From f0ca76102cc6ea8ba10715caafe37f89eab93cc3 Mon Sep 17 00:00:00 2001 From: Moshe Kaplan Date: Fri, 24 Mar 2023 15:26:46 -0400 Subject: [PATCH 0001/1955] Correct menu title name of "Open Workspace" Correct menu title name of "Open Workspace" to "Open Workspace from File", as that is the current menu title on VS Code (at least as of 1.76.2) --- .../setting-up-codeql-in-visual-studio-code.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/codeql/codeql-for-visual-studio-code/setting-up-codeql-in-visual-studio-code.rst b/docs/codeql/codeql-for-visual-studio-code/setting-up-codeql-in-visual-studio-code.rst index 6ed374381d8..98990c7f706 100644 --- a/docs/codeql/codeql-for-visual-studio-code/setting-up-codeql-in-visual-studio-code.rst +++ b/docs/codeql/codeql-for-visual-studio-code/setting-up-codeql-in-visual-studio-code.rst @@ -72,7 +72,7 @@ To use the starter workspace: * Make sure you include the submodules, either by using ``git clone --recursive``, or using by ``git submodule update --init --remote`` after cloning. * Use ``git submodule update --remote`` regularly to keep the submodules up to date. -#. In VS Code, use the **File** > **Open Workspace** option to open the ``vscode-codeql-starter.code-workspace`` file from your checkout of the workspace repository. +#. In VS Code, use the **File** > **Open Workspace from File** option to open the ``vscode-codeql-starter.code-workspace`` file from your checkout of the workspace repository. .. _existing-workspace: From 53dbfcb3aa6dc75871474e1f9538e2f582ea7a43 Mon Sep 17 00:00:00 2001 From: Asger F Date: Tue, 26 Sep 2023 10:29:19 +0200 Subject: [PATCH 0002/1955] C++: use in/out barriers with flow state --- cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql | 4 ++-- .../Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql b/cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql index 0686c4a707c..f56064a1220 100644 --- a/cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql +++ b/cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql @@ -134,8 +134,8 @@ module ExecTaintConfig implements DataFlow::StateConfigSig { predicate isBarrier(DataFlow::Node node) { isBarrierImpl(node) } - predicate isBarrierOut(DataFlow::Node node) { - isSink(node, _) // Prevent duplicates along a call chain, since `shellCommand` will include wrappers + predicate isBarrierOut(DataFlow::Node node, FlowState state) { + isSink(node, state) // Prevent duplicates along a call chain, since `shellCommand` will include wrappers } } diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql b/cpp/ql/src/experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql index c38a012b27b..018974419a5 100644 --- a/cpp/ql/src/experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql +++ b/cpp/ql/src/experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql @@ -168,9 +168,9 @@ module ArrayAddressToDerefConfig implements DataFlow::StateConfigSig { ) } - predicate isBarrierIn(DataFlow::Node node) { isSource(node, _) } + predicate isBarrierIn(DataFlow::Node node, FlowState state) { isSource(node, state) } - predicate isBarrierOut(DataFlow::Node node) { isSink(node, _) } + predicate isBarrierOut(DataFlow::Node node, FlowState state) { isSink(node, state) } predicate isAdditionalFlowStep( DataFlow::Node node1, FlowState state1, DataFlow::Node node2, FlowState state2 From d10a6b4ca0df39a5b5c5800745e598292fe0e681 Mon Sep 17 00:00:00 2001 From: Kristen Newbury Date: Thu, 3 Oct 2024 13:33:30 -0400 Subject: [PATCH 0003/1955] Remove unnecessary query --- .../ql/src/Language Abuse/EmptyStatement.java | 8 ---- .../src/Language Abuse/EmptyStatement.qhelp | 39 ------------------- java/ql/src/Language Abuse/EmptyStatement.ql | 19 --------- 3 files changed, 66 deletions(-) delete mode 100644 java/ql/src/Language Abuse/EmptyStatement.java delete mode 100644 java/ql/src/Language Abuse/EmptyStatement.qhelp delete mode 100644 java/ql/src/Language Abuse/EmptyStatement.ql diff --git a/java/ql/src/Language Abuse/EmptyStatement.java b/java/ql/src/Language Abuse/EmptyStatement.java deleted file mode 100644 index 4f9b462a38f..00000000000 --- a/java/ql/src/Language Abuse/EmptyStatement.java +++ /dev/null @@ -1,8 +0,0 @@ -public class Cart { - // AVOID: Empty statement - List items = new ArrayList();; - public void applyDiscount(float discount) { - // AVOID: Empty statement as loop body - for (int i = 0; i < items.size(); items.get(i++).applyDiscount(discount)); - } -} \ No newline at end of file diff --git a/java/ql/src/Language Abuse/EmptyStatement.qhelp b/java/ql/src/Language Abuse/EmptyStatement.qhelp deleted file mode 100644 index 700bd488dfc..00000000000 --- a/java/ql/src/Language Abuse/EmptyStatement.qhelp +++ /dev/null @@ -1,39 +0,0 @@ - - - - - -

An empty statement is a single semicolon ; that does not -terminate another statement. Such a statement hinders readability and has no effect on its own.

- - - - -

Avoid empty statements. If a loop is intended to have an empty body, it is better -to mark that fact explicitly by using a pair of braces {} containing an explanatory comment -for the body, rather than a single semicolon.

- - - - -

In the following example, there is an empty statement on line 3, where an additional semicolon is -used. On line 6, the for statement has an empty body because the condition is -immediately followed by a semicolon. In this case, it is better to include a pair of braces {} containing -an explanatory comment for the body instead. - -

