[csharp] Delegate propagation fails

[Hug0Vincent]

I’m analyzing a DLL and encountered a code pattern that I’m having trouble modeling with CodeQL. Below is a simplified example to illustrate the issue:

namespaceConsoleApp1{// 1. Define the delegate with one input and one out parameterdelegatevoidSimpleDelegate(stringinput,outstringoutput);// 2. A method that matches the delegate signatureclassHandler{publicstaticvoidProcess(stringinput,outstringoutput){output="Processed: "+input;}}// 3. Class that stores and retrieves the delegateclassDelegateRegistry{publicstaticreadonlyDictionary<string,SimpleDelegate>Registry=newDictionary<string,SimpleDelegate>();publicstaticvoidRegister(stringkey,SimpleDelegatedel){Registry[key]=del;}}internalclassDelegatePoc{staticvoidPoc(){stringsource="source";SimpleDelegatesimpleDelegate=newSimpleDelegate(Handler.Process);/// Register the delegateDelegateRegistry.Register("key",simpleDelegate);// Fetch and callif(DelegateRegistry.Registry.TryGetValue("key",outSimpleDelegatedel)){stringresult;del(source,outresult);Console.WriteLine(result);}}}}

Tracking the source string with partial dataflow analysis ends in the del call. It can't follow to the actual method Process. I also tried to call getTarget / getRuntimeTarget on the DelegateCall but there is no result.

I don't know why it can't follow further or find the Process method ?

[jketema]

Hi @Hug0Vincent,

I've asked the team to have a look.

[Hug0Vincent]

Thank you 🙏

[hvitved]

Hi.

Thanks for your question. This is a known limitation of how we resolve delegate calls (we do not track delegates stored in collections). If it instead had been

classDelegateRegistry{publicstaticreadonlySimpleDelegated=null;publicstaticvoidRegister(SimpleDelegatedel){d=del;}}

then it ought to work (we do track delegates stored in fields).

I have been wanting to improve this for some time, but it has not yet been a priority.

[Hug0Vincent]

Alright thank you for your answer