This repository has been archived by the owner on Sep 11, 2019. It is now read-only.

InsecureCookieAnalyzer: System.NullReferenceException error #54

Open
abssd opened this issue Jan 16, 2017 · 13 comments

Comments

@abssd

abssd commented Jan 16, 2017

Compiler error:
Warning AD0001 Analyzer 'RoslynSecurityGuard.Analyzers.CsrfTokenAnalyzer' threw an exception of type 'System.NullReferenceException' with message 'Object reference not set to an instance of an object.'.

@h3xstream
Member

Do you have the complete stack trace?

@h3xstream h3xstream added the bug label Jan 20, 2017
@h3xstream h3xstream self-assigned this Jan 20, 2017
@vlm---

vlm--- commented Jan 30, 2017

We've seen the same error in our internal TFS builds (offline environment). There's no stack trace from the analyzer in the logs. Can you please point me to a guide on how to enable more detailed logs for analyzers during the build process, so that I can create the requested stack trace?

h3xstream added a commit to h3xstream/roslyn-security-guard that referenced this issue Feb 9, 2017
@h3xstream
Member

h3xstream commented Feb 14, 2017

@vlm---
@abssd
I have published a new version to the Visual Studio Marketplace. Let me know if it fixes this NRE:
https://marketplace.visualstudio.com/items?itemName=PhilippeArteau.RoslynSecurityGuard

@leahey

leahey commented Feb 17, 2017

I am seeing a similar issue, with v2.3.0, installed yesterday (16 Feb 2017). Over 9000 instances of the message in my Error List (text/stack follows). Let me know how I can assist.

Warning	AD0001	Analyzer 'RoslynSecurityGuard.Analyzers.Taint.TaintAnalyzer' threw an exception of type 'System.Exception' with message 'Unhandle exception while visiting method Evaluate : Object reference not set to an instance of an object.'.	RoslynSecurityGuard	<Unknown>		1	Compiler	Active	Analyzer 'RoslynSecurityGuard.Analyzers.Taint.TaintAnalyzer' threw the following exception:
'Exception occurred with following context:
Compilation: Titan.Website
SyntaxTree: C:\Dev\Titan.Web\Titan.Website\Controllers\Api\InsightsController.cs
SyntaxNode: [HttpPost] public DataResponse< ... [MethodDeclarationSyntax]@[14935..15972) (364,8)-(393,9)

System.Exception: Unhandle exception while visiting method Evaluate : Object reference not set to an instance of an object. ---> System.NullReferenceException: Object reference not set to an instance of an object.
   at RoslynSecurityGuard.Analyzers.InsecureCookieAnalyzer.VisitEndMethodDeclaration(MethodDeclarationSyntax node, ExecutionState state)
   at RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitMethods(SyntaxNodeAnalysisContext ctx)
   --- End of inner exception stack trace ---
   at RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitMethods(SyntaxNodeAnalysisContext ctx)
   at RoslynSecurityGuard.Analyzers.Taint.TaintAnalyzer.VisitMethods(SyntaxNodeAnalysisContext obj)
   at Microsoft.CodeAnalysis.Diagnostics.AnalyzerExecutor.<>c__DisplayClass42_1`1.<ExecuteSyntaxNodeAction>b__1()
   at Microsoft.CodeAnalysis.Diagnostics.AnalyzerExecutor.ExecuteAndCatchIfThrows_NoLock(DiagnosticAnalyzer analyzer, Action analyze, Nullable`1 info)
-----
System.NullReferenceException: Object reference not set to an instance of an object.
   at RoslynSecurityGuard.Analyzers.InsecureCookieAnalyzer.VisitEndMethodDeclaration(MethodDeclarationSyntax node, ExecutionState state)
   at RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitMethods(SyntaxNodeAnalysisContext ctx)
-----
'.

@h3xstream
Member

@leahey Could you provide an approximation of the method InsightsController.Evaluate? (You can rename all the variables / class names.)

