fix(rules): correct path-traversal StartsWith sanitizer in dotnet rule

dc-larsen · dc-larsen · commit dc2869567afb · 2026-04-20T19:35:33.000-04:00
The $X.StartsWith($BASE) sanitizer was matching the boolean expression
instead of marking the checked path variable as sanitized, so correctly
validated paths were still flagged as tainted.

Use focus-metavariable + by-side-effect so the sanitizer applies to $X
itself. Verified with a synthetic test case: scans of an unsanitized
File.ReadAllText still fire, but the same call guarded by
full.StartsWith("/var/data/") no longer does. Juliet CWE-23/36 results
unchanged at 432 findings (Juliet test cases do not exercise StartsWith
validation). opengrep --validate and pytest pass.
diff --git a/socket_basics/rules/dotnet.yml b/socket_basics/rules/dotnet.yml
@@ -406,11 +406,14 @@ rules:
           - pattern: Directory.GetFiles(...)
           - pattern: Directory.EnumerateFiles(...)
     pattern-sanitizers:
-      - pattern-either:
-          - pattern: Path.GetFileName(...)
-          # Framework-provided base paths are safe sources, not sanitizers,
-          # but if the result is validated against a base we consider it sanitized
+      - pattern: Path.GetFileName(...)
+      # Treat the checked path variable as sanitized after a base-path validation.
+      # focus-metavariable + by-side-effect cleans $X itself, not just the
+      # StartsWith(...) boolean expression.
+      - patterns:
           - pattern: $X.StartsWith($BASE)
+          - focus-metavariable: $X
+        by-side-effect: true
     metadata:
       category: security
       cwe: CWE-22
