Merge branch 'main' into ruby-mad-argument-self

cpp/ql/lib/semmle/code/cpp/commons/Printf.qll

@@ -872,7 +872,7 @@ class FormatLiteral extends Literal {
 
   private Type getConversionType1(int n) {
     exists(string cnv | cnv = this.getConversionChar(n) |
-      cnv.regexpMatch("d|i") and
+      cnv = ["d", "i"] and
       result = this.getIntegralConversion(n) and
       not result.getUnderlyingType().(IntegralType).isExplicitlySigned() and
       not result.getUnderlyingType().(IntegralType).isExplicitlyUnsigned()
@@ -912,7 +912,7 @@ class FormatLiteral extends Literal {
 
   private Type getConversionType2(int n) {
     exists(string cnv | cnv = this.getConversionChar(n) |
-      cnv.regexpMatch("o|u|x|X") and
+      cnv = ["o", "u", "x", "X"] and
       result = this.getIntegralConversion(n) and
       result.getUnderlyingType().(IntegralType).isUnsigned()
     )
@@ -920,7 +920,7 @@ class FormatLiteral extends Literal {
 
   private Type getConversionType3(int n) {
     exists(string cnv | cnv = this.getConversionChar(n) |
-      cnv.regexpMatch("a|A|e|E|f|F|g|G") and result = this.getFloatingPointConversion(n)
+      cnv = ["a", "A", "e", "E", "f", "F", "g", "G"] and result = this.getFloatingPointConversion(n)
     )
   }
 

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplCommon.qll

@@ -216,10 +216,9 @@ private module LambdaFlow {
     or
     // jump step
     exists(Node mid, DataFlowType t0 |
-      revLambdaFlow(lambdaCall, kind, mid, t0, _, _, _) and
+      revLambdaFlow(lambdaCall, kind, mid, t0, _, _, lastCall) and
       toReturn = false and
-      toJump = true and
-      lastCall = TDataFlowCallNone()
+      toJump = true
     |
       jumpStepCached(node, mid) and
       t = t0
@@ -789,24 +788,31 @@ private module Cached {
   cached
   predicate readSet(Node node1, ContentSet c, Node node2) { readStep(node1, c, node2) }
 
+  cached
+  predicate storeSet(
+    Node node1, ContentSet c, Node node2, DataFlowType contentType, DataFlowType containerType
+  ) {
+    storeStep(node1, c, node2) and
+    contentType = getNodeDataFlowType(node1) and
+    containerType = getNodeDataFlowType(node2)
+    or
+    exists(Node n1, Node n2 |
+      n1 = node1.(PostUpdateNode).getPreUpdateNode() and
+      n2 = node2.(PostUpdateNode).getPreUpdateNode()
+    |
+      argumentValueFlowsThrough(n2, TReadStepTypesSome(containerType, c, contentType), n1)
+      or
+      readSet(n2, c, n1) and
+      contentType = getNodeDataFlowType(n1) and
+      containerType = getNodeDataFlowType(n2)
+    )
+  }
+
   private predicate store(
     Node node1, Content c, Node node2, DataFlowType contentType, DataFlowType containerType
   ) {
-    exists(ContentSet cs | c = cs.getAStoreContent() |
-      storeStep(node1, cs, node2) and
-      contentType = getNodeDataFlowType(node1) and
-      containerType = getNodeDataFlowType(node2)
-      or
-      exists(Node n1, Node n2 |
-        n1 = node1.(PostUpdateNode).getPreUpdateNode() and
-        n2 = node2.(PostUpdateNode).getPreUpdateNode()
-      |
-        argumentValueFlowsThrough(n2, TReadStepTypesSome(containerType, cs, contentType), n1)
-        or
-        readSet(n2, cs, n1) and
-        contentType = getNodeDataFlowType(n1) and
-        containerType = getNodeDataFlowType(n2)
-      )
+    exists(ContentSet cs |
+      c = cs.getAStoreContent() and storeSet(node1, cs, node2, contentType, containerType)
     )
   }
 