- - - - - -
  • -Help - Eclipse Platform: -Java Compiler Errors/Warnings Preferences. -
    • - - -     -     diff --git a/java/ql/src/Language Abuse/EmptyStatement.ql b/java/ql/src/Language Abuse/EmptyStatement.ql deleted file mode 100644 index 36f61b862ac..00000000000 --- a/java/ql/src/Language Abuse/EmptyStatement.ql +++ /dev/null @@ -1,19 +0,0 @@ -/** - * @name Empty statement - * @description An empty statement hinders readability. - * @kind problem - * @problem.severity recommendation - * @precision low - * @id java/empty-statement - * @tags maintainability - * useless-code - */ - -import java - -from EmptyStmt empty, string action -where - if exists(LoopStmt l | l.getBody() = empty) - then action = "turned into '{}'" - else action = "deleted" -select empty, "This empty statement should be " + action + "." From e98db7fd20f7c64cb68ed315523bc8bc0594aac8 Mon Sep 17 00:00:00 2001 From: Kristen Newbury Date: Thu, 3 Oct 2024 17:28:59 -0400 Subject: [PATCH 0004/1955] Add changenote for query removal change --- java/ql/src/change-notes/2024-10-03-remove-java-query.md | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 java/ql/src/change-notes/2024-10-03-remove-java-query.md diff --git a/java/ql/src/change-notes/2024-10-03-remove-java-query.md b/java/ql/src/change-notes/2024-10-03-remove-java-query.md new file mode 100644 index 00000000000..efa7fa3504b --- /dev/null +++ b/java/ql/src/change-notes/2024-10-03-remove-java-query.md @@ -0,0 +1,4 @@ +--- +category: removedQuery +--- +* Removed the `java/empty-statement` query that was subsumed by the `java/empty-block` query. \ No newline at end of file From df18891a2f7840a3d3a12caf41ff4dc43a049d11 Mon Sep 17 00:00:00 2001 From: Kristen Newbury Date: Thu, 3 Oct 2024 17:36:42 -0400 Subject: [PATCH 0005/1955] Fix changenote for query removal change --- java/ql/src/change-notes/2024-10-03-remove-java-query.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/java/ql/src/change-notes/2024-10-03-remove-java-query.md b/java/ql/src/change-notes/2024-10-03-remove-java-query.md index efa7fa3504b..e9f3e4910cb 100644 --- a/java/ql/src/change-notes/2024-10-03-remove-java-query.md +++ b/java/ql/src/change-notes/2024-10-03-remove-java-query.md @@ -1,4 +1,4 @@ --- -category: removedQuery +category: minorAnalysis --- * Removed the `java/empty-statement` query that was subsumed by the `java/empty-block` query. \ No newline at end of file From 150debdd8dc5d0ff368ae6d25578b63c8c617179 Mon Sep 17 00:00:00 2001 From: 2h0ng <60600792+superboy-zjc@users.noreply.github.com> Date: Sun, 9 Feb 2025 15:29:37 -0500 Subject: [PATCH 0006/1955] Fix the broken reference --- docs/codeql/ql-language-reference/aliases.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/codeql/ql-language-reference/aliases.rst b/docs/codeql/ql-language-reference/aliases.rst index efbbef65cda..ebecbdf0a2b 100644 --- a/docs/codeql/ql-language-reference/aliases.rst +++ b/docs/codeql/ql-language-reference/aliases.rst @@ -137,6 +137,6 @@ During :ref:`name resolution `, ambiguity between aliases from for the same module/type/predicate is allowed, but ambiguity between between aliases from distinct **strong** alias definitions is invalid QL. Likewise, for the purpose of applicative instantiation of :ref:`parameterised modules ` -and `:ref:`parameterised module signatures `, aliases from **weak** alias +and :ref:`parameterised module signatures `, aliases from **weak** alias definitions for instantiation arguments do not result in separate instantiations, but aliases from **strong** alias definitions for instantiation arguments do. From 26f3b40d3591ec07806bdf1438df6e95030bd2c3 Mon Sep 17 00:00:00 2001 From: Vasco-jofra <11303847+Vasco-jofra@users.noreply.github.com> Date: Sat, 14 Jun 2025 00:13:03 +0200 Subject: [PATCH 0007/1955] Add lodash GroupBy as taint step --- .../javascript/frameworks/LodashUnderscore.qll | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/javascript/ql/lib/semmle/javascript/frameworks/LodashUnderscore.qll b/javascript/ql/lib/semmle/javascript/frameworks/LodashUnderscore.qll index 7c2e6aa37a5..20258622737 100644 --- a/javascript/ql/lib/semmle/javascript/frameworks/LodashUnderscore.qll +++ b/javascript/ql/lib/semmle/javascript/frameworks/LodashUnderscore.qll @@ -341,6 +341,18 @@ module LodashUnderscore { preservesValue = true } } + + private class LodashGroupBy extends DataFlow::SummarizedCallable { + LodashGroupBy() { this = "_.groupBy" } + + override DataFlow::CallNode getACall() { result = member("groupBy").getACall() } + + override predicate propagatesFlow(string input, string output, boolean preservesValue) { + input = "Argument[0]" and + output = ["Argument[1].Parameter[0]", "ReturnValue"] and + preservesValue = false + } + } } /** From 8c4dbca23c895b28fab9f256ce0c2b042b7174f6 Mon Sep 17 00:00:00 2001 From: Vasco-jofra <11303847+Vasco-jofra@users.noreply.github.com> Date: Sun, 15 Jun 2025 17:59:49 +0200 Subject: [PATCH 0008/1955] Improve data flow in the async library --- .../dataflow/internal/FlowSummaryPrivate.qll | 2 + .../javascript/frameworks/AsyncPackage.qll | 147 +++++++++++++----- .../AsyncPackage/AsyncTaintTracking.expected | 32 ++-- .../frameworks/AsyncPackage/map.js | 13 ++ .../frameworks/AsyncPackage/waterfall.js | 10 +- 5 files changed, 158 insertions(+), 46 deletions(-) diff --git a/javascript/ql/lib/semmle/javascript/dataflow/internal/FlowSummaryPrivate.qll b/javascript/ql/lib/semmle/javascript/dataflow/internal/FlowSummaryPrivate.qll index 31f5f16bbfb..6315b34b0a4 100644 --- a/javascript/ql/lib/semmle/javascript/dataflow/internal/FlowSummaryPrivate.qll +++ b/javascript/ql/lib/semmle/javascript/dataflow/internal/FlowSummaryPrivate.qll @@ -94,6 +94,8 @@ private string encodeContentAux(ContentSet cs, string arg) { cs = ContentSet::iteratorElement() and result = "IteratorElement" or cs = ContentSet::iteratorError() and result = "IteratorError" + or + cs = ContentSet::anyProperty() and result = "AnyMember" ) or cs = getPromiseContent(arg) and diff --git a/javascript/ql/lib/semmle/javascript/frameworks/AsyncPackage.qll b/javascript/ql/lib/semmle/javascript/frameworks/AsyncPackage.qll index 4dc60d44765..eacc69585ed 100644 --- a/javascript/ql/lib/semmle/javascript/frameworks/AsyncPackage.qll +++ b/javascript/ql/lib/semmle/javascript/frameworks/AsyncPackage.qll @@ -15,14 +15,15 @@ module AsyncPackage { } /** - * Gets a reference to the given member or one of its `Limit` or `Series` variants. + * Gets `Limit` or `Series` name variants for a given member name. * - * For example, `memberVariant("map")` finds references to `map`, `mapLimit`, and `mapSeries`. + * For example, `memberNameVariant("map")` returns `map`, `mapLimit`, and `mapSeries`. */ - DataFlow::SourceNode memberVariant(string name) { - result = member(name) or - result = member(name + "Limit") or - result = member(name + "Series") + bindingset[name] + string memberNameVariant(string name) { + result = name or + result = name + "Limit" or + result = name + "Series" } /** @@ -101,22 +102,47 @@ module AsyncPackage { */ class IterationCall extends DataFlow::InvokeNode { string name; + int iteratorCallbackIndex; + int finalCallbackIndex; IterationCall() { - this = memberVariant(name).getACall() and - name = - [ - "concat", "detect", "each", "eachOf", "forEach", "forEachOf", "every", "filter", - "groupBy", "map", "mapValues", "reduce", "reduceRight", "reject", "some", "sortBy", - "transform" - ] + ( + ( + name = + memberNameVariant([ + "concat", "detect", "each", "eachOf", "forEach", "forEachOf", "every", "filter", + "groupBy", "map", "mapValues", "reject", "some", "sortBy", + ]) and + if name.matches("%Limit") + then ( + iteratorCallbackIndex = 2 and finalCallbackIndex = 3 + ) else ( + iteratorCallbackIndex = 1 and finalCallbackIndex = 2 + ) + ) + or + name = ["reduce", "reduceRight", "transform"] and + iteratorCallbackIndex = 2 and + finalCallbackIndex = 3 + ) and + this = member(name).getACall() } /** - * Gets the name of the iteration call, without the `Limit` or `Series` suffix. + * Gets the name of the iteration call */ string getName() { result = name } + /** + * Gets the iterator callback index + */ + int getIteratorCallbackIndex() { result = iteratorCallbackIndex } + + /** + * Gets the final callback index + */ + int getFinalCallbackIndex() { result = finalCallbackIndex } + /** * Gets the node holding the collection being iterated over. */ @@ -125,26 +151,73 @@ module AsyncPackage { /** * Gets the node holding the function being called for each element in the collection. */ - DataFlow::Node getIteratorCallback() { result = this.getArgument(this.getNumArgument() - 2) } + DataFlow::FunctionNode getIteratorCallback() { + result = this.getCallback(iteratorCallbackIndex) + } /** - * Gets the node holding the function being invoked after iteration is complete. + * Gets the node holding the function being invoked after iteration is complete. (may not exist) */ - DataFlow::Node getFinalCallback() { result = this.getArgument(this.getNumArgument() - 1) } + DataFlow::FunctionNode getFinalCallback() { result = this.getCallback(finalCallbackIndex) } } /** - * A taint step from the collection into the iterator callback of an iteration call. + * An IterationCall with its iterator callback at index 1 + */ + private class IterationCallCallbacksFirstArg extends IterationCall { + IterationCallCallbacksFirstArg() { this.getIteratorCallbackIndex() = 1 } + } + + /** + * An IterationCall with its iterator callback at index 2 + */ + private class IterationCallCallbacksSecondArg extends IterationCall { + IterationCallCallbacksSecondArg() { this.getIteratorCallbackIndex() = 2 } + } + + /** + * The model with the iteratorCallbackIndex abstracted + */ + bindingset[iteratorCallbackIndex] + private predicate iterationCallPropagatesFlow( + string input, string output, boolean preservesValue, int iteratorCallbackIndex + ) { + preservesValue = true and + input = "Argument[0]." + ["ArrayElement", "SetElement", "IteratorElement", "AnyMember"] and + output = "Argument[" + iteratorCallbackIndex + "].Parameter[0]" + } + + /** + * A taint step from the collection into the iterator callback (at index 1) of an iteration call. * * For example: `data -> item` in `async.each(data, (item, cb) => {})`. */ - private class IterationInputTaintStep extends TaintTracking::SharedTaintStep { - override predicate step(DataFlow::Node pred, DataFlow::Node succ) { - exists(DataFlow::FunctionNode iteratee, IterationCall call | - iteratee = call.getIteratorCallback() and // Require a closure to avoid spurious call/return mismatch. - pred = call.getCollection() and // TODO: needs a flow summary to ensure ArrayElement content is unfolded - succ = iteratee.getParameter(0) - ) + class IterationCallCallbacksFirstArgFlowSummary extends DataFlow::SummarizedCallable { + IterationCallCallbacksFirstArgFlowSummary() { this = "async.[IterationCallCallbacksFirstArg]" } + + override DataFlow::InvokeNode getACallSimple() { + result instanceof IterationCallCallbacksFirstArg + } + + override predicate propagatesFlow(string input, string output, boolean preservesValue) { + iterationCallPropagatesFlow(input, output, preservesValue, 1) + } + } + + /** + * A taint step from the collection into the iterator callback (at index 2) of an iteration call. + * + * For example: `data -> item` in `async.eachLimit(data, 1, (item, cb) => {})`. + */ + class IterationCallCallbacksSecondArgFlowSummary extends DataFlow::SummarizedCallable { + IterationCallCallbacksSecondArgFlowSummary() { this = "async.[IterationCallCallbackSecondArg]" } + + override DataFlow::InvokeNode getACallSimple() { + result instanceof IterationCallCallbacksSecondArg + } + + override predicate propagatesFlow(string input, string output, boolean preservesValue) { + iterationCallPropagatesFlow(input, output, preservesValue, 2) } } @@ -152,14 +225,14 @@ module AsyncPackage { * A taint step from the return value of an iterator callback to the result of the iteration * call. * - * For example: `item + taint()` -> result` in `async.map(data, (item, cb) => cb(null, item + taint()), (err, result) => {})`. + * For example: `item + taint() -> result` in `async.map(data, (item, cb) => cb(null, item + taint()), (err, result) => {})`. */ private class IterationOutputTaintStep extends TaintTracking::SharedTaintStep { override predicate step(DataFlow::Node pred, DataFlow::Node succ) { exists( DataFlow::FunctionNode iteratee, DataFlow::FunctionNode final, int i, IterationCall call | - iteratee = call.getIteratorCallback().getALocalSource() and + iteratee = call.getIteratorCallback() and final = call.getFinalCallback() and // Require a closure to avoid spurious call/return mismatch. pred = getLastParameter(iteratee).getACall().getArgument(i) and succ = final.getParameter(i) and @@ -175,14 +248,18 @@ module AsyncPackage { * * For example: `data -> result` in `async.sortBy(data, orderingFn, (err, result) => {})`. */ - private class IterationPreserveTaintStep extends TaintTracking::SharedTaintStep { - override predicate step(DataFlow::Node pred, DataFlow::Node succ) { - exists(DataFlow::FunctionNode final, IterationCall call | - final = call.getFinalCallback() and // Require a closure to avoid spurious call/return mismatch. - pred = call.getCollection() and - succ = final.getParameter(1) and - call.getName() = "sortBy" - ) + class IterationPreserveTaintStepFlowSummary extends DataFlow::SummarizedCallable { + IterationPreserveTaintStepFlowSummary() { this = "async.sortBy" } + + override DataFlow::InvokeNode getACallSimple() { + result instanceof IterationCall and + result.(IterationCall).getName() = "sortBy" + } + + override predicate propagatesFlow(string input, string output, boolean preservesValue) { + preservesValue = false and + input = "Argument[0]." + ["ArrayElement", "SetElement", "IteratorElement", "AnyMember"] and + output = "Argument[2].Parameter[1]" } } } diff --git a/javascript/ql/test/library-tests/frameworks/AsyncPackage/AsyncTaintTracking.expected b/javascript/ql/test/library-tests/frameworks/AsyncPackage/AsyncTaintTracking.expected index 168f5ec5ace..95ee8fe452b 100644 --- a/javascript/ql/test/library-tests/frameworks/AsyncPackage/AsyncTaintTracking.expected +++ b/javascript/ql/test/library-tests/frameworks/AsyncPackage/AsyncTaintTracking.expected @@ -1,12 +1,24 @@ legacyDataFlowDifference -| each.js:11:9:11:16 | source() | each.js:13:12:13:15 | item | only flow with OLD data flow library | -| map.js:10:13:10:20 | source() | map.js:12:14:12:17 | item | only flow with OLD data flow library | -| map.js:26:13:26:20 | source() | map.js:28:27:28:32 | result | only flow with OLD data flow library | -| sortBy.js:10:22:10:29 | source() | sortBy.js:12:27:12:32 | result | only flow with OLD data flow library | +| each.js:11:9:11:16 | source() | each.js:13:12:13:15 | item | only flow with NEW data flow library | +| map.js:14:13:14:20 | source() | map.js:16:14:16:17 | item | only flow with NEW data flow library | +| map.js:30:13:30:20 | source() | map.js:32:27:32:32 | result | only flow with NEW data flow library | +| map.js:40:13:40:20 | source() | map.js:11:10:11:10 | x | only flow with NEW data flow library | +| map.js:42:12:42:19 | source() | map.js:11:10:11:10 | x | only flow with NEW data flow library | +| map.js:44:16:44:23 | source() | map.js:11:10:11:10 | x | only flow with NEW data flow library | +| map.js:46:18:46:25 | source() | map.js:11:10:11:10 | x | only flow with NEW data flow library | +| sortBy.js:10:22:10:29 | source() | sortBy.js:12:27:12:32 | result | only flow with NEW data flow library | #select -| map.js:20:19:20:26 | source() | map.js:23:27:23:32 | result | -| waterfall.js:8:30:8:37 | source() | waterfall.js:11:12:11:16 | taint | -| waterfall.js:8:30:8:37 | source() | waterfall.js:20:10:20:14 | taint | -| waterfall.js:28:18:28:25 | source() | waterfall.js:39:10:39:12 | err | -| waterfall.js:46:22:46:29 | source() | waterfall.js:49:12:49:16 | taint | -| waterfall.js:46:22:46:29 | source() | waterfall.js:55:10:55:14 | taint | +| each.js:11:9:11:16 | source() | each.js:13:12:13:15 | item | +| map.js:14:13:14:20 | source() | map.js:16:14:16:17 | item | +| map.js:24:19:24:26 | source() | map.js:27:27:27:32 | result | +| map.js:30:13:30:20 | source() | map.js:32:27:32:32 | result | +| map.js:40:13:40:20 | source() | map.js:11:10:11:10 | x | +| map.js:42:12:42:19 | source() | map.js:11:10:11:10 | x | +| map.js:44:16:44:23 | source() | map.js:11:10:11:10 | x | +| map.js:46:18:46:25 | source() | map.js:11:10:11:10 | x | +| sortBy.js:10:22:10:29 | source() | sortBy.js:12:27:12:32 | result | +| waterfall.js:16:30:16:37 | source() | waterfall.js:19:12:19:16 | taint | +| waterfall.js:16:30:16:37 | source() | waterfall.js:28:10:28:14 | taint | +| waterfall.js:36:18:36:25 | source() | waterfall.js:47:10:47:12 | err | +| waterfall.js:54:22:54:29 | source() | waterfall.js:57:12:57:16 | taint | +| waterfall.js:54:22:54:29 | source() | waterfall.js:63:10:63:14 | taint | diff --git a/javascript/ql/test/library-tests/frameworks/AsyncPackage/map.js b/javascript/ql/test/library-tests/frameworks/AsyncPackage/map.js index ed7e64b01fa..b1e9ecc883b 100644 --- a/javascript/ql/test/library-tests/frameworks/AsyncPackage/map.js +++ b/javascript/ql/test/library-tests/frameworks/AsyncPackage/map.js @@ -7,6 +7,10 @@ function sink(x) { console.log(x) } +function call_sink(x) { + sink(x) +} + async_.map([source()], (item, cb) => { sink(item), // NOT OK @@ -32,3 +36,12 @@ async_.map(['safe'], (item, cb) => cb(null, item), (err, result) => sink(result) // OK ); + +async_.map([source()], call_sink) // NOT OK + +async_.map(source().prop, call_sink) // NOT OK + +async_.map({a: source()}, call_sink) // NOT OK + +async_.mapLimit([source()], 1, call_sink) // NOT OK + diff --git a/javascript/ql/test/library-tests/frameworks/AsyncPackage/waterfall.js b/javascript/ql/test/library-tests/frameworks/AsyncPackage/waterfall.js index 439ac48674a..8554d048d98 100644 --- a/javascript/ql/test/library-tests/frameworks/AsyncPackage/waterfall.js +++ b/javascript/ql/test/library-tests/frameworks/AsyncPackage/waterfall.js @@ -1,7 +1,15 @@ let async_ = require('async'); let waterfall = require('a-sync-waterfall'); -var source, sink, somethingWrong; +function source() { + return 'TAINT' +} + +function sink(x) { + console.log(x) +} + +var somethingWrong; async_.waterfall([ function(callback) { From 575da5c31c8909a99a64dc20571bb7c23aa22635 Mon Sep 17 00:00:00 2001 From: Vasco-jofra <11303847+Vasco-jofra@users.noreply.github.com> Date: Thu, 26 Jun 2025 10:10:52 +0200 Subject: [PATCH 0009/1955] Merge SummarizedCallable into single class --- .../javascript/frameworks/AsyncPackage.qll | 77 ++++++------------- 1 file changed, 24 insertions(+), 53 deletions(-) diff --git a/javascript/ql/lib/semmle/javascript/frameworks/AsyncPackage.qll b/javascript/ql/lib/semmle/javascript/frameworks/AsyncPackage.qll index eacc69585ed..db2487ce46a 100644 --- a/javascript/ql/lib/semmle/javascript/frameworks/AsyncPackage.qll +++ b/javascript/ql/lib/semmle/javascript/frameworks/AsyncPackage.qll @@ -14,13 +14,24 @@ module AsyncPackage { result = DataFlow::moduleMember("async-es", name) } + /** + * Gets a reference to the given member or one of its `Limit` or `Series` variants. + * + * For example, `memberVariant("map")` finds references to `map`, `mapLimit`, and `mapSeries`. + */ + DataFlow::SourceNode memberVariant(string name) { + result = member(name) or + result = member(name + "Limit") or + result = member(name + "Series") + } + /** * Gets `Limit` or `Series` name variants for a given member name. * * For example, `memberNameVariant("map")` returns `map`, `mapLimit`, and `mapSeries`. */ bindingset[name] - string memberNameVariant(string name) { + private string memberNameVariant(string name) { result = name or result = name + "Limit" or result = name + "Series" @@ -161,63 +172,23 @@ module AsyncPackage { DataFlow::FunctionNode getFinalCallback() { result = this.getCallback(finalCallbackIndex) } } - /** - * An IterationCall with its iterator callback at index 1 - */ - private class IterationCallCallbacksFirstArg extends IterationCall { - IterationCallCallbacksFirstArg() { this.getIteratorCallbackIndex() = 1 } - } + private class IterationCallFlowSummary extends DataFlow::SummarizedCallable { + private int callbackArgIndex; - /** - * An IterationCall with its iterator callback at index 2 - */ - private class IterationCallCallbacksSecondArg extends IterationCall { - IterationCallCallbacksSecondArg() { this.getIteratorCallbackIndex() = 2 } - } - - /** - * The model with the iteratorCallbackIndex abstracted - */ - bindingset[iteratorCallbackIndex] - private predicate iterationCallPropagatesFlow( - string input, string output, boolean preservesValue, int iteratorCallbackIndex - ) { - preservesValue = true and - input = "Argument[0]." + ["ArrayElement", "SetElement", "IteratorElement", "AnyMember"] and - output = "Argument[" + iteratorCallbackIndex + "].Parameter[0]" - } - - /** - * A taint step from the collection into the iterator callback (at index 1) of an iteration call. - * - * For example: `data -> item` in `async.each(data, (item, cb) => {})`. - */ - class IterationCallCallbacksFirstArgFlowSummary extends DataFlow::SummarizedCallable { - IterationCallCallbacksFirstArgFlowSummary() { this = "async.[IterationCallCallbacksFirstArg]" } + IterationCallFlowSummary() { + this = "async.IteratorCall(callbackArgIndex=" + callbackArgIndex + ")" and + callbackArgIndex in [1 .. 3] + } override DataFlow::InvokeNode getACallSimple() { - result instanceof IterationCallCallbacksFirstArg + result instanceof IterationCall and + result.(IterationCall).getIteratorCallbackIndex() = callbackArgIndex } override predicate propagatesFlow(string input, string output, boolean preservesValue) { - iterationCallPropagatesFlow(input, output, preservesValue, 1) - } - } - - /** - * A taint step from the collection into the iterator callback (at index 2) of an iteration call. - * - * For example: `data -> item` in `async.eachLimit(data, 1, (item, cb) => {})`. - */ - class IterationCallCallbacksSecondArgFlowSummary extends DataFlow::SummarizedCallable { - IterationCallCallbacksSecondArgFlowSummary() { this = "async.[IterationCallCallbackSecondArg]" } - - override DataFlow::InvokeNode getACallSimple() { - result instanceof IterationCallCallbacksSecondArg - } - - override predicate propagatesFlow(string input, string output, boolean preservesValue) { - iterationCallPropagatesFlow(input, output, preservesValue, 2) + preservesValue = true and + input = "Argument[0]." + ["ArrayElement", "SetElement", "IteratorElement", "AnyMember"] and + output = "Argument[" + callbackArgIndex + "].Parameter[0]" } } @@ -248,7 +219,7 @@ module AsyncPackage { * * For example: `data -> result` in `async.sortBy(data, orderingFn, (err, result) => {})`. */ - class IterationPreserveTaintStepFlowSummary extends DataFlow::SummarizedCallable { + private class IterationPreserveTaintStepFlowSummary extends DataFlow::SummarizedCallable { IterationPreserveTaintStepFlowSummary() { this = "async.sortBy" } override DataFlow::InvokeNode getACallSimple() { From 6e5734adcab70596e4a0b494f3bf6836ec1fc6a7 Mon Sep 17 00:00:00 2001 From: "REDMOND\\brodes" Date: Thu, 26 Jun 2025 09:18:30 -0400 Subject: [PATCH 0010/1955] Crypto: Fix openssl padding to propery link async padding to hashing configs. --- .../AlgorithmInstances/AlgToAVCFlow.qll | 4 +- .../CipherAlgorithmInstance.qll | 14 +++-- .../PaddingAlgorithmInstance.qll | 61 +++++-------------- .../OpenSSL/Operations/CipherOperation.qll | 26 +++++++- .../Operations/EVPPKeyCtxInitializer.qll | 33 ++++++++-- .../Operations/OpenSSLOperationBase.qll | 18 ++++-- .../library-tests/quantum/node_edges.expected | 14 +++++ .../quantum/node_properties.expected | 15 +++++ .../library-tests/quantum/nodes.expected | 12 ++++ .../library-tests/quantum/openssl_basic.c | 58 +++++++++++++++++- 10 files changed, 188 insertions(+), 67 deletions(-) diff --git a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/AlgToAVCFlow.qll b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/AlgToAVCFlow.qll index d46c2f69191..45a194db307 100644 --- a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/AlgToAVCFlow.qll +++ b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/AlgToAVCFlow.qll @@ -49,7 +49,9 @@ module KnownOpenSslAlgorithmToAlgorithmValueConsumerFlow = DataFlow::Global; module RSAPaddingAlgorithmToPaddingAlgorithmValueConsumerConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source.asExpr() instanceof OpenSslPaddingLiteral } + predicate isSource(DataFlow::Node source) { + source.asExpr() instanceof OpenSslSpecialPaddingLiteral + } predicate isSink(DataFlow::Node sink) { exists(PaddingAlgorithmValueConsumer c | c.getInputNode() = sink) diff --git a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/CipherAlgorithmInstance.qll b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/CipherAlgorithmInstance.qll index 0fb8ecf9539..7cf71d12f71 100644 --- a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/CipherAlgorithmInstance.qll +++ b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/CipherAlgorithmInstance.qll @@ -4,8 +4,9 @@ private import KnownAlgorithmConstants private import Crypto::KeyOpAlg as KeyOpAlg private import OpenSSLAlgorithmInstanceBase private import PaddingAlgorithmInstance -private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase -private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.DirectAlgorithmValueConsumer +private import experimental.quantum.OpenSSL.Operations.OpenSSLOperationBase +private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers +private import OpenSSLAlgorithmInstances private import AlgToAVCFlow private import BlockAlgorithmInstance @@ -97,10 +98,13 @@ class KnownOpenSslCipherConstantAlgorithmInstance extends OpenSslAlgorithmInstan } override Crypto::PaddingAlgorithmInstance getPaddingAlgorithm() { - //TODO: the padding is either self, or it flows through getter ctx to a set padding call - // like EVP_PKEY_CTX_set_rsa_padding result = this - // TODO or trace through getter ctx to set padding + or + exists(OperationStep s | + this.getAvc().(AvcContextCreationStep).flowsToOperationStep(s) and + s.getAlgorithmValueConsumerForInput(PaddingAlgorithmIO()) = + result.(OpenSslAlgorithmInstance).getAvc() + ) } override string getRawAlgorithmName() { diff --git a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/PaddingAlgorithmInstance.qll b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/PaddingAlgorithmInstance.qll index 7a34b69ddf5..6a517ce90d2 100644 --- a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/PaddingAlgorithmInstance.qll +++ b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/PaddingAlgorithmInstance.qll @@ -1,6 +1,7 @@ import cpp private import experimental.quantum.Language private import OpenSSLAlgorithmInstanceBase +private import experimental.quantum.OpenSSL.Operations.OpenSSLOperationBase private import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants private import AlgToAVCFlow private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.DirectAlgorithmValueConsumer @@ -17,13 +18,14 @@ private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgor * # define RSA_PKCS1_WITH_TLS_PADDING 7 * # define RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING 8 */ -class OpenSslPaddingLiteral extends Literal { +class OpenSslSpecialPaddingLiteral extends Literal { // TODO: we can be more specific about where the literal is in a larger expression // to avoid literals that are clealy not representing an algorithm, e.g., array indices. - OpenSslPaddingLiteral() { this.getValue().toInt() in [0, 1, 3, 4, 5, 6, 7, 8] } + OpenSslSpecialPaddingLiteral() { this.getValue().toInt() in [0, 1, 3, 4, 5, 6, 7, 8] } } /** + * Holds if `e` has the given `type`. * Given a `KnownOpenSslPaddingAlgorithmExpr`, converts this to a padding family type. * Does not bind if there is no mapping (no mapping to 'unknown' or 'other'). */ @@ -44,9 +46,6 @@ predicate knownOpenSslConstantToPaddingFamilyType( ) } -//abstract class OpenSslPaddingAlgorithmInstance extends OpenSslAlgorithmInstance, Crypto::PaddingAlgorithmInstance{} -// TODO: need to alter this to include known padding constants which don't have the -// same mechanics as those with known nids class KnownOpenSslPaddingConstantAlgorithmInstance extends OpenSslAlgorithmInstance, Crypto::PaddingAlgorithmInstance instanceof Expr { @@ -78,7 +77,7 @@ class KnownOpenSslPaddingConstantAlgorithmInstance extends OpenSslAlgorithmInsta isPaddingSpecificConsumer = false or // Possibility 3: padding-specific literal - this instanceof OpenSslPaddingLiteral and + this instanceof OpenSslSpecialPaddingLiteral and exists(DataFlow::Node src, DataFlow::Node sink | // Sink is an argument to a CipherGetterCall sink = getterCall.getInputNode() and @@ -123,44 +122,6 @@ class KnownOpenSslPaddingConstantAlgorithmInstance extends OpenSslAlgorithmInsta } } -// // Values used for EVP_PKEY_CTX_set_rsa_padding, these are -// // not the same as 'typical' constants found in the set of known algorithm constants -// // they do not have an NID -// // TODO: what about setting the padding directly? -// class KnownRSAPaddingConstant extends OpenSslPaddingAlgorithmInstance, Crypto::PaddingAlgorithmInstance instanceof Literal -// { -// KnownRSAPaddingConstant() { -// // from rsa.h in openssl: -// // # define RSA_PKCS1_PADDING 1 -// // # define RSA_NO_PADDING 3 -// // # define RSA_PKCS1_OAEP_PADDING 4 -// // # define RSA_X931_PADDING 5 -// // /* EVP_PKEY_ only */ -// // # define RSA_PKCS1_PSS_PADDING 6 -// // # define RSA_PKCS1_WITH_TLS_PADDING 7 -// // /* internal RSA_ only */ -// // # define RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING 8 -// this instanceof Literal and -// this.getValue().toInt() in [0, 1, 3, 4, 5, 6, 7, 8] -// // TODO: trace to padding-specific consumers -// RSAPaddingAlgorithmToPaddingAlgorithmValueConsumerFlow -// } -// override string getRawPaddingAlgorithmName() { result = this.(Literal).getValue().toString() } -// override Crypto::TPaddingType getPaddingType() { -// if this.(Literal).getValue().toInt() in [1, 6, 7, 8] -// then result = Crypto::PKCS1_v1_5() -// else -// if this.(Literal).getValue().toInt() = 3 -// then result = Crypto::NoPadding() -// else -// if this.(Literal).getValue().toInt() = 4 -// then result = Crypto::OAEP() -// else -// if this.(Literal).getValue().toInt() = 5 -// then result = Crypto::ANSI_X9_23() -// else result = Crypto::OtherPadding() -// } -// } class OAEPPaddingAlgorithmInstance extends Crypto::OAEPPaddingAlgorithmInstance, KnownOpenSslPaddingConstantAlgorithmInstance { @@ -169,10 +130,18 @@ class OAEPPaddingAlgorithmInstance extends Crypto::OAEPPaddingAlgorithmInstance, } override Crypto::HashAlgorithmInstance getOAEPEncodingHashAlgorithm() { - none() //TODO + exists(OperationStep s | + this.getAvc().(AvcContextCreationStep).flowsToOperationStep(s) and + s.getAlgorithmValueConsumerForInput(HashAlgorithmOaepIO()) = + result.(OpenSslAlgorithmInstance).getAvc() + ) } override Crypto::HashAlgorithmInstance getMGF1HashAlgorithm() { - none() //TODO + exists(OperationStep s | + this.getAvc().(AvcContextCreationStep).flowsToOperationStep(s) and + s.getAlgorithmValueConsumerForInput(HashAlgorithmMgf1IO()) = + result.(OpenSslAlgorithmInstance).getAvc() + ) } } diff --git a/cpp/ql/lib/experimental/quantum/OpenSSL/Operations/CipherOperation.qll b/cpp/ql/lib/experimental/quantum/OpenSSL/Operations/CipherOperation.qll index 96af476117b..0d9c8f496ea 100644 --- a/cpp/ql/lib/experimental/quantum/OpenSSL/Operations/CipherOperation.qll +++ b/cpp/ql/lib/experimental/quantum/OpenSSL/Operations/CipherOperation.qll @@ -214,7 +214,14 @@ class EvpCipherFinalCall extends EvpCipherOperationFinalStep { */ class EvpPKeyCipherOperation extends EvpCipherOperationFinalStep { EvpPKeyCipherOperation() { - this.getTarget().getName() in ["EVP_PKEY_encrypt", "EVP_PKEY_decrypt"] + this.getTarget().getName() in ["EVP_PKEY_encrypt", "EVP_PKEY_decrypt"] and + // TODO: for now ignore this operation entirely if it is setting the cipher text to null + // this needs to be re-evalauted if this scenario sets other values worth tracking + ( + exists(this.(Call).getArgument(1).getValue()) + implies + this.(Call).getArgument(1).getValue().toInt() != 0 + ) } override DataFlow::Node getInput(IOType type) { @@ -226,9 +233,24 @@ class EvpPKeyCipherOperation extends EvpCipherOperationFinalStep { override DataFlow::Node getOutput(IOType type) { super.getOutput(type) = result or - result.asExpr() = this.getArgument(1) and type = CiphertextIO() + result.asExpr() = this.getArgument(1) and + type = CiphertextIO() and + this.getStepType() = FinalStep() // TODO: could indicate text lengths here, as well } + + override OperationStepType getStepType() { + // When the output buffer is null, the step is not a final step + // it is used to get the buffer size, if 0 consider it an initialization step + // NOTE/TODO: not tracing 0 to the arg, just looking for 0 directly in param + // the assumption is this is the common case, but we may want to make this more + // robust and support a dataflow. + result = FinalStep() and + (exists(super.getArgument(1).getValue()) implies super.getArgument(1).getValue().toInt() != 0) + or + result = InitializerStep() and + super.getArgument(1).getValue().toInt() = 0 + } } /** diff --git a/cpp/ql/lib/experimental/quantum/OpenSSL/Operations/EVPPKeyCtxInitializer.qll b/cpp/ql/lib/experimental/quantum/OpenSSL/Operations/EVPPKeyCtxInitializer.qll index 2208407e53c..9d9b14c6d2f 100644 --- a/cpp/ql/lib/experimental/quantum/OpenSSL/Operations/EVPPKeyCtxInitializer.qll +++ b/cpp/ql/lib/experimental/quantum/OpenSSL/Operations/EVPPKeyCtxInitializer.qll @@ -71,19 +71,42 @@ class EvpCtxSetEcParamgenCurveNidInitializer extends OperationStep { * - `EVP_PKEY_CTX_set_ecdh_kdf_md` */ class EvpCtxSetHashInitializer extends OperationStep { + boolean isOaep; + boolean isMgf1; + EvpCtxSetHashInitializer() { this.getTarget().getName() in [ - "EVP_PKEY_CTX_set_signature_md", "EVP_PKEY_CTX_set_rsa_mgf1_md_name", - "EVP_PKEY_CTX_set_rsa_mgf1_md", "EVP_PKEY_CTX_set_rsa_oaep_md_name", - "EVP_PKEY_CTX_set_rsa_oaep_md", "EVP_PKEY_CTX_set_dsa_paramgen_md", + "EVP_PKEY_CTX_set_signature_md", "EVP_PKEY_CTX_set_dsa_paramgen_md", "EVP_PKEY_CTX_set_dh_kdf_md", "EVP_PKEY_CTX_set_ecdh_kdf_md" - ] + ] and + isOaep = false and + isMgf1 = false + or + this.getTarget().getName() in [ + "EVP_PKEY_CTX_set_rsa_mgf1_md_name", "EVP_PKEY_CTX_set_rsa_mgf1_md" + ] and + isOaep = false and + isMgf1 = true + or + this.getTarget().getName() in [ + "EVP_PKEY_CTX_set_rsa_oaep_md_name", + "EVP_PKEY_CTX_set_rsa_oaep_md" + ] and + isOaep = true and + isMgf1 = false } override DataFlow::Node getInput(IOType type) { result.asExpr() = this.getArgument(0) and type = ContextIO() or - result.asExpr() = this.getArgument(1) and type = HashAlgorithmIO() + result.asExpr() = this.getArgument(1) and + type = HashAlgorithmIO() and + isOaep = false and + isMgf1 = false + or + result.asExpr() = this.getArgument(1) and type = HashAlgorithmOaepIO() and isOaep = true + or + result.asExpr() = this.getArgument(1) and type = HashAlgorithmMgf1IO() and isMgf1 = true } override DataFlow::Node getOutput(IOType type) { diff --git a/cpp/ql/lib/experimental/quantum/OpenSSL/Operations/OpenSSLOperationBase.qll b/cpp/ql/lib/experimental/quantum/OpenSSL/Operations/OpenSSLOperationBase.qll index f1ab394ad78..389cb249058 100644 --- a/cpp/ql/lib/experimental/quantum/OpenSSL/Operations/OpenSSLOperationBase.qll +++ b/cpp/ql/lib/experimental/quantum/OpenSSL/Operations/OpenSSLOperationBase.qll @@ -58,7 +58,11 @@ newtype TIOType = // For OSSL_PARAM and OSSL_LIB_CTX use of OsslParamIO and OsslLibContextIO ContextIO() or DigestIO() or + // For OAEP and MGF1 hashes, there is a special IO type for these hashes + // it is recommended to set the most explicit type known, not both HashAlgorithmIO() or + HashAlgorithmOaepIO() or + HashAlgorithmMgf1IO() or IVorNonceIO() or KeyIO() or KeyOperationSubtypeIO() or @@ -254,18 +258,18 @@ abstract class OperationStep extends Call { * operation step (dominating operation step, see `getDominatingInitializersToStep`). */ Crypto::AlgorithmValueConsumer getPrimaryAlgorithmValueConsumer() { - exists(DataFlow::Node src, DataFlow::Node sink, IOType t, OperationStep avcSucc | + exists(DataFlow::Node src, DataFlow::Node sink, IOType t, OperationStep avcConsumingPred | (t = PrimaryAlgorithmIO() or t = ContextIO()) and - avcSucc.flowsToOperationStep(this) and + avcConsumingPred.flowsToOperationStep(this) and src.asExpr() = result and - sink = avcSucc.getInput(t) and + sink = avcConsumingPred.getInput(t) and AvcToOperationStepFlow::flow(src, sink) and ( - // Case 1: the avcSucc step is a dominating initialization step + // Case 1: the avcConsumingPred step is a dominating initialization step t = PrimaryAlgorithmIO() and - avcSucc = this.getDominatingInitializersToStep(PrimaryAlgorithmIO()) + avcConsumingPred = this.getDominatingInitializersToStep(PrimaryAlgorithmIO()) or - // Case 2: the succ is a context input (any avcSucc is valid) + // Case 2: the pred is a context input t = ContextIO() ) ) @@ -277,6 +281,8 @@ abstract class OperationStep extends Call { * TODO: generalize to use this for `getPrimaryAlgorithmValueConsumer` */ Crypto::AlgorithmValueConsumer getAlgorithmValueConsumerForInput(IOType type) { + result = this and this.setsValue(type) + or exists(DataFlow::Node src, DataFlow::Node sink | AvcToOperationStepFlow::flow(src, sink) and src.asExpr() = result and diff --git a/cpp/ql/test/experimental/library-tests/quantum/node_edges.expected b/cpp/ql/test/experimental/library-tests/quantum/node_edges.expected index 652194fc60c..c31b1035d85 100644 --- a/cpp/ql/test/experimental/library-tests/quantum/node_edges.expected +++ b/cpp/ql/test/experimental/library-tests/quantum/node_edges.expected @@ -41,6 +41,20 @@ | openssl_basic.c:167:9:167:27 | SignOperation | Input | openssl_basic.c:163:35:163:41 | Message | | openssl_basic.c:167:9:167:27 | SignOperation | Key | openssl_basic.c:160:59:160:62 | Key | | openssl_basic.c:167:9:167:27 | SignOperation | Output | openssl_basic.c:167:34:167:36 | SignatureOutput | +| openssl_basic.c:235:51:235:55 | KeyOperationAlgorithm | Mode | openssl_basic.c:235:51:235:55 | KeyOperationAlgorithm | +| openssl_basic.c:235:51:235:55 | KeyOperationAlgorithm | Padding | openssl_basic.c:249:51:249:72 | PaddingAlgorithm | +| openssl_basic.c:238:9:238:25 | KeyGeneration | Algorithm | openssl_basic.c:235:51:235:55 | KeyOperationAlgorithm | +| openssl_basic.c:238:9:238:25 | KeyGeneration | Output | openssl_basic.c:238:39:238:43 | Key | +| openssl_basic.c:238:39:238:43 | Key | Algorithm | openssl_basic.c:235:51:235:55 | KeyOperationAlgorithm | +| openssl_basic.c:243:52:243:55 | Key | Source | openssl_basic.c:238:39:238:43 | Key | +| openssl_basic.c:249:51:249:72 | PaddingAlgorithm | MD | openssl_basic.c:250:51:250:60 | HashAlgorithm | +| openssl_basic.c:249:51:249:72 | PaddingAlgorithm | MGF1Hash | openssl_basic.c:251:51:251:60 | HashAlgorithm | +| openssl_basic.c:262:24:262:39 | EncryptOperation | Algorithm | openssl_basic.c:235:51:235:55 | KeyOperationAlgorithm | +| openssl_basic.c:262:24:262:39 | EncryptOperation | Input | openssl_basic.c:263:64:263:70 | Message | +| openssl_basic.c:262:24:262:39 | EncryptOperation | Key | openssl_basic.c:243:52:243:55 | Key | +| openssl_basic.c:262:24:262:39 | EncryptOperation | Nonce | openssl_basic.c:262:24:262:39 | EncryptOperation | +| openssl_basic.c:262:24:262:39 | EncryptOperation | Output | openssl_basic.c:262:54:262:63 | KeyOperationOutput | +| openssl_basic.c:263:64:263:70 | Message | Source | openssl_basic.c:231:27:231:49 | Constant | | openssl_pkey.c:21:10:21:28 | KeyGeneration | Algorithm | openssl_pkey.c:21:10:21:28 | KeyGeneration | | openssl_pkey.c:21:10:21:28 | KeyGeneration | Output | openssl_pkey.c:21:30:21:32 | Key | | openssl_pkey.c:21:10:21:28 | KeyOperationAlgorithm | Mode | openssl_pkey.c:21:10:21:28 | KeyOperationAlgorithm | diff --git a/cpp/ql/test/experimental/library-tests/quantum/node_properties.expected b/cpp/ql/test/experimental/library-tests/quantum/node_properties.expected index 2a9cac52beb..61d4a8725fe 100644 --- a/cpp/ql/test/experimental/library-tests/quantum/node_properties.expected +++ b/cpp/ql/test/experimental/library-tests/quantum/node_properties.expected @@ -32,6 +32,21 @@ | openssl_basic.c:180:42:180:59 | Constant | Description | 0123456789012345 | openssl_basic.c:180:42:180:59 | openssl_basic.c:180:42:180:59 | | openssl_basic.c:181:49:181:87 | Constant | Description | This is a test message for encryption | openssl_basic.c:181:49:181:87 | openssl_basic.c:181:49:181:87 | | openssl_basic.c:218:32:218:33 | Constant | Description | 32 | openssl_basic.c:218:32:218:33 | openssl_basic.c:218:32:218:33 | +| openssl_basic.c:231:27:231:49 | Constant | Description | Encrypt me with OAEP! | openssl_basic.c:231:27:231:49 | openssl_basic.c:231:27:231:49 | +| openssl_basic.c:235:51:235:55 | KeyOperationAlgorithm | Name | RSA | openssl_basic.c:235:51:235:55 | openssl_basic.c:235:51:235:55 | +| openssl_basic.c:235:51:235:55 | KeyOperationAlgorithm | RawName | RSA | openssl_basic.c:235:51:235:55 | openssl_basic.c:235:51:235:55 | +| openssl_basic.c:237:54:237:57 | Constant | Description | 2048 | openssl_basic.c:237:54:237:57 | openssl_basic.c:237:54:237:57 | +| openssl_basic.c:238:39:238:43 | Key | KeyType | Asymmetric | openssl_basic.c:238:39:238:43 | openssl_basic.c:238:39:238:43 | +| openssl_basic.c:243:52:243:55 | Key | KeyType | Unknown | openssl_basic.c:243:52:243:55 | openssl_basic.c:243:52:243:55 | +| openssl_basic.c:249:51:249:72 | PaddingAlgorithm | Name | OAEP | openssl_basic.c:249:51:249:72 | openssl_basic.c:249:51:249:72 | +| openssl_basic.c:249:51:249:72 | PaddingAlgorithm | RawName | 4 | openssl_basic.c:249:51:249:72 | openssl_basic.c:249:51:249:72 | +| openssl_basic.c:250:51:250:60 | HashAlgorithm | DigestSize | 256 | openssl_basic.c:250:51:250:60 | openssl_basic.c:250:51:250:60 | +| openssl_basic.c:250:51:250:60 | HashAlgorithm | Name | SHA2 | openssl_basic.c:250:51:250:60 | openssl_basic.c:250:51:250:60 | +| openssl_basic.c:250:51:250:60 | HashAlgorithm | RawName | EVP_sha256 | openssl_basic.c:250:51:250:60 | openssl_basic.c:250:51:250:60 | +| openssl_basic.c:251:51:251:60 | HashAlgorithm | DigestSize | 256 | openssl_basic.c:251:51:251:60 | openssl_basic.c:251:51:251:60 | +| openssl_basic.c:251:51:251:60 | HashAlgorithm | Name | SHA2 | openssl_basic.c:251:51:251:60 | openssl_basic.c:251:51:251:60 | +| openssl_basic.c:251:51:251:60 | HashAlgorithm | RawName | EVP_sha256 | openssl_basic.c:251:51:251:60 | openssl_basic.c:251:51:251:60 | +| openssl_basic.c:262:24:262:39 | EncryptOperation | KeyOperationSubtype | Encrypt | openssl_basic.c:262:24:262:39 | openssl_basic.c:262:24:262:39 | | openssl_pkey.c:21:10:21:28 | KeyOperationAlgorithm | Name | RSA | openssl_pkey.c:21:10:21:28 | openssl_pkey.c:21:10:21:28 | | openssl_pkey.c:21:10:21:28 | KeyOperationAlgorithm | RawName | RSA_generate_key_ex | openssl_pkey.c:21:10:21:28 | openssl_pkey.c:21:10:21:28 | | openssl_pkey.c:21:30:21:32 | Key | KeyType | Asymmetric | openssl_pkey.c:21:30:21:32 | openssl_pkey.c:21:30:21:32 | diff --git a/cpp/ql/test/experimental/library-tests/quantum/nodes.expected b/cpp/ql/test/experimental/library-tests/quantum/nodes.expected index 9b5bf547604..e7fb960d84f 100644 --- a/cpp/ql/test/experimental/library-tests/quantum/nodes.expected +++ b/cpp/ql/test/experimental/library-tests/quantum/nodes.expected @@ -34,6 +34,18 @@ | openssl_basic.c:180:42:180:59 | Constant | | openssl_basic.c:181:49:181:87 | Constant | | openssl_basic.c:218:32:218:33 | Constant | +| openssl_basic.c:231:27:231:49 | Constant | +| openssl_basic.c:235:51:235:55 | KeyOperationAlgorithm | +| openssl_basic.c:237:54:237:57 | Constant | +| openssl_basic.c:238:9:238:25 | KeyGeneration | +| openssl_basic.c:238:39:238:43 | Key | +| openssl_basic.c:243:52:243:55 | Key | +| openssl_basic.c:249:51:249:72 | PaddingAlgorithm | +| openssl_basic.c:250:51:250:60 | HashAlgorithm | +| openssl_basic.c:251:51:251:60 | HashAlgorithm | +| openssl_basic.c:262:24:262:39 | EncryptOperation | +| openssl_basic.c:262:54:262:63 | KeyOperationOutput | +| openssl_basic.c:263:64:263:70 | Message | | openssl_pkey.c:21:10:21:28 | KeyGeneration | | openssl_pkey.c:21:10:21:28 | KeyOperationAlgorithm | | openssl_pkey.c:21:30:21:32 | Key | diff --git a/cpp/ql/test/experimental/library-tests/quantum/openssl_basic.c b/cpp/ql/test/experimental/library-tests/quantum/openssl_basic.c index f1ffbfa24d3..04504070ddd 100644 --- a/cpp/ql/test/experimental/library-tests/quantum/openssl_basic.c +++ b/cpp/ql/test/experimental/library-tests/quantum/openssl_basic.c @@ -1,7 +1,7 @@ #include "openssl/evp.h" #include "openssl/obj_mac.h" #include "openssl/rand.h" - +#include "openssl/rsa.h" size_t strlen(const char* str); // Sample OpenSSL code that demonstrates various cryptographic operations @@ -218,4 +218,58 @@ int test_main() { calculate_hmac_sha256(key, 32, plaintext, plaintext_len, hmac); return 0; -} \ No newline at end of file +} + +/** + * Simplified signature test + */ +int test_rsa_oaep_basic(void) { + EVP_PKEY_CTX *keygen_ctx = NULL, *encrypt_ctx = NULL; + EVP_PKEY *pkey = NULL; + unsigned char *ciphertext = NULL; + size_t ciphertext_len = 0; + const char *message = "Encrypt me with OAEP!"; + int ret = 1; + + // Generate RSA key + keygen_ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL); + if (!keygen_ctx || EVP_PKEY_keygen_init(keygen_ctx) <= 0 || + EVP_PKEY_CTX_set_rsa_keygen_bits(keygen_ctx, 2048) <= 0 || + EVP_PKEY_generate(keygen_ctx, &pkey) <= 0) { + goto cleanup; + } + + // Create encryption context + encrypt_ctx = EVP_PKEY_CTX_new_from_pkey(NULL, pkey, NULL); + if (!encrypt_ctx || EVP_PKEY_encrypt_init(encrypt_ctx) <= 0) { + goto cleanup; + } + + // Set OAEP padding + if (EVP_PKEY_CTX_set_rsa_padding(encrypt_ctx, RSA_PKCS1_OAEP_PADDING) <= 0 || + EVP_PKEY_CTX_set_rsa_oaep_md(encrypt_ctx, EVP_sha256()) <= 0 || + EVP_PKEY_CTX_set_rsa_mgf1_md(encrypt_ctx, EVP_sha256()) <= 0) { + goto cleanup; + } + + // Determine buffer size + if (EVP_PKEY_encrypt(encrypt_ctx, NULL, &ciphertext_len, + (const unsigned char *)message, strlen(message)) <= 0) { + goto cleanup; + } + + ciphertext = OPENSSL_malloc(ciphertext_len); + if (!ciphertext || EVP_PKEY_encrypt(encrypt_ctx, ciphertext, &ciphertext_len, + (const unsigned char *)message, strlen(message)) <= 0) { + goto cleanup; + } + + ret = 0; + +cleanup: + EVP_PKEY_CTX_free(keygen_ctx); + EVP_PKEY_CTX_free(encrypt_ctx); + EVP_PKEY_free(pkey); + OPENSSL_free(ciphertext); + return ret; +} \ No newline at end of file From e6b363b81bf34e1028a696ebb83c18a6eb62cd6d Mon Sep 17 00:00:00 2001 From: "REDMOND\\brodes" Date: Mon, 30 Jun 2025 11:08:30 -0400 Subject: [PATCH 0011/1955] Crypto: fix Ql-for-QL alerts. --- .../OpenSSL/AlgorithmInstances/CipherAlgorithmInstance.qll | 3 --- 1 file changed, 3 deletions(-) diff --git a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/CipherAlgorithmInstance.qll b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/CipherAlgorithmInstance.qll index 6ba8fa15c7d..e78b09dee7a 100644 --- a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/CipherAlgorithmInstance.qll +++ b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/CipherAlgorithmInstance.qll @@ -2,13 +2,10 @@ import cpp private import experimental.quantum.Language private import KnownAlgorithmConstants private import Crypto::KeyOpAlg as KeyOpAlg -private import OpenSSLAlgorithmInstanceBase -private import PaddingAlgorithmInstance private import experimental.quantum.OpenSSL.Operations.OpenSSLOperationBase private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers private import OpenSSLAlgorithmInstances private import AlgToAVCFlow -private import BlockAlgorithmInstance /** * Given a `KnownOpenSslCipherAlgorithmExpr`, converts this to a cipher family type. From 8b64a72fe19cbac707c213c4ab8c32ae482a8449 Mon Sep 17 00:00:00 2001 From: "REDMOND\\brodes" Date: Mon, 30 Jun 2025 15:36:55 -0400 Subject: [PATCH 0012/1955] Crypto: Initial sketch for refactoring MAC and signatures to account for APIs having one function to do both. Incomplete. Work in progress. --- .../MACAlgorithmInstance.qll | 38 ++- .../PaddingAlgorithmInstance.qll | 3 +- .../OpenSSL/Operations/CipherOperation.qll | 37 +-- .../OpenSSL/Operations/HashOperation.qll | 22 +- .../OpenSSL/Operations/KeyGenOperation.qll | 5 +- .../OpenSSL/Operations/SignatureOperation.qll | 236 +++++++++++++++-- .../codeql/quantum/experimental/Model.qll | 241 ++++++++++-------- .../quantum/experimental/Standardization.qll | 28 +- 8 files changed, 423 insertions(+), 187 deletions(-) diff --git a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/MACAlgorithmInstance.qll b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/MACAlgorithmInstance.qll index 97b183b7e7d..b6d6112e1c6 100644 --- a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/MACAlgorithmInstance.qll +++ b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/MACAlgorithmInstance.qll @@ -2,12 +2,13 @@ import cpp private import experimental.quantum.Language private import KnownAlgorithmConstants private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers -private import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstanceBase +private import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstances private import experimental.quantum.OpenSSL.Operations.OpenSSLOperations +private import Crypto::KeyOpAlg as KeyOpAlg private import AlgToAVCFlow class KnownOpenSslMacConstantAlgorithmInstance extends OpenSslAlgorithmInstance, - Crypto::MacAlgorithmInstance instanceof KnownOpenSslMacAlgorithmExpr + Crypto::KeyOperationAlgorithmInstance instanceof KnownOpenSslMacAlgorithmExpr { OpenSslAlgorithmValueConsumer getterCall; @@ -33,17 +34,34 @@ class KnownOpenSslMacConstantAlgorithmInstance extends OpenSslAlgorithmInstance, override OpenSslAlgorithmValueConsumer getAvc() { result = getterCall } - override string getRawMacAlgorithmName() { + override string getRawAlgorithmName() { result = this.(Literal).getValue().toString() or result = this.(Call).getTarget().getName() } - override Crypto::MacType getMacType() { - this instanceof KnownOpenSslHMacAlgorithmExpr and result = Crypto::HMAC() - or - this instanceof KnownOpenSslCMacAlgorithmExpr and result = Crypto::CMAC() + override Crypto::KeyOpAlg::AlgorithmType getAlgorithmType() { + if this instanceof KnownOpenSslHMacAlgorithmExpr + then result = KeyOpAlg::TMac(KeyOpAlg::HMAC()) + else + if this instanceof KnownOpenSslCMacAlgorithmExpr + then result = KeyOpAlg::TMac(KeyOpAlg::CMAC()) + else result = KeyOpAlg::TMac(KeyOpAlg::OtherMacAlgorithmType()) } + + override Crypto::ConsumerInputDataFlowNode getKeySizeConsumer() { + // TODO: trace to any key size initializer? + none() + } + + override int getKeySizeFixed() { + // TODO: are there known fixed key sizes to consider? + none() + } + + override Crypto::ModeOfOperationAlgorithmInstance getModeOfOperationAlgorithm() { none() } + + override Crypto::PaddingAlgorithmInstance getPaddingAlgorithm() { none() } } class KnownOpenSslHMacConstantAlgorithmInstance extends Crypto::HmacAlgorithmInstance, @@ -60,9 +78,13 @@ class KnownOpenSslHMacConstantAlgorithmInstance extends Crypto::HmacAlgorithmIns // where the current AVC traces to a HashAlgorithmIO consuming operation step. // TODO: need to consider getting reset values, tracing down to the first set for now exists(OperationStep s, AvcContextCreationStep avc | - avc = this.getAvc() and + avc = super.getAvc() and avc.flowsToOperationStep(s) and s.getAlgorithmValueConsumerForInput(HashAlgorithmIO()) = result ) } + + override Crypto::ModeOfOperationAlgorithmInstance getModeOfOperationAlgorithm() { none() } + + override Crypto::PaddingAlgorithmInstance getPaddingAlgorithm() { none() } } diff --git a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/PaddingAlgorithmInstance.qll b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/PaddingAlgorithmInstance.qll index b1d31c1a09c..c9d2c7a21b6 100644 --- a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/PaddingAlgorithmInstance.qll +++ b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/PaddingAlgorithmInstance.qll @@ -4,8 +4,7 @@ private import OpenSSLAlgorithmInstanceBase private import experimental.quantum.OpenSSL.Operations.OpenSSLOperationBase private import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants private import AlgToAVCFlow -private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.DirectAlgorithmValueConsumer -private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase +private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers private import codeql.quantum.experimental.Standardization::Types::KeyOpAlg as KeyOpAlg /** diff --git a/cpp/ql/lib/experimental/quantum/OpenSSL/Operations/CipherOperation.qll b/cpp/ql/lib/experimental/quantum/OpenSSL/Operations/CipherOperation.qll index b423013b6c3..d5fe4e383f4 100644 --- a/cpp/ql/lib/experimental/quantum/OpenSSL/Operations/CipherOperation.qll +++ b/cpp/ql/lib/experimental/quantum/OpenSSL/Operations/CipherOperation.qll @@ -3,6 +3,26 @@ private import OpenSSLOperationBase private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers import EVPPKeyCtxInitializer +/** + * A base class for all final cipher operation steps. + */ +abstract class FinalCipherOperationStep extends OperationStep { + override OperationStepType getStepType() { result = FinalStep() } +} + +/** + * A base configuration for all EVP cipher operations. + */ +abstract class EvpCipherOperationFinalStep extends FinalCipherOperationStep { + override DataFlow::Node getInput(IOType type) { + result.asExpr() = this.getArgument(0) and type = ContextIO() + } + + override DataFlow::Node getOutput(IOType type) { + result.asExpr() = this.getArgument(0) and type = ContextIO() + } +} + /** * A base class for all EVP cipher operations. */ @@ -155,21 +175,6 @@ class EvpCipherUpdateCall extends OperationStep { override OperationStepType getStepType() { result = UpdateStep() } } -/** - * A base configuration for all EVP cipher operations. - */ -abstract class EvpCipherOperationFinalStep extends OperationStep { - override DataFlow::Node getInput(IOType type) { - result.asExpr() = this.getArgument(0) and type = ContextIO() - } - - override DataFlow::Node getOutput(IOType type) { - result.asExpr() = this.getArgument(0) and type = ContextIO() - } - - override OperationStepType getStepType() { result = FinalStep() } -} - /** * A Call to EVP_Cipher. */ @@ -259,7 +264,7 @@ class EvpPKeyCipherOperation extends EvpCipherOperationFinalStep { * An EVP cipher operation instance. * Any operation step that is a final operation step for EVP cipher operation steps. */ -class EvpCipherOperationInstance extends Crypto::KeyOperationInstance instanceof EvpCipherOperationFinalStep +class OpenSslCipherOperationInstance extends Crypto::KeyOperationInstance instanceof FinalCipherOperationStep { override Crypto::AlgorithmValueConsumer getAnAlgorithmValueConsumer() { super.getPrimaryAlgorithmValueConsumer() = result diff --git a/cpp/ql/lib/experimental/quantum/OpenSSL/Operations/HashOperation.qll b/cpp/ql/lib/experimental/quantum/OpenSSL/Operations/HashOperation.qll index 1878bfbe09f..1922f04c3c6 100644 --- a/cpp/ql/lib/experimental/quantum/OpenSSL/Operations/HashOperation.qll +++ b/cpp/ql/lib/experimental/quantum/OpenSSL/Operations/HashOperation.qll @@ -6,6 +6,13 @@ private import experimental.quantum.Language private import OpenSSLOperationBase private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers +/** + * A base class for final digest operations. + */ +abstract class FinalDigestOperation extends OperationStep { + override OperationStepType getStepType() { result = FinalStep() } +} + /** * A call to and EVP digest initializer, such as: * - `EVP_DigestInit` @@ -51,18 +58,11 @@ class EvpDigestUpdateCall extends OperationStep instanceof Call { override OperationStepType getStepType() { result = UpdateStep() } } -/** - * A base class for final digest operations. - */ -abstract class EvpFinalDigestOperationStep extends OperationStep { - override OperationStepType getStepType() { result = FinalStep() } -} - /** * A call to `EVP_Q_digest` * https://docs.openssl.org/3.0/man3/EVP_DigestInit/#synopsis */ -class EvpQDigestOperation extends EvpFinalDigestOperationStep instanceof Call { +class EvpQDigestOperation extends FinalDigestOperation instanceof Call { EvpQDigestOperation() { this.getTarget().getName() = "EVP_Q_digest" } override DataFlow::Node getInput(IOType type) { @@ -81,7 +81,7 @@ class EvpQDigestOperation extends EvpFinalDigestOperationStep instanceof Call { } } -class EvpDigestOperation extends EvpFinalDigestOperationStep instanceof Call { +class EvpDigestOperation extends FinalDigestOperation instanceof Call { EvpDigestOperation() { this.getTarget().getName() = "EVP_Digest" } override DataFlow::Node getInput(IOType type) { @@ -98,7 +98,7 @@ class EvpDigestOperation extends EvpFinalDigestOperationStep instanceof Call { /** * A call to EVP_DigestFinal variants */ -class EvpDigestFinalCall extends EvpFinalDigestOperationStep instanceof Call { +class EvpDigestFinalCall extends FinalDigestOperation instanceof Call { EvpDigestFinalCall() { this.getTarget().getName() in ["EVP_DigestFinal", "EVP_DigestFinal_ex", "EVP_DigestFinalXOF"] } @@ -118,7 +118,7 @@ class EvpDigestFinalCall extends EvpFinalDigestOperationStep instanceof Call { /** * An openssl digest final hash operation instance */ -class EvpDigestFinalOperationInstance extends Crypto::HashOperationInstance instanceof EvpFinalDigestOperationStep +class OpenSslDigestFinalOperationInstance extends Crypto::HashOperationInstance instanceof FinalDigestOperation { override Crypto::AlgorithmValueConsumer getAnAlgorithmValueConsumer() { super.getPrimaryAlgorithmValueConsumer() = result diff --git a/cpp/ql/lib/experimental/quantum/OpenSSL/Operations/KeyGenOperation.qll b/cpp/ql/lib/experimental/quantum/OpenSSL/Operations/KeyGenOperation.qll index 2c146aec97f..0685938b885 100644 --- a/cpp/ql/lib/experimental/quantum/OpenSSL/Operations/KeyGenOperation.qll +++ b/cpp/ql/lib/experimental/quantum/OpenSSL/Operations/KeyGenOperation.qll @@ -43,6 +43,9 @@ class EvpKeyGenInitialize extends OperationStep { override OperationStepType getStepType() { result = InitializerStep() } } +/** + * A base class for final key generation operation steps. + */ abstract class KeyGenFinalOperationStep extends OperationStep { override OperationStepType getStepType() { result = FinalStep() } } @@ -165,7 +168,7 @@ class EvpNewMacKey extends KeyGenFinalOperationStep { /** * An `KeyGenerationOperationInstance` for the for all key gen final operation steps. */ -class KeyGenOperationInstance extends Crypto::KeyGenerationOperationInstance instanceof KeyGenFinalOperationStep +class OpenSslKeyGenOperationInstance extends Crypto::KeyGenerationOperationInstance instanceof KeyGenFinalOperationStep { override Crypto::AlgorithmValueConsumer getAnAlgorithmValueConsumer() { super.getPrimaryAlgorithmValueConsumer() = result diff --git a/cpp/ql/lib/experimental/quantum/OpenSSL/Operations/SignatureOperation.qll b/cpp/ql/lib/experimental/quantum/OpenSSL/Operations/SignatureOperation.qll index b9b498ee8df..d097f68a494 100644 --- a/cpp/ql/lib/experimental/quantum/OpenSSL/Operations/SignatureOperation.qll +++ b/cpp/ql/lib/experimental/quantum/OpenSSL/Operations/SignatureOperation.qll @@ -6,12 +6,24 @@ private import experimental.quantum.Language private import experimental.quantum.OpenSSL.AvcFlow private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers private import experimental.quantum.OpenSSL.Operations.OpenSSLOperations +private import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstances -// TODO: verification functions /** * A base class for final signature operations. + * The operation must be known to always be a signature operation, + * and not a MAC operation. + * NOTE: even an operation that may be a mac or signature but is known to take in + * only signature configurations should extend `SignatureOrMacFinalOperation`. */ -abstract class EvpSignatureFinalOperation extends OperationStep { +abstract class SignatureFinalOperation extends OperationStep { + override OperationStepType getStepType() { result = FinalStep() } +} + +/** + * A base class for final signature or MAC operations. + * The operation must be known to always be a signature or MAC operation. + */ +abstract class SignatureOrMacFinalOperation extends OperationStep { override OperationStepType getStepType() { result = FinalStep() } } @@ -141,7 +153,7 @@ class EvpSignatureUpdateCall extends OperationStep { /** * A call to EVP_SignFinal or EVP_SignFinal_ex. */ -class EvpSignFinal extends EvpSignatureFinalOperation { +class EvpSignFinal extends SignatureFinalOperation { EvpSignFinal() { this.getTarget().getName() in ["EVP_SignFinal_ex", "EVP_SignFinal"] } override DataFlow::Node getInput(IOType type) { @@ -162,10 +174,10 @@ class EvpSignFinal extends EvpSignatureFinalOperation { } /** - * A call to EVP_DigestSign or EVP_PKEY_sign. + * A call to EVP_PKEY_sign. */ -class EvpDigestSign extends EvpSignatureFinalOperation { - EvpDigestSign() { this.getTarget().getName() in ["EVP_DigestSign", "EVP_PKEY_sign"] } +class EvpPkeySign extends SignatureFinalOperation { + EvpPkeySign() { this.getTarget().getName() = "EVP_PKEY_sign" } override DataFlow::Node getInput(IOType type) { result.asExpr() = this.getArgument(0) and type = ContextIO() @@ -181,16 +193,31 @@ class EvpDigestSign extends EvpSignatureFinalOperation { } /** - * A call to EVP_DigestSignFinal or EVP_PKEY_sign_message_final. + * A call to EVP_DigestSign. + * This is a mac or sign operation. */ -class EvpDigestAndPkeySignFinal extends EvpSignatureFinalOperation { - EvpDigestAndPkeySignFinal() { - this.getTarget().getName() in [ - "EVP_DigestSignFinal", - "EVP_PKEY_sign_message_final" - ] +class EvpDigestSign extends SignatureOrMacFinalOperation { + EvpDigestSign() { this.getTarget().getName() = "EVP_DigestSign" } + + override DataFlow::Node getInput(IOType type) { + result.asExpr() = this.getArgument(0) and type = ContextIO() + or + result.asExpr() = this.getArgument(3) and type = PlaintextIO() } + override DataFlow::Node getOutput(IOType type) { + result.asExpr() = this.getArgument(0) and type = ContextIO() + or + result.asExpr() = this.getArgument(1) and type = SignatureIO() + } +} + +/** + * A call to EVP_PKEY_sign_message_final. + */ +class EvpPkeySignFinal extends SignatureFinalOperation { + EvpPkeySignFinal() { this.getTarget().getName() = "EVP_PKEY_sign_message_final" } + override DataFlow::Node getInput(IOType type) { result.asExpr() = this.getArgument(0) and type = ContextIO() } @@ -205,9 +232,124 @@ class EvpDigestAndPkeySignFinal extends EvpSignatureFinalOperation { } /** - * An EVP signature operation instance. + * A call to EVP_DigestSignFinal. + * This is a mac or sign operation. */ -class EvpSignatureOperationInstance extends Crypto::SignatureOperationInstance instanceof EvpSignatureFinalOperation +class EvpDigestSignFinal extends SignatureOrMacFinalOperation { + EvpDigestSignFinal() { this.getTarget().getName() = "EVP_DigestSignFinal" } + + override DataFlow::Node getInput(IOType type) { + result.asExpr() = this.getArgument(0) and type = ContextIO() + } + + override DataFlow::Node getOutput(IOType type) { + result.asExpr() = this.getArgument(0) and type = ContextIO() + or + result.asExpr() = this.getArgument(1) and type = SignatureIO() + } + + override OperationStepType getStepType() { result = FinalStep() } +} + +/** + * A call to EVP_DigestVerifyInit or EVP_DigestVerifyInit_ex. + */ +class EvpDigestVerifyInit extends OperationStep { + EvpDigestVerifyInit() { + this.getTarget().getName() in ["EVP_DigestVerifyInit", "EVP_DigestVerifyInit_ex"] + } + + override DataFlow::Node getInput(IOType type) { + result.asExpr() = this.getArgument(0) and type = ContextIO() + or + result.asExpr() = this.getArgument(2) and type = HashAlgorithmIO() + or + this.getTarget().getName() = "EVP_DigestVerifyInit_ex" and + result.asExpr() = this.getArgument(3) and + type = OsslLibContextIO() + or + this.getTarget().getName() = "EVP_DigestVerifyInit_ex" and + result.asExpr() = this.getArgument(5) and + type = KeyIO() + or + this.getTarget().getName() = "EVP_DigestVerifyInit" and + result.asExpr() = this.getArgument(4) and + type = KeyIO() + or + this.getTarget().getName() = "EVP_DigestVerifyInit_ex" and + result.asExpr() = this.getArgument(6) and + type = OsslParamIO() + } + + override DataFlow::Node getOutput(IOType type) { + result.asExpr() = this.getArgument(0) and type = ContextIO() + or + result.asExpr() = this.getArgument(1) and type = ContextIO() + } + + override OperationStepType getStepType() { result = InitializerStep() } +} + +/** + * A call to EVP_DigestVerifyUpdate. + */ +class EvpDigestVerifyUpdate extends OperationStep { + EvpDigestVerifyUpdate() { this.getTarget().getName() = "EVP_DigestVerifyUpdate" } + + override DataFlow::Node getInput(IOType type) { + result.asExpr() = this.getArgument(0) and type = ContextIO() + or + result.asExpr() = this.getArgument(1) and type = PlaintextIO() + } + + override DataFlow::Node getOutput(IOType type) { + result.asExpr() = this.getArgument(0) and type = ContextIO() + } + + override OperationStepType getStepType() { result = UpdateStep() } +} + +/** + * A call to EVP_DigestVerifyFinal + */ +class EvpDigestVerifyFinal extends SignatureFinalOperation { + EvpDigestVerifyFinal() { this.getTarget().getName() = "EVP_DigestVerifyFinal" } + + override DataFlow::Node getInput(IOType type) { + result.asExpr() = this.getArgument(0) and type = ContextIO() + or + result.asExpr() = this.getArgument(1) and type = SignatureIO() + } + + override DataFlow::Node getOutput(IOType type) { + result.asExpr() = this.getArgument(0) and type = ContextIO() + } +} + +/** + * A call to EVP_DigestVerify + */ +class EvpDigestVerify extends SignatureFinalOperation { + EvpDigestVerify() { this.getTarget().getName() = "EVP_DigestVerify" } + + override DataFlow::Node getInput(IOType type) { + result.asExpr() = this.getArgument(0) and type = ContextIO() + or + result.asExpr() = this.getArgument(1) and type = SignatureIO() + or + result.asExpr() = this.getArgument(3) and type = PlaintextIO() + } + + override DataFlow::Node getOutput(IOType type) { + result.asExpr() = this.getArgument(0) and type = ContextIO() + } +} + +/** + * An instance of a signature operation. + * This is an OpenSSL specific class that extends the base SignatureOperationInstance. + */ +class OpenSslSignatureOperationInstance extends Crypto::SignatureOperationInstance instanceof SignatureFinalOperation { override Crypto::AlgorithmValueConsumer getAnAlgorithmValueConsumer() { super.getPrimaryAlgorithmValueConsumer() = result @@ -217,7 +359,7 @@ class EvpSignatureOperationInstance extends Crypto::SignatureOperationInstance i * Signing, verification or unknown. */ override Crypto::KeyOperationSubtype getKeyOperationSubtype() { - // TODO: if this KeyOperationSubtype does not match initialization call's KeyOperationSubtype then we found a bug + // NOTE: if this KeyOperationSubtype does not match initialization call's KeyOperationSubtype then we found a bug if super.getTarget().getName().toLowerCase().matches("%sign%") then result instanceof Crypto::TSignMode else @@ -227,14 +369,59 @@ class EvpSignatureOperationInstance extends Crypto::SignatureOperationInstance i } override Crypto::ConsumerInputDataFlowNode getNonceConsumer() { - // TODO: some signing operations may have explicit nonce generators - none() + // some signing operations may have explicit nonce generators + super.getDominatingInitializersToStep(IVorNonceIO()).getInput(IVorNonceIO()) = result + } + + override Crypto::ConsumerInputDataFlowNode getKeyConsumer() { + super.getDominatingInitializersToStep(KeyIO()).getInput(KeyIO()) = result + } + + override Crypto::ConsumerInputDataFlowNode getSignatureConsumer() { + super.getDominatingInitializersToStep(SignatureIO()).getInput(SignatureIO()) = result + } + + override Crypto::ArtifactOutputDataFlowNode getOutputArtifact() { + super.getOutputStepFlowingToStep(SignatureIO()).getOutput(SignatureIO()) = result + } + + override Crypto::ConsumerInputDataFlowNode getInputConsumer() { + super.getDominatingInitializersToStep(PlaintextIO()).getInput(PlaintextIO()) = result + } + + override Crypto::AlgorithmValueConsumer getHashAlgorithmValueConsumer() { + super + .getDominatingInitializersToStep(HashAlgorithmIO()) + .getAlgorithmValueConsumerForInput(HashAlgorithmIO()) = result + } + + override predicate hasHashAlgorithmConsumer() { + exists(super.getDominatingInitializersToStep(HashAlgorithmIO())) + } +} + +/** + * A class for signature or MAC operation instances. + * This is an OpenSSL specific class that extends the base SignatureOrMacOperationInstance. + */ +class OpenSslSignatureOrMacOperationInstance extends Crypto::SignatureOrMacOperationInstance instanceof SignatureOrMacFinalOperation +{ + override Crypto::AlgorithmValueConsumer getAnAlgorithmValueConsumer() { + super.getPrimaryAlgorithmValueConsumer() = result } /** - * Keys provided in the initialization call or in a context are found by this method. - * Keys in explicit arguments are found by overridden methods in extending classes. + * Signing, verification or unknown. */ + override Crypto::KeyOperationSubtype getKeyOperationSubtype() { + result instanceof Crypto::TSignMode or result instanceof Crypto::TMacMode + } + + override Crypto::ConsumerInputDataFlowNode getNonceConsumer() { + // some signing operations may have explicit nonce generators + super.getDominatingInitializersToStep(IVorNonceIO()).getInput(IVorNonceIO()) = result + } + override Crypto::ConsumerInputDataFlowNode getKeyConsumer() { super.getDominatingInitializersToStep(KeyIO()).getInput(KeyIO()) = result } @@ -247,14 +434,13 @@ class EvpSignatureOperationInstance extends Crypto::SignatureOperationInstance i super.getDominatingInitializersToStep(PlaintextIO()).getInput(PlaintextIO()) = result } - /** - * TODO: only signing operations for now, change when verificaiton is added - */ - override Crypto::ConsumerInputDataFlowNode getSignatureConsumer() { none() } - override Crypto::AlgorithmValueConsumer getHashAlgorithmValueConsumer() { super .getDominatingInitializersToStep(HashAlgorithmIO()) .getAlgorithmValueConsumerForInput(HashAlgorithmIO()) = result } + + override predicate hasHashAlgorithmConsumer() { + exists(super.getDominatingInitializersToStep(HashAlgorithmIO())) + } } diff --git a/shared/quantum/codeql/quantum/experimental/Model.qll b/shared/quantum/codeql/quantum/experimental/Model.qll index d8b1402b5e8..01448a2feb8 100644 --- a/shared/quantum/codeql/quantum/experimental/Model.qll +++ b/shared/quantum/codeql/quantum/experimental/Model.qll @@ -409,8 +409,6 @@ module CryptographyBase Input> { or exists(KeyDerivationOperationInstance op | inputNode = op.getInputConsumer()) or - exists(MacOperationInstance op | inputNode = op.getMessageConsumer()) - or exists(HashOperationInstance op | inputNode = op.getInputConsumer()) ) and this = Input::dfn_to_element(inputNode) @@ -545,8 +543,6 @@ module CryptographyBase Input> { or exists(KeyGenerationOperationInstance op | inputNode = op.getKeyValueConsumer()) or - exists(MacOperationInstance op | inputNode = op.getKeyConsumer()) - or exists(KeyAgreementSecretGenerationOperationInstance op | inputNode = op.getServerKeyConsumer() or inputNode = op.getPeerKeyConsumer() @@ -562,9 +558,10 @@ module CryptographyBase Input> { /** * A key-based cryptographic operation instance, encompassing: - * 1. **Ciphers**: Encryption and decryption, both symmetric and asymmetric - * 1. **Signing**: Signing and verifying, **NOT** including MACs (see `MACOperationInstance`) - * 1. **Key encapsulation**: Key wrapping and unwrapping + * - **Ciphers**: Encryption and decryption, both symmetric and asymmetric + * - **Signing**: Signing and verifying + * - **MACs**: Mac generation + * - **Key encapsulation**: Key wrapping and unwrapping * * This class represents a generic key operation that transforms input data * using a cryptographic key, producing an output artifact such as ciphertext, @@ -598,7 +595,8 @@ module CryptographyBase Input> { /** * Gets the consumer of the primary message input for this key operation. * For example: plaintext (for encryption), ciphertext (for decryption), - * message to be signed, or wrapped key to be unwrapped. + * a message to be signed or verified, the message on which a mac is generated, + * or a wrapped key to be unwrapped. */ abstract ConsumerInputDataFlowNode getInputConsumer(); @@ -614,25 +612,6 @@ module CryptographyBase Input> { abstract ArtifactOutputDataFlowNode getOutputArtifact(); } - /** - * A key operation instance representing a signature being generated or verified. - */ - abstract class SignatureOperationInstance extends KeyOperationInstance { - /** - * Gets the consumer of the signature that is being verified in case of a - * verification operation. - */ - abstract ConsumerInputDataFlowNode getSignatureConsumer(); - - /** - * Gets the consumer of a hash algorithm. - * This is intended for signature operations they are explicitly configured - * with a hash algorithm. If a signature is not configured with an explicit - * hash algorithm, users do not need to provide a consumer (set none()). - */ - abstract AlgorithmValueConsumer getHashAlgorithmValueConsumer(); - } - /** * A key-based algorithm instance used in cryptographic operations such as encryption, decryption, * signing, verification, and key wrapping. @@ -651,6 +630,7 @@ module CryptographyBase Input> { * - `TSymmetricCipher(OtherSymmetricCipherType())` * - `TAsymmetricCipher(OtherAsymmetricCipherType())` * - `TSignature(OtherSignatureAlgorithmType())` + * - `TMacAlgorithm(OtherMacAlgorithmType())` * - `TKeyEncapsulation(OtherKEMAlgorithmType())` * * If the category of algorithm is not known, the following type should be used: @@ -710,6 +690,58 @@ module CryptographyBase Input> { predicate shouldHavePaddingScheme() { any() } } + // abstract class SignatureOrMacAlgorithmInstance extends KeyOperationAlgorithmInstance { + // SignatureOrMacAlgorithmInstance() { + // this.getAlgorithmType() = KeyOpAlg::TSignature(_) + // or + // this.getAlgorithmType() = KeyOpAlg::TMac(_) + // } + // override predicate shouldHaveModeOfOperation() { none() } + // /** + // * Gets the hash algorithm used by this signature algorithm. + // */ + // abstract AlgorithmValueConsumer getHashAlgorithmValueConsumer(); + // } + // abstract class SignatureAlgorithmInstance extends SignatureOrMacAlgorithmInstance { + // SignatureAlgorithmInstance() { this.getAlgorithmType() = KeyOpAlg::TSignature(_) } + // } + abstract class MacOperationInstance extends KeyOperationAlgorithmInstance { } + + abstract class HmacAlgorithmInstance extends KeyOperationAlgorithmInstance { + HmacAlgorithmInstance() { this.getAlgorithmType() = KeyOpAlg::TMac(KeyOpAlg::HMAC()) } + + /** + * Gets the hash algorithm used by this HMAC algorithm. + */ + abstract AlgorithmValueConsumer getHashAlgorithmValueConsumer(); + + /** + * CMACs will have algorithms that have modes of operation but that + * is associated with the cipher algorithm, that is itself + * associated to the MAC algorithm. + */ + override predicate shouldHaveModeOfOperation() { none() } + + override ModeOfOperationAlgorithmInstance getModeOfOperationAlgorithm() { none() } + + /** + * CMACs may have padding but the padding is associated with the cipher algorithm, + * that is itself associated to the MAC algorithm. + */ + override predicate shouldHavePaddingScheme() { none() } + + override PaddingAlgorithmInstance getPaddingAlgorithm() { none() } + } + + abstract class CmacAlgorithmInstance extends KeyOperationAlgorithmInstance { + CmacAlgorithmInstance() { this.getAlgorithmType() = KeyOpAlg::TMac(KeyOpAlg::CMAC()) } + + /** + * Gets the cipher algorithm used by this CMAC algorithm. + */ + abstract AlgorithmValueConsumer getCipherAlgorithmValueConsumer(); + } + abstract class ModeOfOperationAlgorithmInstance extends AlgorithmInstance { /** * Gets the type of this mode of operation, e.g., "ECB" or "CBC". @@ -760,39 +792,44 @@ module CryptographyBase Input> { abstract HashAlgorithmInstance getMgf1HashAlgorithm(); } - abstract class MacAlgorithmInstance extends AlgorithmInstance { + /** + * A parent class for signature and MAC operations. + * Signatures and macs are the asymmetric and symmetric analogs of each other, + * and some APIs can reuse a single operation to do either signing on mac. + * Users should extend this class when an operation can be either a signature or a MAC, + * and where the instance is not obviously one or the other from use. + */ + abstract class SignatureOrMacOperationInstance extends KeyOperationInstance { /** - * Gets the type of this MAC algorithm, e.g., "HMAC" or "CMAC". - */ - abstract MacType getMacType(); - - /** - * Gets the isolated name as it appears in source, e.g., "HMAC-SHA256" in "HMAC-SHA256/UnrelatedInformation". - * - * This name should not be parsed or formatted beyond isolating the raw MAC name if necessary. - */ - abstract string getRawMacAlgorithmName(); - } - - abstract class MacOperationInstance extends OperationInstance { - /** - * Gets the message input used in this operation. - */ - abstract ConsumerInputDataFlowNode getMessageConsumer(); - - /** - * Gets the key used in this operation. - */ - abstract ConsumerInputDataFlowNode getKeyConsumer(); - } - - abstract class HmacAlgorithmInstance extends MacAlgorithmInstance { - HmacAlgorithmInstance() { this.getMacType() = HMAC() } - - /** - * Gets the hash algorithm used by this HMAC algorithm. + * Gets the consumer of a hash algorithm. + * This is intended for mac/signing operations they are explicitly configured + * with a hash algorithm. If the operation is not configured with an explicit + * hash algorithm, users do not need to provide a consumer (set none()). */ abstract AlgorithmValueConsumer getHashAlgorithmValueConsumer(); + + /** + * Holds if this operation has a hash algorithm consumer. + * I.e., holds if the operation is configured to perform a hash + * on a message before signing and algorithm is passed in. + * The hash algorithm consumer must be specified through + * `getHashAlgorithmValueConsumer()`. + */ + abstract predicate hasHashAlgorithmConsumer(); + } + + /** + * A key operation instance representing a signature being generated or verified. + * Note: These instances are known to always be signature operations. + * If an API allows an operation to be used for both MAC and signature, + * it should be modeled as a `SignatureOrMacOperationInstance` instead, + * even if all configuration paths to the current operation only configure it as a signature operation. + */ + abstract class SignatureOperationInstance extends SignatureOrMacOperationInstance { + /** + * Gets the consumer of the signature when this operation is a verification operation. + */ + abstract ConsumerInputDataFlowNode getSignatureConsumer(); } abstract class EllipticCurveInstance extends AlgorithmInstance { @@ -1063,11 +1100,6 @@ module CryptographyBase Input> { exists(KeyOperationInstance op | op.getAnAlgorithmValueConsumer() = avc) } - private predicate isMacAvc(AlgorithmValueConsumer avc) { - exists(MacOperationInstance op | op.getAnAlgorithmValueConsumer() = avc) or - exists(Pbkdf2AlgorithmInstance alg | avc = alg.getHmacAlgorithmValueConsumer()) - } - private predicate isKeyDerivationAvc(AlgorithmValueConsumer avc) { exists(KeyDerivationOperationInstance op | op.getAnAlgorithmValueConsumer() = avc) } @@ -1091,9 +1123,6 @@ module CryptographyBase Input> { final private class HashAlgorithmInstanceOrValueConsumer = AlgorithmInstanceOrValueConsumer::Union; - final private class MacAlgorithmInstanceOrValueConsumer = - AlgorithmInstanceOrValueConsumer::Union; - final private class KeyDerivationAlgorithmInstanceOrValueConsumer = AlgorithmInstanceOrValueConsumer::Union; @@ -1128,13 +1157,11 @@ module CryptographyBase Input> { TPaddingAlgorithm(PaddingAlgorithmInstance e) or // All other operations THashOperation(HashOperationInstance e) or - TMacOperation(MacOperationInstance e) or TKeyAgreementOperation(KeyAgreementSecretGenerationOperationInstance e) or // All other algorithms TEllipticCurve(EllipticCurveInstanceOrValueConsumer e) or THashAlgorithm(HashAlgorithmInstanceOrValueConsumer e) or TKeyDerivationAlgorithm(KeyDerivationAlgorithmInstanceOrValueConsumer e) or - TMacAlgorithm(MacAlgorithmInstanceOrValueConsumer e) or TKeyAgreementAlgorithm(KeyAgreementAlgorithmInstanceOrValueConsumer e) or // Generic source nodes, i.e., sources of data that are not resolvable to a specific known asset. TGenericSourceNode(GenericSourceInstance e) { @@ -1582,60 +1609,36 @@ module CryptographyBase Input> { /** * A MAC operation that produces a MAC value. */ - final class MacOperationNode extends OperationNode, TMacOperation { - MacOperationInstance instance; - - MacOperationNode() { this = TMacOperation(instance) } + final class MacOperationNode extends SignatureOrMacOperationNode { + MacOperationNode() { + this.getKeyOperationSubtype() = TMacMode() and + // Consider any operation a mac operation only if all algorithms going to the sink + // are MAC or unknown. This addresses the issue where an API allows for reuse of + // MAC operations for signatures. + forex(KeyOperationAlgorithmNode n | n = this.getAnAlgorithmOrGenericSource() | + n.getAlgorithmType() = KeyOpAlg::TMac(_) + ) + } final override string getInternalType() { result = "MACOperation" } override LocatableElement asElement() { result = instance } - override predicate isCandidateAlgorithmNode(AlgorithmNode node) { - node instanceof MacAlgorithmNode - } - MessageArtifactNode getAMessage() { - result.asElement() = instance.getMessageConsumer().getConsumer() + result.asElement() = instance.getInputConsumer().getConsumer() } - KeyArtifactNode getAKey() { result.asElement() = instance.getKeyConsumer().getConsumer() } - + //KeyArtifactNode getAKey() { result.asElement() = instance.getKeyConsumer().getConsumer() } override NodeBase getChild(string edgeName) { result = super.getChild(edgeName) or // [KNOWN_OR_UNKNOWN] edgeName = "Message" and - if exists(this.getAMessage()) then result = this.getAMessage() else result = this - or - // [KNOWN_OR_UNKNOWN] - edgeName = "Key" and - if exists(this.getAKey()) then result = this.getAKey() else result = this + (if exists(this.getAMessage()) then result = this.getAMessage() else result = this) } } - /** - * A MAC algorithm, such as HMAC or CMAC. - */ - class MacAlgorithmNode extends AlgorithmNode, TMacAlgorithm { - MacAlgorithmInstanceOrValueConsumer instance; - - MacAlgorithmNode() { this = TMacAlgorithm(instance) } - - final override string getInternalType() { result = "MACAlgorithm" } - - override LocatableElement asElement() { result = instance } - - final override string getRawAlgorithmName() { - result = instance.asAlg().getRawMacAlgorithmName() - } - - MacType getMacType() { result = instance.asAlg().getMacType() } - - override string getAlgorithmName() { result = this.getMacType().toString() } - } - - final class HmacAlgorithmNode extends MacAlgorithmNode { + final class HmacAlgorithmNode extends KeyAgreementAlgorithmNode { HmacAlgorithmInstance hmacInstance; HmacAlgorithmNode() { hmacInstance = instance.asAlg() } @@ -1871,6 +1874,7 @@ module CryptographyBase Input> { TUnwrapMode() or TSignMode() or TVerifyMode() or + TMacMode() or TUnknownKeyOperationMode() /** @@ -1890,6 +1894,8 @@ module CryptographyBase Input> { or result = "Verify" and this = TVerifyMode() or + result = "Mac" and this = TMacMode() + or result = "Unknown" and this = TUnknownKeyOperationMode() } } @@ -2001,14 +2007,31 @@ module CryptographyBase Input> { override string getInternalType() { result = nodeName } } - class SignatureOperationNode extends KeyOperationNode { + class SignatureOrMacOperationNode extends KeyOperationNode { + SignatureOrMacOperationNode() { + this.getKeyOperationSubtype() = TSignMode() + or + this.getKeyOperationSubtype() = TVerifyMode() + or + this.getKeyOperationSubtype() = TMacMode() + } + + override string getInternalType() { result = "SignatureOrMACOperation" } + } + + class SignatureOperationNode extends SignatureOrMacOperationNode { override SignatureOperationInstance instance; string nodeName; SignatureOperationNode() { - this.getKeyOperationSubtype() = TSignMode() and nodeName = "SignOperation" - or - this.getKeyOperationSubtype() = TVerifyMode() and nodeName = "VerifyOperation" + ( + this.getKeyOperationSubtype() = TSignMode() and nodeName = "SignOperation" + or + this.getKeyOperationSubtype() = TVerifyMode() and nodeName = "VerifyOperation" + ) and + not exists(KeyOperationAlgorithmNode n | + n = this.getAnAlgorithmOrGenericSource() and n.getAlgorithmType() = KeyOpAlg::TMac(_) + ) } override string getInternalType() { result = nodeName } diff --git a/shared/quantum/codeql/quantum/experimental/Standardization.qll b/shared/quantum/codeql/quantum/experimental/Standardization.qll index 29c5b58d343..929c92aefff 100644 --- a/shared/quantum/codeql/quantum/experimental/Standardization.qll +++ b/shared/quantum/codeql/quantum/experimental/Standardization.qll @@ -14,6 +14,7 @@ module Types { TSymmetricCipher(TSymmetricCipherType t) or TAsymmetricCipher(TAsymmetricCipherType t) or TSignature(TSignatureAlgorithmType t) or + TMac(TMacAlgorithmType t) or TKeyEncapsulation(TKemAlgorithmType t) or TUnknownKeyOperationAlgorithmType() @@ -55,6 +56,11 @@ module Types { FRODO_KEM() or OtherKemAlgorithmType() + newtype TMacAlgorithmType = + HMAC() or + CMAC() or + OtherMacAlgorithmType() + newtype TCipherStructureType = Block() or Stream() or @@ -143,6 +149,13 @@ module Types { or this = TKeyEncapsulation(OtherKemAlgorithmType()) and result = "UnknownKEM" or + // MAC algorithms + this = TMac(HMAC()) and result = "HMAC" + or + this = TMac(CMAC()) and result = "CMAC" + or + this = TMac(OtherMacAlgorithmType()) and result = "UnknownMac" + or // Unknown this = TUnknownKeyOperationAlgorithmType() and result = "Unknown" } @@ -305,21 +318,6 @@ module Types { } } - newtype TMacType = - HMAC() or - CMAC() or - OtherMacType() - - class MacType extends TMacType { - string toString() { - this = HMAC() and result = "HMAC" - or - this = CMAC() and result = "CMAC" - or - this = OtherMacType() and result = "UnknownMacType" - } - } - // Key agreement algorithms newtype TKeyAgreementType = DH() or // Diffie-Hellman From d32e09ac3752d07c100d0dcd781b163d369b9447 Mon Sep 17 00:00:00 2001 From: "REDMOND\\brodes" Date: Tue, 1 Jul 2025 10:37:09 -0400 Subject: [PATCH 0013/1955] Crypto: Misc. cleanup and completed model refactor for Mac. Passing tests for openssl, refactor still required for JCA. --- .../Operations/OpenSSLOperationBase.qll | 42 +++----- .../library-tests/quantum/node_edges.expected | 99 ++++++++++++------- .../quantum/node_properties.expected | 23 +++-- .../library-tests/quantum/nodes.expected | 20 ++-- .../codeql/quantum/experimental/Model.qll | 45 ++++++--- 5 files changed, 137 insertions(+), 92 deletions(-) diff --git a/cpp/ql/lib/experimental/quantum/OpenSSL/Operations/OpenSSLOperationBase.qll b/cpp/ql/lib/experimental/quantum/OpenSSL/Operations/OpenSSLOperationBase.qll index 389cb249058..bddb7ef0728 100644 --- a/cpp/ql/lib/experimental/quantum/OpenSSL/Operations/OpenSSLOperationBase.qll +++ b/cpp/ql/lib/experimental/quantum/OpenSSL/Operations/OpenSSLOperationBase.qll @@ -127,7 +127,6 @@ class IOType extends TIOType { } } -//TODO: add more initializers as needed /** * The type of step in an `OperationStep`. * - `ContextCreationStep`: the creation of a context from an algorithm or key. @@ -249,8 +248,10 @@ abstract class OperationStep extends Call { /** * Gets an AVC for the primary algorithm for this operation. - * A primary algorithm is an AVC that flows to a ctx input directly or - * an AVC that flows to a primary algorithm input directly. + * A primary algorithm is an AVC that either: + * 1) flows to a ctx input directly or + * 2) flows to a primary algorithm input directly + * 3) flows to a key input directly (algorithm held in a key will be considered primary) * See `AvcContextCreationStep` for details about resetting scenarios. * Gets the first OperationStep an AVC flows to. If a context input, * the AVC is considered primary. @@ -259,15 +260,16 @@ abstract class OperationStep extends Call { */ Crypto::AlgorithmValueConsumer getPrimaryAlgorithmValueConsumer() { exists(DataFlow::Node src, DataFlow::Node sink, IOType t, OperationStep avcConsumingPred | - (t = PrimaryAlgorithmIO() or t = ContextIO()) and + (t = PrimaryAlgorithmIO() or t = ContextIO() or t = KeyIO()) and avcConsumingPred.flowsToOperationStep(this) and src.asExpr() = result and sink = avcConsumingPred.getInput(t) and AvcToOperationStepFlow::flow(src, sink) and ( - // Case 1: the avcConsumingPred step is a dominating initialization step - t = PrimaryAlgorithmIO() and - avcConsumingPred = this.getDominatingInitializersToStep(PrimaryAlgorithmIO()) + // Case 1: the avcConsumingPred step is a dominating primary algorithm initialization step + // or dominating key initialization step + (t = PrimaryAlgorithmIO() or t = KeyIO()) and + avcConsumingPred = this.getDominatingInitializersToStep(t) or // Case 2: the pred is a context input t = ContextIO() @@ -393,7 +395,9 @@ private class CtxCopyReturnCall extends CtxPassThroughCall, CtxPointerExpr { override DataFlow::Node getNode2() { result.asExpr() = this } } -// TODO: is this still needed? +// TODO: is this still needed? It appears to be (tests fail without it) but +// I don't know why as EVP_PKEY_paramgen is an operation step and we pass through +// operation steps already. /** * A call to `EVP_PKEY_paramgen` acts as a kind of pass through. * It's output pkey is eventually used in a new operation generating @@ -420,28 +424,6 @@ private class CtxParamGenCall extends CtxPassThroughCall { override DataFlow::Node getNode2() { result = n2 } } -//TODO: I am not sure CallArgToCtxRet is needed anymore -/** - * If the current node is an argument to a function - * that returns a pointer type, immediately flow through. - * NOTE: this passthrough is required if we allow - * intermediate steps to go into variables that are not a CTX type. - * See for example `CtxParamGenCall`. - */ -private class CallArgToCtxRet extends CtxPassThroughCall, CtxPointerExpr { - DataFlow::Node n1; - DataFlow::Node n2; - - CallArgToCtxRet() { - this.getAnArgument() = n1.asExpr() and - n2.asExpr() = this - } - - override DataFlow::Node getNode1() { result = n1 } - - override DataFlow::Node getNode2() { result = n2 } -} - /** * A flow configuration from any non-final `OperationStep` to any other `OperationStep`. */ diff --git a/cpp/ql/test/experimental/library-tests/quantum/node_edges.expected b/cpp/ql/test/experimental/library-tests/quantum/node_edges.expected index 15d72d697fc..348ba678bc6 100644 --- a/cpp/ql/test/experimental/library-tests/quantum/node_edges.expected +++ b/cpp/ql/test/experimental/library-tests/quantum/node_edges.expected @@ -34,15 +34,16 @@ | openssl_basic.c:155:22:155:41 | KeyGeneration | Algorithm | openssl_basic.c:155:22:155:41 | KeyGeneration | | openssl_basic.c:155:22:155:41 | KeyGeneration | KeyInput | openssl_basic.c:155:64:155:66 | Key | | openssl_basic.c:155:22:155:41 | KeyGeneration | Output | openssl_basic.c:155:22:155:41 | Key | -| openssl_basic.c:155:43:155:55 | MACAlgorithm | H | openssl_basic.c:160:39:160:48 | HashAlgorithm | +| openssl_basic.c:155:43:155:55 | HMACAlgorithm | H | openssl_basic.c:160:39:160:48 | HashAlgorithm | | openssl_basic.c:155:64:155:66 | Key | Source | openssl_basic.c:179:43:179:76 | Constant | | openssl_basic.c:160:59:160:62 | Key | Source | openssl_basic.c:155:22:155:41 | Key | | openssl_basic.c:163:35:163:41 | Message | Source | openssl_basic.c:181:49:181:87 | Constant | -| openssl_basic.c:167:9:167:27 | SignOperation | Algorithm | openssl_basic.c:167:9:167:27 | SignOperation | -| openssl_basic.c:167:9:167:27 | SignOperation | HashAlgorithm | openssl_basic.c:160:39:160:48 | HashAlgorithm | -| openssl_basic.c:167:9:167:27 | SignOperation | Input | openssl_basic.c:163:35:163:41 | Message | -| openssl_basic.c:167:9:167:27 | SignOperation | Key | openssl_basic.c:160:59:160:62 | Key | -| openssl_basic.c:167:9:167:27 | SignOperation | Output | openssl_basic.c:167:34:167:36 | SignatureOutput | +| openssl_basic.c:167:9:167:27 | SignatureOrMACOperation | Algorithm | openssl_basic.c:155:43:155:55 | HMACAlgorithm | +| openssl_basic.c:167:9:167:27 | SignatureOrMACOperation | HashAlgorithm | openssl_basic.c:160:39:160:48 | HashAlgorithm | +| openssl_basic.c:167:9:167:27 | SignatureOrMACOperation | Input | openssl_basic.c:163:35:163:41 | Message | +| openssl_basic.c:167:9:167:27 | SignatureOrMACOperation | Key | openssl_basic.c:160:59:160:62 | Key | +| openssl_basic.c:167:9:167:27 | SignatureOrMACOperation | Nonce | openssl_basic.c:167:9:167:27 | SignatureOrMACOperation | +| openssl_basic.c:167:9:167:27 | SignatureOrMACOperation | Output | openssl_basic.c:167:34:167:36 | SignatureOutput | | openssl_basic.c:235:51:235:55 | KeyOperationAlgorithm | Mode | openssl_basic.c:235:51:235:55 | KeyOperationAlgorithm | | openssl_basic.c:235:51:235:55 | KeyOperationAlgorithm | Padding | openssl_basic.c:249:51:249:72 | PaddingAlgorithm | | openssl_basic.c:238:9:238:25 | KeyGeneration | Algorithm | openssl_basic.c:235:51:235:55 | KeyOperationAlgorithm | @@ -97,37 +98,67 @@ | openssl_signature.c:133:52:133:55 | Key | Source | openssl_signature.c:548:34:548:37 | Key | | openssl_signature.c:133:52:133:55 | Key | Source | openssl_signature.c:578:34:578:37 | Key | | openssl_signature.c:134:38:134:44 | Message | Source | openssl_signature.c:602:37:602:77 | Constant | -| openssl_signature.c:135:9:135:27 | SignOperation | Algorithm | openssl_signature.c:543:35:543:46 | KeyOperationAlgorithm | -| openssl_signature.c:135:9:135:27 | SignOperation | Algorithm | openssl_signature.c:565:50:565:54 | KeyOperationAlgorithm | -| openssl_signature.c:135:9:135:27 | SignOperation | HashAlgorithm | openssl_signature.c:684:24:684:33 | HashAlgorithm | -| openssl_signature.c:135:9:135:27 | SignOperation | HashAlgorithm | openssl_signature.c:740:24:740:33 | HashAlgorithm | -| openssl_signature.c:135:9:135:27 | SignOperation | Input | openssl_signature.c:134:38:134:44 | Message | -| openssl_signature.c:135:9:135:27 | SignOperation | Key | openssl_signature.c:133:52:133:55 | Key | -| openssl_signature.c:135:9:135:27 | SignOperation | Output | openssl_signature.c:135:37:135:40 | SignatureOutput | -| openssl_signature.c:142:9:142:27 | SignOperation | Algorithm | openssl_signature.c:543:35:543:46 | KeyOperationAlgorithm | -| openssl_signature.c:142:9:142:27 | SignOperation | Algorithm | openssl_signature.c:565:50:565:54 | KeyOperationAlgorithm | -| openssl_signature.c:142:9:142:27 | SignOperation | HashAlgorithm | openssl_signature.c:684:24:684:33 | HashAlgorithm | -| openssl_signature.c:142:9:142:27 | SignOperation | HashAlgorithm | openssl_signature.c:740:24:740:33 | HashAlgorithm | -| openssl_signature.c:142:9:142:27 | SignOperation | Input | openssl_signature.c:134:38:134:44 | Message | -| openssl_signature.c:142:9:142:27 | SignOperation | Key | openssl_signature.c:133:52:133:55 | Key | -| openssl_signature.c:142:9:142:27 | SignOperation | Output | openssl_signature.c:142:37:142:46 | SignatureOutput | +| openssl_signature.c:135:9:135:27 | SignatureOrMACOperation | Algorithm | openssl_signature.c:543:35:543:46 | KeyOperationAlgorithm | +| openssl_signature.c:135:9:135:27 | SignatureOrMACOperation | Algorithm | openssl_signature.c:565:50:565:54 | KeyOperationAlgorithm | +| openssl_signature.c:135:9:135:27 | SignatureOrMACOperation | HashAlgorithm | openssl_signature.c:684:24:684:33 | HashAlgorithm | +| openssl_signature.c:135:9:135:27 | SignatureOrMACOperation | HashAlgorithm | openssl_signature.c:740:24:740:33 | HashAlgorithm | +| openssl_signature.c:135:9:135:27 | SignatureOrMACOperation | Input | openssl_signature.c:134:38:134:44 | Message | +| openssl_signature.c:135:9:135:27 | SignatureOrMACOperation | Key | openssl_signature.c:133:52:133:55 | Key | +| openssl_signature.c:135:9:135:27 | SignatureOrMACOperation | Nonce | openssl_signature.c:135:9:135:27 | SignatureOrMACOperation | +| openssl_signature.c:135:9:135:27 | SignatureOrMACOperation | Output | openssl_signature.c:135:37:135:40 | SignatureOutput | +| openssl_signature.c:142:9:142:27 | SignatureOrMACOperation | Algorithm | openssl_signature.c:543:35:543:46 | KeyOperationAlgorithm | +| openssl_signature.c:142:9:142:27 | SignatureOrMACOperation | Algorithm | openssl_signature.c:565:50:565:54 | KeyOperationAlgorithm | +| openssl_signature.c:142:9:142:27 | SignatureOrMACOperation | HashAlgorithm | openssl_signature.c:684:24:684:33 | HashAlgorithm | +| openssl_signature.c:142:9:142:27 | SignatureOrMACOperation | HashAlgorithm | openssl_signature.c:740:24:740:33 | HashAlgorithm | +| openssl_signature.c:142:9:142:27 | SignatureOrMACOperation | Input | openssl_signature.c:134:38:134:44 | Message | +| openssl_signature.c:142:9:142:27 | SignatureOrMACOperation | Key | openssl_signature.c:133:52:133:55 | Key | +| openssl_signature.c:142:9:142:27 | SignatureOrMACOperation | Nonce | openssl_signature.c:142:9:142:27 | SignatureOrMACOperation | +| openssl_signature.c:142:9:142:27 | SignatureOrMACOperation | Output | openssl_signature.c:142:37:142:46 | SignatureOutput | +| openssl_signature.c:165:54:165:57 | Key | Source | openssl_signature.c:548:34:548:37 | Key | +| openssl_signature.c:165:54:165:57 | Key | Source | openssl_signature.c:578:34:578:37 | Key | +| openssl_signature.c:166:40:166:46 | Message | Source | openssl_signature.c:602:37:602:77 | Constant | +| openssl_signature.c:167:9:167:29 | VerifyOperation | Algorithm | openssl_signature.c:543:35:543:46 | KeyOperationAlgorithm | +| openssl_signature.c:167:9:167:29 | VerifyOperation | Algorithm | openssl_signature.c:565:50:565:54 | KeyOperationAlgorithm | +| openssl_signature.c:167:9:167:29 | VerifyOperation | HashAlgorithm | openssl_signature.c:684:24:684:33 | HashAlgorithm | +| openssl_signature.c:167:9:167:29 | VerifyOperation | HashAlgorithm | openssl_signature.c:740:24:740:33 | HashAlgorithm | +| openssl_signature.c:167:9:167:29 | VerifyOperation | Input | openssl_signature.c:134:38:134:44 | Message | +| openssl_signature.c:167:9:167:29 | VerifyOperation | Input | openssl_signature.c:166:40:166:46 | Message | +| openssl_signature.c:167:9:167:29 | VerifyOperation | Key | openssl_signature.c:133:52:133:55 | Key | +| openssl_signature.c:167:9:167:29 | VerifyOperation | Key | openssl_signature.c:165:54:165:57 | Key | +| openssl_signature.c:167:9:167:29 | VerifyOperation | Signature | openssl_signature.c:167:39:167:47 | SignatureInput | +| openssl_signature.c:167:39:167:47 | SignatureInput | Source | openssl_signature.c:142:37:142:46 | SignatureOutput | | openssl_signature.c:190:57:190:60 | Key | Source | openssl_signature.c:548:34:548:37 | Key | | openssl_signature.c:190:57:190:60 | Key | Source | openssl_signature.c:578:34:578:37 | Key | | openssl_signature.c:196:38:196:44 | Message | Source | openssl_signature.c:602:37:602:77 | Constant | -| openssl_signature.c:197:9:197:27 | SignOperation | Algorithm | openssl_signature.c:543:35:543:46 | KeyOperationAlgorithm | -| openssl_signature.c:197:9:197:27 | SignOperation | Algorithm | openssl_signature.c:565:50:565:54 | KeyOperationAlgorithm | -| openssl_signature.c:197:9:197:27 | SignOperation | HashAlgorithm | openssl_signature.c:684:24:684:33 | HashAlgorithm | -| openssl_signature.c:197:9:197:27 | SignOperation | HashAlgorithm | openssl_signature.c:740:24:740:33 | HashAlgorithm | -| openssl_signature.c:197:9:197:27 | SignOperation | Input | openssl_signature.c:196:38:196:44 | Message | -| openssl_signature.c:197:9:197:27 | SignOperation | Key | openssl_signature.c:190:57:190:60 | Key | -| openssl_signature.c:197:9:197:27 | SignOperation | Output | openssl_signature.c:197:37:197:40 | SignatureOutput | -| openssl_signature.c:204:9:204:27 | SignOperation | Algorithm | openssl_signature.c:543:35:543:46 | KeyOperationAlgorithm | -| openssl_signature.c:204:9:204:27 | SignOperation | Algorithm | openssl_signature.c:565:50:565:54 | KeyOperationAlgorithm | -| openssl_signature.c:204:9:204:27 | SignOperation | HashAlgorithm | openssl_signature.c:684:24:684:33 | HashAlgorithm | -| openssl_signature.c:204:9:204:27 | SignOperation | HashAlgorithm | openssl_signature.c:740:24:740:33 | HashAlgorithm | -| openssl_signature.c:204:9:204:27 | SignOperation | Input | openssl_signature.c:196:38:196:44 | Message | -| openssl_signature.c:204:9:204:27 | SignOperation | Key | openssl_signature.c:190:57:190:60 | Key | -| openssl_signature.c:204:9:204:27 | SignOperation | Output | openssl_signature.c:204:37:204:46 | SignatureOutput | +| openssl_signature.c:197:9:197:27 | SignatureOrMACOperation | Algorithm | openssl_signature.c:543:35:543:46 | KeyOperationAlgorithm | +| openssl_signature.c:197:9:197:27 | SignatureOrMACOperation | Algorithm | openssl_signature.c:565:50:565:54 | KeyOperationAlgorithm | +| openssl_signature.c:197:9:197:27 | SignatureOrMACOperation | HashAlgorithm | openssl_signature.c:684:24:684:33 | HashAlgorithm | +| openssl_signature.c:197:9:197:27 | SignatureOrMACOperation | HashAlgorithm | openssl_signature.c:740:24:740:33 | HashAlgorithm | +| openssl_signature.c:197:9:197:27 | SignatureOrMACOperation | Input | openssl_signature.c:196:38:196:44 | Message | +| openssl_signature.c:197:9:197:27 | SignatureOrMACOperation | Key | openssl_signature.c:190:57:190:60 | Key | +| openssl_signature.c:197:9:197:27 | SignatureOrMACOperation | Nonce | openssl_signature.c:197:9:197:27 | SignatureOrMACOperation | +| openssl_signature.c:197:9:197:27 | SignatureOrMACOperation | Output | openssl_signature.c:197:37:197:40 | SignatureOutput | +| openssl_signature.c:204:9:204:27 | SignatureOrMACOperation | Algorithm | openssl_signature.c:543:35:543:46 | KeyOperationAlgorithm | +| openssl_signature.c:204:9:204:27 | SignatureOrMACOperation | Algorithm | openssl_signature.c:565:50:565:54 | KeyOperationAlgorithm | +| openssl_signature.c:204:9:204:27 | SignatureOrMACOperation | HashAlgorithm | openssl_signature.c:684:24:684:33 | HashAlgorithm | +| openssl_signature.c:204:9:204:27 | SignatureOrMACOperation | HashAlgorithm | openssl_signature.c:740:24:740:33 | HashAlgorithm | +| openssl_signature.c:204:9:204:27 | SignatureOrMACOperation | Input | openssl_signature.c:196:38:196:44 | Message | +| openssl_signature.c:204:9:204:27 | SignatureOrMACOperation | Key | openssl_signature.c:190:57:190:60 | Key | +| openssl_signature.c:204:9:204:27 | SignatureOrMACOperation | Nonce | openssl_signature.c:204:9:204:27 | SignatureOrMACOperation | +| openssl_signature.c:204:9:204:27 | SignatureOrMACOperation | Output | openssl_signature.c:204:37:204:46 | SignatureOutput | +| openssl_signature.c:228:59:228:62 | Key | Source | openssl_signature.c:548:34:548:37 | Key | +| openssl_signature.c:228:59:228:62 | Key | Source | openssl_signature.c:578:34:578:37 | Key | +| openssl_signature.c:234:40:234:46 | Message | Source | openssl_signature.c:602:37:602:77 | Constant | +| openssl_signature.c:235:9:235:29 | VerifyOperation | Algorithm | openssl_signature.c:543:35:543:46 | KeyOperationAlgorithm | +| openssl_signature.c:235:9:235:29 | VerifyOperation | Algorithm | openssl_signature.c:565:50:565:54 | KeyOperationAlgorithm | +| openssl_signature.c:235:9:235:29 | VerifyOperation | HashAlgorithm | openssl_signature.c:684:24:684:33 | HashAlgorithm | +| openssl_signature.c:235:9:235:29 | VerifyOperation | HashAlgorithm | openssl_signature.c:740:24:740:33 | HashAlgorithm | +| openssl_signature.c:235:9:235:29 | VerifyOperation | Input | openssl_signature.c:196:38:196:44 | Message | +| openssl_signature.c:235:9:235:29 | VerifyOperation | Input | openssl_signature.c:234:40:234:46 | Message | +| openssl_signature.c:235:9:235:29 | VerifyOperation | Key | openssl_signature.c:190:57:190:60 | Key | +| openssl_signature.c:235:9:235:29 | VerifyOperation | Key | openssl_signature.c:228:59:228:62 | Key | +| openssl_signature.c:235:9:235:29 | VerifyOperation | Signature | openssl_signature.c:235:39:235:47 | SignatureInput | +| openssl_signature.c:235:39:235:47 | SignatureInput | Source | openssl_signature.c:204:37:204:46 | SignatureOutput | | openssl_signature.c:260:39:260:42 | Key | Source | openssl_signature.c:548:34:548:37 | Key | | openssl_signature.c:260:39:260:42 | Key | Source | openssl_signature.c:578:34:578:37 | Key | | openssl_signature.c:263:9:263:21 | SignOperation | Algorithm | openssl_signature.c:543:35:543:46 | KeyOperationAlgorithm | diff --git a/cpp/ql/test/experimental/library-tests/quantum/node_properties.expected b/cpp/ql/test/experimental/library-tests/quantum/node_properties.expected index 5192e9c8c05..2acaf5b0ed8 100644 --- a/cpp/ql/test/experimental/library-tests/quantum/node_properties.expected +++ b/cpp/ql/test/experimental/library-tests/quantum/node_properties.expected @@ -21,14 +21,15 @@ | openssl_basic.c:144:67:144:73 | HashAlgorithm | Name | MD5 | openssl_basic.c:144:67:144:73 | openssl_basic.c:144:67:144:73 | | openssl_basic.c:144:67:144:73 | HashAlgorithm | RawName | EVP_md5 | openssl_basic.c:144:67:144:73 | openssl_basic.c:144:67:144:73 | | openssl_basic.c:155:22:155:41 | Key | KeyType | Asymmetric | openssl_basic.c:155:22:155:41 | openssl_basic.c:155:22:155:41 | -| openssl_basic.c:155:43:155:55 | MACAlgorithm | Name | HMAC | openssl_basic.c:155:43:155:55 | openssl_basic.c:155:43:155:55 | -| openssl_basic.c:155:43:155:55 | MACAlgorithm | RawName | 855 | openssl_basic.c:155:43:155:55 | openssl_basic.c:155:43:155:55 | +| openssl_basic.c:155:43:155:55 | HMACAlgorithm | Name | HMAC | openssl_basic.c:155:43:155:55 | openssl_basic.c:155:43:155:55 | +| openssl_basic.c:155:43:155:55 | HMACAlgorithm | RawName | 855 | openssl_basic.c:155:43:155:55 | openssl_basic.c:155:43:155:55 | | openssl_basic.c:155:64:155:66 | Key | KeyType | Unknown | openssl_basic.c:155:64:155:66 | openssl_basic.c:155:64:155:66 | | openssl_basic.c:160:39:160:48 | HashAlgorithm | DigestSize | 256 | openssl_basic.c:160:39:160:48 | openssl_basic.c:160:39:160:48 | | openssl_basic.c:160:39:160:48 | HashAlgorithm | Name | SHA2 | openssl_basic.c:160:39:160:48 | openssl_basic.c:160:39:160:48 | | openssl_basic.c:160:39:160:48 | HashAlgorithm | RawName | EVP_sha256 | openssl_basic.c:160:39:160:48 | openssl_basic.c:160:39:160:48 | | openssl_basic.c:160:59:160:62 | Key | KeyType | Unknown | openssl_basic.c:160:59:160:62 | openssl_basic.c:160:59:160:62 | -| openssl_basic.c:167:9:167:27 | SignOperation | KeyOperationSubtype | Sign | openssl_basic.c:167:9:167:27 | openssl_basic.c:167:9:167:27 | +| openssl_basic.c:167:9:167:27 | SignatureOrMACOperation | KeyOperationSubtype | Mac | openssl_basic.c:167:9:167:27 | openssl_basic.c:167:9:167:27 | +| openssl_basic.c:167:9:167:27 | SignatureOrMACOperation | KeyOperationSubtype | Sign | openssl_basic.c:167:9:167:27 | openssl_basic.c:167:9:167:27 | | openssl_basic.c:179:43:179:76 | Constant | Description | 01234567890123456789012345678901 | openssl_basic.c:179:43:179:76 | openssl_basic.c:179:43:179:76 | | openssl_basic.c:180:42:180:59 | Constant | Description | 0123456789012345 | openssl_basic.c:180:42:180:59 | openssl_basic.c:180:42:180:59 | | openssl_basic.c:181:49:181:87 | Constant | Description | This is a test message for encryption | openssl_basic.c:181:49:181:87 | openssl_basic.c:181:49:181:87 | @@ -61,11 +62,19 @@ | openssl_signature.c:80:9:80:21 | SignOperation | KeyOperationSubtype | Sign | openssl_signature.c:80:9:80:21 | openssl_signature.c:80:9:80:21 | | openssl_signature.c:80:53:80:56 | Key | KeyType | Unknown | openssl_signature.c:80:53:80:56 | openssl_signature.c:80:53:80:56 | | openssl_signature.c:133:52:133:55 | Key | KeyType | Unknown | openssl_signature.c:133:52:133:55 | openssl_signature.c:133:52:133:55 | -| openssl_signature.c:135:9:135:27 | SignOperation | KeyOperationSubtype | Sign | openssl_signature.c:135:9:135:27 | openssl_signature.c:135:9:135:27 | -| openssl_signature.c:142:9:142:27 | SignOperation | KeyOperationSubtype | Sign | openssl_signature.c:142:9:142:27 | openssl_signature.c:142:9:142:27 | +| openssl_signature.c:135:9:135:27 | SignatureOrMACOperation | KeyOperationSubtype | Mac | openssl_signature.c:135:9:135:27 | openssl_signature.c:135:9:135:27 | +| openssl_signature.c:135:9:135:27 | SignatureOrMACOperation | KeyOperationSubtype | Sign | openssl_signature.c:135:9:135:27 | openssl_signature.c:135:9:135:27 | +| openssl_signature.c:142:9:142:27 | SignatureOrMACOperation | KeyOperationSubtype | Mac | openssl_signature.c:142:9:142:27 | openssl_signature.c:142:9:142:27 | +| openssl_signature.c:142:9:142:27 | SignatureOrMACOperation | KeyOperationSubtype | Sign | openssl_signature.c:142:9:142:27 | openssl_signature.c:142:9:142:27 | +| openssl_signature.c:165:54:165:57 | Key | KeyType | Unknown | openssl_signature.c:165:54:165:57 | openssl_signature.c:165:54:165:57 | +| openssl_signature.c:167:9:167:29 | VerifyOperation | KeyOperationSubtype | Verify | openssl_signature.c:167:9:167:29 | openssl_signature.c:167:9:167:29 | | openssl_signature.c:190:57:190:60 | Key | KeyType | Unknown | openssl_signature.c:190:57:190:60 | openssl_signature.c:190:57:190:60 | -| openssl_signature.c:197:9:197:27 | SignOperation | KeyOperationSubtype | Sign | openssl_signature.c:197:9:197:27 | openssl_signature.c:197:9:197:27 | -| openssl_signature.c:204:9:204:27 | SignOperation | KeyOperationSubtype | Sign | openssl_signature.c:204:9:204:27 | openssl_signature.c:204:9:204:27 | +| openssl_signature.c:197:9:197:27 | SignatureOrMACOperation | KeyOperationSubtype | Mac | openssl_signature.c:197:9:197:27 | openssl_signature.c:197:9:197:27 | +| openssl_signature.c:197:9:197:27 | SignatureOrMACOperation | KeyOperationSubtype | Sign | openssl_signature.c:197:9:197:27 | openssl_signature.c:197:9:197:27 | +| openssl_signature.c:204:9:204:27 | SignatureOrMACOperation | KeyOperationSubtype | Mac | openssl_signature.c:204:9:204:27 | openssl_signature.c:204:9:204:27 | +| openssl_signature.c:204:9:204:27 | SignatureOrMACOperation | KeyOperationSubtype | Sign | openssl_signature.c:204:9:204:27 | openssl_signature.c:204:9:204:27 | +| openssl_signature.c:228:59:228:62 | Key | KeyType | Unknown | openssl_signature.c:228:59:228:62 | openssl_signature.c:228:59:228:62 | +| openssl_signature.c:235:9:235:29 | VerifyOperation | KeyOperationSubtype | Verify | openssl_signature.c:235:9:235:29 | openssl_signature.c:235:9:235:29 | | openssl_signature.c:260:39:260:42 | Key | KeyType | Unknown | openssl_signature.c:260:39:260:42 | openssl_signature.c:260:39:260:42 | | openssl_signature.c:263:9:263:21 | SignOperation | KeyOperationSubtype | Sign | openssl_signature.c:263:9:263:21 | openssl_signature.c:263:9:263:21 | | openssl_signature.c:270:9:270:21 | SignOperation | KeyOperationSubtype | Sign | openssl_signature.c:270:9:270:21 | openssl_signature.c:270:9:270:21 | diff --git a/cpp/ql/test/experimental/library-tests/quantum/nodes.expected b/cpp/ql/test/experimental/library-tests/quantum/nodes.expected index 750a4367f22..6245926f211 100644 --- a/cpp/ql/test/experimental/library-tests/quantum/nodes.expected +++ b/cpp/ql/test/experimental/library-tests/quantum/nodes.expected @@ -24,12 +24,12 @@ | openssl_basic.c:144:67:144:73 | HashAlgorithm | | openssl_basic.c:155:22:155:41 | Key | | openssl_basic.c:155:22:155:41 | KeyGeneration | -| openssl_basic.c:155:43:155:55 | MACAlgorithm | +| openssl_basic.c:155:43:155:55 | HMACAlgorithm | | openssl_basic.c:155:64:155:66 | Key | | openssl_basic.c:160:39:160:48 | HashAlgorithm | | openssl_basic.c:160:59:160:62 | Key | | openssl_basic.c:163:35:163:41 | Message | -| openssl_basic.c:167:9:167:27 | SignOperation | +| openssl_basic.c:167:9:167:27 | SignatureOrMACOperation | | openssl_basic.c:167:34:167:36 | SignatureOutput | | openssl_basic.c:179:43:179:76 | Constant | | openssl_basic.c:180:42:180:59 | Constant | @@ -69,16 +69,24 @@ | openssl_signature.c:80:53:80:56 | Key | | openssl_signature.c:133:52:133:55 | Key | | openssl_signature.c:134:38:134:44 | Message | -| openssl_signature.c:135:9:135:27 | SignOperation | +| openssl_signature.c:135:9:135:27 | SignatureOrMACOperation | | openssl_signature.c:135:37:135:40 | SignatureOutput | -| openssl_signature.c:142:9:142:27 | SignOperation | +| openssl_signature.c:142:9:142:27 | SignatureOrMACOperation | | openssl_signature.c:142:37:142:46 | SignatureOutput | +| openssl_signature.c:165:54:165:57 | Key | +| openssl_signature.c:166:40:166:46 | Message | +| openssl_signature.c:167:9:167:29 | VerifyOperation | +| openssl_signature.c:167:39:167:47 | SignatureInput | | openssl_signature.c:190:57:190:60 | Key | | openssl_signature.c:196:38:196:44 | Message | -| openssl_signature.c:197:9:197:27 | SignOperation | +| openssl_signature.c:197:9:197:27 | SignatureOrMACOperation | | openssl_signature.c:197:37:197:40 | SignatureOutput | -| openssl_signature.c:204:9:204:27 | SignOperation | +| openssl_signature.c:204:9:204:27 | SignatureOrMACOperation | | openssl_signature.c:204:37:204:46 | SignatureOutput | +| openssl_signature.c:228:59:228:62 | Key | +| openssl_signature.c:234:40:234:46 | Message | +| openssl_signature.c:235:9:235:29 | VerifyOperation | +| openssl_signature.c:235:39:235:47 | SignatureInput | | openssl_signature.c:260:39:260:42 | Key | | openssl_signature.c:263:9:263:21 | SignOperation | | openssl_signature.c:263:33:263:36 | SignatureOutput | diff --git a/shared/quantum/codeql/quantum/experimental/Model.qll b/shared/quantum/codeql/quantum/experimental/Model.qll index 01448a2feb8..fa3145e4aec 100644 --- a/shared/quantum/codeql/quantum/experimental/Model.qll +++ b/shared/quantum/codeql/quantum/experimental/Model.qll @@ -1612,12 +1612,8 @@ module CryptographyBase Input> { final class MacOperationNode extends SignatureOrMacOperationNode { MacOperationNode() { this.getKeyOperationSubtype() = TMacMode() and - // Consider any operation a mac operation only if all algorithms going to the sink - // are MAC or unknown. This addresses the issue where an API allows for reuse of - // MAC operations for signatures. - forex(KeyOperationAlgorithmNode n | n = this.getAnAlgorithmOrGenericSource() | - n.getAlgorithmType() = KeyOpAlg::TMac(_) - ) + // If the type type could be a mac, then we will not consider it a mac operation exclusively. + not exists(KeyOperationSubtype t | t = this.getKeyOperationSubtype() and t = TMacMode()) } final override string getInternalType() { result = "MACOperation" } @@ -1628,7 +1624,6 @@ module CryptographyBase Input> { result.asElement() = instance.getInputConsumer().getConsumer() } - //KeyArtifactNode getAKey() { result.asElement() = instance.getKeyConsumer().getConsumer() } override NodeBase getChild(string edgeName) { result = super.getChild(edgeName) or @@ -1638,11 +1633,21 @@ module CryptographyBase Input> { } } - final class HmacAlgorithmNode extends KeyAgreementAlgorithmNode { + abstract class MacAlgorithmNode extends KeyOperationAlgorithmNode { + MacAlgorithmNode() { + instance.(KeyOperationAlgorithmInstance).getAlgorithmType() = KeyOpAlg::TMac(_) + } + + override string getInternalType() { result = "MACAlgorithm" } + } + + final class HmacAlgorithmNode extends MacAlgorithmNode { HmacAlgorithmInstance hmacInstance; HmacAlgorithmNode() { hmacInstance = instance.asAlg() } + override string getInternalType() { result = "HMACAlgorithm" } + NodeBase getHashAlgorithmOrUnknown() { result.asElement() = hmacInstance.getHashAlgorithmValueConsumer().getASource() } @@ -1658,6 +1663,7 @@ module CryptographyBase Input> { } } + // TODO: CMAC model class KeyAgreementOperationNode extends OperationNode, TKeyAgreementOperation { KeyAgreementSecretGenerationOperationInstance instance; @@ -2008,6 +2014,8 @@ module CryptographyBase Input> { } class SignatureOrMacOperationNode extends KeyOperationNode { + override SignatureOrMacOperationInstance instance; + SignatureOrMacOperationNode() { this.getKeyOperationSubtype() = TSignMode() or @@ -2017,6 +2025,18 @@ module CryptographyBase Input> { } override string getInternalType() { result = "SignatureOrMACOperation" } + + HashAlgorithmNode getHashAlgorithm() { + result = instance.getHashAlgorithmValueConsumer().getAKnownSourceNode() + } + + override NodeBase getChild(string key) { + result = super.getChild(key) + or + // [KNOWN_OR_UNKNOWN] + key = "HashAlgorithm" and + (if exists(this.getHashAlgorithm()) then result = this.getHashAlgorithm() else result = this) + } } class SignatureOperationNode extends SignatureOrMacOperationNode { @@ -2029,9 +2049,8 @@ module CryptographyBase Input> { or this.getKeyOperationSubtype() = TVerifyMode() and nodeName = "VerifyOperation" ) and - not exists(KeyOperationAlgorithmNode n | - n = this.getAnAlgorithmOrGenericSource() and n.getAlgorithmType() = KeyOpAlg::TMac(_) - ) + // If the type could be a mac, then we will not consider it a signature operation exclusively. + not exists(KeyOperationSubtype t | t = this.getKeyOperationSubtype() and t = TMacMode()) } override string getInternalType() { result = nodeName } @@ -2040,10 +2059,6 @@ module CryptographyBase Input> { result.asElement() = instance.getSignatureConsumer().getConsumer() } - HashAlgorithmNode getHashAlgorithm() { - result = instance.getHashAlgorithmValueConsumer().getAKnownSourceNode() - } - override NodeBase getChild(string key) { result = super.getChild(key) or From 0270fac4e771f897ec4ae5a6d731ad39f75066a7 Mon Sep 17 00:00:00 2001 From: "REDMOND\\brodes" Date: Tue, 1 Jul 2025 11:51:40 -0400 Subject: [PATCH 0014/1955] Crypto: Update model to have a mac operation instance that extends the signature or mac operation instance. --- .../codeql/quantum/experimental/Model.qll | 19 ++----------------- 1 file changed, 2 insertions(+), 17 deletions(-) diff --git a/shared/quantum/codeql/quantum/experimental/Model.qll b/shared/quantum/codeql/quantum/experimental/Model.qll index fa3145e4aec..672077d71e6 100644 --- a/shared/quantum/codeql/quantum/experimental/Model.qll +++ b/shared/quantum/codeql/quantum/experimental/Model.qll @@ -690,23 +690,6 @@ module CryptographyBase Input> { predicate shouldHavePaddingScheme() { any() } } - // abstract class SignatureOrMacAlgorithmInstance extends KeyOperationAlgorithmInstance { - // SignatureOrMacAlgorithmInstance() { - // this.getAlgorithmType() = KeyOpAlg::TSignature(_) - // or - // this.getAlgorithmType() = KeyOpAlg::TMac(_) - // } - // override predicate shouldHaveModeOfOperation() { none() } - // /** - // * Gets the hash algorithm used by this signature algorithm. - // */ - // abstract AlgorithmValueConsumer getHashAlgorithmValueConsumer(); - // } - // abstract class SignatureAlgorithmInstance extends SignatureOrMacAlgorithmInstance { - // SignatureAlgorithmInstance() { this.getAlgorithmType() = KeyOpAlg::TSignature(_) } - // } - abstract class MacOperationInstance extends KeyOperationAlgorithmInstance { } - abstract class HmacAlgorithmInstance extends KeyOperationAlgorithmInstance { HmacAlgorithmInstance() { this.getAlgorithmType() = KeyOpAlg::TMac(KeyOpAlg::HMAC()) } @@ -832,6 +815,8 @@ module CryptographyBase Input> { abstract ConsumerInputDataFlowNode getSignatureConsumer(); } + abstract class MacOperationInstance extends SignatureOrMacOperationInstance { } + abstract class EllipticCurveInstance extends AlgorithmInstance { /** * Gets the isolated name as it appears in source From 88d36aa57435211d6c3e62a65b13e118a665f559 Mon Sep 17 00:00:00 2001 From: "REDMOND\\brodes" Date: Tue, 1 Jul 2025 12:19:15 -0400 Subject: [PATCH 0015/1955] Crypto: Intermediate JCA updates to support new MAC model. Work in progress. --- java/ql/lib/experimental/quantum/JCA.qll | 38 ++++++++++++++++-------- 1 file changed, 25 insertions(+), 13 deletions(-) diff --git a/java/ql/lib/experimental/quantum/JCA.qll b/java/ql/lib/experimental/quantum/JCA.qll index dc86c463750..e4092d2f4fb 100644 --- a/java/ql/lib/experimental/quantum/JCA.qll +++ b/java/ql/lib/experimental/quantum/JCA.qll @@ -5,6 +5,7 @@ import java import semmle.code.java.dataflow.DataFlow import semmle.code.java.dataflow.TaintTracking import semmle.code.java.controlflow.Dominance +private import Crypto::KeyOpAlg as KeyOpAlg module JCAModel { import Language @@ -205,12 +206,6 @@ module JCAModel { ) } - bindingset[name] - predicate mac_name_to_mac_type_known(Crypto::TMacType type, string name) { - type = Crypto::HMAC() and - name.toUpperCase().matches("HMAC%") - } - bindingset[name] predicate key_agreement_name_to_type_known(Crypto::TKeyAgreementType type, string name) { type = Crypto::DH() and @@ -1480,7 +1475,7 @@ module JCAModel { module MacInitCallToMacOperationFlow = DataFlow::Global; - class KnownMacAlgorithm extends Crypto::MacAlgorithmInstance instanceof StringLiteral { + class KnownMacAlgorithm extends Crypto::KeyOperationAlgorithmInstance instanceof StringLiteral { MacGetInstanceAlgorithmValueConsumer consumer; KnownMacAlgorithm() { @@ -1490,13 +1485,30 @@ module JCAModel { MacGetInstanceAlgorithmValueConsumer getConsumer() { result = consumer } - override string getRawMacAlgorithmName() { result = super.getValue() } + override string getRawAlgorithmName() { result = super.getValue() } - override Crypto::MacType getMacType() { - if mac_name_to_mac_type_known(_, super.getValue()) - then mac_name_to_mac_type_known(result, super.getValue()) - else result = Crypto::OtherMacType() + override Crypto::KeyOpAlg::AlgorithmType getAlgorithmType() { + if super.getValue().toUpperCase().matches("HMAC%") + then result = KeyOpAlg::TMac(KeyOpAlg::HMAC()) + else + if super.getValue().toUpperCase().matches("CMAC%") + then result = KeyOpAlg::TMac(KeyOpAlg::CMAC()) + else result = KeyOpAlg::TMac(KeyOpAlg::OtherMacAlgorithmType()) } + + override Crypto::ConsumerInputDataFlowNode getKeySizeConsumer() { + // TODO: trace to any key size initializer? + none() + } + + override int getKeySizeFixed() { + // TODO: are there known fixed key sizes to consider? + none() + } + + override Crypto::ModeOfOperationAlgorithmInstance getModeOfOperationAlgorithm() { none() } + + override Crypto::PaddingAlgorithmInstance getPaddingAlgorithm() { none() } } class MacGetInstanceCall extends MethodCall { @@ -1566,7 +1578,7 @@ module JCAModel { ) } - override Crypto::ConsumerInputDataFlowNode getMessageConsumer() { + override Crypto::ConsumerInputDataFlowNode getInputConsumer() { result.asExpr() = super.getArgument(0) and super.getMethod().getParameterType(0).hasName("byte[]") } From ff930459387d997aa9f4cc297cba5cc8c7f6e58f Mon Sep 17 00:00:00 2001 From: "REDMOND\\brodes" Date: Tue, 1 Jul 2025 12:21:51 -0400 Subject: [PATCH 0016/1955] Crypto: remove JCA bad import. --- java/ql/lib/experimental/quantum/JCA.qll | 1 - 1 file changed, 1 deletion(-) diff --git a/java/ql/lib/experimental/quantum/JCA.qll b/java/ql/lib/experimental/quantum/JCA.qll index e4092d2f4fb..f6f5ba71ec2 100644 --- a/java/ql/lib/experimental/quantum/JCA.qll +++ b/java/ql/lib/experimental/quantum/JCA.qll @@ -5,7 +5,6 @@ import java import semmle.code.java.dataflow.DataFlow import semmle.code.java.dataflow.TaintTracking import semmle.code.java.controlflow.Dominance -private import Crypto::KeyOpAlg as KeyOpAlg module JCAModel { import Language From a98f4c29d3567c44c8499e198b81195a720a7961 Mon Sep 17 00:00:00 2001 From: "REDMOND\\brodes" Date: Tue, 1 Jul 2025 12:26:50 -0400 Subject: [PATCH 0017/1955] Crypto: Code scanning warning fix. --- shared/quantum/codeql/quantum/experimental/Model.qll | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/shared/quantum/codeql/quantum/experimental/Model.qll b/shared/quantum/codeql/quantum/experimental/Model.qll index 672077d71e6..ec09468b5d2 100644 --- a/shared/quantum/codeql/quantum/experimental/Model.qll +++ b/shared/quantum/codeql/quantum/experimental/Model.qll @@ -1597,7 +1597,7 @@ module CryptographyBase Input> { final class MacOperationNode extends SignatureOrMacOperationNode { MacOperationNode() { this.getKeyOperationSubtype() = TMacMode() and - // If the type type could be a mac, then we will not consider it a mac operation exclusively. + // If the type could be a mac, then we will not consider it a mac operation exclusively. not exists(KeyOperationSubtype t | t = this.getKeyOperationSubtype() and t = TMacMode()) } From fccdc30ac544ca6af17c132b69814543102d969f Mon Sep 17 00:00:00 2001 From: Joe Farebrother Date: Tue, 8 Jul 2025 11:10:38 +0100 Subject: [PATCH 0018/1955] Modernize incomplete ordering query --- python/ql/src/Classes/IncompleteOrdering.ql | 88 +++++++++------------ 1 file changed, 36 insertions(+), 52 deletions(-) diff --git a/python/ql/src/Classes/IncompleteOrdering.ql b/python/ql/src/Classes/IncompleteOrdering.ql index d6cd1230ece..bbb6ca5cf6d 100644 --- a/python/ql/src/Classes/IncompleteOrdering.ql +++ b/python/ql/src/Classes/IncompleteOrdering.ql @@ -2,7 +2,8 @@ * @name Incomplete ordering * @description Class defines one or more ordering method but does not define all 4 ordering comparison methods * @kind problem - * @tags reliability + * @tags quality + * reliability * correctness * @problem.severity warning * @sub-severity low @@ -11,63 +12,46 @@ */ import python +import semmle.python.dataflow.new.internal.DataFlowDispatch +import semmle.python.ApiGraphs -predicate total_ordering(Class cls) { - exists(Attribute a | a = cls.getADecorator() | a.getName() = "total_ordering") +predicate totalOrdering(Class cls) { + cls.getADecorator() = + API::moduleImport("functools").getMember("total_ordering").asSource().asExpr() +} + +Function getMethod(Class cls, string name) { + result = cls.getAMethod() and + result.getName() = name +} + +predicate definesStrictOrdering(Class cls, Function meth) { + meth = getMethod(cls, "__lt__") or - exists(Name n | n = cls.getADecorator() | n.getId() = "total_ordering") + not exists(getMethod(cls, "__lt__")) and + meth = getMethod(cls, "__gt__") } -string ordering_name(int n) { - result = "__lt__" and n = 1 +predicate definesNonStrictOrdering(Class cls, Function meth) { + meth = getMethod(cls, "__le__") or - result = "__le__" and n = 2 + not exists(getMethod(cls, "__le__")) and + meth = getMethod(cls, "__ge__") +} + +predicate missingComparison(Class cls, Function defined, string missing) { + definesStrictOrdering(cls, defined) and + not definesNonStrictOrdering(getADirectSuperclass*(cls), _) and + missing = "__le__ or __ge__" or - result = "__gt__" and n = 3 - or - result = "__ge__" and n = 4 + definesNonStrictOrdering(cls, defined) and + not definesStrictOrdering(getADirectSuperclass*(cls), _) and + missing = "__lt__ or __gt__" } -predicate overrides_ordering_method(ClassValue c, string name) { - name = ordering_name(_) and - ( - c.declaresAttribute(name) - or - exists(ClassValue sup | sup = c.getASuperType() and not sup = Value::named("object") | - sup.declaresAttribute(name) - ) - ) -} - -string unimplemented_ordering(ClassValue c, int n) { - not c = Value::named("object") and - not overrides_ordering_method(c, result) and - result = ordering_name(n) -} - -string unimplemented_ordering_methods(ClassValue c, int n) { - n = 0 and result = "" and exists(unimplemented_ordering(c, _)) - or - exists(string prefix, int nm1 | n = nm1 + 1 and prefix = unimplemented_ordering_methods(c, nm1) | - prefix = "" and result = unimplemented_ordering(c, n) - or - result = prefix and not exists(unimplemented_ordering(c, n)) and n < 5 - or - prefix != "" and result = prefix + " or " + unimplemented_ordering(c, n) - ) -} - -Value ordering_method(ClassValue c, string name) { - /* If class doesn't declare a method then don't blame this class (the superclass will be blamed). */ - name = ordering_name(_) and result = c.declaredAttribute(name) -} - -from ClassValue c, Value ordering, string name +from Class cls, Function defined, string missing where - not c.failedInference(_) and - not total_ordering(c.getScope()) and - ordering = ordering_method(c, name) and - exists(unimplemented_ordering(c, _)) -select c, - "Class " + c.getName() + " implements $@, but does not implement " + - unimplemented_ordering_methods(c, 4) + ".", ordering, name + not totalOrdering(cls) and + missingComparison(cls, defined, missing) +select cls, "This class implements $@, but does not implement an " + missing + " method.", defined, + defined.getName() From e71af8fd6d2b834a1de6629a82896900c79b1c11 Mon Sep 17 00:00:00 2001 From: Joe Farebrother Date: Tue, 8 Jul 2025 11:14:19 +0100 Subject: [PATCH 0019/1955] Move to subfolder --- python/ql/src/Classes/{ => Comparisons}/IncompleteOrdering.qhelp | 0 python/ql/src/Classes/{ => Comparisons}/IncompleteOrdering.ql | 0 .../src/Classes/{ => Comparisons/examples}/IncompleteOrdering.py | 0 3 files changed, 0 insertions(+), 0 deletions(-) rename python/ql/src/Classes/{ => Comparisons}/IncompleteOrdering.qhelp (100%) rename python/ql/src/Classes/{ => Comparisons}/IncompleteOrdering.ql (100%) rename python/ql/src/Classes/{ => Comparisons/examples}/IncompleteOrdering.py (100%) diff --git a/python/ql/src/Classes/IncompleteOrdering.qhelp b/python/ql/src/Classes/Comparisons/IncompleteOrdering.qhelp similarity index 100% rename from python/ql/src/Classes/IncompleteOrdering.qhelp rename to python/ql/src/Classes/Comparisons/IncompleteOrdering.qhelp diff --git a/python/ql/src/Classes/IncompleteOrdering.ql b/python/ql/src/Classes/Comparisons/IncompleteOrdering.ql similarity index 100% rename from python/ql/src/Classes/IncompleteOrdering.ql rename to python/ql/src/Classes/Comparisons/IncompleteOrdering.ql diff --git a/python/ql/src/Classes/IncompleteOrdering.py b/python/ql/src/Classes/Comparisons/examples/IncompleteOrdering.py similarity index 100% rename from python/ql/src/Classes/IncompleteOrdering.py rename to python/ql/src/Classes/Comparisons/examples/IncompleteOrdering.py From 4c5c4e06c3b0c0d80cf930a2910fe5a668bf21c4 Mon Sep 17 00:00:00 2001 From: Joe Farebrother Date: Tue, 8 Jul 2025 11:33:47 +0100 Subject: [PATCH 0020/1955] Move inconsistentEquality and equals-hash-mismatch to subfolder --- python/ql/src/Classes/{ => Comparisons}/EqualsOrHash.qhelp | 0 python/ql/src/Classes/{ => Comparisons}/EqualsOrHash.ql | 0 python/ql/src/Classes/{ => Comparisons}/EqualsOrNotEquals.qhelp | 0 python/ql/src/Classes/{ => Comparisons}/EqualsOrNotEquals.ql | 0 python/ql/src/Classes/{ => Comparisons/examples}/EqualsOrHash.py | 0 .../src/Classes/{ => Comparisons/examples}/EqualsOrNotEquals.py | 0 6 files changed, 0 insertions(+), 0 deletions(-) rename python/ql/src/Classes/{ => Comparisons}/EqualsOrHash.qhelp (100%) rename python/ql/src/Classes/{ => Comparisons}/EqualsOrHash.ql (100%) rename python/ql/src/Classes/{ => Comparisons}/EqualsOrNotEquals.qhelp (100%) rename python/ql/src/Classes/{ => Comparisons}/EqualsOrNotEquals.ql (100%) rename python/ql/src/Classes/{ => Comparisons/examples}/EqualsOrHash.py (100%) rename python/ql/src/Classes/{ => Comparisons/examples}/EqualsOrNotEquals.py (100%) diff --git a/python/ql/src/Classes/EqualsOrHash.qhelp b/python/ql/src/Classes/Comparisons/EqualsOrHash.qhelp similarity index 100% rename from python/ql/src/Classes/EqualsOrHash.qhelp rename to python/ql/src/Classes/Comparisons/EqualsOrHash.qhelp diff --git a/python/ql/src/Classes/EqualsOrHash.ql b/python/ql/src/Classes/Comparisons/EqualsOrHash.ql similarity index 100% rename from python/ql/src/Classes/EqualsOrHash.ql rename to python/ql/src/Classes/Comparisons/EqualsOrHash.ql diff --git a/python/ql/src/Classes/EqualsOrNotEquals.qhelp b/python/ql/src/Classes/Comparisons/EqualsOrNotEquals.qhelp similarity index 100% rename from python/ql/src/Classes/EqualsOrNotEquals.qhelp rename to python/ql/src/Classes/Comparisons/EqualsOrNotEquals.qhelp diff --git a/python/ql/src/Classes/EqualsOrNotEquals.ql b/python/ql/src/Classes/Comparisons/EqualsOrNotEquals.ql similarity index 100% rename from python/ql/src/Classes/EqualsOrNotEquals.ql rename to python/ql/src/Classes/Comparisons/EqualsOrNotEquals.ql diff --git a/python/ql/src/Classes/EqualsOrHash.py b/python/ql/src/Classes/Comparisons/examples/EqualsOrHash.py similarity index 100% rename from python/ql/src/Classes/EqualsOrHash.py rename to python/ql/src/Classes/Comparisons/examples/EqualsOrHash.py diff --git a/python/ql/src/Classes/EqualsOrNotEquals.py b/python/ql/src/Classes/Comparisons/examples/EqualsOrNotEquals.py similarity index 100% rename from python/ql/src/Classes/EqualsOrNotEquals.py rename to python/ql/src/Classes/Comparisons/examples/EqualsOrNotEquals.py From eb1b5a35d790d851bbbd469915a0288f6b01ad4f Mon Sep 17 00:00:00 2001 From: Joe Farebrother Date: Tue, 8 Jul 2025 15:33:59 +0100 Subject: [PATCH 0021/1955] Modernize inconsistent equality --- python/ql/lib/semmle/python/Class.qll | 6 ++ .../src/Classes/Comparisons/Comparisons.qll | 10 ++++ .../Classes/Comparisons/EqualsOrNotEquals.ql | 56 ++++++++----------- .../Classes/Comparisons/IncompleteOrdering.ql | 25 +++------ .../Comparisons/examples/EqualsOrNotEquals.py | 24 ++++++++ python/ql/src/Classes/Equality.qll | 25 +++++++-- 6 files changed, 92 insertions(+), 54 deletions(-) create mode 100644 python/ql/src/Classes/Comparisons/Comparisons.qll diff --git a/python/ql/lib/semmle/python/Class.qll b/python/ql/lib/semmle/python/Class.qll index 52c6c5aa389..58a6504b547 100644 --- a/python/ql/lib/semmle/python/Class.qll +++ b/python/ql/lib/semmle/python/Class.qll @@ -91,6 +91,12 @@ class Class extends Class_, Scope, AstNode { /** Gets a method defined in this class */ Function getAMethod() { result.getScope() = this } + /** Gets the method defined in this class with the specified name, if any. */ + Function getMethod(string name) { + result = this.getAMethod() and + result.getName() = name + } + override Location getLocation() { py_scope_location(result, this) } /** Gets the scope (module, class or function) in which this class is defined */ diff --git a/python/ql/src/Classes/Comparisons/Comparisons.qll b/python/ql/src/Classes/Comparisons/Comparisons.qll new file mode 100644 index 00000000000..b835b07ef44 --- /dev/null +++ b/python/ql/src/Classes/Comparisons/Comparisons.qll @@ -0,0 +1,10 @@ +/** Helper definitions for reasoning about comparison methods. */ + +import python +import semmle.python.ApiGraphs + +/** Holds if `cls` has the `functools.total_ordering` decorator. */ +predicate totalOrdering(Class cls) { + cls.getADecorator() = + API::moduleImport("functools").getMember("total_ordering").asSource().asExpr() +} diff --git a/python/ql/src/Classes/Comparisons/EqualsOrNotEquals.ql b/python/ql/src/Classes/Comparisons/EqualsOrNotEquals.ql index adac5a20e87..feeada86682 100644 --- a/python/ql/src/Classes/Comparisons/EqualsOrNotEquals.ql +++ b/python/ql/src/Classes/Comparisons/EqualsOrNotEquals.ql @@ -2,7 +2,8 @@ * @name Inconsistent equality and inequality * @description Defining only an equality method or an inequality method for a class violates the object model. * @kind problem - * @tags reliability + * @tags quality + * reliability * correctness * @problem.severity warning * @sub-severity high @@ -11,38 +12,29 @@ */ import python -import Equality +import Comparisons +import semmle.python.dataflow.new.internal.DataFlowDispatch +import Classes.Equality -string equals_or_ne() { result = "__eq__" or result = "__ne__" } - -predicate total_ordering(Class cls) { - exists(Attribute a | a = cls.getADecorator() | a.getName() = "total_ordering") +predicate missingEquality(Class cls, Function defined, string missing) { + defined = cls.getMethod("__ne__") and + not exists(cls.getMethod("__eq__")) and + missing = "__eq__" or - exists(Name n | n = cls.getADecorator() | n.getId() = "total_ordering") + // In python 3, __ne__ automatically delegates to __eq__ if its not defined in the hierarchy + // However if it is defined in a superclass (and isn't a delegation method) then it will use the superclass method (which may be incorrect) + defined = cls.getMethod("__eq__") and + not exists(cls.getMethod("__ne__")) and + exists(Function neMeth | + neMeth = getADirectSuperclass+(cls).getMethod("__ne__") and + not neMeth instanceof DelegatingEqualityMethod + ) and + missing = "__ne__" } -CallableValue implemented_method(ClassValue c, string name) { - result = c.declaredAttribute(name) and name = equals_or_ne() -} - -string unimplemented_method(ClassValue c) { - not c.declaresAttribute(result) and result = equals_or_ne() -} - -predicate violates_equality_contract( - ClassValue c, string present, string missing, CallableValue method -) { - missing = unimplemented_method(c) and - method = implemented_method(c, present) and - not c.failedInference(_) and - not total_ordering(c.getScope()) and - /* Python 3 automatically implements __ne__ if __eq__ is defined, but not vice-versa */ - not (major_version() = 3 and present = "__eq__" and missing = "__ne__") and - not method.getScope() instanceof DelegatingEqualityMethod and - not c.lookup(missing).(CallableValue).getScope() instanceof DelegatingEqualityMethod -} - -from ClassValue c, string present, string missing, CallableValue method -where violates_equality_contract(c, present, missing, method) -select method, "Class $@ implements " + present + " but does not implement " + missing + ".", c, - c.getName() +from Class cls, Function defined, string missing +where + not totalOrdering(cls) and + missingEquality(cls, defined, missing) +select cls, "This class implements $@, but does not implement " + missing + ".", defined, + defined.getName() diff --git a/python/ql/src/Classes/Comparisons/IncompleteOrdering.ql b/python/ql/src/Classes/Comparisons/IncompleteOrdering.ql index bbb6ca5cf6d..882321cc3f5 100644 --- a/python/ql/src/Classes/Comparisons/IncompleteOrdering.ql +++ b/python/ql/src/Classes/Comparisons/IncompleteOrdering.ql @@ -14,29 +14,20 @@ import python import semmle.python.dataflow.new.internal.DataFlowDispatch import semmle.python.ApiGraphs - -predicate totalOrdering(Class cls) { - cls.getADecorator() = - API::moduleImport("functools").getMember("total_ordering").asSource().asExpr() -} - -Function getMethod(Class cls, string name) { - result = cls.getAMethod() and - result.getName() = name -} +import Comparisons predicate definesStrictOrdering(Class cls, Function meth) { - meth = getMethod(cls, "__lt__") + meth = cls.getMethod("__lt__") or - not exists(getMethod(cls, "__lt__")) and - meth = getMethod(cls, "__gt__") + not exists(cls.getMethod("__lt__")) and + meth = cls.getMethod("__gt__") } predicate definesNonStrictOrdering(Class cls, Function meth) { - meth = getMethod(cls, "__le__") + meth = cls.getMethod("__le__") or - not exists(getMethod(cls, "__le__")) and - meth = getMethod(cls, "__ge__") + not exists(cls.getMethod("__le__")) and + meth = cls.getMethod("__ge__") } predicate missingComparison(Class cls, Function defined, string missing) { @@ -53,5 +44,5 @@ from Class cls, Function defined, string missing where not totalOrdering(cls) and missingComparison(cls, defined, missing) -select cls, "This class implements $@, but does not implement an " + missing + " method.", defined, +select cls, "This class implements $@, but does not implement " + missing + ".", defined, defined.getName() diff --git a/python/ql/src/Classes/Comparisons/examples/EqualsOrNotEquals.py b/python/ql/src/Classes/Comparisons/examples/EqualsOrNotEquals.py index 7e1ece7685c..32bc26d4737 100644 --- a/python/ql/src/Classes/Comparisons/examples/EqualsOrNotEquals.py +++ b/python/ql/src/Classes/Comparisons/examples/EqualsOrNotEquals.py @@ -30,3 +30,27 @@ class PointUpdated(object): def __ne__(self, other): # Improved: equality and inequality method defined (hash method still missing) return not self == other + + +class A: + def __init__(self, a): + self.a = a + + def __eq__(self, other): + print("A eq") + return self.a == other.a + + def __ne__(self, other): + print("A ne") + return self.a != other.a + +class B(A): + def __init__(self, a, b): + self.a = a + self.b = b + + def __eq__(self, other): + print("B eq") + return self.a == other.a and self.b == other.b + +print(B(1,2) != B(1,3)) diff --git a/python/ql/src/Classes/Equality.qll b/python/ql/src/Classes/Equality.qll index 347f5057c38..08162399e3e 100644 --- a/python/ql/src/Classes/Equality.qll +++ b/python/ql/src/Classes/Equality.qll @@ -1,4 +1,7 @@ +/** Utility definitions for reasoning about equality methods. */ + import python +import semmle.python.dataflow.new.DataFlow private Attribute dictAccess(LocalVariable var) { result.getName() = "__dict__" and @@ -59,16 +62,28 @@ class IdentityEqMethod extends Function { /** An (in)equality method that delegates to its complement */ class DelegatingEqualityMethod extends Function { DelegatingEqualityMethod() { - exists(Return ret, UnaryExpr not_, Compare comp, Cmpop op, Parameter p0, Parameter p1 | + exists(Return ret, UnaryExpr not_, Expr comp, Parameter p0, Parameter p1 | ret.getScope() = this and ret.getValue() = not_ and not_.getOp() instanceof Not and - not_.getOperand() = comp and - comp.compares(p0.getVariable().getAnAccess(), op, p1.getVariable().getAnAccess()) + not_.getOperand() = comp | - this.getName() = "__eq__" and op instanceof NotEq + exists(Cmpop op | + comp.(Compare).compares(p0.getVariable().getAnAccess(), op, p1.getVariable().getAnAccess()) + | + this.getName() = "__eq__" and op instanceof NotEq + or + this.getName() = "__ne__" and op instanceof Eq + ) or - this.getName() = "__ne__" and op instanceof Eq + exists(DataFlow::MethodCallNode call, string name | + call.calls(DataFlow::exprNode(p0.getVariable().getAnAccess()), name) and + call.getArg(0).asExpr() = p1.getVariable().getAnAccess() + | + this.getName() = "__eq__" and name = "__ne__" + or + this.getName() = "__ne__" and name = "__eq__" + ) ) } } From a687b60af987f948ef7df79b8d2825f930512ca4 Mon Sep 17 00:00:00 2001 From: Joe Farebrother Date: Wed, 9 Jul 2025 13:32:13 +0100 Subject: [PATCH 0022/1955] Modernise equals-hash-mismatch --- .../src/Classes/Comparisons/EqualsOrHash.ql | 53 +++---------------- 1 file changed, 8 insertions(+), 45 deletions(-) diff --git a/python/ql/src/Classes/Comparisons/EqualsOrHash.ql b/python/ql/src/Classes/Comparisons/EqualsOrHash.ql index 4c8cf2c1169..4e73cef92fd 100644 --- a/python/ql/src/Classes/Comparisons/EqualsOrHash.ql +++ b/python/ql/src/Classes/Comparisons/EqualsOrHash.ql @@ -14,50 +14,13 @@ import python -CallableValue defines_equality(ClassValue c, string name) { - ( - name = "__eq__" - or - major_version() = 2 and name = "__cmp__" - ) and - result = c.declaredAttribute(name) +predicate missingEquality(Class cls, Function defined) { + defined = cls.getMethod("__hash__") and + not exists(cls.getMethod("__eq__")) + // In python 3, the case of defined eq without hash automatically makes the class unhashable (even if a superclass defined hash) + // So this is not an issue. } -CallableValue implemented_method(ClassValue c, string name) { - result = defines_equality(c, name) - or - result = c.declaredAttribute("__hash__") and name = "__hash__" -} - -string unimplemented_method(ClassValue c) { - not exists(defines_equality(c, _)) and - ( - result = "__eq__" and major_version() = 3 - or - major_version() = 2 and result = "__eq__ or __cmp__" - ) - or - /* Python 3 automatically makes classes unhashable if __eq__ is defined, but __hash__ is not */ - not c.declaresAttribute(result) and result = "__hash__" and major_version() = 2 -} - -/** Holds if this class is unhashable */ -predicate unhashable(ClassValue cls) { - cls.lookup("__hash__") = Value::named("None") - or - cls.lookup("__hash__").(CallableValue).neverReturns() -} - -predicate violates_hash_contract(ClassValue c, string present, string missing, Value method) { - not unhashable(c) and - missing = unimplemented_method(c) and - method = implemented_method(c, present) and - not c.failedInference(_) -} - -from ClassValue c, string present, string missing, CallableValue method -where - violates_hash_contract(c, present, missing, method) and - exists(c.getScope()) // Suppress results that aren't from source -select method, "Class $@ implements " + present + " but does not define " + missing + ".", c, - c.getName() +from Class cls, Function defined +where missingEquality(cls, defined) +select cls, "This class implements $@, but does not implement __eq__.", defined, defined.getName() From 8fb9bdd0afb985b3d7e566db40177f4452286e6e Mon Sep 17 00:00:00 2001 From: Joe Farebrother Date: Wed, 9 Jul 2025 15:25:21 +0100 Subject: [PATCH 0023/1955] move equals attr test to equals attr folder --- .../equals-attr/DefineEqualsWhenAddingAttributes.expected | 1 + .../Classes/{equals-hash => equals-attr}/attr_eq_test.py | 0 .../Classes/equals-hash/DefineEqualsWhenAddingFields.expected | 1 - .../Classes/equals-hash/DefineEqualsWhenAddingFields.qlref | 1 - 4 files changed, 1 insertion(+), 2 deletions(-) rename python/ql/test/query-tests/Classes/{equals-hash => equals-attr}/attr_eq_test.py (100%) delete mode 100644 python/ql/test/query-tests/Classes/equals-hash/DefineEqualsWhenAddingFields.expected delete mode 100644 python/ql/test/query-tests/Classes/equals-hash/DefineEqualsWhenAddingFields.qlref diff --git a/python/ql/test/query-tests/Classes/equals-attr/DefineEqualsWhenAddingAttributes.expected b/python/ql/test/query-tests/Classes/equals-attr/DefineEqualsWhenAddingAttributes.expected index e69de29bb2d..2f5a5a249f5 100644 --- a/python/ql/test/query-tests/Classes/equals-attr/DefineEqualsWhenAddingAttributes.expected +++ b/python/ql/test/query-tests/Classes/equals-attr/DefineEqualsWhenAddingAttributes.expected @@ -0,0 +1 @@ +| attr_eq_test.py:21:1:21:27 | class BadColorPoint | The class 'BadColorPoint' does not override $@, but adds the new attribute $@. | attr_eq_test.py:10:5:10:28 | Function Point.__eq__ | '__eq__' | attr_eq_test.py:25:9:25:19 | Attribute | _color | diff --git a/python/ql/test/query-tests/Classes/equals-hash/attr_eq_test.py b/python/ql/test/query-tests/Classes/equals-attr/attr_eq_test.py similarity index 100% rename from python/ql/test/query-tests/Classes/equals-hash/attr_eq_test.py rename to python/ql/test/query-tests/Classes/equals-attr/attr_eq_test.py diff --git a/python/ql/test/query-tests/Classes/equals-hash/DefineEqualsWhenAddingFields.expected b/python/ql/test/query-tests/Classes/equals-hash/DefineEqualsWhenAddingFields.expected deleted file mode 100644 index 2f5a5a249f5..00000000000 --- a/python/ql/test/query-tests/Classes/equals-hash/DefineEqualsWhenAddingFields.expected +++ /dev/null @@ -1 +0,0 @@ -| attr_eq_test.py:21:1:21:27 | class BadColorPoint | The class 'BadColorPoint' does not override $@, but adds the new attribute $@. | attr_eq_test.py:10:5:10:28 | Function Point.__eq__ | '__eq__' | attr_eq_test.py:25:9:25:19 | Attribute | _color | diff --git a/python/ql/test/query-tests/Classes/equals-hash/DefineEqualsWhenAddingFields.qlref b/python/ql/test/query-tests/Classes/equals-hash/DefineEqualsWhenAddingFields.qlref deleted file mode 100644 index e542a6176ad..00000000000 --- a/python/ql/test/query-tests/Classes/equals-hash/DefineEqualsWhenAddingFields.qlref +++ /dev/null @@ -1 +0,0 @@ -Classes/DefineEqualsWhenAddingAttributes.ql \ No newline at end of file From 083d258585b0a226763b5301867c213b66456d25 Mon Sep 17 00:00:00 2001 From: Joe Farebrother Date: Fri, 11 Jul 2025 15:10:45 +0100 Subject: [PATCH 0024/1955] Add/update unit tests --- .../src/Classes/Comparisons/Comparisons.qll | 6 +- .../Classes/equals-hash/EqualsOrHash.expected | 2 + .../Classes/equals-hash/EqualsOrHash.qlref | 2 + .../Classes/equals-hash/equalsHash.py | 19 +++ .../EqualsOrNotEquals.expected | 2 + .../equals-not-equals/EqualsOrNotEquals.py | 147 ++++++++++++++++++ .../equals-not-equals/EqualsOrNotEquals.qlref | 2 + .../IncompleteOrdering.expected | 3 +- .../IncompleteOrdering.qlref | 3 +- .../incomplete_ordering.py | 30 +++- 10 files changed, 208 insertions(+), 8 deletions(-) create mode 100644 python/ql/test/query-tests/Classes/equals-hash/EqualsOrHash.expected create mode 100644 python/ql/test/query-tests/Classes/equals-hash/EqualsOrHash.qlref create mode 100644 python/ql/test/query-tests/Classes/equals-hash/equalsHash.py create mode 100644 python/ql/test/query-tests/Classes/equals-not-equals/EqualsOrNotEquals.expected create mode 100644 python/ql/test/query-tests/Classes/equals-not-equals/EqualsOrNotEquals.py create mode 100644 python/ql/test/query-tests/Classes/equals-not-equals/EqualsOrNotEquals.qlref diff --git a/python/ql/src/Classes/Comparisons/Comparisons.qll b/python/ql/src/Classes/Comparisons/Comparisons.qll index b835b07ef44..5c049410c69 100644 --- a/python/ql/src/Classes/Comparisons/Comparisons.qll +++ b/python/ql/src/Classes/Comparisons/Comparisons.qll @@ -5,6 +5,8 @@ import semmle.python.ApiGraphs /** Holds if `cls` has the `functools.total_ordering` decorator. */ predicate totalOrdering(Class cls) { - cls.getADecorator() = - API::moduleImport("functools").getMember("total_ordering").asSource().asExpr() + API::moduleImport("functools") + .getMember("total_ordering") + .asSource() + .flowsTo(DataFlow::exprNode(cls.getADecorator())) } diff --git a/python/ql/test/query-tests/Classes/equals-hash/EqualsOrHash.expected b/python/ql/test/query-tests/Classes/equals-hash/EqualsOrHash.expected new file mode 100644 index 00000000000..bd584939b43 --- /dev/null +++ b/python/ql/test/query-tests/Classes/equals-hash/EqualsOrHash.expected @@ -0,0 +1,2 @@ +| equalsHash.py:13:1:13:8 | Class C | This class implements $@, but does not implement __eq__. | equalsHash.py:14:5:14:23 | Function __hash__ | __hash__ | +| equalsHash.py:17:1:17:11 | Class D | This class implements $@, but does not implement __eq__. | equalsHash.py:18:5:18:23 | Function __hash__ | __hash__ | diff --git a/python/ql/test/query-tests/Classes/equals-hash/EqualsOrHash.qlref b/python/ql/test/query-tests/Classes/equals-hash/EqualsOrHash.qlref new file mode 100644 index 00000000000..e531bbc62e3 --- /dev/null +++ b/python/ql/test/query-tests/Classes/equals-hash/EqualsOrHash.qlref @@ -0,0 +1,2 @@ +query: Classes/Comparisons/EqualsOrHash.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql \ No newline at end of file diff --git a/python/ql/test/query-tests/Classes/equals-hash/equalsHash.py b/python/ql/test/query-tests/Classes/equals-hash/equalsHash.py new file mode 100644 index 00000000000..6b3ec5d2b02 --- /dev/null +++ b/python/ql/test/query-tests/Classes/equals-hash/equalsHash.py @@ -0,0 +1,19 @@ +class A: + def __eq__(self, other): + return True + + def __hash__(self, other): + return 7 + +# B is automatically non-hashable - so eq without hash never needs to alert +class B: + def __eq__(self, other): + return True + +class C: # $ Alert + def __hash__(self): + return 5 + +class D(A): # $ Alert + def __hash__(self): + return 4 \ No newline at end of file diff --git a/python/ql/test/query-tests/Classes/equals-not-equals/EqualsOrNotEquals.expected b/python/ql/test/query-tests/Classes/equals-not-equals/EqualsOrNotEquals.expected new file mode 100644 index 00000000000..ceec3c1cef9 --- /dev/null +++ b/python/ql/test/query-tests/Classes/equals-not-equals/EqualsOrNotEquals.expected @@ -0,0 +1,2 @@ +| EqualsOrNotEquals.py:14:1:14:8 | Class B | This class implements $@, but does not implement __eq__. | EqualsOrNotEquals.py:19:5:19:28 | Function __ne__ | __ne__ | +| EqualsOrNotEquals.py:37:1:37:11 | Class D | This class implements $@, but does not implement __ne__. | EqualsOrNotEquals.py:43:5:43:28 | Function __eq__ | __eq__ | diff --git a/python/ql/test/query-tests/Classes/equals-not-equals/EqualsOrNotEquals.py b/python/ql/test/query-tests/Classes/equals-not-equals/EqualsOrNotEquals.py new file mode 100644 index 00000000000..2052118e749 --- /dev/null +++ b/python/ql/test/query-tests/Classes/equals-not-equals/EqualsOrNotEquals.py @@ -0,0 +1,147 @@ +class A: + def __init__(self, a): + self.a = a + + # OK: __ne__ if not defined delegates to eq automatically + def __eq__(self, other): + return self.a == other.a + +assert (A(1) == A(1)) +assert not (A(1) == A(2)) +assert not (A(1) != A(1)) +assert (A(1) != A(2)) + +class B: # $ Alert + def __init__(self, b): + self.b = b + + # BAD: eq defaults to `is` + def __ne__(self, other): + return self.b != other.b + +assert not (B(1) == B(1)) # potentially unexpected +assert not (B(2) == B(2)) +assert not (B(1) != B(1)) +assert (B(1) != B(2)) + +class C: + def __init__(self, c): + self.c = c + + def __eq__(self, other): + return self.c == other.c + + def __ne__(self, other): + return self.c != other.c + +class D(C): # $ Alert + def __init__(self, c, d): + super().__init__(c) + self.d = d + + # BAD: ne is not defined, but the superclass ne is used instead of delegating, which may be incorrect + def __eq__(self, other): + return self.c == other.c and self.d == other.d + +assert (D(1,2) == D(1,2)) +assert not (D(1,2) == D(1,3)) +assert (D(1,2) != D(3,2)) +assert not (D(1,2) != D(1,3)) # Potentially unexpected + +class E: + def __init__(self, e): + self.e = e + + def __eq__(self, other): + return self.e == other.e + + def __ne__(self, other): + return not self.__eq__(other) + +class F(E): + def __init__(self, e, f): + super().__init__(e) + self.f = f + + # OK: superclass ne delegates to eq + def __eq__(self, other): + return self.e == other.e and self.f == other.f + +assert (F(1,2) == F(1,2)) +assert not (F(1,2) == F(1,3)) +assert (F(1,2) != F(3,2)) +assert (F(1,2) != F(1,3)) + +# Variations + +class E2: + def __init__(self, e): + self.e = e + + def __eq__(self, other): + return self.e == other.e + + def __ne__(self, other): + return not self == other + +class F2(E2): + def __init__(self, e, f): + super().__init__(e) + self.f = f + + # OK: superclass ne delegates to eq + def __eq__(self, other): + return self.e == other.e and self.f == other.f + +assert (F2(1,2) == F2(1,2)) +assert not (F2(1,2) == F2(1,3)) +assert (F2(1,2) != F2(3,2)) +assert (F2(1,2) != F2(1,3)) + +class E3: + def __init__(self, e): + self.e = e + + def __eq__(self, other): + return self.e == other.e + + def __ne__(self, other): + return not other.__eq__(self) + +class F3(E3): + def __init__(self, e, f): + super().__init__(e) + self.f = f + + # OK: superclass ne delegates to eq + def __eq__(self, other): + return self.e == other.e and self.f == other.f + +assert (F3(1,2) == F3(1,2)) +assert not (F3(1,2) == F3(1,3)) +assert (F3(1,2) != F3(3,2)) +assert (F3(1,2) != F3(1,3)) + +class E4: + def __init__(self, e): + self.e = e + + def __eq__(self, other): + return self.e == other.e + + def __ne__(self, other): + return not other == self + +class F4(E4): + def __init__(self, e, f): + super().__init__(e) + self.f = f + + # OK: superclass ne delegates to eq + def __eq__(self, other): + return self.e == other.e and self.f == other.f + +assert (F4(1,2) == F4(1,2)) +assert not (F4(1,2) == F4(1,3)) +assert (F4(1,2) != F4(3,2)) +assert (F4(1,2) != F4(1,3)) \ No newline at end of file diff --git a/python/ql/test/query-tests/Classes/equals-not-equals/EqualsOrNotEquals.qlref b/python/ql/test/query-tests/Classes/equals-not-equals/EqualsOrNotEquals.qlref new file mode 100644 index 00000000000..9b1e8646c0e --- /dev/null +++ b/python/ql/test/query-tests/Classes/equals-not-equals/EqualsOrNotEquals.qlref @@ -0,0 +1,2 @@ +query: Classes/Comparisons/EqualsOrNotEquals.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql \ No newline at end of file diff --git a/python/ql/test/query-tests/Classes/incomplete-ordering/IncompleteOrdering.expected b/python/ql/test/query-tests/Classes/incomplete-ordering/IncompleteOrdering.expected index d376a002335..94df0ad1d32 100644 --- a/python/ql/test/query-tests/Classes/incomplete-ordering/IncompleteOrdering.expected +++ b/python/ql/test/query-tests/Classes/incomplete-ordering/IncompleteOrdering.expected @@ -1 +1,2 @@ -| incomplete_ordering.py:3:1:3:26 | class PartOrdered | Class PartOrdered implements $@, but does not implement __le__ or __gt__ or __ge__. | incomplete_ordering.py:13:5:13:28 | Function PartOrdered.__lt__ | __lt__ | +| incomplete_ordering.py:3:1:3:26 | Class LtWithoutLe | This class implements $@, but does not implement __le__ or __ge__. | incomplete_ordering.py:13:5:13:28 | Function __lt__ | __lt__ | +| incomplete_ordering.py:28:1:28:17 | Class LendGeNoLt | This class implements $@, but does not implement __lt__ or __gt__. | incomplete_ordering.py:29:5:29:28 | Function __le__ | __le__ | diff --git a/python/ql/test/query-tests/Classes/incomplete-ordering/IncompleteOrdering.qlref b/python/ql/test/query-tests/Classes/incomplete-ordering/IncompleteOrdering.qlref index 3387dad807a..cb15c6a47ba 100644 --- a/python/ql/test/query-tests/Classes/incomplete-ordering/IncompleteOrdering.qlref +++ b/python/ql/test/query-tests/Classes/incomplete-ordering/IncompleteOrdering.qlref @@ -1 +1,2 @@ -Classes/IncompleteOrdering.ql \ No newline at end of file +query: Classes/Comparisons/IncompleteOrdering.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql \ No newline at end of file diff --git a/python/ql/test/query-tests/Classes/incomplete-ordering/incomplete_ordering.py b/python/ql/test/query-tests/Classes/incomplete-ordering/incomplete_ordering.py index 3c7514d7a83..2645819c43b 100644 --- a/python/ql/test/query-tests/Classes/incomplete-ordering/incomplete_ordering.py +++ b/python/ql/test/query-tests/Classes/incomplete-ordering/incomplete_ordering.py @@ -1,6 +1,6 @@ #Incomplete ordering -class PartOrdered(object): +class LtWithoutLe(object): # $ Alert def __eq__(self, other): return self is other @@ -13,6 +13,28 @@ class PartOrdered(object): def __lt__(self, other): return False -#Don't blame a sub-class for super-class's sins. -class DerivedPartOrdered(PartOrdered): - pass \ No newline at end of file +# Don't alert on subclass +class LtWithoutLeSub(LtWithoutLe): + pass + +class LeSub(LtWithoutLe): + def __le__(self, other): + return self < other or self == other + +class GeSub(LtWithoutLe): + def __ge__(self, other): + return self > other or self == other + +class LendGeNoLt: # $ Alert + def __le__(self, other): + return True + + def __ge__(self, other): + return other <= self + +from functools import total_ordering + +@total_ordering +class Total: + def __le__(self, other): + return True \ No newline at end of file From 843a6c8012471c9966bbe8cbb2e6e18c0118fb3e Mon Sep 17 00:00:00 2001 From: Joe Farebrother Date: Fri, 11 Jul 2025 15:12:59 +0100 Subject: [PATCH 0025/1955] Remove total order check from equals not equals (doesn't make sense there; total order doesn't define eq or ne methods at all) --- python/ql/src/Classes/Comparisons/Comparisons.qll | 12 ------------ .../ql/src/Classes/Comparisons/EqualsOrNotEquals.ql | 5 +---- .../ql/src/Classes/Comparisons/IncompleteOrdering.ql | 9 ++++++++- 3 files changed, 9 insertions(+), 17 deletions(-) delete mode 100644 python/ql/src/Classes/Comparisons/Comparisons.qll diff --git a/python/ql/src/Classes/Comparisons/Comparisons.qll b/python/ql/src/Classes/Comparisons/Comparisons.qll deleted file mode 100644 index 5c049410c69..00000000000 --- a/python/ql/src/Classes/Comparisons/Comparisons.qll +++ /dev/null @@ -1,12 +0,0 @@ -/** Helper definitions for reasoning about comparison methods. */ - -import python -import semmle.python.ApiGraphs - -/** Holds if `cls` has the `functools.total_ordering` decorator. */ -predicate totalOrdering(Class cls) { - API::moduleImport("functools") - .getMember("total_ordering") - .asSource() - .flowsTo(DataFlow::exprNode(cls.getADecorator())) -} diff --git a/python/ql/src/Classes/Comparisons/EqualsOrNotEquals.ql b/python/ql/src/Classes/Comparisons/EqualsOrNotEquals.ql index feeada86682..25aafea6db2 100644 --- a/python/ql/src/Classes/Comparisons/EqualsOrNotEquals.ql +++ b/python/ql/src/Classes/Comparisons/EqualsOrNotEquals.ql @@ -12,7 +12,6 @@ */ import python -import Comparisons import semmle.python.dataflow.new.internal.DataFlowDispatch import Classes.Equality @@ -33,8 +32,6 @@ predicate missingEquality(Class cls, Function defined, string missing) { } from Class cls, Function defined, string missing -where - not totalOrdering(cls) and - missingEquality(cls, defined, missing) +where missingEquality(cls, defined, missing) select cls, "This class implements $@, but does not implement " + missing + ".", defined, defined.getName() diff --git a/python/ql/src/Classes/Comparisons/IncompleteOrdering.ql b/python/ql/src/Classes/Comparisons/IncompleteOrdering.ql index 882321cc3f5..2a09b281058 100644 --- a/python/ql/src/Classes/Comparisons/IncompleteOrdering.ql +++ b/python/ql/src/Classes/Comparisons/IncompleteOrdering.ql @@ -14,7 +14,14 @@ import python import semmle.python.dataflow.new.internal.DataFlowDispatch import semmle.python.ApiGraphs -import Comparisons + +/** Holds if `cls` has the `functools.total_ordering` decorator. */ +predicate totalOrdering(Class cls) { + API::moduleImport("functools") + .getMember("total_ordering") + .asSource() + .flowsTo(DataFlow::exprNode(cls.getADecorator())) +} predicate definesStrictOrdering(Class cls, Function meth) { meth = cls.getMethod("__lt__") From 58f503de38cbd8e2cd9dc07a209a6fdfb4fb4376 Mon Sep 17 00:00:00 2001 From: Joe Farebrother Date: Fri, 11 Jul 2025 23:08:50 +0100 Subject: [PATCH 0026/1955] Update docs for incomplete ordering + inconsistent hashing --- .../Classes/Comparisons/EqualsOrHash.qhelp | 38 ++++++------ .../src/Classes/Comparisons/EqualsOrHash.ql | 2 +- .../Classes/Comparisons/EqualsOrNotEquals.ql | 2 +- .../Comparisons/IncompleteOrdering.qhelp | 30 +++++----- .../Classes/Comparisons/IncompleteOrdering.ql | 2 +- .../Comparisons/examples/EqualsOrHash.py | 58 +++---------------- .../Comparisons/examples/EqualsOrNotEquals.py | 23 -------- .../examples/IncompleteOrdering.py | 6 +- 8 files changed, 48 insertions(+), 113 deletions(-) diff --git a/python/ql/src/Classes/Comparisons/EqualsOrHash.qhelp b/python/ql/src/Classes/Comparisons/EqualsOrHash.qhelp index 28579a095f7..562ad7be1bd 100644 --- a/python/ql/src/Classes/Comparisons/EqualsOrHash.qhelp +++ b/python/ql/src/Classes/Comparisons/EqualsOrHash.qhelp @@ -4,42 +4,40 @@ -

    In order to conform to the object model, classes that define their own equality method should also -define their own hash method, or be unhashable. If the hash method is not defined then the hash of the -super class is used. This is unlikely to result in the expected behavior.