@leahey

leahey commented Feb 17, 2017

Certainly - it follows. However, be aware that this error is occurring on many different methods, not just Evaluate().

public GrekResponse<RemoResult> Evaluate( int id )
{
    var result = new GrekResponse<RemoResult>();
    var user = MyUser;

    try
    {
        var remo = _remoService.Evaluate(user.GetUserProxyInfo(), user.User, id);
        result.IsSuccess = true;
        result.Data = remo;
    }
    catch ( UnauthorizedAccessException ex )
    {
        result.IsUnauthorizedAccessError = true;
        LogError( () => string.Format( "{0} => {1}", ex.Message, ex.StackTrace ) );
    }
    catch ( Exception ex )
    {
        LogError( ex );
    }

    result.ErrorMessages = ModelState.ErrorMessages();
    return result;
}

@leahey

leahey commented Feb 17, 2017

It looks like my generics were mis-rendered. I'll attach a file instead.
EvaluateMethod.txt

@leahey

leahey commented Feb 18, 2017

Additional info: I was creating a console app just for some testing, and I got
"Analyzer 'RoslynSecurityGuard.Analyzers.Taint.TaintAnalyzer' threw an exception of type 'System.Exception' with message 'Unhandle exception while visiting method Main : Object reference not set to an instance of an object.'."

for the following:

class Program
{
    int _intField = 42;

    static void Main(string[] args)
    {
        var localInt = 0;
    }
}

@h3xstream
Member

@leahey Sorry for the delay.
Does the Evaluate method have any annotations?

@leahey

leahey commented Feb 24, 2017

Hello. Evaluate() has an HttpPostAttribute, but nothing else.

@leahey

leahey commented Mar 3, 2017

Any developments on this? I'm having to filter out thousands of AD0001 warnings.

@h3xstream h3xstream changed the title System.NullReferenceException error CsrfTokenAnalyzer : System.NullReferenceException error Mar 3, 2017
@h3xstream h3xstream changed the title CsrfTokenAnalyzer : System.NullReferenceException error InsecureCookieAnalyzer: System.NullReferenceException error Mar 4, 2017
@h3xstream
Member

@leahey
I have looked at it a couple of times. I can't find a potential NRE just by code-reviewing it (InsecureCookieAnalyzer).

I have created a test case that scans the two samples provided before, and it does not create any fault in the test environment or in integration in VS 2017.

I will provide a debug extension that will try to isolate the problem better. I would have liked to reproduce it; so far this seems like the next step.
(An update will come soon.)

@jessehouwing

jessehouwing commented Jul 30, 2017

Seeing another instance of a very similar error on an almost standard new web project in Visual Studio 2017 update 3 preview 6 using RoslynSecurityGuard 2.3.0.0.

Severity	Code	Description	Project	File	Line	Suppression State
Warning	AD0001	Analyzer 'RoslynSecurityGuard.Analyzers.Taint.TaintAnalyzer' threw an exception of type 'System.Exception' with message 'Unhandle exception while visiting method OnException : Object reference not set to an instance of an object.'.	SampleWebApp	C:\Users\JesseHouwing\Source\Repos\Agile2017\Agile2017\SampleWebApp\CSC	1	Active
Severity	Code	Description	Project	File	Line	Suppression State
Warning	AD0001	Analyzer 'RoslynSecurityGuard.Analyzers.Taint.TaintAnalyzer' threw an exception of type 'System.Exception' with message 'Unhandle exception while visiting method OnException : Object reference not set to an instance of an object.'.	SampleWebApp		1	Active

Code that's causing the error:

using System;
using System.Web.Mvc;
using Microsoft.ApplicationInsights;

namespace SampleWebApp.ErrorHandler
{
    [AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = true, AllowMultiple = true)] 
    public class AiHandleErrorAttribute : HandleErrorAttribute
    {
        public override void OnException(ExceptionContext filterContext)
        {
            if (filterContext != null && filterContext.HttpContext != null && filterContext.Exception != null)
            {
                //If customError is Off, then AI HTTPModule will report the exception
                if (filterContext.HttpContext.IsCustomErrorEnabled)
                {   
                    var ai = new TelemetryClient();
                    ai.TrackException(filterContext.Exception);
                } 
            }
            base.OnException(filterContext);
        }
    }
}