cpp/ql/lib/semmle/code/cpp/dataflow/internal/FlowVar.qll

@@ -549,7 +549,7 @@ module FlowVar_internal {
         bb = this.(Loop).getStmt() and
         v = this.getARelevantVariable()
         or
-        this.reachesWithoutAssignment(bb.getAPredecessor(), v) and
+        this.reachesWithoutAssignment(pragma[only_bind_out](bb.getAPredecessor()), v) and
         this.bbInLoop(bb)
       ) and
       not assignsToVar(bb, v)

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll

@@ -216,10 +216,9 @@ private module LambdaFlow {
     or
     // jump step
     exists(Node mid, DataFlowType t0 |
-      revLambdaFlow(lambdaCall, kind, mid, t0, _, _, _) and
+      revLambdaFlow(lambdaCall, kind, mid, t0, _, _, lastCall) and
       toReturn = false and
-      toJump = true and
-      lastCall = TDataFlowCallNone()
+      toJump = true
     |
       jumpStepCached(node, mid) and
       t = t0
@@ -789,24 +788,31 @@ private module Cached {
   cached
   predicate readSet(Node node1, ContentSet c, Node node2) { readStep(node1, c, node2) }
 
+  cached
+  predicate storeSet(
+    Node node1, ContentSet c, Node node2, DataFlowType contentType, DataFlowType containerType
+  ) {
+    storeStep(node1, c, node2) and
+    contentType = getNodeDataFlowType(node1) and
+    containerType = getNodeDataFlowType(node2)
+    or
+    exists(Node n1, Node n2 |
+      n1 = node1.(PostUpdateNode).getPreUpdateNode() and
+      n2 = node2.(PostUpdateNode).getPreUpdateNode()
+    |
+      argumentValueFlowsThrough(n2, TReadStepTypesSome(containerType, c, contentType), n1)
+      or
+      readSet(n2, c, n1) and
+      contentType = getNodeDataFlowType(n1) and
+      containerType = getNodeDataFlowType(n2)
+    )
+  }
+
   private predicate store(
     Node node1, Content c, Node node2, DataFlowType contentType, DataFlowType containerType
   ) {
-    exists(ContentSet cs | c = cs.getAStoreContent() |
-      storeStep(node1, cs, node2) and
-      contentType = getNodeDataFlowType(node1) and
-      containerType = getNodeDataFlowType(node2)
-      or
-      exists(Node n1, Node n2 |
-        n1 = node1.(PostUpdateNode).getPreUpdateNode() and
-        n2 = node2.(PostUpdateNode).getPreUpdateNode()
-      |
-        argumentValueFlowsThrough(n2, TReadStepTypesSome(containerType, cs, contentType), n1)
-        or
-        readSet(n2, cs, n1) and
-        contentType = getNodeDataFlowType(n1) and
-        containerType = getNodeDataFlowType(n2)
-      )
+    exists(ContentSet cs |
+      c = cs.getAStoreContent() and storeSet(node1, cs, node2, contentType, containerType)
     )
   }
 

cpp/ql/src/Likely Bugs/Conversion/LossyFunctionResultCast.ql

@@ -19,7 +19,7 @@ predicate whitelist(Function f) {
       "nearbyintl", "rint", "rintf", "rintl", "round", "roundf", "roundl", "trunc", "truncf",
       "truncl"
     ] or
-  f.getName().matches("__builtin_%")
+  f.getName().matches("\\_\\_builtin\\_%")
 }
 
 predicate whitelistPow(FunctionCall fc) {

cpp/ql/src/Likely Bugs/Memory Management/PotentialBufferOverflow.ql

@@ -13,7 +13,7 @@
  * @deprecated This query is deprecated, use
  *             Potentially overrunning write (`cpp/overrunning-write`) and
  *             Potentially overrunning write with float to string conversion
- *             (`cpp/overrunning-write-with-float) instead.
+ *             (`cpp/overrunning-write-with-float`) instead.
  */
 