    +

    A hashable class has an __eq__ method, and a __hash__ method that agrees with equality. +When a hash method is defined, an equality method should also be defined; otherwise object identity is used for equality comparisons +which may not be intended. +

    -

    A class can be made unhashable by setting its __hash__ attribute to None.

    - -

    In Python 3, if you define a class-level equality method and omit a __hash__ method -then the class is automatically marked as unhashable.

    +

    Note that defining an __eq__ method without defining a __hash__ method automatically makes the class unhashable in Python 3. +(even if a superclass defines a hash method).

     -

    When you define an __eq__ method for a class, remember to implement a __hash__ method or set -__hash__ = None.

    +

    +If a __hash__ method is defined, ensure a compatible __eq__ method is also defined. +

    + +

    +To explicitly declare a class as unhashable, set __hash__ = None, rather than defining a __hash__ method that always +raises an exception. Otherwise, the class would be incorrectly identified as hashable by an isinstance(obj, collections.abc.Hashable) call. +

     -

    In the following example the Point class defines an equality method but -no hash method. If hash is called on this class then the hash method defined for object -is used. This is unlikely to give the required behavior. The PointUpdated class -is better as it defines both an equality and a hash method. -If Point was not to be used in dicts or sets, then it could be defined as -UnhashablePoint below. +

    In the following example, the A class defines an hash method but +no equality method. Equality will be determined by object identity, which may not be the expected behaviour.

    -

    -To comply fully with the object model this class should also define an inequality method (identified -by a separate rule).

    - +
  • Python Language Reference: object.__hash__.
    • -
  • Python Glossary: hashable.
    • +
  • Python Glossary: hashable.
    •  diff --git a/python/ql/src/Classes/Comparisons/EqualsOrHash.ql b/python/ql/src/Classes/Comparisons/EqualsOrHash.ql index 4e73cef92fd..54393cf1573 100644 --- a/python/ql/src/Classes/Comparisons/EqualsOrHash.ql +++ b/python/ql/src/Classes/Comparisons/EqualsOrHash.ql @@ -1,6 +1,6 @@ /** * @name Inconsistent equality and hashing - * @description Defining equality for a class without also defining hashability (or vice-versa) violates the object model. + * @description Defining a hash operation without defining equality may be a mistake. * @kind problem * @tags quality * reliability diff --git a/python/ql/src/Classes/Comparisons/EqualsOrNotEquals.ql b/python/ql/src/Classes/Comparisons/EqualsOrNotEquals.ql index 25aafea6db2..ea025f39c2f 100644 --- a/python/ql/src/Classes/Comparisons/EqualsOrNotEquals.ql +++ b/python/ql/src/Classes/Comparisons/EqualsOrNotEquals.ql @@ -1,6 +1,6 @@ /** * @name Inconsistent equality and inequality - * @description Defining only an equality method or an inequality method for a class violates the object model. + * @description Class definitions of equality and inequality operators may be inconsistent. * @kind problem * @tags quality * reliability diff --git a/python/ql/src/Classes/Comparisons/IncompleteOrdering.qhelp b/python/ql/src/Classes/Comparisons/IncompleteOrdering.qhelp index 7983985ccee..abb4faef59c 100644 --- a/python/ql/src/Classes/Comparisons/IncompleteOrdering.qhelp +++ b/python/ql/src/Classes/Comparisons/IncompleteOrdering.qhelp @@ -3,32 +3,34 @@ "qhelp.dtd"> -

    A class that implements an ordering operator -(__lt__, __gt__, __le__ or __ge__) should implement -all four in order that ordering between two objects is consistent and obeys the usual mathematical rules. -If the ordering is inconsistent with default equality, then __eq__ and __ne__ -should also be implemented. +

    A class that implements the rich comparison operators +(__lt__, __gt__, __le__, or __ge__) should ensure that all four +comparison operations <, <=, >, and >= function as expected, consistent +with expected mathematical rules. +In Python 3, this is ensured by implementing one of __lt__ or __gt__, and one of __le__ or __ge__. +If the ordering is not consistent with default equality, then __eq__ should also be implemented.

    -

    Ensure that all four ordering comparisons are implemented as well as __eq__ and -__ne__ if required.

    +

    Ensure that at least one of __lt__ or __gt__ and at least one of __le__ or __ge__ is defined. +

    -

    It is not necessary to manually implement all four comparisons, -the functools.total_ordering class decorator can be used.

    +

    +The functools.total_ordering class decorator can be used to automatically implement all four comparison methods from a single one, +which is typically the cleanest way to ensure all necessary comparison methods are implemented consistently.

     -

    In this example only the __lt__ operator has been implemented which could lead to -inconsistent behavior. __gt__, __le__, __ge__, and in this case, -__eq__ and __ne__ should be implemented.

    - +

    In the following example, only the __lt__ operator has been implemented, which would lead to unexpected +errors if the <= or >= operators are used on A instances. +The __le__ method should also be defined, as well as __eq__ in this case.

    +     -
  • Python Language Reference: Rich comparisons in Python.
    • +
  • Python Language Reference: Rich comparisons in Python.
    •  diff --git a/python/ql/src/Classes/Comparisons/IncompleteOrdering.ql b/python/ql/src/Classes/Comparisons/IncompleteOrdering.ql index 2a09b281058..e35f0c1a715 100644 --- a/python/ql/src/Classes/Comparisons/IncompleteOrdering.ql +++ b/python/ql/src/Classes/Comparisons/IncompleteOrdering.ql @@ -1,6 +1,6 @@ /** * @name Incomplete ordering - * @description Class defines one or more ordering method but does not define all 4 ordering comparison methods + * @description Class defines ordering comparison methods, but does not define both strict and nonstrict ordering methods, to ensure all four comparison operators behave as expected. * @kind problem * @tags quality * reliability diff --git a/python/ql/src/Classes/Comparisons/examples/EqualsOrHash.py b/python/ql/src/Classes/Comparisons/examples/EqualsOrHash.py index e89c75b30ad..601ce2b18d0 100644 --- a/python/ql/src/Classes/Comparisons/examples/EqualsOrHash.py +++ b/python/ql/src/Classes/Comparisons/examples/EqualsOrHash.py @@ -1,52 +1,8 @@ -# Incorrect: equality method defined but class contains no hash method -class Point(object): - - def __init__(self, x, y): - self._x = x - self._y = y - - def __repr__(self): - return 'Point(%r, %r)' % (self._x, self._y) - - def __eq__(self, other): - if not isinstance(other, Point): - return False - return self._x == other._x and self._y == other._y - - -# Improved: equality and hash method defined (inequality method still missing) -class PointUpdated(object): - - def __init__(self, x, y): - self._x = x - self._y = y - - def __repr__(self): - return 'Point(%r, %r)' % (self._x, self._y) - - def __eq__(self, other): - if not isinstance(other, Point): - return False - return self._x == other._x and self._y == other._y - - def __hash__(self): - return hash(self._x) ^ hash(self._y) - -# Improved: equality method defined and class instances made unhashable -class UnhashablePoint(object): - - def __init__(self, x, y): - self._x = x - self._y = y - - def __repr__(self): - return 'Point(%r, %r)' % (self._x, self._y) - - def __eq__(self, other): - if not isinstance(other, Point): - return False - return self._x == other._x and self._y == other._y - - #Tell the interpreter that instances of this class cannot be hashed - __hash__ = None +class A: + def __init__(self, a, b): + self.a = a + self.b = b + # No equality method is defined + def __hash__(self): + return hash((self.a, self.b)) diff --git a/python/ql/src/Classes/Comparisons/examples/EqualsOrNotEquals.py b/python/ql/src/Classes/Comparisons/examples/EqualsOrNotEquals.py index 32bc26d4737..080c9b8f6e4 100644 --- a/python/ql/src/Classes/Comparisons/examples/EqualsOrNotEquals.py +++ b/python/ql/src/Classes/Comparisons/examples/EqualsOrNotEquals.py @@ -31,26 +31,3 @@ class PointUpdated(object): return not self == other - -class A: - def __init__(self, a): - self.a = a - - def __eq__(self, other): - print("A eq") - return self.a == other.a - - def __ne__(self, other): - print("A ne") - return self.a != other.a - -class B(A): - def __init__(self, a, b): - self.a = a - self.b = b - - def __eq__(self, other): - print("B eq") - return self.a == other.a and self.b == other.b - -print(B(1,2) != B(1,3)) diff --git a/python/ql/src/Classes/Comparisons/examples/IncompleteOrdering.py b/python/ql/src/Classes/Comparisons/examples/IncompleteOrdering.py index 78b306880b0..7ea0f0f82a7 100644 --- a/python/ql/src/Classes/Comparisons/examples/IncompleteOrdering.py +++ b/python/ql/src/Classes/Comparisons/examples/IncompleteOrdering.py @@ -1,6 +1,8 @@ -class IncompleteOrdering(object): +class A: def __init__(self, i): self.i = i + # BAD: le is not defined, so `A(1) <= A(2) would result in an error.` def __lt__(self, other): - return self.i < other.i \ No newline at end of file + return self.i < other.i + \ No newline at end of file From ea48fcca8f55b76ed0383182734363b385c9b4cf Mon Sep 17 00:00:00 2001 From: Joe Farebrother Date: Mon, 14 Jul 2025 10:49:28 +0100 Subject: [PATCH 0027/1955] Update doc for equalsNotEquals --- .../Comparisons/EqualsOrNotEquals.qhelp | 42 ++++++++++++------- .../Comparisons/IncompleteOrdering.qhelp | 3 +- .../Comparisons/examples/EqualsOrNotEquals.py | 33 --------------- .../examples/EqualsOrNotEquals1.py | 15 +++++++ .../examples/EqualsOrNotEquals2.py | 21 ++++++++++ 5 files changed, 66 insertions(+), 48 deletions(-) delete mode 100644 python/ql/src/Classes/Comparisons/examples/EqualsOrNotEquals.py create mode 100644 python/ql/src/Classes/Comparisons/examples/EqualsOrNotEquals1.py create mode 100644 python/ql/src/Classes/Comparisons/examples/EqualsOrNotEquals2.py diff --git a/python/ql/src/Classes/Comparisons/EqualsOrNotEquals.qhelp b/python/ql/src/Classes/Comparisons/EqualsOrNotEquals.qhelp index c49f3d2529e..49e825d7ef4 100644 --- a/python/ql/src/Classes/Comparisons/EqualsOrNotEquals.qhelp +++ b/python/ql/src/Classes/Comparisons/EqualsOrNotEquals.qhelp @@ -4,33 +4,47 @@ -

    In order to conform to the object model, classes should define either no equality methods, or both -an equality and an inequality method. If only one of __eq__ or __ne__ is -defined then the method from the super class is used. This is unlikely to result in the expected -behavior.

    +

    In order to ensure the == and != operators behave consistently as expected (i.e. they should be negations of each other), care should be taken when implementing the +__eq__ and __ne__ special methods.

    + +

    In Python 3, if the __eq__ method is defined in a class while the __ne__ is not, +then the != operator will automatically delegate to the __eq__ method in the expected way. +

    + +

    However, if the __ne__ method is defined without a corresponding __eq__ method, + the == operator will still default to object identity (equivalent to the is operator), while the != + operator will use the __ne__ method, which may be inconsistent. + +

    Additionally, if the __ne__ method is defined on a superclass, and the subclass defines its own __eq__ method without overriding +the superclass __ne__ method, the != operator will use this superclass __ne__ method, rather than automatically delegating +to __eq__, which may be incorrect. -

    When you define an equality or an inequality method for a class, remember to implement both an -__eq__ method and an __ne__ method.

    +

    Ensure that when an __ne__ method is defined, the __eq__ method is also defined, and their results are consistent. +In most cases, the __ne__ method does not need to be defined at all, as the default behavior is to delegate to __eq__ and negate the result.

    -

    In the following example the PointOriginal class defines an equality method but -no inequality method. If this class is tested for inequality then a type error will be raised. The -PointUpdated class is better as it defines both an equality and an inequality method. To -comply fully with the object model this class should also define a hash method (identified by -a separate rule).

    +

    In the following example, A defines a __ne__ method, but not an __eq__ method. +This leads to inconsistent results between equality and inequality operators. +

    - + + +

    In the following example, C defines an __eq__ method, but its __ne__ implementation is inherited from B, +which is not consistent with the equality operation. +

    + +     -
  • Python Language Reference: object.__ne__, -Comparisons.
    • +
  • Python Language Reference: object.__ne__, +Comparisons.
    •  diff --git a/python/ql/src/Classes/Comparisons/IncompleteOrdering.qhelp b/python/ql/src/Classes/Comparisons/IncompleteOrdering.qhelp index abb4faef59c..6bffaed7b87 100644 --- a/python/ql/src/Classes/Comparisons/IncompleteOrdering.qhelp +++ b/python/ql/src/Classes/Comparisons/IncompleteOrdering.qhelp @@ -17,7 +17,8 @@ If the ordering is not consistent with default equality, then __eq__

    -The functools.total_ordering class decorator can be used to automatically implement all four comparison methods from a single one, +The functools.total_ordering class decorator can be used to automatically implement all four comparison methods from a +single one, which is typically the cleanest way to ensure all necessary comparison methods are implemented consistently.

    diff --git a/python/ql/src/Classes/Comparisons/examples/EqualsOrNotEquals.py b/python/ql/src/Classes/Comparisons/examples/EqualsOrNotEquals.py deleted file mode 100644 index 080c9b8f6e4..00000000000 --- a/python/ql/src/Classes/Comparisons/examples/EqualsOrNotEquals.py +++ /dev/null @@ -1,33 +0,0 @@ -class PointOriginal(object): - - def __init__(self, x, y): - self._x, x - self._y = y - - def __repr__(self): - return 'Point(%r, %r)' % (self._x, self._y) - - def __eq__(self, other): # Incorrect: equality is defined but inequality is not - if not isinstance(other, Point): - return False - return self._x == other._x and self._y == other._y - - -class PointUpdated(object): - - def __init__(self, x, y): - self._x, x - self._y = y - - def __repr__(self): - return 'Point(%r, %r)' % (self._x, self._y) - - def __eq__(self, other): - if not isinstance(other, Point): - return False - return self._x == other._x and self._y == other._y - - def __ne__(self, other): # Improved: equality and inequality method defined (hash method still missing) - return not self == other - - diff --git a/python/ql/src/Classes/Comparisons/examples/EqualsOrNotEquals1.py b/python/ql/src/Classes/Comparisons/examples/EqualsOrNotEquals1.py new file mode 100644 index 00000000000..2f749ebeb9e --- /dev/null +++ b/python/ql/src/Classes/Comparisons/examples/EqualsOrNotEquals1.py @@ -0,0 +1,15 @@ +class A: + def __init__(self, a): + self.a = a + + # BAD: ne is defined, but not eq. + def __ne__(self, other): + if not isinstance(other, A): + return NotImplemented + return self.a != other.a + +x = A(1) +y = A(1) + +print(x == y) # Prints False (potentially unexpected - object identity is used) +print(x != y) # Prints False diff --git a/python/ql/src/Classes/Comparisons/examples/EqualsOrNotEquals2.py b/python/ql/src/Classes/Comparisons/examples/EqualsOrNotEquals2.py new file mode 100644 index 00000000000..051108be9c5 --- /dev/null +++ b/python/ql/src/Classes/Comparisons/examples/EqualsOrNotEquals2.py @@ -0,0 +1,21 @@ +class B: + def __init__(self, b): + self.b = b + + def __eq__(self, other): + return self.b == other.b + + def __ne__(self, other): + return self.b != other.b + +class C(B): + def __init__(self, b, c): + super().init(b) + self.c = c + + # BAD: eq is defined, but != will use superclass ne method, which is not consistent + def __eq__(self, other): + return self.b == other.b and self.c == other.c + +print(C(1,2) == C(1,3)) # Prints False +print(C(1,2) != C(1,3)) # Prints False (potentially unexpected) \ No newline at end of file From 61af4e451484502a6ff651f3735b4196c2ce944b Mon Sep 17 00:00:00 2001 From: Joe Farebrother Date: Mon, 14 Jul 2025 11:00:05 +0100 Subject: [PATCH 0028/1955] Add changenote and update integraion test output --- .../query-suite/python-code-quality-extended.qls.expected | 4 +++- .../query-suite/python-code-quality.qls.expected | 4 +++- python/ql/src/change-notes/2025-07-14-comparisons.md | 4 ++++ 3 files changed, 10 insertions(+), 2 deletions(-) create mode 100644 python/ql/src/change-notes/2025-07-14-comparisons.md diff --git a/python/ql/integration-tests/query-suite/python-code-quality-extended.qls.expected b/python/ql/integration-tests/query-suite/python-code-quality-extended.qls.expected index 960972c508c..cbc32fbd4ca 100644 --- a/python/ql/integration-tests/query-suite/python-code-quality-extended.qls.expected +++ b/python/ql/integration-tests/query-suite/python-code-quality-extended.qls.expected @@ -1,6 +1,8 @@ +ql/python/ql/src/Classes/Comparisons/EqualsOrHash.ql +ql/python/ql/src/Classes/Comparisons/EqualsOrNotEquals.ql +ql/python/ql/src/Classes/Comparisons/IncompleteOrdering.ql ql/python/ql/src/Classes/ConflictingAttributesInBaseClasses.ql ql/python/ql/src/Classes/DefineEqualsWhenAddingAttributes.ql -ql/python/ql/src/Classes/EqualsOrHash.ql ql/python/ql/src/Classes/InconsistentMRO.ql ql/python/ql/src/Classes/InitCallsSubclass/InitCallsSubclassMethod.ql ql/python/ql/src/Classes/MissingCallToDel.ql diff --git a/python/ql/integration-tests/query-suite/python-code-quality.qls.expected b/python/ql/integration-tests/query-suite/python-code-quality.qls.expected index 960972c508c..cbc32fbd4ca 100644 --- a/python/ql/integration-tests/query-suite/python-code-quality.qls.expected +++ b/python/ql/integration-tests/query-suite/python-code-quality.qls.expected @@ -1,6 +1,8 @@ +ql/python/ql/src/Classes/Comparisons/EqualsOrHash.ql +ql/python/ql/src/Classes/Comparisons/EqualsOrNotEquals.ql +ql/python/ql/src/Classes/Comparisons/IncompleteOrdering.ql ql/python/ql/src/Classes/ConflictingAttributesInBaseClasses.ql ql/python/ql/src/Classes/DefineEqualsWhenAddingAttributes.ql -ql/python/ql/src/Classes/EqualsOrHash.ql ql/python/ql/src/Classes/InconsistentMRO.ql ql/python/ql/src/Classes/InitCallsSubclass/InitCallsSubclassMethod.ql ql/python/ql/src/Classes/MissingCallToDel.ql diff --git a/python/ql/src/change-notes/2025-07-14-comparisons.md b/python/ql/src/change-notes/2025-07-14-comparisons.md new file mode 100644 index 00000000000..a8a2bdacf31 --- /dev/null +++ b/python/ql/src/change-notes/2025-07-14-comparisons.md @@ -0,0 +1,4 @@ +--- +category: minorAnalysis +--- +* The queries `py/incomplete-ordering`, `py/inconsistent-equality`, and `py/equals-hash-mismatch` have been modernized; no longer relying on outdated libraries, improved documentation, and no longer producing alerts for problems specific to Python 2. \ No newline at end of file From f784bb0a35ed785abad01968b999844db2d20732 Mon Sep 17 00:00:00 2001 From: Joe Farebrother Date: Mon, 14 Jul 2025 14:26:49 +0100 Subject: [PATCH 0029/1955] Fix qldoc errors + typos --- python/ql/src/Classes/Comparisons/EqualsOrNotEquals.qhelp | 4 +++- .../ql/src/Classes/Comparisons/examples/EqualsOrNotEquals2.py | 2 +- .../ql/src/Classes/Comparisons/examples/IncompleteOrdering.py | 2 +- python/ql/test/query-tests/Classes/equals-hash/equalsHash.py | 2 +- 4 files changed, 6 insertions(+), 4 deletions(-) diff --git a/python/ql/src/Classes/Comparisons/EqualsOrNotEquals.qhelp b/python/ql/src/Classes/Comparisons/EqualsOrNotEquals.qhelp index 49e825d7ef4..74f20d9f0c5 100644 --- a/python/ql/src/Classes/Comparisons/EqualsOrNotEquals.qhelp +++ b/python/ql/src/Classes/Comparisons/EqualsOrNotEquals.qhelp @@ -14,10 +14,12 @@ then the != operator will automatically delegate to the __eq_

    However, if the __ne__ method is defined without a corresponding __eq__ method, the == operator will still default to object identity (equivalent to the is operator), while the != operator will use the __ne__ method, which may be inconsistent. +

    -

    Additionally, if the __ne__ method is defined on a superclass, and the subclass defines its own __eq__ method without overriding +

    Additionally, if the __ne__ method is defined on a superclass, and the subclass defines its own __eq__ method without overriding the superclass __ne__ method, the != operator will use this superclass __ne__ method, rather than automatically delegating to __eq__, which may be incorrect. +

