1 analyze, TArg argument, Nullable`1 info)
-----
Suppress the following diagnostics to disable this analyzer: SCS0002
Found: warning AD0001: Analyzer 'SecurityCodeScan.Analyzers.Taint.XPathTaintAnalyzer' threw an exception of type 'System.ArgumentException' with message 'Conflicting sanitizers for 'Example.MyCustomSanitizer'.'.
Exception occurred with following context:
Compilation: Example
System.ArgumentException: Conflicting sanitizers for 'Example.MyCustomSanitizer'.
   at SecurityCodeScan.Config.TaintConfiguration.GetSanitizerInfos(SinkKind sinkKind, Configuration config) in D:\a\security-code-scan\security-code-scan\SecurityCodeScan\Config\Configuration.cs:line 462
   at SecurityCodeScan.Config.TaintConfiguration..ctor(WellKnownTypeProvider wellKnownTypeProvider, Configuration config) in D:\a\security-code-scan\security-code-scan\SecurityCodeScan\Config\Configuration.cs:line 104
   at SecurityCodeScan.Config.Configuration.<.ctor>b__12_0() in D:\a\security-code-scan\security-code-scan\SecurityCodeScan\Config\Configuration.cs:line 702
   at System.Lazy`1.ViaFactory(LazyThreadSafetyMode mode)
   at System.Lazy`1.ExecutionAndPublication(LazyHelper executionAndPublication, Boolean useDefaultConstructor)
   at System.Lazy`1.CreateValue()
   at System.Lazy`1.get_Value()
   at SecurityCodeScan.Config.Configuration.get_TaintConfiguration() in D:\a\security-code-scan\security-code-scan\SecurityCodeScan\Config\Configuration.cs:line 695
   at SecurityCodeScan.Analyzers.Taint.TaintAnalyzer.<Initialize>b__6_0(CompilationStartAnalysisContext compilationContext) in D:\a\security-code-scan\security-code-scan\SecurityCodeScan\Analyzers\Taint\TaintAnalyzer.cs:line 284
   at Microsoft.CodeAnalysis.Diagnostics.AnalyzerExecutor.<>c.<ExecuteCompilationStartActions>b__44_0(ValueTuple`2 data)
   at Microsoft.CodeAnalysis.Diagnostics.AnalyzerExecutor.ExecuteAndCatchIfThrows_NoLock[TArg](DiagnosticAnalyzer analyzer, Action`1 analyze, TArg argument, Nullable`1 info)
-----
Suppress the following diagnostics to disable this analyzer: SCS0003
Found: warning AD0001: Analyzer 'SecurityCodeScan.Analyzers.Taint.PathTraversalTaintAnalyzer' threw an exception of type 'System.ArgumentException' with message 'Conflicting sanitizers for 'Example.MyCustomSanitizer'.'.
Exception occurred with following context:
Compilation: Example
System.ArgumentException: Conflicting sanitizers for 'Example.MyCustomSanitizer'.
   at SecurityCodeScan.Config.TaintConfiguration.GetSanitizerInfos(SinkKind sinkKind, Configuration config) in D:\a\security-code-scan\security-code-scan\SecurityCodeScan\Config\Configuration.cs:line 462
   at SecurityCodeScan.Config.TaintConfiguration..ctor(WellKnownTypeProvider wellKnownTypeProvider, Configuration config) in D:\a\security-code-scan\security-code-scan\SecurityCodeScan\Config\Configuration.cs:line 104
   at SecurityCodeScan.Config.Configuration.<.ctor>b__12_0() in D:\a\security-code-scan\security-code-scan\SecurityCodeScan\Config\Configuration.cs:line 702
   at System.Lazy`1.ViaFactory(LazyThreadSafetyMode mode)
   at System.Lazy`1.ExecutionAndPublication(LazyHelper executionAndPublication, Boolean useDefaultConstructor)
   at System.Lazy`1.CreateValue()
   at System.Lazy`1.get_Value()
   at SecurityCodeScan.Config.Configuration.get_TaintConfiguration() in D:\a\security-code-scan\security-code-scan\SecurityCodeScan\Config\Configuration.cs:line 695
   at SecurityCodeScan.Analyzers.Taint.TaintAnalyzer.<Initialize>b__6_0(CompilationStartAnalysisContext compilationContext) in D:\a\security-code-scan\security-code-scan\SecurityCodeScan\Analyzers\Taint\TaintAnalyzer.cs:line 284
   at Microsoft.CodeAnalysis.Diagnostics.AnalyzerExecutor.<>c.<ExecuteCompilationStartActions>b__44_0(ValueTuple`2 data)
   at Microsoft.CodeAnalysis.Diagnostics.AnalyzerExecutor.ExecuteAndCatchIfThrows_NoLock[TArg](DiagnosticAnalyzer analyzer, Action`1 analyze, TArg argument, Nullable`1 info)
-----
Suppress the following diagnostics to disable this analyzer: SCS0018
Found: warning AD0001: Analyzer 'SecurityCodeScan.Analyzers.Taint.OpenRedirectTaintAnalyzer' threw an exception of type 'System.ArgumentException' with message 'Conflicting sanitizers for 'Example.MyCustomSanitizer'.'.
Exception occurred with following context:
Compilation: Example
System.ArgumentException: Conflicting sanitizers for 'Example.MyCustomSanitizer'.
   at SecurityCodeScan.Config.TaintConfiguration.GetSanitizerInfos(SinkKind sinkKind, Configuration config) in D:\a\security-code-scan\security-code-scan\SecurityCodeScan\Config\Configuration.cs:line 462
   at SecurityCodeScan.Config.TaintConfiguration..ctor(WellKnownTypeProvider wellKnownTypeProvider, Configuration config) in D:\a\security-code-scan\security-code-scan\SecurityCodeScan\Config\Configuration.cs:line 104
   at SecurityCodeScan.Config.Configuration.<.ctor>b__12_0() in D:\a\security-code-scan\security-code-scan\SecurityCodeScan\Config\Configuration.cs:line 702
   at System.Lazy`1.ViaFactory(LazyThreadSafetyMode mode)
   at System.Lazy`1.ExecutionAndPublication(LazyHelper executionAndPublication, Boolean useDefaultConstructor)
   at System.Lazy`1.CreateValue()
   at System.Lazy`1.get_Value()
   at SecurityCodeScan.Config.Configuration.get_TaintConfiguration() in D:\a\security-code-scan\security-code-scan\SecurityCodeScan\Config\Configuration.cs:line 695
   at SecurityCodeScan.Analyzers.Taint.TaintAnalyzer.<Initialize>b__6_0(CompilationStartAnalysisContext compilationContext) in D:\a\security-code-scan\security-code-scan\SecurityCodeScan\Analyzers\Taint\TaintAnalyzer.cs:line 284
   at Microsoft.CodeAnalysis.Diagnostics.AnalyzerExecutor.<>c.<ExecuteCompilationStartActions>b__44_0(ValueTuple`2 data)
   at Microsoft.CodeAnalysis.Diagnostics.AnalyzerExecutor.ExecuteAndCatchIfThrows_NoLock[TArg](DiagnosticAnalyzer analyzer, Action`1 analyze, TArg argument, Nullable`1 info)
-----
Suppress the following diagnostics to disable this analyzer: SCS0027
Found: warning AD0001: Analyzer 'SecurityCodeScan.Analyzers.Taint.DeserializationTaintAnalyzer' threw an exception of type 'System.ArgumentException' with message 'Conflicting sanitizers for 'Example.MyCustomSanitizer'.'.
Exception occurred with following context:
Compilation: Example
System.ArgumentException: Conflicting sanitizers for 'Example.MyCustomSanitizer'.
   at SecurityCodeScan.Config.TaintConfiguration.GetSanitizerInfos(SinkKind sinkKind, Configuration config) in D:\a\security-code-scan\security-code-scan\SecurityCodeScan\Config\Configuration.cs:line 462
   at SecurityCodeScan.Config.TaintConfiguration..ctor(WellKnownTypeProvider wellKnownTypeProvider, Configuration config) in D:\a\security-code-scan\security-code-scan\SecurityCodeScan\Config\Configuration.cs:line 104
   at SecurityCodeScan.Config.Configuration.<.ctor>b__12_0() in D:\a\security-code-scan\security-code-scan\SecurityCodeScan\Config\Configuration.cs:line 702
   at System.Lazy`1.ViaFactory(LazyThreadSafetyMode mode)
   at System.Lazy`1.ExecutionAndPublication(LazyHelper executionAndPublication, Boolean useDefaultConstructor)
   at System.Lazy`1.CreateValue()
   at System.Lazy`1.get_Value()
   at SecurityCodeScan.Config.Configuration.get_TaintConfiguration() in D:\a\security-code-scan\security-code-scan\SecurityCodeScan\Config\Configuration.cs:line 695
   at SecurityCodeScan.Analyzers.Taint.TaintAnalyzer.<Initialize>b__6_0(CompilationStartAnalysisContext compilationContext) in D:\a\security-code-scan\security-code-scan\SecurityCodeScan\Analyzers\Taint\TaintAnalyzer.cs:line 284
   at Microsoft.CodeAnalysis.Diagnostics.AnalyzerExecutor.<>c.<ExecuteCompilationStartActions>b__44_0(ValueTuple`2 data)
   at Microsoft.CodeAnalysis.Diagnostics.AnalyzerExecutor.ExecuteAndCatchIfThrows_NoLock[TArg](DiagnosticAnalyzer analyzer, Action`1 analyze, TArg argument, Nullable`1 info)
-----
Suppress the following diagnostics to disable this analyzer: SCS0028
Found: warning AD0001: Analyzer 'SecurityCodeScan.Analyzers.Taint.LdapFilterTaintAnalyzer' threw an exception of type 'System.ArgumentException' with message 'Conflicting sanitizers for 'Example.MyCustomSanitizer'.'.
Exception occurred with following context:
Compilation: Example
System.ArgumentException: Conflicting sanitizers for 'Example.MyCustomSanitizer'.
   at SecurityCodeScan.Config.TaintConfiguration.GetSanitizerInfos(SinkKind sinkKind, Configuration config) in D:\a\security-code-scan\security-code-scan\SecurityCodeScan\Config\Configuration.cs:line 462
   at SecurityCodeScan.Config.TaintConfiguration..ctor(WellKnownTypeProvider wellKnownTypeProvider, Configuration config) in D:\a\security-code-scan\security-code-scan\SecurityCodeScan\Config\Configuration.cs:line 104
   at SecurityCodeScan.Config.Configuration.<.ctor>b__12_0() in D:\a\security-code-scan\security-code-scan\SecurityCodeScan\Config\Configuration.cs:line 702
   at System.Lazy`1.ViaFactory(LazyThreadSafetyMode mode)
   at System.Lazy`1.ExecutionAndPublication(LazyHelper executionAndPublication, Boolean useDefaultConstructor)
   at System.Lazy`1.CreateValue()
   at System.Lazy`1.get_Value()
   at SecurityCodeScan.Config.Configuration.get_TaintConfiguration() in D:\a\security-code-scan\security-code-scan\SecurityCodeScan\Config\Configuration.cs:line 695
   at SecurityCodeScan.Analyzers.Taint.TaintAnalyzer.<Initialize>b__6_0(CompilationStartAnalysisContext compilationContext) in D:\a\security-code-scan\security-code-scan\SecurityCodeScan\Analyzers\Taint\TaintAnalyzer.cs:line 284
   at Microsoft.CodeAnalysis.Diagnostics.AnalyzerExecutor.<>c.<ExecuteCompilationStartActions>b__44_0(ValueTuple`2 data)
   at Microsoft.CodeAnalysis.Diagnostics.AnalyzerExecutor.ExecuteAndCatchIfThrows_NoLock[TArg](DiagnosticAnalyzer analyzer, Action`1 analyze, TArg argument, Nullable`1 info)
-----
Suppress the following diagnostics to disable this analyzer: SCS0031
Found: warning AD0001: Analyzer 'SecurityCodeScan.Analyzers.Taint.LdapPathTaintAnalyzer' threw an exception of type 'System.ArgumentException' with message 'Conflicting sanitizers for 'Example.MyCustomSanitizer'.'.
Exception occurred with following context:
Compilation: Example
System.ArgumentException: Conflicting sanitizers for 'Example.MyCustomSanitizer'.
   at SecurityCodeScan.Config.TaintConfiguration.GetSanitizerInfos(SinkKind sinkKind, Configuration config) in D:\a\security-code-scan\security-code-scan\SecurityCodeScan\Config\Configuration.cs:line 462
   at SecurityCodeScan.Config.TaintConfiguration..ctor(WellKnownTypeProvider wellKnownTypeProvider, Configuration config) in D:\a\security-code-scan\security-code-scan\SecurityCodeScan\Config\Configuration.cs:line 104
   at SecurityCodeScan.Config.Configuration.<.ctor>b__12_0() in D:\a\security-code-scan\security-code-scan\SecurityCodeScan\Config\Configuration.cs:line 702
   at System.Lazy`1.ViaFactory(LazyThreadSafetyMode mode)
   at System.Lazy`1.ExecutionAndPublication(LazyHelper executionAndPublication, Boolean useDefaultConstructor)
   at System.Lazy`1.CreateValue()
   at System.Lazy`1.get_Value()
   at SecurityCodeScan.Config.Configuration.get_TaintConfiguration() in D:\a\security-code-scan\security-code-scan\SecurityCodeScan\Config\Configuration.cs:line 695
   at SecurityCodeScan.Analyzers.Taint.TaintAnalyzer.<Initialize>b__6_0(CompilationStartAnalysisContext compilationContext) in D:\a\security-code-scan\security-code-scan\SecurityCodeScan\Analyzers\Taint\TaintAnalyzer.cs:line 284
   at Microsoft.CodeAnalysis.Diagnostics.AnalyzerExecutor.<>c.<ExecuteCompilationStartActions>b__44_0(ValueTuple`2 data)
   at Microsoft.CodeAnalysis.Diagnostics.AnalyzerExecutor.ExecuteAndCatchIfThrows_NoLock[TArg](DiagnosticAnalyzer analyzer, Action`1 analyze, TArg argument, Nullable`1 info)
-----
Suppress the following diagnostics to disable this analyzer: SCS0026
Found: warning AD0001: Analyzer 'SecurityCodeScan.Analyzers.Taint.XssTaintAnalyzer' threw an exception of type 'System.ArgumentException' with message 'Conflicting sanitizers for 'Example.MyCustomSanitizer'.'.
Exception occurred with following context:
Compilation: Example
System.ArgumentException: Conflicting sanitizers for 'Example.MyCustomSanitizer'.
   at SecurityCodeScan.Config.TaintConfiguration.GetSanitizerInfos(SinkKind sinkKind, Configuration config) in D:\a\security-code-scan\security-code-scan\SecurityCodeScan\Config\Configuration.cs:line 462
   at SecurityCodeScan.Config.TaintConfiguration..ctor(WellKnownTypeProvider wellKnownTypeProvider, Configuration config) in D:\a\security-code-scan\security-code-scan\SecurityCodeScan\Config\Configuration.cs:line 104
   at SecurityCodeScan.Config.Configuration.<.ctor>b__12_0() in D:\a\security-code-scan\security-code-scan\SecurityCodeScan\Config\Configuration.cs:line 702
   at System.Lazy`1.ViaFactory(LazyThreadSafetyMode mode)
   at System.Lazy`1.ExecutionAndPublication(LazyHelper executionAndPublication, Boolean useDefaultConstructor)
   at System.Lazy`1.CreateValue()
   at System.Lazy`1.get_Value()
   at SecurityCodeScan.Config.Configuration.get_TaintConfiguration() in D:\a\security-code-scan\security-code-scan\SecurityCodeScan\Config\Configuration.cs:line 695
   at SecurityCodeScan.Analyzers.Taint.TaintAnalyzer.<Initialize>b__6_0(CompilationStartAnalysisContext compilationContext) in D:\a\security-code-scan\security-code-scan\SecurityCodeScan\Analyzers\Taint\TaintAnalyzer.cs:line 284
   at Microsoft.CodeAnalysis.Diagnostics.AnalyzerExecutor.<>c.<ExecuteCompilationStartActions>b__44_0(ValueTuple`2 data)
   at Microsoft.CodeAnalysis.Diagnostics.AnalyzerExecutor.ExecuteAndCatchIfThrows_NoLock[TArg](DiagnosticAnalyzer analyzer, Action`1 analyze, TArg argument, Nullable`1 info)
-----
Suppress the following diagnostics to disable this analyzer: SCS0029
Completed in 00:00:03
10 warnings
```
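As an added example, not the reporter's code from Example.zip: the shape of the `IsReturnUrlValid` check the issue describes, validating an absolute return URL against an allow-list of tenant hosts before the login API redirects to it. The `Example.MyCustomSanitizer` type and method name come from the config above; the in-memory host set (standing in for the issue's database lookup), the https requirement and the other checks are assumptions.

```csharp
using System;
using System.Collections.Generic;

namespace Example
{
    // Assumed implementation of the custom open-redirect sanitizer named in scs.config.yml.
    public static class MyCustomSanitizer
    {
        // Constructed sample of the tenant hosts the real sanitizer would read from the database.
        private static readonly HashSet<string> AllowedTenantHosts =
            new HashSet<string>(StringComparer.OrdinalIgnoreCase)
            {
                "tenant-a.example.com",
                "tenant-b.example.com",
            };

        // True only for an absolute https URL whose host is an exact allow-list match.
        public static bool IsReturnUrlValid(string returnUrl)
        {
            if (string.IsNullOrWhiteSpace(returnUrl))
                return false;

            // The login API lives on another subdomain, so only absolute URLs are accepted.
            // Relative and protocol-relative inputs ("/x", "//other.example") fail here or at
            // the scheme check below (on Unix, .NET may parse a leading "/" as a file: URI).
            if (!Uri.TryCreate(returnUrl, UriKind.Absolute, out var uri))
                return false;

            if (!string.Equals(uri.Scheme, Uri.UriSchemeHttps, StringComparison.OrdinalIgnoreCase))
                return false;

            // Defense in depth: Uri already puts "a.example.com@other.example" user-info outside
            // Host, but refuse any user-info rather than rely on that parsing detail.
            if (!string.IsNullOrEmpty(uri.UserInfo))
                return false;

            // Exact host comparison, never StartsWith/EndsWith/Contains: both
            // "tenant-a.example.com.other.example" and "nottenant-a.example.com" must fail.
            return AllowedTenantHosts.Contains(uri.Host);
        }
    }

    public static class Program
    {
        public static void Main()
        {
            // Constructed inputs covering the accept and reject paths.
            var samples = new[]
            {
                "https://tenant-a.example.com/dashboard",          // valid
                "/dashboard",                                       // relative: rejected
                "http://tenant-b.example.com/",                     // wrong scheme: rejected
                "https://tenant-a.example.com.other.example/",      // host suffix trick: rejected
                "https://tenant-a.example.com@other.example/",      // user-info trick: rejected
            };
            foreach (var url in samples)
                Console.WriteLine($"{url} -> {MyCustomSanitizer.IsReturnUrlValid(url)}");
        }
    }
}
```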