 import cpp

cpp/ql/src/experimental/Best Practices/WrongUintAccess.cpp

@@ -0,0 +1,7 @@
+void test()
+{
+    uint16_t j = 256;
+    char testSubject[122];
+
+    testSubject[j] = 12; // You can use a uint8 here
+}

cpp/ql/src/experimental/Best Practices/WrongUintAccess.qhelp

@@ -0,0 +1,18 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>Find access to an array with a Uint16 when the array has a size lower than 256.</p>
+</overview>
+
+<recommendation>
+<p>Use a int with a lower bit size instead. For instance in this example use a 8 bit int.</p>
+</recommendation>
+
+<example>
+<sample src="WrongUintAccess.cpp" />
+</example>
+
+</qhelp>

cpp/ql/src/experimental/Best Practices/WrongUintAccess.ql

@@ -0,0 +1,25 @@
+/**
+ * @id cpp/wrong-uint-access
+ * @name Wrong Uint
+ * @descripion Acess an array of size lower than 256 with a uint16.
+ * @kind problem
+ * @problem.severity recommendation
+ * @tags efficiency
+ */
+
+import cpp
+
+from Variable var, ArrayExpr useExpr, ArrayType defLine, VariableAccess use
+where
+  var.getUnspecifiedType() = defLine and
+  use = useExpr.getArrayBase() and
+  var = use.getTarget() and
+  (
+    useExpr.getArrayOffset().getType() instanceof UInt16_t or
+    useExpr.getArrayOffset().getType() instanceof UInt32_t or
+    useExpr.getArrayOffset().getType() instanceof UInt64_t
+  ) and
+  defLine.getArraySize() <= 256
+select useExpr,
+  "Using a " + useExpr.getArrayOffset().getType() + " to acess the array $@ of size " +
+    defLine.getArraySize() + ".", var, var.getName()

cpp/ql/src/experimental/Security/CWE/CWE-266/IncorrectPrivilegeAssignment.ql

@@ -58,7 +58,7 @@ where
       // unfortunately cannot use numeric value here because // O_CREAT is defined differently on different OSes:
       // https://github.com/red/red/blob/92feb0c0d5f91e087ab35fface6906afbf99b603/runtime/definitions.reds#L477-L491
       // this may introduce false negatives
-      fctmp.getArgument(1).(BitwiseOrExpr).getAChild*().getValueText().matches("O_CREAT") or
+      fctmp.getArgument(1).(BitwiseOrExpr).getAChild*().getValueText() = "O_CREAT" or
       fctmp.getArgument(1).getValueText().matches("%O_CREAT%")
     ) and
     fctmp.getNumberOfArguments() = 2 and

cpp/ql/src/jsf/4.05 Libraries/AV Rule 23.ql

@@ -13,7 +13,7 @@ import cpp
 
 from Function f
 where
-  f.getName().regexpMatch("atof|atoi|atol") and
+  f.getName() = ["atof", "atoi", "atol"] and
   f.getFile().getAbsolutePath().matches("%stdlib.h")
 select f.getACallToThisFunction(),
   "AV Rule 23: The library functions atof, atoi and atol from library <stdlib.h> shall not be used."

cpp/ql/src/jsf/4.05 Libraries/AV Rule 24.ql

@@ -13,7 +13,7 @@ import cpp
 
 from Function f
 where
-  f.getName().regexpMatch("abort|exit|getenv|system") and
+  f.getName() = ["abort", "exit", "getenv", "system"] and
   f.getFile().getAbsolutePath().matches("%stdlib.h")
 select f.getACallToThisFunction(),
   "The library functions abort, exit, getenv and system from library <stdlib.h> should not be used."