     diff --git a/python/ql/src/Classes/Comparisons/examples/EqualsOrNotEquals2.py b/python/ql/src/Classes/Comparisons/examples/EqualsOrNotEquals2.py index 051108be9c5..9b76a2536a5 100644 --- a/python/ql/src/Classes/Comparisons/examples/EqualsOrNotEquals2.py +++ b/python/ql/src/Classes/Comparisons/examples/EqualsOrNotEquals2.py @@ -10,7 +10,7 @@ class B: class C(B): def __init__(self, b, c): - super().init(b) + super().__init__(b) self.c = c # BAD: eq is defined, but != will use superclass ne method, which is not consistent diff --git a/python/ql/src/Classes/Comparisons/examples/IncompleteOrdering.py b/python/ql/src/Classes/Comparisons/examples/IncompleteOrdering.py index 7ea0f0f82a7..5a18e393620 100644 --- a/python/ql/src/Classes/Comparisons/examples/IncompleteOrdering.py +++ b/python/ql/src/Classes/Comparisons/examples/IncompleteOrdering.py @@ -2,7 +2,7 @@ class A: def __init__(self, i): self.i = i - # BAD: le is not defined, so `A(1) <= A(2) would result in an error.` + # BAD: le is not defined, so `A(1) <= A(2)` would result in an error. def __lt__(self, other): return self.i < other.i \ No newline at end of file diff --git a/python/ql/test/query-tests/Classes/equals-hash/equalsHash.py b/python/ql/test/query-tests/Classes/equals-hash/equalsHash.py index 6b3ec5d2b02..c9e1e47350f 100644 --- a/python/ql/test/query-tests/Classes/equals-hash/equalsHash.py +++ b/python/ql/test/query-tests/Classes/equals-hash/equalsHash.py @@ -2,7 +2,7 @@ class A: def __eq__(self, other): return True - def __hash__(self, other): + def __hash__(self): return 7 # B is automatically non-hashable - so eq without hash never needs to alert From 0f04a8b2c0eacfba575a0cc9ae41f3e38c5b3721 Mon Sep 17 00:00:00 2001 From: Joe Farebrother Date: Mon, 14 Jul 2025 14:35:12 +0100 Subject: [PATCH 0030/1955] Update integration test output --- .../query-suite/python-security-and-quality.qls.expected | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/python/ql/integration-tests/query-suite/python-security-and-quality.qls.expected b/python/ql/integration-tests/query-suite/python-security-and-quality.qls.expected index 170d9f442f9..c7e6e0caad5 100644 --- a/python/ql/integration-tests/query-suite/python-security-and-quality.qls.expected +++ b/python/ql/integration-tests/query-suite/python-security-and-quality.qls.expected @@ -1,8 +1,8 @@ +ql/python/ql/src/Classes/Comparisons/EqualsOrHash.ql +ql/python/ql/src/Classes/Comparisons/EqualsOrNotEquals.ql +ql/python/ql/src/Classes/Comparisons/IncompleteOrdering.ql ql/python/ql/src/Classes/ConflictingAttributesInBaseClasses.ql ql/python/ql/src/Classes/DefineEqualsWhenAddingAttributes.ql -ql/python/ql/src/Classes/EqualsOrHash.ql -ql/python/ql/src/Classes/EqualsOrNotEquals.ql -ql/python/ql/src/Classes/IncompleteOrdering.ql ql/python/ql/src/Classes/InconsistentMRO.ql ql/python/ql/src/Classes/InitCallsSubclass/InitCallsSubclassMethod.ql ql/python/ql/src/Classes/MissingCallToDel.ql From 1851deb929ee0695fb8d5b48f2ecad92989e490a Mon Sep 17 00:00:00 2001 From: Napalys Klicius Date: Tue, 15 Jul 2025 08:27:56 +0200 Subject: [PATCH 0031/1955] Removed `libxmljs` from being marked as `sink` for `xml-bomb`. --- .../semmle/javascript/frameworks/XmlParsers.qll | 14 +++++++------- .../query-tests/Security/CWE-776/XmlBomb.expected | 8 -------- .../ql/test/query-tests/Security/CWE-776/libxml.js | 2 +- .../query-tests/Security/CWE-776/libxml.noent.js | 2 +- .../query-tests/Security/CWE-776/libxml.sax.js | 2 +- .../query-tests/Security/CWE-776/libxml.saxpush.js | 2 +- 6 files changed, 11 insertions(+), 19 deletions(-) diff --git a/javascript/ql/lib/semmle/javascript/frameworks/XmlParsers.qll b/javascript/ql/lib/semmle/javascript/frameworks/XmlParsers.qll index a451182aa21..c0a783c1764 100644 --- a/javascript/ql/lib/semmle/javascript/frameworks/XmlParsers.qll +++ b/javascript/ql/lib/semmle/javascript/frameworks/XmlParsers.qll @@ -49,9 +49,7 @@ module XML { override JS::Expr getSourceArgument() { result = this.getArgument(0) } override predicate resolvesEntities(EntityKind kind) { - // internal entities are always resolved - kind = InternalEntity() - or + not kind = InternalEntity() and // other entities are only resolved if the configuration option `noent` is set to `true` exists(JS::Expr noent | this.hasOptionArgument(1, "noent", noent) and @@ -126,8 +124,9 @@ module XML { override JS::Expr getSourceArgument() { result = this.getArgument(0) } override predicate resolvesEntities(EntityKind kind) { - // entities are resolved by default - any() + // SAX parsers in libxmljs also inherit libxml2's protection against XML bombs + kind = ExternalEntity(_) or + kind = ParameterEntity(true) } override DataFlow::Node getAResult() { @@ -149,8 +148,9 @@ module XML { override JS::Expr getSourceArgument() { result = this.getArgument(0) } override predicate resolvesEntities(EntityKind kind) { - // entities are resolved by default - any() + // SAX push parsers in libxmljs also inherit libxml2's protection against XML bombs + kind = ExternalEntity(_) or + kind = ParameterEntity(true) } override DataFlow::Node getAResult() { diff --git a/javascript/ql/test/query-tests/Security/CWE-776/XmlBomb.expected b/javascript/ql/test/query-tests/Security/CWE-776/XmlBomb.expected index 2b4d4180491..6a5c2adfb7a 100644 --- a/javascript/ql/test/query-tests/Security/CWE-776/XmlBomb.expected +++ b/javascript/ql/test/query-tests/Security/CWE-776/XmlBomb.expected @@ -5,10 +5,6 @@ | domparser.js:11:57:11:59 | src | domparser.js:2:13:2:36 | documen ... .search | domparser.js:11:57:11:59 | src | XML parsing depends on a $@ without guarding against uncontrolled entity expansion. | domparser.js:2:13:2:36 | documen ... .search | user-provided value | | expat.js:6:16:6:36 | req.par ... e-xml") | expat.js:6:16:6:36 | req.par ... e-xml") | expat.js:6:16:6:36 | req.par ... e-xml") | XML parsing depends on a $@ without guarding against uncontrolled entity expansion. | expat.js:6:16:6:36 | req.par ... e-xml") | user-provided value | | jquery.js:4:14:4:16 | src | jquery.js:2:13:2:36 | documen ... .search | jquery.js:4:14:4:16 | src | XML parsing depends on a $@ without guarding against uncontrolled entity expansion. | jquery.js:2:13:2:36 | documen ... .search | user-provided value | -| libxml.js:5:21:5:41 | req.par ... e-xml") | libxml.js:5:21:5:41 | req.par ... e-xml") | libxml.js:5:21:5:41 | req.par ... e-xml") | XML parsing depends on a $@ without guarding against uncontrolled entity expansion. | libxml.js:5:21:5:41 | req.par ... e-xml") | user-provided value | -| libxml.noent.js:5:21:5:41 | req.par ... e-xml") | libxml.noent.js:5:21:5:41 | req.par ... e-xml") | libxml.noent.js:5:21:5:41 | req.par ... e-xml") | XML parsing depends on a $@ without guarding against uncontrolled entity expansion. | libxml.noent.js:5:21:5:41 | req.par ... e-xml") | user-provided value | -| libxml.sax.js:6:22:6:42 | req.par ... e-xml") | libxml.sax.js:6:22:6:42 | req.par ... e-xml") | libxml.sax.js:6:22:6:42 | req.par ... e-xml") | XML parsing depends on a $@ without guarding against uncontrolled entity expansion. | libxml.sax.js:6:22:6:42 | req.par ... e-xml") | user-provided value | -| libxml.saxpush.js:6:15:6:35 | req.par ... e-xml") | libxml.saxpush.js:6:15:6:35 | req.par ... e-xml") | libxml.saxpush.js:6:15:6:35 | req.par ... e-xml") | XML parsing depends on a $@ without guarding against uncontrolled entity expansion. | libxml.saxpush.js:6:15:6:35 | req.par ... e-xml") | user-provided value | edges | closure.js:2:7:2:36 | src | closure.js:3:24:3:26 | src | provenance | | | closure.js:2:13:2:36 | documen ... .search | closure.js:2:7:2:36 | src | provenance | | @@ -31,8 +27,4 @@ nodes | jquery.js:2:7:2:36 | src | semmle.label | src | | jquery.js:2:13:2:36 | documen ... .search | semmle.label | documen ... .search | | jquery.js:4:14:4:16 | src | semmle.label | src | -| libxml.js:5:21:5:41 | req.par ... e-xml") | semmle.label | req.par ... e-xml") | -| libxml.noent.js:5:21:5:41 | req.par ... e-xml") | semmle.label | req.par ... e-xml") | -| libxml.sax.js:6:22:6:42 | req.par ... e-xml") | semmle.label | req.par ... e-xml") | -| libxml.saxpush.js:6:15:6:35 | req.par ... e-xml") | semmle.label | req.par ... e-xml") | subpaths diff --git a/javascript/ql/test/query-tests/Security/CWE-776/libxml.js b/javascript/ql/test/query-tests/Security/CWE-776/libxml.js index 6af2da17ef5..3f16e457dc3 100644 --- a/javascript/ql/test/query-tests/Security/CWE-776/libxml.js +++ b/javascript/ql/test/query-tests/Security/CWE-776/libxml.js @@ -2,5 +2,5 @@ const express = require('express'); const libxmljs = require('libxmljs'); express().get('/some/path', function(req) { - libxmljs.parseXml(req.param("some-xml")); // $ Alert - libxml expands internal general entities by default + libxmljs.parseXml(req.param("some-xml")); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-776/libxml.noent.js b/javascript/ql/test/query-tests/Security/CWE-776/libxml.noent.js index da133cc782e..de633c04688 100644 --- a/javascript/ql/test/query-tests/Security/CWE-776/libxml.noent.js +++ b/javascript/ql/test/query-tests/Security/CWE-776/libxml.noent.js @@ -2,5 +2,5 @@ const express = require('express'); const libxmljs = require('libxmljs'); express().get('/some/path', function(req) { - libxmljs.parseXml(req.param("some-xml"), { noent: true }); // $ Alert - unguarded entity expansion + libxmljs.parseXml(req.param("some-xml"), { noent: true }); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-776/libxml.sax.js b/javascript/ql/test/query-tests/Security/CWE-776/libxml.sax.js index 6049a8297a9..dc7ec2ddec0 100644 --- a/javascript/ql/test/query-tests/Security/CWE-776/libxml.sax.js +++ b/javascript/ql/test/query-tests/Security/CWE-776/libxml.sax.js @@ -3,5 +3,5 @@ const libxmljs = require('libxmljs'); express().get('/some/path', function(req) { const parser = new libxmljs.SaxParser(); - parser.parseString(req.param("some-xml")); // $ Alert - the SAX parser expands external entities by default + parser.parseString(req.param("some-xml")); }); diff --git a/javascript/ql/test/query-tests/Security/CWE-776/libxml.saxpush.js b/javascript/ql/test/query-tests/Security/CWE-776/libxml.saxpush.js index 2fc4afc8ce4..15e63bf5d53 100644 --- a/javascript/ql/test/query-tests/Security/CWE-776/libxml.saxpush.js +++ b/javascript/ql/test/query-tests/Security/CWE-776/libxml.saxpush.js @@ -3,5 +3,5 @@ const libxmljs = require('libxmljs'); express().get('/some/path', function(req) { const parser = new libxmljs.SaxPushParser(); - parser.push(req.param("some-xml")); // $ Alert - the SAX parser expands external entities by default + parser.push(req.param("some-xml")); }); From 887d80f49f22392bdc62b79b7d173d733a51d488 Mon Sep 17 00:00:00 2001 From: Napalys Klicius Date: Tue, 15 Jul 2025 09:37:34 +0200 Subject: [PATCH 0032/1955] Added change note --- javascript/ql/lib/change-notes/2025-07-15-xml-bomb-sinks.md | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 javascript/ql/lib/change-notes/2025-07-15-xml-bomb-sinks.md diff --git a/javascript/ql/lib/change-notes/2025-07-15-xml-bomb-sinks.md b/javascript/ql/lib/change-notes/2025-07-15-xml-bomb-sinks.md new file mode 100644 index 00000000000..b10509c0e06 --- /dev/null +++ b/javascript/ql/lib/change-notes/2025-07-15-xml-bomb-sinks.md @@ -0,0 +1,4 @@ +--- +category: minorAnalysis +--- +* Removed `libxmljs` as an XML bomb sink. The underlying libxml2 library now includes [entity reference loop detection](https://github.com/GNOME/libxml2/blob/0c948334a8f5c66d50e9f8992e62998017dc4fc6/NEWS#L905-L908) that prevents XML bomb attacks. From 15115f50c1914acce65cd1ee786bc831fe6345a9 Mon Sep 17 00:00:00 2001 From: Joe Farebrother Date: Tue, 15 Jul 2025 09:50:21 +0100 Subject: [PATCH 0033/1955] Remove old tests --- .../Classes/equals-hash/EqualsOrHash.expected | 1 - .../Classes/equals-hash/EqualsOrHash.qlref | 1 - .../Classes/equals-hash/equals_hash.py | 63 ------------------- .../equals-ne/EqualsOrNotEquals.expected | 1 - .../Classes/equals-ne/EqualsOrNotEquals.qlref | 1 - .../3/query-tests/Classes/equals-ne/test.py | 10 --- 6 files changed, 77 deletions(-) delete mode 100644 python/ql/test/3/query-tests/Classes/equals-hash/EqualsOrHash.expected delete mode 100644 python/ql/test/3/query-tests/Classes/equals-hash/EqualsOrHash.qlref delete mode 100644 python/ql/test/3/query-tests/Classes/equals-hash/equals_hash.py delete mode 100644 python/ql/test/3/query-tests/Classes/equals-ne/EqualsOrNotEquals.expected delete mode 100644 python/ql/test/3/query-tests/Classes/equals-ne/EqualsOrNotEquals.qlref delete mode 100644 python/ql/test/3/query-tests/Classes/equals-ne/test.py diff --git a/python/ql/test/3/query-tests/Classes/equals-hash/EqualsOrHash.expected b/python/ql/test/3/query-tests/Classes/equals-hash/EqualsOrHash.expected deleted file mode 100644 index 87cf5d1e464..00000000000 --- a/python/ql/test/3/query-tests/Classes/equals-hash/EqualsOrHash.expected +++ /dev/null @@ -1 +0,0 @@ -| equals_hash.py:24:5:24:23 | Function Hash.__hash__ | Class $@ implements __hash__ but does not define __eq__. | equals_hash.py:19:1:19:19 | class Hash | Hash | diff --git a/python/ql/test/3/query-tests/Classes/equals-hash/EqualsOrHash.qlref b/python/ql/test/3/query-tests/Classes/equals-hash/EqualsOrHash.qlref deleted file mode 100644 index 7eb0f07e51c..00000000000 --- a/python/ql/test/3/query-tests/Classes/equals-hash/EqualsOrHash.qlref +++ /dev/null @@ -1 +0,0 @@ -Classes/EqualsOrHash.ql \ No newline at end of file diff --git a/python/ql/test/3/query-tests/Classes/equals-hash/equals_hash.py b/python/ql/test/3/query-tests/Classes/equals-hash/equals_hash.py deleted file mode 100644 index d5a58d0b78c..00000000000 --- a/python/ql/test/3/query-tests/Classes/equals-hash/equals_hash.py +++ /dev/null @@ -1,63 +0,0 @@ -#Equals and hash - -class Eq(object): - - def __init__(self, data): - self.data = data - - def __eq__(self, other): - return self.data == other.data - -class Ne(object): - - def __init__(self, data): - self.data = data - - def __ne__(self, other): - return self.data != other.data - -class Hash(object): - - def __init__(self, data): - self.data = data - - def __hash__(self): - return hash(self.data) - -class Unhashable1(object): - - __hash__ = None - - -class EqOK1(Unhashable1): - - def __eq__(self, other): - return False - - def __ne__(self, other): - return True - -class Unhashable2(object): - - #Not the idiomatic way of doing it, but not uncommon either - def __hash__(self): - raise TypeError("unhashable object") - - -class EqOK2(Unhashable2): - - def __eq__(self, other): - return False - - def __ne__(self, other): - return True - -class ReflectiveNotEquals(object): - - def __ne__(self, other): - return not self == other - -class EqOK3(ReflectiveNotEquals, Unhashable1): - - def __eq__(self, other): - return self.data == other.data diff --git a/python/ql/test/3/query-tests/Classes/equals-ne/EqualsOrNotEquals.expected b/python/ql/test/3/query-tests/Classes/equals-ne/EqualsOrNotEquals.expected deleted file mode 100644 index 7e9c9458120..00000000000 --- a/python/ql/test/3/query-tests/Classes/equals-ne/EqualsOrNotEquals.expected +++ /dev/null @@ -1 +0,0 @@ -| test.py:9:5:9:28 | Function NotOK2.__ne__ | Class $@ implements __ne__ but does not implement __eq__. | test.py:7:1:7:13 | class NotOK2 | NotOK2 | diff --git a/python/ql/test/3/query-tests/Classes/equals-ne/EqualsOrNotEquals.qlref b/python/ql/test/3/query-tests/Classes/equals-ne/EqualsOrNotEquals.qlref deleted file mode 100644 index 163a9f3b667..00000000000 --- a/python/ql/test/3/query-tests/Classes/equals-ne/EqualsOrNotEquals.qlref +++ /dev/null @@ -1 +0,0 @@ -Classes/EqualsOrNotEquals.ql \ No newline at end of file diff --git a/python/ql/test/3/query-tests/Classes/equals-ne/test.py b/python/ql/test/3/query-tests/Classes/equals-ne/test.py deleted file mode 100644 index 15097820bf4..00000000000 --- a/python/ql/test/3/query-tests/Classes/equals-ne/test.py +++ /dev/null @@ -1,10 +0,0 @@ - -class OK: - - def __eq__(self, other): - return False - -class NotOK2: - - def __ne__(self, other): - return True From 638f6498f0058900ff046ef2af8a087a0af027c3 Mon Sep 17 00:00:00 2001 From: Napalys Klicius Date: Tue, 15 Jul 2025 09:54:55 +0200 Subject: [PATCH 0034/1955] Removed `lxml.etree.XMLParser` from xml bomb sinks --- python/ql/lib/semmle/python/frameworks/Lxml.qll | 10 ++-------- .../ql/test/library-tests/frameworks/lxml/parsing.py | 4 ++-- .../Security/CWE-776-XmlBomb/XmlBomb.expected | 10 ---------- 3 files changed, 4 insertions(+), 20 deletions(-) diff --git a/python/ql/lib/semmle/python/frameworks/Lxml.qll b/python/ql/lib/semmle/python/frameworks/Lxml.qll index c503d7d5cfb..e043093ed49 100644 --- a/python/ql/lib/semmle/python/frameworks/Lxml.qll +++ b/python/ql/lib/semmle/python/frameworks/Lxml.qll @@ -129,11 +129,6 @@ module Lxml { any(True t) ) or - kind.isXmlBomb() and - this.getKeywordParameter("huge_tree").getAValueReachingSink().asExpr() = any(True t) and - not this.getKeywordParameter("resolve_entities").getAValueReachingSink().asExpr() = - any(False t) - or kind.isDtdRetrieval() and this.getKeywordParameter("load_dtd").getAValueReachingSink().asExpr() = any(True t) and this.getKeywordParameter("no_network").getAValueReachingSink().asExpr() = any(False t) @@ -305,9 +300,8 @@ module Lxml { // note that there is no `resolve_entities` argument, so it's not possible to turn off XXE :O kind.isXxe() or - kind.isXmlBomb() and - this.getKeywordParameter("huge_tree").getAValueReachingSink().asExpr() = any(True t) - or + // libxml2 has built-in protection against XML bombs via entity reference loop detection, + // so lxml is not vulnerable to XML bomb attacks. kind.isDtdRetrieval() and this.getKeywordParameter("load_dtd").getAValueReachingSink().asExpr() = any(True t) and this.getKeywordParameter("no_network").getAValueReachingSink().asExpr() = any(False t) diff --git a/python/ql/test/library-tests/frameworks/lxml/parsing.py b/python/ql/test/library-tests/frameworks/lxml/parsing.py index 63cdc79b4c1..bff508f24ab 100644 --- a/python/ql/test/library-tests/frameworks/lxml/parsing.py +++ b/python/ql/test/library-tests/frameworks/lxml/parsing.py @@ -50,7 +50,7 @@ lxml.etree.fromstring(x, parser=parser) # $ decodeFormat=XML decodeInput=x xmlVu # Billion laughs vuln (also XXE) parser = lxml.etree.XMLParser(huge_tree=True) -lxml.etree.fromstring(x, parser=parser) # $ decodeFormat=XML decodeInput=x xmlVuln='XML bomb' xmlVuln='XXE' decodeOutput=lxml.etree.fromstring(..) +lxml.etree.fromstring(x, parser=parser) # $ decodeFormat=XML decodeInput=x xmlVuln='XXE' decodeOutput=lxml.etree.fromstring(..) # Safe for both Billion laughs and XXE parser = lxml.etree.XMLParser(resolve_entities=False, huge_tree=True) @@ -63,5 +63,5 @@ lxml.etree.fromstring(x, parser=parser) # $ decodeFormat=XML decodeInput=x xmlVu # iterparse configurations ... this doesn't use a parser argument but takes MOST (!) of # the normal XMLParser arguments. Specifically, it doesn't allow disabling XXE :O -lxml.etree.iterparse(xml_file, huge_tree=True) # $ decodeFormat=XML decodeInput=xml_file xmlVuln='XML bomb' xmlVuln='XXE' decodeOutput=lxml.etree.iterparse(..) getAPathArgument=xml_file +lxml.etree.iterparse(xml_file, huge_tree=True) # $ decodeFormat=XML decodeInput=xml_file xmlVuln='XXE' decodeOutput=lxml.etree.iterparse(..) getAPathArgument=xml_file lxml.etree.iterparse(xml_file, load_dtd=True, no_network=False) # $ decodeFormat=XML decodeInput=xml_file xmlVuln='DTD retrieval' xmlVuln='XXE' decodeOutput=lxml.etree.iterparse(..) getAPathArgument=xml_file diff --git a/python/ql/test/query-tests/Security/CWE-776-XmlBomb/XmlBomb.expected b/python/ql/test/query-tests/Security/CWE-776-XmlBomb/XmlBomb.expected index 8a7d7bc75e3..e217064d1df 100644 --- a/python/ql/test/query-tests/Security/CWE-776-XmlBomb/XmlBomb.expected +++ b/python/ql/test/query-tests/Security/CWE-776-XmlBomb/XmlBomb.expected @@ -1,14 +1,4 @@ edges -| test.py:1:26:1:32 | ControlFlowNode for ImportMember | test.py:1:26:1:32 | ControlFlowNode for request | provenance | | -| test.py:1:26:1:32 | ControlFlowNode for request | test.py:19:19:19:25 | ControlFlowNode for request | provenance | | -| test.py:19:5:19:15 | ControlFlowNode for xml_content | test.py:30:34:30:44 | ControlFlowNode for xml_content | provenance | | -| test.py:19:19:19:25 | ControlFlowNode for request | test.py:19:5:19:15 | ControlFlowNode for xml_content | provenance | AdditionalTaintStep | nodes -| test.py:1:26:1:32 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember | -| test.py:1:26:1:32 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| test.py:19:5:19:15 | ControlFlowNode for xml_content | semmle.label | ControlFlowNode for xml_content | -| test.py:19:19:19:25 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | -| test.py:30:34:30:44 | ControlFlowNode for xml_content | semmle.label | ControlFlowNode for xml_content | subpaths #select -| test.py:30:34:30:44 | ControlFlowNode for xml_content | test.py:1:26:1:32 | ControlFlowNode for ImportMember | test.py:30:34:30:44 | ControlFlowNode for xml_content | XML parsing depends on a $@ without guarding against uncontrolled entity expansion. | test.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value | From ea93b392f790f125f648738c46b3f6fb771b1d45 Mon Sep 17 00:00:00 2001 From: Napalys Klicius Date: Tue, 15 Jul 2025 09:57:02 +0200 Subject: [PATCH 0035/1955] Added change note for python --- .../ql/lib/change-notes/2025-07-15-xml-bomb-sinks-python.md | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 python/ql/lib/change-notes/2025-07-15-xml-bomb-sinks-python.md diff --git a/python/ql/lib/change-notes/2025-07-15-xml-bomb-sinks-python.md b/python/ql/lib/change-notes/2025-07-15-xml-bomb-sinks-python.md new file mode 100644 index 00000000000..11ff0181a01 --- /dev/null +++ b/python/ql/lib/change-notes/2025-07-15-xml-bomb-sinks-python.md @@ -0,0 +1,4 @@ +--- +category: minorAnalysis +--- +* Removed `lxml` as an XML bomb sink. The underlying libxml2 library now includes [entity reference loop detection](https://github.com/lxml/lxml/blob/f33ac2c2f5f9c4c4c1fc47f363be96db308f2fa6/doc/FAQ.txt#L1077) that prevents XML bomb attacks. From f0466ae9ca6fba695583bba90a0d6755aa9d9f7b Mon Sep 17 00:00:00 2001 From: Paolo Tranquilli Date: Tue, 15 Jul 2025 14:14:39 +0200 Subject: [PATCH 0036/1955] Cargo: upgrade dependencies --- Cargo.lock | 578 +++++++++++++++++++------------ rust/ast-generator/Cargo.toml | 2 +- rust/extractor/Cargo.toml | 36 +- rust/extractor/macros/Cargo.toml | 2 +- 4 files changed, 375 insertions(+), 243 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 263b16482a9..80adcc3e270 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -40,9 +40,9 @@ dependencies = [ [[package]] name = "anstream" -version = "0.6.18" +version = "0.6.19" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8acc5369981196006228e28809f761875c0327210a891e941f4c683b3a99529b" +checksum = "301af1932e46185686725e0fad2f8f2aa7da69dd70bf6ecc44d6b703844a3933" dependencies = [ "anstyle", "anstyle-parse", @@ -55,36 +55,36 @@ dependencies = [ [[package]] name = "anstyle" -version = "1.0.10" +version = "1.0.11" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "55cc3b69f167a1ef2e161439aa98aed94e6028e5f9a59be9a6ffb47aef1651f9" +checksum = "862ed96ca487e809f1c8e5a8447f6ee2cf102f846893800b20cebdf541fc6bbd" [[package]] name = "anstyle-parse" -version = "0.2.6" +version = "0.2.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3b2d16507662817a6a20a9ea92df6652ee4f94f914589377d69f3b21bc5798a9" +checksum = "4e7644824f0aa2c7b9384579234ef10eb7efb6a0deb83f9630a49594dd9c15c2" dependencies = [ "utf8parse", ] [[package]] name = "anstyle-query" -version = "1.1.2" +version = "1.1.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "79947af37f4177cfead1110013d678905c37501914fba0efea834c3fe9a8d60c" +checksum = "6c8bdeb6047d8983be085bab0ba1472e6dc604e7041dbf6fcd5e71523014fae9" dependencies = [ "windows-sys 0.59.0", ] [[package]] name = "anstyle-wincon" -version = "3.0.7" +version = "3.0.9" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ca3534e77181a9cc07539ad51f2141fe32f6c3ffd4df76db8ad92346b003ae4e" +checksum = "403f75924867bb1033c59fbf0797484329750cfbe3c4325cd33127941fabc882" dependencies = [ "anstyle", - "once_cell", + "once_cell_polyfill", "windows-sys 0.59.0", ] @@ -136,9 +136,9 @@ dependencies = [ [[package]] name = "autocfg" -version = "1.4.0" +version = "1.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ace50bade8e6234aa140d9a2f552bbee1db4d353f69b8217bc503490fc1a9f26" +checksum = "c08606f8c3cbf4ce6ec8e28fb0014a2c086708fe954eaa885384a6165172e7e8" [[package]] name = "base64" @@ -160,9 +160,9 @@ checksum = "1b8e56985ec62d17e9c1001dc89c88ecd7dc08e47eba5ec7c29c7b5eeecde967" [[package]] name = "borsh" -version = "1.5.5" +version = "1.5.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5430e3be710b68d984d1391c854eb431a9d548640711faa54eecb1df93db91cc" +checksum = "ad8646f98db542e39fc66e68a20b2144f6a732636df7c2354e74645faaa433ce" dependencies = [ "cfg_aliases", ] @@ -185,9 +185,9 @@ dependencies = [ [[package]] name = "bumpalo" -version = "3.16.0" +version = "3.19.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "79296716171880943b8470b5f8d03aa55eb2e645a4874bdbb28adb49162e012c" +checksum = "46c5e41b57b8bba42a04676d81cb89e9ee8e859a1a66f80a5a72e1cb76b34d43" [[package]] name = "bytemuck" @@ -221,25 +221,25 @@ dependencies = [ [[package]] name = "cargo-util-schemas" -version = "0.2.0" +version = "0.8.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e63d2780ac94487eb9f1fea7b0d56300abc9eb488800854ca217f102f5caccca" +checksum = "7dc1a6f7b5651af85774ae5a34b4e8be397d9cf4bc063b7e6dbd99a841837830" dependencies = [ "semver", "serde", "serde-untagged", "serde-value", - "thiserror 1.0.69", - "toml", + "thiserror", + "toml 0.8.23", "unicode-xid", "url", ] [[package]] name = "cargo_metadata" -version = "0.20.0" +version = "0.21.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4f7835cfc6135093070e95eb2b53e5d9b5c403dc3a6be6040ee026270aa82502" +checksum = "5cfca2aaa699835ba88faf58a06342a314a950d2b9686165e038286c30316868" dependencies = [ "camino", "cargo-platform", @@ -247,14 +247,14 @@ dependencies = [ "semver", "serde", "serde_json", - "thiserror 2.0.12", + "thiserror", ] [[package]] name = "cc" -version = "1.2.7" +version = "1.2.29" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a012a0df96dd6d06ba9a1b29d6402d1a5d77c6befd2566afdc26e10603dc93d7" +checksum = "5c1599538de2394445747c8cf7935946e3cc27e9625f889d979bfb2aaf569362" dependencies = [ "jobserver", "libc", @@ -317,7 +317,7 @@ dependencies = [ "chalk-derive", "chalk-ir", "ena", - "indexmap 2.9.0", + "indexmap 2.10.0", "itertools 0.12.1", "petgraph", "rustc-hash 1.1.0", @@ -341,9 +341,9 @@ dependencies = [ [[package]] name = "clap" -version = "4.5.40" +version = "4.5.41" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "40b6887a1d8685cebccf115538db5c0efe625ccac9696ad45c409d96566e910f" +checksum = "be92d32e80243a54711e5d7ce823c35c41c9d929dc4ab58e1276f625841aadf9" dependencies = [ "clap_builder", "clap_derive", @@ -351,9 +351,9 @@ dependencies = [ [[package]] name = "clap_builder" -version = "4.5.40" +version = "4.5.41" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e0c66c08ce9f0c698cbce5c0279d0bb6ac936d8674174fe48f736533b964f59e" +checksum = "707eab41e9622f9139419d573eca0900137718000c517d47da73045f54331c3d" dependencies = [ "anstream", "anstyle", @@ -363,9 +363,9 @@ dependencies = [ [[package]] name = "clap_derive" -version = "4.5.40" +version = "4.5.41" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d2c7947ae4cc3d851207c1adb5b5e260ff0cca11446b1d6d1423788e442257ce" +checksum = "ef4f52386a59ca4c860f7393bcf8abd8dfd91ecccc0f774635ff68e92eeef491" dependencies = [ "heck", "proc-macro2", @@ -375,9 +375,9 @@ dependencies = [ [[package]] name = "clap_lex" -version = "0.7.4" +version = "0.7.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f46ad14479a25103f283c0f10005961cf086d8dc42205bb44c46ac563475dca6" +checksum = "b94f61472cee1439c0b966b47e3aca9ae07e45d070759512cd390ea2bebc6675" [[package]] name = "codeql-autobuilder-rust" @@ -462,7 +462,7 @@ dependencies = [ "serde", "serde_json", "serde_with", - "toml", + "toml 0.9.2", "tracing", "tracing-flame", "tracing-subscriber", @@ -471,9 +471,9 @@ dependencies = [ [[package]] name = "colorchoice" -version = "1.0.3" +version = "1.0.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5b63caa9aa9397e2d9480a9b13673856c78d8ac123288526c37d7839f2a86990" +checksum = "b05b61dc5112cbb17e4b6cd61790d9845d13888356391624cbe7e41efeac1e75" [[package]] name = "core-foundation-sys" @@ -547,9 +547,9 @@ checksum = "d0a5c400df2834b80a4c3327b3aad3a4c4cd4de0629063962b03235697506a28" [[package]] name = "darling" -version = "0.20.10" +version = "0.20.11" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6f63b86c8a8826a49b8c21f08a2d07338eec8d900540f8630dc76284be802989" +checksum = "fc7f46116c46ff9ab3eb1597a45688b6715c6e628b5c133e288e709a29bcb4ee" dependencies = [ "darling_core", "darling_macro", @@ -557,9 +557,9 @@ dependencies = [ [[package]] name = "darling_core" -version = "0.20.10" +version = "0.20.11" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "95133861a8032aaea082871032f5815eb9e98cef03fa916ab4500513994df9e5" +checksum = "0d00b9596d185e565c2207a0b01f8bd1a135483d02d9b7b0a54b11da8d53412e" dependencies = [ "fnv", "ident_case", @@ -571,9 +571,9 @@ dependencies = [ [[package]] name = "darling_macro" -version = "0.20.10" +version = "0.20.11" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d336a2a514f6ccccaa3e09b02d41d35330c07ddf03a62165fcec10bb561c7806" +checksum = "fc34b93ccb385b40dc71c6fceac4b2ad23662c7eeb248cf10d529b7e055b6ead" dependencies = [ "darling_core", "quote", @@ -596,9 +596,9 @@ dependencies = [ [[package]] name = "deranged" -version = "0.3.11" +version = "0.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b42b6fa04a440b495c8b04d0e71b707c585f83cb9cb28cf8cd0d976c315e31b4" +checksum = "9c9e6a11ca8224451684bc0d7d5a7adbf8f2fd6887261a1cfc3c0432f9d4068e" dependencies = [ "powerfmt", "serde", @@ -860,9 +860,9 @@ checksum = "e5274423e17b7c9fc20b6e7e208532f9b19825d82dfd615708b70edd83df41f1" [[package]] name = "hashbrown" -version = "0.15.2" +version = "0.15.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bf151400ff0baff5465007dd2f3e717f3fe502074ca563069ce3a6629d07b289" +checksum = "5971ac85611da7067dbfcabef3c70ebb5606018acd9e2a3903a0da507521e0d5" dependencies = [ "allocator-api2", "equivalent", @@ -875,7 +875,7 @@ version = "0.10.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7382cf6263419f2d8df38c55d7da83da5c18aef87fc7a7fc1fb1e344edfe14c1" dependencies = [ - "hashbrown 0.15.2", + "hashbrown 0.15.4", ] [[package]] @@ -907,14 +907,15 @@ dependencies = [ [[package]] name = "iana-time-zone" -version = "0.1.61" +version = "0.1.63" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "235e081f3925a06703c2d0117ea8b91f042756fd6e7a6e5d901e8ca1a996b220" +checksum = "b0c919e5debc312ad217002b8048a17b7d83f80703865bbfcfebb0458b0b27d8" dependencies = [ "android_system_properties", "core-foundation-sys", "iana-time-zone-haiku", "js-sys", + "log 0.4.27", "wasm-bindgen", "windows-core", ] @@ -1054,12 +1055,12 @@ dependencies = [ [[package]] name = "indexmap" -version = "2.9.0" +version = "2.10.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cea70ddb795996207ad57735b50c5982d8844f38ba9ee5f1aedcfb708a2aa11e" +checksum = "fe4cd85333e22411419a0bcae1297d25e58c9443848b11dc6a86fefe8c78a661" dependencies = [ "equivalent", - "hashbrown 0.15.2", + "hashbrown 0.15.4", "serde", ] @@ -1089,6 +1090,15 @@ dependencies = [ "libc", ] +[[package]] +name = "intrusive-collections" +version = "0.9.7" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "189d0897e4cbe8c75efedf3502c18c887b05046e59d28404d4d8e46cbc4d1e86" +dependencies = [ + "memoffset", +] + [[package]] name = "is_terminal_polyfill" version = "1.70.1" @@ -1136,9 +1146,9 @@ checksum = "a037eddb7d28de1d0fc42411f501b53b75838d313908078d6698d064f3029b24" [[package]] name = "js-sys" -version = "0.3.76" +version = "0.3.77" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6717b6b5b077764fb5966237269cb3c64edddde4b14ce42647430a78ced9e7b7" +checksum = "1cfaf33c695fc6e08064efbc1f72ec937429614f25eef83af942d0e227c3a28f" dependencies = [ "once_cell", "wasm-bindgen", @@ -1146,9 +1156,9 @@ dependencies = [ [[package]] name = "kqueue" -version = "1.0.8" +version = "1.1.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7447f1ca1b7b563588a205fe93dea8df60fd981423a768bc1c0ded35ed147d0c" +checksum = "eac30106d7dce88daf4a3fcb4879ea939476d5074a9b7ddd0fb97fa4bed5596a" dependencies = [ "kqueue-sys", "libc", @@ -1184,9 +1194,9 @@ checksum = "1171693293099992e19cddea4e8b849964e9846f4acee11b3948bcc337be8776" [[package]] name = "libredox" -version = "0.1.3" +version = "0.1.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c0ff37bd590ca25063e35af745c343cb7a0271906fb7b37e4813e8f79f00268d" +checksum = "1580801010e535496706ba011c15f8532df6b42297d2e471fec38ceadd8c0638" dependencies = [ "bitflags 2.9.1", "libc", @@ -1211,9 +1221,9 @@ checksum = "241eaef5fd12c88705a01fc1066c48c4b36e0dd4377dcdc7ec3942cea7a69956" [[package]] name = "lock_api" -version = "0.4.12" +version = "0.4.13" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "07af8b9cdd281b7915f413fa73f29ebd5d55d0d3f0155584dade1ff18cea1b17" +checksum = "96936507f153605bddfcda068dd804796c84324ed2510809e5b2a624c81da765" dependencies = [ "autocfg", "scopeguard", @@ -1269,14 +1279,14 @@ dependencies = [ [[package]] name = "mio" -version = "1.0.3" +version = "1.0.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2886843bf800fba2e3377cff24abf6379b4c4d5c6681eaf9ea5b0d15090450bd" +checksum = "78bed444cc8a2160f01cbcf811ef18cac863ad68ae8ca62092e8db51d51c761c" dependencies = [ "libc", "log 0.4.27", - "wasi 0.11.0+wasi-snapshot-preview1", - "windows-sys 0.52.0", + "wasi 0.11.1+wasi-snapshot-preview1", + "windows-sys 0.59.0", ] [[package]] @@ -1366,9 +1376,15 @@ dependencies = [ [[package]] name = "once_cell" -version = "1.20.3" +version = "1.21.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "945462a4b81e43c4e3ba96bd7b49d834c6f61198356aa858733bc4acf3cbe62e" +checksum = "42f5e15c9953c5e4ccceeb2e7382a716482c34515315f7b03532b8b4e8393d2d" + +[[package]] +name = "once_cell_polyfill" +version = "1.70.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a4895175b425cb1f87721b59f0f286c2092bd4af812243672510e1ac53e2e0ad" [[package]] name = "oorandom" @@ -1401,10 +1417,20 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "b15813163c1d831bf4a13c3610c05c0d03b39feb07f7e09fa234dac9b15aaf39" [[package]] -name = "parking_lot" -version = "0.12.3" +name = "papaya" +version = "0.2.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f1bf18183cf54e8d6059647fc3063646a1801cf30896933ec2311622cc4b9a27" +checksum = "f92dd0b07c53a0a0c764db2ace8c541dc47320dad97c2200c2a637ab9dd2328f" +dependencies = [ + "equivalent", + "seize", +] + +[[package]] +name = "parking_lot" +version = "0.12.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "70d58bf43669b5795d1576d0641cfb6fbb2057bf629506267a92807158584a13" dependencies = [ "lock_api", "parking_lot_core", @@ -1412,9 +1438,9 @@ dependencies = [ [[package]] name = "parking_lot_core" -version = "0.9.10" +version = "0.9.11" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1e401f977ab385c9e4e3ab30627d6f26d00e2c73eef317493c4ec6d468726cf8" +checksum = "bc838d2a56b5b1a6c25f55575dfc605fabb63bb2365f6c2353ef9159aa69e4a5" dependencies = [ "cfg-if", "libc", @@ -1478,7 +1504,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "b4c5cc86750666a3ed20bdaf5ca2a0344f9c67674cae0515bec2da16fbaa47db" dependencies = [ "fixedbitset", - "indexmap 2.9.0", + "indexmap 2.10.0", ] [[package]] @@ -1495,9 +1521,9 @@ checksum = "7edddbd0b52d732b21ad9a5fab5c704c14cd949e5e9a1ec5929a24fded1b904c" [[package]] name = "portable-atomic" -version = "1.11.0" +version = "1.11.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "350e9b48cbc6b0e028b0473b114454c6316e57336ee184ceab6e53f72c178b3e" +checksum = "f84267b20a16ea918e43c6a88433c2d54fa145c92a811b5b047ccbe153674483" [[package]] name = "potential_utf" @@ -1632,12 +1658,12 @@ dependencies = [ [[package]] name = "ra_ap_base_db" -version = "0.0.288" +version = "0.0.294" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "edf27fccb119fe85faf51f51847df9695d3cca30c2427fed9b4d71e6adebb54f" +checksum = "3daac3b2c8e4e3d02d47f177c75360c85f16f4f9e6d60ee358a47532ccb35647" dependencies = [ "dashmap", - "indexmap 2.9.0", + "indexmap 2.10.0", "la-arena", "ra_ap_cfg", "ra_ap_intern", @@ -1655,9 +1681,9 @@ dependencies = [ [[package]] name = "ra_ap_cfg" -version = "0.0.288" +version = "0.0.294" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3cea86a5d6e84fd73824c26f52442807af911db038db821124b2ac65fac24209" +checksum = "bfcada4b644f965cf8972f31c28a343737c9c500c87d59d026a77bf5ce8ad76b" dependencies = [ "ra_ap_intern", "ra_ap_tt", @@ -1667,19 +1693,19 @@ dependencies = [ [[package]] name = "ra_ap_edition" -version = "0.0.288" +version = "0.0.294" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fb5538d534eeb8526071610664dc64b71ca336b78f6933ff7241d10c1f37e91b" +checksum = "732efa3d4cd5edc1578be0a33fa0f8052a348e52e6b95e7e161199f7166445b7" [[package]] name = "ra_ap_hir" -version = "0.0.288" +version = "0.0.294" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "44796828650900565917ddcc944fecdf6c7d5c3a8a31141f17268ea8c1d2e6f0" +checksum = "6de0998ba9f6d4f2b70e6be16c7beeda661bdf25cdae932ed10c45b8b6cc6d8f" dependencies = [ "arrayvec", "either", - "indexmap 2.9.0", + "indexmap 2.10.0", "itertools 0.14.0", "ra_ap_base_db", "ra_ap_cfg", @@ -1699,9 +1725,9 @@ dependencies = [ [[package]] name = "ra_ap_hir_def" -version = "0.0.288" +version = "0.0.294" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8949b2fb362a1e4eab4d90c7299f0fad3f2c887d9f7d9c286ac6530da4141f85" +checksum = "af1a22912226cfbc1909c09f30896cbbfd9acb5c051db9d55e1c557b5d7aa6f4" dependencies = [ "arrayvec", "bitflags 2.9.1", @@ -1709,7 +1735,7 @@ dependencies = [ "drop_bomb", "either", "fst", - "indexmap 2.9.0", + "indexmap 2.10.0", "itertools 0.14.0", "la-arena", "ra-ap-rustc_abi", @@ -1737,9 +1763,9 @@ dependencies = [ [[package]] name = "ra_ap_hir_expand" -version = "0.0.288" +version = "0.0.294" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "22457a431b5eeb67517e03266fddefe48839b060a674a6b18bd84269012ede1e" +checksum = "7ef269bd496048dd39288122ee05805c672df3a26cc9c05ce7bdde42f0656324" dependencies = [ "cov-mark", "either", @@ -1765,9 +1791,9 @@ dependencies = [ [[package]] name = "ra_ap_hir_ty" -version = "0.0.288" +version = "0.0.294" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3a4b7a7531414203e11ae447627e2909250eff392c06278ab53ae2a022ecc9fc" +checksum = "1d26605356ec9541148ce2dcf00e45b9bbe90424c9e04baeca3fb6c463ce2487" dependencies = [ "arrayvec", "bitflags 2.9.1", @@ -1778,7 +1804,7 @@ dependencies = [ "cov-mark", "either", "ena", - "indexmap 2.9.0", + "indexmap 2.10.0", "itertools 0.14.0", "la-arena", "oorandom", @@ -1806,9 +1832,9 @@ dependencies = [ [[package]] name = "ra_ap_ide_db" -version = "0.0.288" +version = "0.0.294" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "77741ceb096d4f5ecf5384210ea5a2b46878125047c6b0df2bdcfac08a20ea0c" +checksum = "087858853882a6dc56a2bd1da01ab0fc15d9e0ba2afd613d22df69097acc47a9" dependencies = [ "arrayvec", "bitflags 2.9.1", @@ -1816,7 +1842,7 @@ dependencies = [ "crossbeam-channel", "either", "fst", - "indexmap 2.9.0", + "indexmap 2.10.0", "itertools 0.14.0", "line-index", "memchr", @@ -1840,9 +1866,9 @@ dependencies = [ [[package]] name = "ra_ap_intern" -version = "0.0.288" +version = "0.0.294" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4a1872cd5a425db6d5247a7deca11526e3104757f6732447ac6ee93c3e795725" +checksum = "5ec1af1e540f93cc4c9642454c1ad7aa155d54d1533804da771ff05f19bb57fa" dependencies = [ "dashmap", "hashbrown 0.14.5", @@ -1852,9 +1878,9 @@ dependencies = [ [[package]] name = "ra_ap_load-cargo" -version = "0.0.288" +version = "0.0.294" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f30f5433f056594b02f1879c5c2ce76ea9fd395f21e2a55df6ce3229db993caa" +checksum = "a3343d16dc4b0f3337d4654f9d0c41363be4197aaf6f62a02b711440fdb3eaae" dependencies = [ "anyhow", "crossbeam-channel", @@ -1873,9 +1899,9 @@ dependencies = [ [[package]] name = "ra_ap_mbe" -version = "0.0.288" +version = "0.0.294" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "222a993acaec35e90c08357aecd530b7170cc3a7f13b3ddfd15a200029ccd555" +checksum = "c2253eeeef2ee51d8a7b43f86fe43883654b8a3bb56c9cb801de1bf457ca24d6" dependencies = [ "arrayvec", "cov-mark", @@ -1892,33 +1918,33 @@ dependencies = [ [[package]] name = "ra_ap_parser" -version = "0.0.288" +version = "0.0.294" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1c5693f5efd27832e1ac572ea756a1a4a3f7eba07f1287268ca111710971c2e5" +checksum = "df3bf4cde715c2343c24a39283534e7bd5498e29b6b938615ba0e02ba4e262b4" dependencies = [ "drop_bomb", "ra-ap-rustc_lexer", "ra_ap_edition", - "rustc-literal-escaper 0.0.3", + "rustc-literal-escaper 0.0.4", "tracing", ] [[package]] name = "ra_ap_paths" -version = "0.0.288" +version = "0.0.294" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "39418eff64e59d4bf90dd825ac7d242576e9554669824ebc55a6628bde0aaf10" +checksum = "c610195e29090ebc387061aa8d55c5d741004df2e15e11c62e34cf3037e61fe8" dependencies = [ "camino", ] [[package]] name = "ra_ap_proc_macro_api" -version = "0.0.288" +version = "0.0.294" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "14a315af8c4a9379c26abe7baa143d62e3975ff26f27c65332f9a5edccc56d38" +checksum = "537a1866f6e63a1405bac2aa9e32ae47ea2e38b0879d1e7ab00e53b03d787512" dependencies = [ - "indexmap 2.9.0", + "indexmap 2.10.0", "ra_ap_intern", "ra_ap_paths", "ra_ap_span", @@ -1933,9 +1959,9 @@ dependencies = [ [[package]] name = "ra_ap_profile" -version = "0.0.288" +version = "0.0.294" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "08274a0adbf8255f8b2672302452e31bbb2ed4d38324da9c72a7bf9cf1428483" +checksum = "4824370708bd413f38e697831d37878c44366ff18aa7dd95ab0af5e3a484c558" dependencies = [ "cfg-if", "libc", @@ -1945,9 +1971,9 @@ dependencies = [ [[package]] name = "ra_ap_project_model" -version = "0.0.288" +version = "0.0.294" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "33deecb3724faf91f13b0f1b5115af7c4f5c9dc1dfbbf45f55261aa28f874838" +checksum = "d97b1f2d3d8b6cd838264624192c0dbded200d7b7944a4731ab20bb18fab79b9" dependencies = [ "anyhow", "cargo_metadata", @@ -1971,9 +1997,9 @@ dependencies = [ [[package]] name = "ra_ap_query-group-macro" -version = "0.0.288" +version = "0.0.294" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5fdefdc9c8d6fd7d85ac572649378e83266262e09400bfdb7c8a7407d3cc2a3e" +checksum = "9d9c2a0a9519e59eeb2cc42991477e4cf4214c2e9e1ac29453d6bd6ccd05ed58" dependencies = [ "proc-macro2", "quote", @@ -1982,9 +2008,9 @@ dependencies = [ [[package]] name = "ra_ap_span" -version = "0.0.288" +version = "0.0.294" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c20071c89e1f7dd63c803130634f4bb6ce7783dc0e7ff90839d1d0f4e625b7a8" +checksum = "a2a224089b92abb04b36fa9dbd3e348a41997917e155eb9598d686766b15b4e9" dependencies = [ "hashbrown 0.14.5", "la-arena", @@ -1998,9 +2024,9 @@ dependencies = [ [[package]] name = "ra_ap_stdx" -version = "0.0.288" +version = "0.0.294" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "552df390b26624eca7936aea1dbbb3786d7a12477e26ef917ffabba19f75ad44" +checksum = "b565a5d6e364b3c6f955a5b20e1633e5db15df9f804fba26615150524eeccb2c" dependencies = [ "crossbeam-channel", "crossbeam-utils", @@ -2014,9 +2040,9 @@ dependencies = [ [[package]] name = "ra_ap_syntax" -version = "0.0.288" +version = "0.0.294" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a78db1a9966c0fa05446b8185da35a325680741119366c6246e4a9800f29143a" +checksum = "092f544af4e1c974924417ec5d1864544d99329d26ecc72cded2c99a86e6f710" dependencies = [ "either", "itertools 0.14.0", @@ -2024,7 +2050,7 @@ dependencies = [ "ra_ap_stdx", "rowan", "rustc-hash 2.1.1", - "rustc-literal-escaper 0.0.3", + "rustc-literal-escaper 0.0.4", "smol_str", "tracing", "triomphe", @@ -2032,9 +2058,9 @@ dependencies = [ [[package]] name = "ra_ap_syntax-bridge" -version = "0.0.288" +version = "0.0.294" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e69ef7fad8598d5c9f14a375d56ec12200fa927bc805b600af419611f4642fdb" +checksum = "3dcebacacf0a3fa1eac8f8ae57260602652fe4b2dbc3a1931cd854855fc744b2" dependencies = [ "ra_ap_intern", "ra_ap_parser", @@ -2047,9 +2073,9 @@ dependencies = [ [[package]] name = "ra_ap_toolchain" -version = "0.0.288" +version = "0.0.294" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "628f3f190def67b1116d8bdd6ec4f6f206fada2c93b84ba71086d60c63429282" +checksum = "08f64f934312af8dde360d0327322452f14e772e6ddc5449629a3bd840127cdd" dependencies = [ "camino", "home", @@ -2057,9 +2083,9 @@ dependencies = [ [[package]] name = "ra_ap_tt" -version = "0.0.288" +version = "0.0.294" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e050f4ad13df59e90e38332860304a3e85ff2fa8d4585b8cc44fc982923c82b1" +checksum = "48c511a2238fb0b8a1437ad99d8361f48d60ca5267faf457748d47657bddbf55" dependencies = [ "arrayvec", "ra-ap-rustc_lexer", @@ -2070,13 +2096,13 @@ dependencies = [ [[package]] name = "ra_ap_vfs" -version = "0.0.288" +version = "0.0.294" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "62082190f0b3551e4d941bcaaac51a7c39c85b2e193bcc50d0807e1701da4083" +checksum = "7b8a98fbdf277b873c08937c0d5357f44b33c6d689b96f331653c2df1bb82d29" dependencies = [ "crossbeam-channel", "fst", - "indexmap 2.9.0", + "indexmap 2.10.0", "nohash-hasher", "ra_ap_paths", "ra_ap_stdx", @@ -2086,9 +2112,9 @@ dependencies = [ [[package]] name = "ra_ap_vfs-notify" -version = "0.0.288" +version = "0.0.294" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "efd7cfa1095b81bd1994ab70e5543c97a8733987eb0ddf390cf3ad58d4e2dc57" +checksum = "9e1c54fc0e6b8bc6204a160019c80a26d4ca26c99729387e12d06c0bc421acdd" dependencies = [ "crossbeam-channel", "notify", @@ -2153,9 +2179,9 @@ dependencies = [ [[package]] name = "redox_syscall" -version = "0.5.8" +version = "0.5.13" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "03a862b389f93e68874fbf580b9de08dd02facb9a788ebadaf4a3fd33cf58834" +checksum = "0d04b7d0ee6b4a0207a0a7adb104d23ecb0b47d6beae7152d0fa34b692b29fd6" dependencies = [ "bitflags 2.9.1", ] @@ -2265,15 +2291,15 @@ checksum = "0041b6238913c41fe704213a4a9329e2f685a156d1781998128b4149c230ad04" [[package]] name = "rustc-literal-escaper" -version = "0.0.3" +version = "0.0.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "78744cd17f5d01c75b709e49807d1363e02a940ccee2e9e72435843fdb0d076e" +checksum = "ab03008eb631b703dd16978282ae36c73282e7922fe101a4bd072a40ecea7b8b" [[package]] name = "rustc-stable-hash" -version = "0.1.1" +version = "0.1.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2febf9acc5ee5e99d1ad0afcdbccc02d87aa3f857a1f01f825b80eacf8edfcd1" +checksum = "781442f29170c5c93b7185ad559492601acdc71d5bb0706f5868094f45cfcd08" [[package]] name = "rustc_apfloat" @@ -2286,23 +2312,31 @@ dependencies = [ ] [[package]] -name = "ryu" -version = "1.0.19" +name = "rustversion" +version = "1.0.21" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6ea1a2d0a644769cc99faa24c3ad26b379b786fe7c36fd3c546254801650e6dd" +checksum = "8a0d197bd2c9dc6e53b84da9556a69ba4cdfab8619eb41a8bd1cc2027a0f6b1d" + +[[package]] +name = "ryu" +version = "1.0.20" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "28d3b2b1366ec20994f1fd18c3c594f05c5dd4bc44d8bb0c1c632c8d6829481f" [[package]] name = "salsa" -version = "0.22.0" +version = "0.23.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c8fff508e3d6ef42a32607f7538e17171a877a12015e32036f46e99d00c95781" +checksum = "2e235afdb8e510f38a07138fbe5a0b64691894358a9c0cbd813b1aade110efc9" dependencies = [ "boxcar", "crossbeam-queue", - "dashmap", - "hashbrown 0.15.2", + "crossbeam-utils", + "hashbrown 0.15.4", "hashlink", - "indexmap 2.9.0", + "indexmap 2.10.0", + "intrusive-collections", + "papaya", "parking_lot", "portable-atomic", "rayon", @@ -2316,17 +2350,16 @@ dependencies = [ [[package]] name = "salsa-macro-rules" -version = "0.22.0" +version = "0.23.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8ea72b3c06f2ce6350fe3a0eeb7aaaf842d1d8352b706973c19c4f02e298a87c" +checksum = "2edb86a7e9c91f6d30c9ce054312721dbe773a162db27bbfae834d16177b30ce" [[package]] name = "salsa-macros" -version = "0.22.0" +version = "0.23.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0ce92025bc160b27814a207cb78d680973af17f863c7f4fc56cf3a535e22f378" +checksum = "d0778d6e209051bc4e75acfe83bcd7848601ec3dbe9c3dbb982829020e9128af" dependencies = [ - "heck", "proc-macro2", "quote", "syn", @@ -2354,6 +2387,18 @@ dependencies = [ "serde_json", ] +[[package]] +name = "schemars" +version = "1.0.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "82d20c4491bc164fa2f6c5d44565947a52ad80b9505d8e36f8d54c27c739fcd0" +dependencies = [ + "dyn-clone", + "ref-cast", + "serde", + "serde_json", +] + [[package]] name = "scoped-tls" version = "1.0.1" @@ -2366,6 +2411,16 @@ version = "1.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49" +[[package]] +name = "seize" +version = "0.5.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e4b8d813387d566f627f3ea1b914c068aac94c40ae27ec43f5f33bde65abefe7" +dependencies = [ + "libc", + "windows-sys 0.52.0", +] + [[package]] name = "semver" version = "1.0.26" @@ -2438,17 +2493,27 @@ dependencies = [ ] [[package]] -name = "serde_with" -version = "3.13.0" +name = "serde_spanned" +version = "1.0.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bf65a400f8f66fb7b0552869ad70157166676db75ed8181f8104ea91cf9d0b42" +checksum = "40734c41988f7306bb04f0ecf60ec0f3f1caa34290e4e8ea471dcd3346483b83" +dependencies = [ + "serde", +] + +[[package]] +name = "serde_with" +version = "3.14.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f2c45cd61fefa9db6f254525d46e392b852e0e61d9a1fd36e5bd183450a556d5" dependencies = [ "base64", "chrono", "hex", "indexmap 1.9.3", - "indexmap 2.9.0", - "schemars", + "indexmap 2.10.0", + "schemars 0.9.0", + "schemars 1.0.4", "serde", "serde_derive", "serde_json", @@ -2458,9 +2523,9 @@ dependencies = [ [[package]] name = "serde_with_macros" -version = "3.13.0" +version = "3.14.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "81679d9ed988d5e9a5e6531dc3f2c28efbd639cbd1dfb628df08edea6004da77" +checksum = "de90945e6565ce0d9a25098082ed4ee4002e047cb59892c318d66821e14bb30f" dependencies = [ "darling", "proc-macro2", @@ -2474,7 +2539,7 @@ version = "0.9.34+deprecated" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "6a8b1a1a2ebf674015cc02edccce75287f1a0130d394307b36743c2f5d504b47" dependencies = [ - "indexmap 2.9.0", + "indexmap 2.10.0", "itoa", "ryu", "serde", @@ -2532,9 +2597,9 @@ checksum = "7da8b5736845d9f2fcb837ea5d9e2628564b3b043a70948a3f0b778838c5fb4f" [[package]] name = "syn" -version = "2.0.103" +version = "2.0.104" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e4307e30089d6fd6aff212f2da3a1f9e32f3223b1f010fb09b7c95f90f3ca1e8" +checksum = "17b6f705963418cdb9927482fa304bc562ece2fdd4f616084c50b7023b435a40" dependencies = [ "proc-macro2", "quote", @@ -2543,9 +2608,9 @@ dependencies = [ [[package]] name = "synstructure" -version = "0.13.1" +version = "0.13.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c8af7666ab7b6390ab78131fb5b0fce11d6b7a6951602017c35fa82800708971" +checksum = "728a70f3dbaf5bab7f0c4b1ac8d7ae5ea60a4b5549c8a5914361c99147a709d2" dependencies = [ "proc-macro2", "quote", @@ -2564,33 +2629,13 @@ version = "0.2.14" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "144f754d318415ac792f9d69fc87abbbfc043ce2ef041c60f16ad828f638717d" -[[package]] -name = "thiserror" -version = "1.0.69" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b6aaf5339b578ea85b50e080feb250a3e8ae8cfcdff9a461c9ec2904bc923f52" -dependencies = [ - "thiserror-impl 1.0.69", -] - [[package]] name = "thiserror" version = "2.0.12" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "567b8a2dae586314f7be2a752ec7474332959c6460e02bde30d702a66d488708" dependencies = [ - "thiserror-impl 2.0.12", -] - -[[package]] -name = "thiserror-impl" -version = "1.0.69" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4fee6c4efc90059e10f81e6d42c60a18f76588c3d74cb83a0b242a2b6c7504c1" -dependencies = [ - "proc-macro2", - "quote", - "syn", + "thiserror-impl", ] [[package]] @@ -2616,9 +2661,9 @@ dependencies = [ [[package]] name = "time" -version = "0.3.37" +version = "0.3.41" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "35e7868883861bd0e56d9ac6efcaaca0d6d5d82a2a7ec8209ff492c07cf37b21" +checksum = "8a7619e19bc266e0f9c5e6686659d394bc57973859340060a69221e57dbc0c40" dependencies = [ "deranged", "itoa", @@ -2631,15 +2676,15 @@ dependencies = [ [[package]] name = "time-core" -version = "0.1.2" +version = "0.1.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ef927ca75afb808a4d64dd374f00a2adf8d0fcff8e7b184af886c3c87ec4a3f3" +checksum = "c9e9a38711f559d9e3ce1cdb06dd7c5b8ea546bc90052da6d06bb76da74bb07c" [[package]] name = "time-macros" -version = "0.2.19" +version = "0.2.22" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2834e6017e3e5e4b9834939793b282bc03b37a3336245fa820e35e233e2a85de" +checksum = "3526739392ec93fd8b359c8e98514cb3e8e021beb4e5f597b00a0221f8ed8a49" dependencies = [ "num-conv", "time-core", @@ -2662,11 +2707,26 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "dc1beb996b9d83529a9e75c17a1686767d148d70663143c7854d8b4a09ced362" dependencies = [ "serde", - "serde_spanned", - "toml_datetime", + "serde_spanned 0.6.9", + "toml_datetime 0.6.11", "toml_edit", ] +[[package]] +name = "toml" +version = "0.9.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ed0aee96c12fa71097902e0bb061a5e1ebd766a6636bb605ba401c45c1650eac" +dependencies = [ + "indexmap 2.10.0", + "serde", + "serde_spanned 1.0.0", + "toml_datetime 0.7.0", + "toml_parser", + "toml_writer", + "winnow", +] + [[package]] name = "toml_datetime" version = "0.6.11" @@ -2676,26 +2736,50 @@ dependencies = [ "serde", ] +[[package]] +name = "toml_datetime" +version = "0.7.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "bade1c3e902f58d73d3f294cd7f20391c1cb2fbcb643b73566bc773971df91e3" +dependencies = [ + "serde", +] + [[package]] name = "toml_edit" version = "0.22.27" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "41fe8c660ae4257887cf66394862d21dbca4a6ddd26f04a3560410406a2f819a" dependencies = [ - "indexmap 2.9.0", + "indexmap 2.10.0", "serde", - "serde_spanned", - "toml_datetime", + "serde_spanned 0.6.9", + "toml_datetime 0.6.11", "toml_write", "winnow", ] +[[package]] +name = "toml_parser" +version = "1.0.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "97200572db069e74c512a14117b296ba0a80a30123fbbb5aa1f4a348f639ca30" +dependencies = [ + "winnow", +] + [[package]] name = "toml_write" version = "0.1.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "5d99f8c9a7727884afe522e9bd5edbfc91a3312b36a77b5fb8926e4c31a41801" +[[package]] +name = "toml_writer" +version = "1.0.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "fcc842091f2def52017664b53082ecbbeb5c7731092bad69d2c63050401dfd64" + [[package]] name = "tracing" version = "0.1.41" @@ -2709,9 +2793,9 @@ dependencies = [ [[package]] name = "tracing-attributes" -version = "0.1.28" +version = "0.1.30" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "395ae124c09f9e6918a2310af6038fba074bcf474ac352496d5910dd59a2226d" +checksum = "81383ab64e72a7a8b8e13130c49e3dab29def6d0c7d76a03087b3cf71c5c6903" dependencies = [ "proc-macro2", "quote", @@ -2720,9 +2804,9 @@ dependencies = [ [[package]] name = "tracing-core" -version = "0.1.33" +version = "0.1.34" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e672c95779cf947c5311f83787af4fa8fffd12fb27e4993211a84bdfd9610f9c" +checksum = "b9d12581f227e93f094d3af2ae690a574abb8a2b9b7a96e7cfe9647b2b617678" dependencies = [ "once_cell", "valuable", @@ -2866,9 +2950,9 @@ checksum = "a3e5df347f0bf3ec1d670aad6ca5c6a1859cd9ea61d2113125794654ccced68f" [[package]] name = "unicode-ident" -version = "1.0.17" +version = "1.0.18" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "00e2473a93778eb0bad35909dff6a10d28e63f792f16ed15e404fca9d5eeedbe" +checksum = "5a5f39404a5da50712a4c1eecf25e90dd62b613502b7e925fd4e4d19b5c96512" [[package]] name = "unicode-properties" @@ -2913,9 +2997,9 @@ checksum = "06abde3611657adf66d383f00b093d7faecc7fa57071cce2578660c9f1010821" [[package]] name = "valuable" -version = "0.1.0" +version = "0.1.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "830b7e5d4d90034032940e4ace0d9a9a057e7a45cd94e6c007832e39edb82f6d" +checksum = "ba73ea9cf16a25df0c8caa16c51acb937d5712a8429db78a3ee29d5dcacd3a65" [[package]] name = "version_check" @@ -2935,9 +3019,9 @@ dependencies = [ [[package]] name = "wasi" -version = "0.11.0+wasi-snapshot-preview1" +version = "0.11.1+wasi-snapshot-preview1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9c8d87e72b64a3b4db28d11ce29237c246188f4f51057d65a7eab63b7987e423" +checksum = "ccf3ec651a847eb01de73ccad15eb7d99f80485de043efb2f370cd654f4ea44b" [[package]] name = "wasi" @@ -2950,20 +3034,21 @@ dependencies = [ [[package]] name = "wasm-bindgen" -version = "0.2.99" +version = "0.2.100" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a474f6281d1d70c17ae7aa6a613c87fce69a127e2624002df63dcb39d6cf6396" +checksum = "1edc8929d7499fc4e8f0be2262a241556cfc54a0bea223790e71446f2aab1ef5" dependencies = [ "cfg-if", "once_cell", + "rustversion", "wasm-bindgen-macro", ] [[package]] name = "wasm-bindgen-backend" -version = "0.2.99" +version = "0.2.100" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5f89bb38646b4f81674e8f5c3fb81b562be1fd936d84320f3264486418519c79" +checksum = "2f0a0651a5c2bc21487bde11ee802ccaf4c51935d0d3d42a6101f98161700bc6" dependencies = [ "bumpalo", "log 0.4.27", @@ -2975,9 +3060,9 @@ dependencies = [ [[package]] name = "wasm-bindgen-macro" -version = "0.2.99" +version = "0.2.100" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2cc6181fd9a7492eef6fef1f33961e3695e4579b9872a6f7c83aee556666d4fe" +checksum = "7fe63fc6d09ed3792bd0897b314f53de8e16568c2b3f7982f468c0bf9bd0b407" dependencies = [ "quote", "wasm-bindgen-macro-support", @@ -2985,9 +3070,9 @@ dependencies = [ [[package]] name = "wasm-bindgen-macro-support" -version = "0.2.99" +version = "0.2.100" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "30d7a95b763d3c45903ed6c81f156801839e5ee968bb07e534c44df0fcd330c2" +checksum = "8ae87ea40c9f689fc23f209965b6fb8a99ad69aeeb0231408be24920604395de" dependencies = [ "proc-macro2", "quote", @@ -2998,9 +3083,12 @@ dependencies = [ [[package]] name = "wasm-bindgen-shared" -version = "0.2.99" +version = "0.2.100" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "943aab3fdaaa029a6e0271b35ea10b72b943135afe9bffca82384098ad0e06a6" +checksum = "1a05d73b933a847d6cccdda8f838a22ff101ad9bf93e33684f39c1f5f0eece3d" +dependencies = [ + "unicode-ident", +] [[package]] name = "winapi" @@ -3035,18 +3123,62 @@ checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f" [[package]] name = "windows-core" -version = "0.52.0" +version = "0.61.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "33ab640c8d7e35bf8ba19b884ba838ceb4fba93a4e8c65a9059d08afcfc683d9" +checksum = "c0fdd3ddb90610c7638aa2b3a3ab2904fb9e5cdbecc643ddb3647212781c4ae3" dependencies = [ - "windows-targets 0.52.6", + "windows-implement", + "windows-interface", + "windows-link", + "windows-result", + "windows-strings", +] + +[[package]] +name = "windows-implement" +version = "0.60.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a47fddd13af08290e67f4acabf4b459f647552718f683a7b415d290ac744a836" +dependencies = [ + "proc-macro2", + "quote", + "syn", +] + +[[package]] +name = "windows-interface" +version = "0.59.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "bd9211b69f8dcdfa817bfd14bf1c97c9188afa36f4750130fcdf3f400eca9fa8" +dependencies = [ + "proc-macro2", + "quote", + "syn", ] [[package]] name = "windows-link" -version = "0.1.1" +version = "0.1.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "76840935b766e1b0a05c0066835fb9ec80071d4c09a16f6bd5f7e655e3c14c38" +checksum = "5e6ad25900d524eaabdbbb96d20b4311e1e7ae1699af4fb28c17ae66c80d798a" + +[[package]] +name = "windows-result" +version = "0.3.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "56f42bd332cc6c8eac5af113fc0c1fd6a8fd2aa08a0119358686e5160d0586c6" +dependencies = [ + "windows-link", +] + +[[package]] +name = "windows-strings" +version = "0.4.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "56e6c93f3a0c3b36176cb1327a4958a0353d5d166c2a35cb268ace15e91d3b57" +dependencies = [ + "windows-link", +] [[package]] name = "windows-sys" diff --git a/rust/ast-generator/Cargo.toml b/rust/ast-generator/Cargo.toml index 78c8a9b6d5b..634c3c34fc8 100644 --- a/rust/ast-generator/Cargo.toml +++ b/rust/ast-generator/Cargo.toml @@ -10,7 +10,7 @@ ungrammar = "1.16.1" proc-macro2 = "1.0.95" quote = "1.0.40" either = "1.15.0" -stdx = {package = "ra_ap_stdx", version = "0.0.288"} +stdx = {package = "ra_ap_stdx", version = "0.0.294"} itertools = "0.14.0" mustache = "0.9.0" serde = { version = "1.0.219", features = ["derive"] } diff --git a/rust/extractor/Cargo.toml b/rust/extractor/Cargo.toml index 88a3e203a27..31a18ad15b3 100644 --- a/rust/extractor/Cargo.toml +++ b/rust/extractor/Cargo.toml @@ -7,26 +7,26 @@ license = "MIT" # When updating these dependencies, run `rust/update_cargo_deps.sh` [dependencies] anyhow = "1.0.98" -clap = { version = "4.5.40", features = ["derive"] } +clap = { version = "4.5.41", features = ["derive"] } figment = { version = "0.10.19", features = ["env", "yaml"] } num-traits = "0.2.19" -ra_ap_base_db = "0.0.288" -ra_ap_hir = "0.0.288" -ra_ap_hir_def = "0.0.288" -ra_ap_ide_db = "0.0.288" -ra_ap_hir_ty = "0.0.288" -ra_ap_hir_expand = "0.0.288" -ra_ap_load-cargo = "0.0.288" -ra_ap_paths = "0.0.288" -ra_ap_project_model = "0.0.288" -ra_ap_syntax = "0.0.288" -ra_ap_vfs = "0.0.288" -ra_ap_parser = "0.0.288" -ra_ap_span = "0.0.288" -ra_ap_cfg = "0.0.288" -ra_ap_intern = "0.0.288" +ra_ap_base_db = "0.0.294" +ra_ap_hir = "0.0.294" +ra_ap_hir_def = "0.0.294" +ra_ap_ide_db = "0.0.294" +ra_ap_hir_ty = "0.0.294" +ra_ap_hir_expand = "0.0.294" +ra_ap_load-cargo = "0.0.294" +ra_ap_paths = "0.0.294" +ra_ap_project_model = "0.0.294" +ra_ap_syntax = "0.0.294" +ra_ap_vfs = "0.0.294" +ra_ap_parser = "0.0.294" +ra_ap_span = "0.0.294" +ra_ap_cfg = "0.0.294" +ra_ap_intern = "0.0.294" serde = "1.0.219" -serde_with = "3.13.0" +serde_with = "3.14.0" triomphe = "0.1.14" argfile = "0.2.1" codeql-extractor = { path = "../../shared/tree-sitter-extractor" } @@ -36,7 +36,7 @@ glob = "0.3.2" chrono = { version = "0.4.41", features = ["serde"] } serde_json = "1.0.140" dunce = "1.0.5" -toml = "0.8.23" +toml = "0.9.2" tracing = "0.1.41" tracing-flame = "0.2.0" tracing-subscriber = "0.3.19" diff --git a/rust/extractor/macros/Cargo.toml b/rust/extractor/macros/Cargo.toml index 3444aa98758..e666bf75510 100644 --- a/rust/extractor/macros/Cargo.toml +++ b/rust/extractor/macros/Cargo.toml @@ -10,4 +10,4 @@ proc-macro = true # When updating these dependencies, run `rust/update_cargo_deps.sh` [dependencies] quote = "1.0.40" -syn = { version = "2.0.103", features = ["full"] } +syn = { version = "2.0.104", features = ["full"] } From 7b48cb2ce8eac208ca838f466f7ba8a81ed4f340 Mon Sep 17 00:00:00 2001 From: Paolo Tranquilli Date: Tue, 15 Jul 2025 14:20:32 +0200 Subject: [PATCH 0037/1955] Bazel: regenerate cargo vendored files --- MODULE.bazel | 40 +- ...6.18.bazel => BUILD.anstream-0.6.19.bazel} | 16 +- ....0.10.bazel => BUILD.anstyle-1.0.11.bazel} | 2 +- ....bazel => BUILD.anstyle-parse-0.2.7.bazel} | 2 +- ....bazel => BUILD.anstyle-query-1.1.3.bazel} | 2 +- ...bazel => BUILD.anstyle-wincon-3.0.9.bazel} | 10 +- ...-1.4.0.bazel => BUILD.autocfg-1.5.0.bazel} | 2 +- .../tree_sitter_extractors_deps/BUILD.bazel | 124 +- ...sh-1.5.5.bazel => BUILD.borsh-1.5.7.bazel} | 6 +- ....16.0.bazel => BUILD.bumpalo-3.19.0.bazel} | 2 +- ...l => BUILD.cargo-util-schemas-0.8.2.bazel} | 4 +- ...azel => BUILD.cargo_metadata-0.21.0.bazel} | 4 +- ...D.cc-1.2.7.bazel => BUILD.cc-1.2.29.bazel} | 2 +- .../BUILD.chalk-derive-0.103.0.bazel | 4 +- .../BUILD.chalk-solve-0.103.0.bazel | 2 +- .../BUILD.chrono-0.4.41.bazel | 58 +- ...p-4.5.40.bazel => BUILD.clap-4.5.41.bazel} | 6 +- ....bazel => BUILD.clap_builder-4.5.41.bazel} | 8 +- ...0.bazel => BUILD.clap_derive-4.5.41.bazel} | 4 +- ...0.7.4.bazel => BUILD.clap_lex-0.7.5.bazel} | 2 +- ....3.bazel => BUILD.colorchoice-1.0.4.bazel} | 2 +- ...0.10.bazel => BUILD.darling-0.20.11.bazel} | 6 +- ...bazel => BUILD.darling_core-0.20.11.bazel} | 4 +- ...azel => BUILD.darling_macro-0.20.11.bazel} | 6 +- .../BUILD.dashmap-6.1.0.bazel | 6 +- ....3.11.bazel => BUILD.deranged-0.4.0.bazel} | 2 +- .../BUILD.displaydoc-0.2.5.bazel | 2 +- .../BUILD.fs-err-2.11.0.bazel | 2 +- ...5.2.bazel => BUILD.hashbrown-0.15.4.bazel} | 2 +- .../BUILD.hashlink-0.10.0.bazel | 2 +- ...azel => BUILD.iana-time-zone-0.1.63.bazel} | 27 +- .../BUILD.iana-time-zone-haiku-0.1.2.bazel | 2 +- .../BUILD.indexmap-1.9.3.bazel | 2 +- ....9.0.bazel => BUILD.indexmap-2.10.0.bazel} | 4 +- .../BUILD.intrusive-collections-0.9.7.bazel | 90 ++ ...0.3.76.bazel => BUILD.js-sys-0.3.77.bazel} | 6 +- ...e-1.0.8.bazel => BUILD.kqueue-1.1.1.bazel} | 4 +- ...0.1.3.bazel => BUILD.libredox-0.1.4.bazel} | 4 +- ...4.12.bazel => BUILD.lock_api-0.4.13.bazel} | 8 +- .../BUILD.memoffset-0.9.1.bazel | 2 +- ....mio-1.0.3.bazel => BUILD.mio-1.0.4.bazel} | 10 +- .../BUILD.notify-8.0.0.bazel | 46 +- .../BUILD.num-traits-0.2.19.bazel | 2 +- ...0.3.bazel => BUILD.once_cell-1.21.3.bazel} | 2 +- .../BUILD.once_cell_polyfill-1.70.1.bazel | 86 ++ .../BUILD.papaya-0.2.3.bazel | 90 ++ ...3.bazel => BUILD.parking_lot-0.12.4.bazel} | 6 +- ...el => BUILD.parking_lot_core-0.9.11.bazel} | 6 +- .../BUILD.pear_codegen-0.2.9.bazel | 2 +- .../BUILD.petgraph-0.6.5.bazel | 2 +- ...zel => BUILD.portable-atomic-1.11.1.bazel} | 6 +- .../BUILD.proc-macro2-1.0.95.bazel | 2 +- ...BUILD.proc-macro2-diagnostics-0.10.1.bazel | 2 +- .../BUILD.ra-ap-rustc_hashes-0.116.0.bazel | 2 +- ...ILD.ra-ap-rustc_index_macros-0.116.0.bazel | 2 +- ...azel => BUILD.ra_ap_base_db-0.0.294.bazel} | 32 +- ...88.bazel => BUILD.ra_ap_cfg-0.0.294.bazel} | 10 +- ...azel => BUILD.ra_ap_edition-0.0.294.bazel} | 2 +- ...88.bazel => BUILD.ra_ap_hir-0.0.294.bazel} | 44 +- ...azel => BUILD.ra_ap_hir_def-0.0.294.bazel} | 48 +- ...l => BUILD.ra_ap_hir_expand-0.0.294.bazel} | 50 +- ...bazel => BUILD.ra_ap_hir_ty-0.0.294.bazel} | 40 +- ...bazel => BUILD.ra_ap_ide_db-0.0.294.bazel} | 44 +- ...bazel => BUILD.ra_ap_intern-0.0.294.bazel} | 2 +- ...l => BUILD.ra_ap_load-cargo-0.0.294.bazel} | 38 +- ...88.bazel => BUILD.ra_ap_mbe-0.0.294.bazel} | 26 +- ...bazel => BUILD.ra_ap_parser-0.0.294.bazel} | 8 +- ....bazel => BUILD.ra_ap_paths-0.0.294.bazel} | 2 +- ... BUILD.ra_ap_proc_macro_api-0.0.294.bazel} | 24 +- ...azel => BUILD.ra_ap_profile-0.0.294.bazel} | 2 +- ...> BUILD.ra_ap_project_model-0.0.294.bazel} | 32 +- ...ILD.ra_ap_query-group-macro-0.0.294.bazel} | 4 +- ...8.bazel => BUILD.ra_ap_span-0.0.294.bazel} | 16 +- ...8.bazel => BUILD.ra_ap_stdx-0.0.294.bazel} | 2 +- ...bazel => BUILD.ra_ap_syntax-0.0.294.bazel} | 12 +- ...> BUILD.ra_ap_syntax-bridge-0.0.294.bazel} | 26 +- ...el => BUILD.ra_ap_toolchain-0.0.294.bazel} | 2 +- ...288.bazel => BUILD.ra_ap_tt-0.0.294.bazel} | 10 +- ...88.bazel => BUILD.ra_ap_vfs-0.0.294.bazel} | 12 +- ...l => BUILD.ra_ap_vfs-notify-0.0.294.bazel} | 14 +- ...bazel => BUILD.redox_syscall-0.5.13.bazel} | 2 +- .../BUILD.ref-cast-impl-1.0.24.bazel | 2 +- ...> BUILD.rustc-literal-escaper-0.0.4.bazel} | 2 +- ...el => BUILD.rustc-stable-hash-0.1.2.bazel} | 2 +- ...9.bazel => BUILD.rustversion-1.0.21.bazel} | 27 +- ...yu-1.0.19.bazel => BUILD.ryu-1.0.20.bazel} | 2 +- ...-0.22.0.bazel => BUILD.salsa-0.23.0.bazel} | 18 +- ...l => BUILD.salsa-macro-rules-0.23.0.bazel} | 2 +- ....bazel => BUILD.salsa-macros-0.23.0.bazel} | 7 +- .../BUILD.schemars-1.0.4.bazel | 89 ++ .../BUILD.seize-0.5.0.bazel | 103 ++ .../BUILD.serde_derive-1.0.219.bazel | 2 +- .../BUILD.serde_json-1.0.140.bazel | 2 +- .../BUILD.serde_spanned-1.0.0.bazel | 91 ++ ....0.bazel => BUILD.serde_with-3.14.0.bazel} | 4 +- ...l => BUILD.serde_with_macros-3.14.0.bazel} | 6 +- .../BUILD.serde_yaml-0.9.34+deprecated.bazel | 4 +- ...-2.0.103.bazel => BUILD.syn-2.0.104.bazel} | 4 +- ....bazel => BUILD.synstructure-0.13.2.bazel} | 4 +- .../BUILD.thiserror-impl-2.0.12.bazel | 2 +- .../BUILD.thread_local-1.1.8.bazel | 2 +- ...e-0.3.37.bazel => BUILD.time-0.3.41.bazel} | 6 +- ....1.2.bazel => BUILD.time-core-0.1.4.bazel} | 2 +- ...9.bazel => BUILD.time-macros-0.2.22.bazel} | 4 +- .../BUILD.toml-0.9.2.bazel | 98 ++ .../BUILD.toml_datetime-0.7.0.bazel | 91 ++ .../BUILD.toml_edit-0.22.27.bazel | 2 +- .../BUILD.toml_parser-1.0.1.bazel | 90 ++ .../BUILD.toml_writer-1.0.2.bazel | 88 ++ .../BUILD.tracing-0.1.41.bazel | 4 +- ... => BUILD.tracing-attributes-0.1.30.bazel} | 4 +- ....bazel => BUILD.tracing-core-0.1.34.bazel} | 4 +- .../BUILD.tracing-log-0.2.0.bazel | 4 +- .../BUILD.tracing-subscriber-0.3.19.bazel | 4 +- .../BUILD.tree-sitter-0.24.6.bazel | 2 +- ...tree-sitter-embedded-template-0.23.2.bazel | 2 +- .../BUILD.tree-sitter-json-0.24.8.bazel | 2 +- .../BUILD.tree-sitter-ql-0.23.1.bazel | 2 +- .../BUILD.tree-sitter-ruby-0.23.1.bazel | 2 +- ...bazel => BUILD.unicode-ident-1.0.18.bazel} | 2 +- ...0.1.0.bazel => BUILD.valuable-0.1.1.bazel} | 10 +- ....wasi-0.11.1+wasi-snapshot-preview1.bazel} | 2 +- ...bazel => BUILD.wasm-bindgen-0.2.100.bazel} | 17 +- ... BUILD.wasm-bindgen-backend-0.2.100.bazel} | 12 +- ...=> BUILD.wasm-bindgen-macro-0.2.100.bazel} | 8 +- ....wasm-bindgen-macro-support-0.2.100.bazel} | 12 +- ...> BUILD.wasm-bindgen-shared-0.2.100.bazel} | 7 +- .../BUILD.windows-core-0.61.2.bazel | 92 ++ ...l => BUILD.windows-implement-0.60.0.bazel} | 8 +- .../BUILD.windows-interface-0.59.1.bazel | 88 ++ ...1.bazel => BUILD.windows-link-0.1.3.bazel} | 2 +- ...bazel => BUILD.windows-result-0.3.4.bazel} | 8 +- .../BUILD.windows-strings-0.4.2.bazel | 86 ++ .../BUILD.windows-sys-0.52.0.bazel | 6 + .../BUILD.yoke-derive-0.8.0.bazel | 4 +- .../BUILD.zerocopy-derive-0.7.35.bazel | 2 +- .../BUILD.zerocopy-derive-0.8.20.bazel | 2 +- .../BUILD.zerofrom-derive-0.1.6.bazel | 4 +- .../BUILD.zerovec-derive-0.11.1.bazel | 2 +- .../BUILD.zstd-sys-2.0.15+zstd.1.5.7.bazel | 2 +- .../tree_sitter_extractors_deps/defs.bzl | 1086 +++++++++-------- 141 files changed, 2405 insertions(+), 1096 deletions(-) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.anstream-0.6.18.bazel => BUILD.anstream-0.6.19.bazel} (90%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.anstyle-1.0.10.bazel => BUILD.anstyle-1.0.11.bazel} (99%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.anstyle-parse-0.2.6.bazel => BUILD.anstyle-parse-0.2.7.bazel} (99%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.anstyle-query-1.1.2.bazel => BUILD.anstyle-query-1.1.3.bazel} (99%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.anstyle-wincon-3.0.7.bazel => BUILD.anstyle-wincon-3.0.9.bazel} (92%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.autocfg-1.4.0.bazel => BUILD.autocfg-1.5.0.bazel} (99%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.borsh-1.5.5.bazel => BUILD.borsh-1.5.7.bazel} (97%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.bumpalo-3.16.0.bazel => BUILD.bumpalo-3.19.0.bazel} (99%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.cargo-util-schemas-0.2.0.bazel => BUILD.cargo-util-schemas-0.8.2.bazel} (98%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.cargo_metadata-0.20.0.bazel => BUILD.cargo_metadata-0.21.0.bazel} (97%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.cc-1.2.7.bazel => BUILD.cc-1.2.29.bazel} (99%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.clap-4.5.40.bazel => BUILD.clap-4.5.41.bazel} (96%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.clap_builder-4.5.40.bazel => BUILD.clap_builder-4.5.41.bazel} (95%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.clap_derive-4.5.40.bazel => BUILD.clap_derive-4.5.41.bazel} (98%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.clap_lex-0.7.4.bazel => BUILD.clap_lex-0.7.5.bazel} (99%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.colorchoice-1.0.3.bazel => BUILD.colorchoice-1.0.4.bazel} (99%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.darling-0.20.10.bazel => BUILD.darling-0.20.11.bazel} (96%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.darling_core-0.20.10.bazel => BUILD.darling_core-0.20.11.bazel} (98%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.darling_macro-0.20.10.bazel => BUILD.darling_macro-0.20.11.bazel} (96%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.deranged-0.3.11.bazel => BUILD.deranged-0.4.0.bazel} (99%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.hashbrown-0.15.2.bazel => BUILD.hashbrown-0.15.4.bazel} (99%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.iana-time-zone-0.1.61.bazel => BUILD.iana-time-zone-0.1.63.bazel} (87%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.indexmap-2.9.0.bazel => BUILD.indexmap-2.10.0.bazel} (98%) create mode 100644 misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.intrusive-collections-0.9.7.bazel rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.js-sys-0.3.76.bazel => BUILD.js-sys-0.3.77.bazel} (96%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.kqueue-1.0.8.bazel => BUILD.kqueue-1.1.1.bazel} (98%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.libredox-0.1.3.bazel => BUILD.libredox-0.1.4.bazel} (97%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.lock_api-0.4.12.bazel => BUILD.lock_api-0.4.13.bazel} (96%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.mio-1.0.3.bazel => BUILD.mio-1.0.4.bazel} (96%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.once_cell-1.20.3.bazel => BUILD.once_cell-1.21.3.bazel} (99%) create mode 100644 misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.once_cell_polyfill-1.70.1.bazel create mode 100644 misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.papaya-0.2.3.bazel rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.parking_lot-0.12.3.bazel => BUILD.parking_lot-0.12.4.bazel} (96%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.parking_lot_core-0.9.10.bazel => BUILD.parking_lot_core-0.9.11.bazel} (98%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.portable-atomic-1.11.0.bazel => BUILD.portable-atomic-1.11.1.bazel} (97%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.ra_ap_base_db-0.0.288.bazel => BUILD.ra_ap_base_db-0.0.294.bazel} (81%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.ra_ap_cfg-0.0.288.bazel => BUILD.ra_ap_cfg-0.0.294.bazel} (93%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.ra_ap_edition-0.0.288.bazel => BUILD.ra_ap_edition-0.0.294.bazel} (99%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.ra_ap_hir-0.0.288.bazel => BUILD.ra_ap_hir-0.0.294.bazel} (75%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.ra_ap_hir_def-0.0.288.bazel => BUILD.ra_ap_hir_def-0.0.294.bazel} (77%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.ra_ap_hir_expand-0.0.288.bazel => BUILD.ra_ap_hir_expand-0.0.294.bazel} (73%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.ra_ap_hir_ty-0.0.288.bazel => BUILD.ra_ap_hir_ty-0.0.294.bazel} (80%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.ra_ap_ide_db-0.0.288.bazel => BUILD.ra_ap_ide_db-0.0.294.bazel} (77%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.ra_ap_intern-0.0.288.bazel => BUILD.ra_ap_intern-0.0.294.bazel} (99%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.ra_ap_load-cargo-0.0.288.bazel => BUILD.ra_ap_load-cargo-0.0.294.bazel} (77%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.ra_ap_mbe-0.0.288.bazel => BUILD.ra_ap_mbe-0.0.294.bazel} (84%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.ra_ap_parser-0.0.288.bazel => BUILD.ra_ap_parser-0.0.294.bazel} (94%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.ra_ap_paths-0.0.288.bazel => BUILD.ra_ap_paths-0.0.294.bazel} (99%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.ra_ap_proc_macro_api-0.0.288.bazel => BUILD.ra_ap_proc_macro_api-0.0.294.bazel} (85%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.ra_ap_profile-0.0.288.bazel => BUILD.ra_ap_profile-0.0.294.bazel} (99%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.ra_ap_project_model-0.0.288.bazel => BUILD.ra_ap_project_model-0.0.294.bazel} (81%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.ra_ap_query-group-macro-0.0.288.bazel => BUILD.ra_ap_query-group-macro-0.0.294.bazel} (98%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.ra_ap_span-0.0.288.bazel => BUILD.ra_ap_span-0.0.294.bazel} (90%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.ra_ap_stdx-0.0.288.bazel => BUILD.ra_ap_stdx-0.0.294.bazel} (99%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.ra_ap_syntax-0.0.288.bazel => BUILD.ra_ap_syntax-0.0.294.bazel} (92%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.ra_ap_syntax-bridge-0.0.288.bazel => BUILD.ra_ap_syntax-bridge-0.0.294.bazel} (83%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.ra_ap_toolchain-0.0.288.bazel => BUILD.ra_ap_toolchain-0.0.294.bazel} (99%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.ra_ap_tt-0.0.288.bazel => BUILD.ra_ap_tt-0.0.294.bazel} (93%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.ra_ap_vfs-0.0.288.bazel => BUILD.ra_ap_vfs-0.0.294.bazel} (92%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.ra_ap_vfs-notify-0.0.288.bazel => BUILD.ra_ap_vfs-notify-0.0.294.bazel} (91%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.redox_syscall-0.5.8.bazel => BUILD.redox_syscall-0.5.13.bazel} (99%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.rustc-literal-escaper-0.0.3.bazel => BUILD.rustc-literal-escaper-0.0.4.bazel} (99%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.rustc-stable-hash-0.1.1.bazel => BUILD.rustc-stable-hash-0.1.2.bazel} (99%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.thiserror-1.0.69.bazel => BUILD.rustversion-1.0.21.bazel} (90%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.ryu-1.0.19.bazel => BUILD.ryu-1.0.20.bazel} (99%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.salsa-0.22.0.bazel => BUILD.salsa-0.23.0.bazel} (88%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.salsa-macro-rules-0.22.0.bazel => BUILD.salsa-macro-rules-0.23.0.bazel} (99%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.salsa-macros-0.22.0.bazel => BUILD.salsa-macros-0.23.0.bazel} (95%) create mode 100644 misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.schemars-1.0.4.bazel create mode 100644 misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.seize-0.5.0.bazel create mode 100644 misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.serde_spanned-1.0.0.bazel rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.serde_with-3.13.0.bazel => BUILD.serde_with-3.14.0.bazel} (97%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.serde_with_macros-3.13.0.bazel => BUILD.serde_with_macros-3.14.0.bazel} (97%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.syn-2.0.103.bazel => BUILD.syn-2.0.104.bazel} (97%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.synstructure-0.13.1.bazel => BUILD.synstructure-0.13.2.bazel} (98%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.time-0.3.37.bazel => BUILD.time-0.3.41.bazel} (96%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.time-core-0.1.2.bazel => BUILD.time-core-0.1.4.bazel} (99%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.time-macros-0.2.19.bazel => BUILD.time-macros-0.2.22.bazel} (97%) create mode 100644 misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.toml-0.9.2.bazel create mode 100644 misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.toml_datetime-0.7.0.bazel create mode 100644 misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.toml_parser-1.0.1.bazel create mode 100644 misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.toml_writer-1.0.2.bazel rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.tracing-attributes-0.1.28.bazel => BUILD.tracing-attributes-0.1.30.bazel} (98%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.tracing-core-0.1.33.bazel => BUILD.tracing-core-0.1.34.bazel} (97%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.unicode-ident-1.0.17.bazel => BUILD.unicode-ident-1.0.18.bazel} (99%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.valuable-0.1.0.bazel => BUILD.valuable-0.1.1.bazel} (96%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.wasi-0.11.0+wasi-snapshot-preview1.bazel => BUILD.wasi-0.11.1+wasi-snapshot-preview1.bazel} (98%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.wasm-bindgen-0.2.99.bazel => BUILD.wasm-bindgen-0.2.100.bazel} (93%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.wasm-bindgen-backend-0.2.99.bazel => BUILD.wasm-bindgen-backend-0.2.100.bazel} (93%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.wasm-bindgen-macro-0.2.99.bazel => BUILD.wasm-bindgen-macro-0.2.100.bazel} (95%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.wasm-bindgen-macro-support-0.2.99.bazel => BUILD.wasm-bindgen-macro-support-0.2.100.bazel} (93%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.wasm-bindgen-shared-0.2.99.bazel => BUILD.wasm-bindgen-shared-0.2.100.bazel} (96%) create mode 100644 misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows-core-0.61.2.bazel rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.thiserror-impl-1.0.69.bazel => BUILD.windows-implement-0.60.0.bazel} (96%) create mode 100644 misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows-interface-0.59.1.bazel rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.windows-link-0.1.1.bazel => BUILD.windows-link-0.1.3.bazel} (99%) rename misc/bazel/3rdparty/tree_sitter_extractors_deps/{BUILD.windows-core-0.52.0.bazel => BUILD.windows-result-0.3.4.bazel} (95%) create mode 100644 misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows-strings-0.4.2.bazel diff --git a/MODULE.bazel b/MODULE.bazel index 474e6df0aba..2d0898ebae6 100644 --- a/MODULE.bazel +++ b/MODULE.bazel @@ -99,7 +99,7 @@ use_repo( "vendor_ts__argfile-0.2.1", "vendor_ts__chalk-ir-0.103.0", "vendor_ts__chrono-0.4.41", - "vendor_ts__clap-4.5.40", + "vendor_ts__clap-4.5.41", "vendor_ts__dunce-1.0.5", "vendor_ts__either-1.15.0", "vendor_ts__encoding-0.2.33", @@ -114,30 +114,30 @@ use_repo( "vendor_ts__num_cpus-1.17.0", "vendor_ts__proc-macro2-1.0.95", "vendor_ts__quote-1.0.40", - "vendor_ts__ra_ap_base_db-0.0.288", - "vendor_ts__ra_ap_cfg-0.0.288", - "vendor_ts__ra_ap_hir-0.0.288", - "vendor_ts__ra_ap_hir_def-0.0.288", - "vendor_ts__ra_ap_hir_expand-0.0.288", - "vendor_ts__ra_ap_hir_ty-0.0.288", - "vendor_ts__ra_ap_ide_db-0.0.288", - "vendor_ts__ra_ap_intern-0.0.288", - "vendor_ts__ra_ap_load-cargo-0.0.288", - "vendor_ts__ra_ap_parser-0.0.288", - "vendor_ts__ra_ap_paths-0.0.288", - "vendor_ts__ra_ap_project_model-0.0.288", - "vendor_ts__ra_ap_span-0.0.288", - "vendor_ts__ra_ap_stdx-0.0.288", - "vendor_ts__ra_ap_syntax-0.0.288", - "vendor_ts__ra_ap_vfs-0.0.288", + "vendor_ts__ra_ap_base_db-0.0.294", + "vendor_ts__ra_ap_cfg-0.0.294", + "vendor_ts__ra_ap_hir-0.0.294", + "vendor_ts__ra_ap_hir_def-0.0.294", + "vendor_ts__ra_ap_hir_expand-0.0.294", + "vendor_ts__ra_ap_hir_ty-0.0.294", + "vendor_ts__ra_ap_ide_db-0.0.294", + "vendor_ts__ra_ap_intern-0.0.294", + "vendor_ts__ra_ap_load-cargo-0.0.294", + "vendor_ts__ra_ap_parser-0.0.294", + "vendor_ts__ra_ap_paths-0.0.294", + "vendor_ts__ra_ap_project_model-0.0.294", + "vendor_ts__ra_ap_span-0.0.294", + "vendor_ts__ra_ap_stdx-0.0.294", + "vendor_ts__ra_ap_syntax-0.0.294", + "vendor_ts__ra_ap_vfs-0.0.294", "vendor_ts__rand-0.9.1", "vendor_ts__rayon-1.10.0", "vendor_ts__regex-1.11.1", "vendor_ts__serde-1.0.219", "vendor_ts__serde_json-1.0.140", - "vendor_ts__serde_with-3.13.0", - "vendor_ts__syn-2.0.103", - "vendor_ts__toml-0.8.23", + "vendor_ts__serde_with-3.14.0", + "vendor_ts__syn-2.0.104", + "vendor_ts__toml-0.9.2", "vendor_ts__tracing-0.1.41", "vendor_ts__tracing-flame-0.2.0", "vendor_ts__tracing-subscriber-0.3.19", diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.anstream-0.6.18.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.anstream-0.6.19.bazel similarity index 90% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.anstream-0.6.18.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.anstream-0.6.19.bazel index 3221dab6e8b..be3ff03ea10 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.anstream-0.6.18.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.anstream-0.6.19.bazel @@ -84,23 +84,23 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.6.18", + version = "0.6.19", deps = [ - "@vendor_ts__anstyle-1.0.10//:anstyle", - "@vendor_ts__anstyle-parse-0.2.6//:anstyle_parse", - "@vendor_ts__anstyle-query-1.1.2//:anstyle_query", - "@vendor_ts__colorchoice-1.0.3//:colorchoice", + "@vendor_ts__anstyle-1.0.11//:anstyle", + "@vendor_ts__anstyle-parse-0.2.7//:anstyle_parse", + "@vendor_ts__anstyle-query-1.1.3//:anstyle_query", + "@vendor_ts__colorchoice-1.0.4//:colorchoice", "@vendor_ts__is_terminal_polyfill-1.70.1//:is_terminal_polyfill", "@vendor_ts__utf8parse-0.2.2//:utf8parse", ] + select({ "@rules_rust//rust/platform:aarch64-pc-windows-msvc": [ - "@vendor_ts__anstyle-wincon-3.0.7//:anstyle_wincon", # aarch64-pc-windows-msvc + "@vendor_ts__anstyle-wincon-3.0.9//:anstyle_wincon", # aarch64-pc-windows-msvc ], "@rules_rust//rust/platform:i686-pc-windows-msvc": [ - "@vendor_ts__anstyle-wincon-3.0.7//:anstyle_wincon", # i686-pc-windows-msvc + "@vendor_ts__anstyle-wincon-3.0.9//:anstyle_wincon", # i686-pc-windows-msvc ], "@rules_rust//rust/platform:x86_64-pc-windows-msvc": [ - "@vendor_ts__anstyle-wincon-3.0.7//:anstyle_wincon", # x86_64-pc-windows-msvc + "@vendor_ts__anstyle-wincon-3.0.9//:anstyle_wincon", # x86_64-pc-windows-msvc ], "//conditions:default": [], }), diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.anstyle-1.0.10.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.anstyle-1.0.11.bazel similarity index 99% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.anstyle-1.0.10.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.anstyle-1.0.11.bazel index 456e2c24eb4..e7bc9599432 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.anstyle-1.0.10.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.anstyle-1.0.11.bazel @@ -83,5 +83,5 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "1.0.10", + version = "1.0.11", ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.anstyle-parse-0.2.6.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.anstyle-parse-0.2.7.bazel similarity index 99% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.anstyle-parse-0.2.6.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.anstyle-parse-0.2.7.bazel index afc929f1694..5a872223e57 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.anstyle-parse-0.2.6.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.anstyle-parse-0.2.7.bazel @@ -83,7 +83,7 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.2.6", + version = "0.2.7", deps = [ "@vendor_ts__utf8parse-0.2.2//:utf8parse", ], diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.anstyle-query-1.1.2.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.anstyle-query-1.1.3.bazel similarity index 99% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.anstyle-query-1.1.2.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.anstyle-query-1.1.3.bazel index 2c8e86e0445..9c8ca69c641 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.anstyle-query-1.1.2.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.anstyle-query-1.1.3.bazel @@ -79,7 +79,7 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "1.1.2", + version = "1.1.3", deps = select({ "@rules_rust//rust/platform:aarch64-pc-windows-msvc": [ "@vendor_ts__windows-sys-0.59.0//:windows_sys", # cfg(windows) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.anstyle-wincon-3.0.7.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.anstyle-wincon-3.0.9.bazel similarity index 92% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.anstyle-wincon-3.0.7.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.anstyle-wincon-3.0.9.bazel index b3491e3a059..771e6b35222 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.anstyle-wincon-3.0.7.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.anstyle-wincon-3.0.9.bazel @@ -79,20 +79,20 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "3.0.7", + version = "3.0.9", deps = [ - "@vendor_ts__anstyle-1.0.10//:anstyle", + "@vendor_ts__anstyle-1.0.11//:anstyle", ] + select({ "@rules_rust//rust/platform:aarch64-pc-windows-msvc": [ - "@vendor_ts__once_cell-1.20.3//:once_cell", # cfg(windows) + "@vendor_ts__once_cell_polyfill-1.70.1//:once_cell_polyfill", # cfg(windows) "@vendor_ts__windows-sys-0.59.0//:windows_sys", # cfg(windows) ], "@rules_rust//rust/platform:i686-pc-windows-msvc": [ - "@vendor_ts__once_cell-1.20.3//:once_cell", # cfg(windows) + "@vendor_ts__once_cell_polyfill-1.70.1//:once_cell_polyfill", # cfg(windows) "@vendor_ts__windows-sys-0.59.0//:windows_sys", # cfg(windows) ], "@rules_rust//rust/platform:x86_64-pc-windows-msvc": [ - "@vendor_ts__once_cell-1.20.3//:once_cell", # cfg(windows) + "@vendor_ts__once_cell_polyfill-1.70.1//:once_cell_polyfill", # cfg(windows) "@vendor_ts__windows-sys-0.59.0//:windows_sys", # cfg(windows) ], "//conditions:default": [], diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.autocfg-1.4.0.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.autocfg-1.5.0.bazel similarity index 99% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.autocfg-1.4.0.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.autocfg-1.5.0.bazel index 8064dd79adc..2fb8648afd5 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.autocfg-1.4.0.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.autocfg-1.5.0.bazel @@ -79,5 +79,5 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "1.4.0", + version = "1.5.0", ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.bazel index 8b09c0613aa..df3166a9673 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.bazel @@ -80,14 +80,14 @@ alias( ) alias( - name = "clap-4.5.40", - actual = "@vendor_ts__clap-4.5.40//:clap", + name = "clap-4.5.41", + actual = "@vendor_ts__clap-4.5.41//:clap", tags = ["manual"], ) alias( name = "clap", - actual = "@vendor_ts__clap-4.5.40//:clap", + actual = "@vendor_ts__clap-4.5.41//:clap", tags = ["manual"], ) @@ -260,200 +260,200 @@ alias( ) alias( - name = "ra_ap_base_db-0.0.288", - actual = "@vendor_ts__ra_ap_base_db-0.0.288//:ra_ap_base_db", + name = "ra_ap_base_db-0.0.294", + actual = "@vendor_ts__ra_ap_base_db-0.0.294//:ra_ap_base_db", tags = ["manual"], ) alias( name = "ra_ap_base_db", - actual = "@vendor_ts__ra_ap_base_db-0.0.288//:ra_ap_base_db", + actual = "@vendor_ts__ra_ap_base_db-0.0.294//:ra_ap_base_db", tags = ["manual"], ) alias( - name = "ra_ap_cfg-0.0.288", - actual = "@vendor_ts__ra_ap_cfg-0.0.288//:ra_ap_cfg", + name = "ra_ap_cfg-0.0.294", + actual = "@vendor_ts__ra_ap_cfg-0.0.294//:ra_ap_cfg", tags = ["manual"], ) alias( name = "ra_ap_cfg", - actual = "@vendor_ts__ra_ap_cfg-0.0.288//:ra_ap_cfg", + actual = "@vendor_ts__ra_ap_cfg-0.0.294//:ra_ap_cfg", tags = ["manual"], ) alias( - name = "ra_ap_hir-0.0.288", - actual = "@vendor_ts__ra_ap_hir-0.0.288//:ra_ap_hir", + name = "ra_ap_hir-0.0.294", + actual = "@vendor_ts__ra_ap_hir-0.0.294//:ra_ap_hir", tags = ["manual"], ) alias( name = "ra_ap_hir", - actual = "@vendor_ts__ra_ap_hir-0.0.288//:ra_ap_hir", + actual = "@vendor_ts__ra_ap_hir-0.0.294//:ra_ap_hir", tags = ["manual"], ) alias( - name = "ra_ap_hir_def-0.0.288", - actual = "@vendor_ts__ra_ap_hir_def-0.0.288//:ra_ap_hir_def", + name = "ra_ap_hir_def-0.0.294", + actual = "@vendor_ts__ra_ap_hir_def-0.0.294//:ra_ap_hir_def", tags = ["manual"], ) alias( name = "ra_ap_hir_def", - actual = "@vendor_ts__ra_ap_hir_def-0.0.288//:ra_ap_hir_def", + actual = "@vendor_ts__ra_ap_hir_def-0.0.294//:ra_ap_hir_def", tags = ["manual"], ) alias( - name = "ra_ap_hir_expand-0.0.288", - actual = "@vendor_ts__ra_ap_hir_expand-0.0.288//:ra_ap_hir_expand", + name = "ra_ap_hir_expand-0.0.294", + actual = "@vendor_ts__ra_ap_hir_expand-0.0.294//:ra_ap_hir_expand", tags = ["manual"], ) alias( name = "ra_ap_hir_expand", - actual = "@vendor_ts__ra_ap_hir_expand-0.0.288//:ra_ap_hir_expand", + actual = "@vendor_ts__ra_ap_hir_expand-0.0.294//:ra_ap_hir_expand", tags = ["manual"], ) alias( - name = "ra_ap_hir_ty-0.0.288", - actual = "@vendor_ts__ra_ap_hir_ty-0.0.288//:ra_ap_hir_ty", + name = "ra_ap_hir_ty-0.0.294", + actual = "@vendor_ts__ra_ap_hir_ty-0.0.294//:ra_ap_hir_ty", tags = ["manual"], ) alias( name = "ra_ap_hir_ty", - actual = "@vendor_ts__ra_ap_hir_ty-0.0.288//:ra_ap_hir_ty", + actual = "@vendor_ts__ra_ap_hir_ty-0.0.294//:ra_ap_hir_ty", tags = ["manual"], ) alias( - name = "ra_ap_ide_db-0.0.288", - actual = "@vendor_ts__ra_ap_ide_db-0.0.288//:ra_ap_ide_db", + name = "ra_ap_ide_db-0.0.294", + actual = "@vendor_ts__ra_ap_ide_db-0.0.294//:ra_ap_ide_db", tags = ["manual"], ) alias( name = "ra_ap_ide_db", - actual = "@vendor_ts__ra_ap_ide_db-0.0.288//:ra_ap_ide_db", + actual = "@vendor_ts__ra_ap_ide_db-0.0.294//:ra_ap_ide_db", tags = ["manual"], ) alias( - name = "ra_ap_intern-0.0.288", - actual = "@vendor_ts__ra_ap_intern-0.0.288//:ra_ap_intern", + name = "ra_ap_intern-0.0.294", + actual = "@vendor_ts__ra_ap_intern-0.0.294//:ra_ap_intern", tags = ["manual"], ) alias( name = "ra_ap_intern", - actual = "@vendor_ts__ra_ap_intern-0.0.288//:ra_ap_intern", + actual = "@vendor_ts__ra_ap_intern-0.0.294//:ra_ap_intern", tags = ["manual"], ) alias( - name = "ra_ap_load-cargo-0.0.288", - actual = "@vendor_ts__ra_ap_load-cargo-0.0.288//:ra_ap_load_cargo", + name = "ra_ap_load-cargo-0.0.294", + actual = "@vendor_ts__ra_ap_load-cargo-0.0.294//:ra_ap_load_cargo", tags = ["manual"], ) alias( name = "ra_ap_load-cargo", - actual = "@vendor_ts__ra_ap_load-cargo-0.0.288//:ra_ap_load_cargo", + actual = "@vendor_ts__ra_ap_load-cargo-0.0.294//:ra_ap_load_cargo", tags = ["manual"], ) alias( - name = "ra_ap_parser-0.0.288", - actual = "@vendor_ts__ra_ap_parser-0.0.288//:ra_ap_parser", + name = "ra_ap_parser-0.0.294", + actual = "@vendor_ts__ra_ap_parser-0.0.294//:ra_ap_parser", tags = ["manual"], ) alias( name = "ra_ap_parser", - actual = "@vendor_ts__ra_ap_parser-0.0.288//:ra_ap_parser", + actual = "@vendor_ts__ra_ap_parser-0.0.294//:ra_ap_parser", tags = ["manual"], ) alias( - name = "ra_ap_paths-0.0.288", - actual = "@vendor_ts__ra_ap_paths-0.0.288//:ra_ap_paths", + name = "ra_ap_paths-0.0.294", + actual = "@vendor_ts__ra_ap_paths-0.0.294//:ra_ap_paths", tags = ["manual"], ) alias( name = "ra_ap_paths", - actual = "@vendor_ts__ra_ap_paths-0.0.288//:ra_ap_paths", + actual = "@vendor_ts__ra_ap_paths-0.0.294//:ra_ap_paths", tags = ["manual"], ) alias( - name = "ra_ap_project_model-0.0.288", - actual = "@vendor_ts__ra_ap_project_model-0.0.288//:ra_ap_project_model", + name = "ra_ap_project_model-0.0.294", + actual = "@vendor_ts__ra_ap_project_model-0.0.294//:ra_ap_project_model", tags = ["manual"], ) alias( name = "ra_ap_project_model", - actual = "@vendor_ts__ra_ap_project_model-0.0.288//:ra_ap_project_model", + actual = "@vendor_ts__ra_ap_project_model-0.0.294//:ra_ap_project_model", tags = ["manual"], ) alias( - name = "ra_ap_span-0.0.288", - actual = "@vendor_ts__ra_ap_span-0.0.288//:ra_ap_span", + name = "ra_ap_span-0.0.294", + actual = "@vendor_ts__ra_ap_span-0.0.294//:ra_ap_span", tags = ["manual"], ) alias( name = "ra_ap_span", - actual = "@vendor_ts__ra_ap_span-0.0.288//:ra_ap_span", + actual = "@vendor_ts__ra_ap_span-0.0.294//:ra_ap_span", tags = ["manual"], ) alias( - name = "ra_ap_stdx-0.0.288", - actual = "@vendor_ts__ra_ap_stdx-0.0.288//:ra_ap_stdx", + name = "ra_ap_stdx-0.0.294", + actual = "@vendor_ts__ra_ap_stdx-0.0.294//:ra_ap_stdx", tags = ["manual"], ) alias( - name = "stdx-0.0.288", - actual = "@vendor_ts__ra_ap_stdx-0.0.288//:ra_ap_stdx", + name = "stdx-0.0.294", + actual = "@vendor_ts__ra_ap_stdx-0.0.294//:ra_ap_stdx", tags = ["manual"], ) alias( name = "stdx", - actual = "@vendor_ts__ra_ap_stdx-0.0.288//:ra_ap_stdx", + actual = "@vendor_ts__ra_ap_stdx-0.0.294//:ra_ap_stdx", tags = ["manual"], ) alias( - name = "ra_ap_syntax-0.0.288", - actual = "@vendor_ts__ra_ap_syntax-0.0.288//:ra_ap_syntax", + name = "ra_ap_syntax-0.0.294", + actual = "@vendor_ts__ra_ap_syntax-0.0.294//:ra_ap_syntax", tags = ["manual"], ) alias( name = "ra_ap_syntax", - actual = "@vendor_ts__ra_ap_syntax-0.0.288//:ra_ap_syntax", + actual = "@vendor_ts__ra_ap_syntax-0.0.294//:ra_ap_syntax", tags = ["manual"], ) alias( - name = "ra_ap_vfs-0.0.288", - actual = "@vendor_ts__ra_ap_vfs-0.0.288//:ra_ap_vfs", + name = "ra_ap_vfs-0.0.294", + actual = "@vendor_ts__ra_ap_vfs-0.0.294//:ra_ap_vfs", tags = ["manual"], ) alias( name = "ra_ap_vfs", - actual = "@vendor_ts__ra_ap_vfs-0.0.288//:ra_ap_vfs", + actual = "@vendor_ts__ra_ap_vfs-0.0.294//:ra_ap_vfs", tags = ["manual"], ) @@ -518,38 +518,38 @@ alias( ) alias( - name = "serde_with-3.13.0", - actual = "@vendor_ts__serde_with-3.13.0//:serde_with", + name = "serde_with-3.14.0", + actual = "@vendor_ts__serde_with-3.14.0//:serde_with", tags = ["manual"], ) alias( name = "serde_with", - actual = "@vendor_ts__serde_with-3.13.0//:serde_with", + actual = "@vendor_ts__serde_with-3.14.0//:serde_with", tags = ["manual"], ) alias( - name = "syn-2.0.103", - actual = "@vendor_ts__syn-2.0.103//:syn", + name = "syn-2.0.104", + actual = "@vendor_ts__syn-2.0.104//:syn", tags = ["manual"], ) alias( name = "syn", - actual = "@vendor_ts__syn-2.0.103//:syn", + actual = "@vendor_ts__syn-2.0.104//:syn", tags = ["manual"], ) alias( - name = "toml-0.8.23", - actual = "@vendor_ts__toml-0.8.23//:toml", + name = "toml-0.9.2", + actual = "@vendor_ts__toml-0.9.2//:toml", tags = ["manual"], ) alias( name = "toml", - actual = "@vendor_ts__toml-0.8.23//:toml", + actual = "@vendor_ts__toml-0.9.2//:toml", tags = ["manual"], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.borsh-1.5.5.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.borsh-1.5.7.bazel similarity index 97% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.borsh-1.5.5.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.borsh-1.5.7.bazel index 062d394288f..7e848f9a02d 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.borsh-1.5.5.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.borsh-1.5.7.bazel @@ -80,9 +80,9 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "1.5.5", + version = "1.5.7", deps = [ - "@vendor_ts__borsh-1.5.5//:build_script_build", + "@vendor_ts__borsh-1.5.7//:build_script_build", ], ) @@ -131,7 +131,7 @@ cargo_build_script( "noclippy", "norustfmt", ], - version = "1.5.5", + version = "1.5.7", visibility = ["//visibility:private"], deps = [ "@vendor_ts__cfg_aliases-0.2.1//:cfg_aliases", diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.bumpalo-3.16.0.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.bumpalo-3.19.0.bazel similarity index 99% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.bumpalo-3.16.0.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.bumpalo-3.19.0.bazel index cc9164119b0..9cbb1677bb3 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.bumpalo-3.16.0.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.bumpalo-3.19.0.bazel @@ -82,5 +82,5 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "3.16.0", + version = "3.19.0", ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.cargo-util-schemas-0.2.0.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.cargo-util-schemas-0.8.2.bazel similarity index 98% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.cargo-util-schemas-0.2.0.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.cargo-util-schemas-0.8.2.bazel index 157f3891512..f5646c65b51 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.cargo-util-schemas-0.2.0.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.cargo-util-schemas-0.8.2.bazel @@ -79,13 +79,13 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.2.0", + version = "0.8.2", deps = [ "@vendor_ts__semver-1.0.26//:semver", "@vendor_ts__serde-1.0.219//:serde", "@vendor_ts__serde-untagged-0.1.7//:serde_untagged", "@vendor_ts__serde-value-0.7.0//:serde_value", - "@vendor_ts__thiserror-1.0.69//:thiserror", + "@vendor_ts__thiserror-2.0.12//:thiserror", "@vendor_ts__toml-0.8.23//:toml", "@vendor_ts__unicode-xid-0.2.6//:unicode_xid", "@vendor_ts__url-2.5.4//:url", diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.cargo_metadata-0.20.0.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.cargo_metadata-0.21.0.bazel similarity index 97% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.cargo_metadata-0.20.0.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.cargo_metadata-0.21.0.bazel index d005068efc1..fc0229a7f84 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.cargo_metadata-0.20.0.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.cargo_metadata-0.21.0.bazel @@ -82,11 +82,11 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.20.0", + version = "0.21.0", deps = [ "@vendor_ts__camino-1.1.10//:camino", "@vendor_ts__cargo-platform-0.2.0//:cargo_platform", - "@vendor_ts__cargo-util-schemas-0.2.0//:cargo_util_schemas", + "@vendor_ts__cargo-util-schemas-0.8.2//:cargo_util_schemas", "@vendor_ts__semver-1.0.26//:semver", "@vendor_ts__serde-1.0.219//:serde", "@vendor_ts__serde_json-1.0.140//:serde_json", diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.cc-1.2.7.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.cc-1.2.29.bazel similarity index 99% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.cc-1.2.7.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.cc-1.2.29.bazel index 17f020da447..51f4136d1a1 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.cc-1.2.7.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.cc-1.2.29.bazel @@ -82,7 +82,7 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "1.2.7", + version = "1.2.29", deps = [ "@vendor_ts__jobserver-0.1.32//:jobserver", "@vendor_ts__shlex-1.3.0//:shlex", diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.chalk-derive-0.103.0.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.chalk-derive-0.103.0.bazel index 15da420c019..94432c0b330 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.chalk-derive-0.103.0.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.chalk-derive-0.103.0.bazel @@ -83,7 +83,7 @@ rust_proc_macro( deps = [ "@vendor_ts__proc-macro2-1.0.95//:proc_macro2", "@vendor_ts__quote-1.0.40//:quote", - "@vendor_ts__syn-2.0.103//:syn", - "@vendor_ts__synstructure-0.13.1//:synstructure", + "@vendor_ts__syn-2.0.104//:syn", + "@vendor_ts__synstructure-0.13.2//:synstructure", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.chalk-solve-0.103.0.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.chalk-solve-0.103.0.bazel index 178d593115b..dd409a748c8 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.chalk-solve-0.103.0.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.chalk-solve-0.103.0.bazel @@ -86,7 +86,7 @@ rust_library( deps = [ "@vendor_ts__chalk-ir-0.103.0//:chalk_ir", "@vendor_ts__ena-0.14.3//:ena", - "@vendor_ts__indexmap-2.9.0//:indexmap", + "@vendor_ts__indexmap-2.10.0//:indexmap", "@vendor_ts__itertools-0.12.1//:itertools", "@vendor_ts__petgraph-0.6.5//:petgraph", "@vendor_ts__rustc-hash-1.1.0//:rustc_hash", diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.chrono-0.4.41.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.chrono-0.4.41.bazel index b2e5f4d1900..1e98ae71ac5 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.chrono-0.4.41.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.chrono-0.4.41.bazel @@ -101,93 +101,93 @@ rust_library( "@vendor_ts__serde-1.0.219//:serde", ] + select({ "@rules_rust//rust/platform:aarch64-apple-darwin": [ - "@vendor_ts__iana-time-zone-0.1.61//:iana_time_zone", # aarch64-apple-darwin + "@vendor_ts__iana-time-zone-0.1.63//:iana_time_zone", # aarch64-apple-darwin ], "@rules_rust//rust/platform:aarch64-apple-ios": [ - "@vendor_ts__iana-time-zone-0.1.61//:iana_time_zone", # aarch64-apple-ios + "@vendor_ts__iana-time-zone-0.1.63//:iana_time_zone", # aarch64-apple-ios ], "@rules_rust//rust/platform:aarch64-apple-ios-sim": [ - "@vendor_ts__iana-time-zone-0.1.61//:iana_time_zone", # aarch64-apple-ios-sim + "@vendor_ts__iana-time-zone-0.1.63//:iana_time_zone", # aarch64-apple-ios-sim ], "@rules_rust//rust/platform:aarch64-linux-android": [ "@vendor_ts__android-tzdata-0.1.1//:android_tzdata", # aarch64-linux-android - "@vendor_ts__iana-time-zone-0.1.61//:iana_time_zone", # aarch64-linux-android + "@vendor_ts__iana-time-zone-0.1.63//:iana_time_zone", # aarch64-linux-android ], "@rules_rust//rust/platform:aarch64-pc-windows-msvc": [ - "@vendor_ts__windows-link-0.1.1//:windows_link", # aarch64-pc-windows-msvc + "@vendor_ts__windows-link-0.1.3//:windows_link", # aarch64-pc-windows-msvc ], "@rules_rust//rust/platform:aarch64-unknown-fuchsia": [ - "@vendor_ts__iana-time-zone-0.1.61//:iana_time_zone", # aarch64-unknown-fuchsia + "@vendor_ts__iana-time-zone-0.1.63//:iana_time_zone", # aarch64-unknown-fuchsia ], "@rules_rust//rust/platform:aarch64-unknown-linux-gnu": [ - "@vendor_ts__iana-time-zone-0.1.61//:iana_time_zone", # aarch64-unknown-linux-gnu + "@vendor_ts__iana-time-zone-0.1.63//:iana_time_zone", # aarch64-unknown-linux-gnu ], "@rules_rust//rust/platform:aarch64-unknown-nixos-gnu": [ - "@vendor_ts__iana-time-zone-0.1.61//:iana_time_zone", # aarch64-unknown-linux-gnu, aarch64-unknown-nixos-gnu + "@vendor_ts__iana-time-zone-0.1.63//:iana_time_zone", # aarch64-unknown-linux-gnu, aarch64-unknown-nixos-gnu ], "@rules_rust//rust/platform:aarch64-unknown-nto-qnx710": [ - "@vendor_ts__iana-time-zone-0.1.61//:iana_time_zone", # aarch64-unknown-nto-qnx710 + "@vendor_ts__iana-time-zone-0.1.63//:iana_time_zone", # aarch64-unknown-nto-qnx710 ], "@rules_rust//rust/platform:arm-unknown-linux-gnueabi": [ - "@vendor_ts__iana-time-zone-0.1.61//:iana_time_zone", # arm-unknown-linux-gnueabi + "@vendor_ts__iana-time-zone-0.1.63//:iana_time_zone", # arm-unknown-linux-gnueabi ], "@rules_rust//rust/platform:armv7-linux-androideabi": [ "@vendor_ts__android-tzdata-0.1.1//:android_tzdata", # armv7-linux-androideabi - "@vendor_ts__iana-time-zone-0.1.61//:iana_time_zone", # armv7-linux-androideabi + "@vendor_ts__iana-time-zone-0.1.63//:iana_time_zone", # armv7-linux-androideabi ], "@rules_rust//rust/platform:armv7-unknown-linux-gnueabi": [ - "@vendor_ts__iana-time-zone-0.1.61//:iana_time_zone", # armv7-unknown-linux-gnueabi + "@vendor_ts__iana-time-zone-0.1.63//:iana_time_zone", # armv7-unknown-linux-gnueabi ], "@rules_rust//rust/platform:i686-apple-darwin": [ - "@vendor_ts__iana-time-zone-0.1.61//:iana_time_zone", # i686-apple-darwin + "@vendor_ts__iana-time-zone-0.1.63//:iana_time_zone", # i686-apple-darwin ], "@rules_rust//rust/platform:i686-linux-android": [ "@vendor_ts__android-tzdata-0.1.1//:android_tzdata", # i686-linux-android - "@vendor_ts__iana-time-zone-0.1.61//:iana_time_zone", # i686-linux-android + "@vendor_ts__iana-time-zone-0.1.63//:iana_time_zone", # i686-linux-android ], "@rules_rust//rust/platform:i686-pc-windows-msvc": [ - "@vendor_ts__windows-link-0.1.1//:windows_link", # i686-pc-windows-msvc + "@vendor_ts__windows-link-0.1.3//:windows_link", # i686-pc-windows-msvc ], "@rules_rust//rust/platform:i686-unknown-freebsd": [ - "@vendor_ts__iana-time-zone-0.1.61//:iana_time_zone", # i686-unknown-freebsd + "@vendor_ts__iana-time-zone-0.1.63//:iana_time_zone", # i686-unknown-freebsd ], "@rules_rust//rust/platform:i686-unknown-linux-gnu": [ - "@vendor_ts__iana-time-zone-0.1.61//:iana_time_zone", # i686-unknown-linux-gnu + "@vendor_ts__iana-time-zone-0.1.63//:iana_time_zone", # i686-unknown-linux-gnu ], "@rules_rust//rust/platform:powerpc-unknown-linux-gnu": [ - "@vendor_ts__iana-time-zone-0.1.61//:iana_time_zone", # powerpc-unknown-linux-gnu + "@vendor_ts__iana-time-zone-0.1.63//:iana_time_zone", # powerpc-unknown-linux-gnu ], "@rules_rust//rust/platform:s390x-unknown-linux-gnu": [ - "@vendor_ts__iana-time-zone-0.1.61//:iana_time_zone", # s390x-unknown-linux-gnu + "@vendor_ts__iana-time-zone-0.1.63//:iana_time_zone", # s390x-unknown-linux-gnu ], "@rules_rust//rust/platform:wasm32-unknown-unknown": [ - "@vendor_ts__js-sys-0.3.76//:js_sys", # wasm32-unknown-unknown - "@vendor_ts__wasm-bindgen-0.2.99//:wasm_bindgen", # wasm32-unknown-unknown + "@vendor_ts__js-sys-0.3.77//:js_sys", # wasm32-unknown-unknown + "@vendor_ts__wasm-bindgen-0.2.100//:wasm_bindgen", # wasm32-unknown-unknown ], "@rules_rust//rust/platform:x86_64-apple-darwin": [ - "@vendor_ts__iana-time-zone-0.1.61//:iana_time_zone", # x86_64-apple-darwin + "@vendor_ts__iana-time-zone-0.1.63//:iana_time_zone", # x86_64-apple-darwin ], "@rules_rust//rust/platform:x86_64-apple-ios": [ - "@vendor_ts__iana-time-zone-0.1.61//:iana_time_zone", # x86_64-apple-ios + "@vendor_ts__iana-time-zone-0.1.63//:iana_time_zone", # x86_64-apple-ios ], "@rules_rust//rust/platform:x86_64-linux-android": [ "@vendor_ts__android-tzdata-0.1.1//:android_tzdata", # x86_64-linux-android - "@vendor_ts__iana-time-zone-0.1.61//:iana_time_zone", # x86_64-linux-android + "@vendor_ts__iana-time-zone-0.1.63//:iana_time_zone", # x86_64-linux-android ], "@rules_rust//rust/platform:x86_64-pc-windows-msvc": [ - "@vendor_ts__windows-link-0.1.1//:windows_link", # x86_64-pc-windows-msvc + "@vendor_ts__windows-link-0.1.3//:windows_link", # x86_64-pc-windows-msvc ], "@rules_rust//rust/platform:x86_64-unknown-freebsd": [ - "@vendor_ts__iana-time-zone-0.1.61//:iana_time_zone", # x86_64-unknown-freebsd + "@vendor_ts__iana-time-zone-0.1.63//:iana_time_zone", # x86_64-unknown-freebsd ], "@rules_rust//rust/platform:x86_64-unknown-fuchsia": [ - "@vendor_ts__iana-time-zone-0.1.61//:iana_time_zone", # x86_64-unknown-fuchsia + "@vendor_ts__iana-time-zone-0.1.63//:iana_time_zone", # x86_64-unknown-fuchsia ], "@rules_rust//rust/platform:x86_64-unknown-linux-gnu": [ - "@vendor_ts__iana-time-zone-0.1.61//:iana_time_zone", # x86_64-unknown-linux-gnu + "@vendor_ts__iana-time-zone-0.1.63//:iana_time_zone", # x86_64-unknown-linux-gnu ], "@rules_rust//rust/platform:x86_64-unknown-nixos-gnu": [ - "@vendor_ts__iana-time-zone-0.1.61//:iana_time_zone", # x86_64-unknown-linux-gnu, x86_64-unknown-nixos-gnu + "@vendor_ts__iana-time-zone-0.1.63//:iana_time_zone", # x86_64-unknown-linux-gnu, x86_64-unknown-nixos-gnu ], "//conditions:default": [], }), diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.clap-4.5.40.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.clap-4.5.41.bazel similarity index 96% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.clap-4.5.40.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.clap-4.5.41.bazel index a5a64da0b5b..80bdcb9866d 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.clap-4.5.40.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.clap-4.5.41.bazel @@ -41,7 +41,7 @@ rust_library( crate_root = "src/lib.rs", edition = "2021", proc_macro_deps = [ - "@vendor_ts__clap_derive-4.5.40//:clap_derive", + "@vendor_ts__clap_derive-4.5.41//:clap_derive", ], rustc_flags = [ "--cap-lints=allow", @@ -92,8 +92,8 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "4.5.40", + version = "4.5.41", deps = [ - "@vendor_ts__clap_builder-4.5.40//:clap_builder", + "@vendor_ts__clap_builder-4.5.41//:clap_builder", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.clap_builder-4.5.40.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.clap_builder-4.5.41.bazel similarity index 95% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.clap_builder-4.5.40.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.clap_builder-4.5.41.bazel index 9460432135e..4ab8f147d5c 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.clap_builder-4.5.40.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.clap_builder-4.5.41.bazel @@ -87,11 +87,11 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "4.5.40", + version = "4.5.41", deps = [ - "@vendor_ts__anstream-0.6.18//:anstream", - "@vendor_ts__anstyle-1.0.10//:anstyle", - "@vendor_ts__clap_lex-0.7.4//:clap_lex", + "@vendor_ts__anstream-0.6.19//:anstream", + "@vendor_ts__anstyle-1.0.11//:anstyle", + "@vendor_ts__clap_lex-0.7.5//:clap_lex", "@vendor_ts__strsim-0.11.1//:strsim", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.clap_derive-4.5.40.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.clap_derive-4.5.41.bazel similarity index 98% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.clap_derive-4.5.40.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.clap_derive-4.5.41.bazel index e8af21de157..817a7c4c469 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.clap_derive-4.5.40.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.clap_derive-4.5.41.bazel @@ -82,11 +82,11 @@ rust_proc_macro( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "4.5.40", + version = "4.5.41", deps = [ "@vendor_ts__heck-0.5.0//:heck", "@vendor_ts__proc-macro2-1.0.95//:proc_macro2", "@vendor_ts__quote-1.0.40//:quote", - "@vendor_ts__syn-2.0.103//:syn", + "@vendor_ts__syn-2.0.104//:syn", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.clap_lex-0.7.4.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.clap_lex-0.7.5.bazel similarity index 99% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.clap_lex-0.7.4.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.clap_lex-0.7.5.bazel index deef0a7853e..452a009728f 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.clap_lex-0.7.4.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.clap_lex-0.7.5.bazel @@ -79,5 +79,5 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.7.4", + version = "0.7.5", ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.colorchoice-1.0.3.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.colorchoice-1.0.4.bazel similarity index 99% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.colorchoice-1.0.3.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.colorchoice-1.0.4.bazel index 0fa4d069ec1..2c240f27082 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.colorchoice-1.0.3.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.colorchoice-1.0.4.bazel @@ -79,5 +79,5 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "1.0.3", + version = "1.0.4", ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.darling-0.20.10.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.darling-0.20.11.bazel similarity index 96% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.darling-0.20.10.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.darling-0.20.11.bazel index 81ba24ba954..d95e83f5e2d 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.darling-0.20.10.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.darling-0.20.11.bazel @@ -35,7 +35,7 @@ rust_library( crate_root = "src/lib.rs", edition = "2021", proc_macro_deps = [ - "@vendor_ts__darling_macro-0.20.10//:darling_macro", + "@vendor_ts__darling_macro-0.20.11//:darling_macro", ], rustc_flags = [ "--cap-lints=allow", @@ -86,8 +86,8 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.20.10", + version = "0.20.11", deps = [ - "@vendor_ts__darling_core-0.20.10//:darling_core", + "@vendor_ts__darling_core-0.20.11//:darling_core", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.darling_core-0.20.10.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.darling_core-0.20.11.bazel similarity index 98% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.darling_core-0.20.10.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.darling_core-0.20.11.bazel index a974cf03b4b..11b4c8a57d3 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.darling_core-0.20.10.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.darling_core-0.20.11.bazel @@ -83,13 +83,13 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.20.10", + version = "0.20.11", deps = [ "@vendor_ts__fnv-1.0.7//:fnv", "@vendor_ts__ident_case-1.0.1//:ident_case", "@vendor_ts__proc-macro2-1.0.95//:proc_macro2", "@vendor_ts__quote-1.0.40//:quote", "@vendor_ts__strsim-0.11.1//:strsim", - "@vendor_ts__syn-2.0.103//:syn", + "@vendor_ts__syn-2.0.104//:syn", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.darling_macro-0.20.10.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.darling_macro-0.20.11.bazel similarity index 96% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.darling_macro-0.20.10.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.darling_macro-0.20.11.bazel index cd5a5dd199b..ea316fe5316 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.darling_macro-0.20.10.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.darling_macro-0.20.11.bazel @@ -79,10 +79,10 @@ rust_proc_macro( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.20.10", + version = "0.20.11", deps = [ - "@vendor_ts__darling_core-0.20.10//:darling_core", + "@vendor_ts__darling_core-0.20.11//:darling_core", "@vendor_ts__quote-1.0.40//:quote", - "@vendor_ts__syn-2.0.103//:syn", + "@vendor_ts__syn-2.0.104//:syn", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.dashmap-6.1.0.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.dashmap-6.1.0.bazel index 8f6dcced0c0..51f50afa5a4 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.dashmap-6.1.0.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.dashmap-6.1.0.bazel @@ -88,8 +88,8 @@ rust_library( "@vendor_ts__cfg-if-1.0.1//:cfg_if", "@vendor_ts__crossbeam-utils-0.8.21//:crossbeam_utils", "@vendor_ts__hashbrown-0.14.5//:hashbrown", - "@vendor_ts__lock_api-0.4.12//:lock_api", - "@vendor_ts__once_cell-1.20.3//:once_cell", - "@vendor_ts__parking_lot_core-0.9.10//:parking_lot_core", + "@vendor_ts__lock_api-0.4.13//:lock_api", + "@vendor_ts__once_cell-1.21.3//:once_cell", + "@vendor_ts__parking_lot_core-0.9.11//:parking_lot_core", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.deranged-0.3.11.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.deranged-0.4.0.bazel similarity index 99% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.deranged-0.3.11.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.deranged-0.4.0.bazel index 7f394c0c6be..84300161e03 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.deranged-0.3.11.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.deranged-0.4.0.bazel @@ -79,5 +79,5 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.3.11", + version = "0.4.0", ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.displaydoc-0.2.5.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.displaydoc-0.2.5.bazel index ef61d1a12af..8bad701502d 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.displaydoc-0.2.5.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.displaydoc-0.2.5.bazel @@ -83,6 +83,6 @@ rust_proc_macro( deps = [ "@vendor_ts__proc-macro2-1.0.95//:proc_macro2", "@vendor_ts__quote-1.0.40//:quote", - "@vendor_ts__syn-2.0.103//:syn", + "@vendor_ts__syn-2.0.104//:syn", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.fs-err-2.11.0.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.fs-err-2.11.0.bazel index 59751efc4aa..7a912b77abe 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.fs-err-2.11.0.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.fs-err-2.11.0.bazel @@ -134,7 +134,7 @@ cargo_build_script( version = "2.11.0", visibility = ["//visibility:private"], deps = [ - "@vendor_ts__autocfg-1.4.0//:autocfg", + "@vendor_ts__autocfg-1.5.0//:autocfg", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.hashbrown-0.15.2.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.hashbrown-0.15.4.bazel similarity index 99% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.hashbrown-0.15.2.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.hashbrown-0.15.4.bazel index ab42e90e017..e1a32ac34e2 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.hashbrown-0.15.2.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.hashbrown-0.15.4.bazel @@ -87,7 +87,7 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.15.2", + version = "0.15.4", deps = [ "@vendor_ts__allocator-api2-0.2.21//:allocator_api2", "@vendor_ts__equivalent-1.0.2//:equivalent", diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.hashlink-0.10.0.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.hashlink-0.10.0.bazel index 291406fff11..65e211d7a82 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.hashlink-0.10.0.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.hashlink-0.10.0.bazel @@ -81,6 +81,6 @@ rust_library( }), version = "0.10.0", deps = [ - "@vendor_ts__hashbrown-0.15.2//:hashbrown", + "@vendor_ts__hashbrown-0.15.4//:hashbrown", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.iana-time-zone-0.1.61.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.iana-time-zone-0.1.63.bazel similarity index 87% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.iana-time-zone-0.1.61.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.iana-time-zone-0.1.63.bazel index 98fd2110ebb..eb60c95d310 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.iana-time-zone-0.1.61.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.iana-time-zone-0.1.63.bazel @@ -32,7 +32,7 @@ rust_library( "fallback", ], crate_root = "src/lib.rs", - edition = "2018", + edition = "2021", rustc_flags = [ "--cap-lints=allow", ], @@ -82,50 +82,51 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.1.61", + version = "0.1.63", deps = select({ "@rules_rust//rust/platform:aarch64-apple-darwin": [ - "@vendor_ts__core-foundation-sys-0.8.7//:core_foundation_sys", # cfg(any(target_os = "macos", target_os = "ios")) + "@vendor_ts__core-foundation-sys-0.8.7//:core_foundation_sys", # cfg(target_vendor = "apple") ], "@rules_rust//rust/platform:aarch64-apple-ios": [ - "@vendor_ts__core-foundation-sys-0.8.7//:core_foundation_sys", # cfg(any(target_os = "macos", target_os = "ios")) + "@vendor_ts__core-foundation-sys-0.8.7//:core_foundation_sys", # cfg(target_vendor = "apple") ], "@rules_rust//rust/platform:aarch64-apple-ios-sim": [ - "@vendor_ts__core-foundation-sys-0.8.7//:core_foundation_sys", # cfg(any(target_os = "macos", target_os = "ios")) + "@vendor_ts__core-foundation-sys-0.8.7//:core_foundation_sys", # cfg(target_vendor = "apple") ], "@rules_rust//rust/platform:aarch64-linux-android": [ "@vendor_ts__android_system_properties-0.1.5//:android_system_properties", # cfg(target_os = "android") ], "@rules_rust//rust/platform:aarch64-pc-windows-msvc": [ - "@vendor_ts__windows-core-0.52.0//:windows_core", # cfg(target_os = "windows") + "@vendor_ts__windows-core-0.61.2//:windows_core", # cfg(target_os = "windows") ], "@rules_rust//rust/platform:armv7-linux-androideabi": [ "@vendor_ts__android_system_properties-0.1.5//:android_system_properties", # cfg(target_os = "android") ], "@rules_rust//rust/platform:i686-apple-darwin": [ - "@vendor_ts__core-foundation-sys-0.8.7//:core_foundation_sys", # cfg(any(target_os = "macos", target_os = "ios")) + "@vendor_ts__core-foundation-sys-0.8.7//:core_foundation_sys", # cfg(target_vendor = "apple") ], "@rules_rust//rust/platform:i686-linux-android": [ "@vendor_ts__android_system_properties-0.1.5//:android_system_properties", # cfg(target_os = "android") ], "@rules_rust//rust/platform:i686-pc-windows-msvc": [ - "@vendor_ts__windows-core-0.52.0//:windows_core", # cfg(target_os = "windows") + "@vendor_ts__windows-core-0.61.2//:windows_core", # cfg(target_os = "windows") ], "@rules_rust//rust/platform:wasm32-unknown-unknown": [ - "@vendor_ts__js-sys-0.3.76//:js_sys", # cfg(all(target_arch = "wasm32", target_os = "unknown")) - "@vendor_ts__wasm-bindgen-0.2.99//:wasm_bindgen", # cfg(all(target_arch = "wasm32", target_os = "unknown")) + "@vendor_ts__js-sys-0.3.77//:js_sys", # cfg(all(target_arch = "wasm32", target_os = "unknown")) + "@vendor_ts__log-0.4.27//:log", # cfg(all(target_arch = "wasm32", target_os = "unknown")) + "@vendor_ts__wasm-bindgen-0.2.100//:wasm_bindgen", # cfg(all(target_arch = "wasm32", target_os = "unknown")) ], "@rules_rust//rust/platform:x86_64-apple-darwin": [ - "@vendor_ts__core-foundation-sys-0.8.7//:core_foundation_sys", # cfg(any(target_os = "macos", target_os = "ios")) + "@vendor_ts__core-foundation-sys-0.8.7//:core_foundation_sys", # cfg(target_vendor = "apple") ], "@rules_rust//rust/platform:x86_64-apple-ios": [ - "@vendor_ts__core-foundation-sys-0.8.7//:core_foundation_sys", # cfg(any(target_os = "macos", target_os = "ios")) + "@vendor_ts__core-foundation-sys-0.8.7//:core_foundation_sys", # cfg(target_vendor = "apple") ], "@rules_rust//rust/platform:x86_64-linux-android": [ "@vendor_ts__android_system_properties-0.1.5//:android_system_properties", # cfg(target_os = "android") ], "@rules_rust//rust/platform:x86_64-pc-windows-msvc": [ - "@vendor_ts__windows-core-0.52.0//:windows_core", # cfg(target_os = "windows") + "@vendor_ts__windows-core-0.61.2//:windows_core", # cfg(target_os = "windows") ], "//conditions:default": [], }), diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.iana-time-zone-haiku-0.1.2.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.iana-time-zone-haiku-0.1.2.bazel index c07a773cbea..77cfe795fab 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.iana-time-zone-haiku-0.1.2.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.iana-time-zone-haiku-0.1.2.bazel @@ -134,7 +134,7 @@ cargo_build_script( version = "0.1.2", visibility = ["//visibility:private"], deps = [ - "@vendor_ts__cc-1.2.7//:cc", + "@vendor_ts__cc-1.2.29//:cc", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.indexmap-1.9.3.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.indexmap-1.9.3.bazel index f5728f60e0e..b7acfc279c8 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.indexmap-1.9.3.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.indexmap-1.9.3.bazel @@ -135,7 +135,7 @@ cargo_build_script( version = "1.9.3", visibility = ["//visibility:private"], deps = [ - "@vendor_ts__autocfg-1.4.0//:autocfg", + "@vendor_ts__autocfg-1.5.0//:autocfg", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.indexmap-2.9.0.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.indexmap-2.10.0.bazel similarity index 98% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.indexmap-2.9.0.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.indexmap-2.10.0.bazel index f3d360378d5..66bf0b14704 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.indexmap-2.9.0.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.indexmap-2.10.0.bazel @@ -84,10 +84,10 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "2.9.0", + version = "2.10.0", deps = [ "@vendor_ts__equivalent-1.0.2//:equivalent", - "@vendor_ts__hashbrown-0.15.2//:hashbrown", + "@vendor_ts__hashbrown-0.15.4//:hashbrown", "@vendor_ts__serde-1.0.219//:serde", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.intrusive-collections-0.9.7.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.intrusive-collections-0.9.7.bazel new file mode 100644 index 00000000000..c8d8fb2743e --- /dev/null +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.intrusive-collections-0.9.7.bazel @@ -0,0 +1,90 @@ +############################################################################### +# @generated +# DO NOT MODIFY: This file is auto-generated by a crate_universe tool. To +# regenerate this file, run the following: +# +# bazel run @@//misc/bazel/3rdparty:vendor_tree_sitter_extractors +############################################################################### + +load("@rules_rust//rust:defs.bzl", "rust_library") + +package(default_visibility = ["//visibility:public"]) + +rust_library( + name = "intrusive_collections", + srcs = glob( + include = ["**/*.rs"], + allow_empty = True, + ), + compile_data = glob( + include = ["**"], + allow_empty = True, + exclude = [ + "**/* *", + ".tmp_git_root/**/*", + "BUILD", + "BUILD.bazel", + "WORKSPACE", + "WORKSPACE.bazel", + ], + ), + crate_features = [ + "alloc", + "default", + ], + crate_root = "src/lib.rs", + edition = "2018", + rustc_flags = [ + "--cap-lints=allow", + ], + tags = [ + "cargo-bazel", + "crate-name=intrusive-collections", + "manual", + "noclippy", + "norustfmt", + ], + target_compatible_with = select({ + "@rules_rust//rust/platform:aarch64-apple-darwin": [], + "@rules_rust//rust/platform:aarch64-apple-ios": [], + "@rules_rust//rust/platform:aarch64-apple-ios-sim": [], + "@rules_rust//rust/platform:aarch64-linux-android": [], + "@rules_rust//rust/platform:aarch64-pc-windows-msvc": [], + "@rules_rust//rust/platform:aarch64-unknown-fuchsia": [], + "@rules_rust//rust/platform:aarch64-unknown-linux-gnu": [], + "@rules_rust//rust/platform:aarch64-unknown-nixos-gnu": [], + "@rules_rust//rust/platform:aarch64-unknown-nto-qnx710": [], + "@rules_rust//rust/platform:aarch64-unknown-uefi": [], + "@rules_rust//rust/platform:arm-unknown-linux-gnueabi": [], + "@rules_rust//rust/platform:armv7-linux-androideabi": [], + "@rules_rust//rust/platform:armv7-unknown-linux-gnueabi": [], + "@rules_rust//rust/platform:i686-apple-darwin": [], + "@rules_rust//rust/platform:i686-linux-android": [], + "@rules_rust//rust/platform:i686-pc-windows-msvc": [], + "@rules_rust//rust/platform:i686-unknown-freebsd": [], + "@rules_rust//rust/platform:i686-unknown-linux-gnu": [], + "@rules_rust//rust/platform:powerpc-unknown-linux-gnu": [], + "@rules_rust//rust/platform:riscv32imc-unknown-none-elf": [], + "@rules_rust//rust/platform:riscv64gc-unknown-none-elf": [], + "@rules_rust//rust/platform:s390x-unknown-linux-gnu": [], + "@rules_rust//rust/platform:thumbv7em-none-eabi": [], + "@rules_rust//rust/platform:thumbv8m.main-none-eabi": [], + "@rules_rust//rust/platform:wasm32-unknown-unknown": [], + "@rules_rust//rust/platform:wasm32-wasip1": [], + "@rules_rust//rust/platform:x86_64-apple-darwin": [], + "@rules_rust//rust/platform:x86_64-apple-ios": [], + "@rules_rust//rust/platform:x86_64-linux-android": [], + "@rules_rust//rust/platform:x86_64-pc-windows-msvc": [], + "@rules_rust//rust/platform:x86_64-unknown-freebsd": [], + "@rules_rust//rust/platform:x86_64-unknown-fuchsia": [], + "@rules_rust//rust/platform:x86_64-unknown-linux-gnu": [], + "@rules_rust//rust/platform:x86_64-unknown-nixos-gnu": [], + "@rules_rust//rust/platform:x86_64-unknown-none": [], + "@rules_rust//rust/platform:x86_64-unknown-uefi": [], + "//conditions:default": ["@platforms//:incompatible"], + }), + version = "0.9.7", + deps = [ + "@vendor_ts__memoffset-0.9.1//:memoffset", + ], +) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.js-sys-0.3.76.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.js-sys-0.3.77.bazel similarity index 96% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.js-sys-0.3.76.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.js-sys-0.3.77.bazel index c4c24532926..924333e1964 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.js-sys-0.3.76.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.js-sys-0.3.77.bazel @@ -83,9 +83,9 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.3.76", + version = "0.3.77", deps = [ - "@vendor_ts__once_cell-1.20.3//:once_cell", - "@vendor_ts__wasm-bindgen-0.2.99//:wasm_bindgen", + "@vendor_ts__once_cell-1.21.3//:once_cell", + "@vendor_ts__wasm-bindgen-0.2.100//:wasm_bindgen", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.kqueue-1.0.8.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.kqueue-1.1.1.bazel similarity index 98% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.kqueue-1.0.8.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.kqueue-1.1.1.bazel index 805b5abb897..92c8ab02ced 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.kqueue-1.0.8.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.kqueue-1.1.1.bazel @@ -29,7 +29,7 @@ rust_library( ], ), crate_root = "src/lib.rs", - edition = "2018", + edition = "2021", rustc_flags = [ "--cap-lints=allow", ], @@ -79,7 +79,7 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "1.0.8", + version = "1.1.1", deps = [ "@vendor_ts__kqueue-sys-1.0.4//:kqueue_sys", "@vendor_ts__libc-0.2.174//:libc", diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.libredox-0.1.3.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.libredox-0.1.4.bazel similarity index 97% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.libredox-0.1.3.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.libredox-0.1.4.bazel index 1a5916bf230..e1f40827124 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.libredox-0.1.3.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.libredox-0.1.4.bazel @@ -79,10 +79,10 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.1.3", + version = "0.1.4", deps = [ "@vendor_ts__bitflags-2.9.1//:bitflags", "@vendor_ts__libc-0.2.174//:libc", - "@vendor_ts__redox_syscall-0.5.8//:syscall", + "@vendor_ts__redox_syscall-0.5.13//:syscall", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.lock_api-0.4.12.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.lock_api-0.4.13.bazel similarity index 96% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.lock_api-0.4.12.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.lock_api-0.4.13.bazel index 3044c127692..529db737e58 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.lock_api-0.4.12.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.lock_api-0.4.13.bazel @@ -84,9 +84,9 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.4.12", + version = "0.4.13", deps = [ - "@vendor_ts__lock_api-0.4.12//:build_script_build", + "@vendor_ts__lock_api-0.4.13//:build_script_build", "@vendor_ts__scopeguard-1.2.0//:scopeguard", ], ) @@ -140,10 +140,10 @@ cargo_build_script( "noclippy", "norustfmt", ], - version = "0.4.12", + version = "0.4.13", visibility = ["//visibility:private"], deps = [ - "@vendor_ts__autocfg-1.4.0//:autocfg", + "@vendor_ts__autocfg-1.5.0//:autocfg", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.memoffset-0.9.1.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.memoffset-0.9.1.bazel index 19d3d136021..2cc7640b300 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.memoffset-0.9.1.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.memoffset-0.9.1.bazel @@ -140,7 +140,7 @@ cargo_build_script( version = "0.9.1", visibility = ["//visibility:private"], deps = [ - "@vendor_ts__autocfg-1.4.0//:autocfg", + "@vendor_ts__autocfg-1.5.0//:autocfg", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.mio-1.0.3.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.mio-1.0.4.bazel similarity index 96% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.mio-1.0.3.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.mio-1.0.4.bazel index 51e25b92464..d7ec807e4de 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.mio-1.0.3.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.mio-1.0.4.bazel @@ -85,7 +85,7 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "1.0.3", + version = "1.0.4", deps = [ "@vendor_ts__log-0.4.27//:log", ] + select({ @@ -102,7 +102,7 @@ rust_library( "@vendor_ts__libc-0.2.174//:libc", # cfg(unix) ], "@rules_rust//rust/platform:aarch64-pc-windows-msvc": [ - "@vendor_ts__windows-sys-0.52.0//:windows_sys", # cfg(windows) + "@vendor_ts__windows-sys-0.59.0//:windows_sys", # cfg(windows) ], "@rules_rust//rust/platform:aarch64-unknown-fuchsia": [ "@vendor_ts__libc-0.2.174//:libc", # cfg(unix) @@ -132,7 +132,7 @@ rust_library( "@vendor_ts__libc-0.2.174//:libc", # cfg(unix) ], "@rules_rust//rust/platform:i686-pc-windows-msvc": [ - "@vendor_ts__windows-sys-0.52.0//:windows_sys", # cfg(windows) + "@vendor_ts__windows-sys-0.59.0//:windows_sys", # cfg(windows) ], "@rules_rust//rust/platform:i686-unknown-freebsd": [ "@vendor_ts__libc-0.2.174//:libc", # cfg(unix) @@ -148,7 +148,7 @@ rust_library( ], "@rules_rust//rust/platform:wasm32-wasip1": [ "@vendor_ts__libc-0.2.174//:libc", # cfg(target_os = "wasi") - "@vendor_ts__wasi-0.11.0-wasi-snapshot-preview1//:wasi", # cfg(target_os = "wasi") + "@vendor_ts__wasi-0.11.1-wasi-snapshot-preview1//:wasi", # cfg(target_os = "wasi") ], "@rules_rust//rust/platform:x86_64-apple-darwin": [ "@vendor_ts__libc-0.2.174//:libc", # cfg(unix) @@ -160,7 +160,7 @@ rust_library( "@vendor_ts__libc-0.2.174//:libc", # cfg(unix) ], "@rules_rust//rust/platform:x86_64-pc-windows-msvc": [ - "@vendor_ts__windows-sys-0.52.0//:windows_sys", # cfg(windows) + "@vendor_ts__windows-sys-0.59.0//:windows_sys", # cfg(windows) ], "@rules_rust//rust/platform:x86_64-unknown-freebsd": [ "@vendor_ts__libc-0.2.174//:libc", # cfg(unix) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.notify-8.0.0.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.notify-8.0.0.bazel index 2d42cdcc214..03c0fc1ab2f 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.notify-8.0.0.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.notify-8.0.0.bazel @@ -97,39 +97,39 @@ rust_library( "@vendor_ts__fsevent-sys-4.1.0//:fsevent_sys", # aarch64-apple-darwin ], "@rules_rust//rust/platform:aarch64-apple-ios": [ - "@vendor_ts__kqueue-1.0.8//:kqueue", # cfg(any(target_os = "freebsd", target_os = "openbsd", target_os = "netbsd", target_os = "dragonflybsd", target_os = "ios")) - "@vendor_ts__mio-1.0.3//:mio", # cfg(any(target_os = "freebsd", target_os = "openbsd", target_os = "netbsd", target_os = "dragonflybsd", target_os = "ios")) + "@vendor_ts__kqueue-1.1.1//:kqueue", # cfg(any(target_os = "freebsd", target_os = "openbsd", target_os = "netbsd", target_os = "dragonflybsd", target_os = "ios")) + "@vendor_ts__mio-1.0.4//:mio", # cfg(any(target_os = "freebsd", target_os = "openbsd", target_os = "netbsd", target_os = "dragonflybsd", target_os = "ios")) ], "@rules_rust//rust/platform:aarch64-apple-ios-sim": [ - "@vendor_ts__kqueue-1.0.8//:kqueue", # cfg(any(target_os = "freebsd", target_os = "openbsd", target_os = "netbsd", target_os = "dragonflybsd", target_os = "ios")) - "@vendor_ts__mio-1.0.3//:mio", # cfg(any(target_os = "freebsd", target_os = "openbsd", target_os = "netbsd", target_os = "dragonflybsd", target_os = "ios")) + "@vendor_ts__kqueue-1.1.1//:kqueue", # cfg(any(target_os = "freebsd", target_os = "openbsd", target_os = "netbsd", target_os = "dragonflybsd", target_os = "ios")) + "@vendor_ts__mio-1.0.4//:mio", # cfg(any(target_os = "freebsd", target_os = "openbsd", target_os = "netbsd", target_os = "dragonflybsd", target_os = "ios")) ], "@rules_rust//rust/platform:aarch64-linux-android": [ "@vendor_ts__inotify-0.11.0//:inotify", # cfg(any(target_os = "linux", target_os = "android")) - "@vendor_ts__mio-1.0.3//:mio", # cfg(any(target_os = "linux", target_os = "android")) + "@vendor_ts__mio-1.0.4//:mio", # cfg(any(target_os = "linux", target_os = "android")) ], "@rules_rust//rust/platform:aarch64-pc-windows-msvc": [ "@vendor_ts__windows-sys-0.59.0//:windows_sys", # cfg(windows) ], "@rules_rust//rust/platform:aarch64-unknown-linux-gnu": [ "@vendor_ts__inotify-0.11.0//:inotify", # cfg(any(target_os = "linux", target_os = "android")) - "@vendor_ts__mio-1.0.3//:mio", # cfg(any(target_os = "linux", target_os = "android")) + "@vendor_ts__mio-1.0.4//:mio", # cfg(any(target_os = "linux", target_os = "android")) ], "@rules_rust//rust/platform:aarch64-unknown-nixos-gnu": [ "@vendor_ts__inotify-0.11.0//:inotify", # cfg(any(target_os = "linux", target_os = "android")) - "@vendor_ts__mio-1.0.3//:mio", # cfg(any(target_os = "linux", target_os = "android")) + "@vendor_ts__mio-1.0.4//:mio", # cfg(any(target_os = "linux", target_os = "android")) ], "@rules_rust//rust/platform:arm-unknown-linux-gnueabi": [ "@vendor_ts__inotify-0.11.0//:inotify", # cfg(any(target_os = "linux", target_os = "android")) - "@vendor_ts__mio-1.0.3//:mio", # cfg(any(target_os = "linux", target_os = "android")) + "@vendor_ts__mio-1.0.4//:mio", # cfg(any(target_os = "linux", target_os = "android")) ], "@rules_rust//rust/platform:armv7-linux-androideabi": [ "@vendor_ts__inotify-0.11.0//:inotify", # cfg(any(target_os = "linux", target_os = "android")) - "@vendor_ts__mio-1.0.3//:mio", # cfg(any(target_os = "linux", target_os = "android")) + "@vendor_ts__mio-1.0.4//:mio", # cfg(any(target_os = "linux", target_os = "android")) ], "@rules_rust//rust/platform:armv7-unknown-linux-gnueabi": [ "@vendor_ts__inotify-0.11.0//:inotify", # cfg(any(target_os = "linux", target_os = "android")) - "@vendor_ts__mio-1.0.3//:mio", # cfg(any(target_os = "linux", target_os = "android")) + "@vendor_ts__mio-1.0.4//:mio", # cfg(any(target_os = "linux", target_os = "android")) ], "@rules_rust//rust/platform:i686-apple-darwin": [ "@vendor_ts__bitflags-2.9.1//:bitflags", # cfg(target_os = "macos") @@ -137,53 +137,53 @@ rust_library( ], "@rules_rust//rust/platform:i686-linux-android": [ "@vendor_ts__inotify-0.11.0//:inotify", # cfg(any(target_os = "linux", target_os = "android")) - "@vendor_ts__mio-1.0.3//:mio", # cfg(any(target_os = "linux", target_os = "android")) + "@vendor_ts__mio-1.0.4//:mio", # cfg(any(target_os = "linux", target_os = "android")) ], "@rules_rust//rust/platform:i686-pc-windows-msvc": [ "@vendor_ts__windows-sys-0.59.0//:windows_sys", # cfg(windows) ], "@rules_rust//rust/platform:i686-unknown-freebsd": [ - "@vendor_ts__kqueue-1.0.8//:kqueue", # cfg(any(target_os = "freebsd", target_os = "openbsd", target_os = "netbsd", target_os = "dragonflybsd", target_os = "ios")) - "@vendor_ts__mio-1.0.3//:mio", # cfg(any(target_os = "freebsd", target_os = "openbsd", target_os = "netbsd", target_os = "dragonflybsd", target_os = "ios")) + "@vendor_ts__kqueue-1.1.1//:kqueue", # cfg(any(target_os = "freebsd", target_os = "openbsd", target_os = "netbsd", target_os = "dragonflybsd", target_os = "ios")) + "@vendor_ts__mio-1.0.4//:mio", # cfg(any(target_os = "freebsd", target_os = "openbsd", target_os = "netbsd", target_os = "dragonflybsd", target_os = "ios")) ], "@rules_rust//rust/platform:i686-unknown-linux-gnu": [ "@vendor_ts__inotify-0.11.0//:inotify", # cfg(any(target_os = "linux", target_os = "android")) - "@vendor_ts__mio-1.0.3//:mio", # cfg(any(target_os = "linux", target_os = "android")) + "@vendor_ts__mio-1.0.4//:mio", # cfg(any(target_os = "linux", target_os = "android")) ], "@rules_rust//rust/platform:powerpc-unknown-linux-gnu": [ "@vendor_ts__inotify-0.11.0//:inotify", # cfg(any(target_os = "linux", target_os = "android")) - "@vendor_ts__mio-1.0.3//:mio", # cfg(any(target_os = "linux", target_os = "android")) + "@vendor_ts__mio-1.0.4//:mio", # cfg(any(target_os = "linux", target_os = "android")) ], "@rules_rust//rust/platform:s390x-unknown-linux-gnu": [ "@vendor_ts__inotify-0.11.0//:inotify", # cfg(any(target_os = "linux", target_os = "android")) - "@vendor_ts__mio-1.0.3//:mio", # cfg(any(target_os = "linux", target_os = "android")) + "@vendor_ts__mio-1.0.4//:mio", # cfg(any(target_os = "linux", target_os = "android")) ], "@rules_rust//rust/platform:x86_64-apple-darwin": [ "@vendor_ts__bitflags-2.9.1//:bitflags", # cfg(target_os = "macos") "@vendor_ts__fsevent-sys-4.1.0//:fsevent_sys", # x86_64-apple-darwin ], "@rules_rust//rust/platform:x86_64-apple-ios": [ - "@vendor_ts__kqueue-1.0.8//:kqueue", # cfg(any(target_os = "freebsd", target_os = "openbsd", target_os = "netbsd", target_os = "dragonflybsd", target_os = "ios")) - "@vendor_ts__mio-1.0.3//:mio", # cfg(any(target_os = "freebsd", target_os = "openbsd", target_os = "netbsd", target_os = "dragonflybsd", target_os = "ios")) + "@vendor_ts__kqueue-1.1.1//:kqueue", # cfg(any(target_os = "freebsd", target_os = "openbsd", target_os = "netbsd", target_os = "dragonflybsd", target_os = "ios")) + "@vendor_ts__mio-1.0.4//:mio", # cfg(any(target_os = "freebsd", target_os = "openbsd", target_os = "netbsd", target_os = "dragonflybsd", target_os = "ios")) ], "@rules_rust//rust/platform:x86_64-linux-android": [ "@vendor_ts__inotify-0.11.0//:inotify", # cfg(any(target_os = "linux", target_os = "android")) - "@vendor_ts__mio-1.0.3//:mio", # cfg(any(target_os = "linux", target_os = "android")) + "@vendor_ts__mio-1.0.4//:mio", # cfg(any(target_os = "linux", target_os = "android")) ], "@rules_rust//rust/platform:x86_64-pc-windows-msvc": [ "@vendor_ts__windows-sys-0.59.0//:windows_sys", # cfg(windows) ], "@rules_rust//rust/platform:x86_64-unknown-freebsd": [ - "@vendor_ts__kqueue-1.0.8//:kqueue", # cfg(any(target_os = "freebsd", target_os = "openbsd", target_os = "netbsd", target_os = "dragonflybsd", target_os = "ios")) - "@vendor_ts__mio-1.0.3//:mio", # cfg(any(target_os = "freebsd", target_os = "openbsd", target_os = "netbsd", target_os = "dragonflybsd", target_os = "ios")) + "@vendor_ts__kqueue-1.1.1//:kqueue", # cfg(any(target_os = "freebsd", target_os = "openbsd", target_os = "netbsd", target_os = "dragonflybsd", target_os = "ios")) + "@vendor_ts__mio-1.0.4//:mio", # cfg(any(target_os = "freebsd", target_os = "openbsd", target_os = "netbsd", target_os = "dragonflybsd", target_os = "ios")) ], "@rules_rust//rust/platform:x86_64-unknown-linux-gnu": [ "@vendor_ts__inotify-0.11.0//:inotify", # cfg(any(target_os = "linux", target_os = "android")) - "@vendor_ts__mio-1.0.3//:mio", # cfg(any(target_os = "linux", target_os = "android")) + "@vendor_ts__mio-1.0.4//:mio", # cfg(any(target_os = "linux", target_os = "android")) ], "@rules_rust//rust/platform:x86_64-unknown-nixos-gnu": [ "@vendor_ts__inotify-0.11.0//:inotify", # cfg(any(target_os = "linux", target_os = "android")) - "@vendor_ts__mio-1.0.3//:mio", # cfg(any(target_os = "linux", target_os = "android")) + "@vendor_ts__mio-1.0.4//:mio", # cfg(any(target_os = "linux", target_os = "android")) ], "//conditions:default": [], }), diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.num-traits-0.2.19.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.num-traits-0.2.19.bazel index 96213437ade..48edd376679 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.num-traits-0.2.19.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.num-traits-0.2.19.bazel @@ -142,7 +142,7 @@ cargo_build_script( version = "0.2.19", visibility = ["//visibility:private"], deps = [ - "@vendor_ts__autocfg-1.4.0//:autocfg", + "@vendor_ts__autocfg-1.5.0//:autocfg", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.once_cell-1.20.3.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.once_cell-1.21.3.bazel similarity index 99% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.once_cell-1.20.3.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.once_cell-1.21.3.bazel index 5b194f587bb..cdeee345efa 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.once_cell-1.20.3.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.once_cell-1.21.3.bazel @@ -85,5 +85,5 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "1.20.3", + version = "1.21.3", ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.once_cell_polyfill-1.70.1.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.once_cell_polyfill-1.70.1.bazel new file mode 100644 index 00000000000..28c43629922 --- /dev/null +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.once_cell_polyfill-1.70.1.bazel @@ -0,0 +1,86 @@ +############################################################################### +# @generated +# DO NOT MODIFY: This file is auto-generated by a crate_universe tool. To +# regenerate this file, run the following: +# +# bazel run @@//misc/bazel/3rdparty:vendor_tree_sitter_extractors +############################################################################### + +load("@rules_rust//rust:defs.bzl", "rust_library") + +package(default_visibility = ["//visibility:public"]) + +rust_library( + name = "once_cell_polyfill", + srcs = glob( + include = ["**/*.rs"], + allow_empty = True, + ), + compile_data = glob( + include = ["**"], + allow_empty = True, + exclude = [ + "**/* *", + ".tmp_git_root/**/*", + "BUILD", + "BUILD.bazel", + "WORKSPACE", + "WORKSPACE.bazel", + ], + ), + crate_features = [ + "default", + ], + crate_root = "src/lib.rs", + edition = "2021", + rustc_flags = [ + "--cap-lints=allow", + ], + tags = [ + "cargo-bazel", + "crate-name=once_cell_polyfill", + "manual", + "noclippy", + "norustfmt", + ], + target_compatible_with = select({ + "@rules_rust//rust/platform:aarch64-apple-darwin": [], + "@rules_rust//rust/platform:aarch64-apple-ios": [], + "@rules_rust//rust/platform:aarch64-apple-ios-sim": [], + "@rules_rust//rust/platform:aarch64-linux-android": [], + "@rules_rust//rust/platform:aarch64-pc-windows-msvc": [], + "@rules_rust//rust/platform:aarch64-unknown-fuchsia": [], + "@rules_rust//rust/platform:aarch64-unknown-linux-gnu": [], + "@rules_rust//rust/platform:aarch64-unknown-nixos-gnu": [], + "@rules_rust//rust/platform:aarch64-unknown-nto-qnx710": [], + "@rules_rust//rust/platform:aarch64-unknown-uefi": [], + "@rules_rust//rust/platform:arm-unknown-linux-gnueabi": [], + "@rules_rust//rust/platform:armv7-linux-androideabi": [], + "@rules_rust//rust/platform:armv7-unknown-linux-gnueabi": [], + "@rules_rust//rust/platform:i686-apple-darwin": [], + "@rules_rust//rust/platform:i686-linux-android": [], + "@rules_rust//rust/platform:i686-pc-windows-msvc": [], + "@rules_rust//rust/platform:i686-unknown-freebsd": [], + "@rules_rust//rust/platform:i686-unknown-linux-gnu": [], + "@rules_rust//rust/platform:powerpc-unknown-linux-gnu": [], + "@rules_rust//rust/platform:riscv32imc-unknown-none-elf": [], + "@rules_rust//rust/platform:riscv64gc-unknown-none-elf": [], + "@rules_rust//rust/platform:s390x-unknown-linux-gnu": [], + "@rules_rust//rust/platform:thumbv7em-none-eabi": [], + "@rules_rust//rust/platform:thumbv8m.main-none-eabi": [], + "@rules_rust//rust/platform:wasm32-unknown-unknown": [], + "@rules_rust//rust/platform:wasm32-wasip1": [], + "@rules_rust//rust/platform:x86_64-apple-darwin": [], + "@rules_rust//rust/platform:x86_64-apple-ios": [], + "@rules_rust//rust/platform:x86_64-linux-android": [], + "@rules_rust//rust/platform:x86_64-pc-windows-msvc": [], + "@rules_rust//rust/platform:x86_64-unknown-freebsd": [], + "@rules_rust//rust/platform:x86_64-unknown-fuchsia": [], + "@rules_rust//rust/platform:x86_64-unknown-linux-gnu": [], + "@rules_rust//rust/platform:x86_64-unknown-nixos-gnu": [], + "@rules_rust//rust/platform:x86_64-unknown-none": [], + "@rules_rust//rust/platform:x86_64-unknown-uefi": [], + "//conditions:default": ["@platforms//:incompatible"], + }), + version = "1.70.1", +) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.papaya-0.2.3.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.papaya-0.2.3.bazel new file mode 100644 index 00000000000..08d725ad912 --- /dev/null +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.papaya-0.2.3.bazel @@ -0,0 +1,90 @@ +############################################################################### +# @generated +# DO NOT MODIFY: This file is auto-generated by a crate_universe tool. To +# regenerate this file, run the following: +# +# bazel run @@//misc/bazel/3rdparty:vendor_tree_sitter_extractors +############################################################################### + +load("@rules_rust//rust:defs.bzl", "rust_library") + +package(default_visibility = ["//visibility:public"]) + +rust_library( + name = "papaya", + srcs = glob( + include = ["**/*.rs"], + allow_empty = True, + ), + compile_data = glob( + include = ["**"], + allow_empty = True, + exclude = [ + "**/* *", + ".tmp_git_root/**/*", + "BUILD", + "BUILD.bazel", + "WORKSPACE", + "WORKSPACE.bazel", + ], + ), + crate_features = [ + "default", + ], + crate_root = "src/lib.rs", + edition = "2021", + rustc_flags = [ + "--cap-lints=allow", + ], + tags = [ + "cargo-bazel", + "crate-name=papaya", + "manual", + "noclippy", + "norustfmt", + ], + target_compatible_with = select({ + "@rules_rust//rust/platform:aarch64-apple-darwin": [], + "@rules_rust//rust/platform:aarch64-apple-ios": [], + "@rules_rust//rust/platform:aarch64-apple-ios-sim": [], + "@rules_rust//rust/platform:aarch64-linux-android": [], + "@rules_rust//rust/platform:aarch64-pc-windows-msvc": [], + "@rules_rust//rust/platform:aarch64-unknown-fuchsia": [], + "@rules_rust//rust/platform:aarch64-unknown-linux-gnu": [], + "@rules_rust//rust/platform:aarch64-unknown-nixos-gnu": [], + "@rules_rust//rust/platform:aarch64-unknown-nto-qnx710": [], + "@rules_rust//rust/platform:aarch64-unknown-uefi": [], + "@rules_rust//rust/platform:arm-unknown-linux-gnueabi": [], + "@rules_rust//rust/platform:armv7-linux-androideabi": [], + "@rules_rust//rust/platform:armv7-unknown-linux-gnueabi": [], + "@rules_rust//rust/platform:i686-apple-darwin": [], + "@rules_rust//rust/platform:i686-linux-android": [], + "@rules_rust//rust/platform:i686-pc-windows-msvc": [], + "@rules_rust//rust/platform:i686-unknown-freebsd": [], + "@rules_rust//rust/platform:i686-unknown-linux-gnu": [], + "@rules_rust//rust/platform:powerpc-unknown-linux-gnu": [], + "@rules_rust//rust/platform:riscv32imc-unknown-none-elf": [], + "@rules_rust//rust/platform:riscv64gc-unknown-none-elf": [], + "@rules_rust//rust/platform:s390x-unknown-linux-gnu": [], + "@rules_rust//rust/platform:thumbv7em-none-eabi": [], + "@rules_rust//rust/platform:thumbv8m.main-none-eabi": [], + "@rules_rust//rust/platform:wasm32-unknown-unknown": [], + "@rules_rust//rust/platform:wasm32-wasip1": [], + "@rules_rust//rust/platform:x86_64-apple-darwin": [], + "@rules_rust//rust/platform:x86_64-apple-ios": [], + "@rules_rust//rust/platform:x86_64-linux-android": [], + "@rules_rust//rust/platform:x86_64-pc-windows-msvc": [], + "@rules_rust//rust/platform:x86_64-unknown-freebsd": [], + "@rules_rust//rust/platform:x86_64-unknown-fuchsia": [], + "@rules_rust//rust/platform:x86_64-unknown-linux-gnu": [], + "@rules_rust//rust/platform:x86_64-unknown-nixos-gnu": [], + "@rules_rust//rust/platform:x86_64-unknown-none": [], + "@rules_rust//rust/platform:x86_64-unknown-uefi": [], + "//conditions:default": ["@platforms//:incompatible"], + }), + version = "0.2.3", + deps = [ + "@vendor_ts__equivalent-1.0.2//:equivalent", + "@vendor_ts__seize-0.5.0//:seize", + ], +) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.parking_lot-0.12.3.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.parking_lot-0.12.4.bazel similarity index 96% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.parking_lot-0.12.3.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.parking_lot-0.12.4.bazel index 8dc49b684be..21ca868e69a 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.parking_lot-0.12.3.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.parking_lot-0.12.4.bazel @@ -82,9 +82,9 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.12.3", + version = "0.12.4", deps = [ - "@vendor_ts__lock_api-0.4.12//:lock_api", - "@vendor_ts__parking_lot_core-0.9.10//:parking_lot_core", + "@vendor_ts__lock_api-0.4.13//:lock_api", + "@vendor_ts__parking_lot_core-0.9.11//:parking_lot_core", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.parking_lot_core-0.9.10.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.parking_lot_core-0.9.11.bazel similarity index 98% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.parking_lot_core-0.9.10.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.parking_lot_core-0.9.11.bazel index 0ecb5f8d20d..5ccbe980ef5 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.parking_lot_core-0.9.10.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.parking_lot_core-0.9.11.bazel @@ -80,10 +80,10 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.9.10", + version = "0.9.11", deps = [ "@vendor_ts__cfg-if-1.0.1//:cfg_if", - "@vendor_ts__parking_lot_core-0.9.10//:build_script_build", + "@vendor_ts__parking_lot_core-0.9.11//:build_script_build", "@vendor_ts__smallvec-1.15.1//:smallvec", ] + select({ "@rules_rust//rust/platform:aarch64-apple-darwin": [ @@ -216,7 +216,7 @@ cargo_build_script( "noclippy", "norustfmt", ], - version = "0.9.10", + version = "0.9.11", visibility = ["//visibility:private"], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.pear_codegen-0.2.9.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.pear_codegen-0.2.9.bazel index 4cdca3b4365..7639db0cadd 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.pear_codegen-0.2.9.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.pear_codegen-0.2.9.bazel @@ -84,6 +84,6 @@ rust_proc_macro( "@vendor_ts__proc-macro2-1.0.95//:proc_macro2", "@vendor_ts__proc-macro2-diagnostics-0.10.1//:proc_macro2_diagnostics", "@vendor_ts__quote-1.0.40//:quote", - "@vendor_ts__syn-2.0.103//:syn", + "@vendor_ts__syn-2.0.104//:syn", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.petgraph-0.6.5.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.petgraph-0.6.5.bazel index ac85fb246bd..4adeb22a182 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.petgraph-0.6.5.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.petgraph-0.6.5.bazel @@ -88,6 +88,6 @@ rust_library( version = "0.6.5", deps = [ "@vendor_ts__fixedbitset-0.4.2//:fixedbitset", - "@vendor_ts__indexmap-2.9.0//:indexmap", + "@vendor_ts__indexmap-2.10.0//:indexmap", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.portable-atomic-1.11.0.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.portable-atomic-1.11.1.bazel similarity index 97% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.portable-atomic-1.11.0.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.portable-atomic-1.11.1.bazel index e246d3aa71d..146cc410b04 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.portable-atomic-1.11.0.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.portable-atomic-1.11.1.bazel @@ -84,9 +84,9 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "1.11.0", + version = "1.11.1", deps = [ - "@vendor_ts__portable-atomic-1.11.0//:build_script_build", + "@vendor_ts__portable-atomic-1.11.1//:build_script_build", ], ) @@ -139,7 +139,7 @@ cargo_build_script( "noclippy", "norustfmt", ], - version = "1.11.0", + version = "1.11.1", visibility = ["//visibility:private"], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.proc-macro2-1.0.95.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.proc-macro2-1.0.95.bazel index 4466b330c77..2045bcf6e0c 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.proc-macro2-1.0.95.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.proc-macro2-1.0.95.bazel @@ -87,7 +87,7 @@ rust_library( version = "1.0.95", deps = [ "@vendor_ts__proc-macro2-1.0.95//:build_script_build", - "@vendor_ts__unicode-ident-1.0.17//:unicode_ident", + "@vendor_ts__unicode-ident-1.0.18//:unicode_ident", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.proc-macro2-diagnostics-0.10.1.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.proc-macro2-diagnostics-0.10.1.bazel index 39640ee37a5..5ea9654963f 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.proc-macro2-diagnostics-0.10.1.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.proc-macro2-diagnostics-0.10.1.bazel @@ -90,7 +90,7 @@ rust_library( "@vendor_ts__proc-macro2-1.0.95//:proc_macro2", "@vendor_ts__proc-macro2-diagnostics-0.10.1//:build_script_build", "@vendor_ts__quote-1.0.40//:quote", - "@vendor_ts__syn-2.0.103//:syn", + "@vendor_ts__syn-2.0.104//:syn", "@vendor_ts__yansi-1.0.1//:yansi", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra-ap-rustc_hashes-0.116.0.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra-ap-rustc_hashes-0.116.0.bazel index 2c21da8c43a..beae7e9f947 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra-ap-rustc_hashes-0.116.0.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra-ap-rustc_hashes-0.116.0.bazel @@ -81,6 +81,6 @@ rust_library( }), version = "0.116.0", deps = [ - "@vendor_ts__rustc-stable-hash-0.1.1//:rustc_stable_hash", + "@vendor_ts__rustc-stable-hash-0.1.2//:rustc_stable_hash", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra-ap-rustc_index_macros-0.116.0.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra-ap-rustc_index_macros-0.116.0.bazel index 7e4ec5d88a9..9185230c160 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra-ap-rustc_index_macros-0.116.0.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra-ap-rustc_index_macros-0.116.0.bazel @@ -83,6 +83,6 @@ rust_proc_macro( deps = [ "@vendor_ts__proc-macro2-1.0.95//:proc_macro2", "@vendor_ts__quote-1.0.40//:quote", - "@vendor_ts__syn-2.0.103//:syn", + "@vendor_ts__syn-2.0.104//:syn", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_base_db-0.0.288.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_base_db-0.0.294.bazel similarity index 81% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_base_db-0.0.288.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_base_db-0.0.294.bazel index 41eee11ea51..925e2c41264 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_base_db-0.0.288.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_base_db-0.0.294.bazel @@ -17,12 +17,12 @@ rust_library( allow_empty = True, ), aliases = { - "@vendor_ts__ra_ap_cfg-0.0.288//:ra_ap_cfg": "cfg", - "@vendor_ts__ra_ap_intern-0.0.288//:ra_ap_intern": "intern", - "@vendor_ts__ra_ap_query-group-macro-0.0.288//:ra_ap_query_group_macro": "query_group", - "@vendor_ts__ra_ap_span-0.0.288//:ra_ap_span": "span", - "@vendor_ts__ra_ap_syntax-0.0.288//:ra_ap_syntax": "syntax", - "@vendor_ts__ra_ap_vfs-0.0.288//:ra_ap_vfs": "vfs", + "@vendor_ts__ra_ap_cfg-0.0.294//:ra_ap_cfg": "cfg", + "@vendor_ts__ra_ap_intern-0.0.294//:ra_ap_intern": "intern", + "@vendor_ts__ra_ap_query-group-macro-0.0.294//:ra_ap_query_group_macro": "query_group", + "@vendor_ts__ra_ap_span-0.0.294//:ra_ap_span": "span", + "@vendor_ts__ra_ap_syntax-0.0.294//:ra_ap_syntax": "syntax", + "@vendor_ts__ra_ap_vfs-0.0.294//:ra_ap_vfs": "vfs", }, compile_data = glob( include = ["**"], @@ -39,8 +39,8 @@ rust_library( crate_root = "src/lib.rs", edition = "2024", proc_macro_deps = [ - "@vendor_ts__ra_ap_query-group-macro-0.0.288//:ra_ap_query_group_macro", - "@vendor_ts__salsa-macros-0.22.0//:salsa_macros", + "@vendor_ts__ra_ap_query-group-macro-0.0.294//:ra_ap_query_group_macro", + "@vendor_ts__salsa-macros-0.23.0//:salsa_macros", ], rustc_flags = [ "--cap-lints=allow", @@ -91,18 +91,18 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.0.288", + version = "0.0.294", deps = [ "@vendor_ts__dashmap-6.1.0//:dashmap", - "@vendor_ts__indexmap-2.9.0//:indexmap", + "@vendor_ts__indexmap-2.10.0//:indexmap", "@vendor_ts__la-arena-0.3.1//:la_arena", - "@vendor_ts__ra_ap_cfg-0.0.288//:ra_ap_cfg", - "@vendor_ts__ra_ap_intern-0.0.288//:ra_ap_intern", - "@vendor_ts__ra_ap_span-0.0.288//:ra_ap_span", - "@vendor_ts__ra_ap_syntax-0.0.288//:ra_ap_syntax", - "@vendor_ts__ra_ap_vfs-0.0.288//:ra_ap_vfs", + "@vendor_ts__ra_ap_cfg-0.0.294//:ra_ap_cfg", + "@vendor_ts__ra_ap_intern-0.0.294//:ra_ap_intern", + "@vendor_ts__ra_ap_span-0.0.294//:ra_ap_span", + "@vendor_ts__ra_ap_syntax-0.0.294//:ra_ap_syntax", + "@vendor_ts__ra_ap_vfs-0.0.294//:ra_ap_vfs", "@vendor_ts__rustc-hash-2.1.1//:rustc_hash", - "@vendor_ts__salsa-0.22.0//:salsa", + "@vendor_ts__salsa-0.23.0//:salsa", "@vendor_ts__semver-1.0.26//:semver", "@vendor_ts__tracing-0.1.41//:tracing", "@vendor_ts__triomphe-0.1.14//:triomphe", diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_cfg-0.0.288.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_cfg-0.0.294.bazel similarity index 93% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_cfg-0.0.288.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_cfg-0.0.294.bazel index 825ae24a823..7e7adc784db 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_cfg-0.0.288.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_cfg-0.0.294.bazel @@ -17,8 +17,8 @@ rust_library( allow_empty = True, ), aliases = { - "@vendor_ts__ra_ap_intern-0.0.288//:ra_ap_intern": "intern", - "@vendor_ts__ra_ap_tt-0.0.288//:ra_ap_tt": "tt", + "@vendor_ts__ra_ap_intern-0.0.294//:ra_ap_intern": "intern", + "@vendor_ts__ra_ap_tt-0.0.294//:ra_ap_tt": "tt", }, compile_data = glob( include = ["**"], @@ -86,10 +86,10 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.0.288", + version = "0.0.294", deps = [ - "@vendor_ts__ra_ap_intern-0.0.288//:ra_ap_intern", - "@vendor_ts__ra_ap_tt-0.0.288//:ra_ap_tt", + "@vendor_ts__ra_ap_intern-0.0.294//:ra_ap_intern", + "@vendor_ts__ra_ap_tt-0.0.294//:ra_ap_tt", "@vendor_ts__rustc-hash-2.1.1//:rustc_hash", "@vendor_ts__tracing-0.1.41//:tracing", ], diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_edition-0.0.288.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_edition-0.0.294.bazel similarity index 99% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_edition-0.0.288.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_edition-0.0.294.bazel index c0bdb7f2461..682e6af5823 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_edition-0.0.288.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_edition-0.0.294.bazel @@ -79,5 +79,5 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.0.288", + version = "0.0.294", ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_hir-0.0.288.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_hir-0.0.294.bazel similarity index 75% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_hir-0.0.288.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_hir-0.0.294.bazel index 72ba942959f..98321aa0bbe 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_hir-0.0.288.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_hir-0.0.294.bazel @@ -17,16 +17,16 @@ rust_library( allow_empty = True, ), aliases = { - "@vendor_ts__ra_ap_base_db-0.0.288//:ra_ap_base_db": "base_db", - "@vendor_ts__ra_ap_cfg-0.0.288//:ra_ap_cfg": "cfg", - "@vendor_ts__ra_ap_hir_def-0.0.288//:ra_ap_hir_def": "hir_def", - "@vendor_ts__ra_ap_hir_expand-0.0.288//:ra_ap_hir_expand": "hir_expand", - "@vendor_ts__ra_ap_hir_ty-0.0.288//:ra_ap_hir_ty": "hir_ty", - "@vendor_ts__ra_ap_intern-0.0.288//:ra_ap_intern": "intern", - "@vendor_ts__ra_ap_span-0.0.288//:ra_ap_span": "span", - "@vendor_ts__ra_ap_stdx-0.0.288//:ra_ap_stdx": "stdx", - "@vendor_ts__ra_ap_syntax-0.0.288//:ra_ap_syntax": "syntax", - "@vendor_ts__ra_ap_tt-0.0.288//:ra_ap_tt": "tt", + "@vendor_ts__ra_ap_base_db-0.0.294//:ra_ap_base_db": "base_db", + "@vendor_ts__ra_ap_cfg-0.0.294//:ra_ap_cfg": "cfg", + "@vendor_ts__ra_ap_hir_def-0.0.294//:ra_ap_hir_def": "hir_def", + "@vendor_ts__ra_ap_hir_expand-0.0.294//:ra_ap_hir_expand": "hir_expand", + "@vendor_ts__ra_ap_hir_ty-0.0.294//:ra_ap_hir_ty": "hir_ty", + "@vendor_ts__ra_ap_intern-0.0.294//:ra_ap_intern": "intern", + "@vendor_ts__ra_ap_span-0.0.294//:ra_ap_span": "span", + "@vendor_ts__ra_ap_stdx-0.0.294//:ra_ap_stdx": "stdx", + "@vendor_ts__ra_ap_syntax-0.0.294//:ra_ap_syntax": "syntax", + "@vendor_ts__ra_ap_tt-0.0.294//:ra_ap_tt": "tt", }, compile_data = glob( include = ["**"], @@ -91,22 +91,22 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.0.288", + version = "0.0.294", deps = [ "@vendor_ts__arrayvec-0.7.6//:arrayvec", "@vendor_ts__either-1.15.0//:either", - "@vendor_ts__indexmap-2.9.0//:indexmap", + "@vendor_ts__indexmap-2.10.0//:indexmap", "@vendor_ts__itertools-0.14.0//:itertools", - "@vendor_ts__ra_ap_base_db-0.0.288//:ra_ap_base_db", - "@vendor_ts__ra_ap_cfg-0.0.288//:ra_ap_cfg", - "@vendor_ts__ra_ap_hir_def-0.0.288//:ra_ap_hir_def", - "@vendor_ts__ra_ap_hir_expand-0.0.288//:ra_ap_hir_expand", - "@vendor_ts__ra_ap_hir_ty-0.0.288//:ra_ap_hir_ty", - "@vendor_ts__ra_ap_intern-0.0.288//:ra_ap_intern", - "@vendor_ts__ra_ap_span-0.0.288//:ra_ap_span", - "@vendor_ts__ra_ap_stdx-0.0.288//:ra_ap_stdx", - "@vendor_ts__ra_ap_syntax-0.0.288//:ra_ap_syntax", - "@vendor_ts__ra_ap_tt-0.0.288//:ra_ap_tt", + "@vendor_ts__ra_ap_base_db-0.0.294//:ra_ap_base_db", + "@vendor_ts__ra_ap_cfg-0.0.294//:ra_ap_cfg", + "@vendor_ts__ra_ap_hir_def-0.0.294//:ra_ap_hir_def", + "@vendor_ts__ra_ap_hir_expand-0.0.294//:ra_ap_hir_expand", + "@vendor_ts__ra_ap_hir_ty-0.0.294//:ra_ap_hir_ty", + "@vendor_ts__ra_ap_intern-0.0.294//:ra_ap_intern", + "@vendor_ts__ra_ap_span-0.0.294//:ra_ap_span", + "@vendor_ts__ra_ap_stdx-0.0.294//:ra_ap_stdx", + "@vendor_ts__ra_ap_syntax-0.0.294//:ra_ap_syntax", + "@vendor_ts__ra_ap_tt-0.0.294//:ra_ap_tt", "@vendor_ts__rustc-hash-2.1.1//:rustc_hash", "@vendor_ts__smallvec-1.15.1//:smallvec", "@vendor_ts__tracing-0.1.41//:tracing", diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_hir_def-0.0.288.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_hir_def-0.0.294.bazel similarity index 77% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_hir_def-0.0.288.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_hir_def-0.0.294.bazel index 1e3a2a50bf8..86e3c2bef42 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_hir_def-0.0.288.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_hir_def-0.0.294.bazel @@ -17,16 +17,16 @@ rust_library( allow_empty = True, ), aliases = { - "@vendor_ts__ra_ap_base_db-0.0.288//:ra_ap_base_db": "base_db", - "@vendor_ts__ra_ap_cfg-0.0.288//:ra_ap_cfg": "cfg", - "@vendor_ts__ra_ap_hir_expand-0.0.288//:ra_ap_hir_expand": "hir_expand", - "@vendor_ts__ra_ap_intern-0.0.288//:ra_ap_intern": "intern", - "@vendor_ts__ra_ap_mbe-0.0.288//:ra_ap_mbe": "mbe", - "@vendor_ts__ra_ap_query-group-macro-0.0.288//:ra_ap_query_group_macro": "query_group", - "@vendor_ts__ra_ap_span-0.0.288//:ra_ap_span": "span", - "@vendor_ts__ra_ap_stdx-0.0.288//:ra_ap_stdx": "stdx", - "@vendor_ts__ra_ap_syntax-0.0.288//:ra_ap_syntax": "syntax", - "@vendor_ts__ra_ap_tt-0.0.288//:ra_ap_tt": "tt", + "@vendor_ts__ra_ap_base_db-0.0.294//:ra_ap_base_db": "base_db", + "@vendor_ts__ra_ap_cfg-0.0.294//:ra_ap_cfg": "cfg", + "@vendor_ts__ra_ap_hir_expand-0.0.294//:ra_ap_hir_expand": "hir_expand", + "@vendor_ts__ra_ap_intern-0.0.294//:ra_ap_intern": "intern", + "@vendor_ts__ra_ap_mbe-0.0.294//:ra_ap_mbe": "mbe", + "@vendor_ts__ra_ap_query-group-macro-0.0.294//:ra_ap_query_group_macro": "query_group", + "@vendor_ts__ra_ap_span-0.0.294//:ra_ap_span": "span", + "@vendor_ts__ra_ap_stdx-0.0.294//:ra_ap_stdx": "stdx", + "@vendor_ts__ra_ap_syntax-0.0.294//:ra_ap_syntax": "syntax", + "@vendor_ts__ra_ap_tt-0.0.294//:ra_ap_tt": "tt", }, compile_data = glob( include = ["**"], @@ -43,8 +43,8 @@ rust_library( crate_root = "src/lib.rs", edition = "2024", proc_macro_deps = [ - "@vendor_ts__ra_ap_query-group-macro-0.0.288//:ra_ap_query_group_macro", - "@vendor_ts__salsa-macros-0.22.0//:salsa_macros", + "@vendor_ts__ra_ap_query-group-macro-0.0.294//:ra_ap_query_group_macro", + "@vendor_ts__salsa-macros-0.23.0//:salsa_macros", ], rustc_flags = [ "--cap-lints=allow", @@ -95,7 +95,7 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.0.288", + version = "0.0.294", deps = [ "@vendor_ts__arrayvec-0.7.6//:arrayvec", "@vendor_ts__bitflags-2.9.1//:bitflags", @@ -103,23 +103,23 @@ rust_library( "@vendor_ts__drop_bomb-0.1.5//:drop_bomb", "@vendor_ts__either-1.15.0//:either", "@vendor_ts__fst-0.4.7//:fst", - "@vendor_ts__indexmap-2.9.0//:indexmap", + "@vendor_ts__indexmap-2.10.0//:indexmap", "@vendor_ts__itertools-0.14.0//:itertools", "@vendor_ts__la-arena-0.3.1//:la_arena", "@vendor_ts__ra-ap-rustc_abi-0.116.0//:ra_ap_rustc_abi", "@vendor_ts__ra-ap-rustc_parse_format-0.116.0//:ra_ap_rustc_parse_format", - "@vendor_ts__ra_ap_base_db-0.0.288//:ra_ap_base_db", - "@vendor_ts__ra_ap_cfg-0.0.288//:ra_ap_cfg", - "@vendor_ts__ra_ap_hir_expand-0.0.288//:ra_ap_hir_expand", - "@vendor_ts__ra_ap_intern-0.0.288//:ra_ap_intern", - "@vendor_ts__ra_ap_mbe-0.0.288//:ra_ap_mbe", - "@vendor_ts__ra_ap_span-0.0.288//:ra_ap_span", - "@vendor_ts__ra_ap_stdx-0.0.288//:ra_ap_stdx", - "@vendor_ts__ra_ap_syntax-0.0.288//:ra_ap_syntax", - "@vendor_ts__ra_ap_tt-0.0.288//:ra_ap_tt", + "@vendor_ts__ra_ap_base_db-0.0.294//:ra_ap_base_db", + "@vendor_ts__ra_ap_cfg-0.0.294//:ra_ap_cfg", + "@vendor_ts__ra_ap_hir_expand-0.0.294//:ra_ap_hir_expand", + "@vendor_ts__ra_ap_intern-0.0.294//:ra_ap_intern", + "@vendor_ts__ra_ap_mbe-0.0.294//:ra_ap_mbe", + "@vendor_ts__ra_ap_span-0.0.294//:ra_ap_span", + "@vendor_ts__ra_ap_stdx-0.0.294//:ra_ap_stdx", + "@vendor_ts__ra_ap_syntax-0.0.294//:ra_ap_syntax", + "@vendor_ts__ra_ap_tt-0.0.294//:ra_ap_tt", "@vendor_ts__rustc-hash-2.1.1//:rustc_hash", "@vendor_ts__rustc_apfloat-0.2.3-llvm-462a31f5a5ab//:rustc_apfloat", - "@vendor_ts__salsa-0.22.0//:salsa", + "@vendor_ts__salsa-0.23.0//:salsa", "@vendor_ts__smallvec-1.15.1//:smallvec", "@vendor_ts__text-size-1.1.1//:text_size", "@vendor_ts__thin-vec-0.2.14//:thin_vec", diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_hir_expand-0.0.288.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_hir_expand-0.0.294.bazel similarity index 73% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_hir_expand-0.0.288.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_hir_expand-0.0.294.bazel index e3ef7c1e509..1dd7396ce9d 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_hir_expand-0.0.288.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_hir_expand-0.0.294.bazel @@ -17,17 +17,17 @@ rust_library( allow_empty = True, ), aliases = { - "@vendor_ts__ra_ap_base_db-0.0.288//:ra_ap_base_db": "base_db", - "@vendor_ts__ra_ap_cfg-0.0.288//:ra_ap_cfg": "cfg", - "@vendor_ts__ra_ap_intern-0.0.288//:ra_ap_intern": "intern", - "@vendor_ts__ra_ap_mbe-0.0.288//:ra_ap_mbe": "mbe", - "@vendor_ts__ra_ap_parser-0.0.288//:ra_ap_parser": "parser", - "@vendor_ts__ra_ap_query-group-macro-0.0.288//:ra_ap_query_group_macro": "query_group", - "@vendor_ts__ra_ap_span-0.0.288//:ra_ap_span": "span", - "@vendor_ts__ra_ap_stdx-0.0.288//:ra_ap_stdx": "stdx", - "@vendor_ts__ra_ap_syntax-0.0.288//:ra_ap_syntax": "syntax", - "@vendor_ts__ra_ap_syntax-bridge-0.0.288//:ra_ap_syntax_bridge": "syntax_bridge", - "@vendor_ts__ra_ap_tt-0.0.288//:ra_ap_tt": "tt", + "@vendor_ts__ra_ap_base_db-0.0.294//:ra_ap_base_db": "base_db", + "@vendor_ts__ra_ap_cfg-0.0.294//:ra_ap_cfg": "cfg", + "@vendor_ts__ra_ap_intern-0.0.294//:ra_ap_intern": "intern", + "@vendor_ts__ra_ap_mbe-0.0.294//:ra_ap_mbe": "mbe", + "@vendor_ts__ra_ap_parser-0.0.294//:ra_ap_parser": "parser", + "@vendor_ts__ra_ap_query-group-macro-0.0.294//:ra_ap_query_group_macro": "query_group", + "@vendor_ts__ra_ap_span-0.0.294//:ra_ap_span": "span", + "@vendor_ts__ra_ap_stdx-0.0.294//:ra_ap_stdx": "stdx", + "@vendor_ts__ra_ap_syntax-0.0.294//:ra_ap_syntax": "syntax", + "@vendor_ts__ra_ap_syntax-bridge-0.0.294//:ra_ap_syntax_bridge": "syntax_bridge", + "@vendor_ts__ra_ap_tt-0.0.294//:ra_ap_tt": "tt", }, compile_data = glob( include = ["**"], @@ -44,8 +44,8 @@ rust_library( crate_root = "src/lib.rs", edition = "2024", proc_macro_deps = [ - "@vendor_ts__ra_ap_query-group-macro-0.0.288//:ra_ap_query_group_macro", - "@vendor_ts__salsa-macros-0.22.0//:salsa_macros", + "@vendor_ts__ra_ap_query-group-macro-0.0.294//:ra_ap_query_group_macro", + "@vendor_ts__salsa-macros-0.23.0//:salsa_macros", ], rustc_flags = [ "--cap-lints=allow", @@ -96,23 +96,23 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.0.288", + version = "0.0.294", deps = [ "@vendor_ts__cov-mark-2.0.0//:cov_mark", "@vendor_ts__either-1.15.0//:either", "@vendor_ts__itertools-0.14.0//:itertools", - "@vendor_ts__ra_ap_base_db-0.0.288//:ra_ap_base_db", - "@vendor_ts__ra_ap_cfg-0.0.288//:ra_ap_cfg", - "@vendor_ts__ra_ap_intern-0.0.288//:ra_ap_intern", - "@vendor_ts__ra_ap_mbe-0.0.288//:ra_ap_mbe", - "@vendor_ts__ra_ap_parser-0.0.288//:ra_ap_parser", - "@vendor_ts__ra_ap_span-0.0.288//:ra_ap_span", - "@vendor_ts__ra_ap_stdx-0.0.288//:ra_ap_stdx", - "@vendor_ts__ra_ap_syntax-0.0.288//:ra_ap_syntax", - "@vendor_ts__ra_ap_syntax-bridge-0.0.288//:ra_ap_syntax_bridge", - "@vendor_ts__ra_ap_tt-0.0.288//:ra_ap_tt", + "@vendor_ts__ra_ap_base_db-0.0.294//:ra_ap_base_db", + "@vendor_ts__ra_ap_cfg-0.0.294//:ra_ap_cfg", + "@vendor_ts__ra_ap_intern-0.0.294//:ra_ap_intern", + "@vendor_ts__ra_ap_mbe-0.0.294//:ra_ap_mbe", + "@vendor_ts__ra_ap_parser-0.0.294//:ra_ap_parser", + "@vendor_ts__ra_ap_span-0.0.294//:ra_ap_span", + "@vendor_ts__ra_ap_stdx-0.0.294//:ra_ap_stdx", + "@vendor_ts__ra_ap_syntax-0.0.294//:ra_ap_syntax", + "@vendor_ts__ra_ap_syntax-bridge-0.0.294//:ra_ap_syntax_bridge", + "@vendor_ts__ra_ap_tt-0.0.294//:ra_ap_tt", "@vendor_ts__rustc-hash-2.1.1//:rustc_hash", - "@vendor_ts__salsa-0.22.0//:salsa", + "@vendor_ts__salsa-0.23.0//:salsa", "@vendor_ts__smallvec-1.15.1//:smallvec", "@vendor_ts__tracing-0.1.41//:tracing", "@vendor_ts__triomphe-0.1.14//:triomphe", diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_hir_ty-0.0.288.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_hir_ty-0.0.294.bazel similarity index 80% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_hir_ty-0.0.288.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_hir_ty-0.0.294.bazel index 443f9de8a47..1d10f88015c 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_hir_ty-0.0.288.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_hir_ty-0.0.294.bazel @@ -17,14 +17,14 @@ rust_library( allow_empty = True, ), aliases = { - "@vendor_ts__ra_ap_base_db-0.0.288//:ra_ap_base_db": "base_db", - "@vendor_ts__ra_ap_hir_def-0.0.288//:ra_ap_hir_def": "hir_def", - "@vendor_ts__ra_ap_hir_expand-0.0.288//:ra_ap_hir_expand": "hir_expand", - "@vendor_ts__ra_ap_intern-0.0.288//:ra_ap_intern": "intern", - "@vendor_ts__ra_ap_query-group-macro-0.0.288//:ra_ap_query_group_macro": "query_group", - "@vendor_ts__ra_ap_span-0.0.288//:ra_ap_span": "span", - "@vendor_ts__ra_ap_stdx-0.0.288//:ra_ap_stdx": "stdx", - "@vendor_ts__ra_ap_syntax-0.0.288//:ra_ap_syntax": "syntax", + "@vendor_ts__ra_ap_base_db-0.0.294//:ra_ap_base_db": "base_db", + "@vendor_ts__ra_ap_hir_def-0.0.294//:ra_ap_hir_def": "hir_def", + "@vendor_ts__ra_ap_hir_expand-0.0.294//:ra_ap_hir_expand": "hir_expand", + "@vendor_ts__ra_ap_intern-0.0.294//:ra_ap_intern": "intern", + "@vendor_ts__ra_ap_query-group-macro-0.0.294//:ra_ap_query_group_macro": "query_group", + "@vendor_ts__ra_ap_span-0.0.294//:ra_ap_span": "span", + "@vendor_ts__ra_ap_stdx-0.0.294//:ra_ap_stdx": "stdx", + "@vendor_ts__ra_ap_syntax-0.0.294//:ra_ap_syntax": "syntax", }, compile_data = glob( include = ["**"], @@ -42,8 +42,8 @@ rust_library( edition = "2024", proc_macro_deps = [ "@vendor_ts__chalk-derive-0.103.0//:chalk_derive", - "@vendor_ts__ra_ap_query-group-macro-0.0.288//:ra_ap_query_group_macro", - "@vendor_ts__salsa-macros-0.22.0//:salsa_macros", + "@vendor_ts__ra_ap_query-group-macro-0.0.294//:ra_ap_query_group_macro", + "@vendor_ts__salsa-macros-0.23.0//:salsa_macros", ], rustc_flags = [ "--cap-lints=allow", @@ -94,7 +94,7 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.0.288", + version = "0.0.294", deps = [ "@vendor_ts__arrayvec-0.7.6//:arrayvec", "@vendor_ts__bitflags-2.9.1//:bitflags", @@ -104,23 +104,23 @@ rust_library( "@vendor_ts__cov-mark-2.0.0//:cov_mark", "@vendor_ts__either-1.15.0//:either", "@vendor_ts__ena-0.14.3//:ena", - "@vendor_ts__indexmap-2.9.0//:indexmap", + "@vendor_ts__indexmap-2.10.0//:indexmap", "@vendor_ts__itertools-0.14.0//:itertools", "@vendor_ts__la-arena-0.3.1//:la_arena", "@vendor_ts__oorandom-11.1.5//:oorandom", "@vendor_ts__ra-ap-rustc_abi-0.116.0//:ra_ap_rustc_abi", "@vendor_ts__ra-ap-rustc_index-0.116.0//:ra_ap_rustc_index", "@vendor_ts__ra-ap-rustc_pattern_analysis-0.116.0//:ra_ap_rustc_pattern_analysis", - "@vendor_ts__ra_ap_base_db-0.0.288//:ra_ap_base_db", - "@vendor_ts__ra_ap_hir_def-0.0.288//:ra_ap_hir_def", - "@vendor_ts__ra_ap_hir_expand-0.0.288//:ra_ap_hir_expand", - "@vendor_ts__ra_ap_intern-0.0.288//:ra_ap_intern", - "@vendor_ts__ra_ap_span-0.0.288//:ra_ap_span", - "@vendor_ts__ra_ap_stdx-0.0.288//:ra_ap_stdx", - "@vendor_ts__ra_ap_syntax-0.0.288//:ra_ap_syntax", + "@vendor_ts__ra_ap_base_db-0.0.294//:ra_ap_base_db", + "@vendor_ts__ra_ap_hir_def-0.0.294//:ra_ap_hir_def", + "@vendor_ts__ra_ap_hir_expand-0.0.294//:ra_ap_hir_expand", + "@vendor_ts__ra_ap_intern-0.0.294//:ra_ap_intern", + "@vendor_ts__ra_ap_span-0.0.294//:ra_ap_span", + "@vendor_ts__ra_ap_stdx-0.0.294//:ra_ap_stdx", + "@vendor_ts__ra_ap_syntax-0.0.294//:ra_ap_syntax", "@vendor_ts__rustc-hash-2.1.1//:rustc_hash", "@vendor_ts__rustc_apfloat-0.2.3-llvm-462a31f5a5ab//:rustc_apfloat", - "@vendor_ts__salsa-0.22.0//:salsa", + "@vendor_ts__salsa-0.23.0//:salsa", "@vendor_ts__scoped-tls-1.0.1//:scoped_tls", "@vendor_ts__smallvec-1.15.1//:smallvec", "@vendor_ts__tracing-0.1.41//:tracing", diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_ide_db-0.0.288.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_ide_db-0.0.294.bazel similarity index 77% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_ide_db-0.0.288.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_ide_db-0.0.294.bazel index fab14c00d3c..4da4d9d21a9 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_ide_db-0.0.288.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_ide_db-0.0.294.bazel @@ -17,15 +17,15 @@ rust_library( allow_empty = True, ), aliases = { - "@vendor_ts__ra_ap_base_db-0.0.288//:ra_ap_base_db": "base_db", - "@vendor_ts__ra_ap_hir-0.0.288//:ra_ap_hir": "hir", - "@vendor_ts__ra_ap_parser-0.0.288//:ra_ap_parser": "parser", - "@vendor_ts__ra_ap_profile-0.0.288//:ra_ap_profile": "profile", - "@vendor_ts__ra_ap_query-group-macro-0.0.288//:ra_ap_query_group_macro": "query_group", - "@vendor_ts__ra_ap_span-0.0.288//:ra_ap_span": "span", - "@vendor_ts__ra_ap_stdx-0.0.288//:ra_ap_stdx": "stdx", - "@vendor_ts__ra_ap_syntax-0.0.288//:ra_ap_syntax": "syntax", - "@vendor_ts__ra_ap_vfs-0.0.288//:ra_ap_vfs": "vfs", + "@vendor_ts__ra_ap_base_db-0.0.294//:ra_ap_base_db": "base_db", + "@vendor_ts__ra_ap_hir-0.0.294//:ra_ap_hir": "hir", + "@vendor_ts__ra_ap_parser-0.0.294//:ra_ap_parser": "parser", + "@vendor_ts__ra_ap_profile-0.0.294//:ra_ap_profile": "profile", + "@vendor_ts__ra_ap_query-group-macro-0.0.294//:ra_ap_query_group_macro": "query_group", + "@vendor_ts__ra_ap_span-0.0.294//:ra_ap_span": "span", + "@vendor_ts__ra_ap_stdx-0.0.294//:ra_ap_stdx": "stdx", + "@vendor_ts__ra_ap_syntax-0.0.294//:ra_ap_syntax": "syntax", + "@vendor_ts__ra_ap_vfs-0.0.294//:ra_ap_vfs": "vfs", }, compile_data = glob( include = ["**"], @@ -42,8 +42,8 @@ rust_library( crate_root = "src/lib.rs", edition = "2024", proc_macro_deps = [ - "@vendor_ts__ra_ap_query-group-macro-0.0.288//:ra_ap_query_group_macro", - "@vendor_ts__salsa-macros-0.22.0//:salsa_macros", + "@vendor_ts__ra_ap_query-group-macro-0.0.294//:ra_ap_query_group_macro", + "@vendor_ts__salsa-macros-0.23.0//:salsa_macros", ], rustc_flags = [ "--cap-lints=allow", @@ -94,7 +94,7 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.0.288", + version = "0.0.294", deps = [ "@vendor_ts__arrayvec-0.7.6//:arrayvec", "@vendor_ts__bitflags-2.9.1//:bitflags", @@ -102,22 +102,22 @@ rust_library( "@vendor_ts__crossbeam-channel-0.5.15//:crossbeam_channel", "@vendor_ts__either-1.15.0//:either", "@vendor_ts__fst-0.4.7//:fst", - "@vendor_ts__indexmap-2.9.0//:indexmap", + "@vendor_ts__indexmap-2.10.0//:indexmap", "@vendor_ts__itertools-0.14.0//:itertools", "@vendor_ts__line-index-0.1.2//:line_index", "@vendor_ts__memchr-2.7.5//:memchr", "@vendor_ts__nohash-hasher-0.2.0//:nohash_hasher", - "@vendor_ts__ra_ap_base_db-0.0.288//:ra_ap_base_db", - "@vendor_ts__ra_ap_hir-0.0.288//:ra_ap_hir", - "@vendor_ts__ra_ap_parser-0.0.288//:ra_ap_parser", - "@vendor_ts__ra_ap_profile-0.0.288//:ra_ap_profile", - "@vendor_ts__ra_ap_span-0.0.288//:ra_ap_span", - "@vendor_ts__ra_ap_stdx-0.0.288//:ra_ap_stdx", - "@vendor_ts__ra_ap_syntax-0.0.288//:ra_ap_syntax", - "@vendor_ts__ra_ap_vfs-0.0.288//:ra_ap_vfs", + "@vendor_ts__ra_ap_base_db-0.0.294//:ra_ap_base_db", + "@vendor_ts__ra_ap_hir-0.0.294//:ra_ap_hir", + "@vendor_ts__ra_ap_parser-0.0.294//:ra_ap_parser", + "@vendor_ts__ra_ap_profile-0.0.294//:ra_ap_profile", + "@vendor_ts__ra_ap_span-0.0.294//:ra_ap_span", + "@vendor_ts__ra_ap_stdx-0.0.294//:ra_ap_stdx", + "@vendor_ts__ra_ap_syntax-0.0.294//:ra_ap_syntax", + "@vendor_ts__ra_ap_vfs-0.0.294//:ra_ap_vfs", "@vendor_ts__rayon-1.10.0//:rayon", "@vendor_ts__rustc-hash-2.1.1//:rustc_hash", - "@vendor_ts__salsa-0.22.0//:salsa", + "@vendor_ts__salsa-0.23.0//:salsa", "@vendor_ts__tracing-0.1.41//:tracing", "@vendor_ts__triomphe-0.1.14//:triomphe", ], diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_intern-0.0.288.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_intern-0.0.294.bazel similarity index 99% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_intern-0.0.288.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_intern-0.0.294.bazel index 69f6bc0b61d..8ebd7d782a0 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_intern-0.0.288.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_intern-0.0.294.bazel @@ -79,7 +79,7 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.0.288", + version = "0.0.294", deps = [ "@vendor_ts__dashmap-6.1.0//:dashmap", "@vendor_ts__hashbrown-0.14.5//:hashbrown", diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_load-cargo-0.0.288.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_load-cargo-0.0.294.bazel similarity index 77% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_load-cargo-0.0.288.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_load-cargo-0.0.294.bazel index ddd508c16ac..d05e5a8887f 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_load-cargo-0.0.288.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_load-cargo-0.0.294.bazel @@ -17,15 +17,15 @@ rust_library( allow_empty = True, ), aliases = { - "@vendor_ts__ra_ap_hir_expand-0.0.288//:ra_ap_hir_expand": "hir_expand", - "@vendor_ts__ra_ap_ide_db-0.0.288//:ra_ap_ide_db": "ide_db", - "@vendor_ts__ra_ap_intern-0.0.288//:ra_ap_intern": "intern", - "@vendor_ts__ra_ap_proc_macro_api-0.0.288//:ra_ap_proc_macro_api": "proc_macro_api", - "@vendor_ts__ra_ap_project_model-0.0.288//:ra_ap_project_model": "project_model", - "@vendor_ts__ra_ap_span-0.0.288//:ra_ap_span": "span", - "@vendor_ts__ra_ap_tt-0.0.288//:ra_ap_tt": "tt", - "@vendor_ts__ra_ap_vfs-0.0.288//:ra_ap_vfs": "vfs", - "@vendor_ts__ra_ap_vfs-notify-0.0.288//:ra_ap_vfs_notify": "vfs_notify", + "@vendor_ts__ra_ap_hir_expand-0.0.294//:ra_ap_hir_expand": "hir_expand", + "@vendor_ts__ra_ap_ide_db-0.0.294//:ra_ap_ide_db": "ide_db", + "@vendor_ts__ra_ap_intern-0.0.294//:ra_ap_intern": "intern", + "@vendor_ts__ra_ap_proc_macro_api-0.0.294//:ra_ap_proc_macro_api": "proc_macro_api", + "@vendor_ts__ra_ap_project_model-0.0.294//:ra_ap_project_model": "project_model", + "@vendor_ts__ra_ap_span-0.0.294//:ra_ap_span": "span", + "@vendor_ts__ra_ap_tt-0.0.294//:ra_ap_tt": "tt", + "@vendor_ts__ra_ap_vfs-0.0.294//:ra_ap_vfs": "vfs", + "@vendor_ts__ra_ap_vfs-notify-0.0.294//:ra_ap_vfs_notify": "vfs_notify", }, compile_data = glob( include = ["**"], @@ -90,20 +90,20 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.0.288", + version = "0.0.294", deps = [ "@vendor_ts__anyhow-1.0.98//:anyhow", "@vendor_ts__crossbeam-channel-0.5.15//:crossbeam_channel", "@vendor_ts__itertools-0.14.0//:itertools", - "@vendor_ts__ra_ap_hir_expand-0.0.288//:ra_ap_hir_expand", - "@vendor_ts__ra_ap_ide_db-0.0.288//:ra_ap_ide_db", - "@vendor_ts__ra_ap_intern-0.0.288//:ra_ap_intern", - "@vendor_ts__ra_ap_proc_macro_api-0.0.288//:ra_ap_proc_macro_api", - "@vendor_ts__ra_ap_project_model-0.0.288//:ra_ap_project_model", - "@vendor_ts__ra_ap_span-0.0.288//:ra_ap_span", - "@vendor_ts__ra_ap_tt-0.0.288//:ra_ap_tt", - "@vendor_ts__ra_ap_vfs-0.0.288//:ra_ap_vfs", - "@vendor_ts__ra_ap_vfs-notify-0.0.288//:ra_ap_vfs_notify", + "@vendor_ts__ra_ap_hir_expand-0.0.294//:ra_ap_hir_expand", + "@vendor_ts__ra_ap_ide_db-0.0.294//:ra_ap_ide_db", + "@vendor_ts__ra_ap_intern-0.0.294//:ra_ap_intern", + "@vendor_ts__ra_ap_proc_macro_api-0.0.294//:ra_ap_proc_macro_api", + "@vendor_ts__ra_ap_project_model-0.0.294//:ra_ap_project_model", + "@vendor_ts__ra_ap_span-0.0.294//:ra_ap_span", + "@vendor_ts__ra_ap_tt-0.0.294//:ra_ap_tt", + "@vendor_ts__ra_ap_vfs-0.0.294//:ra_ap_vfs", + "@vendor_ts__ra_ap_vfs-notify-0.0.294//:ra_ap_vfs_notify", "@vendor_ts__tracing-0.1.41//:tracing", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_mbe-0.0.288.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_mbe-0.0.294.bazel similarity index 84% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_mbe-0.0.288.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_mbe-0.0.294.bazel index 407345db7b9..81fe285a387 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_mbe-0.0.288.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_mbe-0.0.294.bazel @@ -17,12 +17,12 @@ rust_library( allow_empty = True, ), aliases = { - "@vendor_ts__ra_ap_intern-0.0.288//:ra_ap_intern": "intern", - "@vendor_ts__ra_ap_parser-0.0.288//:ra_ap_parser": "parser", - "@vendor_ts__ra_ap_span-0.0.288//:ra_ap_span": "span", - "@vendor_ts__ra_ap_stdx-0.0.288//:ra_ap_stdx": "stdx", - "@vendor_ts__ra_ap_syntax-bridge-0.0.288//:ra_ap_syntax_bridge": "syntax_bridge", - "@vendor_ts__ra_ap_tt-0.0.288//:ra_ap_tt": "tt", + "@vendor_ts__ra_ap_intern-0.0.294//:ra_ap_intern": "intern", + "@vendor_ts__ra_ap_parser-0.0.294//:ra_ap_parser": "parser", + "@vendor_ts__ra_ap_span-0.0.294//:ra_ap_span": "span", + "@vendor_ts__ra_ap_stdx-0.0.294//:ra_ap_stdx": "stdx", + "@vendor_ts__ra_ap_syntax-bridge-0.0.294//:ra_ap_syntax_bridge": "syntax_bridge", + "@vendor_ts__ra_ap_tt-0.0.294//:ra_ap_tt": "tt", }, compile_data = glob( include = ["**"], @@ -87,17 +87,17 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.0.288", + version = "0.0.294", deps = [ "@vendor_ts__arrayvec-0.7.6//:arrayvec", "@vendor_ts__cov-mark-2.0.0//:cov_mark", "@vendor_ts__ra-ap-rustc_lexer-0.116.0//:ra_ap_rustc_lexer", - "@vendor_ts__ra_ap_intern-0.0.288//:ra_ap_intern", - "@vendor_ts__ra_ap_parser-0.0.288//:ra_ap_parser", - "@vendor_ts__ra_ap_span-0.0.288//:ra_ap_span", - "@vendor_ts__ra_ap_stdx-0.0.288//:ra_ap_stdx", - "@vendor_ts__ra_ap_syntax-bridge-0.0.288//:ra_ap_syntax_bridge", - "@vendor_ts__ra_ap_tt-0.0.288//:ra_ap_tt", + "@vendor_ts__ra_ap_intern-0.0.294//:ra_ap_intern", + "@vendor_ts__ra_ap_parser-0.0.294//:ra_ap_parser", + "@vendor_ts__ra_ap_span-0.0.294//:ra_ap_span", + "@vendor_ts__ra_ap_stdx-0.0.294//:ra_ap_stdx", + "@vendor_ts__ra_ap_syntax-bridge-0.0.294//:ra_ap_syntax_bridge", + "@vendor_ts__ra_ap_tt-0.0.294//:ra_ap_tt", "@vendor_ts__rustc-hash-2.1.1//:rustc_hash", "@vendor_ts__smallvec-1.15.1//:smallvec", ], diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_parser-0.0.288.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_parser-0.0.294.bazel similarity index 94% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_parser-0.0.288.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_parser-0.0.294.bazel index 6ba1bc52d66..10b7349d60b 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_parser-0.0.288.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_parser-0.0.294.bazel @@ -17,7 +17,7 @@ rust_library( allow_empty = True, ), aliases = { - "@vendor_ts__ra_ap_edition-0.0.288//:ra_ap_edition": "edition", + "@vendor_ts__ra_ap_edition-0.0.294//:ra_ap_edition": "edition", }, compile_data = glob( include = ["**"], @@ -86,12 +86,12 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.0.288", + version = "0.0.294", deps = [ "@vendor_ts__drop_bomb-0.1.5//:drop_bomb", "@vendor_ts__ra-ap-rustc_lexer-0.116.0//:ra_ap_rustc_lexer", - "@vendor_ts__ra_ap_edition-0.0.288//:ra_ap_edition", - "@vendor_ts__rustc-literal-escaper-0.0.3//:rustc_literal_escaper", + "@vendor_ts__ra_ap_edition-0.0.294//:ra_ap_edition", + "@vendor_ts__rustc-literal-escaper-0.0.4//:rustc_literal_escaper", "@vendor_ts__tracing-0.1.41//:tracing", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_paths-0.0.288.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_paths-0.0.294.bazel similarity index 99% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_paths-0.0.288.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_paths-0.0.294.bazel index 402e2decfaf..c832055d4b8 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_paths-0.0.288.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_paths-0.0.294.bazel @@ -82,7 +82,7 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.0.288", + version = "0.0.294", deps = [ "@vendor_ts__camino-1.1.10//:camino", ], diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_proc_macro_api-0.0.288.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_proc_macro_api-0.0.294.bazel similarity index 85% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_proc_macro_api-0.0.288.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_proc_macro_api-0.0.294.bazel index 9fb6f0751c1..3d6e5b6ab15 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_proc_macro_api-0.0.288.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_proc_macro_api-0.0.294.bazel @@ -17,11 +17,11 @@ rust_library( allow_empty = True, ), aliases = { - "@vendor_ts__ra_ap_intern-0.0.288//:ra_ap_intern": "intern", - "@vendor_ts__ra_ap_paths-0.0.288//:ra_ap_paths": "paths", - "@vendor_ts__ra_ap_span-0.0.288//:ra_ap_span": "span", - "@vendor_ts__ra_ap_stdx-0.0.288//:ra_ap_stdx": "stdx", - "@vendor_ts__ra_ap_tt-0.0.288//:ra_ap_tt": "tt", + "@vendor_ts__ra_ap_intern-0.0.294//:ra_ap_intern": "intern", + "@vendor_ts__ra_ap_paths-0.0.294//:ra_ap_paths": "paths", + "@vendor_ts__ra_ap_span-0.0.294//:ra_ap_span": "span", + "@vendor_ts__ra_ap_stdx-0.0.294//:ra_ap_stdx": "stdx", + "@vendor_ts__ra_ap_tt-0.0.294//:ra_ap_tt": "tt", }, compile_data = glob( include = ["**"], @@ -89,14 +89,14 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.0.288", + version = "0.0.294", deps = [ - "@vendor_ts__indexmap-2.9.0//:indexmap", - "@vendor_ts__ra_ap_intern-0.0.288//:ra_ap_intern", - "@vendor_ts__ra_ap_paths-0.0.288//:ra_ap_paths", - "@vendor_ts__ra_ap_span-0.0.288//:ra_ap_span", - "@vendor_ts__ra_ap_stdx-0.0.288//:ra_ap_stdx", - "@vendor_ts__ra_ap_tt-0.0.288//:ra_ap_tt", + "@vendor_ts__indexmap-2.10.0//:indexmap", + "@vendor_ts__ra_ap_intern-0.0.294//:ra_ap_intern", + "@vendor_ts__ra_ap_paths-0.0.294//:ra_ap_paths", + "@vendor_ts__ra_ap_span-0.0.294//:ra_ap_span", + "@vendor_ts__ra_ap_stdx-0.0.294//:ra_ap_stdx", + "@vendor_ts__ra_ap_tt-0.0.294//:ra_ap_tt", "@vendor_ts__rustc-hash-2.1.1//:rustc_hash", "@vendor_ts__serde-1.0.219//:serde", "@vendor_ts__serde_json-1.0.140//:serde_json", diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_profile-0.0.288.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_profile-0.0.294.bazel similarity index 99% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_profile-0.0.288.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_profile-0.0.294.bazel index a963209b7a6..cec0a2379d7 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_profile-0.0.288.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_profile-0.0.294.bazel @@ -79,7 +79,7 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.0.288", + version = "0.0.294", deps = [ "@vendor_ts__cfg-if-1.0.1//:cfg_if", ] + select({ diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_project_model-0.0.288.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_project_model-0.0.294.bazel similarity index 81% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_project_model-0.0.288.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_project_model-0.0.294.bazel index 0351712c339..4c29ac16ef2 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_project_model-0.0.288.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_project_model-0.0.294.bazel @@ -17,13 +17,13 @@ rust_library( allow_empty = True, ), aliases = { - "@vendor_ts__ra_ap_base_db-0.0.288//:ra_ap_base_db": "base_db", - "@vendor_ts__ra_ap_cfg-0.0.288//:ra_ap_cfg": "cfg", - "@vendor_ts__ra_ap_intern-0.0.288//:ra_ap_intern": "intern", - "@vendor_ts__ra_ap_paths-0.0.288//:ra_ap_paths": "paths", - "@vendor_ts__ra_ap_span-0.0.288//:ra_ap_span": "span", - "@vendor_ts__ra_ap_stdx-0.0.288//:ra_ap_stdx": "stdx", - "@vendor_ts__ra_ap_toolchain-0.0.288//:ra_ap_toolchain": "toolchain", + "@vendor_ts__ra_ap_base_db-0.0.294//:ra_ap_base_db": "base_db", + "@vendor_ts__ra_ap_cfg-0.0.294//:ra_ap_cfg": "cfg", + "@vendor_ts__ra_ap_intern-0.0.294//:ra_ap_intern": "intern", + "@vendor_ts__ra_ap_paths-0.0.294//:ra_ap_paths": "paths", + "@vendor_ts__ra_ap_span-0.0.294//:ra_ap_span": "span", + "@vendor_ts__ra_ap_stdx-0.0.294//:ra_ap_stdx": "stdx", + "@vendor_ts__ra_ap_toolchain-0.0.294//:ra_ap_toolchain": "toolchain", }, compile_data = glob( include = ["**"], @@ -91,19 +91,19 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.0.288", + version = "0.0.294", deps = [ "@vendor_ts__anyhow-1.0.98//:anyhow", - "@vendor_ts__cargo_metadata-0.20.0//:cargo_metadata", + "@vendor_ts__cargo_metadata-0.21.0//:cargo_metadata", "@vendor_ts__itertools-0.14.0//:itertools", "@vendor_ts__la-arena-0.3.1//:la_arena", - "@vendor_ts__ra_ap_base_db-0.0.288//:ra_ap_base_db", - "@vendor_ts__ra_ap_cfg-0.0.288//:ra_ap_cfg", - "@vendor_ts__ra_ap_intern-0.0.288//:ra_ap_intern", - "@vendor_ts__ra_ap_paths-0.0.288//:ra_ap_paths", - "@vendor_ts__ra_ap_span-0.0.288//:ra_ap_span", - "@vendor_ts__ra_ap_stdx-0.0.288//:ra_ap_stdx", - "@vendor_ts__ra_ap_toolchain-0.0.288//:ra_ap_toolchain", + "@vendor_ts__ra_ap_base_db-0.0.294//:ra_ap_base_db", + "@vendor_ts__ra_ap_cfg-0.0.294//:ra_ap_cfg", + "@vendor_ts__ra_ap_intern-0.0.294//:ra_ap_intern", + "@vendor_ts__ra_ap_paths-0.0.294//:ra_ap_paths", + "@vendor_ts__ra_ap_span-0.0.294//:ra_ap_span", + "@vendor_ts__ra_ap_stdx-0.0.294//:ra_ap_stdx", + "@vendor_ts__ra_ap_toolchain-0.0.294//:ra_ap_toolchain", "@vendor_ts__rustc-hash-2.1.1//:rustc_hash", "@vendor_ts__semver-1.0.26//:semver", "@vendor_ts__serde-1.0.219//:serde", diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_query-group-macro-0.0.288.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_query-group-macro-0.0.294.bazel similarity index 98% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_query-group-macro-0.0.288.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_query-group-macro-0.0.294.bazel index 6563add5373..8c58bf7c2b2 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_query-group-macro-0.0.288.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_query-group-macro-0.0.294.bazel @@ -79,10 +79,10 @@ rust_proc_macro( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.0.288", + version = "0.0.294", deps = [ "@vendor_ts__proc-macro2-1.0.95//:proc_macro2", "@vendor_ts__quote-1.0.40//:quote", - "@vendor_ts__syn-2.0.103//:syn", + "@vendor_ts__syn-2.0.104//:syn", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_span-0.0.288.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_span-0.0.294.bazel similarity index 90% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_span-0.0.288.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_span-0.0.294.bazel index e2827261e11..e09f30f75cf 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_span-0.0.288.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_span-0.0.294.bazel @@ -17,9 +17,9 @@ rust_library( allow_empty = True, ), aliases = { - "@vendor_ts__ra_ap_stdx-0.0.288//:ra_ap_stdx": "stdx", - "@vendor_ts__ra_ap_syntax-0.0.288//:ra_ap_syntax": "syntax", - "@vendor_ts__ra_ap_vfs-0.0.288//:ra_ap_vfs": "vfs", + "@vendor_ts__ra_ap_stdx-0.0.294//:ra_ap_stdx": "stdx", + "@vendor_ts__ra_ap_syntax-0.0.294//:ra_ap_syntax": "syntax", + "@vendor_ts__ra_ap_vfs-0.0.294//:ra_ap_vfs": "vfs", }, compile_data = glob( include = ["**"], @@ -88,15 +88,15 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.0.288", + version = "0.0.294", deps = [ "@vendor_ts__hashbrown-0.14.5//:hashbrown", "@vendor_ts__la-arena-0.3.1//:la_arena", - "@vendor_ts__ra_ap_stdx-0.0.288//:ra_ap_stdx", - "@vendor_ts__ra_ap_syntax-0.0.288//:ra_ap_syntax", - "@vendor_ts__ra_ap_vfs-0.0.288//:ra_ap_vfs", + "@vendor_ts__ra_ap_stdx-0.0.294//:ra_ap_stdx", + "@vendor_ts__ra_ap_syntax-0.0.294//:ra_ap_syntax", + "@vendor_ts__ra_ap_vfs-0.0.294//:ra_ap_vfs", "@vendor_ts__rustc-hash-2.1.1//:rustc_hash", - "@vendor_ts__salsa-0.22.0//:salsa", + "@vendor_ts__salsa-0.23.0//:salsa", "@vendor_ts__text-size-1.1.1//:text_size", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_stdx-0.0.288.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_stdx-0.0.294.bazel similarity index 99% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_stdx-0.0.288.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_stdx-0.0.294.bazel index 5005ca6a9d7..08348bbf5a3 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_stdx-0.0.288.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_stdx-0.0.294.bazel @@ -79,7 +79,7 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.0.288", + version = "0.0.294", deps = [ "@vendor_ts__crossbeam-channel-0.5.15//:crossbeam_channel", "@vendor_ts__crossbeam-utils-0.8.21//:crossbeam_utils", diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_syntax-0.0.288.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_syntax-0.0.294.bazel similarity index 92% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_syntax-0.0.288.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_syntax-0.0.294.bazel index 1fab1741dba..5ce9e4aabc8 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_syntax-0.0.288.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_syntax-0.0.294.bazel @@ -17,8 +17,8 @@ rust_library( allow_empty = True, ), aliases = { - "@vendor_ts__ra_ap_parser-0.0.288//:ra_ap_parser": "parser", - "@vendor_ts__ra_ap_stdx-0.0.288//:ra_ap_stdx": "stdx", + "@vendor_ts__ra_ap_parser-0.0.294//:ra_ap_parser": "parser", + "@vendor_ts__ra_ap_stdx-0.0.294//:ra_ap_stdx": "stdx", }, compile_data = glob( include = ["**"], @@ -83,15 +83,15 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.0.288", + version = "0.0.294", deps = [ "@vendor_ts__either-1.15.0//:either", "@vendor_ts__itertools-0.14.0//:itertools", - "@vendor_ts__ra_ap_parser-0.0.288//:ra_ap_parser", - "@vendor_ts__ra_ap_stdx-0.0.288//:ra_ap_stdx", + "@vendor_ts__ra_ap_parser-0.0.294//:ra_ap_parser", + "@vendor_ts__ra_ap_stdx-0.0.294//:ra_ap_stdx", "@vendor_ts__rowan-0.15.15//:rowan", "@vendor_ts__rustc-hash-2.1.1//:rustc_hash", - "@vendor_ts__rustc-literal-escaper-0.0.3//:rustc_literal_escaper", + "@vendor_ts__rustc-literal-escaper-0.0.4//:rustc_literal_escaper", "@vendor_ts__smol_str-0.3.2//:smol_str", "@vendor_ts__tracing-0.1.41//:tracing", "@vendor_ts__triomphe-0.1.14//:triomphe", diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_syntax-bridge-0.0.288.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_syntax-bridge-0.0.294.bazel similarity index 83% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_syntax-bridge-0.0.288.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_syntax-bridge-0.0.294.bazel index 06a9e6c70aa..6c96d665264 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_syntax-bridge-0.0.288.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_syntax-bridge-0.0.294.bazel @@ -17,12 +17,12 @@ rust_library( allow_empty = True, ), aliases = { - "@vendor_ts__ra_ap_intern-0.0.288//:ra_ap_intern": "intern", - "@vendor_ts__ra_ap_parser-0.0.288//:ra_ap_parser": "parser", - "@vendor_ts__ra_ap_span-0.0.288//:ra_ap_span": "span", - "@vendor_ts__ra_ap_stdx-0.0.288//:ra_ap_stdx": "stdx", - "@vendor_ts__ra_ap_syntax-0.0.288//:ra_ap_syntax": "syntax", - "@vendor_ts__ra_ap_tt-0.0.288//:ra_ap_tt": "tt", + "@vendor_ts__ra_ap_intern-0.0.294//:ra_ap_intern": "intern", + "@vendor_ts__ra_ap_parser-0.0.294//:ra_ap_parser": "parser", + "@vendor_ts__ra_ap_span-0.0.294//:ra_ap_span": "span", + "@vendor_ts__ra_ap_stdx-0.0.294//:ra_ap_stdx": "stdx", + "@vendor_ts__ra_ap_syntax-0.0.294//:ra_ap_syntax": "syntax", + "@vendor_ts__ra_ap_tt-0.0.294//:ra_ap_tt": "tt", }, compile_data = glob( include = ["**"], @@ -87,14 +87,14 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.0.288", + version = "0.0.294", deps = [ - "@vendor_ts__ra_ap_intern-0.0.288//:ra_ap_intern", - "@vendor_ts__ra_ap_parser-0.0.288//:ra_ap_parser", - "@vendor_ts__ra_ap_span-0.0.288//:ra_ap_span", - "@vendor_ts__ra_ap_stdx-0.0.288//:ra_ap_stdx", - "@vendor_ts__ra_ap_syntax-0.0.288//:ra_ap_syntax", - "@vendor_ts__ra_ap_tt-0.0.288//:ra_ap_tt", + "@vendor_ts__ra_ap_intern-0.0.294//:ra_ap_intern", + "@vendor_ts__ra_ap_parser-0.0.294//:ra_ap_parser", + "@vendor_ts__ra_ap_span-0.0.294//:ra_ap_span", + "@vendor_ts__ra_ap_stdx-0.0.294//:ra_ap_stdx", + "@vendor_ts__ra_ap_syntax-0.0.294//:ra_ap_syntax", + "@vendor_ts__ra_ap_tt-0.0.294//:ra_ap_tt", "@vendor_ts__rustc-hash-2.1.1//:rustc_hash", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_toolchain-0.0.288.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_toolchain-0.0.294.bazel similarity index 99% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_toolchain-0.0.288.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_toolchain-0.0.294.bazel index 34ec9cd3f30..4bd1b2112cd 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_toolchain-0.0.288.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_toolchain-0.0.294.bazel @@ -79,7 +79,7 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.0.288", + version = "0.0.294", deps = [ "@vendor_ts__camino-1.1.10//:camino", "@vendor_ts__home-0.5.11//:home", diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_tt-0.0.288.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_tt-0.0.294.bazel similarity index 93% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_tt-0.0.288.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_tt-0.0.294.bazel index 6565969411c..8fdeecdaa92 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_tt-0.0.288.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_tt-0.0.294.bazel @@ -17,8 +17,8 @@ rust_library( allow_empty = True, ), aliases = { - "@vendor_ts__ra_ap_intern-0.0.288//:ra_ap_intern": "intern", - "@vendor_ts__ra_ap_stdx-0.0.288//:ra_ap_stdx": "stdx", + "@vendor_ts__ra_ap_intern-0.0.294//:ra_ap_intern": "intern", + "@vendor_ts__ra_ap_stdx-0.0.294//:ra_ap_stdx": "stdx", }, compile_data = glob( include = ["**"], @@ -83,12 +83,12 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.0.288", + version = "0.0.294", deps = [ "@vendor_ts__arrayvec-0.7.6//:arrayvec", "@vendor_ts__ra-ap-rustc_lexer-0.116.0//:ra_ap_rustc_lexer", - "@vendor_ts__ra_ap_intern-0.0.288//:ra_ap_intern", - "@vendor_ts__ra_ap_stdx-0.0.288//:ra_ap_stdx", + "@vendor_ts__ra_ap_intern-0.0.294//:ra_ap_intern", + "@vendor_ts__ra_ap_stdx-0.0.294//:ra_ap_stdx", "@vendor_ts__text-size-1.1.1//:text_size", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_vfs-0.0.288.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_vfs-0.0.294.bazel similarity index 92% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_vfs-0.0.288.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_vfs-0.0.294.bazel index 644f31160cd..c3ba38e79bb 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_vfs-0.0.288.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_vfs-0.0.294.bazel @@ -17,8 +17,8 @@ rust_library( allow_empty = True, ), aliases = { - "@vendor_ts__ra_ap_paths-0.0.288//:ra_ap_paths": "paths", - "@vendor_ts__ra_ap_stdx-0.0.288//:ra_ap_stdx": "stdx", + "@vendor_ts__ra_ap_paths-0.0.294//:ra_ap_paths": "paths", + "@vendor_ts__ra_ap_stdx-0.0.294//:ra_ap_stdx": "stdx", }, compile_data = glob( include = ["**"], @@ -83,14 +83,14 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.0.288", + version = "0.0.294", deps = [ "@vendor_ts__crossbeam-channel-0.5.15//:crossbeam_channel", "@vendor_ts__fst-0.4.7//:fst", - "@vendor_ts__indexmap-2.9.0//:indexmap", + "@vendor_ts__indexmap-2.10.0//:indexmap", "@vendor_ts__nohash-hasher-0.2.0//:nohash_hasher", - "@vendor_ts__ra_ap_paths-0.0.288//:ra_ap_paths", - "@vendor_ts__ra_ap_stdx-0.0.288//:ra_ap_stdx", + "@vendor_ts__ra_ap_paths-0.0.294//:ra_ap_paths", + "@vendor_ts__ra_ap_stdx-0.0.294//:ra_ap_stdx", "@vendor_ts__rustc-hash-2.1.1//:rustc_hash", "@vendor_ts__tracing-0.1.41//:tracing", ], diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_vfs-notify-0.0.288.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_vfs-notify-0.0.294.bazel similarity index 91% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_vfs-notify-0.0.288.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_vfs-notify-0.0.294.bazel index 16fcf42360d..0a1edaedf3a 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_vfs-notify-0.0.288.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ra_ap_vfs-notify-0.0.294.bazel @@ -17,9 +17,9 @@ rust_library( allow_empty = True, ), aliases = { - "@vendor_ts__ra_ap_paths-0.0.288//:ra_ap_paths": "paths", - "@vendor_ts__ra_ap_stdx-0.0.288//:ra_ap_stdx": "stdx", - "@vendor_ts__ra_ap_vfs-0.0.288//:ra_ap_vfs": "vfs", + "@vendor_ts__ra_ap_paths-0.0.294//:ra_ap_paths": "paths", + "@vendor_ts__ra_ap_stdx-0.0.294//:ra_ap_stdx": "stdx", + "@vendor_ts__ra_ap_vfs-0.0.294//:ra_ap_vfs": "vfs", }, compile_data = glob( include = ["**"], @@ -84,13 +84,13 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.0.288", + version = "0.0.294", deps = [ "@vendor_ts__crossbeam-channel-0.5.15//:crossbeam_channel", "@vendor_ts__notify-8.0.0//:notify", - "@vendor_ts__ra_ap_paths-0.0.288//:ra_ap_paths", - "@vendor_ts__ra_ap_stdx-0.0.288//:ra_ap_stdx", - "@vendor_ts__ra_ap_vfs-0.0.288//:ra_ap_vfs", + "@vendor_ts__ra_ap_paths-0.0.294//:ra_ap_paths", + "@vendor_ts__ra_ap_stdx-0.0.294//:ra_ap_stdx", + "@vendor_ts__ra_ap_vfs-0.0.294//:ra_ap_vfs", "@vendor_ts__rayon-1.10.0//:rayon", "@vendor_ts__rustc-hash-2.1.1//:rustc_hash", "@vendor_ts__tracing-0.1.41//:tracing", diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.redox_syscall-0.5.8.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.redox_syscall-0.5.13.bazel similarity index 99% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.redox_syscall-0.5.8.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.redox_syscall-0.5.13.bazel index e7e3f80495d..2eb917c7923 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.redox_syscall-0.5.8.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.redox_syscall-0.5.13.bazel @@ -79,7 +79,7 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.5.8", + version = "0.5.13", deps = [ "@vendor_ts__bitflags-2.9.1//:bitflags", ], diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ref-cast-impl-1.0.24.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ref-cast-impl-1.0.24.bazel index 9b5797483ab..ec0ae118e76 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ref-cast-impl-1.0.24.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ref-cast-impl-1.0.24.bazel @@ -83,6 +83,6 @@ rust_proc_macro( deps = [ "@vendor_ts__proc-macro2-1.0.95//:proc_macro2", "@vendor_ts__quote-1.0.40//:quote", - "@vendor_ts__syn-2.0.103//:syn", + "@vendor_ts__syn-2.0.104//:syn", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.rustc-literal-escaper-0.0.3.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.rustc-literal-escaper-0.0.4.bazel similarity index 99% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.rustc-literal-escaper-0.0.3.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.rustc-literal-escaper-0.0.4.bazel index cc9e8257f7b..07cfe4ebb32 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.rustc-literal-escaper-0.0.3.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.rustc-literal-escaper-0.0.4.bazel @@ -79,5 +79,5 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.0.3", + version = "0.0.4", ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.rustc-stable-hash-0.1.1.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.rustc-stable-hash-0.1.2.bazel similarity index 99% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.rustc-stable-hash-0.1.1.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.rustc-stable-hash-0.1.2.bazel index 82ce1ee9312..3b8c86af30a 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.rustc-stable-hash-0.1.1.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.rustc-stable-hash-0.1.2.bazel @@ -79,5 +79,5 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.1.1", + version = "0.1.2", ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.thiserror-1.0.69.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.rustversion-1.0.21.bazel similarity index 90% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.thiserror-1.0.69.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.rustversion-1.0.21.bazel index a79c49f5eea..3f441b4bff7 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.thiserror-1.0.69.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.rustversion-1.0.21.bazel @@ -7,12 +7,12 @@ ############################################################################### load("@rules_rust//cargo:defs.bzl", "cargo_build_script") -load("@rules_rust//rust:defs.bzl", "rust_library") +load("@rules_rust//rust:defs.bzl", "rust_proc_macro") package(default_visibility = ["//visibility:public"]) -rust_library( - name = "thiserror", +rust_proc_macro( + name = "rustversion", srcs = glob( include = ["**/*.rs"], allow_empty = True, @@ -30,16 +30,13 @@ rust_library( ], ), crate_root = "src/lib.rs", - edition = "2021", - proc_macro_deps = [ - "@vendor_ts__thiserror-impl-1.0.69//:thiserror_impl", - ], + edition = "2018", rustc_flags = [ "--cap-lints=allow", ], tags = [ "cargo-bazel", - "crate-name=thiserror", + "crate-name=rustversion", "manual", "noclippy", "norustfmt", @@ -83,9 +80,9 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "1.0.69", + version = "1.0.21", deps = [ - "@vendor_ts__thiserror-1.0.69//:build_script_build", + "@vendor_ts__rustversion-1.0.21//:build_script_build", ], ) @@ -109,7 +106,7 @@ cargo_build_script( ], ), crate_name = "build_script_build", - crate_root = "build.rs", + crate_root = "build/build.rs", data = glob( include = ["**"], allow_empty = True, @@ -122,19 +119,19 @@ cargo_build_script( "WORKSPACE.bazel", ], ), - edition = "2021", - pkg_name = "thiserror", + edition = "2018", + pkg_name = "rustversion", rustc_flags = [ "--cap-lints=allow", ], tags = [ "cargo-bazel", - "crate-name=thiserror", + "crate-name=rustversion", "manual", "noclippy", "norustfmt", ], - version = "1.0.69", + version = "1.0.21", visibility = ["//visibility:private"], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ryu-1.0.19.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ryu-1.0.20.bazel similarity index 99% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ryu-1.0.19.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ryu-1.0.20.bazel index eb7d8b9c8f1..088f53319a0 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ryu-1.0.19.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.ryu-1.0.20.bazel @@ -79,5 +79,5 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "1.0.19", + version = "1.0.20", ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.salsa-0.22.0.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.salsa-0.23.0.bazel similarity index 88% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.salsa-0.22.0.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.salsa-0.23.0.bazel index e4d2825b88b..d0683da74bc 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.salsa-0.22.0.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.salsa-0.23.0.bazel @@ -37,7 +37,7 @@ rust_library( crate_root = "src/lib.rs", edition = "2021", proc_macro_deps = [ - "@vendor_ts__salsa-macros-0.22.0//:salsa_macros", + "@vendor_ts__salsa-macros-0.23.0//:salsa_macros", ], rustc_flags = [ "--cap-lints=allow", @@ -88,19 +88,21 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.22.0", + version = "0.23.0", deps = [ "@vendor_ts__boxcar-0.2.13//:boxcar", "@vendor_ts__crossbeam-queue-0.3.12//:crossbeam_queue", - "@vendor_ts__dashmap-6.1.0//:dashmap", - "@vendor_ts__hashbrown-0.15.2//:hashbrown", + "@vendor_ts__crossbeam-utils-0.8.21//:crossbeam_utils", + "@vendor_ts__hashbrown-0.15.4//:hashbrown", "@vendor_ts__hashlink-0.10.0//:hashlink", - "@vendor_ts__indexmap-2.9.0//:indexmap", - "@vendor_ts__parking_lot-0.12.3//:parking_lot", - "@vendor_ts__portable-atomic-1.11.0//:portable_atomic", + "@vendor_ts__indexmap-2.10.0//:indexmap", + "@vendor_ts__intrusive-collections-0.9.7//:intrusive_collections", + "@vendor_ts__papaya-0.2.3//:papaya", + "@vendor_ts__parking_lot-0.12.4//:parking_lot", + "@vendor_ts__portable-atomic-1.11.1//:portable_atomic", "@vendor_ts__rayon-1.10.0//:rayon", "@vendor_ts__rustc-hash-2.1.1//:rustc_hash", - "@vendor_ts__salsa-macro-rules-0.22.0//:salsa_macro_rules", + "@vendor_ts__salsa-macro-rules-0.23.0//:salsa_macro_rules", "@vendor_ts__smallvec-1.15.1//:smallvec", "@vendor_ts__thin-vec-0.2.14//:thin_vec", "@vendor_ts__tracing-0.1.41//:tracing", diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.salsa-macro-rules-0.22.0.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.salsa-macro-rules-0.23.0.bazel similarity index 99% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.salsa-macro-rules-0.22.0.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.salsa-macro-rules-0.23.0.bazel index 26f7161efef..11ba464b99d 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.salsa-macro-rules-0.22.0.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.salsa-macro-rules-0.23.0.bazel @@ -79,5 +79,5 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.22.0", + version = "0.23.0", ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.salsa-macros-0.22.0.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.salsa-macros-0.23.0.bazel similarity index 95% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.salsa-macros-0.22.0.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.salsa-macros-0.23.0.bazel index 6e7c245e56d..8e12c246c37 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.salsa-macros-0.22.0.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.salsa-macros-0.23.0.bazel @@ -79,12 +79,11 @@ rust_proc_macro( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.22.0", + version = "0.23.0", deps = [ - "@vendor_ts__heck-0.5.0//:heck", "@vendor_ts__proc-macro2-1.0.95//:proc_macro2", "@vendor_ts__quote-1.0.40//:quote", - "@vendor_ts__syn-2.0.103//:syn", - "@vendor_ts__synstructure-0.13.1//:synstructure", + "@vendor_ts__syn-2.0.104//:syn", + "@vendor_ts__synstructure-0.13.2//:synstructure", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.schemars-1.0.4.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.schemars-1.0.4.bazel new file mode 100644 index 00000000000..2c31879f82c --- /dev/null +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.schemars-1.0.4.bazel @@ -0,0 +1,89 @@ +############################################################################### +# @generated +# DO NOT MODIFY: This file is auto-generated by a crate_universe tool. To +# regenerate this file, run the following: +# +# bazel run @@//misc/bazel/3rdparty:vendor_tree_sitter_extractors +############################################################################### + +load("@rules_rust//rust:defs.bzl", "rust_library") + +package(default_visibility = ["//visibility:public"]) + +rust_library( + name = "schemars", + srcs = glob( + include = ["**/*.rs"], + allow_empty = True, + ), + compile_data = glob( + include = ["**"], + allow_empty = True, + exclude = [ + "**/* *", + ".tmp_git_root/**/*", + "BUILD", + "BUILD.bazel", + "WORKSPACE", + "WORKSPACE.bazel", + ], + ), + crate_root = "src/lib.rs", + edition = "2021", + rustc_flags = [ + "--cap-lints=allow", + ], + tags = [ + "cargo-bazel", + "crate-name=schemars", + "manual", + "noclippy", + "norustfmt", + ], + target_compatible_with = select({ + "@rules_rust//rust/platform:aarch64-apple-darwin": [], + "@rules_rust//rust/platform:aarch64-apple-ios": [], + "@rules_rust//rust/platform:aarch64-apple-ios-sim": [], + "@rules_rust//rust/platform:aarch64-linux-android": [], + "@rules_rust//rust/platform:aarch64-pc-windows-msvc": [], + "@rules_rust//rust/platform:aarch64-unknown-fuchsia": [], + "@rules_rust//rust/platform:aarch64-unknown-linux-gnu": [], + "@rules_rust//rust/platform:aarch64-unknown-nixos-gnu": [], + "@rules_rust//rust/platform:aarch64-unknown-nto-qnx710": [], + "@rules_rust//rust/platform:aarch64-unknown-uefi": [], + "@rules_rust//rust/platform:arm-unknown-linux-gnueabi": [], + "@rules_rust//rust/platform:armv7-linux-androideabi": [], + "@rules_rust//rust/platform:armv7-unknown-linux-gnueabi": [], + "@rules_rust//rust/platform:i686-apple-darwin": [], + "@rules_rust//rust/platform:i686-linux-android": [], + "@rules_rust//rust/platform:i686-pc-windows-msvc": [], + "@rules_rust//rust/platform:i686-unknown-freebsd": [], + "@rules_rust//rust/platform:i686-unknown-linux-gnu": [], + "@rules_rust//rust/platform:powerpc-unknown-linux-gnu": [], + "@rules_rust//rust/platform:riscv32imc-unknown-none-elf": [], + "@rules_rust//rust/platform:riscv64gc-unknown-none-elf": [], + "@rules_rust//rust/platform:s390x-unknown-linux-gnu": [], + "@rules_rust//rust/platform:thumbv7em-none-eabi": [], + "@rules_rust//rust/platform:thumbv8m.main-none-eabi": [], + "@rules_rust//rust/platform:wasm32-unknown-unknown": [], + "@rules_rust//rust/platform:wasm32-wasip1": [], + "@rules_rust//rust/platform:x86_64-apple-darwin": [], + "@rules_rust//rust/platform:x86_64-apple-ios": [], + "@rules_rust//rust/platform:x86_64-linux-android": [], + "@rules_rust//rust/platform:x86_64-pc-windows-msvc": [], + "@rules_rust//rust/platform:x86_64-unknown-freebsd": [], + "@rules_rust//rust/platform:x86_64-unknown-fuchsia": [], + "@rules_rust//rust/platform:x86_64-unknown-linux-gnu": [], + "@rules_rust//rust/platform:x86_64-unknown-nixos-gnu": [], + "@rules_rust//rust/platform:x86_64-unknown-none": [], + "@rules_rust//rust/platform:x86_64-unknown-uefi": [], + "//conditions:default": ["@platforms//:incompatible"], + }), + version = "1.0.4", + deps = [ + "@vendor_ts__dyn-clone-1.0.19//:dyn_clone", + "@vendor_ts__ref-cast-1.0.24//:ref_cast", + "@vendor_ts__serde-1.0.219//:serde", + "@vendor_ts__serde_json-1.0.140//:serde_json", + ], +) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.seize-0.5.0.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.seize-0.5.0.bazel new file mode 100644 index 00000000000..ed5f5d999e8 --- /dev/null +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.seize-0.5.0.bazel @@ -0,0 +1,103 @@ +############################################################################### +# @generated +# DO NOT MODIFY: This file is auto-generated by a crate_universe tool. To +# regenerate this file, run the following: +# +# bazel run @@//misc/bazel/3rdparty:vendor_tree_sitter_extractors +############################################################################### + +load("@rules_rust//rust:defs.bzl", "rust_library") + +package(default_visibility = ["//visibility:public"]) + +rust_library( + name = "seize", + srcs = glob( + include = ["**/*.rs"], + allow_empty = True, + ), + compile_data = glob( + include = ["**"], + allow_empty = True, + exclude = [ + "**/* *", + ".tmp_git_root/**/*", + "BUILD", + "BUILD.bazel", + "WORKSPACE", + "WORKSPACE.bazel", + ], + ), + crate_features = [ + "default", + "fast-barrier", + "libc", + "windows-sys", + ], + crate_root = "src/lib.rs", + edition = "2021", + rustc_flags = [ + "--cap-lints=allow", + ], + tags = [ + "cargo-bazel", + "crate-name=seize", + "manual", + "noclippy", + "norustfmt", + ], + target_compatible_with = select({ + "@rules_rust//rust/platform:aarch64-apple-darwin": [], + "@rules_rust//rust/platform:aarch64-apple-ios": [], + "@rules_rust//rust/platform:aarch64-apple-ios-sim": [], + "@rules_rust//rust/platform:aarch64-linux-android": [], + "@rules_rust//rust/platform:aarch64-pc-windows-msvc": [], + "@rules_rust//rust/platform:aarch64-unknown-fuchsia": [], + "@rules_rust//rust/platform:aarch64-unknown-linux-gnu": [], + "@rules_rust//rust/platform:aarch64-unknown-nixos-gnu": [], + "@rules_rust//rust/platform:aarch64-unknown-nto-qnx710": [], + "@rules_rust//rust/platform:aarch64-unknown-uefi": [], + "@rules_rust//rust/platform:arm-unknown-linux-gnueabi": [], + "@rules_rust//rust/platform:armv7-linux-androideabi": [], + "@rules_rust//rust/platform:armv7-unknown-linux-gnueabi": [], + "@rules_rust//rust/platform:i686-apple-darwin": [], + "@rules_rust//rust/platform:i686-linux-android": [], + "@rules_rust//rust/platform:i686-pc-windows-msvc": [], + "@rules_rust//rust/platform:i686-unknown-freebsd": [], + "@rules_rust//rust/platform:i686-unknown-linux-gnu": [], + "@rules_rust//rust/platform:powerpc-unknown-linux-gnu": [], + "@rules_rust//rust/platform:riscv32imc-unknown-none-elf": [], + "@rules_rust//rust/platform:riscv64gc-unknown-none-elf": [], + "@rules_rust//rust/platform:s390x-unknown-linux-gnu": [], + "@rules_rust//rust/platform:thumbv7em-none-eabi": [], + "@rules_rust//rust/platform:thumbv8m.main-none-eabi": [], + "@rules_rust//rust/platform:wasm32-unknown-unknown": [], + "@rules_rust//rust/platform:wasm32-wasip1": [], + "@rules_rust//rust/platform:x86_64-apple-darwin": [], + "@rules_rust//rust/platform:x86_64-apple-ios": [], + "@rules_rust//rust/platform:x86_64-linux-android": [], + "@rules_rust//rust/platform:x86_64-pc-windows-msvc": [], + "@rules_rust//rust/platform:x86_64-unknown-freebsd": [], + "@rules_rust//rust/platform:x86_64-unknown-fuchsia": [], + "@rules_rust//rust/platform:x86_64-unknown-linux-gnu": [], + "@rules_rust//rust/platform:x86_64-unknown-nixos-gnu": [], + "@rules_rust//rust/platform:x86_64-unknown-none": [], + "@rules_rust//rust/platform:x86_64-unknown-uefi": [], + "//conditions:default": ["@platforms//:incompatible"], + }), + version = "0.5.0", + deps = [ + "@vendor_ts__libc-0.2.174//:libc", + ] + select({ + "@rules_rust//rust/platform:aarch64-pc-windows-msvc": [ + "@vendor_ts__windows-sys-0.52.0//:windows_sys", # aarch64-pc-windows-msvc + ], + "@rules_rust//rust/platform:i686-pc-windows-msvc": [ + "@vendor_ts__windows-sys-0.52.0//:windows_sys", # i686-pc-windows-msvc + ], + "@rules_rust//rust/platform:x86_64-pc-windows-msvc": [ + "@vendor_ts__windows-sys-0.52.0//:windows_sys", # x86_64-pc-windows-msvc + ], + "//conditions:default": [], + }), +) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.serde_derive-1.0.219.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.serde_derive-1.0.219.bazel index e2000b88618..f2164040e12 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.serde_derive-1.0.219.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.serde_derive-1.0.219.bazel @@ -86,6 +86,6 @@ rust_proc_macro( deps = [ "@vendor_ts__proc-macro2-1.0.95//:proc_macro2", "@vendor_ts__quote-1.0.40//:quote", - "@vendor_ts__syn-2.0.103//:syn", + "@vendor_ts__syn-2.0.104//:syn", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.serde_json-1.0.140.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.serde_json-1.0.140.bazel index 62844bd53ea..922f6268281 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.serde_json-1.0.140.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.serde_json-1.0.140.bazel @@ -89,7 +89,7 @@ rust_library( deps = [ "@vendor_ts__itoa-1.0.15//:itoa", "@vendor_ts__memchr-2.7.5//:memchr", - "@vendor_ts__ryu-1.0.19//:ryu", + "@vendor_ts__ryu-1.0.20//:ryu", "@vendor_ts__serde-1.0.219//:serde", "@vendor_ts__serde_json-1.0.140//:build_script_build", ], diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.serde_spanned-1.0.0.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.serde_spanned-1.0.0.bazel new file mode 100644 index 00000000000..9c0d30218a3 --- /dev/null +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.serde_spanned-1.0.0.bazel @@ -0,0 +1,91 @@ +############################################################################### +# @generated +# DO NOT MODIFY: This file is auto-generated by a crate_universe tool. To +# regenerate this file, run the following: +# +# bazel run @@//misc/bazel/3rdparty:vendor_tree_sitter_extractors +############################################################################### + +load("@rules_rust//rust:defs.bzl", "rust_library") + +package(default_visibility = ["//visibility:public"]) + +rust_library( + name = "serde_spanned", + srcs = glob( + include = ["**/*.rs"], + allow_empty = True, + ), + compile_data = glob( + include = ["**"], + allow_empty = True, + exclude = [ + "**/* *", + ".tmp_git_root/**/*", + "BUILD", + "BUILD.bazel", + "WORKSPACE", + "WORKSPACE.bazel", + ], + ), + crate_features = [ + "alloc", + "serde", + "std", + ], + crate_root = "src/lib.rs", + edition = "2021", + rustc_flags = [ + "--cap-lints=allow", + ], + tags = [ + "cargo-bazel", + "crate-name=serde_spanned", + "manual", + "noclippy", + "norustfmt", + ], + target_compatible_with = select({ + "@rules_rust//rust/platform:aarch64-apple-darwin": [], + "@rules_rust//rust/platform:aarch64-apple-ios": [], + "@rules_rust//rust/platform:aarch64-apple-ios-sim": [], + "@rules_rust//rust/platform:aarch64-linux-android": [], + "@rules_rust//rust/platform:aarch64-pc-windows-msvc": [], + "@rules_rust//rust/platform:aarch64-unknown-fuchsia": [], + "@rules_rust//rust/platform:aarch64-unknown-linux-gnu": [], + "@rules_rust//rust/platform:aarch64-unknown-nixos-gnu": [], + "@rules_rust//rust/platform:aarch64-unknown-nto-qnx710": [], + "@rules_rust//rust/platform:aarch64-unknown-uefi": [], + "@rules_rust//rust/platform:arm-unknown-linux-gnueabi": [], + "@rules_rust//rust/platform:armv7-linux-androideabi": [], + "@rules_rust//rust/platform:armv7-unknown-linux-gnueabi": [], + "@rules_rust//rust/platform:i686-apple-darwin": [], + "@rules_rust//rust/platform:i686-linux-android": [], + "@rules_rust//rust/platform:i686-pc-windows-msvc": [], + "@rules_rust//rust/platform:i686-unknown-freebsd": [], + "@rules_rust//rust/platform:i686-unknown-linux-gnu": [], + "@rules_rust//rust/platform:powerpc-unknown-linux-gnu": [], + "@rules_rust//rust/platform:riscv32imc-unknown-none-elf": [], + "@rules_rust//rust/platform:riscv64gc-unknown-none-elf": [], + "@rules_rust//rust/platform:s390x-unknown-linux-gnu": [], + "@rules_rust//rust/platform:thumbv7em-none-eabi": [], + "@rules_rust//rust/platform:thumbv8m.main-none-eabi": [], + "@rules_rust//rust/platform:wasm32-unknown-unknown": [], + "@rules_rust//rust/platform:wasm32-wasip1": [], + "@rules_rust//rust/platform:x86_64-apple-darwin": [], + "@rules_rust//rust/platform:x86_64-apple-ios": [], + "@rules_rust//rust/platform:x86_64-linux-android": [], + "@rules_rust//rust/platform:x86_64-pc-windows-msvc": [], + "@rules_rust//rust/platform:x86_64-unknown-freebsd": [], + "@rules_rust//rust/platform:x86_64-unknown-fuchsia": [], + "@rules_rust//rust/platform:x86_64-unknown-linux-gnu": [], + "@rules_rust//rust/platform:x86_64-unknown-nixos-gnu": [], + "@rules_rust//rust/platform:x86_64-unknown-none": [], + "@rules_rust//rust/platform:x86_64-unknown-uefi": [], + "//conditions:default": ["@platforms//:incompatible"], + }), + version = "1.0.0", + deps = [ + "@vendor_ts__serde-1.0.219//:serde", + ], +) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.serde_with-3.13.0.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.serde_with-3.14.0.bazel similarity index 97% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.serde_with-3.13.0.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.serde_with-3.14.0.bazel index 8d767cf92c1..810a3b27684 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.serde_with-3.13.0.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.serde_with-3.14.0.bazel @@ -38,7 +38,7 @@ rust_library( edition = "2021", proc_macro_deps = [ "@vendor_ts__serde_derive-1.0.219//:serde_derive", - "@vendor_ts__serde_with_macros-3.13.0//:serde_with_macros", + "@vendor_ts__serde_with_macros-3.14.0//:serde_with_macros", ], rustc_flags = [ "--cap-lints=allow", @@ -89,7 +89,7 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "3.13.0", + version = "3.14.0", deps = [ "@vendor_ts__serde-1.0.219//:serde", ], diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.serde_with_macros-3.13.0.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.serde_with_macros-3.14.0.bazel similarity index 97% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.serde_with_macros-3.13.0.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.serde_with_macros-3.14.0.bazel index eee3714cc13..8ee77607d8f 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.serde_with_macros-3.13.0.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.serde_with_macros-3.14.0.bazel @@ -79,11 +79,11 @@ rust_proc_macro( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "3.13.0", + version = "3.14.0", deps = [ - "@vendor_ts__darling-0.20.10//:darling", + "@vendor_ts__darling-0.20.11//:darling", "@vendor_ts__proc-macro2-1.0.95//:proc_macro2", "@vendor_ts__quote-1.0.40//:quote", - "@vendor_ts__syn-2.0.103//:syn", + "@vendor_ts__syn-2.0.104//:syn", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.serde_yaml-0.9.34+deprecated.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.serde_yaml-0.9.34+deprecated.bazel index 9ec28ca4440..1e57e377bbf 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.serde_yaml-0.9.34+deprecated.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.serde_yaml-0.9.34+deprecated.bazel @@ -81,9 +81,9 @@ rust_library( }), version = "0.9.34+deprecated", deps = [ - "@vendor_ts__indexmap-2.9.0//:indexmap", + "@vendor_ts__indexmap-2.10.0//:indexmap", "@vendor_ts__itoa-1.0.15//:itoa", - "@vendor_ts__ryu-1.0.19//:ryu", + "@vendor_ts__ryu-1.0.20//:ryu", "@vendor_ts__serde-1.0.219//:serde", "@vendor_ts__unsafe-libyaml-0.2.11//:unsafe_libyaml", ], diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.syn-2.0.103.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.syn-2.0.104.bazel similarity index 97% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.syn-2.0.103.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.syn-2.0.104.bazel index 2f0a43a1e3f..4a821476537 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.syn-2.0.103.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.syn-2.0.104.bazel @@ -92,10 +92,10 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "2.0.103", + version = "2.0.104", deps = [ "@vendor_ts__proc-macro2-1.0.95//:proc_macro2", "@vendor_ts__quote-1.0.40//:quote", - "@vendor_ts__unicode-ident-1.0.17//:unicode_ident", + "@vendor_ts__unicode-ident-1.0.18//:unicode_ident", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.synstructure-0.13.1.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.synstructure-0.13.2.bazel similarity index 98% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.synstructure-0.13.1.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.synstructure-0.13.2.bazel index e726c441dfb..edeaa4404a3 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.synstructure-0.13.1.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.synstructure-0.13.2.bazel @@ -83,10 +83,10 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.13.1", + version = "0.13.2", deps = [ "@vendor_ts__proc-macro2-1.0.95//:proc_macro2", "@vendor_ts__quote-1.0.40//:quote", - "@vendor_ts__syn-2.0.103//:syn", + "@vendor_ts__syn-2.0.104//:syn", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.thiserror-impl-2.0.12.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.thiserror-impl-2.0.12.bazel index eb054e9aa8d..1fde44d65d1 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.thiserror-impl-2.0.12.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.thiserror-impl-2.0.12.bazel @@ -83,6 +83,6 @@ rust_proc_macro( deps = [ "@vendor_ts__proc-macro2-1.0.95//:proc_macro2", "@vendor_ts__quote-1.0.40//:quote", - "@vendor_ts__syn-2.0.103//:syn", + "@vendor_ts__syn-2.0.104//:syn", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.thread_local-1.1.8.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.thread_local-1.1.8.bazel index f1dddcc3984..1c97113bb0e 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.thread_local-1.1.8.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.thread_local-1.1.8.bazel @@ -82,6 +82,6 @@ rust_library( version = "1.1.8", deps = [ "@vendor_ts__cfg-if-1.0.1//:cfg_if", - "@vendor_ts__once_cell-1.20.3//:once_cell", + "@vendor_ts__once_cell-1.21.3//:once_cell", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.time-0.3.37.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.time-0.3.41.bazel similarity index 96% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.time-0.3.37.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.time-0.3.41.bazel index 83d1b0f07a4..1db3b72f846 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.time-0.3.37.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.time-0.3.41.bazel @@ -79,11 +79,11 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.3.37", + version = "0.3.41", deps = [ - "@vendor_ts__deranged-0.3.11//:deranged", + "@vendor_ts__deranged-0.4.0//:deranged", "@vendor_ts__num-conv-0.1.0//:num_conv", "@vendor_ts__powerfmt-0.2.0//:powerfmt", - "@vendor_ts__time-core-0.1.2//:time_core", + "@vendor_ts__time-core-0.1.4//:time_core", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.time-core-0.1.2.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.time-core-0.1.4.bazel similarity index 99% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.time-core-0.1.2.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.time-core-0.1.4.bazel index ed9ec07403e..7ce3b7e8c50 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.time-core-0.1.2.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.time-core-0.1.4.bazel @@ -79,5 +79,5 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.1.2", + version = "0.1.4", ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.time-macros-0.2.19.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.time-macros-0.2.22.bazel similarity index 97% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.time-macros-0.2.19.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.time-macros-0.2.22.bazel index d35fd00eb5e..a3677c9f586 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.time-macros-0.2.19.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.time-macros-0.2.22.bazel @@ -79,9 +79,9 @@ rust_proc_macro( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.2.19", + version = "0.2.22", deps = [ "@vendor_ts__num-conv-0.1.0//:num_conv", - "@vendor_ts__time-core-0.1.2//:time_core", + "@vendor_ts__time-core-0.1.4//:time_core", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.toml-0.9.2.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.toml-0.9.2.bazel new file mode 100644 index 00000000000..72a06f1955f --- /dev/null +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.toml-0.9.2.bazel @@ -0,0 +1,98 @@ +############################################################################### +# @generated +# DO NOT MODIFY: This file is auto-generated by a crate_universe tool. To +# regenerate this file, run the following: +# +# bazel run @@//misc/bazel/3rdparty:vendor_tree_sitter_extractors +############################################################################### + +load("@rules_rust//rust:defs.bzl", "rust_library") + +package(default_visibility = ["//visibility:public"]) + +rust_library( + name = "toml", + srcs = glob( + include = ["**/*.rs"], + allow_empty = True, + ), + compile_data = glob( + include = ["**"], + allow_empty = True, + exclude = [ + "**/* *", + ".tmp_git_root/**/*", + "BUILD", + "BUILD.bazel", + "WORKSPACE", + "WORKSPACE.bazel", + ], + ), + crate_features = [ + "default", + "display", + "parse", + "serde", + "std", + ], + crate_root = "src/lib.rs", + edition = "2021", + rustc_flags = [ + "--cap-lints=allow", + ], + tags = [ + "cargo-bazel", + "crate-name=toml", + "manual", + "noclippy", + "norustfmt", + ], + target_compatible_with = select({ + "@rules_rust//rust/platform:aarch64-apple-darwin": [], + "@rules_rust//rust/platform:aarch64-apple-ios": [], + "@rules_rust//rust/platform:aarch64-apple-ios-sim": [], + "@rules_rust//rust/platform:aarch64-linux-android": [], + "@rules_rust//rust/platform:aarch64-pc-windows-msvc": [], + "@rules_rust//rust/platform:aarch64-unknown-fuchsia": [], + "@rules_rust//rust/platform:aarch64-unknown-linux-gnu": [], + "@rules_rust//rust/platform:aarch64-unknown-nixos-gnu": [], + "@rules_rust//rust/platform:aarch64-unknown-nto-qnx710": [], + "@rules_rust//rust/platform:aarch64-unknown-uefi": [], + "@rules_rust//rust/platform:arm-unknown-linux-gnueabi": [], + "@rules_rust//rust/platform:armv7-linux-androideabi": [], + "@rules_rust//rust/platform:armv7-unknown-linux-gnueabi": [], + "@rules_rust//rust/platform:i686-apple-darwin": [], + "@rules_rust//rust/platform:i686-linux-android": [], + "@rules_rust//rust/platform:i686-pc-windows-msvc": [], + "@rules_rust//rust/platform:i686-unknown-freebsd": [], + "@rules_rust//rust/platform:i686-unknown-linux-gnu": [], + "@rules_rust//rust/platform:powerpc-unknown-linux-gnu": [], + "@rules_rust//rust/platform:riscv32imc-unknown-none-elf": [], + "@rules_rust//rust/platform:riscv64gc-unknown-none-elf": [], + "@rules_rust//rust/platform:s390x-unknown-linux-gnu": [], + "@rules_rust//rust/platform:thumbv7em-none-eabi": [], + "@rules_rust//rust/platform:thumbv8m.main-none-eabi": [], + "@rules_rust//rust/platform:wasm32-unknown-unknown": [], + "@rules_rust//rust/platform:wasm32-wasip1": [], + "@rules_rust//rust/platform:x86_64-apple-darwin": [], + "@rules_rust//rust/platform:x86_64-apple-ios": [], + "@rules_rust//rust/platform:x86_64-linux-android": [], + "@rules_rust//rust/platform:x86_64-pc-windows-msvc": [], + "@rules_rust//rust/platform:x86_64-unknown-freebsd": [], + "@rules_rust//rust/platform:x86_64-unknown-fuchsia": [], + "@rules_rust//rust/platform:x86_64-unknown-linux-gnu": [], + "@rules_rust//rust/platform:x86_64-unknown-nixos-gnu": [], + "@rules_rust//rust/platform:x86_64-unknown-none": [], + "@rules_rust//rust/platform:x86_64-unknown-uefi": [], + "//conditions:default": ["@platforms//:incompatible"], + }), + version = "0.9.2", + deps = [ + "@vendor_ts__serde-1.0.219//:serde", + "@vendor_ts__serde_spanned-1.0.0//:serde_spanned", + "@vendor_ts__toml_datetime-0.7.0//:toml_datetime", + "@vendor_ts__toml_parser-1.0.1//:toml_parser", + "@vendor_ts__toml_writer-1.0.2//:toml_writer", + "@vendor_ts__winnow-0.7.11//:winnow", + ], +) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.toml_datetime-0.7.0.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.toml_datetime-0.7.0.bazel new file mode 100644 index 00000000000..1978e60b2cd --- /dev/null +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.toml_datetime-0.7.0.bazel @@ -0,0 +1,91 @@ +############################################################################### +# @generated +# DO NOT MODIFY: This file is auto-generated by a crate_universe tool. To +# regenerate this file, run the following: +# +# bazel run @@//misc/bazel/3rdparty:vendor_tree_sitter_extractors +############################################################################### + +load("@rules_rust//rust:defs.bzl", "rust_library") + +package(default_visibility = ["//visibility:public"]) + +rust_library( + name = "toml_datetime", + srcs = glob( + include = ["**/*.rs"], + allow_empty = True, + ), + compile_data = glob( + include = ["**"], + allow_empty = True, + exclude = [ + "**/* *", + ".tmp_git_root/**/*", + "BUILD", + "BUILD.bazel", + "WORKSPACE", + "WORKSPACE.bazel", + ], + ), + crate_features = [ + "alloc", + "serde", + "std", + ], + crate_root = "src/lib.rs", + edition = "2021", + rustc_flags = [ + "--cap-lints=allow", + ], + tags = [ + "cargo-bazel", + "crate-name=toml_datetime", + "manual", + "noclippy", + "norustfmt", + ], + target_compatible_with = select({ + "@rules_rust//rust/platform:aarch64-apple-darwin": [], + "@rules_rust//rust/platform:aarch64-apple-ios": [], + "@rules_rust//rust/platform:aarch64-apple-ios-sim": [], + "@rules_rust//rust/platform:aarch64-linux-android": [], + "@rules_rust//rust/platform:aarch64-pc-windows-msvc": [], + "@rules_rust//rust/platform:aarch64-unknown-fuchsia": [], + "@rules_rust//rust/platform:aarch64-unknown-linux-gnu": [], + "@rules_rust//rust/platform:aarch64-unknown-nixos-gnu": [], + "@rules_rust//rust/platform:aarch64-unknown-nto-qnx710": [], + "@rules_rust//rust/platform:aarch64-unknown-uefi": [], + "@rules_rust//rust/platform:arm-unknown-linux-gnueabi": [], + "@rules_rust//rust/platform:armv7-linux-androideabi": [], + "@rules_rust//rust/platform:armv7-unknown-linux-gnueabi": [], + "@rules_rust//rust/platform:i686-apple-darwin": [], + "@rules_rust//rust/platform:i686-linux-android": [], + "@rules_rust//rust/platform:i686-pc-windows-msvc": [], + "@rules_rust//rust/platform:i686-unknown-freebsd": [], + "@rules_rust//rust/platform:i686-unknown-linux-gnu": [], + "@rules_rust//rust/platform:powerpc-unknown-linux-gnu": [], + "@rules_rust//rust/platform:riscv32imc-unknown-none-elf": [], + "@rules_rust//rust/platform:riscv64gc-unknown-none-elf": [], + "@rules_rust//rust/platform:s390x-unknown-linux-gnu": [], + "@rules_rust//rust/platform:thumbv7em-none-eabi": [], + "@rules_rust//rust/platform:thumbv8m.main-none-eabi": [], + "@rules_rust//rust/platform:wasm32-unknown-unknown": [], + "@rules_rust//rust/platform:wasm32-wasip1": [], + "@rules_rust//rust/platform:x86_64-apple-darwin": [], + "@rules_rust//rust/platform:x86_64-apple-ios": [], + "@rules_rust//rust/platform:x86_64-linux-android": [], + "@rules_rust//rust/platform:x86_64-pc-windows-msvc": [], + "@rules_rust//rust/platform:x86_64-unknown-freebsd": [], + "@rules_rust//rust/platform:x86_64-unknown-fuchsia": [], + "@rules_rust//rust/platform:x86_64-unknown-linux-gnu": [], + "@rules_rust//rust/platform:x86_64-unknown-nixos-gnu": [], + "@rules_rust//rust/platform:x86_64-unknown-none": [], + "@rules_rust//rust/platform:x86_64-unknown-uefi": [], + "//conditions:default": ["@platforms//:incompatible"], + }), + version = "0.7.0", + deps = [ + "@vendor_ts__serde-1.0.219//:serde", + ], +) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.toml_edit-0.22.27.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.toml_edit-0.22.27.bazel index 8a49793f584..f074b69481c 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.toml_edit-0.22.27.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.toml_edit-0.22.27.bazel @@ -86,7 +86,7 @@ rust_library( }), version = "0.22.27", deps = [ - "@vendor_ts__indexmap-2.9.0//:indexmap", + "@vendor_ts__indexmap-2.10.0//:indexmap", "@vendor_ts__serde-1.0.219//:serde", "@vendor_ts__serde_spanned-0.6.9//:serde_spanned", "@vendor_ts__toml_datetime-0.6.11//:toml_datetime", diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.toml_parser-1.0.1.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.toml_parser-1.0.1.bazel new file mode 100644 index 00000000000..d4d53a70183 --- /dev/null +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.toml_parser-1.0.1.bazel @@ -0,0 +1,90 @@ +############################################################################### +# @generated +# DO NOT MODIFY: This file is auto-generated by a crate_universe tool. To +# regenerate this file, run the following: +# +# bazel run @@//misc/bazel/3rdparty:vendor_tree_sitter_extractors +############################################################################### + +load("@rules_rust//rust:defs.bzl", "rust_library") + +package(default_visibility = ["//visibility:public"]) + +rust_library( + name = "toml_parser", + srcs = glob( + include = ["**/*.rs"], + allow_empty = True, + ), + compile_data = glob( + include = ["**"], + allow_empty = True, + exclude = [ + "**/* *", + ".tmp_git_root/**/*", + "BUILD", + "BUILD.bazel", + "WORKSPACE", + "WORKSPACE.bazel", + ], + ), + crate_features = [ + "alloc", + "std", + ], + crate_root = "src/lib.rs", + edition = "2021", + rustc_flags = [ + "--cap-lints=allow", + ], + tags = [ + "cargo-bazel", + "crate-name=toml_parser", + "manual", + "noclippy", + "norustfmt", + ], + target_compatible_with = select({ + "@rules_rust//rust/platform:aarch64-apple-darwin": [], + "@rules_rust//rust/platform:aarch64-apple-ios": [], + "@rules_rust//rust/platform:aarch64-apple-ios-sim": [], + "@rules_rust//rust/platform:aarch64-linux-android": [], + "@rules_rust//rust/platform:aarch64-pc-windows-msvc": [], + "@rules_rust//rust/platform:aarch64-unknown-fuchsia": [], + "@rules_rust//rust/platform:aarch64-unknown-linux-gnu": [], + "@rules_rust//rust/platform:aarch64-unknown-nixos-gnu": [], + "@rules_rust//rust/platform:aarch64-unknown-nto-qnx710": [], + "@rules_rust//rust/platform:aarch64-unknown-uefi": [], + "@rules_rust//rust/platform:arm-unknown-linux-gnueabi": [], + "@rules_rust//rust/platform:armv7-linux-androideabi": [], + "@rules_rust//rust/platform:armv7-unknown-linux-gnueabi": [], + "@rules_rust//rust/platform:i686-apple-darwin": [], + "@rules_rust//rust/platform:i686-linux-android": [], + "@rules_rust//rust/platform:i686-pc-windows-msvc": [], + "@rules_rust//rust/platform:i686-unknown-freebsd": [], + "@rules_rust//rust/platform:i686-unknown-linux-gnu": [], + "@rules_rust//rust/platform:powerpc-unknown-linux-gnu": [], + "@rules_rust//rust/platform:riscv32imc-unknown-none-elf": [], + "@rules_rust//rust/platform:riscv64gc-unknown-none-elf": [], + "@rules_rust//rust/platform:s390x-unknown-linux-gnu": [], + "@rules_rust//rust/platform:thumbv7em-none-eabi": [], + "@rules_rust//rust/platform:thumbv8m.main-none-eabi": [], + "@rules_rust//rust/platform:wasm32-unknown-unknown": [], + "@rules_rust//rust/platform:wasm32-wasip1": [], + "@rules_rust//rust/platform:x86_64-apple-darwin": [], + "@rules_rust//rust/platform:x86_64-apple-ios": [], + "@rules_rust//rust/platform:x86_64-linux-android": [], + "@rules_rust//rust/platform:x86_64-pc-windows-msvc": [], + "@rules_rust//rust/platform:x86_64-unknown-freebsd": [], + "@rules_rust//rust/platform:x86_64-unknown-fuchsia": [], + "@rules_rust//rust/platform:x86_64-unknown-linux-gnu": [], + "@rules_rust//rust/platform:x86_64-unknown-nixos-gnu": [], + "@rules_rust//rust/platform:x86_64-unknown-none": [], + "@rules_rust//rust/platform:x86_64-unknown-uefi": [], + "//conditions:default": ["@platforms//:incompatible"], + }), + version = "1.0.1", + deps = [ + "@vendor_ts__winnow-0.7.11//:winnow", + ], +) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.toml_writer-1.0.2.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.toml_writer-1.0.2.bazel new file mode 100644 index 00000000000..06dfde95267 --- /dev/null +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.toml_writer-1.0.2.bazel @@ -0,0 +1,88 @@ +############################################################################### +# @generated +# DO NOT MODIFY: This file is auto-generated by a crate_universe tool. To +# regenerate this file, run the following: +# +# bazel run @@//misc/bazel/3rdparty:vendor_tree_sitter_extractors +############################################################################### + +load("@rules_rust//rust:defs.bzl", "rust_library") + +package(default_visibility = ["//visibility:public"]) + +rust_library( + name = "toml_writer", + srcs = glob( + include = ["**/*.rs"], + allow_empty = True, + ), + compile_data = glob( + include = ["**"], + allow_empty = True, + exclude = [ + "**/* *", + ".tmp_git_root/**/*", + "BUILD", + "BUILD.bazel", + "WORKSPACE", + "WORKSPACE.bazel", + ], + ), + crate_features = [ + "alloc", + "default", + "std", + ], + crate_root = "src/lib.rs", + edition = "2021", + rustc_flags = [ + "--cap-lints=allow", + ], + tags = [ + "cargo-bazel", + "crate-name=toml_writer", + "manual", + "noclippy", + "norustfmt", + ], + target_compatible_with = select({ + "@rules_rust//rust/platform:aarch64-apple-darwin": [], + "@rules_rust//rust/platform:aarch64-apple-ios": [], + "@rules_rust//rust/platform:aarch64-apple-ios-sim": [], + "@rules_rust//rust/platform:aarch64-linux-android": [], + "@rules_rust//rust/platform:aarch64-pc-windows-msvc": [], + "@rules_rust//rust/platform:aarch64-unknown-fuchsia": [], + "@rules_rust//rust/platform:aarch64-unknown-linux-gnu": [], + "@rules_rust//rust/platform:aarch64-unknown-nixos-gnu": [], + "@rules_rust//rust/platform:aarch64-unknown-nto-qnx710": [], + "@rules_rust//rust/platform:aarch64-unknown-uefi": [], + "@rules_rust//rust/platform:arm-unknown-linux-gnueabi": [], + "@rules_rust//rust/platform:armv7-linux-androideabi": [], + "@rules_rust//rust/platform:armv7-unknown-linux-gnueabi": [], + "@rules_rust//rust/platform:i686-apple-darwin": [], + "@rules_rust//rust/platform:i686-linux-android": [], + "@rules_rust//rust/platform:i686-pc-windows-msvc": [], + "@rules_rust//rust/platform:i686-unknown-freebsd": [], + "@rules_rust//rust/platform:i686-unknown-linux-gnu": [], + "@rules_rust//rust/platform:powerpc-unknown-linux-gnu": [], + "@rules_rust//rust/platform:riscv32imc-unknown-none-elf": [], + "@rules_rust//rust/platform:riscv64gc-unknown-none-elf": [], + "@rules_rust//rust/platform:s390x-unknown-linux-gnu": [], + "@rules_rust//rust/platform:thumbv7em-none-eabi": [], + "@rules_rust//rust/platform:thumbv8m.main-none-eabi": [], + "@rules_rust//rust/platform:wasm32-unknown-unknown": [], + "@rules_rust//rust/platform:wasm32-wasip1": [], + "@rules_rust//rust/platform:x86_64-apple-darwin": [], + "@rules_rust//rust/platform:x86_64-apple-ios": [], + "@rules_rust//rust/platform:x86_64-linux-android": [], + "@rules_rust//rust/platform:x86_64-pc-windows-msvc": [], + "@rules_rust//rust/platform:x86_64-unknown-freebsd": [], + "@rules_rust//rust/platform:x86_64-unknown-fuchsia": [], + "@rules_rust//rust/platform:x86_64-unknown-linux-gnu": [], + "@rules_rust//rust/platform:x86_64-unknown-nixos-gnu": [], + "@rules_rust//rust/platform:x86_64-unknown-none": [], + "@rules_rust//rust/platform:x86_64-unknown-uefi": [], + "//conditions:default": ["@platforms//:incompatible"], + }), + version = "1.0.2", +) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tracing-0.1.41.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tracing-0.1.41.bazel index 97ea0c0bd80..57cd9586c95 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tracing-0.1.41.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tracing-0.1.41.bazel @@ -37,7 +37,7 @@ rust_library( crate_root = "src/lib.rs", edition = "2018", proc_macro_deps = [ - "@vendor_ts__tracing-attributes-0.1.28//:tracing_attributes", + "@vendor_ts__tracing-attributes-0.1.30//:tracing_attributes", ], rustc_flags = [ "--cap-lints=allow", @@ -91,6 +91,6 @@ rust_library( version = "0.1.41", deps = [ "@vendor_ts__pin-project-lite-0.2.16//:pin_project_lite", - "@vendor_ts__tracing-core-0.1.33//:tracing_core", + "@vendor_ts__tracing-core-0.1.34//:tracing_core", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tracing-attributes-0.1.28.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tracing-attributes-0.1.30.bazel similarity index 98% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tracing-attributes-0.1.28.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tracing-attributes-0.1.30.bazel index ee4bf997c01..f33e141e5b7 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tracing-attributes-0.1.28.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tracing-attributes-0.1.30.bazel @@ -79,10 +79,10 @@ rust_proc_macro( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.1.28", + version = "0.1.30", deps = [ "@vendor_ts__proc-macro2-1.0.95//:proc_macro2", "@vendor_ts__quote-1.0.40//:quote", - "@vendor_ts__syn-2.0.103//:syn", + "@vendor_ts__syn-2.0.104//:syn", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tracing-core-0.1.33.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tracing-core-0.1.34.bazel similarity index 97% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tracing-core-0.1.33.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tracing-core-0.1.34.bazel index ce9e6c7f486..0b65c9e2485 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tracing-core-0.1.33.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tracing-core-0.1.34.bazel @@ -84,8 +84,8 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.1.33", + version = "0.1.34", deps = [ - "@vendor_ts__once_cell-1.20.3//:once_cell", + "@vendor_ts__once_cell-1.21.3//:once_cell", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tracing-log-0.2.0.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tracing-log-0.2.0.bazel index b4f1a8d3ab5..9e5af0d1d03 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tracing-log-0.2.0.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tracing-log-0.2.0.bazel @@ -86,7 +86,7 @@ rust_library( version = "0.2.0", deps = [ "@vendor_ts__log-0.4.27//:log", - "@vendor_ts__once_cell-1.20.3//:once_cell", - "@vendor_ts__tracing-core-0.1.33//:tracing_core", + "@vendor_ts__once_cell-1.21.3//:once_cell", + "@vendor_ts__tracing-core-0.1.34//:tracing_core", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tracing-subscriber-0.3.19.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tracing-subscriber-0.3.19.bazel index 65c7afaeb70..b2a3103bcf6 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tracing-subscriber-0.3.19.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tracing-subscriber-0.3.19.bazel @@ -101,13 +101,13 @@ rust_library( deps = [ "@vendor_ts__matchers-0.1.0//:matchers", "@vendor_ts__nu-ansi-term-0.46.0//:nu_ansi_term", - "@vendor_ts__once_cell-1.20.3//:once_cell", + "@vendor_ts__once_cell-1.21.3//:once_cell", "@vendor_ts__regex-1.11.1//:regex", "@vendor_ts__sharded-slab-0.1.7//:sharded_slab", "@vendor_ts__smallvec-1.15.1//:smallvec", "@vendor_ts__thread_local-1.1.8//:thread_local", "@vendor_ts__tracing-0.1.41//:tracing", - "@vendor_ts__tracing-core-0.1.33//:tracing_core", + "@vendor_ts__tracing-core-0.1.34//:tracing_core", "@vendor_ts__tracing-log-0.2.0//:tracing_log", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tree-sitter-0.24.6.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tree-sitter-0.24.6.bazel index aec9a765ca6..3fcdb2a9f7c 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tree-sitter-0.24.6.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tree-sitter-0.24.6.bazel @@ -147,7 +147,7 @@ cargo_build_script( version = "0.24.6", visibility = ["//visibility:private"], deps = [ - "@vendor_ts__cc-1.2.7//:cc", + "@vendor_ts__cc-1.2.29//:cc", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tree-sitter-embedded-template-0.23.2.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tree-sitter-embedded-template-0.23.2.bazel index e65ebd28265..046e08c1489 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tree-sitter-embedded-template-0.23.2.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tree-sitter-embedded-template-0.23.2.bazel @@ -135,7 +135,7 @@ cargo_build_script( version = "0.23.2", visibility = ["//visibility:private"], deps = [ - "@vendor_ts__cc-1.2.7//:cc", + "@vendor_ts__cc-1.2.29//:cc", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tree-sitter-json-0.24.8.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tree-sitter-json-0.24.8.bazel index a5d58cfff1c..6d02526eac4 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tree-sitter-json-0.24.8.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tree-sitter-json-0.24.8.bazel @@ -135,7 +135,7 @@ cargo_build_script( version = "0.24.8", visibility = ["//visibility:private"], deps = [ - "@vendor_ts__cc-1.2.7//:cc", + "@vendor_ts__cc-1.2.29//:cc", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tree-sitter-ql-0.23.1.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tree-sitter-ql-0.23.1.bazel index 404fe701044..3e467674ce2 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tree-sitter-ql-0.23.1.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tree-sitter-ql-0.23.1.bazel @@ -135,7 +135,7 @@ cargo_build_script( version = "0.23.1", visibility = ["//visibility:private"], deps = [ - "@vendor_ts__cc-1.2.7//:cc", + "@vendor_ts__cc-1.2.29//:cc", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tree-sitter-ruby-0.23.1.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tree-sitter-ruby-0.23.1.bazel index 71a3b236984..b189b4bfa8c 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tree-sitter-ruby-0.23.1.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.tree-sitter-ruby-0.23.1.bazel @@ -135,7 +135,7 @@ cargo_build_script( version = "0.23.1", visibility = ["//visibility:private"], deps = [ - "@vendor_ts__cc-1.2.7//:cc", + "@vendor_ts__cc-1.2.29//:cc", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.unicode-ident-1.0.17.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.unicode-ident-1.0.18.bazel similarity index 99% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.unicode-ident-1.0.17.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.unicode-ident-1.0.18.bazel index 6d4b21156f9..b0ebc51ff78 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.unicode-ident-1.0.17.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.unicode-ident-1.0.18.bazel @@ -79,5 +79,5 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "1.0.17", + version = "1.0.18", ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.valuable-0.1.0.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.valuable-0.1.1.bazel similarity index 96% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.valuable-0.1.0.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.valuable-0.1.1.bazel index a8fe7b8a667..bfebc76046d 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.valuable-0.1.0.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.valuable-0.1.1.bazel @@ -30,7 +30,7 @@ rust_library( ], ), crate_root = "src/lib.rs", - edition = "2018", + edition = "2021", rustc_flags = [ "--cap-lints=allow", ], @@ -80,9 +80,9 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.1.0", + version = "0.1.1", deps = [ - "@vendor_ts__valuable-0.1.0//:build_script_build", + "@vendor_ts__valuable-0.1.1//:build_script_build", ], ) @@ -119,7 +119,7 @@ cargo_build_script( "WORKSPACE.bazel", ], ), - edition = "2018", + edition = "2021", pkg_name = "valuable", rustc_flags = [ "--cap-lints=allow", @@ -131,7 +131,7 @@ cargo_build_script( "noclippy", "norustfmt", ], - version = "0.1.0", + version = "0.1.1", visibility = ["//visibility:private"], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.wasi-0.11.0+wasi-snapshot-preview1.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.wasi-0.11.1+wasi-snapshot-preview1.bazel similarity index 98% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.wasi-0.11.0+wasi-snapshot-preview1.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.wasi-0.11.1+wasi-snapshot-preview1.bazel index 54552a7b252..0f6d860867a 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.wasi-0.11.0+wasi-snapshot-preview1.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.wasi-0.11.1+wasi-snapshot-preview1.bazel @@ -79,5 +79,5 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.11.0+wasi-snapshot-preview1", + version = "0.11.1+wasi-snapshot-preview1", ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.wasm-bindgen-0.2.99.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.wasm-bindgen-0.2.100.bazel similarity index 93% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.wasm-bindgen-0.2.99.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.wasm-bindgen-0.2.100.bazel index bf281cfada1..ac4e42da6ed 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.wasm-bindgen-0.2.99.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.wasm-bindgen-0.2.100.bazel @@ -31,13 +31,15 @@ rust_library( ), crate_features = [ "default", - "spans", + "msrv", + "rustversion", "std", ], crate_root = "src/lib.rs", edition = "2021", proc_macro_deps = [ - "@vendor_ts__wasm-bindgen-macro-0.2.99//:wasm_bindgen_macro", + "@vendor_ts__rustversion-1.0.21//:rustversion", + "@vendor_ts__wasm-bindgen-macro-0.2.100//:wasm_bindgen_macro", ], rustc_flags = [ "--cap-lints=allow", @@ -88,11 +90,11 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.2.99", + version = "0.2.100", deps = [ "@vendor_ts__cfg-if-1.0.1//:cfg_if", - "@vendor_ts__once_cell-1.20.3//:once_cell", - "@vendor_ts__wasm-bindgen-0.2.99//:build_script_build", + "@vendor_ts__once_cell-1.21.3//:once_cell", + "@vendor_ts__wasm-bindgen-0.2.100//:build_script_build", ], ) @@ -117,7 +119,8 @@ cargo_build_script( ), crate_features = [ "default", - "spans", + "msrv", + "rustversion", "std", ], crate_name = "build_script_build", @@ -146,7 +149,7 @@ cargo_build_script( "noclippy", "norustfmt", ], - version = "0.2.99", + version = "0.2.100", visibility = ["//visibility:private"], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.wasm-bindgen-backend-0.2.99.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.wasm-bindgen-backend-0.2.100.bazel similarity index 93% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.wasm-bindgen-backend-0.2.99.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.wasm-bindgen-backend-0.2.100.bazel index 78dbca5d439..3133d7c3c2f 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.wasm-bindgen-backend-0.2.99.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.wasm-bindgen-backend-0.2.100.bazel @@ -28,10 +28,6 @@ rust_library( "WORKSPACE.bazel", ], ), - crate_features = [ - "spans", - "std", - ], crate_root = "src/lib.rs", edition = "2021", rustc_flags = [ @@ -83,13 +79,13 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.2.99", + version = "0.2.100", deps = [ - "@vendor_ts__bumpalo-3.16.0//:bumpalo", + "@vendor_ts__bumpalo-3.19.0//:bumpalo", "@vendor_ts__log-0.4.27//:log", "@vendor_ts__proc-macro2-1.0.95//:proc_macro2", "@vendor_ts__quote-1.0.40//:quote", - "@vendor_ts__syn-2.0.103//:syn", - "@vendor_ts__wasm-bindgen-shared-0.2.99//:wasm_bindgen_shared", + "@vendor_ts__syn-2.0.104//:syn", + "@vendor_ts__wasm-bindgen-shared-0.2.100//:wasm_bindgen_shared", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.wasm-bindgen-macro-0.2.99.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.wasm-bindgen-macro-0.2.100.bazel similarity index 95% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.wasm-bindgen-macro-0.2.99.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.wasm-bindgen-macro-0.2.100.bazel index 4523fef57ff..7890f71fa78 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.wasm-bindgen-macro-0.2.99.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.wasm-bindgen-macro-0.2.100.bazel @@ -28,10 +28,6 @@ rust_proc_macro( "WORKSPACE.bazel", ], ), - crate_features = [ - "spans", - "std", - ], crate_root = "src/lib.rs", edition = "2021", rustc_flags = [ @@ -83,9 +79,9 @@ rust_proc_macro( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.2.99", + version = "0.2.100", deps = [ "@vendor_ts__quote-1.0.40//:quote", - "@vendor_ts__wasm-bindgen-macro-support-0.2.99//:wasm_bindgen_macro_support", + "@vendor_ts__wasm-bindgen-macro-support-0.2.100//:wasm_bindgen_macro_support", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.wasm-bindgen-macro-support-0.2.99.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.wasm-bindgen-macro-support-0.2.100.bazel similarity index 93% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.wasm-bindgen-macro-support-0.2.99.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.wasm-bindgen-macro-support-0.2.100.bazel index e83a1630b61..e60d0ec189a 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.wasm-bindgen-macro-support-0.2.99.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.wasm-bindgen-macro-support-0.2.100.bazel @@ -28,10 +28,6 @@ rust_library( "WORKSPACE.bazel", ], ), - crate_features = [ - "spans", - "std", - ], crate_root = "src/lib.rs", edition = "2021", rustc_flags = [ @@ -83,12 +79,12 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.2.99", + version = "0.2.100", deps = [ "@vendor_ts__proc-macro2-1.0.95//:proc_macro2", "@vendor_ts__quote-1.0.40//:quote", - "@vendor_ts__syn-2.0.103//:syn", - "@vendor_ts__wasm-bindgen-backend-0.2.99//:wasm_bindgen_backend", - "@vendor_ts__wasm-bindgen-shared-0.2.99//:wasm_bindgen_shared", + "@vendor_ts__syn-2.0.104//:syn", + "@vendor_ts__wasm-bindgen-backend-0.2.100//:wasm_bindgen_backend", + "@vendor_ts__wasm-bindgen-shared-0.2.100//:wasm_bindgen_shared", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.wasm-bindgen-shared-0.2.99.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.wasm-bindgen-shared-0.2.100.bazel similarity index 96% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.wasm-bindgen-shared-0.2.99.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.wasm-bindgen-shared-0.2.100.bazel index c22eb09d626..f0ec6b59aaa 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.wasm-bindgen-shared-0.2.99.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.wasm-bindgen-shared-0.2.100.bazel @@ -80,9 +80,10 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.2.99", + version = "0.2.100", deps = [ - "@vendor_ts__wasm-bindgen-shared-0.2.99//:build_script_build", + "@vendor_ts__unicode-ident-1.0.18//:unicode_ident", + "@vendor_ts__wasm-bindgen-shared-0.2.100//:build_script_build", ], ) @@ -132,7 +133,7 @@ cargo_build_script( "noclippy", "norustfmt", ], - version = "0.2.99", + version = "0.2.100", visibility = ["//visibility:private"], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows-core-0.61.2.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows-core-0.61.2.bazel new file mode 100644 index 00000000000..dad6e83029c --- /dev/null +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows-core-0.61.2.bazel @@ -0,0 +1,92 @@ +############################################################################### +# @generated +# DO NOT MODIFY: This file is auto-generated by a crate_universe tool. To +# regenerate this file, run the following: +# +# bazel run @@//misc/bazel/3rdparty:vendor_tree_sitter_extractors +############################################################################### + +load("@rules_rust//rust:defs.bzl", "rust_library") + +package(default_visibility = ["//visibility:public"]) + +rust_library( + name = "windows_core", + srcs = glob( + include = ["**/*.rs"], + allow_empty = True, + ), + compile_data = glob( + include = ["**"], + allow_empty = True, + exclude = [ + "**/* *", + ".tmp_git_root/**/*", + "BUILD", + "BUILD.bazel", + "WORKSPACE", + "WORKSPACE.bazel", + ], + ), + crate_root = "src/lib.rs", + edition = "2021", + proc_macro_deps = [ + "@vendor_ts__windows-implement-0.60.0//:windows_implement", + "@vendor_ts__windows-interface-0.59.1//:windows_interface", + ], + rustc_flags = [ + "--cap-lints=allow", + ], + tags = [ + "cargo-bazel", + "crate-name=windows-core", + "manual", + "noclippy", + "norustfmt", + ], + target_compatible_with = select({ + "@rules_rust//rust/platform:aarch64-apple-darwin": [], + "@rules_rust//rust/platform:aarch64-apple-ios": [], + "@rules_rust//rust/platform:aarch64-apple-ios-sim": [], + "@rules_rust//rust/platform:aarch64-linux-android": [], + "@rules_rust//rust/platform:aarch64-pc-windows-msvc": [], + "@rules_rust//rust/platform:aarch64-unknown-fuchsia": [], + "@rules_rust//rust/platform:aarch64-unknown-linux-gnu": [], + "@rules_rust//rust/platform:aarch64-unknown-nixos-gnu": [], + "@rules_rust//rust/platform:aarch64-unknown-nto-qnx710": [], + "@rules_rust//rust/platform:aarch64-unknown-uefi": [], + "@rules_rust//rust/platform:arm-unknown-linux-gnueabi": [], + "@rules_rust//rust/platform:armv7-linux-androideabi": [], + "@rules_rust//rust/platform:armv7-unknown-linux-gnueabi": [], + "@rules_rust//rust/platform:i686-apple-darwin": [], + "@rules_rust//rust/platform:i686-linux-android": [], + "@rules_rust//rust/platform:i686-pc-windows-msvc": [], + "@rules_rust//rust/platform:i686-unknown-freebsd": [], + "@rules_rust//rust/platform:i686-unknown-linux-gnu": [], + "@rules_rust//rust/platform:powerpc-unknown-linux-gnu": [], + "@rules_rust//rust/platform:riscv32imc-unknown-none-elf": [], + "@rules_rust//rust/platform:riscv64gc-unknown-none-elf": [], + "@rules_rust//rust/platform:s390x-unknown-linux-gnu": [], + "@rules_rust//rust/platform:thumbv7em-none-eabi": [], + "@rules_rust//rust/platform:thumbv8m.main-none-eabi": [], + "@rules_rust//rust/platform:wasm32-unknown-unknown": [], + "@rules_rust//rust/platform:wasm32-wasip1": [], + "@rules_rust//rust/platform:x86_64-apple-darwin": [], + "@rules_rust//rust/platform:x86_64-apple-ios": [], + "@rules_rust//rust/platform:x86_64-linux-android": [], + "@rules_rust//rust/platform:x86_64-pc-windows-msvc": [], + "@rules_rust//rust/platform:x86_64-unknown-freebsd": [], + "@rules_rust//rust/platform:x86_64-unknown-fuchsia": [], + "@rules_rust//rust/platform:x86_64-unknown-linux-gnu": [], + "@rules_rust//rust/platform:x86_64-unknown-nixos-gnu": [], + "@rules_rust//rust/platform:x86_64-unknown-none": [], + "@rules_rust//rust/platform:x86_64-unknown-uefi": [], + "//conditions:default": ["@platforms//:incompatible"], + }), + version = "0.61.2", + deps = [ + "@vendor_ts__windows-link-0.1.3//:windows_link", + "@vendor_ts__windows-result-0.3.4//:windows_result", + "@vendor_ts__windows-strings-0.4.2//:windows_strings", + ], +) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.thiserror-impl-1.0.69.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows-implement-0.60.0.bazel similarity index 96% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.thiserror-impl-1.0.69.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows-implement-0.60.0.bazel index 52e3dfa4f05..23ba997ba55 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.thiserror-impl-1.0.69.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows-implement-0.60.0.bazel @@ -11,7 +11,7 @@ load("@rules_rust//rust:defs.bzl", "rust_proc_macro") package(default_visibility = ["//visibility:public"]) rust_proc_macro( - name = "thiserror_impl", + name = "windows_implement", srcs = glob( include = ["**/*.rs"], allow_empty = True, @@ -35,7 +35,7 @@ rust_proc_macro( ], tags = [ "cargo-bazel", - "crate-name=thiserror-impl", + "crate-name=windows-implement", "manual", "noclippy", "norustfmt", @@ -79,10 +79,10 @@ rust_proc_macro( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "1.0.69", + version = "0.60.0", deps = [ "@vendor_ts__proc-macro2-1.0.95//:proc_macro2", "@vendor_ts__quote-1.0.40//:quote", - "@vendor_ts__syn-2.0.103//:syn", + "@vendor_ts__syn-2.0.104//:syn", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows-interface-0.59.1.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows-interface-0.59.1.bazel new file mode 100644 index 00000000000..56416563070 --- /dev/null +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows-interface-0.59.1.bazel @@ -0,0 +1,88 @@ +############################################################################### +# @generated +# DO NOT MODIFY: This file is auto-generated by a crate_universe tool. To +# regenerate this file, run the following: +# +# bazel run @@//misc/bazel/3rdparty:vendor_tree_sitter_extractors +############################################################################### + +load("@rules_rust//rust:defs.bzl", "rust_proc_macro") + +package(default_visibility = ["//visibility:public"]) + +rust_proc_macro( + name = "windows_interface", + srcs = glob( + include = ["**/*.rs"], + allow_empty = True, + ), + compile_data = glob( + include = ["**"], + allow_empty = True, + exclude = [ + "**/* *", + ".tmp_git_root/**/*", + "BUILD", + "BUILD.bazel", + "WORKSPACE", + "WORKSPACE.bazel", + ], + ), + crate_root = "src/lib.rs", + edition = "2021", + rustc_flags = [ + "--cap-lints=allow", + ], + tags = [ + "cargo-bazel", + "crate-name=windows-interface", + "manual", + "noclippy", + "norustfmt", + ], + target_compatible_with = select({ + "@rules_rust//rust/platform:aarch64-apple-darwin": [], + "@rules_rust//rust/platform:aarch64-apple-ios": [], + "@rules_rust//rust/platform:aarch64-apple-ios-sim": [], + "@rules_rust//rust/platform:aarch64-linux-android": [], + "@rules_rust//rust/platform:aarch64-pc-windows-msvc": [], + "@rules_rust//rust/platform:aarch64-unknown-fuchsia": [], + "@rules_rust//rust/platform:aarch64-unknown-linux-gnu": [], + "@rules_rust//rust/platform:aarch64-unknown-nixos-gnu": [], + "@rules_rust//rust/platform:aarch64-unknown-nto-qnx710": [], + "@rules_rust//rust/platform:aarch64-unknown-uefi": [], + "@rules_rust//rust/platform:arm-unknown-linux-gnueabi": [], + "@rules_rust//rust/platform:armv7-linux-androideabi": [], + "@rules_rust//rust/platform:armv7-unknown-linux-gnueabi": [], + "@rules_rust//rust/platform:i686-apple-darwin": [], + "@rules_rust//rust/platform:i686-linux-android": [], + "@rules_rust//rust/platform:i686-pc-windows-msvc": [], + "@rules_rust//rust/platform:i686-unknown-freebsd": [], + "@rules_rust//rust/platform:i686-unknown-linux-gnu": [], + "@rules_rust//rust/platform:powerpc-unknown-linux-gnu": [], + "@rules_rust//rust/platform:riscv32imc-unknown-none-elf": [], + "@rules_rust//rust/platform:riscv64gc-unknown-none-elf": [], + "@rules_rust//rust/platform:s390x-unknown-linux-gnu": [], + "@rules_rust//rust/platform:thumbv7em-none-eabi": [], + "@rules_rust//rust/platform:thumbv8m.main-none-eabi": [], + "@rules_rust//rust/platform:wasm32-unknown-unknown": [], + "@rules_rust//rust/platform:wasm32-wasip1": [], + "@rules_rust//rust/platform:x86_64-apple-darwin": [], + "@rules_rust//rust/platform:x86_64-apple-ios": [], + "@rules_rust//rust/platform:x86_64-linux-android": [], + "@rules_rust//rust/platform:x86_64-pc-windows-msvc": [], + "@rules_rust//rust/platform:x86_64-unknown-freebsd": [], + "@rules_rust//rust/platform:x86_64-unknown-fuchsia": [], + "@rules_rust//rust/platform:x86_64-unknown-linux-gnu": [], + "@rules_rust//rust/platform:x86_64-unknown-nixos-gnu": [], + "@rules_rust//rust/platform:x86_64-unknown-none": [], + "@rules_rust//rust/platform:x86_64-unknown-uefi": [], + "//conditions:default": ["@platforms//:incompatible"], + }), + version = "0.59.1", + deps = [ + "@vendor_ts__proc-macro2-1.0.95//:proc_macro2", + "@vendor_ts__quote-1.0.40//:quote", + "@vendor_ts__syn-2.0.104//:syn", + ], +) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows-link-0.1.1.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows-link-0.1.3.bazel similarity index 99% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows-link-0.1.1.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows-link-0.1.3.bazel index 9c42ef20e0b..51a9757202b 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows-link-0.1.1.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows-link-0.1.3.bazel @@ -79,5 +79,5 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.1.1", + version = "0.1.3", ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows-core-0.52.0.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows-result-0.3.4.bazel similarity index 95% rename from misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows-core-0.52.0.bazel rename to misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows-result-0.3.4.bazel index 89ebc463e00..125aff0fb29 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows-core-0.52.0.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows-result-0.3.4.bazel @@ -11,7 +11,7 @@ load("@rules_rust//rust:defs.bzl", "rust_library") package(default_visibility = ["//visibility:public"]) rust_library( - name = "windows_core", + name = "windows_result", srcs = glob( include = ["**/*.rs"], allow_empty = True, @@ -35,7 +35,7 @@ rust_library( ], tags = [ "cargo-bazel", - "crate-name=windows-core", + "crate-name=windows-result", "manual", "noclippy", "norustfmt", @@ -79,8 +79,8 @@ rust_library( "@rules_rust//rust/platform:x86_64-unknown-uefi": [], "//conditions:default": ["@platforms//:incompatible"], }), - version = "0.52.0", + version = "0.3.4", deps = [ - "@vendor_ts__windows-targets-0.52.6//:windows_targets", + "@vendor_ts__windows-link-0.1.3//:windows_link", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows-strings-0.4.2.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows-strings-0.4.2.bazel new file mode 100644 index 00000000000..07f976d4711 --- /dev/null +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows-strings-0.4.2.bazel @@ -0,0 +1,86 @@ +############################################################################### +# @generated +# DO NOT MODIFY: This file is auto-generated by a crate_universe tool. To +# regenerate this file, run the following: +# +# bazel run @@//misc/bazel/3rdparty:vendor_tree_sitter_extractors +############################################################################### + +load("@rules_rust//rust:defs.bzl", "rust_library") + +package(default_visibility = ["//visibility:public"]) + +rust_library( + name = "windows_strings", + srcs = glob( + include = ["**/*.rs"], + allow_empty = True, + ), + compile_data = glob( + include = ["**"], + allow_empty = True, + exclude = [ + "**/* *", + ".tmp_git_root/**/*", + "BUILD", + "BUILD.bazel", + "WORKSPACE", + "WORKSPACE.bazel", + ], + ), + crate_root = "src/lib.rs", + edition = "2021", + rustc_flags = [ + "--cap-lints=allow", + ], + tags = [ + "cargo-bazel", + "crate-name=windows-strings", + "manual", + "noclippy", + "norustfmt", + ], + target_compatible_with = select({ + "@rules_rust//rust/platform:aarch64-apple-darwin": [], + "@rules_rust//rust/platform:aarch64-apple-ios": [], + "@rules_rust//rust/platform:aarch64-apple-ios-sim": [], + "@rules_rust//rust/platform:aarch64-linux-android": [], + "@rules_rust//rust/platform:aarch64-pc-windows-msvc": [], + "@rules_rust//rust/platform:aarch64-unknown-fuchsia": [], + "@rules_rust//rust/platform:aarch64-unknown-linux-gnu": [], + "@rules_rust//rust/platform:aarch64-unknown-nixos-gnu": [], + "@rules_rust//rust/platform:aarch64-unknown-nto-qnx710": [], + "@rules_rust//rust/platform:aarch64-unknown-uefi": [], + "@rules_rust//rust/platform:arm-unknown-linux-gnueabi": [], + "@rules_rust//rust/platform:armv7-linux-androideabi": [], + "@rules_rust//rust/platform:armv7-unknown-linux-gnueabi": [], + "@rules_rust//rust/platform:i686-apple-darwin": [], + "@rules_rust//rust/platform:i686-linux-android": [], + "@rules_rust//rust/platform:i686-pc-windows-msvc": [], + "@rules_rust//rust/platform:i686-unknown-freebsd": [], + "@rules_rust//rust/platform:i686-unknown-linux-gnu": [], + "@rules_rust//rust/platform:powerpc-unknown-linux-gnu": [], + "@rules_rust//rust/platform:riscv32imc-unknown-none-elf": [], + "@rules_rust//rust/platform:riscv64gc-unknown-none-elf": [], + "@rules_rust//rust/platform:s390x-unknown-linux-gnu": [], + "@rules_rust//rust/platform:thumbv7em-none-eabi": [], + "@rules_rust//rust/platform:thumbv8m.main-none-eabi": [], + "@rules_rust//rust/platform:wasm32-unknown-unknown": [], + "@rules_rust//rust/platform:wasm32-wasip1": [], + "@rules_rust//rust/platform:x86_64-apple-darwin": [], + "@rules_rust//rust/platform:x86_64-apple-ios": [], + "@rules_rust//rust/platform:x86_64-linux-android": [], + "@rules_rust//rust/platform:x86_64-pc-windows-msvc": [], + "@rules_rust//rust/platform:x86_64-unknown-freebsd": [], + "@rules_rust//rust/platform:x86_64-unknown-fuchsia": [], + "@rules_rust//rust/platform:x86_64-unknown-linux-gnu": [], + "@rules_rust//rust/platform:x86_64-unknown-nixos-gnu": [], + "@rules_rust//rust/platform:x86_64-unknown-none": [], + "@rules_rust//rust/platform:x86_64-unknown-uefi": [], + "//conditions:default": ["@platforms//:incompatible"], + }), + version = "0.4.2", + deps = [ + "@vendor_ts__windows-link-0.1.3//:windows_link", + ], +) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows-sys-0.52.0.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows-sys-0.52.0.bazel index ab36b4cfa4e..02fed93acd9 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows-sys-0.52.0.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.windows-sys-0.52.0.bazel @@ -28,6 +28,12 @@ rust_library( "WORKSPACE.bazel", ], ), + crate_features = [ + "Win32", + "Win32_System", + "Win32_System_Threading", + "default", + ], crate_root = "src/lib.rs", edition = "2021", rustc_flags = [ diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.yoke-derive-0.8.0.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.yoke-derive-0.8.0.bazel index 96d93eb4031..ce3b63861ad 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.yoke-derive-0.8.0.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.yoke-derive-0.8.0.bazel @@ -83,7 +83,7 @@ rust_proc_macro( deps = [ "@vendor_ts__proc-macro2-1.0.95//:proc_macro2", "@vendor_ts__quote-1.0.40//:quote", - "@vendor_ts__syn-2.0.103//:syn", - "@vendor_ts__synstructure-0.13.1//:synstructure", + "@vendor_ts__syn-2.0.104//:syn", + "@vendor_ts__synstructure-0.13.2//:synstructure", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.zerocopy-derive-0.7.35.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.zerocopy-derive-0.7.35.bazel index 0ee91e78c4e..b6addfd7256 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.zerocopy-derive-0.7.35.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.zerocopy-derive-0.7.35.bazel @@ -83,6 +83,6 @@ rust_proc_macro( deps = [ "@vendor_ts__proc-macro2-1.0.95//:proc_macro2", "@vendor_ts__quote-1.0.40//:quote", - "@vendor_ts__syn-2.0.103//:syn", + "@vendor_ts__syn-2.0.104//:syn", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.zerocopy-derive-0.8.20.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.zerocopy-derive-0.8.20.bazel index a64ba674aa4..6532a50eaa1 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.zerocopy-derive-0.8.20.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.zerocopy-derive-0.8.20.bazel @@ -83,6 +83,6 @@ rust_proc_macro( deps = [ "@vendor_ts__proc-macro2-1.0.95//:proc_macro2", "@vendor_ts__quote-1.0.40//:quote", - "@vendor_ts__syn-2.0.103//:syn", + "@vendor_ts__syn-2.0.104//:syn", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.zerofrom-derive-0.1.6.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.zerofrom-derive-0.1.6.bazel index 463d6916e4d..223de956266 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.zerofrom-derive-0.1.6.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.zerofrom-derive-0.1.6.bazel @@ -83,7 +83,7 @@ rust_proc_macro( deps = [ "@vendor_ts__proc-macro2-1.0.95//:proc_macro2", "@vendor_ts__quote-1.0.40//:quote", - "@vendor_ts__syn-2.0.103//:syn", - "@vendor_ts__synstructure-0.13.1//:synstructure", + "@vendor_ts__syn-2.0.104//:syn", + "@vendor_ts__synstructure-0.13.2//:synstructure", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.zerovec-derive-0.11.1.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.zerovec-derive-0.11.1.bazel index 653c0d360cc..2367041cbd7 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.zerovec-derive-0.11.1.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.zerovec-derive-0.11.1.bazel @@ -83,6 +83,6 @@ rust_proc_macro( deps = [ "@vendor_ts__proc-macro2-1.0.95//:proc_macro2", "@vendor_ts__quote-1.0.40//:quote", - "@vendor_ts__syn-2.0.103//:syn", + "@vendor_ts__syn-2.0.104//:syn", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.zstd-sys-2.0.15+zstd.1.5.7.bazel b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.zstd-sys-2.0.15+zstd.1.5.7.bazel index 7db2ad80d02..f29b4b091ae 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.zstd-sys-2.0.15+zstd.1.5.7.bazel +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/BUILD.zstd-sys-2.0.15+zstd.1.5.7.bazel @@ -145,7 +145,7 @@ cargo_build_script( version = "2.0.15+zstd.1.5.7", visibility = ["//visibility:private"], deps = [ - "@vendor_ts__cc-1.2.7//:cc", + "@vendor_ts__cc-1.2.29//:cc", "@vendor_ts__pkg-config-0.3.32//:pkg_config", ], ) diff --git a/misc/bazel/3rdparty/tree_sitter_extractors_deps/defs.bzl b/misc/bazel/3rdparty/tree_sitter_extractors_deps/defs.bzl index 7f5a2035841..75cbec05e35 100644 --- a/misc/bazel/3rdparty/tree_sitter_extractors_deps/defs.bzl +++ b/misc/bazel/3rdparty/tree_sitter_extractors_deps/defs.bzl @@ -295,7 +295,7 @@ def aliases( _NORMAL_DEPENDENCIES = { "ruby/extractor": { _COMMON_CONDITION: { - "clap": Label("@vendor_ts__clap-4.5.40//:clap"), + "clap": Label("@vendor_ts__clap-4.5.41//:clap"), "encoding": Label("@vendor_ts__encoding-0.2.33//:encoding"), "lazy_static": Label("@vendor_ts__lazy_static-1.5.0//:lazy_static"), "rayon": Label("@vendor_ts__rayon-1.10.0//:rayon"), @@ -317,7 +317,7 @@ _NORMAL_DEPENDENCIES = { "proc-macro2": Label("@vendor_ts__proc-macro2-1.0.95//:proc_macro2"), "quote": Label("@vendor_ts__quote-1.0.40//:quote"), "serde": Label("@vendor_ts__serde-1.0.219//:serde"), - "stdx": Label("@vendor_ts__ra_ap_stdx-0.0.288//:ra_ap_stdx"), + "stdx": Label("@vendor_ts__ra_ap_stdx-0.0.294//:ra_ap_stdx"), "ungrammar": Label("@vendor_ts__ungrammar-1.16.1//:ungrammar"), }, }, @@ -329,32 +329,32 @@ _NORMAL_DEPENDENCIES = { "argfile": Label("@vendor_ts__argfile-0.2.1//:argfile"), "chalk-ir": Label("@vendor_ts__chalk-ir-0.103.0//:chalk_ir"), "chrono": Label("@vendor_ts__chrono-0.4.41//:chrono"), - "clap": Label("@vendor_ts__clap-4.5.40//:clap"), + "clap": Label("@vendor_ts__clap-4.5.41//:clap"), "dunce": Label("@vendor_ts__dunce-1.0.5//:dunce"), "figment": Label("@vendor_ts__figment-0.10.19//:figment"), "glob": Label("@vendor_ts__glob-0.3.2//:glob"), "itertools": Label("@vendor_ts__itertools-0.14.0//:itertools"), "mustache": Label("@vendor_ts__mustache-0.9.0//:mustache"), "num-traits": Label("@vendor_ts__num-traits-0.2.19//:num_traits"), - "ra_ap_base_db": Label("@vendor_ts__ra_ap_base_db-0.0.288//:ra_ap_base_db"), - "ra_ap_cfg": Label("@vendor_ts__ra_ap_cfg-0.0.288//:ra_ap_cfg"), - "ra_ap_hir": Label("@vendor_ts__ra_ap_hir-0.0.288//:ra_ap_hir"), - "ra_ap_hir_def": Label("@vendor_ts__ra_ap_hir_def-0.0.288//:ra_ap_hir_def"), - "ra_ap_hir_expand": Label("@vendor_ts__ra_ap_hir_expand-0.0.288//:ra_ap_hir_expand"), - "ra_ap_hir_ty": Label("@vendor_ts__ra_ap_hir_ty-0.0.288//:ra_ap_hir_ty"), - "ra_ap_ide_db": Label("@vendor_ts__ra_ap_ide_db-0.0.288//:ra_ap_ide_db"), - "ra_ap_intern": Label("@vendor_ts__ra_ap_intern-0.0.288//:ra_ap_intern"), - "ra_ap_load-cargo": Label("@vendor_ts__ra_ap_load-cargo-0.0.288//:ra_ap_load_cargo"), - "ra_ap_parser": Label("@vendor_ts__ra_ap_parser-0.0.288//:ra_ap_parser"), - "ra_ap_paths": Label("@vendor_ts__ra_ap_paths-0.0.288//:ra_ap_paths"), - "ra_ap_project_model": Label("@vendor_ts__ra_ap_project_model-0.0.288//:ra_ap_project_model"), - "ra_ap_span": Label("@vendor_ts__ra_ap_span-0.0.288//:ra_ap_span"), - "ra_ap_syntax": Label("@vendor_ts__ra_ap_syntax-0.0.288//:ra_ap_syntax"), - "ra_ap_vfs": Label("@vendor_ts__ra_ap_vfs-0.0.288//:ra_ap_vfs"), + "ra_ap_base_db": Label("@vendor_ts__ra_ap_base_db-0.0.294//:ra_ap_base_db"), + "ra_ap_cfg": Label("@vendor_ts__ra_ap_cfg-0.0.294//:ra_ap_cfg"), + "ra_ap_hir": Label("@vendor_ts__ra_ap_hir-0.0.294//:ra_ap_hir"), + "ra_ap_hir_def": Label("@vendor_ts__ra_ap_hir_def-0.0.294//:ra_ap_hir_def"), + "ra_ap_hir_expand": Label("@vendor_ts__ra_ap_hir_expand-0.0.294//:ra_ap_hir_expand"), + "ra_ap_hir_ty": Label("@vendor_ts__ra_ap_hir_ty-0.0.294//:ra_ap_hir_ty"), + "ra_ap_ide_db": Label("@vendor_ts__ra_ap_ide_db-0.0.294//:ra_ap_ide_db"), + "ra_ap_intern": Label("@vendor_ts__ra_ap_intern-0.0.294//:ra_ap_intern"), + "ra_ap_load-cargo": Label("@vendor_ts__ra_ap_load-cargo-0.0.294//:ra_ap_load_cargo"), + "ra_ap_parser": Label("@vendor_ts__ra_ap_parser-0.0.294//:ra_ap_parser"), + "ra_ap_paths": Label("@vendor_ts__ra_ap_paths-0.0.294//:ra_ap_paths"), + "ra_ap_project_model": Label("@vendor_ts__ra_ap_project_model-0.0.294//:ra_ap_project_model"), + "ra_ap_span": Label("@vendor_ts__ra_ap_span-0.0.294//:ra_ap_span"), + "ra_ap_syntax": Label("@vendor_ts__ra_ap_syntax-0.0.294//:ra_ap_syntax"), + "ra_ap_vfs": Label("@vendor_ts__ra_ap_vfs-0.0.294//:ra_ap_vfs"), "serde": Label("@vendor_ts__serde-1.0.219//:serde"), "serde_json": Label("@vendor_ts__serde_json-1.0.140//:serde_json"), - "serde_with": Label("@vendor_ts__serde_with-3.13.0//:serde_with"), - "toml": Label("@vendor_ts__toml-0.8.23//:toml"), + "serde_with": Label("@vendor_ts__serde_with-3.14.0//:serde_with"), + "toml": Label("@vendor_ts__toml-0.9.2//:toml"), "tracing": Label("@vendor_ts__tracing-0.1.41//:tracing"), "tracing-flame": Label("@vendor_ts__tracing-flame-0.2.0//:tracing_flame"), "tracing-subscriber": Label("@vendor_ts__tracing-subscriber-0.3.19//:tracing_subscriber"), @@ -364,7 +364,7 @@ _NORMAL_DEPENDENCIES = { "rust/extractor/macros": { _COMMON_CONDITION: { "quote": Label("@vendor_ts__quote-1.0.40//:quote"), - "syn": Label("@vendor_ts__syn-2.0.103//:syn"), + "syn": Label("@vendor_ts__syn-2.0.104//:syn"), }, }, "shared/tree-sitter-extractor": { @@ -394,7 +394,7 @@ _NORMAL_ALIASES = { }, "rust/ast-generator": { _COMMON_CONDITION: { - Label("@vendor_ts__ra_ap_stdx-0.0.288//:ra_ap_stdx"): "stdx", + Label("@vendor_ts__ra_ap_stdx-0.0.294//:ra_ap_stdx"): "stdx", }, }, "rust/autobuild": { @@ -606,7 +606,6 @@ _CONDITIONS = { "cfg(any(target_os = \"haiku\", target_os = \"redox\", target_os = \"nto\", target_os = \"aix\"))": ["@rules_rust//rust/platform:aarch64-unknown-nto-qnx710"], "cfg(any(target_os = \"ios\", target_os = \"visionos\", target_os = \"watchos\", target_os = \"tvos\"))": ["@rules_rust//rust/platform:aarch64-apple-ios", "@rules_rust//rust/platform:aarch64-apple-ios-sim", "@rules_rust//rust/platform:x86_64-apple-ios"], "cfg(any(target_os = \"linux\", target_os = \"android\"))": ["@rules_rust//rust/platform:aarch64-linux-android", "@rules_rust//rust/platform:aarch64-unknown-linux-gnu", "@rules_rust//rust/platform:aarch64-unknown-nixos-gnu", "@rules_rust//rust/platform:arm-unknown-linux-gnueabi", "@rules_rust//rust/platform:armv7-linux-androideabi", "@rules_rust//rust/platform:armv7-unknown-linux-gnueabi", "@rules_rust//rust/platform:i686-linux-android", "@rules_rust//rust/platform:i686-unknown-linux-gnu", "@rules_rust//rust/platform:powerpc-unknown-linux-gnu", "@rules_rust//rust/platform:s390x-unknown-linux-gnu", "@rules_rust//rust/platform:x86_64-linux-android", "@rules_rust//rust/platform:x86_64-unknown-linux-gnu", "@rules_rust//rust/platform:x86_64-unknown-nixos-gnu"], - "cfg(any(target_os = \"macos\", target_os = \"ios\"))": ["@rules_rust//rust/platform:aarch64-apple-darwin", "@rules_rust//rust/platform:aarch64-apple-ios", "@rules_rust//rust/platform:aarch64-apple-ios-sim", "@rules_rust//rust/platform:i686-apple-darwin", "@rules_rust//rust/platform:x86_64-apple-darwin", "@rules_rust//rust/platform:x86_64-apple-ios"], "cfg(any(target_os = \"macos\", target_os = \"openbsd\", target_os = \"vita\", target_os = \"emscripten\"))": ["@rules_rust//rust/platform:aarch64-apple-darwin", "@rules_rust//rust/platform:i686-apple-darwin", "@rules_rust//rust/platform:x86_64-apple-darwin"], "cfg(any(target_pointer_width = \"8\", target_pointer_width = \"16\", target_pointer_width = \"32\"))": ["@rules_rust//rust/platform:arm-unknown-linux-gnueabi", "@rules_rust//rust/platform:armv7-linux-androideabi", "@rules_rust//rust/platform:armv7-unknown-linux-gnueabi", "@rules_rust//rust/platform:i686-apple-darwin", "@rules_rust//rust/platform:i686-linux-android", "@rules_rust//rust/platform:i686-pc-windows-msvc", "@rules_rust//rust/platform:i686-unknown-freebsd", "@rules_rust//rust/platform:i686-unknown-linux-gnu", "@rules_rust//rust/platform:powerpc-unknown-linux-gnu", "@rules_rust//rust/platform:riscv32imc-unknown-none-elf", "@rules_rust//rust/platform:thumbv7em-none-eabi", "@rules_rust//rust/platform:thumbv8m.main-none-eabi", "@rules_rust//rust/platform:wasm32-unknown-unknown", "@rules_rust//rust/platform:wasm32-wasip1"], "cfg(not(windows))": ["@rules_rust//rust/platform:aarch64-apple-darwin", "@rules_rust//rust/platform:aarch64-apple-ios", "@rules_rust//rust/platform:aarch64-apple-ios-sim", "@rules_rust//rust/platform:aarch64-linux-android", "@rules_rust//rust/platform:aarch64-unknown-fuchsia", "@rules_rust//rust/platform:aarch64-unknown-linux-gnu", "@rules_rust//rust/platform:aarch64-unknown-nixos-gnu", "@rules_rust//rust/platform:aarch64-unknown-nto-qnx710", "@rules_rust//rust/platform:aarch64-unknown-uefi", "@rules_rust//rust/platform:arm-unknown-linux-gnueabi", "@rules_rust//rust/platform:armv7-linux-androideabi", "@rules_rust//rust/platform:armv7-unknown-linux-gnueabi", "@rules_rust//rust/platform:i686-apple-darwin", "@rules_rust//rust/platform:i686-linux-android", "@rules_rust//rust/platform:i686-unknown-freebsd", "@rules_rust//rust/platform:i686-unknown-linux-gnu", "@rules_rust//rust/platform:powerpc-unknown-linux-gnu", "@rules_rust//rust/platform:riscv32imc-unknown-none-elf", "@rules_rust//rust/platform:riscv64gc-unknown-none-elf", "@rules_rust//rust/platform:s390x-unknown-linux-gnu", "@rules_rust//rust/platform:thumbv7em-none-eabi", "@rules_rust//rust/platform:thumbv8m.main-none-eabi", "@rules_rust//rust/platform:wasm32-unknown-unknown", "@rules_rust//rust/platform:wasm32-wasip1", "@rules_rust//rust/platform:x86_64-apple-darwin", "@rules_rust//rust/platform:x86_64-apple-ios", "@rules_rust//rust/platform:x86_64-linux-android", "@rules_rust//rust/platform:x86_64-unknown-freebsd", "@rules_rust//rust/platform:x86_64-unknown-fuchsia", "@rules_rust//rust/platform:x86_64-unknown-linux-gnu", "@rules_rust//rust/platform:x86_64-unknown-nixos-gnu", "@rules_rust//rust/platform:x86_64-unknown-none", "@rules_rust//rust/platform:x86_64-unknown-uefi"], @@ -620,6 +619,7 @@ _CONDITIONS = { "cfg(target_os = \"vxworks\")": [], "cfg(target_os = \"wasi\")": ["@rules_rust//rust/platform:wasm32-wasip1"], "cfg(target_os = \"windows\")": ["@rules_rust//rust/platform:aarch64-pc-windows-msvc", "@rules_rust//rust/platform:i686-pc-windows-msvc", "@rules_rust//rust/platform:x86_64-pc-windows-msvc"], + "cfg(target_vendor = \"apple\")": ["@rules_rust//rust/platform:aarch64-apple-darwin", "@rules_rust//rust/platform:aarch64-apple-ios", "@rules_rust//rust/platform:aarch64-apple-ios-sim", "@rules_rust//rust/platform:i686-apple-darwin", "@rules_rust//rust/platform:x86_64-apple-darwin", "@rules_rust//rust/platform:x86_64-apple-ios"], "cfg(unix)": ["@rules_rust//rust/platform:aarch64-apple-darwin", "@rules_rust//rust/platform:aarch64-apple-ios", "@rules_rust//rust/platform:aarch64-apple-ios-sim", "@rules_rust//rust/platform:aarch64-linux-android", "@rules_rust//rust/platform:aarch64-unknown-fuchsia", "@rules_rust//rust/platform:aarch64-unknown-linux-gnu", "@rules_rust//rust/platform:aarch64-unknown-nixos-gnu", "@rules_rust//rust/platform:aarch64-unknown-nto-qnx710", "@rules_rust//rust/platform:arm-unknown-linux-gnueabi", "@rules_rust//rust/platform:armv7-linux-androideabi", "@rules_rust//rust/platform:armv7-unknown-linux-gnueabi", "@rules_rust//rust/platform:i686-apple-darwin", "@rules_rust//rust/platform:i686-linux-android", "@rules_rust//rust/platform:i686-unknown-freebsd", "@rules_rust//rust/platform:i686-unknown-linux-gnu", "@rules_rust//rust/platform:powerpc-unknown-linux-gnu", "@rules_rust//rust/platform:s390x-unknown-linux-gnu", "@rules_rust//rust/platform:x86_64-apple-darwin", "@rules_rust//rust/platform:x86_64-apple-ios", "@rules_rust//rust/platform:x86_64-linux-android", "@rules_rust//rust/platform:x86_64-unknown-freebsd", "@rules_rust//rust/platform:x86_64-unknown-fuchsia", "@rules_rust//rust/platform:x86_64-unknown-linux-gnu", "@rules_rust//rust/platform:x86_64-unknown-nixos-gnu"], "cfg(windows)": ["@rules_rust//rust/platform:aarch64-pc-windows-msvc", "@rules_rust//rust/platform:i686-pc-windows-msvc", "@rules_rust//rust/platform:x86_64-pc-windows-msvc"], "i686-apple-darwin": ["@rules_rust//rust/platform:i686-apple-darwin"], @@ -711,52 +711,52 @@ def crate_repositories(): maybe( http_archive, - name = "vendor_ts__anstream-0.6.18", - sha256 = "8acc5369981196006228e28809f761875c0327210a891e941f4c683b3a99529b", + name = "vendor_ts__anstream-0.6.19", + sha256 = "301af1932e46185686725e0fad2f8f2aa7da69dd70bf6ecc44d6b703844a3933", type = "tar.gz", - urls = ["https://static.crates.io/crates/anstream/0.6.18/download"], - strip_prefix = "anstream-0.6.18", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.anstream-0.6.18.bazel"), + urls = ["https://static.crates.io/crates/anstream/0.6.19/download"], + strip_prefix = "anstream-0.6.19", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.anstream-0.6.19.bazel"), ) maybe( http_archive, - name = "vendor_ts__anstyle-1.0.10", - sha256 = "55cc3b69f167a1ef2e161439aa98aed94e6028e5f9a59be9a6ffb47aef1651f9", + name = "vendor_ts__anstyle-1.0.11", + sha256 = "862ed96ca487e809f1c8e5a8447f6ee2cf102f846893800b20cebdf541fc6bbd", type = "tar.gz", - urls = ["https://static.crates.io/crates/anstyle/1.0.10/download"], - strip_prefix = "anstyle-1.0.10", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.anstyle-1.0.10.bazel"), + urls = ["https://static.crates.io/crates/anstyle/1.0.11/download"], + strip_prefix = "anstyle-1.0.11", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.anstyle-1.0.11.bazel"), ) maybe( http_archive, - name = "vendor_ts__anstyle-parse-0.2.6", - sha256 = "3b2d16507662817a6a20a9ea92df6652ee4f94f914589377d69f3b21bc5798a9", + name = "vendor_ts__anstyle-parse-0.2.7", + sha256 = "4e7644824f0aa2c7b9384579234ef10eb7efb6a0deb83f9630a49594dd9c15c2", type = "tar.gz", - urls = ["https://static.crates.io/crates/anstyle-parse/0.2.6/download"], - strip_prefix = "anstyle-parse-0.2.6", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.anstyle-parse-0.2.6.bazel"), + urls = ["https://static.crates.io/crates/anstyle-parse/0.2.7/download"], + strip_prefix = "anstyle-parse-0.2.7", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.anstyle-parse-0.2.7.bazel"), ) maybe( http_archive, - name = "vendor_ts__anstyle-query-1.1.2", - sha256 = "79947af37f4177cfead1110013d678905c37501914fba0efea834c3fe9a8d60c", + name = "vendor_ts__anstyle-query-1.1.3", + sha256 = "6c8bdeb6047d8983be085bab0ba1472e6dc604e7041dbf6fcd5e71523014fae9", type = "tar.gz", - urls = ["https://static.crates.io/crates/anstyle-query/1.1.2/download"], - strip_prefix = "anstyle-query-1.1.2", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.anstyle-query-1.1.2.bazel"), + urls = ["https://static.crates.io/crates/anstyle-query/1.1.3/download"], + strip_prefix = "anstyle-query-1.1.3", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.anstyle-query-1.1.3.bazel"), ) maybe( http_archive, - name = "vendor_ts__anstyle-wincon-3.0.7", - sha256 = "ca3534e77181a9cc07539ad51f2141fe32f6c3ffd4df76db8ad92346b003ae4e", + name = "vendor_ts__anstyle-wincon-3.0.9", + sha256 = "403f75924867bb1033c59fbf0797484329750cfbe3c4325cd33127941fabc882", type = "tar.gz", - urls = ["https://static.crates.io/crates/anstyle-wincon/3.0.7/download"], - strip_prefix = "anstyle-wincon-3.0.7", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.anstyle-wincon-3.0.7.bazel"), + urls = ["https://static.crates.io/crates/anstyle-wincon/3.0.9/download"], + strip_prefix = "anstyle-wincon-3.0.9", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.anstyle-wincon-3.0.9.bazel"), ) maybe( @@ -801,12 +801,12 @@ def crate_repositories(): maybe( http_archive, - name = "vendor_ts__autocfg-1.4.0", - sha256 = "ace50bade8e6234aa140d9a2f552bbee1db4d353f69b8217bc503490fc1a9f26", + name = "vendor_ts__autocfg-1.5.0", + sha256 = "c08606f8c3cbf4ce6ec8e28fb0014a2c086708fe954eaa885384a6165172e7e8", type = "tar.gz", - urls = ["https://static.crates.io/crates/autocfg/1.4.0/download"], - strip_prefix = "autocfg-1.4.0", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.autocfg-1.4.0.bazel"), + urls = ["https://static.crates.io/crates/autocfg/1.5.0/download"], + strip_prefix = "autocfg-1.5.0", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.autocfg-1.5.0.bazel"), ) maybe( @@ -841,12 +841,12 @@ def crate_repositories(): maybe( http_archive, - name = "vendor_ts__borsh-1.5.5", - sha256 = "5430e3be710b68d984d1391c854eb431a9d548640711faa54eecb1df93db91cc", + name = "vendor_ts__borsh-1.5.7", + sha256 = "ad8646f98db542e39fc66e68a20b2144f6a732636df7c2354e74645faaa433ce", type = "tar.gz", - urls = ["https://static.crates.io/crates/borsh/1.5.5/download"], - strip_prefix = "borsh-1.5.5", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.borsh-1.5.5.bazel"), + urls = ["https://static.crates.io/crates/borsh/1.5.7/download"], + strip_prefix = "borsh-1.5.7", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.borsh-1.5.7.bazel"), ) maybe( @@ -871,12 +871,12 @@ def crate_repositories(): maybe( http_archive, - name = "vendor_ts__bumpalo-3.16.0", - sha256 = "79296716171880943b8470b5f8d03aa55eb2e645a4874bdbb28adb49162e012c", + name = "vendor_ts__bumpalo-3.19.0", + sha256 = "46c5e41b57b8bba42a04676d81cb89e9ee8e859a1a66f80a5a72e1cb76b34d43", type = "tar.gz", - urls = ["https://static.crates.io/crates/bumpalo/3.16.0/download"], - strip_prefix = "bumpalo-3.16.0", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.bumpalo-3.16.0.bazel"), + urls = ["https://static.crates.io/crates/bumpalo/3.19.0/download"], + strip_prefix = "bumpalo-3.19.0", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.bumpalo-3.19.0.bazel"), ) maybe( @@ -921,32 +921,32 @@ def crate_repositories(): maybe( http_archive, - name = "vendor_ts__cargo-util-schemas-0.2.0", - sha256 = "e63d2780ac94487eb9f1fea7b0d56300abc9eb488800854ca217f102f5caccca", + name = "vendor_ts__cargo-util-schemas-0.8.2", + sha256 = "7dc1a6f7b5651af85774ae5a34b4e8be397d9cf4bc063b7e6dbd99a841837830", type = "tar.gz", - urls = ["https://static.crates.io/crates/cargo-util-schemas/0.2.0/download"], - strip_prefix = "cargo-util-schemas-0.2.0", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.cargo-util-schemas-0.2.0.bazel"), + urls = ["https://static.crates.io/crates/cargo-util-schemas/0.8.2/download"], + strip_prefix = "cargo-util-schemas-0.8.2", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.cargo-util-schemas-0.8.2.bazel"), ) maybe( http_archive, - name = "vendor_ts__cargo_metadata-0.20.0", - sha256 = "4f7835cfc6135093070e95eb2b53e5d9b5c403dc3a6be6040ee026270aa82502", + name = "vendor_ts__cargo_metadata-0.21.0", + sha256 = "5cfca2aaa699835ba88faf58a06342a314a950d2b9686165e038286c30316868", type = "tar.gz", - urls = ["https://static.crates.io/crates/cargo_metadata/0.20.0/download"], - strip_prefix = "cargo_metadata-0.20.0", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.cargo_metadata-0.20.0.bazel"), + urls = ["https://static.crates.io/crates/cargo_metadata/0.21.0/download"], + strip_prefix = "cargo_metadata-0.21.0", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.cargo_metadata-0.21.0.bazel"), ) maybe( http_archive, - name = "vendor_ts__cc-1.2.7", - sha256 = "a012a0df96dd6d06ba9a1b29d6402d1a5d77c6befd2566afdc26e10603dc93d7", + name = "vendor_ts__cc-1.2.29", + sha256 = "5c1599538de2394445747c8cf7935946e3cc27e9625f889d979bfb2aaf569362", type = "tar.gz", - urls = ["https://static.crates.io/crates/cc/1.2.7/download"], - strip_prefix = "cc-1.2.7", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.cc-1.2.7.bazel"), + urls = ["https://static.crates.io/crates/cc/1.2.29/download"], + strip_prefix = "cc-1.2.29", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.cc-1.2.29.bazel"), ) maybe( @@ -1021,52 +1021,52 @@ def crate_repositories(): maybe( http_archive, - name = "vendor_ts__clap-4.5.40", - sha256 = "40b6887a1d8685cebccf115538db5c0efe625ccac9696ad45c409d96566e910f", + name = "vendor_ts__clap-4.5.41", + sha256 = "be92d32e80243a54711e5d7ce823c35c41c9d929dc4ab58e1276f625841aadf9", type = "tar.gz", - urls = ["https://static.crates.io/crates/clap/4.5.40/download"], - strip_prefix = "clap-4.5.40", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.clap-4.5.40.bazel"), + urls = ["https://static.crates.io/crates/clap/4.5.41/download"], + strip_prefix = "clap-4.5.41", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.clap-4.5.41.bazel"), ) maybe( http_archive, - name = "vendor_ts__clap_builder-4.5.40", - sha256 = "e0c66c08ce9f0c698cbce5c0279d0bb6ac936d8674174fe48f736533b964f59e", + name = "vendor_ts__clap_builder-4.5.41", + sha256 = "707eab41e9622f9139419d573eca0900137718000c517d47da73045f54331c3d", type = "tar.gz", - urls = ["https://static.crates.io/crates/clap_builder/4.5.40/download"], - strip_prefix = "clap_builder-4.5.40", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.clap_builder-4.5.40.bazel"), + urls = ["https://static.crates.io/crates/clap_builder/4.5.41/download"], + strip_prefix = "clap_builder-4.5.41", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.clap_builder-4.5.41.bazel"), ) maybe( http_archive, - name = "vendor_ts__clap_derive-4.5.40", - sha256 = "d2c7947ae4cc3d851207c1adb5b5e260ff0cca11446b1d6d1423788e442257ce", + name = "vendor_ts__clap_derive-4.5.41", + sha256 = "ef4f52386a59ca4c860f7393bcf8abd8dfd91ecccc0f774635ff68e92eeef491", type = "tar.gz", - urls = ["https://static.crates.io/crates/clap_derive/4.5.40/download"], - strip_prefix = "clap_derive-4.5.40", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.clap_derive-4.5.40.bazel"), + urls = ["https://static.crates.io/crates/clap_derive/4.5.41/download"], + strip_prefix = "clap_derive-4.5.41", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.clap_derive-4.5.41.bazel"), ) maybe( http_archive, - name = "vendor_ts__clap_lex-0.7.4", - sha256 = "f46ad14479a25103f283c0f10005961cf086d8dc42205bb44c46ac563475dca6", + name = "vendor_ts__clap_lex-0.7.5", + sha256 = "b94f61472cee1439c0b966b47e3aca9ae07e45d070759512cd390ea2bebc6675", type = "tar.gz", - urls = ["https://static.crates.io/crates/clap_lex/0.7.4/download"], - strip_prefix = "clap_lex-0.7.4", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.clap_lex-0.7.4.bazel"), + urls = ["https://static.crates.io/crates/clap_lex/0.7.5/download"], + strip_prefix = "clap_lex-0.7.5", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.clap_lex-0.7.5.bazel"), ) maybe( http_archive, - name = "vendor_ts__colorchoice-1.0.3", - sha256 = "5b63caa9aa9397e2d9480a9b13673856c78d8ac123288526c37d7839f2a86990", + name = "vendor_ts__colorchoice-1.0.4", + sha256 = "b05b61dc5112cbb17e4b6cd61790d9845d13888356391624cbe7e41efeac1e75", type = "tar.gz", - urls = ["https://static.crates.io/crates/colorchoice/1.0.3/download"], - strip_prefix = "colorchoice-1.0.3", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.colorchoice-1.0.3.bazel"), + urls = ["https://static.crates.io/crates/colorchoice/1.0.4/download"], + strip_prefix = "colorchoice-1.0.4", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.colorchoice-1.0.4.bazel"), ) maybe( @@ -1161,32 +1161,32 @@ def crate_repositories(): maybe( http_archive, - name = "vendor_ts__darling-0.20.10", - sha256 = "6f63b86c8a8826a49b8c21f08a2d07338eec8d900540f8630dc76284be802989", + name = "vendor_ts__darling-0.20.11", + sha256 = "fc7f46116c46ff9ab3eb1597a45688b6715c6e628b5c133e288e709a29bcb4ee", type = "tar.gz", - urls = ["https://static.crates.io/crates/darling/0.20.10/download"], - strip_prefix = "darling-0.20.10", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.darling-0.20.10.bazel"), + urls = ["https://static.crates.io/crates/darling/0.20.11/download"], + strip_prefix = "darling-0.20.11", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.darling-0.20.11.bazel"), ) maybe( http_archive, - name = "vendor_ts__darling_core-0.20.10", - sha256 = "95133861a8032aaea082871032f5815eb9e98cef03fa916ab4500513994df9e5", + name = "vendor_ts__darling_core-0.20.11", + sha256 = "0d00b9596d185e565c2207a0b01f8bd1a135483d02d9b7b0a54b11da8d53412e", type = "tar.gz", - urls = ["https://static.crates.io/crates/darling_core/0.20.10/download"], - strip_prefix = "darling_core-0.20.10", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.darling_core-0.20.10.bazel"), + urls = ["https://static.crates.io/crates/darling_core/0.20.11/download"], + strip_prefix = "darling_core-0.20.11", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.darling_core-0.20.11.bazel"), ) maybe( http_archive, - name = "vendor_ts__darling_macro-0.20.10", - sha256 = "d336a2a514f6ccccaa3e09b02d41d35330c07ddf03a62165fcec10bb561c7806", + name = "vendor_ts__darling_macro-0.20.11", + sha256 = "fc34b93ccb385b40dc71c6fceac4b2ad23662c7eeb248cf10d529b7e055b6ead", type = "tar.gz", - urls = ["https://static.crates.io/crates/darling_macro/0.20.10/download"], - strip_prefix = "darling_macro-0.20.10", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.darling_macro-0.20.10.bazel"), + urls = ["https://static.crates.io/crates/darling_macro/0.20.11/download"], + strip_prefix = "darling_macro-0.20.11", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.darling_macro-0.20.11.bazel"), ) maybe( @@ -1201,12 +1201,12 @@ def crate_repositories(): maybe( http_archive, - name = "vendor_ts__deranged-0.3.11", - sha256 = "b42b6fa04a440b495c8b04d0e71b707c585f83cb9cb28cf8cd0d976c315e31b4", + name = "vendor_ts__deranged-0.4.0", + sha256 = "9c9e6a11ca8224451684bc0d7d5a7adbf8f2fd6887261a1cfc3c0432f9d4068e", type = "tar.gz", - urls = ["https://static.crates.io/crates/deranged/0.3.11/download"], - strip_prefix = "deranged-0.3.11", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.deranged-0.3.11.bazel"), + urls = ["https://static.crates.io/crates/deranged/0.4.0/download"], + strip_prefix = "deranged-0.4.0", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.deranged-0.4.0.bazel"), ) maybe( @@ -1511,12 +1511,12 @@ def crate_repositories(): maybe( http_archive, - name = "vendor_ts__hashbrown-0.15.2", - sha256 = "bf151400ff0baff5465007dd2f3e717f3fe502074ca563069ce3a6629d07b289", + name = "vendor_ts__hashbrown-0.15.4", + sha256 = "5971ac85611da7067dbfcabef3c70ebb5606018acd9e2a3903a0da507521e0d5", type = "tar.gz", - urls = ["https://static.crates.io/crates/hashbrown/0.15.2/download"], - strip_prefix = "hashbrown-0.15.2", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.hashbrown-0.15.2.bazel"), + urls = ["https://static.crates.io/crates/hashbrown/0.15.4/download"], + strip_prefix = "hashbrown-0.15.4", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.hashbrown-0.15.4.bazel"), ) maybe( @@ -1571,12 +1571,12 @@ def crate_repositories(): maybe( http_archive, - name = "vendor_ts__iana-time-zone-0.1.61", - sha256 = "235e081f3925a06703c2d0117ea8b91f042756fd6e7a6e5d901e8ca1a996b220", + name = "vendor_ts__iana-time-zone-0.1.63", + sha256 = "b0c919e5debc312ad217002b8048a17b7d83f80703865bbfcfebb0458b0b27d8", type = "tar.gz", - urls = ["https://static.crates.io/crates/iana-time-zone/0.1.61/download"], - strip_prefix = "iana-time-zone-0.1.61", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.iana-time-zone-0.1.61.bazel"), + urls = ["https://static.crates.io/crates/iana-time-zone/0.1.63/download"], + strip_prefix = "iana-time-zone-0.1.63", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.iana-time-zone-0.1.63.bazel"), ) maybe( @@ -1701,12 +1701,12 @@ def crate_repositories(): maybe( http_archive, - name = "vendor_ts__indexmap-2.9.0", - sha256 = "cea70ddb795996207ad57735b50c5982d8844f38ba9ee5f1aedcfb708a2aa11e", + name = "vendor_ts__indexmap-2.10.0", + sha256 = "fe4cd85333e22411419a0bcae1297d25e58c9443848b11dc6a86fefe8c78a661", type = "tar.gz", - urls = ["https://static.crates.io/crates/indexmap/2.9.0/download"], - strip_prefix = "indexmap-2.9.0", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.indexmap-2.9.0.bazel"), + urls = ["https://static.crates.io/crates/indexmap/2.10.0/download"], + strip_prefix = "indexmap-2.10.0", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.indexmap-2.10.0.bazel"), ) maybe( @@ -1739,6 +1739,16 @@ def crate_repositories(): build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.inotify-sys-0.1.5.bazel"), ) + maybe( + http_archive, + name = "vendor_ts__intrusive-collections-0.9.7", + sha256 = "189d0897e4cbe8c75efedf3502c18c887b05046e59d28404d4d8e46cbc4d1e86", + type = "tar.gz", + urls = ["https://static.crates.io/crates/intrusive-collections/0.9.7/download"], + strip_prefix = "intrusive-collections-0.9.7", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.intrusive-collections-0.9.7.bazel"), + ) + maybe( http_archive, name = "vendor_ts__is_terminal_polyfill-1.70.1", @@ -1801,22 +1811,22 @@ def crate_repositories(): maybe( http_archive, - name = "vendor_ts__js-sys-0.3.76", - sha256 = "6717b6b5b077764fb5966237269cb3c64edddde4b14ce42647430a78ced9e7b7", + name = "vendor_ts__js-sys-0.3.77", + sha256 = "1cfaf33c695fc6e08064efbc1f72ec937429614f25eef83af942d0e227c3a28f", type = "tar.gz", - urls = ["https://static.crates.io/crates/js-sys/0.3.76/download"], - strip_prefix = "js-sys-0.3.76", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.js-sys-0.3.76.bazel"), + urls = ["https://static.crates.io/crates/js-sys/0.3.77/download"], + strip_prefix = "js-sys-0.3.77", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.js-sys-0.3.77.bazel"), ) maybe( http_archive, - name = "vendor_ts__kqueue-1.0.8", - sha256 = "7447f1ca1b7b563588a205fe93dea8df60fd981423a768bc1c0ded35ed147d0c", + name = "vendor_ts__kqueue-1.1.1", + sha256 = "eac30106d7dce88daf4a3fcb4879ea939476d5074a9b7ddd0fb97fa4bed5596a", type = "tar.gz", - urls = ["https://static.crates.io/crates/kqueue/1.0.8/download"], - strip_prefix = "kqueue-1.0.8", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.kqueue-1.0.8.bazel"), + urls = ["https://static.crates.io/crates/kqueue/1.1.1/download"], + strip_prefix = "kqueue-1.1.1", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.kqueue-1.1.1.bazel"), ) maybe( @@ -1861,12 +1871,12 @@ def crate_repositories(): maybe( http_archive, - name = "vendor_ts__libredox-0.1.3", - sha256 = "c0ff37bd590ca25063e35af745c343cb7a0271906fb7b37e4813e8f79f00268d", + name = "vendor_ts__libredox-0.1.4", + sha256 = "1580801010e535496706ba011c15f8532df6b42297d2e471fec38ceadd8c0638", type = "tar.gz", - urls = ["https://static.crates.io/crates/libredox/0.1.3/download"], - strip_prefix = "libredox-0.1.3", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.libredox-0.1.3.bazel"), + urls = ["https://static.crates.io/crates/libredox/0.1.4/download"], + strip_prefix = "libredox-0.1.4", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.libredox-0.1.4.bazel"), ) maybe( @@ -1891,12 +1901,12 @@ def crate_repositories(): maybe( http_archive, - name = "vendor_ts__lock_api-0.4.12", - sha256 = "07af8b9cdd281b7915f413fa73f29ebd5d55d0d3f0155584dade1ff18cea1b17", + name = "vendor_ts__lock_api-0.4.13", + sha256 = "96936507f153605bddfcda068dd804796c84324ed2510809e5b2a624c81da765", type = "tar.gz", - urls = ["https://static.crates.io/crates/lock_api/0.4.12/download"], - strip_prefix = "lock_api-0.4.12", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.lock_api-0.4.12.bazel"), + urls = ["https://static.crates.io/crates/lock_api/0.4.13/download"], + strip_prefix = "lock_api-0.4.13", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.lock_api-0.4.13.bazel"), ) maybe( @@ -1961,12 +1971,12 @@ def crate_repositories(): maybe( http_archive, - name = "vendor_ts__mio-1.0.3", - sha256 = "2886843bf800fba2e3377cff24abf6379b4c4d5c6681eaf9ea5b0d15090450bd", + name = "vendor_ts__mio-1.0.4", + sha256 = "78bed444cc8a2160f01cbcf811ef18cac863ad68ae8ca62092e8db51d51c761c", type = "tar.gz", - urls = ["https://static.crates.io/crates/mio/1.0.3/download"], - strip_prefix = "mio-1.0.3", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.mio-1.0.3.bazel"), + urls = ["https://static.crates.io/crates/mio/1.0.4/download"], + strip_prefix = "mio-1.0.4", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.mio-1.0.4.bazel"), ) maybe( @@ -2061,12 +2071,22 @@ def crate_repositories(): maybe( http_archive, - name = "vendor_ts__once_cell-1.20.3", - sha256 = "945462a4b81e43c4e3ba96bd7b49d834c6f61198356aa858733bc4acf3cbe62e", + name = "vendor_ts__once_cell-1.21.3", + sha256 = "42f5e15c9953c5e4ccceeb2e7382a716482c34515315f7b03532b8b4e8393d2d", type = "tar.gz", - urls = ["https://static.crates.io/crates/once_cell/1.20.3/download"], - strip_prefix = "once_cell-1.20.3", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.once_cell-1.20.3.bazel"), + urls = ["https://static.crates.io/crates/once_cell/1.21.3/download"], + strip_prefix = "once_cell-1.21.3", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.once_cell-1.21.3.bazel"), + ) + + maybe( + http_archive, + name = "vendor_ts__once_cell_polyfill-1.70.1", + sha256 = "a4895175b425cb1f87721b59f0f286c2092bd4af812243672510e1ac53e2e0ad", + type = "tar.gz", + urls = ["https://static.crates.io/crates/once_cell_polyfill/1.70.1/download"], + strip_prefix = "once_cell_polyfill-1.70.1", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.once_cell_polyfill-1.70.1.bazel"), ) maybe( @@ -2111,22 +2131,32 @@ def crate_repositories(): maybe( http_archive, - name = "vendor_ts__parking_lot-0.12.3", - sha256 = "f1bf18183cf54e8d6059647fc3063646a1801cf30896933ec2311622cc4b9a27", + name = "vendor_ts__papaya-0.2.3", + sha256 = "f92dd0b07c53a0a0c764db2ace8c541dc47320dad97c2200c2a637ab9dd2328f", type = "tar.gz", - urls = ["https://static.crates.io/crates/parking_lot/0.12.3/download"], - strip_prefix = "parking_lot-0.12.3", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.parking_lot-0.12.3.bazel"), + urls = ["https://static.crates.io/crates/papaya/0.2.3/download"], + strip_prefix = "papaya-0.2.3", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.papaya-0.2.3.bazel"), ) maybe( http_archive, - name = "vendor_ts__parking_lot_core-0.9.10", - sha256 = "1e401f977ab385c9e4e3ab30627d6f26d00e2c73eef317493c4ec6d468726cf8", + name = "vendor_ts__parking_lot-0.12.4", + sha256 = "70d58bf43669b5795d1576d0641cfb6fbb2057bf629506267a92807158584a13", type = "tar.gz", - urls = ["https://static.crates.io/crates/parking_lot_core/0.9.10/download"], - strip_prefix = "parking_lot_core-0.9.10", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.parking_lot_core-0.9.10.bazel"), + urls = ["https://static.crates.io/crates/parking_lot/0.12.4/download"], + strip_prefix = "parking_lot-0.12.4", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.parking_lot-0.12.4.bazel"), + ) + + maybe( + http_archive, + name = "vendor_ts__parking_lot_core-0.9.11", + sha256 = "bc838d2a56b5b1a6c25f55575dfc605fabb63bb2365f6c2353ef9159aa69e4a5", + type = "tar.gz", + urls = ["https://static.crates.io/crates/parking_lot_core/0.9.11/download"], + strip_prefix = "parking_lot_core-0.9.11", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.parking_lot_core-0.9.11.bazel"), ) maybe( @@ -2211,12 +2241,12 @@ def crate_repositories(): maybe( http_archive, - name = "vendor_ts__portable-atomic-1.11.0", - sha256 = "350e9b48cbc6b0e028b0473b114454c6316e57336ee184ceab6e53f72c178b3e", + name = "vendor_ts__portable-atomic-1.11.1", + sha256 = "f84267b20a16ea918e43c6a88433c2d54fa145c92a811b5b047ccbe153674483", type = "tar.gz", - urls = ["https://static.crates.io/crates/portable-atomic/1.11.0/download"], - strip_prefix = "portable-atomic-1.11.0", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.portable-atomic-1.11.0.bazel"), + urls = ["https://static.crates.io/crates/portable-atomic/1.11.1/download"], + strip_prefix = "portable-atomic-1.11.1", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.portable-atomic-1.11.1.bazel"), ) maybe( @@ -2351,252 +2381,252 @@ def crate_repositories(): maybe( http_archive, - name = "vendor_ts__ra_ap_base_db-0.0.288", - sha256 = "edf27fccb119fe85faf51f51847df9695d3cca30c2427fed9b4d71e6adebb54f", + name = "vendor_ts__ra_ap_base_db-0.0.294", + sha256 = "3daac3b2c8e4e3d02d47f177c75360c85f16f4f9e6d60ee358a47532ccb35647", type = "tar.gz", - urls = ["https://static.crates.io/crates/ra_ap_base_db/0.0.288/download"], - strip_prefix = "ra_ap_base_db-0.0.288", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_base_db-0.0.288.bazel"), + urls = ["https://static.crates.io/crates/ra_ap_base_db/0.0.294/download"], + strip_prefix = "ra_ap_base_db-0.0.294", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_base_db-0.0.294.bazel"), ) maybe( http_archive, - name = "vendor_ts__ra_ap_cfg-0.0.288", - sha256 = "3cea86a5d6e84fd73824c26f52442807af911db038db821124b2ac65fac24209", + name = "vendor_ts__ra_ap_cfg-0.0.294", + sha256 = "bfcada4b644f965cf8972f31c28a343737c9c500c87d59d026a77bf5ce8ad76b", type = "tar.gz", - urls = ["https://static.crates.io/crates/ra_ap_cfg/0.0.288/download"], - strip_prefix = "ra_ap_cfg-0.0.288", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_cfg-0.0.288.bazel"), + urls = ["https://static.crates.io/crates/ra_ap_cfg/0.0.294/download"], + strip_prefix = "ra_ap_cfg-0.0.294", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_cfg-0.0.294.bazel"), ) maybe( http_archive, - name = "vendor_ts__ra_ap_edition-0.0.288", - sha256 = "fb5538d534eeb8526071610664dc64b71ca336b78f6933ff7241d10c1f37e91b", + name = "vendor_ts__ra_ap_edition-0.0.294", + sha256 = "732efa3d4cd5edc1578be0a33fa0f8052a348e52e6b95e7e161199f7166445b7", type = "tar.gz", - urls = ["https://static.crates.io/crates/ra_ap_edition/0.0.288/download"], - strip_prefix = "ra_ap_edition-0.0.288", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_edition-0.0.288.bazel"), + urls = ["https://static.crates.io/crates/ra_ap_edition/0.0.294/download"], + strip_prefix = "ra_ap_edition-0.0.294", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_edition-0.0.294.bazel"), ) maybe( http_archive, - name = "vendor_ts__ra_ap_hir-0.0.288", - sha256 = "44796828650900565917ddcc944fecdf6c7d5c3a8a31141f17268ea8c1d2e6f0", + name = "vendor_ts__ra_ap_hir-0.0.294", + sha256 = "6de0998ba9f6d4f2b70e6be16c7beeda661bdf25cdae932ed10c45b8b6cc6d8f", type = "tar.gz", - urls = ["https://static.crates.io/crates/ra_ap_hir/0.0.288/download"], - strip_prefix = "ra_ap_hir-0.0.288", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_hir-0.0.288.bazel"), + urls = ["https://static.crates.io/crates/ra_ap_hir/0.0.294/download"], + strip_prefix = "ra_ap_hir-0.0.294", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_hir-0.0.294.bazel"), ) maybe( http_archive, - name = "vendor_ts__ra_ap_hir_def-0.0.288", - sha256 = "8949b2fb362a1e4eab4d90c7299f0fad3f2c887d9f7d9c286ac6530da4141f85", + name = "vendor_ts__ra_ap_hir_def-0.0.294", + sha256 = "af1a22912226cfbc1909c09f30896cbbfd9acb5c051db9d55e1c557b5d7aa6f4", type = "tar.gz", - urls = ["https://static.crates.io/crates/ra_ap_hir_def/0.0.288/download"], - strip_prefix = "ra_ap_hir_def-0.0.288", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_hir_def-0.0.288.bazel"), + urls = ["https://static.crates.io/crates/ra_ap_hir_def/0.0.294/download"], + strip_prefix = "ra_ap_hir_def-0.0.294", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_hir_def-0.0.294.bazel"), ) maybe( http_archive, - name = "vendor_ts__ra_ap_hir_expand-0.0.288", - sha256 = "22457a431b5eeb67517e03266fddefe48839b060a674a6b18bd84269012ede1e", + name = "vendor_ts__ra_ap_hir_expand-0.0.294", + sha256 = "7ef269bd496048dd39288122ee05805c672df3a26cc9c05ce7bdde42f0656324", type = "tar.gz", - urls = ["https://static.crates.io/crates/ra_ap_hir_expand/0.0.288/download"], - strip_prefix = "ra_ap_hir_expand-0.0.288", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_hir_expand-0.0.288.bazel"), + urls = ["https://static.crates.io/crates/ra_ap_hir_expand/0.0.294/download"], + strip_prefix = "ra_ap_hir_expand-0.0.294", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_hir_expand-0.0.294.bazel"), ) maybe( http_archive, - name = "vendor_ts__ra_ap_hir_ty-0.0.288", - sha256 = "3a4b7a7531414203e11ae447627e2909250eff392c06278ab53ae2a022ecc9fc", + name = "vendor_ts__ra_ap_hir_ty-0.0.294", + sha256 = "1d26605356ec9541148ce2dcf00e45b9bbe90424c9e04baeca3fb6c463ce2487", type = "tar.gz", - urls = ["https://static.crates.io/crates/ra_ap_hir_ty/0.0.288/download"], - strip_prefix = "ra_ap_hir_ty-0.0.288", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_hir_ty-0.0.288.bazel"), + urls = ["https://static.crates.io/crates/ra_ap_hir_ty/0.0.294/download"], + strip_prefix = "ra_ap_hir_ty-0.0.294", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_hir_ty-0.0.294.bazel"), ) maybe( http_archive, - name = "vendor_ts__ra_ap_ide_db-0.0.288", - sha256 = "77741ceb096d4f5ecf5384210ea5a2b46878125047c6b0df2bdcfac08a20ea0c", + name = "vendor_ts__ra_ap_ide_db-0.0.294", + sha256 = "087858853882a6dc56a2bd1da01ab0fc15d9e0ba2afd613d22df69097acc47a9", type = "tar.gz", - urls = ["https://static.crates.io/crates/ra_ap_ide_db/0.0.288/download"], - strip_prefix = "ra_ap_ide_db-0.0.288", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_ide_db-0.0.288.bazel"), + urls = ["https://static.crates.io/crates/ra_ap_ide_db/0.0.294/download"], + strip_prefix = "ra_ap_ide_db-0.0.294", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_ide_db-0.0.294.bazel"), ) maybe( http_archive, - name = "vendor_ts__ra_ap_intern-0.0.288", - sha256 = "4a1872cd5a425db6d5247a7deca11526e3104757f6732447ac6ee93c3e795725", + name = "vendor_ts__ra_ap_intern-0.0.294", + sha256 = "5ec1af1e540f93cc4c9642454c1ad7aa155d54d1533804da771ff05f19bb57fa", type = "tar.gz", - urls = ["https://static.crates.io/crates/ra_ap_intern/0.0.288/download"], - strip_prefix = "ra_ap_intern-0.0.288", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_intern-0.0.288.bazel"), + urls = ["https://static.crates.io/crates/ra_ap_intern/0.0.294/download"], + strip_prefix = "ra_ap_intern-0.0.294", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_intern-0.0.294.bazel"), ) maybe( http_archive, - name = "vendor_ts__ra_ap_load-cargo-0.0.288", - sha256 = "f30f5433f056594b02f1879c5c2ce76ea9fd395f21e2a55df6ce3229db993caa", + name = "vendor_ts__ra_ap_load-cargo-0.0.294", + sha256 = "a3343d16dc4b0f3337d4654f9d0c41363be4197aaf6f62a02b711440fdb3eaae", type = "tar.gz", - urls = ["https://static.crates.io/crates/ra_ap_load-cargo/0.0.288/download"], - strip_prefix = "ra_ap_load-cargo-0.0.288", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_load-cargo-0.0.288.bazel"), + urls = ["https://static.crates.io/crates/ra_ap_load-cargo/0.0.294/download"], + strip_prefix = "ra_ap_load-cargo-0.0.294", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_load-cargo-0.0.294.bazel"), ) maybe( http_archive, - name = "vendor_ts__ra_ap_mbe-0.0.288", - sha256 = "222a993acaec35e90c08357aecd530b7170cc3a7f13b3ddfd15a200029ccd555", + name = "vendor_ts__ra_ap_mbe-0.0.294", + sha256 = "c2253eeeef2ee51d8a7b43f86fe43883654b8a3bb56c9cb801de1bf457ca24d6", type = "tar.gz", - urls = ["https://static.crates.io/crates/ra_ap_mbe/0.0.288/download"], - strip_prefix = "ra_ap_mbe-0.0.288", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_mbe-0.0.288.bazel"), + urls = ["https://static.crates.io/crates/ra_ap_mbe/0.0.294/download"], + strip_prefix = "ra_ap_mbe-0.0.294", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_mbe-0.0.294.bazel"), ) maybe( http_archive, - name = "vendor_ts__ra_ap_parser-0.0.288", - sha256 = "1c5693f5efd27832e1ac572ea756a1a4a3f7eba07f1287268ca111710971c2e5", + name = "vendor_ts__ra_ap_parser-0.0.294", + sha256 = "df3bf4cde715c2343c24a39283534e7bd5498e29b6b938615ba0e02ba4e262b4", type = "tar.gz", - urls = ["https://static.crates.io/crates/ra_ap_parser/0.0.288/download"], - strip_prefix = "ra_ap_parser-0.0.288", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_parser-0.0.288.bazel"), + urls = ["https://static.crates.io/crates/ra_ap_parser/0.0.294/download"], + strip_prefix = "ra_ap_parser-0.0.294", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_parser-0.0.294.bazel"), ) maybe( http_archive, - name = "vendor_ts__ra_ap_paths-0.0.288", - sha256 = "39418eff64e59d4bf90dd825ac7d242576e9554669824ebc55a6628bde0aaf10", + name = "vendor_ts__ra_ap_paths-0.0.294", + sha256 = "c610195e29090ebc387061aa8d55c5d741004df2e15e11c62e34cf3037e61fe8", type = "tar.gz", - urls = ["https://static.crates.io/crates/ra_ap_paths/0.0.288/download"], - strip_prefix = "ra_ap_paths-0.0.288", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_paths-0.0.288.bazel"), + urls = ["https://static.crates.io/crates/ra_ap_paths/0.0.294/download"], + strip_prefix = "ra_ap_paths-0.0.294", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_paths-0.0.294.bazel"), ) maybe( http_archive, - name = "vendor_ts__ra_ap_proc_macro_api-0.0.288", - sha256 = "14a315af8c4a9379c26abe7baa143d62e3975ff26f27c65332f9a5edccc56d38", + name = "vendor_ts__ra_ap_proc_macro_api-0.0.294", + sha256 = "537a1866f6e63a1405bac2aa9e32ae47ea2e38b0879d1e7ab00e53b03d787512", type = "tar.gz", - urls = ["https://static.crates.io/crates/ra_ap_proc_macro_api/0.0.288/download"], - strip_prefix = "ra_ap_proc_macro_api-0.0.288", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_proc_macro_api-0.0.288.bazel"), + urls = ["https://static.crates.io/crates/ra_ap_proc_macro_api/0.0.294/download"], + strip_prefix = "ra_ap_proc_macro_api-0.0.294", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_proc_macro_api-0.0.294.bazel"), ) maybe( http_archive, - name = "vendor_ts__ra_ap_profile-0.0.288", - sha256 = "08274a0adbf8255f8b2672302452e31bbb2ed4d38324da9c72a7bf9cf1428483", + name = "vendor_ts__ra_ap_profile-0.0.294", + sha256 = "4824370708bd413f38e697831d37878c44366ff18aa7dd95ab0af5e3a484c558", type = "tar.gz", - urls = ["https://static.crates.io/crates/ra_ap_profile/0.0.288/download"], - strip_prefix = "ra_ap_profile-0.0.288", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_profile-0.0.288.bazel"), + urls = ["https://static.crates.io/crates/ra_ap_profile/0.0.294/download"], + strip_prefix = "ra_ap_profile-0.0.294", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_profile-0.0.294.bazel"), ) maybe( http_archive, - name = "vendor_ts__ra_ap_project_model-0.0.288", - sha256 = "33deecb3724faf91f13b0f1b5115af7c4f5c9dc1dfbbf45f55261aa28f874838", + name = "vendor_ts__ra_ap_project_model-0.0.294", + sha256 = "d97b1f2d3d8b6cd838264624192c0dbded200d7b7944a4731ab20bb18fab79b9", type = "tar.gz", - urls = ["https://static.crates.io/crates/ra_ap_project_model/0.0.288/download"], - strip_prefix = "ra_ap_project_model-0.0.288", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_project_model-0.0.288.bazel"), + urls = ["https://static.crates.io/crates/ra_ap_project_model/0.0.294/download"], + strip_prefix = "ra_ap_project_model-0.0.294", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_project_model-0.0.294.bazel"), ) maybe( http_archive, - name = "vendor_ts__ra_ap_query-group-macro-0.0.288", - sha256 = "5fdefdc9c8d6fd7d85ac572649378e83266262e09400bfdb7c8a7407d3cc2a3e", + name = "vendor_ts__ra_ap_query-group-macro-0.0.294", + sha256 = "9d9c2a0a9519e59eeb2cc42991477e4cf4214c2e9e1ac29453d6bd6ccd05ed58", type = "tar.gz", - urls = ["https://static.crates.io/crates/ra_ap_query-group-macro/0.0.288/download"], - strip_prefix = "ra_ap_query-group-macro-0.0.288", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_query-group-macro-0.0.288.bazel"), + urls = ["https://static.crates.io/crates/ra_ap_query-group-macro/0.0.294/download"], + strip_prefix = "ra_ap_query-group-macro-0.0.294", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_query-group-macro-0.0.294.bazel"), ) maybe( http_archive, - name = "vendor_ts__ra_ap_span-0.0.288", - sha256 = "c20071c89e1f7dd63c803130634f4bb6ce7783dc0e7ff90839d1d0f4e625b7a8", + name = "vendor_ts__ra_ap_span-0.0.294", + sha256 = "a2a224089b92abb04b36fa9dbd3e348a41997917e155eb9598d686766b15b4e9", type = "tar.gz", - urls = ["https://static.crates.io/crates/ra_ap_span/0.0.288/download"], - strip_prefix = "ra_ap_span-0.0.288", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_span-0.0.288.bazel"), + urls = ["https://static.crates.io/crates/ra_ap_span/0.0.294/download"], + strip_prefix = "ra_ap_span-0.0.294", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_span-0.0.294.bazel"), ) maybe( http_archive, - name = "vendor_ts__ra_ap_stdx-0.0.288", - sha256 = "552df390b26624eca7936aea1dbbb3786d7a12477e26ef917ffabba19f75ad44", + name = "vendor_ts__ra_ap_stdx-0.0.294", + sha256 = "b565a5d6e364b3c6f955a5b20e1633e5db15df9f804fba26615150524eeccb2c", type = "tar.gz", - urls = ["https://static.crates.io/crates/ra_ap_stdx/0.0.288/download"], - strip_prefix = "ra_ap_stdx-0.0.288", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_stdx-0.0.288.bazel"), + urls = ["https://static.crates.io/crates/ra_ap_stdx/0.0.294/download"], + strip_prefix = "ra_ap_stdx-0.0.294", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_stdx-0.0.294.bazel"), ) maybe( http_archive, - name = "vendor_ts__ra_ap_syntax-0.0.288", - sha256 = "a78db1a9966c0fa05446b8185da35a325680741119366c6246e4a9800f29143a", + name = "vendor_ts__ra_ap_syntax-0.0.294", + sha256 = "092f544af4e1c974924417ec5d1864544d99329d26ecc72cded2c99a86e6f710", type = "tar.gz", - urls = ["https://static.crates.io/crates/ra_ap_syntax/0.0.288/download"], - strip_prefix = "ra_ap_syntax-0.0.288", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_syntax-0.0.288.bazel"), + urls = ["https://static.crates.io/crates/ra_ap_syntax/0.0.294/download"], + strip_prefix = "ra_ap_syntax-0.0.294", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_syntax-0.0.294.bazel"), ) maybe( http_archive, - name = "vendor_ts__ra_ap_syntax-bridge-0.0.288", - sha256 = "e69ef7fad8598d5c9f14a375d56ec12200fa927bc805b600af419611f4642fdb", + name = "vendor_ts__ra_ap_syntax-bridge-0.0.294", + sha256 = "3dcebacacf0a3fa1eac8f8ae57260602652fe4b2dbc3a1931cd854855fc744b2", type = "tar.gz", - urls = ["https://static.crates.io/crates/ra_ap_syntax-bridge/0.0.288/download"], - strip_prefix = "ra_ap_syntax-bridge-0.0.288", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_syntax-bridge-0.0.288.bazel"), + urls = ["https://static.crates.io/crates/ra_ap_syntax-bridge/0.0.294/download"], + strip_prefix = "ra_ap_syntax-bridge-0.0.294", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_syntax-bridge-0.0.294.bazel"), ) maybe( http_archive, - name = "vendor_ts__ra_ap_toolchain-0.0.288", - sha256 = "628f3f190def67b1116d8bdd6ec4f6f206fada2c93b84ba71086d60c63429282", + name = "vendor_ts__ra_ap_toolchain-0.0.294", + sha256 = "08f64f934312af8dde360d0327322452f14e772e6ddc5449629a3bd840127cdd", type = "tar.gz", - urls = ["https://static.crates.io/crates/ra_ap_toolchain/0.0.288/download"], - strip_prefix = "ra_ap_toolchain-0.0.288", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_toolchain-0.0.288.bazel"), + urls = ["https://static.crates.io/crates/ra_ap_toolchain/0.0.294/download"], + strip_prefix = "ra_ap_toolchain-0.0.294", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_toolchain-0.0.294.bazel"), ) maybe( http_archive, - name = "vendor_ts__ra_ap_tt-0.0.288", - sha256 = "e050f4ad13df59e90e38332860304a3e85ff2fa8d4585b8cc44fc982923c82b1", + name = "vendor_ts__ra_ap_tt-0.0.294", + sha256 = "48c511a2238fb0b8a1437ad99d8361f48d60ca5267faf457748d47657bddbf55", type = "tar.gz", - urls = ["https://static.crates.io/crates/ra_ap_tt/0.0.288/download"], - strip_prefix = "ra_ap_tt-0.0.288", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_tt-0.0.288.bazel"), + urls = ["https://static.crates.io/crates/ra_ap_tt/0.0.294/download"], + strip_prefix = "ra_ap_tt-0.0.294", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_tt-0.0.294.bazel"), ) maybe( http_archive, - name = "vendor_ts__ra_ap_vfs-0.0.288", - sha256 = "62082190f0b3551e4d941bcaaac51a7c39c85b2e193bcc50d0807e1701da4083", + name = "vendor_ts__ra_ap_vfs-0.0.294", + sha256 = "7b8a98fbdf277b873c08937c0d5357f44b33c6d689b96f331653c2df1bb82d29", type = "tar.gz", - urls = ["https://static.crates.io/crates/ra_ap_vfs/0.0.288/download"], - strip_prefix = "ra_ap_vfs-0.0.288", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_vfs-0.0.288.bazel"), + urls = ["https://static.crates.io/crates/ra_ap_vfs/0.0.294/download"], + strip_prefix = "ra_ap_vfs-0.0.294", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_vfs-0.0.294.bazel"), ) maybe( http_archive, - name = "vendor_ts__ra_ap_vfs-notify-0.0.288", - sha256 = "efd7cfa1095b81bd1994ab70e5543c97a8733987eb0ddf390cf3ad58d4e2dc57", + name = "vendor_ts__ra_ap_vfs-notify-0.0.294", + sha256 = "9e1c54fc0e6b8bc6204a160019c80a26d4ca26c99729387e12d06c0bc421acdd", type = "tar.gz", - urls = ["https://static.crates.io/crates/ra_ap_vfs-notify/0.0.288/download"], - strip_prefix = "ra_ap_vfs-notify-0.0.288", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_vfs-notify-0.0.288.bazel"), + urls = ["https://static.crates.io/crates/ra_ap_vfs-notify/0.0.294/download"], + strip_prefix = "ra_ap_vfs-notify-0.0.294", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ra_ap_vfs-notify-0.0.294.bazel"), ) maybe( @@ -2651,12 +2681,12 @@ def crate_repositories(): maybe( http_archive, - name = "vendor_ts__redox_syscall-0.5.8", - sha256 = "03a862b389f93e68874fbf580b9de08dd02facb9a788ebadaf4a3fd33cf58834", + name = "vendor_ts__redox_syscall-0.5.13", + sha256 = "0d04b7d0ee6b4a0207a0a7adb104d23ecb0b47d6beae7152d0fa34b692b29fd6", type = "tar.gz", - urls = ["https://static.crates.io/crates/redox_syscall/0.5.8/download"], - strip_prefix = "redox_syscall-0.5.8", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.redox_syscall-0.5.8.bazel"), + urls = ["https://static.crates.io/crates/redox_syscall/0.5.13/download"], + strip_prefix = "redox_syscall-0.5.13", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.redox_syscall-0.5.13.bazel"), ) maybe( @@ -2771,22 +2801,22 @@ def crate_repositories(): maybe( http_archive, - name = "vendor_ts__rustc-literal-escaper-0.0.3", - sha256 = "78744cd17f5d01c75b709e49807d1363e02a940ccee2e9e72435843fdb0d076e", + name = "vendor_ts__rustc-literal-escaper-0.0.4", + sha256 = "ab03008eb631b703dd16978282ae36c73282e7922fe101a4bd072a40ecea7b8b", type = "tar.gz", - urls = ["https://static.crates.io/crates/rustc-literal-escaper/0.0.3/download"], - strip_prefix = "rustc-literal-escaper-0.0.3", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.rustc-literal-escaper-0.0.3.bazel"), + urls = ["https://static.crates.io/crates/rustc-literal-escaper/0.0.4/download"], + strip_prefix = "rustc-literal-escaper-0.0.4", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.rustc-literal-escaper-0.0.4.bazel"), ) maybe( http_archive, - name = "vendor_ts__rustc-stable-hash-0.1.1", - sha256 = "2febf9acc5ee5e99d1ad0afcdbccc02d87aa3f857a1f01f825b80eacf8edfcd1", + name = "vendor_ts__rustc-stable-hash-0.1.2", + sha256 = "781442f29170c5c93b7185ad559492601acdc71d5bb0706f5868094f45cfcd08", type = "tar.gz", - urls = ["https://static.crates.io/crates/rustc-stable-hash/0.1.1/download"], - strip_prefix = "rustc-stable-hash-0.1.1", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.rustc-stable-hash-0.1.1.bazel"), + urls = ["https://static.crates.io/crates/rustc-stable-hash/0.1.2/download"], + strip_prefix = "rustc-stable-hash-0.1.2", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.rustc-stable-hash-0.1.2.bazel"), ) maybe( @@ -2801,42 +2831,52 @@ def crate_repositories(): maybe( http_archive, - name = "vendor_ts__ryu-1.0.19", - sha256 = "6ea1a2d0a644769cc99faa24c3ad26b379b786fe7c36fd3c546254801650e6dd", + name = "vendor_ts__rustversion-1.0.21", + sha256 = "8a0d197bd2c9dc6e53b84da9556a69ba4cdfab8619eb41a8bd1cc2027a0f6b1d", type = "tar.gz", - urls = ["https://static.crates.io/crates/ryu/1.0.19/download"], - strip_prefix = "ryu-1.0.19", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ryu-1.0.19.bazel"), + urls = ["https://static.crates.io/crates/rustversion/1.0.21/download"], + strip_prefix = "rustversion-1.0.21", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.rustversion-1.0.21.bazel"), ) maybe( http_archive, - name = "vendor_ts__salsa-0.22.0", - sha256 = "c8fff508e3d6ef42a32607f7538e17171a877a12015e32036f46e99d00c95781", + name = "vendor_ts__ryu-1.0.20", + sha256 = "28d3b2b1366ec20994f1fd18c3c594f05c5dd4bc44d8bb0c1c632c8d6829481f", type = "tar.gz", - urls = ["https://static.crates.io/crates/salsa/0.22.0/download"], - strip_prefix = "salsa-0.22.0", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.salsa-0.22.0.bazel"), + urls = ["https://static.crates.io/crates/ryu/1.0.20/download"], + strip_prefix = "ryu-1.0.20", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.ryu-1.0.20.bazel"), ) maybe( http_archive, - name = "vendor_ts__salsa-macro-rules-0.22.0", - sha256 = "8ea72b3c06f2ce6350fe3a0eeb7aaaf842d1d8352b706973c19c4f02e298a87c", + name = "vendor_ts__salsa-0.23.0", + sha256 = "2e235afdb8e510f38a07138fbe5a0b64691894358a9c0cbd813b1aade110efc9", type = "tar.gz", - urls = ["https://static.crates.io/crates/salsa-macro-rules/0.22.0/download"], - strip_prefix = "salsa-macro-rules-0.22.0", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.salsa-macro-rules-0.22.0.bazel"), + urls = ["https://static.crates.io/crates/salsa/0.23.0/download"], + strip_prefix = "salsa-0.23.0", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.salsa-0.23.0.bazel"), ) maybe( http_archive, - name = "vendor_ts__salsa-macros-0.22.0", - sha256 = "0ce92025bc160b27814a207cb78d680973af17f863c7f4fc56cf3a535e22f378", + name = "vendor_ts__salsa-macro-rules-0.23.0", + sha256 = "2edb86a7e9c91f6d30c9ce054312721dbe773a162db27bbfae834d16177b30ce", type = "tar.gz", - urls = ["https://static.crates.io/crates/salsa-macros/0.22.0/download"], - strip_prefix = "salsa-macros-0.22.0", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.salsa-macros-0.22.0.bazel"), + urls = ["https://static.crates.io/crates/salsa-macro-rules/0.23.0/download"], + strip_prefix = "salsa-macro-rules-0.23.0", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.salsa-macro-rules-0.23.0.bazel"), + ) + + maybe( + http_archive, + name = "vendor_ts__salsa-macros-0.23.0", + sha256 = "d0778d6e209051bc4e75acfe83bcd7848601ec3dbe9c3dbb982829020e9128af", + type = "tar.gz", + urls = ["https://static.crates.io/crates/salsa-macros/0.23.0/download"], + strip_prefix = "salsa-macros-0.23.0", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.salsa-macros-0.23.0.bazel"), ) maybe( @@ -2859,6 +2899,16 @@ def crate_repositories(): build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.schemars-0.9.0.bazel"), ) + maybe( + http_archive, + name = "vendor_ts__schemars-1.0.4", + sha256 = "82d20c4491bc164fa2f6c5d44565947a52ad80b9505d8e36f8d54c27c739fcd0", + type = "tar.gz", + urls = ["https://static.crates.io/crates/schemars/1.0.4/download"], + strip_prefix = "schemars-1.0.4", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.schemars-1.0.4.bazel"), + ) + maybe( http_archive, name = "vendor_ts__scoped-tls-1.0.1", @@ -2879,6 +2929,16 @@ def crate_repositories(): build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.scopeguard-1.2.0.bazel"), ) + maybe( + http_archive, + name = "vendor_ts__seize-0.5.0", + sha256 = "e4b8d813387d566f627f3ea1b914c068aac94c40ae27ec43f5f33bde65abefe7", + type = "tar.gz", + urls = ["https://static.crates.io/crates/seize/0.5.0/download"], + strip_prefix = "seize-0.5.0", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.seize-0.5.0.bazel"), + ) + maybe( http_archive, name = "vendor_ts__semver-1.0.26", @@ -2951,22 +3011,32 @@ def crate_repositories(): maybe( http_archive, - name = "vendor_ts__serde_with-3.13.0", - sha256 = "bf65a400f8f66fb7b0552869ad70157166676db75ed8181f8104ea91cf9d0b42", + name = "vendor_ts__serde_spanned-1.0.0", + sha256 = "40734c41988f7306bb04f0ecf60ec0f3f1caa34290e4e8ea471dcd3346483b83", type = "tar.gz", - urls = ["https://static.crates.io/crates/serde_with/3.13.0/download"], - strip_prefix = "serde_with-3.13.0", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.serde_with-3.13.0.bazel"), + urls = ["https://static.crates.io/crates/serde_spanned/1.0.0/download"], + strip_prefix = "serde_spanned-1.0.0", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.serde_spanned-1.0.0.bazel"), ) maybe( http_archive, - name = "vendor_ts__serde_with_macros-3.13.0", - sha256 = "81679d9ed988d5e9a5e6531dc3f2c28efbd639cbd1dfb628df08edea6004da77", + name = "vendor_ts__serde_with-3.14.0", + sha256 = "f2c45cd61fefa9db6f254525d46e392b852e0e61d9a1fd36e5bd183450a556d5", type = "tar.gz", - urls = ["https://static.crates.io/crates/serde_with_macros/3.13.0/download"], - strip_prefix = "serde_with_macros-3.13.0", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.serde_with_macros-3.13.0.bazel"), + urls = ["https://static.crates.io/crates/serde_with/3.14.0/download"], + strip_prefix = "serde_with-3.14.0", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.serde_with-3.14.0.bazel"), + ) + + maybe( + http_archive, + name = "vendor_ts__serde_with_macros-3.14.0", + sha256 = "de90945e6565ce0d9a25098082ed4ee4002e047cb59892c318d66821e14bb30f", + type = "tar.gz", + urls = ["https://static.crates.io/crates/serde_with_macros/3.14.0/download"], + strip_prefix = "serde_with_macros-3.14.0", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.serde_with_macros-3.14.0.bazel"), ) maybe( @@ -3051,22 +3121,22 @@ def crate_repositories(): maybe( http_archive, - name = "vendor_ts__syn-2.0.103", - sha256 = "e4307e30089d6fd6aff212f2da3a1f9e32f3223b1f010fb09b7c95f90f3ca1e8", + name = "vendor_ts__syn-2.0.104", + sha256 = "17b6f705963418cdb9927482fa304bc562ece2fdd4f616084c50b7023b435a40", type = "tar.gz", - urls = ["https://static.crates.io/crates/syn/2.0.103/download"], - strip_prefix = "syn-2.0.103", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.syn-2.0.103.bazel"), + urls = ["https://static.crates.io/crates/syn/2.0.104/download"], + strip_prefix = "syn-2.0.104", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.syn-2.0.104.bazel"), ) maybe( http_archive, - name = "vendor_ts__synstructure-0.13.1", - sha256 = "c8af7666ab7b6390ab78131fb5b0fce11d6b7a6951602017c35fa82800708971", + name = "vendor_ts__synstructure-0.13.2", + sha256 = "728a70f3dbaf5bab7f0c4b1ac8d7ae5ea60a4b5549c8a5914361c99147a709d2", type = "tar.gz", - urls = ["https://static.crates.io/crates/synstructure/0.13.1/download"], - strip_prefix = "synstructure-0.13.1", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.synstructure-0.13.1.bazel"), + urls = ["https://static.crates.io/crates/synstructure/0.13.2/download"], + strip_prefix = "synstructure-0.13.2", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.synstructure-0.13.2.bazel"), ) maybe( @@ -3089,16 +3159,6 @@ def crate_repositories(): build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.thin-vec-0.2.14.bazel"), ) - maybe( - http_archive, - name = "vendor_ts__thiserror-1.0.69", - sha256 = "b6aaf5339b578ea85b50e080feb250a3e8ae8cfcdff9a461c9ec2904bc923f52", - type = "tar.gz", - urls = ["https://static.crates.io/crates/thiserror/1.0.69/download"], - strip_prefix = "thiserror-1.0.69", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.thiserror-1.0.69.bazel"), - ) - maybe( http_archive, name = "vendor_ts__thiserror-2.0.12", @@ -3109,16 +3169,6 @@ def crate_repositories(): build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.thiserror-2.0.12.bazel"), ) - maybe( - http_archive, - name = "vendor_ts__thiserror-impl-1.0.69", - sha256 = "4fee6c4efc90059e10f81e6d42c60a18f76588c3d74cb83a0b242a2b6c7504c1", - type = "tar.gz", - urls = ["https://static.crates.io/crates/thiserror-impl/1.0.69/download"], - strip_prefix = "thiserror-impl-1.0.69", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.thiserror-impl-1.0.69.bazel"), - ) - maybe( http_archive, name = "vendor_ts__thiserror-impl-2.0.12", @@ -3141,32 +3191,32 @@ def crate_repositories(): maybe( http_archive, - name = "vendor_ts__time-0.3.37", - sha256 = "35e7868883861bd0e56d9ac6efcaaca0d6d5d82a2a7ec8209ff492c07cf37b21", + name = "vendor_ts__time-0.3.41", + sha256 = "8a7619e19bc266e0f9c5e6686659d394bc57973859340060a69221e57dbc0c40", type = "tar.gz", - urls = ["https://static.crates.io/crates/time/0.3.37/download"], - strip_prefix = "time-0.3.37", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.time-0.3.37.bazel"), + urls = ["https://static.crates.io/crates/time/0.3.41/download"], + strip_prefix = "time-0.3.41", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.time-0.3.41.bazel"), ) maybe( http_archive, - name = "vendor_ts__time-core-0.1.2", - sha256 = "ef927ca75afb808a4d64dd374f00a2adf8d0fcff8e7b184af886c3c87ec4a3f3", + name = "vendor_ts__time-core-0.1.4", + sha256 = "c9e9a38711f559d9e3ce1cdb06dd7c5b8ea546bc90052da6d06bb76da74bb07c", type = "tar.gz", - urls = ["https://static.crates.io/crates/time-core/0.1.2/download"], - strip_prefix = "time-core-0.1.2", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.time-core-0.1.2.bazel"), + urls = ["https://static.crates.io/crates/time-core/0.1.4/download"], + strip_prefix = "time-core-0.1.4", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.time-core-0.1.4.bazel"), ) maybe( http_archive, - name = "vendor_ts__time-macros-0.2.19", - sha256 = "2834e6017e3e5e4b9834939793b282bc03b37a3336245fa820e35e233e2a85de", + name = "vendor_ts__time-macros-0.2.22", + sha256 = "3526739392ec93fd8b359c8e98514cb3e8e021beb4e5f597b00a0221f8ed8a49", type = "tar.gz", - urls = ["https://static.crates.io/crates/time-macros/0.2.19/download"], - strip_prefix = "time-macros-0.2.19", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.time-macros-0.2.19.bazel"), + urls = ["https://static.crates.io/crates/time-macros/0.2.22/download"], + strip_prefix = "time-macros-0.2.22", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.time-macros-0.2.22.bazel"), ) maybe( @@ -3189,6 +3239,16 @@ def crate_repositories(): build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.toml-0.8.23.bazel"), ) + maybe( + http_archive, + name = "vendor_ts__toml-0.9.2", + sha256 = "ed0aee96c12fa71097902e0bb061a5e1ebd766a6636bb605ba401c45c1650eac", + type = "tar.gz", + urls = ["https://static.crates.io/crates/toml/0.9.2/download"], + strip_prefix = "toml-0.9.2", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.toml-0.9.2.bazel"), + ) + maybe( http_archive, name = "vendor_ts__toml_datetime-0.6.11", @@ -3199,6 +3259,16 @@ def crate_repositories(): build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.toml_datetime-0.6.11.bazel"), ) + maybe( + http_archive, + name = "vendor_ts__toml_datetime-0.7.0", + sha256 = "bade1c3e902f58d73d3f294cd7f20391c1cb2fbcb643b73566bc773971df91e3", + type = "tar.gz", + urls = ["https://static.crates.io/crates/toml_datetime/0.7.0/download"], + strip_prefix = "toml_datetime-0.7.0", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.toml_datetime-0.7.0.bazel"), + ) + maybe( http_archive, name = "vendor_ts__toml_edit-0.22.27", @@ -3209,6 +3279,16 @@ def crate_repositories(): build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.toml_edit-0.22.27.bazel"), ) + maybe( + http_archive, + name = "vendor_ts__toml_parser-1.0.1", + sha256 = "97200572db069e74c512a14117b296ba0a80a30123fbbb5aa1f4a348f639ca30", + type = "tar.gz", + urls = ["https://static.crates.io/crates/toml_parser/1.0.1/download"], + strip_prefix = "toml_parser-1.0.1", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.toml_parser-1.0.1.bazel"), + ) + maybe( http_archive, name = "vendor_ts__toml_write-0.1.2", @@ -3219,6 +3299,16 @@ def crate_repositories(): build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.toml_write-0.1.2.bazel"), ) + maybe( + http_archive, + name = "vendor_ts__toml_writer-1.0.2", + sha256 = "fcc842091f2def52017664b53082ecbbeb5c7731092bad69d2c63050401dfd64", + type = "tar.gz", + urls = ["https://static.crates.io/crates/toml_writer/1.0.2/download"], + strip_prefix = "toml_writer-1.0.2", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.toml_writer-1.0.2.bazel"), + ) + maybe( http_archive, name = "vendor_ts__tracing-0.1.41", @@ -3231,22 +3321,22 @@ def crate_repositories(): maybe( http_archive, - name = "vendor_ts__tracing-attributes-0.1.28", - sha256 = "395ae124c09f9e6918a2310af6038fba074bcf474ac352496d5910dd59a2226d", + name = "vendor_ts__tracing-attributes-0.1.30", + sha256 = "81383ab64e72a7a8b8e13130c49e3dab29def6d0c7d76a03087b3cf71c5c6903", type = "tar.gz", - urls = ["https://static.crates.io/crates/tracing-attributes/0.1.28/download"], - strip_prefix = "tracing-attributes-0.1.28", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.tracing-attributes-0.1.28.bazel"), + urls = ["https://static.crates.io/crates/tracing-attributes/0.1.30/download"], + strip_prefix = "tracing-attributes-0.1.30", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.tracing-attributes-0.1.30.bazel"), ) maybe( http_archive, - name = "vendor_ts__tracing-core-0.1.33", - sha256 = "e672c95779cf947c5311f83787af4fa8fffd12fb27e4993211a84bdfd9610f9c", + name = "vendor_ts__tracing-core-0.1.34", + sha256 = "b9d12581f227e93f094d3af2ae690a574abb8a2b9b7a96e7cfe9647b2b617678", type = "tar.gz", - urls = ["https://static.crates.io/crates/tracing-core/0.1.33/download"], - strip_prefix = "tracing-core-0.1.33", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.tracing-core-0.1.33.bazel"), + urls = ["https://static.crates.io/crates/tracing-core/0.1.34/download"], + strip_prefix = "tracing-core-0.1.34", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.tracing-core-0.1.34.bazel"), ) maybe( @@ -3391,12 +3481,12 @@ def crate_repositories(): maybe( http_archive, - name = "vendor_ts__unicode-ident-1.0.17", - sha256 = "00e2473a93778eb0bad35909dff6a10d28e63f792f16ed15e404fca9d5eeedbe", + name = "vendor_ts__unicode-ident-1.0.18", + sha256 = "5a5f39404a5da50712a4c1eecf25e90dd62b613502b7e925fd4e4d19b5c96512", type = "tar.gz", - urls = ["https://static.crates.io/crates/unicode-ident/1.0.17/download"], - strip_prefix = "unicode-ident-1.0.17", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.unicode-ident-1.0.17.bazel"), + urls = ["https://static.crates.io/crates/unicode-ident/1.0.18/download"], + strip_prefix = "unicode-ident-1.0.18", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.unicode-ident-1.0.18.bazel"), ) maybe( @@ -3461,12 +3551,12 @@ def crate_repositories(): maybe( http_archive, - name = "vendor_ts__valuable-0.1.0", - sha256 = "830b7e5d4d90034032940e4ace0d9a9a057e7a45cd94e6c007832e39edb82f6d", + name = "vendor_ts__valuable-0.1.1", + sha256 = "ba73ea9cf16a25df0c8caa16c51acb937d5712a8429db78a3ee29d5dcacd3a65", type = "tar.gz", - urls = ["https://static.crates.io/crates/valuable/0.1.0/download"], - strip_prefix = "valuable-0.1.0", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.valuable-0.1.0.bazel"), + urls = ["https://static.crates.io/crates/valuable/0.1.1/download"], + strip_prefix = "valuable-0.1.1", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.valuable-0.1.1.bazel"), ) maybe( @@ -3491,12 +3581,12 @@ def crate_repositories(): maybe( http_archive, - name = "vendor_ts__wasi-0.11.0-wasi-snapshot-preview1", - sha256 = "9c8d87e72b64a3b4db28d11ce29237c246188f4f51057d65a7eab63b7987e423", + name = "vendor_ts__wasi-0.11.1-wasi-snapshot-preview1", + sha256 = "ccf3ec651a847eb01de73ccad15eb7d99f80485de043efb2f370cd654f4ea44b", type = "tar.gz", - urls = ["https://static.crates.io/crates/wasi/0.11.0+wasi-snapshot-preview1/download"], - strip_prefix = "wasi-0.11.0+wasi-snapshot-preview1", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.wasi-0.11.0+wasi-snapshot-preview1.bazel"), + urls = ["https://static.crates.io/crates/wasi/0.11.1+wasi-snapshot-preview1/download"], + strip_prefix = "wasi-0.11.1+wasi-snapshot-preview1", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.wasi-0.11.1+wasi-snapshot-preview1.bazel"), ) maybe( @@ -3511,52 +3601,52 @@ def crate_repositories(): maybe( http_archive, - name = "vendor_ts__wasm-bindgen-0.2.99", - sha256 = "a474f6281d1d70c17ae7aa6a613c87fce69a127e2624002df63dcb39d6cf6396", + name = "vendor_ts__wasm-bindgen-0.2.100", + sha256 = "1edc8929d7499fc4e8f0be2262a241556cfc54a0bea223790e71446f2aab1ef5", type = "tar.gz", - urls = ["https://static.crates.io/crates/wasm-bindgen/0.2.99/download"], - strip_prefix = "wasm-bindgen-0.2.99", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.wasm-bindgen-0.2.99.bazel"), + urls = ["https://static.crates.io/crates/wasm-bindgen/0.2.100/download"], + strip_prefix = "wasm-bindgen-0.2.100", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.wasm-bindgen-0.2.100.bazel"), ) maybe( http_archive, - name = "vendor_ts__wasm-bindgen-backend-0.2.99", - sha256 = "5f89bb38646b4f81674e8f5c3fb81b562be1fd936d84320f3264486418519c79", + name = "vendor_ts__wasm-bindgen-backend-0.2.100", + sha256 = "2f0a0651a5c2bc21487bde11ee802ccaf4c51935d0d3d42a6101f98161700bc6", type = "tar.gz", - urls = ["https://static.crates.io/crates/wasm-bindgen-backend/0.2.99/download"], - strip_prefix = "wasm-bindgen-backend-0.2.99", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.wasm-bindgen-backend-0.2.99.bazel"), + urls = ["https://static.crates.io/crates/wasm-bindgen-backend/0.2.100/download"], + strip_prefix = "wasm-bindgen-backend-0.2.100", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.wasm-bindgen-backend-0.2.100.bazel"), ) maybe( http_archive, - name = "vendor_ts__wasm-bindgen-macro-0.2.99", - sha256 = "2cc6181fd9a7492eef6fef1f33961e3695e4579b9872a6f7c83aee556666d4fe", + name = "vendor_ts__wasm-bindgen-macro-0.2.100", + sha256 = "7fe63fc6d09ed3792bd0897b314f53de8e16568c2b3f7982f468c0bf9bd0b407", type = "tar.gz", - urls = ["https://static.crates.io/crates/wasm-bindgen-macro/0.2.99/download"], - strip_prefix = "wasm-bindgen-macro-0.2.99", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.wasm-bindgen-macro-0.2.99.bazel"), + urls = ["https://static.crates.io/crates/wasm-bindgen-macro/0.2.100/download"], + strip_prefix = "wasm-bindgen-macro-0.2.100", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.wasm-bindgen-macro-0.2.100.bazel"), ) maybe( http_archive, - name = "vendor_ts__wasm-bindgen-macro-support-0.2.99", - sha256 = "30d7a95b763d3c45903ed6c81f156801839e5ee968bb07e534c44df0fcd330c2", + name = "vendor_ts__wasm-bindgen-macro-support-0.2.100", + sha256 = "8ae87ea40c9f689fc23f209965b6fb8a99ad69aeeb0231408be24920604395de", type = "tar.gz", - urls = ["https://static.crates.io/crates/wasm-bindgen-macro-support/0.2.99/download"], - strip_prefix = "wasm-bindgen-macro-support-0.2.99", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.wasm-bindgen-macro-support-0.2.99.bazel"), + urls = ["https://static.crates.io/crates/wasm-bindgen-macro-support/0.2.100/download"], + strip_prefix = "wasm-bindgen-macro-support-0.2.100", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.wasm-bindgen-macro-support-0.2.100.bazel"), ) maybe( http_archive, - name = "vendor_ts__wasm-bindgen-shared-0.2.99", - sha256 = "943aab3fdaaa029a6e0271b35ea10b72b943135afe9bffca82384098ad0e06a6", + name = "vendor_ts__wasm-bindgen-shared-0.2.100", + sha256 = "1a05d73b933a847d6cccdda8f838a22ff101ad9bf93e33684f39c1f5f0eece3d", type = "tar.gz", - urls = ["https://static.crates.io/crates/wasm-bindgen-shared/0.2.99/download"], - strip_prefix = "wasm-bindgen-shared-0.2.99", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.wasm-bindgen-shared-0.2.99.bazel"), + urls = ["https://static.crates.io/crates/wasm-bindgen-shared/0.2.100/download"], + strip_prefix = "wasm-bindgen-shared-0.2.100", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.wasm-bindgen-shared-0.2.100.bazel"), ) maybe( @@ -3601,22 +3691,62 @@ def crate_repositories(): maybe( http_archive, - name = "vendor_ts__windows-core-0.52.0", - sha256 = "33ab640c8d7e35bf8ba19b884ba838ceb4fba93a4e8c65a9059d08afcfc683d9", + name = "vendor_ts__windows-core-0.61.2", + sha256 = "c0fdd3ddb90610c7638aa2b3a3ab2904fb9e5cdbecc643ddb3647212781c4ae3", type = "tar.gz", - urls = ["https://static.crates.io/crates/windows-core/0.52.0/download"], - strip_prefix = "windows-core-0.52.0", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.windows-core-0.52.0.bazel"), + urls = ["https://static.crates.io/crates/windows-core/0.61.2/download"], + strip_prefix = "windows-core-0.61.2", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.windows-core-0.61.2.bazel"), ) maybe( http_archive, - name = "vendor_ts__windows-link-0.1.1", - sha256 = "76840935b766e1b0a05c0066835fb9ec80071d4c09a16f6bd5f7e655e3c14c38", + name = "vendor_ts__windows-implement-0.60.0", + sha256 = "a47fddd13af08290e67f4acabf4b459f647552718f683a7b415d290ac744a836", type = "tar.gz", - urls = ["https://static.crates.io/crates/windows-link/0.1.1/download"], - strip_prefix = "windows-link-0.1.1", - build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.windows-link-0.1.1.bazel"), + urls = ["https://static.crates.io/crates/windows-implement/0.60.0/download"], + strip_prefix = "windows-implement-0.60.0", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.windows-implement-0.60.0.bazel"), + ) + + maybe( + http_archive, + name = "vendor_ts__windows-interface-0.59.1", + sha256 = "bd9211b69f8dcdfa817bfd14bf1c97c9188afa36f4750130fcdf3f400eca9fa8", + type = "tar.gz", + urls = ["https://static.crates.io/crates/windows-interface/0.59.1/download"], + strip_prefix = "windows-interface-0.59.1", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.windows-interface-0.59.1.bazel"), + ) + + maybe( + http_archive, + name = "vendor_ts__windows-link-0.1.3", + sha256 = "5e6ad25900d524eaabdbbb96d20b4311e1e7ae1699af4fb28c17ae66c80d798a", + type = "tar.gz", + urls = ["https://static.crates.io/crates/windows-link/0.1.3/download"], + strip_prefix = "windows-link-0.1.3", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.windows-link-0.1.3.bazel"), + ) + + maybe( + http_archive, + name = "vendor_ts__windows-result-0.3.4", + sha256 = "56f42bd332cc6c8eac5af113fc0c1fd6a8fd2aa08a0119358686e5160d0586c6", + type = "tar.gz", + urls = ["https://static.crates.io/crates/windows-result/0.3.4/download"], + strip_prefix = "windows-result-0.3.4", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.windows-result-0.3.4.bazel"), + ) + + maybe( + http_archive, + name = "vendor_ts__windows-strings-0.4.2", + sha256 = "56e6c93f3a0c3b36176cb1327a4958a0353d5d166c2a35cb268ace15e91d3b57", + type = "tar.gz", + urls = ["https://static.crates.io/crates/windows-strings/0.4.2/download"], + strip_prefix = "windows-strings-0.4.2", + build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.windows-strings-0.4.2.bazel"), ) maybe( @@ -4104,7 +4234,7 @@ def crate_repositories(): struct(repo = "vendor_ts__argfile-0.2.1", is_dev_dep = False), struct(repo = "vendor_ts__chalk-ir-0.103.0", is_dev_dep = False), struct(repo = "vendor_ts__chrono-0.4.41", is_dev_dep = False), - struct(repo = "vendor_ts__clap-4.5.40", is_dev_dep = False), + struct(repo = "vendor_ts__clap-4.5.41", is_dev_dep = False), struct(repo = "vendor_ts__dunce-1.0.5", is_dev_dep = False), struct(repo = "vendor_ts__either-1.15.0", is_dev_dep = False), struct(repo = "vendor_ts__encoding-0.2.33", is_dev_dep = False), @@ -4119,29 +4249,29 @@ def crate_repositories(): struct(repo = "vendor_ts__num_cpus-1.17.0", is_dev_dep = False), struct(repo = "vendor_ts__proc-macro2-1.0.95", is_dev_dep = False), struct(repo = "vendor_ts__quote-1.0.40", is_dev_dep = False), - struct(repo = "vendor_ts__ra_ap_base_db-0.0.288", is_dev_dep = False), - struct(repo = "vendor_ts__ra_ap_cfg-0.0.288", is_dev_dep = False), - struct(repo = "vendor_ts__ra_ap_hir-0.0.288", is_dev_dep = False), - struct(repo = "vendor_ts__ra_ap_hir_def-0.0.288", is_dev_dep = False), - struct(repo = "vendor_ts__ra_ap_hir_expand-0.0.288", is_dev_dep = False), - struct(repo = "vendor_ts__ra_ap_hir_ty-0.0.288", is_dev_dep = False), - struct(repo = "vendor_ts__ra_ap_ide_db-0.0.288", is_dev_dep = False), - struct(repo = "vendor_ts__ra_ap_intern-0.0.288", is_dev_dep = False), - struct(repo = "vendor_ts__ra_ap_load-cargo-0.0.288", is_dev_dep = False), - struct(repo = "vendor_ts__ra_ap_parser-0.0.288", is_dev_dep = False), - struct(repo = "vendor_ts__ra_ap_paths-0.0.288", is_dev_dep = False), - struct(repo = "vendor_ts__ra_ap_project_model-0.0.288", is_dev_dep = False), - struct(repo = "vendor_ts__ra_ap_span-0.0.288", is_dev_dep = False), - struct(repo = "vendor_ts__ra_ap_stdx-0.0.288", is_dev_dep = False), - struct(repo = "vendor_ts__ra_ap_syntax-0.0.288", is_dev_dep = False), - struct(repo = "vendor_ts__ra_ap_vfs-0.0.288", is_dev_dep = False), + struct(repo = "vendor_ts__ra_ap_base_db-0.0.294", is_dev_dep = False), + struct(repo = "vendor_ts__ra_ap_cfg-0.0.294", is_dev_dep = False), + struct(repo = "vendor_ts__ra_ap_hir-0.0.294", is_dev_dep = False), + struct(repo = "vendor_ts__ra_ap_hir_def-0.0.294", is_dev_dep = False), + struct(repo = "vendor_ts__ra_ap_hir_expand-0.0.294", is_dev_dep = False), + struct(repo = "vendor_ts__ra_ap_hir_ty-0.0.294", is_dev_dep = False), + struct(repo = "vendor_ts__ra_ap_ide_db-0.0.294", is_dev_dep = False), + struct(repo = "vendor_ts__ra_ap_intern-0.0.294", is_dev_dep = False), + struct(repo = "vendor_ts__ra_ap_load-cargo-0.0.294", is_dev_dep = False), + struct(repo = "vendor_ts__ra_ap_parser-0.0.294", is_dev_dep = False), + struct(repo = "vendor_ts__ra_ap_paths-0.0.294", is_dev_dep = False), + struct(repo = "vendor_ts__ra_ap_project_model-0.0.294", is_dev_dep = False), + struct(repo = "vendor_ts__ra_ap_span-0.0.294", is_dev_dep = False), + struct(repo = "vendor_ts__ra_ap_stdx-0.0.294", is_dev_dep = False), + struct(repo = "vendor_ts__ra_ap_syntax-0.0.294", is_dev_dep = False), + struct(repo = "vendor_ts__ra_ap_vfs-0.0.294", is_dev_dep = False), struct(repo = "vendor_ts__rayon-1.10.0", is_dev_dep = False), struct(repo = "vendor_ts__regex-1.11.1", is_dev_dep = False), struct(repo = "vendor_ts__serde-1.0.219", is_dev_dep = False), struct(repo = "vendor_ts__serde_json-1.0.140", is_dev_dep = False), - struct(repo = "vendor_ts__serde_with-3.13.0", is_dev_dep = False), - struct(repo = "vendor_ts__syn-2.0.103", is_dev_dep = False), - struct(repo = "vendor_ts__toml-0.8.23", is_dev_dep = False), + struct(repo = "vendor_ts__serde_with-3.14.0", is_dev_dep = False), + struct(repo = "vendor_ts__syn-2.0.104", is_dev_dep = False), + struct(repo = "vendor_ts__toml-0.9.2", is_dev_dep = False), struct(repo = "vendor_ts__tracing-0.1.41", is_dev_dep = False), struct(repo = "vendor_ts__tracing-flame-0.2.0", is_dev_dep = False), struct(repo = "vendor_ts__tracing-subscriber-0.3.19", is_dev_dep = False), From c5afc65491bd35fe2d69d51b4ded83b1b814bb78 Mon Sep 17 00:00:00 2001 From: Paolo Tranquilli Date: Tue, 15 Jul 2025 14:32:13 +0200 Subject: [PATCH 0038/1955] Rust: run codegen again --- rust/extractor/src/generated/.generated.list | 2 +- rust/extractor/src/generated/top.rs | 161 ++++++++++-------- rust/extractor/src/translate/generated.rs | 1 + rust/ql/.generated.list | 12 +- rust/ql/lib/codeql/rust/elements/AsmExpr.qll | 1 + .../elements/internal/generated/AsmExpr.qll | 3 +- .../internal/generated/ParentChild.qll | 51 +++--- .../rust/elements/internal/generated/Raw.qll | 58 +++---- .../elements/internal/generated/Synth.qll | 8 +- rust/ql/lib/rust.dbscheme | 51 +++--- .../generated/AsmExpr/AsmExpr.ql | 14 ++ rust/schema/ast.py | 2 +- 12 files changed, 209 insertions(+), 155 deletions(-) diff --git a/rust/extractor/src/generated/.generated.list b/rust/extractor/src/generated/.generated.list index 4dcfb5380e1..832ebc8a834 100644 --- a/rust/extractor/src/generated/.generated.list +++ b/rust/extractor/src/generated/.generated.list @@ -1,2 +1,2 @@ mod.rs 4bcb9def847469aae9d8649461546b7c21ec97cf6e63d3cf394e339915ce65d7 4bcb9def847469aae9d8649461546b7c21ec97cf6e63d3cf394e339915ce65d7 -top.rs 409eb2e5fb18cb360a7d255fc2d7926a78bcd2d3c9f8dcdfce0419cea49d1489 409eb2e5fb18cb360a7d255fc2d7926a78bcd2d3c9f8dcdfce0419cea49d1489 +top.rs 0fc473b83d7cd550396b5c147829487fa7264121b6823fd371b78f55e48935b0 0fc473b83d7cd550396b5c147829487fa7264121b6823fd371b78f55e48935b0 diff --git a/rust/extractor/src/generated/top.rs b/rust/extractor/src/generated/top.rs index 278f4e59ab9..0b658d2aebb 100644 --- a/rust/extractor/src/generated/top.rs +++ b/rust/extractor/src/generated/top.rs @@ -3615,73 +3615,6 @@ impl From> for trap::Label { } } -#[derive(Debug)] -pub struct AsmExpr { - pub id: trap::TrapId, - pub asm_pieces: Vec>, - pub attrs: Vec>, - pub template: Vec>, -} - -impl trap::TrapEntry for AsmExpr { - fn extract_id(&mut self) -> trap::TrapId { - std::mem::replace(&mut self.id, trap::TrapId::Star) - } - - fn emit(self, id: trap::Label, out: &mut trap::Writer) { - out.add_tuple("asm_exprs", vec![id.into()]); - for (i, v) in self.asm_pieces.into_iter().enumerate() { - out.add_tuple("asm_expr_asm_pieces", vec![id.into(), i.into(), v.into()]); - } - for (i, v) in self.attrs.into_iter().enumerate() { - out.add_tuple("asm_expr_attrs", vec![id.into(), i.into(), v.into()]); - } - for (i, v) in self.template.into_iter().enumerate() { - out.add_tuple("asm_expr_templates", vec![id.into(), i.into(), v.into()]); - } - } -} - -impl trap::TrapClass for AsmExpr { - fn class_name() -> &'static str { "AsmExpr" } -} - -impl From> for trap::Label { - fn from(value: trap::Label) -> Self { - // SAFETY: this is safe because in the dbscheme AsmExpr is a subclass of Expr - unsafe { - Self::from_untyped(value.as_untyped()) - } - } -} - -impl From> for trap::Label { - fn from(value: trap::Label) -> Self { - // SAFETY: this is safe because in the dbscheme AsmExpr is a subclass of AstNode - unsafe { - Self::from_untyped(value.as_untyped()) - } - } -} - -impl From> for trap::Label { - fn from(value: trap::Label) -> Self { - // SAFETY: this is safe because in the dbscheme AsmExpr is a subclass of Locatable - unsafe { - Self::from_untyped(value.as_untyped()) - } - } -} - -impl From> for trap::Label { - fn from(value: trap::Label) -> Self { - // SAFETY: this is safe because in the dbscheme AsmExpr is a subclass of Element - unsafe { - Self::from_untyped(value.as_untyped()) - } - } -} - #[derive(Debug)] pub struct AsmLabel { pub id: trap::TrapId, @@ -8831,6 +8764,100 @@ impl From> for trap::Label { } } +#[derive(Debug)] +pub struct AsmExpr { + pub id: trap::TrapId, + pub asm_pieces: Vec>, + pub attrs: Vec>, + pub template: Vec>, +} + +impl trap::TrapEntry for AsmExpr { + fn extract_id(&mut self) -> trap::TrapId { + std::mem::replace(&mut self.id, trap::TrapId::Star) + } + + fn emit(self, id: trap::Label, out: &mut trap::Writer) { + out.add_tuple("asm_exprs", vec![id.into()]); + for (i, v) in self.asm_pieces.into_iter().enumerate() { + out.add_tuple("asm_expr_asm_pieces", vec![id.into(), i.into(), v.into()]); + } + for (i, v) in self.attrs.into_iter().enumerate() { + out.add_tuple("asm_expr_attrs", vec![id.into(), i.into(), v.into()]); + } + for (i, v) in self.template.into_iter().enumerate() { + out.add_tuple("asm_expr_templates", vec![id.into(), i.into(), v.into()]); + } + } +} + +impl trap::TrapClass for AsmExpr { + fn class_name() -> &'static str { "AsmExpr" } +} + +impl From> for trap::Label { + fn from(value: trap::Label) -> Self { + // SAFETY: this is safe because in the dbscheme AsmExpr is a subclass of Expr + unsafe { + Self::from_untyped(value.as_untyped()) + } + } +} + +impl From> for trap::Label { + fn from(value: trap::Label) -> Self { + // SAFETY: this is safe because in the dbscheme AsmExpr is a subclass of AstNode + unsafe { + Self::from_untyped(value.as_untyped()) + } + } +} + +impl From> for trap::Label { + fn from(value: trap::Label) -> Self { + // SAFETY: this is safe because in the dbscheme AsmExpr is a subclass of Locatable + unsafe { + Self::from_untyped(value.as_untyped()) + } + } +} + +impl From> for trap::Label { + fn from(value: trap::Label) -> Self { + // SAFETY: this is safe because in the dbscheme AsmExpr is a subclass of Element + unsafe { + Self::from_untyped(value.as_untyped()) + } + } +} + +impl From> for trap::Label { + fn from(value: trap::Label) -> Self { + // SAFETY: this is safe because in the dbscheme AsmExpr is a subclass of Item + unsafe { + Self::from_untyped(value.as_untyped()) + } + } +} + +impl From> for trap::Label { + fn from(value: trap::Label) -> Self { + // SAFETY: this is safe because in the dbscheme AsmExpr is a subclass of Stmt + unsafe { + Self::from_untyped(value.as_untyped()) + } + } +} + +impl From> for trap::Label { + fn from(value: trap::Label) -> Self { + // SAFETY: this is safe because in the dbscheme AsmExpr is a subclass of Addressable + unsafe { + Self::from_untyped(value.as_untyped()) + } + } +} + #[derive(Debug)] pub struct AssocItem { _unused: () diff --git a/rust/extractor/src/translate/generated.rs b/rust/extractor/src/translate/generated.rs index 787ce71bf2a..3b9be2e1915 100644 --- a/rust/extractor/src/translate/generated.rs +++ b/rust/extractor/src/translate/generated.rs @@ -212,6 +212,7 @@ impl Translator<'_> { return Some(label); } let label = match node { + ast::Item::AsmExpr(inner) => self.emit_asm_expr(inner).map(Into::into), ast::Item::Const(inner) => self.emit_const(inner).map(Into::into), ast::Item::Enum(inner) => self.emit_enum(inner).map(Into::into), ast::Item::ExternBlock(inner) => self.emit_extern_block(inner).map(Into::into), diff --git a/rust/ql/.generated.list b/rust/ql/.generated.list index 1d2b69ce32e..4cf3e6ab073 100644 --- a/rust/ql/.generated.list +++ b/rust/ql/.generated.list @@ -10,7 +10,7 @@ lib/codeql/rust/elements/ArrayTypeRepr.qll a3e61c99567893aa26c610165696e54d11c16 lib/codeql/rust/elements/AsmClobberAbi.qll eb5628916f41ab47e333b4528fba3fb80caecd2805fb20ba4f5c8d59c9677f14 636fce6b3a7f04141d0d3a53734d08a188a45bcc04f755bb66746d4f0a13fa72 lib/codeql/rust/elements/AsmConst.qll f408468624dd0c80c6dcf62d17e65a94cd477a5a760be1b5fdd07c8189a3b4ea e4159073b3ee6d247e8962ce925da55ea39ee2cd1649f8b785a92aea17dbf144 lib/codeql/rust/elements/AsmDirSpec.qll 0c439c031c9f60596373aee8ae2ee70068582548ae365a3c7c19c8b5e2b030d2 0127b08b99bd8725cb6273c1a930aef4434897f23611cfc4ec2dd1b7c9d7e3d0 -lib/codeql/rust/elements/AsmExpr.qll 33a9a873ba05235dd80103ed22555eee220a4c0cb86605d0f76bcda316605449 c8a99b7bd55aac41e56d05cd5a52692f1d835ed3e1a1bd029bb41d8e2b81b240 +lib/codeql/rust/elements/AsmExpr.qll 0a477c401583a778ea6736070eaf8959f9312135e863e45fafb6c160da2e8f1b 0447b2438c694f9e9bd2629abb66281724d27b17e534fa8e9a19b2ea30af18d2 lib/codeql/rust/elements/AsmLabel.qll 5fa3401c49329ddc845bd95d5f498a455202f685e962dfec9bc91550577da800 f54fe1dcd3c76f36e6abc7b56dc5d6f5b1c30d0fb434db21dd8a1ce731fc6abf lib/codeql/rust/elements/AsmOperand.qll 3987a289233fe09f41f20b27939655cc72fa46847969a55cca6d6393f906969a 8810ff2a64f29d1441a449f5fd74bdc1107782172c7a21baaeb48a40930b7d5a lib/codeql/rust/elements/AsmOperandExpr.qll 72d4455cf742dc977b0a33ea21539422aaf2263f36c6f4420ddcb360ac606a0a 03bd01e81b291c915deb20ce33d5bdf73a709fbc007ab7570490e9a8e7c8604c @@ -469,7 +469,7 @@ lib/codeql/rust/elements/internal/generated/ArrayTypeRepr.qll d1db33bc2c13e5bc6f lib/codeql/rust/elements/internal/generated/AsmClobberAbi.qll 579cabafcf0387a9270112ffa53c0b542c1bfbbebfe5c916ac2e6a9b2453539a 8048f5d8759425c55dc46d8fe502687edc29209e290094e9bcd24ff943c8d801 lib/codeql/rust/elements/internal/generated/AsmConst.qll 26c96fc41f2b517b7756fd602c8b0cd4849c7090013fb3f8a5e290e5eabe80cc f0f1bf3e8ae7e20e1c2ab638428190c58ee242a7d15c480ed9c5f789ce42c9cb lib/codeql/rust/elements/internal/generated/AsmDirSpec.qll 4064e9c98aeebfebf29d013f6280f44548996d6f185b19bf96b1b23384c976b9 2bb0b99d20c0fdd6d54d4a1947a02372b6e4b197fb887ad058290ae97f015953 -lib/codeql/rust/elements/internal/generated/AsmExpr.qll 35df35b391d8bf7ccc53b5ffb1b700984bf423cafc89003cb6e3abd92791a127 0fff4199625c179ab4117cfa9762390a259ea0cba902713efc0f5eb200746b99 +lib/codeql/rust/elements/internal/generated/AsmExpr.qll afabf734bf93040451cb22d22f71ab9b2abb176bd6e0d862f5cc67d687f84e4c 7e35b3bc93b5e6f6b7259f3261234421eb5778a47192bc0f5e54d062d3bc8dde lib/codeql/rust/elements/internal/generated/AsmLabel.qll 3e97e64f0682709f05464218e0182f64537e08079b0f276738c83eae92c22d25 3ce70364762bc8c0eeb13940406a0613a815a0ae68b24f7e3a1a649a6fe05c89 lib/codeql/rust/elements/internal/generated/AsmOperand.qll a18ddb65ba0de6b61fb73e6a39398a127ccd4180b12fea43398e1e8f3e829ecd 22d2162566bcf18e8bb39eac9c1de0ae563013767ef5efebff6d844cb4038cae lib/codeql/rust/elements/internal/generated/AsmOperandExpr.qll 6ec1db45e8523331d516263476bbda1006251ce137c2cd324d9b6c6fabf358df b6278d4e605fb5422ab1e563649da793bacf28cd587328f9cc36ca57799510d0 @@ -578,7 +578,7 @@ lib/codeql/rust/elements/internal/generated/ParamList.qll eaa0cd4402d3665013d47e lib/codeql/rust/elements/internal/generated/ParenExpr.qll 812d2ff65079277f39f15c084657a955a960a7c1c0e96dd60472a58d56b945eb eb8c607f43e1fcbb41f37a10de203a1db806690e10ff4f04d48ed874189cb0eb lib/codeql/rust/elements/internal/generated/ParenPat.qll 24f9dc7fce75827d6fddb856cd48f80168143151b27295c0bab6db5a06567a09 ebadbc6f5498e9ed754b39893ce0763840409a0721036a25b56e1ead7dcc09aa lib/codeql/rust/elements/internal/generated/ParenTypeRepr.qll 03f5c5b96a37adeb845352d7fcea3e098da9050e534972d14ac0f70d60a2d776 ed3d6e5d02086523087adebce4e89e35461eb95f2a66d1d4100fe23fc691b126 -lib/codeql/rust/elements/internal/generated/ParentChild.qll 3657258593982c34cb5934cf51fe21a0749af3161890b43c20f2b327d89ecf77 83509d01d5735e297057327be7fbb837a4633604cf6641ba34bb4825798187da +lib/codeql/rust/elements/internal/generated/ParentChild.qll c7958f4e110f4afb810b06946309bf766305cc4d92c92695ae8f06b3f321ddcd 8150b0550b639cffc7c989c32fc3951fad32ec82ad838f359527a473bdb95a3f lib/codeql/rust/elements/internal/generated/ParenthesizedArgList.qll d901fdc8142a5b8847cc98fc2afcfd16428b8ace4fbffb457e761b5fd3901a77 5dbb0aea5a13f937da666ccb042494af8f11e776ade1459d16b70a4dd193f9fb lib/codeql/rust/elements/internal/generated/Pat.qll 3605ac062be2f294ee73336e9669027b8b655f4ad55660e1eab35266275154ee 7f9400db2884d336dd1d21df2a8093759c2a110be9bf6482ce8e80ae0fd74ed4 lib/codeql/rust/elements/internal/generated/Path.qll 9b12afb46fc5a9ad3a811b05472621bbecccb900c47504feb7f29d96b28421ca bcacbffc36fb3e0c9b26523b5963af0ffa9fd6b19f00a2a31bdb2316071546bd @@ -593,7 +593,7 @@ lib/codeql/rust/elements/internal/generated/PtrTypeRepr.qll 8d0ea4f6c7f8203340bf lib/codeql/rust/elements/internal/generated/PureSynthConstructors.qll e5b8e69519012bbaae29dcb82d53f7f7ecce368c0358ec27ef6180b228a0057f e5b8e69519012bbaae29dcb82d53f7f7ecce368c0358ec27ef6180b228a0057f lib/codeql/rust/elements/internal/generated/RangeExpr.qll 23cca03bf43535f33b22a38894f70d669787be4e4f5b8fe5c8f7b964d30e9027 18624cef6c6b679eeace2a98737e472432e0ead354cca02192b4d45330f047c9 lib/codeql/rust/elements/internal/generated/RangePat.qll 80826a6a6868a803aa2372e31c52a03e1811a3f1f2abdb469f91ca0bfdd9ecb6 34ee1e208c1690cba505dff2c588837c0cd91e185e2a87d1fe673191962276a9 -lib/codeql/rust/elements/internal/generated/Raw.qll f5b37458fb9c16829da761323deab22b440c3cb5bf915e07ee3eb2315251020e 0198c8d6ac310f107e4685f6dc0bd2eb58800af41ab4ac4c15c42d8d575f4b0a +lib/codeql/rust/elements/internal/generated/Raw.qll 7448186873413f4aa7762c990c1c699e3a379280f0260bc76524386aefe567f1 07acbe3eabaa87147757989e8616046fff218669677e7d3d6465fbda639519e1 lib/codeql/rust/elements/internal/generated/RefExpr.qll 7d995884e3dc1c25fc719f5d7253179344d63650e217e9ff6530285fe7a57f64 f2c3c12551deea4964b66553fb9b6423ee16fec53bd63db4796191aa60dc6c66 lib/codeql/rust/elements/internal/generated/RefPat.qll 456ede39837463ee22a630ec7ab6c8630d3664a8ea206fcc6e4f199e92fa564c 5622062765f32930465ba6b170e986706f159f6070f48adee3c20e24e8df4e05 lib/codeql/rust/elements/internal/generated/RefTypeRepr.qll 5b0663a6d234572fb3e467e276d019415caa95ef006438cc59b7af4e1783161e 0e27c8a8f0e323c0e4d6db01fca821bf07c0864d293cdf96fa891b10820c1e4b @@ -619,7 +619,7 @@ lib/codeql/rust/elements/internal/generated/StructFieldList.qll 5da528a51a6a5db9 lib/codeql/rust/elements/internal/generated/StructPat.qll c76fa005c2fd0448a8803233e1e8818c4123301eb66ac5cf69d0b9eaafc61e98 6e0dffccdce24bca20e87d5ba0f0995c9a1ae8983283e71e7dbfcf6fffc67a58 lib/codeql/rust/elements/internal/generated/StructPatField.qll 5b5c7302dbc4a902ca8e69ff31875c867e295a16a626ba3cef29cd0aa248f179 4e192a0df79947f5cb0d47fdbbba7986137a6a40a1be92ae119873e2fad67edf lib/codeql/rust/elements/internal/generated/StructPatFieldList.qll 1a95a1bd9f64fb18e9571657cf2d02a8b13c747048a1f0f74baf31b91f0392ad fc274e414ff4ed54386046505920de92755ad0b4d39a7523cdffa4830bd53b37 -lib/codeql/rust/elements/internal/generated/Synth.qll 4390996606c436cb34201d7dba9821a0d775d1707e54fbbe24cbf788d1d1d948 8e8077a387c69f7f5e3bdb2754654625c233283eb39eab33a72bde536f139a16 +lib/codeql/rust/elements/internal/generated/Synth.qll 39bd329c2efef8691106070107356da0c336d10cb395aa2129ceb6108db27357 5369b56fe14c1961b38af4288b512dfaf09fc4264efced468af5fc6da403ac04 lib/codeql/rust/elements/internal/generated/SynthConstructors.qll bcc7f617b775ac0c7f04b1cc333ed7cc0bd91f1fabc8baa03c824d1df03f6076 bcc7f617b775ac0c7f04b1cc333ed7cc0bd91f1fabc8baa03c824d1df03f6076 lib/codeql/rust/elements/internal/generated/Token.qll 77a91a25ca5669703cf3a4353b591cef4d72caa6b0b9db07bb9e005d69c848d1 2fdffc4882ed3a6ca9ac6d1fb5f1ac5a471ca703e2ffdc642885fa558d6e373b lib/codeql/rust/elements/internal/generated/TokenTree.qll 1a3c4f5f30659738641abdd28cb793dab3cfde484196b59656fc0a2767e53511 de2ebb210c7759ef7a6f7ee9f805e1cac879221287281775fc80ba34a5492edf @@ -665,7 +665,7 @@ test/extractor-tests/generated/ArrayTypeRepr/ArrayTypeRepr.ql b262300235ab5bf4fe test/extractor-tests/generated/AsmClobberAbi/AsmClobberAbi.ql adfcfcdc6ac2a9a4849ea592e37da4221b6279cf2ea1112d32b6c89fda33e85e 7438490536e27b7173dec731f6925531a0e3fa839639c97a53905ba72d7efbe5 test/extractor-tests/generated/AsmConst/AsmConst.ql 82f322fc8a01f4ccc86b3ecca86a9515313120764c6a3ac00b968e4441625422 62831f204c5c2d0f155152c661f9b5d4a4b685df6e40693106fbef0379378981 test/extractor-tests/generated/AsmDirSpec/AsmDirSpec.ql 518a739c91481f67b27bfd1989d9dcbada12de54901eb6d598c896cd72f1f5fe 4567661eecf475fb05e13749b9250bcec51056b6db5a6ae7df24b7ba5cfb88c2 -test/extractor-tests/generated/AsmExpr/AsmExpr.ql c6c0128b252a13d5acea9a07b3854625aa51ebcce9dd93c11b423c9929d441fb 7618977e43f202af5b7d21b67531c4795bb791abe3cb03ba4077913c430b31d5 +test/extractor-tests/generated/AsmExpr/AsmExpr.ql 2ecffe80979c6b49ec84466c913ef6424e0b1f61cf8a8d6f68ac24744a08eb0e 0bd5ee2a93d75c4daa1698613b5d5a462341d53b99e3da8af81ad51fa15a7f7e test/extractor-tests/generated/AsmLabel/AsmLabel.ql 130bf49dc1f5ae79e3588415b9a4c25dfdcbcac1884db9b2fb802a68e33180e5 c087e47d8953d312488fcc0b1bcbfca02521e3683e2063eaf380d76399bca037 test/extractor-tests/generated/AsmOperandExpr/AsmOperandExpr.ql e866fd4715e78511352bb286c1120cbd52c4d960664d57dd99f0380eb1db7109 081d6a6267a3e251a123099b4c1e7d3c5a3b56e0efe9db7c7db24db1c08b7e0d test/extractor-tests/generated/AsmOperandNamed/AsmOperandNamed.ql fb1eb1f275ad251ba2e0876cf1d097bb33f20d06b0e50f8c01f7c11c71057688 e308567ffd18671cf172853a5c594f0f211d492c7e2fb58be412703d1b342b41 diff --git a/rust/ql/lib/codeql/rust/elements/AsmExpr.qll b/rust/ql/lib/codeql/rust/elements/AsmExpr.qll index 06cee086b3f..a4b588ff985 100644 --- a/rust/ql/lib/codeql/rust/elements/AsmExpr.qll +++ b/rust/ql/lib/codeql/rust/elements/AsmExpr.qll @@ -7,6 +7,7 @@ private import internal.AsmExprImpl import codeql.rust.elements.AsmPiece import codeql.rust.elements.Attr import codeql.rust.elements.Expr +import codeql.rust.elements.Item /** * An inline assembly expression. For example: diff --git a/rust/ql/lib/codeql/rust/elements/internal/generated/AsmExpr.qll b/rust/ql/lib/codeql/rust/elements/internal/generated/AsmExpr.qll index 83f756a4c98..95e4d08aa40 100644 --- a/rust/ql/lib/codeql/rust/elements/internal/generated/AsmExpr.qll +++ b/rust/ql/lib/codeql/rust/elements/internal/generated/AsmExpr.qll @@ -10,6 +10,7 @@ import codeql.rust.elements.AsmPiece import codeql.rust.elements.Attr import codeql.rust.elements.Expr import codeql.rust.elements.internal.ExprImpl::Impl as ExprImpl +import codeql.rust.elements.internal.ItemImpl::Impl as ItemImpl /** * INTERNAL: This module contains the fully generated definition of `AsmExpr` and should not @@ -27,7 +28,7 @@ module Generated { * INTERNAL: Do not reference the `Generated::AsmExpr` class directly. * Use the subclass `AsmExpr`, where the following predicates are available. */ - class AsmExpr extends Synth::TAsmExpr, ExprImpl::Expr { + class AsmExpr extends Synth::TAsmExpr, ExprImpl::Expr, ItemImpl::Item { override string getAPrimaryQlClass() { result = "AsmExpr" } /** diff --git a/rust/ql/lib/codeql/rust/elements/internal/generated/ParentChild.qll b/rust/ql/lib/codeql/rust/elements/internal/generated/ParentChild.qll index e2aa343f65d..d0b9c397a77 100644 --- a/rust/ql/lib/codeql/rust/elements/internal/generated/ParentChild.qll +++ b/rust/ql/lib/codeql/rust/elements/internal/generated/ParentChild.qll @@ -863,27 +863,6 @@ private module Impl { ) } - private Element getImmediateChildOfAsmExpr(AsmExpr e, int index, string partialPredicateCall) { - exists(int n, int nAsmPiece, int nAttr, int nTemplate | - n = 0 and - nAsmPiece = n + 1 + max(int i | i = -1 or exists(e.getAsmPiece(i)) | i) and - nAttr = nAsmPiece + 1 + max(int i | i = -1 or exists(e.getAttr(i)) | i) and - nTemplate = nAttr + 1 + max(int i | i = -1 or exists(e.getTemplate(i)) | i) and - ( - none() - or - result = e.getAsmPiece(index - n) and - partialPredicateCall = "AsmPiece(" + (index - n).toString() + ")" - or - result = e.getAttr(index - nAsmPiece) and - partialPredicateCall = "Attr(" + (index - nAsmPiece).toString() + ")" - or - result = e.getTemplate(index - nAttr) and - partialPredicateCall = "Template(" + (index - nAttr).toString() + ")" - ) - ) - } - private Element getImmediateChildOfAsmLabel(AsmLabel e, int index, string partialPredicateCall) { exists(int n, int nBlockExpr | n = 0 and @@ -2147,6 +2126,32 @@ private module Impl { ) } + private Element getImmediateChildOfAsmExpr(AsmExpr e, int index, string partialPredicateCall) { + exists(int n, int nAttributeMacroExpansion, int nAsmPiece, int nAttr, int nTemplate | + n = 0 and + nAttributeMacroExpansion = n + 1 and + nAsmPiece = nAttributeMacroExpansion + 1 + max(int i | i = -1 or exists(e.getAsmPiece(i)) | i) and + nAttr = nAsmPiece + 1 + max(int i | i = -1 or exists(e.getAttr(i)) | i) and + nTemplate = nAttr + 1 + max(int i | i = -1 or exists(e.getTemplate(i)) | i) and + ( + none() + or + index = n and + result = e.getAttributeMacroExpansion() and + partialPredicateCall = "AttributeMacroExpansion()" + or + result = e.getAsmPiece(index - nAttributeMacroExpansion) and + partialPredicateCall = "AsmPiece(" + (index - nAttributeMacroExpansion).toString() + ")" + or + result = e.getAttr(index - nAsmPiece) and + partialPredicateCall = "Attr(" + (index - nAsmPiece).toString() + ")" + or + result = e.getTemplate(index - nAttr) and + partialPredicateCall = "Template(" + (index - nAttr).toString() + ")" + ) + ) + } + private Element getImmediateChildOfBlockExpr(BlockExpr e, int index, string partialPredicateCall) { exists(int n, int nLabel, int nAttr, int nStmtList | n = 0 and @@ -3153,8 +3158,6 @@ private module Impl { or result = getImmediateChildOfAsmConst(e, index, partialAccessor) or - result = getImmediateChildOfAsmExpr(e, index, partialAccessor) - or result = getImmediateChildOfAsmLabel(e, index, partialAccessor) or result = getImmediateChildOfAsmOperandNamed(e, index, partialAccessor) @@ -3309,6 +3312,8 @@ private module Impl { or result = getImmediateChildOfArrayRepeatExpr(e, index, partialAccessor) or + result = getImmediateChildOfAsmExpr(e, index, partialAccessor) + or result = getImmediateChildOfBlockExpr(e, index, partialAccessor) or result = getImmediateChildOfCallExpr(e, index, partialAccessor) diff --git a/rust/ql/lib/codeql/rust/elements/internal/generated/Raw.qll b/rust/ql/lib/codeql/rust/elements/internal/generated/Raw.qll index a8e526e5263..38798573712 100644 --- a/rust/ql/lib/codeql/rust/elements/internal/generated/Raw.qll +++ b/rust/ql/lib/codeql/rust/elements/internal/generated/Raw.qll @@ -1521,35 +1521,6 @@ module Raw { predicate isConst() { asm_const_is_const(this) } } - /** - * INTERNAL: Do not use. - * An inline assembly expression. For example: - * ```rust - * unsafe { - * #[inline(always)] - * builtin # asm("cmp {0}, {1}", in(reg) a, in(reg) b); - * } - * ``` - */ - class AsmExpr extends @asm_expr, Expr { - override string toString() { result = "AsmExpr" } - - /** - * Gets the `index`th asm piece of this asm expression (0-based). - */ - AsmPiece getAsmPiece(int index) { asm_expr_asm_pieces(this, index, result) } - - /** - * Gets the `index`th attr of this asm expression (0-based). - */ - Attr getAttr(int index) { asm_expr_attrs(this, index, result) } - - /** - * Gets the `index`th template of this asm expression (0-based). - */ - Expr getTemplate(int index) { asm_expr_templates(this, index, result) } - } - /** * INTERNAL: Do not use. * A label in an inline assembly block. @@ -3592,6 +3563,35 @@ module Raw { } } + /** + * INTERNAL: Do not use. + * An inline assembly expression. For example: + * ```rust + * unsafe { + * #[inline(always)] + * builtin # asm("cmp {0}, {1}", in(reg) a, in(reg) b); + * } + * ``` + */ + class AsmExpr extends @asm_expr, Expr, Item { + override string toString() { result = "AsmExpr" } + + /** + * Gets the `index`th asm piece of this asm expression (0-based). + */ + AsmPiece getAsmPiece(int index) { asm_expr_asm_pieces(this, index, result) } + + /** + * Gets the `index`th attr of this asm expression (0-based). + */ + Attr getAttr(int index) { asm_expr_attrs(this, index, result) } + + /** + * Gets the `index`th template of this asm expression (0-based). + */ + Expr getTemplate(int index) { asm_expr_templates(this, index, result) } + } + /** * INTERNAL: Do not use. * An associated item in a `Trait` or `Impl`. diff --git a/rust/ql/lib/codeql/rust/elements/internal/generated/Synth.qll b/rust/ql/lib/codeql/rust/elements/internal/generated/Synth.qll index 3d89d74b7e8..3c8b1e87f57 100644 --- a/rust/ql/lib/codeql/rust/elements/internal/generated/Synth.qll +++ b/rust/ql/lib/codeql/rust/elements/internal/generated/Synth.qll @@ -774,8 +774,8 @@ module Synth { * INTERNAL: Do not use. */ class TItem = - TAdt or TAssocItem or TExternBlock or TExternCrate or TExternItem or TImpl or TMacroDef or - TMacroRules or TModule or TTrait or TTraitAlias or TUse; + TAdt or TAsmExpr or TAssocItem or TExternBlock or TExternCrate or TExternItem or TImpl or + TMacroDef or TMacroRules or TModule or TTrait or TTraitAlias or TUse; /** * INTERNAL: Do not use. @@ -2219,6 +2219,8 @@ module Synth { TItem convertItemFromRaw(Raw::Element e) { result = convertAdtFromRaw(e) or + result = convertAsmExprFromRaw(e) + or result = convertAssocItemFromRaw(e) or result = convertExternBlockFromRaw(e) @@ -3803,6 +3805,8 @@ module Synth { Raw::Element convertItemToRaw(TItem e) { result = convertAdtToRaw(e) or + result = convertAsmExprToRaw(e) + or result = convertAssocItemToRaw(e) or result = convertExternBlockToRaw(e) diff --git a/rust/ql/lib/rust.dbscheme b/rust/ql/lib/rust.dbscheme index 319c933d961..4adb57ee525 100644 --- a/rust/ql/lib/rust.dbscheme +++ b/rust/ql/lib/rust.dbscheme @@ -1272,31 +1272,6 @@ asm_const_is_const( int id: @asm_const ref ); -asm_exprs( - unique int id: @asm_expr -); - -#keyset[id, index] -asm_expr_asm_pieces( - int id: @asm_expr ref, - int index: int ref, - int asm_piece: @asm_piece ref -); - -#keyset[id, index] -asm_expr_attrs( - int id: @asm_expr ref, - int index: int ref, - int attr: @attr ref -); - -#keyset[id, index] -asm_expr_templates( - int id: @asm_expr ref, - int index: int ref, - int template: @expr ref -); - asm_labels( unique int id: @asm_label ); @@ -1905,6 +1880,7 @@ infer_type_reprs( @item = @adt +| @asm_expr | @assoc_item | @extern_block | @extern_crate @@ -2709,6 +2685,31 @@ adt_derive_macro_expansions( int derive_macro_expansion: @macro_items ref ); +asm_exprs( + unique int id: @asm_expr +); + +#keyset[id, index] +asm_expr_asm_pieces( + int id: @asm_expr ref, + int index: int ref, + int asm_piece: @asm_piece ref +); + +#keyset[id, index] +asm_expr_attrs( + int id: @asm_expr ref, + int index: int ref, + int attr: @attr ref +); + +#keyset[id, index] +asm_expr_templates( + int id: @asm_expr ref, + int index: int ref, + int template: @expr ref +); + @assoc_item = @const | @function diff --git a/rust/ql/test/extractor-tests/generated/AsmExpr/AsmExpr.ql b/rust/ql/test/extractor-tests/generated/AsmExpr/AsmExpr.ql index 11cc082dae0..bedbccdd1be 100644 --- a/rust/ql/test/extractor-tests/generated/AsmExpr/AsmExpr.ql +++ b/rust/ql/test/extractor-tests/generated/AsmExpr/AsmExpr.ql @@ -4,6 +4,20 @@ import TestUtils query predicate instances(AsmExpr x) { toBeTested(x) and not x.isUnknown() } +query predicate getExtendedCanonicalPath(AsmExpr x, string getExtendedCanonicalPath) { + toBeTested(x) and not x.isUnknown() and getExtendedCanonicalPath = x.getExtendedCanonicalPath() +} + +query predicate getCrateOrigin(AsmExpr x, string getCrateOrigin) { + toBeTested(x) and not x.isUnknown() and getCrateOrigin = x.getCrateOrigin() +} + +query predicate getAttributeMacroExpansion(AsmExpr x, MacroItems getAttributeMacroExpansion) { + toBeTested(x) and + not x.isUnknown() and + getAttributeMacroExpansion = x.getAttributeMacroExpansion() +} + query predicate getAsmPiece(AsmExpr x, int index, AsmPiece getAsmPiece) { toBeTested(x) and not x.isUnknown() and getAsmPiece = x.getAsmPiece(index) } diff --git a/rust/schema/ast.py b/rust/schema/ast.py index 137e56f8bac..d5b99753f11 100644 --- a/rust/schema/ast.py +++ b/rust/schema/ast.py @@ -69,7 +69,7 @@ class AsmConst(AsmOperand, ): class AsmDirSpec(AstNode, ): pass -class AsmExpr(Expr, ): +class AsmExpr(Expr, Item, ): asm_pieces: list["AsmPiece"] | child attrs: list["Attr"] | child template: list["Expr"] | child From 3a27758d858c9ce6fa53940f87522d4afec6139c Mon Sep 17 00:00:00 2001 From: Joe Farebrother Date: Tue, 15 Jul 2025 13:38:48 +0100 Subject: [PATCH 0039/1955] Remove old py2-specific tests --- .../Classes/equals-hash/EqualsOrHash.expected | 2 - .../Classes/equals-hash/EqualsOrHash.qlref | 1 - .../equals-hash/EqualsOrNotEquals.expected | 2 - .../equals-hash/EqualsOrNotEquals.qlref | 1 - .../Classes/equals-hash/equals_hash.py | 63 ------------------- 5 files changed, 69 deletions(-) delete mode 100644 python/ql/test/2/query-tests/Classes/equals-hash/EqualsOrHash.expected delete mode 100644 python/ql/test/2/query-tests/Classes/equals-hash/EqualsOrHash.qlref delete mode 100644 python/ql/test/2/query-tests/Classes/equals-hash/EqualsOrNotEquals.expected delete mode 100644 python/ql/test/2/query-tests/Classes/equals-hash/EqualsOrNotEquals.qlref delete mode 100644 python/ql/test/2/query-tests/Classes/equals-hash/equals_hash.py diff --git a/python/ql/test/2/query-tests/Classes/equals-hash/EqualsOrHash.expected b/python/ql/test/2/query-tests/Classes/equals-hash/EqualsOrHash.expected deleted file mode 100644 index 916a9bb4454..00000000000 --- a/python/ql/test/2/query-tests/Classes/equals-hash/EqualsOrHash.expected +++ /dev/null @@ -1,2 +0,0 @@ -| equals_hash.py:8:5:8:28 | Function Eq.__eq__ | Class $@ implements __eq__ but does not define __hash__. | equals_hash.py:3:1:3:17 | class Eq | Eq | -| equals_hash.py:24:5:24:23 | Function Hash.__hash__ | Class $@ implements __hash__ but does not define __eq__ or __cmp__. | equals_hash.py:19:1:19:19 | class Hash | Hash | diff --git a/python/ql/test/2/query-tests/Classes/equals-hash/EqualsOrHash.qlref b/python/ql/test/2/query-tests/Classes/equals-hash/EqualsOrHash.qlref deleted file mode 100644 index 7eb0f07e51c..00000000000 --- a/python/ql/test/2/query-tests/Classes/equals-hash/EqualsOrHash.qlref +++ /dev/null @@ -1 +0,0 @@ -Classes/EqualsOrHash.ql \ No newline at end of file diff --git a/python/ql/test/2/query-tests/Classes/equals-hash/EqualsOrNotEquals.expected b/python/ql/test/2/query-tests/Classes/equals-hash/EqualsOrNotEquals.expected deleted file mode 100644 index 04e395c668b..00000000000 --- a/python/ql/test/2/query-tests/Classes/equals-hash/EqualsOrNotEquals.expected +++ /dev/null @@ -1,2 +0,0 @@ -| equals_hash.py:8:5:8:28 | Function Eq.__eq__ | Class $@ implements __eq__ but does not implement __ne__. | equals_hash.py:3:1:3:17 | class Eq | Eq | -| equals_hash.py:16:5:16:28 | Function Ne.__ne__ | Class $@ implements __ne__ but does not implement __eq__. | equals_hash.py:11:1:11:17 | class Ne | Ne | diff --git a/python/ql/test/2/query-tests/Classes/equals-hash/EqualsOrNotEquals.qlref b/python/ql/test/2/query-tests/Classes/equals-hash/EqualsOrNotEquals.qlref deleted file mode 100644 index 163a9f3b667..00000000000 --- a/python/ql/test/2/query-tests/Classes/equals-hash/EqualsOrNotEquals.qlref +++ /dev/null @@ -1 +0,0 @@ -Classes/EqualsOrNotEquals.ql \ No newline at end of file diff --git a/python/ql/test/2/query-tests/Classes/equals-hash/equals_hash.py b/python/ql/test/2/query-tests/Classes/equals-hash/equals_hash.py deleted file mode 100644 index 447250a5375..00000000000 --- a/python/ql/test/2/query-tests/Classes/equals-hash/equals_hash.py +++ /dev/null @@ -1,63 +0,0 @@ -#Equals and hash - -class Eq(object): - - def __init__(self, data): - self.data = data - - def __eq__(self, other): - return self.data == other.data - -class Ne(object): - - def __init__(self, data): - self.data = data - - def __ne__(self, other): - return self.data != other.data - -class Hash(object): - - def __init__(self, data): - self.data = data - - def __hash__(self): - return hash(self.data) - -class Unhashable1(object): - - __hash__ = None - - -class EqOK1(Unhashable1): - - def __eq__(self, other): - return False - - def __ne__(self, other): - return True - -class Unhashable2(object): - - #Not the idiomatic way of doing it, but not uncommon either - def __hash__(self): - raise TypeError("unhashable object") - - -class EqOK2(Unhashable2): - - def __eq__(self, other): - return False - - def __ne__(self, other): - return True - -class ReflectiveNotEquals(object): - - def __ne__(self, other): - return not self == other - -class EqOK3(ReflectiveNotEquals, Unhashable1): - - def __eq__(self, other): - return self.data == other.data From e79938b5976da542b567e797c5d1a21c56ff665c Mon Sep 17 00:00:00 2001 From: Paolo Tranquilli Date: Tue, 15 Jul 2025 14:54:52 +0200 Subject: [PATCH 0040/1955] Bazel: bump rust toolchain version to 1.88 --- MODULE.bazel | 42 +++++++++++++++++++++--------------------- 1 file changed, 21 insertions(+), 21 deletions(-) diff --git a/MODULE.bazel b/MODULE.bazel index 2d0898ebae6..5eacf5b85be 100644 --- a/MODULE.bazel +++ b/MODULE.bazel @@ -38,7 +38,7 @@ bazel_dep(name = "buildifier_prebuilt", version = "6.4.0", dev_dependency = True RUST_EDITION = "2024" # run buildutils-internal/scripts/fill-rust-sha256s.py when updating (internal repo) -RUST_VERSION = "1.86.0" +RUST_VERSION = "1.88.0" rust = use_extension("@rules_rust//rust:extensions.bzl", "rust") rust.toolchain( @@ -50,26 +50,26 @@ rust.toolchain( ], # generated by buildutils-internal/scripts/fill-rust-sha256s.py (internal repo) sha256s = { - "rustc-1.86.0-x86_64-unknown-linux-gnu.tar.xz": "4438b809ce4a083af31ed17aeeedcc8fc60ccffc0625bef1926620751b6989d7", - "rustc-1.86.0-x86_64-apple-darwin.tar.xz": "42b76253626febb7912541a30d3379f463dec89581aad4cb72c6c04fb5a71dc5", - "rustc-1.86.0-aarch64-apple-darwin.tar.xz": "23b8f52102249a47ab5bc859d54c9a3cb588a3259ba3f00f557d50edeca4fde9", - "rustc-1.86.0-x86_64-pc-windows-msvc.tar.xz": "fdde839fea274529a31e51eb85c6df1782cc8479c9d1bc24e2914d66a0de41ab", - "clippy-1.86.0-x86_64-unknown-linux-gnu.tar.xz": "02aaff2c1407d2da8dba19aa4970dd873e311902b120a66cbcdbe51eb8836edf", - "clippy-1.86.0-x86_64-apple-darwin.tar.xz": "bb85efda7bbffaf124867f5ca36d50932b1e8f533c62ee923438afb32ff8fe9a", - "clippy-1.86.0-aarch64-apple-darwin.tar.xz": "239fa3a604b124f0312f2af08537874a1227dba63385484b468cca62e7c4f2f2", - "clippy-1.86.0-x86_64-pc-windows-msvc.tar.xz": "d00498f47d49219f032e2c5eeebdfc3d32317c0dc3d3fd7125327445bc482cb4", - "cargo-1.86.0-x86_64-unknown-linux-gnu.tar.xz": "c5c1590f7e9246ad9f4f97cfe26ffa92707b52a769726596a9ef81565ebd908b", - "cargo-1.86.0-x86_64-apple-darwin.tar.xz": "af163eb02d1a178044d1b4f2375960efd47130f795f6e33d09e345454bb26f4e", - "cargo-1.86.0-aarch64-apple-darwin.tar.xz": "3cb13873d48c3e1e4cc684d42c245226a11fba52af6b047c3346ed654e7a05c0", - "cargo-1.86.0-x86_64-pc-windows-msvc.tar.xz": "e57a9d89619b5604899bac443e68927bdd371e40f2e03e18950b6ceb3eb67966", - "llvm-tools-1.86.0-x86_64-unknown-linux-gnu.tar.xz": "282145ab7a63c98b625856f44b905b4dc726b497246b824632a5790debe95a78", - "llvm-tools-1.86.0-x86_64-apple-darwin.tar.xz": "b55706e92f7da989207c50c13c7add483a9fedd233bc431b106eca2a8f151ec9", - "llvm-tools-1.86.0-aarch64-apple-darwin.tar.xz": "04d3618c686845853585f036e3211eb9e18f2d290f4610a7a78bdc1fcce1ebd9", - "llvm-tools-1.86.0-x86_64-pc-windows-msvc.tar.xz": "721a17cc8dc219177e4277a3592253934ef08daa1e1b12eda669a67d15fad8dd", - "rust-std-1.86.0-x86_64-unknown-linux-gnu.tar.xz": "67be7184ea388d8ce0feaf7fdea46f1775cfc2970930264343b3089898501d37", - "rust-std-1.86.0-x86_64-apple-darwin.tar.xz": "3b1140d54870a080080e84700143f4a342fbd02a410a319b05d9c02e7dcf44cc", - "rust-std-1.86.0-aarch64-apple-darwin.tar.xz": "0fb121fb3b8fa9027d79ff598500a7e5cd086ddbc3557482ed3fdda00832c61b", - "rust-std-1.86.0-x86_64-pc-windows-msvc.tar.xz": "3d5354b7b9cb950b58bff3fce18a652aa374bb30c8f70caebd3bd0b43cb41a33", + "rustc-1.88.0-x86_64-unknown-linux-gnu.tar.xz": "b049fd57fce274d10013e2cf0e05f215f68f6580865abc52178f66ae9bf43fd8", + "rustc-1.88.0-x86_64-apple-darwin.tar.xz": "c8f1ea4fc3e507c8e733809bd3ad91a00f5b209d85620be9013bea5f97f31f24", + "rustc-1.88.0-aarch64-apple-darwin.tar.xz": "249f4cacd3fac1f718af19373c73e9d3b9a595965972d8b1f3947c578110f520", + "rustc-1.88.0-x86_64-pc-windows-msvc.tar.xz": "238616f0a578d6d4c034ffb8897064fa8df68a3823df201df48ab2baf68a639f", + "clippy-1.88.0-x86_64-unknown-linux-gnu.tar.xz": "db09c9e4a8a0b486781d87403f74a203a58d9ef0a58ba10c39264916d93ac603", + "clippy-1.88.0-x86_64-apple-darwin.tar.xz": "d25711565eccaf1ead038a626f14eddb8e7db114fb73c24e93264dae4d4298d3", + "clippy-1.88.0-aarch64-apple-darwin.tar.xz": "9ad90cddc3ebd892c9d69c9ecd45c30d236e1e4af5993312c6f4538af9dcf3e7", + "clippy-1.88.0-x86_64-pc-windows-msvc.tar.xz": "0d02a7b3a8eb407c6a62c75a56f365b312f8ec2732cac5ecfc7a062526fddbe3", + "cargo-1.88.0-x86_64-unknown-linux-gnu.tar.xz": "856962610ee821648cee32e3d6abac667af7bb7ea6ec6f3d184cc31e66044f6b", + "cargo-1.88.0-x86_64-apple-darwin.tar.xz": "e7f672132591df180b58f8e7af875e1971a10fe71243f7d84f9b3f6742f998bc", + "cargo-1.88.0-aarch64-apple-darwin.tar.xz": "71c08c8fab9b7a9cd13b6119886d50ce48efa8261d08e1fd328ed3ee1c84e2e0", + "cargo-1.88.0-x86_64-pc-windows-msvc.tar.xz": "5e3b21d77733e0dbb5542015f89b15de1844bd6e3270fdc90bb821b2a04b1cda", + "llvm-tools-1.88.0-x86_64-unknown-linux-gnu.tar.xz": "16e8d9b4187cc3936feddd9ceccde0157a4a1b2be98ca9c202cda304e0e81853", + "llvm-tools-1.88.0-x86_64-apple-darwin.tar.xz": "92780b5be0950c206d998a6f7094d4ee29b992d1d2f46371465e8bdaa4e619a4", + "llvm-tools-1.88.0-aarch64-apple-darwin.tar.xz": "c9bf981651b573d2abb619a5b3ae038686772e51e7ec53a8b5e585c51c1431e5", + "llvm-tools-1.88.0-x86_64-pc-windows-msvc.tar.xz": "6522371a06d183effaf080c59d2a8c0720088157ae693123386bc7070ba62a73", + "rust-std-1.88.0-x86_64-unknown-linux-gnu.tar.xz": "36d7eacf46bd5199cb433e49a9ed9c9b380d82f8a0ebc05e89b43b51c070c955", + "rust-std-1.88.0-x86_64-apple-darwin.tar.xz": "2570350a6651e60a2fe0aa438be5cd123ed3543b4b44c916284ff7e7e331d16a", + "rust-std-1.88.0-aarch64-apple-darwin.tar.xz": "532be07511af557cb67f33bfc77044a787363ab281b963752542bc837ce90e96", + "rust-std-1.88.0-x86_64-pc-windows-msvc.tar.xz": "6b65df769259ad18428271aea110ec1a5027e922f3e36d77923dc69a38ff6318", }, versions = [RUST_VERSION], ) From 504ae0f35ab9d19265cbbdd8547e814519f1dd5a Mon Sep 17 00:00:00 2001 From: Kevin Stubbings Date: Wed, 16 Jul 2025 06:12:45 +0000 Subject: [PATCH 0041/1955] Update go path sanitizers and sinks --- .../2025-07-15-path-injection-sanitizers.md | 4 ++++ go/ql/lib/ext/os.model.yml | 1 - .../query-tests/Security/CWE-022/TaintedPath.expected | 10 +++++----- go/ql/test/query-tests/Security/CWE-022/TaintedPath.go | 5 +++-- 4 files changed, 12 insertions(+), 8 deletions(-) create mode 100644 go/ql/lib/change-notes/2025-07-15-path-injection-sanitizers.md diff --git a/go/ql/lib/change-notes/2025-07-15-path-injection-sanitizers.md b/go/ql/lib/change-notes/2025-07-15-path-injection-sanitizers.md new file mode 100644 index 00000000000..e4ff7224ad2 --- /dev/null +++ b/go/ql/lib/change-notes/2025-07-15-path-injection-sanitizers.md @@ -0,0 +1,4 @@ +--- +category: minorAnalysis +--- +* Remove model`CreateTemp` function, from the `os` package, as a path-injection sink due to proper sanitization by Go. Add check for `os.PathSeparator` in sanitizers for path-injection query. \ No newline at end of file diff --git a/go/ql/lib/ext/os.model.yml b/go/ql/lib/ext/os.model.yml index b4f074146b7..66316b4ff35 100644 --- a/go/ql/lib/ext/os.model.yml +++ b/go/ql/lib/ext/os.model.yml @@ -28,7 +28,6 @@ extensions: - ["os", "", False, "ReadDir", "", "", "Argument[0]", "path-injection", "manual"] - ["os", "", False, "ReadFile", "", "", "Argument[0]", "path-injection", "manual"] - ["os", "", False, "MkdirTemp", "", "", "Argument[0..1]", "path-injection", "manual"] - - ["os", "", False, "CreateTemp", "", "", "Argument[0..1]", "path-injection", "manual"] - ["os", "", False, "WriteFile", "", "", "Argument[0]", "path-injection", "manual"] # command-injection - ["os", "", False, "StartProcess", "", "", "Argument[0]", "command-injection", "manual"] diff --git a/go/ql/test/query-tests/Security/CWE-022/TaintedPath.expected b/go/ql/test/query-tests/Security/CWE-022/TaintedPath.expected index 839d35f663c..fc6e39f697d 100644 --- a/go/ql/test/query-tests/Security/CWE-022/TaintedPath.expected +++ b/go/ql/test/query-tests/Security/CWE-022/TaintedPath.expected @@ -1,14 +1,14 @@ #select | TaintedPath.go:17:29:17:40 | tainted_path | TaintedPath.go:14:18:14:22 | selection of URL | TaintedPath.go:17:29:17:40 | tainted_path | This path depends on a $@. | TaintedPath.go:14:18:14:22 | selection of URL | user-provided value | | TaintedPath.go:21:28:21:69 | call to Join | TaintedPath.go:14:18:14:22 | selection of URL | TaintedPath.go:21:28:21:69 | call to Join | This path depends on a $@. | TaintedPath.go:14:18:14:22 | selection of URL | user-provided value | -| TaintedPath.go:68:28:68:57 | call to Clean | TaintedPath.go:14:18:14:22 | selection of URL | TaintedPath.go:68:28:68:57 | call to Clean | This path depends on a $@. | TaintedPath.go:14:18:14:22 | selection of URL | user-provided value | +| TaintedPath.go:69:28:69:57 | call to Clean | TaintedPath.go:14:18:14:22 | selection of URL | TaintedPath.go:69:28:69:57 | call to Clean | This path depends on a $@. | TaintedPath.go:14:18:14:22 | selection of URL | user-provided value | edges | TaintedPath.go:14:18:14:22 | selection of URL | TaintedPath.go:14:18:14:30 | call to Query | provenance | Src:MaD:2 MaD:3 | | TaintedPath.go:14:18:14:30 | call to Query | TaintedPath.go:17:29:17:40 | tainted_path | provenance | Sink:MaD:1 | | TaintedPath.go:14:18:14:30 | call to Query | TaintedPath.go:21:57:21:68 | tainted_path | provenance | | -| TaintedPath.go:14:18:14:30 | call to Query | TaintedPath.go:68:39:68:56 | ...+... | provenance | | +| TaintedPath.go:14:18:14:30 | call to Query | TaintedPath.go:69:39:69:56 | ...+... | provenance | | | TaintedPath.go:21:57:21:68 | tainted_path | TaintedPath.go:21:28:21:69 | call to Join | provenance | FunctionModel Sink:MaD:1 | -| TaintedPath.go:68:39:68:56 | ...+... | TaintedPath.go:68:28:68:57 | call to Clean | provenance | MaD:4 Sink:MaD:1 | +| TaintedPath.go:69:39:69:56 | ...+... | TaintedPath.go:69:28:69:57 | call to Clean | provenance | MaD:4 Sink:MaD:1 | models | 1 | Sink: io/ioutil; ; false; ReadFile; ; ; Argument[0]; path-injection; manual | | 2 | Source: net/http; Request; true; URL; ; ; ; remote; manual | @@ -20,6 +20,6 @@ nodes | TaintedPath.go:17:29:17:40 | tainted_path | semmle.label | tainted_path | | TaintedPath.go:21:28:21:69 | call to Join | semmle.label | call to Join | | TaintedPath.go:21:57:21:68 | tainted_path | semmle.label | tainted_path | -| TaintedPath.go:68:28:68:57 | call to Clean | semmle.label | call to Clean | -| TaintedPath.go:68:39:68:56 | ...+... | semmle.label | ...+... | +| TaintedPath.go:69:28:69:57 | call to Clean | semmle.label | call to Clean | +| TaintedPath.go:69:39:69:56 | ...+... | semmle.label | ...+... | subpaths diff --git a/go/ql/test/query-tests/Security/CWE-022/TaintedPath.go b/go/ql/test/query-tests/Security/CWE-022/TaintedPath.go index e6a1c49f4c5..99b3a29741b 100644 --- a/go/ql/test/query-tests/Security/CWE-022/TaintedPath.go +++ b/go/ql/test/query-tests/Security/CWE-022/TaintedPath.go @@ -8,8 +8,8 @@ import ( "path/filepath" "regexp" "strings" + "os" ) - func handler(w http.ResponseWriter, r *http.Request) { tainted_path := r.URL.Query()["path"][0] @@ -58,9 +58,10 @@ func handler(w http.ResponseWriter, r *http.Request) { w.Write(data) } - // GOOD: Sanitized by filepath.Clean with a prepended '/' forcing interpretation + // GOOD: Sanitized by filepath.Clean with a prepended '/' or os.PathSeparator forcing interpretation // as an absolute path, so that Clean will throw away any leading `..` components. data, _ = ioutil.ReadFile(filepath.Clean("/" + tainted_path)) + data, _ = ioutil.ReadFile(filepath.Clean(string(os.PathSeparator) + tainted_path)) w.Write(data) // BAD: Sanitized by path.Clean with a prepended '/' forcing interpretation From f86152d3bd45e57cd2b64aacd7bd28e3c3317ebb Mon Sep 17 00:00:00 2001 From: Kevin Stubbings Date: Wed, 16 Jul 2025 21:27:33 +0000 Subject: [PATCH 0042/1955] Add sanitizer changes and fix test --- .../2025-07-15-path-injection-sanitizers.md | 2 +- .../go/security/TaintedPathCustomizations.qll | 9 +++++- .../Security/CWE-022/TaintedPath.expected | 32 +++++++++---------- .../Security/CWE-022/TaintedPath.go | 9 ++++-- 4 files changed, 32 insertions(+), 20 deletions(-) diff --git a/go/ql/lib/change-notes/2025-07-15-path-injection-sanitizers.md b/go/ql/lib/change-notes/2025-07-15-path-injection-sanitizers.md index e4ff7224ad2..69596cf98d9 100644 --- a/go/ql/lib/change-notes/2025-07-15-path-injection-sanitizers.md +++ b/go/ql/lib/change-notes/2025-07-15-path-injection-sanitizers.md @@ -1,4 +1,4 @@ --- category: minorAnalysis --- -* Remove model`CreateTemp` function, from the `os` package, as a path-injection sink due to proper sanitization by Go. Add check for `os.PathSeparator` in sanitizers for path-injection query. \ No newline at end of file +* Remove model `CreateTemp` function, from the `os` package, as a path-injection sink due to proper sanitization by Go. Add check for `os.PathSeparator` in sanitizers for path-injection query. \ No newline at end of file diff --git a/go/ql/lib/semmle/go/security/TaintedPathCustomizations.qll b/go/ql/lib/semmle/go/security/TaintedPathCustomizations.qll index df601ce1eb8..760de2d9c54 100644 --- a/go/ql/lib/semmle/go/security/TaintedPathCustomizations.qll +++ b/go/ql/lib/semmle/go/security/TaintedPathCustomizations.qll @@ -87,7 +87,14 @@ module TaintedPath { exists(DataFlow::CallNode cleanCall, StringOps::Concatenation concatNode | cleanCall = any(Function f | f.hasQualifiedName("path/filepath", "Clean")).getACall() and concatNode = cleanCall.getArgument(0) and - concatNode.getOperand(0).asExpr().(StringLit).getValue() = "/" and + ( + concatNode.getOperand(0).asExpr().(StringLit).getValue() = "/" + or + exists(DeclaredConstant dc | + dc.hasQualifiedName("os", "PathSeparator") and + dc.getAReference() = concatNode.getOperand(0).asExpr().getAChildExpr*() + ) + ) and this = cleanCall.getResult() ) } diff --git a/go/ql/test/query-tests/Security/CWE-022/TaintedPath.expected b/go/ql/test/query-tests/Security/CWE-022/TaintedPath.expected index fc6e39f697d..f5d86e68dbc 100644 --- a/go/ql/test/query-tests/Security/CWE-022/TaintedPath.expected +++ b/go/ql/test/query-tests/Security/CWE-022/TaintedPath.expected @@ -1,25 +1,25 @@ #select -| TaintedPath.go:17:29:17:40 | tainted_path | TaintedPath.go:14:18:14:22 | selection of URL | TaintedPath.go:17:29:17:40 | tainted_path | This path depends on a $@. | TaintedPath.go:14:18:14:22 | selection of URL | user-provided value | -| TaintedPath.go:21:28:21:69 | call to Join | TaintedPath.go:14:18:14:22 | selection of URL | TaintedPath.go:21:28:21:69 | call to Join | This path depends on a $@. | TaintedPath.go:14:18:14:22 | selection of URL | user-provided value | -| TaintedPath.go:69:28:69:57 | call to Clean | TaintedPath.go:14:18:14:22 | selection of URL | TaintedPath.go:69:28:69:57 | call to Clean | This path depends on a $@. | TaintedPath.go:14:18:14:22 | selection of URL | user-provided value | +| TaintedPath.go:18:29:18:40 | tainted_path | TaintedPath.go:15:18:15:22 | selection of URL | TaintedPath.go:18:29:18:40 | tainted_path | This path depends on a $@. | TaintedPath.go:15:18:15:22 | selection of URL | user-provided value | +| TaintedPath.go:22:28:22:69 | call to Join | TaintedPath.go:15:18:15:22 | selection of URL | TaintedPath.go:22:28:22:69 | call to Join | This path depends on a $@. | TaintedPath.go:15:18:15:22 | selection of URL | user-provided value | +| TaintedPath.go:74:28:74:57 | call to Clean | TaintedPath.go:15:18:15:22 | selection of URL | TaintedPath.go:74:28:74:57 | call to Clean | This path depends on a $@. | TaintedPath.go:15:18:15:22 | selection of URL | user-provided value | edges -| TaintedPath.go:14:18:14:22 | selection of URL | TaintedPath.go:14:18:14:30 | call to Query | provenance | Src:MaD:2 MaD:3 | -| TaintedPath.go:14:18:14:30 | call to Query | TaintedPath.go:17:29:17:40 | tainted_path | provenance | Sink:MaD:1 | -| TaintedPath.go:14:18:14:30 | call to Query | TaintedPath.go:21:57:21:68 | tainted_path | provenance | | -| TaintedPath.go:14:18:14:30 | call to Query | TaintedPath.go:69:39:69:56 | ...+... | provenance | | -| TaintedPath.go:21:57:21:68 | tainted_path | TaintedPath.go:21:28:21:69 | call to Join | provenance | FunctionModel Sink:MaD:1 | -| TaintedPath.go:69:39:69:56 | ...+... | TaintedPath.go:69:28:69:57 | call to Clean | provenance | MaD:4 Sink:MaD:1 | +| TaintedPath.go:15:18:15:22 | selection of URL | TaintedPath.go:15:18:15:30 | call to Query | provenance | Src:MaD:2 MaD:3 | +| TaintedPath.go:15:18:15:30 | call to Query | TaintedPath.go:18:29:18:40 | tainted_path | provenance | Sink:MaD:1 | +| TaintedPath.go:15:18:15:30 | call to Query | TaintedPath.go:22:57:22:68 | tainted_path | provenance | | +| TaintedPath.go:15:18:15:30 | call to Query | TaintedPath.go:74:39:74:56 | ...+... | provenance | | +| TaintedPath.go:22:57:22:68 | tainted_path | TaintedPath.go:22:28:22:69 | call to Join | provenance | FunctionModel Sink:MaD:1 | +| TaintedPath.go:74:39:74:56 | ...+... | TaintedPath.go:74:28:74:57 | call to Clean | provenance | MaD:4 Sink:MaD:1 | models | 1 | Sink: io/ioutil; ; false; ReadFile; ; ; Argument[0]; path-injection; manual | | 2 | Source: net/http; Request; true; URL; ; ; ; remote; manual | | 3 | Summary: net/url; URL; true; Query; ; ; Argument[receiver]; ReturnValue; taint; manual | | 4 | Summary: path; ; false; Clean; ; ; Argument[0]; ReturnValue; taint; manual | nodes -| TaintedPath.go:14:18:14:22 | selection of URL | semmle.label | selection of URL | -| TaintedPath.go:14:18:14:30 | call to Query | semmle.label | call to Query | -| TaintedPath.go:17:29:17:40 | tainted_path | semmle.label | tainted_path | -| TaintedPath.go:21:28:21:69 | call to Join | semmle.label | call to Join | -| TaintedPath.go:21:57:21:68 | tainted_path | semmle.label | tainted_path | -| TaintedPath.go:69:28:69:57 | call to Clean | semmle.label | call to Clean | -| TaintedPath.go:69:39:69:56 | ...+... | semmle.label | ...+... | +| TaintedPath.go:15:18:15:22 | selection of URL | semmle.label | selection of URL | +| TaintedPath.go:15:18:15:30 | call to Query | semmle.label | call to Query | +| TaintedPath.go:18:29:18:40 | tainted_path | semmle.label | tainted_path | +| TaintedPath.go:22:28:22:69 | call to Join | semmle.label | call to Join | +| TaintedPath.go:22:57:22:68 | tainted_path | semmle.label | tainted_path | +| TaintedPath.go:74:28:74:57 | call to Clean | semmle.label | call to Clean | +| TaintedPath.go:74:39:74:56 | ...+... | semmle.label | ...+... | subpaths diff --git a/go/ql/test/query-tests/Security/CWE-022/TaintedPath.go b/go/ql/test/query-tests/Security/CWE-022/TaintedPath.go index 99b3a29741b..3949d8408a1 100644 --- a/go/ql/test/query-tests/Security/CWE-022/TaintedPath.go +++ b/go/ql/test/query-tests/Security/CWE-022/TaintedPath.go @@ -4,12 +4,13 @@ import ( "io/ioutil" "mime/multipart" "net/http" + "os" "path" "path/filepath" "regexp" "strings" - "os" ) + func handler(w http.ResponseWriter, r *http.Request) { tainted_path := r.URL.Query()["path"][0] @@ -58,9 +59,13 @@ func handler(w http.ResponseWriter, r *http.Request) { w.Write(data) } - // GOOD: Sanitized by filepath.Clean with a prepended '/' or os.PathSeparator forcing interpretation + // GOOD: Sanitized by filepath.Clean with a prepended '/' forcing interpretation // as an absolute path, so that Clean will throw away any leading `..` components. data, _ = ioutil.ReadFile(filepath.Clean("/" + tainted_path)) + w.Write(data) + + // GOOD: Sanitized by filepath.Clean with a prepended os.PathSeparator forcing interpretation + // as an absolute path, so that Clean will throw away any leading `..` components. data, _ = ioutil.ReadFile(filepath.Clean(string(os.PathSeparator) + tainted_path)) w.Write(data) From e0d16a863bb7ec749386741f527f99075d9359e8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= Date: Wed, 16 Jul 2025 11:07:21 +0200 Subject: [PATCH 0043/1955] [DIFF-INFORMED] Go: AllocationSizeOverflow https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/go/ql/src/Security/CWE-190/AllocationSizeOverflow.ql#L24 --- .../lib/semmle/go/security/AllocationSizeOverflow.qll | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/go/ql/lib/semmle/go/security/AllocationSizeOverflow.qll b/go/ql/lib/semmle/go/security/AllocationSizeOverflow.qll index 9531e279812..079ab35ee36 100644 --- a/go/ql/lib/semmle/go/security/AllocationSizeOverflow.qll +++ b/go/ql/lib/semmle/go/security/AllocationSizeOverflow.qll @@ -56,6 +56,17 @@ module AllocationSizeOverflow { succ = c ) } + + predicate observeDiffInformedIncrementalMode() { any() } + + Location getASelectedSinkLocation(DataFlow::Node sink) { + result = sink.getLocation() + or + exists(DataFlow::Node allocsz | + isSinkWithAllocationSize(sink, allocsz) and + result = allocsz.getLocation() + ) + } } /** Tracks taint flow to find allocation-size overflows. */ From 89f760460b303eeb400569d7ecc78297e456bc38 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= Date: Wed, 16 Jul 2025 11:08:18 +0200 Subject: [PATCH 0044/1955] [DIFF-INFORMED] Go: CommandInjection https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/go/ql/src/Security/CWE-078/CommandInjection.ql#L28 --- go/ql/lib/semmle/go/security/CommandInjection.qll | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/go/ql/lib/semmle/go/security/CommandInjection.qll b/go/ql/lib/semmle/go/security/CommandInjection.qll index 7dc6f3991fc..1774d77af54 100644 --- a/go/ql/lib/semmle/go/security/CommandInjection.qll +++ b/go/ql/lib/semmle/go/security/CommandInjection.qll @@ -24,6 +24,8 @@ module CommandInjection { } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** @@ -80,6 +82,8 @@ module CommandInjection { node instanceof Sanitizer or node = any(ArgumentArrayWithDoubleDash array).getASanitizedElement() } + + predicate observeDiffInformedIncrementalMode() { any() } } /** From 109f6ddc2d0b56407c9c9fb7c591da2322ee745a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= Date: Wed, 16 Jul 2025 11:09:28 +0200 Subject: [PATCH 0045/1955] [DIFF-INFORMED] Go: ExternalAPIs https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/go/ql/src/Security/CWE-020/UntrustedDataToExternalAPI.ql#L18 --- go/ql/lib/semmle/go/security/ExternalAPIs.qll | 2 ++ 1 file changed, 2 insertions(+) diff --git a/go/ql/lib/semmle/go/security/ExternalAPIs.qll b/go/ql/lib/semmle/go/security/ExternalAPIs.qll index 4a561c17136..f85f939258f 100644 --- a/go/ql/lib/semmle/go/security/ExternalAPIs.qll +++ b/go/ql/lib/semmle/go/security/ExternalAPIs.qll @@ -186,6 +186,8 @@ private module UntrustedDataConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode } + + predicate observeDiffInformedIncrementalMode() { any() } } /** From f228818b1f537af85bb77596d697244879dae5b3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= Date: Wed, 16 Jul 2025 11:21:26 +0200 Subject: [PATCH 0046/1955] [DIFF-INFORMED] Go: HardcodedCredentials https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/go/ql/src/Security/CWE-798/HardcodedCredentials.ql#L62 --- go/ql/lib/semmle/go/security/HardcodedCredentials.qll | 2 ++ 1 file changed, 2 insertions(+) diff --git a/go/ql/lib/semmle/go/security/HardcodedCredentials.qll b/go/ql/lib/semmle/go/security/HardcodedCredentials.qll index 0be50fc2306..877a2b4570e 100644 --- a/go/ql/lib/semmle/go/security/HardcodedCredentials.qll +++ b/go/ql/lib/semmle/go/security/HardcodedCredentials.qll @@ -30,6 +30,8 @@ module HardcodedCredentials { predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** Tracks taint flow for reasoning about hardcoded credentials. */ From ce7eb9b16a23d66f480c2665336033237d4334e9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= Date: Wed, 16 Jul 2025 11:23:10 +0200 Subject: [PATCH 0047/1955] [DIFF-INFORMED] Go: IncorrectIntegerConversion https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/go/ql/src/Security/CWE-681/IncorrectIntegerConversionQuery.ql#L23 --- .../semmle/go/security/IncorrectIntegerConversionLib.qll | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/go/ql/lib/semmle/go/security/IncorrectIntegerConversionLib.qll b/go/ql/lib/semmle/go/security/IncorrectIntegerConversionLib.qll index 9125ab6e400..7864205d1dc 100644 --- a/go/ql/lib/semmle/go/security/IncorrectIntegerConversionLib.qll +++ b/go/ql/lib/semmle/go/security/IncorrectIntegerConversionLib.qll @@ -440,6 +440,12 @@ private module ConversionWithoutBoundsCheckConfig implements DataFlow::StateConf state2 = node2.(FlowStateTransformer).transform(state1) and DataFlow::simpleLocalFlowStep(node1, node2, _) } + + predicate observeDiffInformedIncrementalMode() { any() } + + Location getASelectedSinkLocation(DataFlow::Node sink) { + result = sink.getASuccessor().getLocation() + } } /** From 4b473622bc26de3809d62335c5d5cb5ba9dfdba8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= Date: Wed, 16 Jul 2025 11:24:18 +0200 Subject: [PATCH 0048/1955] [DIFF-INFORMED] Go: InsecureRandomness https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/go/ql/src/Security/CWE-338/InsecureRandomness.ql#L19 --- go/ql/lib/semmle/go/security/InsecureRandomness.qll | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/go/ql/lib/semmle/go/security/InsecureRandomness.qll b/go/ql/lib/semmle/go/security/InsecureRandomness.qll index 83746f7b96e..4dac659eabf 100644 --- a/go/ql/lib/semmle/go/security/InsecureRandomness.qll +++ b/go/ql/lib/semmle/go/security/InsecureRandomness.qll @@ -39,6 +39,10 @@ module InsecureRandomness { n2.getType() instanceof IntegerType ) } + + predicate observeDiffInformedIncrementalMode() { + none() // Can't have accurate sink location override because of secondary use of `flowPath` in select. + } } /** From 8c8625d9129128ad2dd83582872c8a4d4d09a1a6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= Date: Wed, 16 Jul 2025 11:26:12 +0200 Subject: [PATCH 0049/1955] [DIFF-INFORMED] Go: ReflectedXss https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/go/ql/src/Security/CWE-079/ReflectedXss.ql#L23 --- go/ql/lib/semmle/go/security/ReflectedXss.qll | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/go/ql/lib/semmle/go/security/ReflectedXss.qll b/go/ql/lib/semmle/go/security/ReflectedXss.qll index 1068c6fae3d..35501269cc1 100644 --- a/go/ql/lib/semmle/go/security/ReflectedXss.qll +++ b/go/ql/lib/semmle/go/security/ReflectedXss.qll @@ -22,6 +22,14 @@ module ReflectedXss { predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } + + Location getASelectedSinkLocation(DataFlow::Node sink) { + result = sink.getLocation() + or + result = sink.(SharedXss::Sink).getAssociatedLoc().getLocation() + } } /** Tracks taint flow from untrusted data to XSS attack vectors. */ From d6ef585110ee1d7abf3caa519f69939b68efde13 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= Date: Wed, 16 Jul 2025 11:33:38 +0200 Subject: [PATCH 0050/1955] [DIFF-INFORMED] Go: RequestForgery, SafeUrlFlow https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/go/ql/src/Security/CWE-918/RequestForgery.ql#L21 https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/go/ql/src/Security/CWE-601/OpenUrlRedirect.ql#L24 --- go/ql/lib/semmle/go/security/RequestForgery.qll | 8 ++++++++ go/ql/lib/semmle/go/security/SafeUrlFlow.qll | 4 ++++ 2 files changed, 12 insertions(+) diff --git a/go/ql/lib/semmle/go/security/RequestForgery.qll b/go/ql/lib/semmle/go/security/RequestForgery.qll index bdf26a1f18f..176b67403e6 100644 --- a/go/ql/lib/semmle/go/security/RequestForgery.qll +++ b/go/ql/lib/semmle/go/security/RequestForgery.qll @@ -31,6 +31,14 @@ module RequestForgery { w.writesField(v.getAUse(), f, pred) and succ = v.getAUse() ) } + + predicate observeDiffInformedIncrementalMode() { any() } + + Location getASelectedSinkLocation(DataFlow::Node sink) { + result = sink.getLocation() + or + result = sink.(Sink).getARequest().getLocation() + } } /** Tracks taint flow from untrusted data to request forgery attack vectors. */ diff --git a/go/ql/lib/semmle/go/security/SafeUrlFlow.qll b/go/ql/lib/semmle/go/security/SafeUrlFlow.qll index d74e2156a60..77b7aeda591 100644 --- a/go/ql/lib/semmle/go/security/SafeUrlFlow.qll +++ b/go/ql/lib/semmle/go/security/SafeUrlFlow.qll @@ -36,6 +36,10 @@ module SafeUrlFlow { or node instanceof SanitizerEdge } + + predicate observeDiffInformedIncrementalMode() { + none() // only used as secondary configuration + } } /** Tracks taint flow for reasoning about safe URLs. */ From 19b373aa904e45472a98f58ffdfb911713513bf1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= Date: Wed, 16 Jul 2025 11:36:52 +0200 Subject: [PATCH 0051/1955] [DIFF-INFORMED] Go: SensitiveConditionBypass https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/go/ql/src/experimental/CWE-807/SensitiveConditionBypass.ql#L33 --- .../src/experimental/CWE-807/SensitiveConditionBypass.qll | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/go/ql/src/experimental/CWE-807/SensitiveConditionBypass.qll b/go/ql/src/experimental/CWE-807/SensitiveConditionBypass.qll index 2f2ca94fa87..33e6c6c0144 100644 --- a/go/ql/src/experimental/CWE-807/SensitiveConditionBypass.qll +++ b/go/ql/src/experimental/CWE-807/SensitiveConditionBypass.qll @@ -59,6 +59,14 @@ private module Config implements DataFlow::ConfigSig { not c.isPotentialFalsePositive() ) } + + predicate observeDiffInformedIncrementalMode() { any() } + + Location getASelectedSourceLocation(DataFlow::Node source) { none() } + + Location getASelectedSinkLocation(DataFlow::Node sink) { + exists(ComparisonExpr comp | result = comp.getLocation() | sink.asExpr() = comp.getAnOperand()) + } } /** From 7bd6703f1974a224126c846fd785fbe5129e7c91 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= Date: Wed, 16 Jul 2025 11:37:34 +0200 Subject: [PATCH 0052/1955] [DIFF-INFORMED] Go: ConditionalBypass --- go/ql/src/experimental/CWE-840/ConditionalBypass.ql | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/go/ql/src/experimental/CWE-840/ConditionalBypass.ql b/go/ql/src/experimental/CWE-840/ConditionalBypass.ql index b70be1ff42d..64f7c3c9ac2 100644 --- a/go/ql/src/experimental/CWE-840/ConditionalBypass.ql +++ b/go/ql/src/experimental/CWE-840/ConditionalBypass.ql @@ -22,6 +22,10 @@ module Config implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { exists(ComparisonExpr c | c.getAnOperand() = sink.asExpr()) } + + predicate observeDiffInformedIncrementalMode() { + none() // can't override the locations accurately because of secondary use of config. + } } /** Tracks taint flow for reasoning about conditional bypass. */ From a1fe72c423570dc437ce1cbd9671ad2bdf792bc3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= Date: Wed, 16 Jul 2025 11:39:05 +0200 Subject: [PATCH 0053/1955] [DIFF-INFORMED] Go: SSRF https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/go/ql/src/experimental/CWE-918/SSRF.ql#L23 --- go/ql/src/experimental/CWE-918/SSRF.qll | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/go/ql/src/experimental/CWE-918/SSRF.qll b/go/ql/src/experimental/CWE-918/SSRF.qll index b1374da8a5f..05abe7bf8e4 100644 --- a/go/ql/src/experimental/CWE-918/SSRF.qll +++ b/go/ql/src/experimental/CWE-918/SSRF.qll @@ -30,6 +30,14 @@ module ServerSideRequestForgery { predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } predicate isBarrierOut(DataFlow::Node node) { node instanceof SanitizerEdge } + + predicate observeDiffInformedIncrementalMode() { any() } + + Location getASelectedSourceLocation(DataFlow::Node source) { none() } + + Location getASelectedSinkLocation(DataFlow::Node sink) { + result = sink.(Sink).getARequest().getLocation() + } } /** Tracks taint flow for reasoning about request forgery vulnerabilities. */ From 7b759f44f817b99d085cb01e641a91309ef2b0fe Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= Date: Wed, 16 Jul 2025 11:43:28 +0200 Subject: [PATCH 0054/1955] [DIFF-INFORMED] Go: AuthCookie https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/go/ql/src/experimental/CWE-1004/CookieWithoutHttpOnly.ql#L97 --- go/ql/src/experimental/CWE-1004/AuthCookie.qll | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/go/ql/src/experimental/CWE-1004/AuthCookie.qll b/go/ql/src/experimental/CWE-1004/AuthCookie.qll index 411da5a79fa..b16f09ac185 100644 --- a/go/ql/src/experimental/CWE-1004/AuthCookie.qll +++ b/go/ql/src/experimental/CWE-1004/AuthCookie.qll @@ -116,6 +116,12 @@ private module BoolToGinSetCookieTrackingConfig implements DataFlow::ConfigSig { ) ) } + + predicate observeDiffInformedIncrementalMode() { + any() // Merged with other flows in CookieWithoutHttpOnly.ql + } + + Location getASelectedSourceLocation(DataFlow::Node source) { none() } } /** From 188fc0d933adad0f658def161788762540819cdf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= Date: Wed, 16 Jul 2025 11:44:30 +0200 Subject: [PATCH 0055/1955] [DIFF-INFORMED] Go: UnhandledCloseWritableHandle --- .../src/InconsistentCode/UnhandledCloseWritableHandle.ql | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/go/ql/src/InconsistentCode/UnhandledCloseWritableHandle.ql b/go/ql/src/InconsistentCode/UnhandledCloseWritableHandle.ql index d3210c48011..3fd09ac040e 100644 --- a/go/ql/src/InconsistentCode/UnhandledCloseWritableHandle.ql +++ b/go/ql/src/InconsistentCode/UnhandledCloseWritableHandle.ql @@ -128,6 +128,14 @@ module UnhandledFileCloseConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { isWritableFileHandle(source, _) } predicate isSink(DataFlow::Node sink) { isCloseSink(sink, _) } + + predicate observeDiffInformedIncrementalMode() { any() } + + Location getASelectedSourceLocation(DataFlow::Node source) { + exists(DataFlow::CallNode openCall | result = openCall.getLocation() | + isWritableFileHandle(source, openCall) + ) + } } /** From b4010ac2b4df41803e9f632d5811e39fca4096f8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= Date: Wed, 16 Jul 2025 11:44:56 +0200 Subject: [PATCH 0056/1955] [DIFF-INFORMED] Go: InsecureHostKeyCallback --- go/ql/src/Security/CWE-322/InsecureHostKeyCallback.ql | 2 ++ 1 file changed, 2 insertions(+) diff --git a/go/ql/src/Security/CWE-322/InsecureHostKeyCallback.ql b/go/ql/src/Security/CWE-322/InsecureHostKeyCallback.ql index c0b5898601c..5fef1900713 100644 --- a/go/ql/src/Security/CWE-322/InsecureHostKeyCallback.ql +++ b/go/ql/src/Security/CWE-322/InsecureHostKeyCallback.ql @@ -68,6 +68,8 @@ module Config implements DataFlow::ConfigSig { } predicate isSink(DataFlow::Node sink) { writeIsSink(sink, _) } + + predicate observeDiffInformedIncrementalMode() { any() } } /** From 8824677e87972a758b183bdd2ba616f0174744d9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= Date: Wed, 16 Jul 2025 11:45:25 +0200 Subject: [PATCH 0057/1955] [DIFF-INFORMED] Go: BadRedirectCheck --- go/ql/src/Security/CWE-601/BadRedirectCheck.ql | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/go/ql/src/Security/CWE-601/BadRedirectCheck.ql b/go/ql/src/Security/CWE-601/BadRedirectCheck.ql index bc60e1339eb..7b4cc9f99fc 100644 --- a/go/ql/src/Security/CWE-601/BadRedirectCheck.ql +++ b/go/ql/src/Security/CWE-601/BadRedirectCheck.ql @@ -123,6 +123,17 @@ module Config implements DataFlow::ConfigSig { } predicate isSink(DataFlow::Node sink) { sink instanceof OpenUrlRedirect::Sink } + + predicate observeDiffInformedIncrementalMode() { any() } + + Location getASelectedSourceLocation(DataFlow::Node source) { + result = source.getLocation() + or + exists(DataFlow::Node check | + isCheckedSource(source, check) and + result = check.getLocation() + ) + } } module Flow = TaintTracking::Global; From 9408a96ba53f62b9588e8c844946a908ad8ff146 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= Date: Tue, 15 Jul 2025 11:25:17 +0200 Subject: [PATCH 0058/1955] [TEST] Python: TimingAttackAgainstHash: add qlref test to existing source (TODO: add source with true positive) --- .../TimingAttackAgainstHash.expected | 12 ++++++++++++ .../TimingAttackAgainstHash.qlref | 1 + 2 files changed, 13 insertions(+) create mode 100644 python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstHash/TimingAttackAgainstHash.expected create mode 100644 python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstHash/TimingAttackAgainstHash.qlref diff --git a/python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstHash/TimingAttackAgainstHash.expected b/python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstHash/TimingAttackAgainstHash.expected new file mode 100644 index 00000000000..0b7b2de8ddb --- /dev/null +++ b/python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstHash/TimingAttackAgainstHash.expected @@ -0,0 +1,12 @@ +edges +| TimingAttackAgainstHash.py:26:5:26:13 | ControlFlowNode for signature | TimingAttackAgainstHash.py:27:24:27:32 | ControlFlowNode for signature | provenance | | +| TimingAttackAgainstHash.py:26:17:26:41 | ControlFlowNode for Attribute() | TimingAttackAgainstHash.py:26:5:26:13 | ControlFlowNode for signature | provenance | | +| TimingAttackAgainstHash.py:30:12:30:47 | ControlFlowNode for Attribute() | TimingAttackAgainstHash.py:37:19:37:48 | ControlFlowNode for sign() | provenance | | +nodes +| TimingAttackAgainstHash.py:26:5:26:13 | ControlFlowNode for signature | semmle.label | ControlFlowNode for signature | +| TimingAttackAgainstHash.py:26:17:26:41 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | +| TimingAttackAgainstHash.py:27:24:27:32 | ControlFlowNode for signature | semmle.label | ControlFlowNode for signature | +| TimingAttackAgainstHash.py:30:12:30:47 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() | +| TimingAttackAgainstHash.py:37:19:37:48 | ControlFlowNode for sign() | semmle.label | ControlFlowNode for sign() | +subpaths +#select diff --git a/python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstHash/TimingAttackAgainstHash.qlref b/python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstHash/TimingAttackAgainstHash.qlref new file mode 100644 index 00000000000..50c9d84b1f9 --- /dev/null +++ b/python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstHash/TimingAttackAgainstHash.qlref @@ -0,0 +1 @@ +experimental/Security/CWE-208/TimingAttackAgainstHash/TimingAttackAgainstHash.ql From 20030d56a528757bca76b07589c11e46ef03271e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= Date: Wed, 16 Jul 2025 16:24:38 +0200 Subject: [PATCH 0059/1955] [DIFF-INFORMED] Python: (Possible)TimingAttackAgainstHash --- .../PossibleTimingAttackAgainstHash.ql | 4 +++- .../TimingAttackAgainstHash/TimingAttackAgainstHash.ql | 6 ++++-- .../PossibleTimingAttackAgainstHash.expected | 4 ++-- 3 files changed, 9 insertions(+), 5 deletions(-) diff --git a/python/ql/src/experimental/Security/CWE-208/TimingAttackAgainstHash/PossibleTimingAttackAgainstHash.ql b/python/ql/src/experimental/Security/CWE-208/TimingAttackAgainstHash/PossibleTimingAttackAgainstHash.ql index 82ba11c1d4b..c57373f4863 100644 --- a/python/ql/src/experimental/Security/CWE-208/TimingAttackAgainstHash/PossibleTimingAttackAgainstHash.ql +++ b/python/ql/src/experimental/Security/CWE-208/TimingAttackAgainstHash/PossibleTimingAttackAgainstHash.ql @@ -26,6 +26,8 @@ private module PossibleTimingAttackAgainstHashConfig implements DataFlow::Config predicate isSource(DataFlow::Node source) { source instanceof ProduceCryptoCall } predicate isSink(DataFlow::Node sink) { sink instanceof NonConstantTimeComparisonSink } + + predicate observeDiffInformedIncrementalMode() { any() } } module PossibleTimingAttackAgainstHashFlow = @@ -38,4 +40,4 @@ from PossibleTimingAttackAgainstHashFlow::PathNode sink where PossibleTimingAttackAgainstHashFlow::flowPath(source, sink) select sink.getNode(), source, sink, "Possible Timing attack against $@ validation.", - source.getNode().(ProduceCryptoCall).getResultType(), "message" + source.getNode(), source.getNode().(ProduceCryptoCall).getResultType() + " message" diff --git a/python/ql/src/experimental/Security/CWE-208/TimingAttackAgainstHash/TimingAttackAgainstHash.ql b/python/ql/src/experimental/Security/CWE-208/TimingAttackAgainstHash/TimingAttackAgainstHash.ql index e08f1dbb517..d97f6c619f9 100644 --- a/python/ql/src/experimental/Security/CWE-208/TimingAttackAgainstHash/TimingAttackAgainstHash.ql +++ b/python/ql/src/experimental/Security/CWE-208/TimingAttackAgainstHash/TimingAttackAgainstHash.ql @@ -25,6 +25,8 @@ private module TimingAttackAgainstHashConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { source instanceof ProduceCryptoCall } predicate isSink(DataFlow::Node sink) { sink instanceof NonConstantTimeComparisonSink } + + predicate observeDiffInformedIncrementalMode() { any() } } module TimingAttackAgainstHashFlow = TaintTracking::Global; @@ -35,5 +37,5 @@ from TimingAttackAgainstHashFlow::PathNode source, TimingAttackAgainstHashFlow:: where TimingAttackAgainstHashFlow::flowPath(source, sink) and sink.getNode().(NonConstantTimeComparisonSink).includesUserInput() -select sink.getNode(), source, sink, "Timing attack against $@ validation.", - source.getNode().(ProduceCryptoCall).getResultType(), "message" +select sink.getNode(), source, sink, "Timing attack against $@ validation.", source.getNode(), + source.getNode().(ProduceCryptoCall).getResultType() + " message" diff --git a/python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstHash/PossibleTimingAttackAgainstHash.expected b/python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstHash/PossibleTimingAttackAgainstHash.expected index 8846e908798..1577182b2dc 100644 --- a/python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstHash/PossibleTimingAttackAgainstHash.expected +++ b/python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstHash/PossibleTimingAttackAgainstHash.expected @@ -10,5 +10,5 @@ nodes | TimingAttackAgainstHash.py:37:19:37:48 | ControlFlowNode for sign() | semmle.label | ControlFlowNode for sign() | subpaths #select -| TimingAttackAgainstHash.py:27:24:27:32 | ControlFlowNode for signature | TimingAttackAgainstHash.py:26:17:26:41 | ControlFlowNode for Attribute() | TimingAttackAgainstHash.py:27:24:27:32 | ControlFlowNode for signature | Possible Timing attack against $@ validation. | signature | message | -| TimingAttackAgainstHash.py:37:19:37:48 | ControlFlowNode for sign() | TimingAttackAgainstHash.py:30:12:30:47 | ControlFlowNode for Attribute() | TimingAttackAgainstHash.py:37:19:37:48 | ControlFlowNode for sign() | Possible Timing attack against $@ validation. | MAC | message | +| TimingAttackAgainstHash.py:27:24:27:32 | ControlFlowNode for signature | TimingAttackAgainstHash.py:26:17:26:41 | ControlFlowNode for Attribute() | TimingAttackAgainstHash.py:27:24:27:32 | ControlFlowNode for signature | Possible Timing attack against $@ validation. | TimingAttackAgainstHash.py:26:17:26:41 | ControlFlowNode for Attribute() | signature message | +| TimingAttackAgainstHash.py:37:19:37:48 | ControlFlowNode for sign() | TimingAttackAgainstHash.py:30:12:30:47 | ControlFlowNode for Attribute() | TimingAttackAgainstHash.py:37:19:37:48 | ControlFlowNode for sign() | Possible Timing attack against $@ validation. | TimingAttackAgainstHash.py:30:12:30:47 | ControlFlowNode for Attribute() | MAC message | From a39cb401777d693be6c3cb63220251f27f6c5174 Mon Sep 17 00:00:00 2001 From: Jami Cogswell Date: Wed, 9 Jul 2025 16:43:27 -0400 Subject: [PATCH 0060/1955] Java: copy out of experimental --- .../InsecureSpringActuatorConfig.qhelp | 47 +++++++ .../InsecureSpringActuatorConfig.ql | 121 ++++++++++++++++++ .../application.properties | 22 ++++ .../InsecureSpringActuatorConfig/pom_bad.xml | 50 ++++++++ .../InsecureSpringActuatorConfig/pom_good.xml | 50 ++++++++ .../InsecureSpringActuatorConfig.expected | 1 + .../InsecureSpringActuatorConfig.qlref | 1 + .../SensitiveInfo.java | 13 ++ .../application.properties | 14 ++ .../InsecureSpringActuatorConfig/options | 1 + .../InsecureSpringActuatorConfig/pom.xml | 47 +++++++ 11 files changed, 367 insertions(+) create mode 100644 java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.qhelp create mode 100644 java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.ql create mode 100644 java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/application.properties create mode 100644 java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/pom_bad.xml create mode 100644 java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/pom_good.xml create mode 100644 java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.expected create mode 100644 java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.qlref create mode 100644 java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/SensitiveInfo.java create mode 100644 java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/application.properties create mode 100644 java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/options create mode 100644 java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/pom.xml diff --git a/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.qhelp b/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.qhelp new file mode 100644 index 00000000000..7e31b43ba7a --- /dev/null +++ b/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.qhelp @@ -0,0 +1,47 @@ + + + +

    Spring Boot is a popular framework that facilitates the development of stand-alone applications +and micro services. Spring Boot Actuator helps to expose production-ready support features against +Spring Boot applications.

    + +

    Endpoints of Spring Boot Actuator allow to monitor and interact with a Spring Boot application. +Exposing unprotected actuator endpoints through configuration files can lead to information disclosure +or even remote code execution vulnerability.

    + +

    Rather than programmatically permitting endpoint requests or enforcing access control, frequently +developers simply leave management endpoints publicly accessible in the application configuration file +application.properties without enforcing access control through Spring Security.

    +     + + +

    Declare the Spring Boot Starter Security module in XML configuration or programmatically enforce +security checks on management endpoints using Spring Security. Otherwise accessing management endpoints +on a different HTTP port other than the port that the web application is listening on also helps to +improve the security.

    +     + + +

    The following examples show both 'BAD' and 'GOOD' configurations. In the 'BAD' configuration, +no security module is declared and sensitive management endpoints are exposed. In the 'GOOD' configuration, +security is enforced and only endpoints requiring exposure are exposed.

    + + + +     + + +
  • + Spring Boot documentation: + Spring Boot Actuator: Production-ready Features +
    • +
  • + VERACODE Blog: + Exploiting Spring Boot Actuators +
    • +
  • + HackerOne Report: + Spring Actuator endpoints publicly available, leading to account takeover +
    • +     +     diff --git a/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.ql b/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.ql new file mode 100644 index 00000000000..b21aa82e8ba --- /dev/null +++ b/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.ql @@ -0,0 +1,121 @@ +/** + * @name Insecure Spring Boot Actuator Configuration + * @description Exposed Spring Boot Actuator through configuration files without declarative or procedural + * security enforcement leads to information leak or even remote code execution. + * @kind problem + * @problem.severity error + * @precision high + * @id java/insecure-spring-actuator-config + * @tags security + * experimental + * external/cwe/cwe-016 + */ + +/* + * Note this query requires properties files to be indexed before it can produce results. + * If creating your own database with the CodeQL CLI, you should run + * `codeql database index-files --language=properties ...` + * If using lgtm.com, you should add `properties_files: true` to the index block of your + * lgtm.yml file (see https://lgtm.com/help/lgtm/java-extraction) + */ + +import java +import semmle.code.configfiles.ConfigFiles +import semmle.code.xml.MavenPom + +/** The parent node of the `org.springframework.boot` group. */ +class SpringBootParent extends Parent { + SpringBootParent() { this.getGroup().getValue() = "org.springframework.boot" } +} + +/** Class of Spring Boot dependencies. */ +class SpringBootPom extends Pom { + SpringBootPom() { this.getParentElement() instanceof SpringBootParent } + + /** Holds if the Spring Boot Actuator module `spring-boot-starter-actuator` is used in the project. */ + predicate isSpringBootActuatorUsed() { + this.getADependency().getArtifact().getValue() = "spring-boot-starter-actuator" + } + + /** + * Holds if the Spring Boot Security module is used in the project, which brings in other security + * related libraries. + */ + predicate isSpringBootSecurityUsed() { + this.getADependency().getArtifact().getValue() = "spring-boot-starter-security" + } +} + +/** The properties file `application.properties`. */ +class ApplicationProperties extends ConfigPair { + ApplicationProperties() { this.getFile().getBaseName() = "application.properties" } +} + +/** The configuration property `management.security.enabled`. */ +class ManagementSecurityConfig extends ApplicationProperties { + ManagementSecurityConfig() { this.getNameElement().getName() = "management.security.enabled" } + + /** Gets the whitespace-trimmed value of this property. */ + string getValue() { result = this.getValueElement().getValue().trim() } + + /** Holds if `management.security.enabled` is set to `false`. */ + predicate hasSecurityDisabled() { this.getValue() = "false" } + + /** Holds if `management.security.enabled` is set to `true`. */ + predicate hasSecurityEnabled() { this.getValue() = "true" } +} + +/** The configuration property `management.endpoints.web.exposure.include`. */ +class ManagementEndPointInclude extends ApplicationProperties { + ManagementEndPointInclude() { + this.getNameElement().getName() = "management.endpoints.web.exposure.include" + } + + /** Gets the whitespace-trimmed value of this property. */ + string getValue() { result = this.getValueElement().getValue().trim() } +} + +/** + * Holds if `ApplicationProperties` ap of a repository managed by `SpringBootPom` pom + * has a vulnerable configuration of Spring Boot Actuator management endpoints. + */ +predicate hasConfidentialEndPointExposed(SpringBootPom pom, ApplicationProperties ap) { + pom.isSpringBootActuatorUsed() and + not pom.isSpringBootSecurityUsed() and + ap.getFile() + .getParentContainer() + .getAbsolutePath() + .matches(pom.getFile().getParentContainer().getAbsolutePath() + "%") and // in the same sub-directory + exists(string springBootVersion | springBootVersion = pom.getParentElement().getVersionString() | + springBootVersion.regexpMatch("1\\.[0-4].*") and // version 1.0, 1.1, ..., 1.4 + not exists(ManagementSecurityConfig me | + me.hasSecurityEnabled() and me.getFile() = ap.getFile() + ) + or + springBootVersion.matches("1.5%") and // version 1.5 + exists(ManagementSecurityConfig me | me.hasSecurityDisabled() and me.getFile() = ap.getFile()) + or + springBootVersion.matches("2.%") and //version 2.x + exists(ManagementEndPointInclude mi | + mi.getFile() = ap.getFile() and + ( + mi.getValue() = "*" // all endpoints are enabled + or + mi.getValue() + .matches([ + "%dump%", "%trace%", "%logfile%", "%shutdown%", "%startup%", "%mappings%", "%env%", + "%beans%", "%sessions%" + ]) // confidential endpoints to check although all endpoints apart from '/health' and '/info' are considered sensitive by Spring + ) + ) + ) +} + +deprecated query predicate problems(Dependency d, string message) { + exists(SpringBootPom pom | + hasConfidentialEndPointExposed(pom, _) and + d = pom.getADependency() and + d.getArtifact().getValue() = "spring-boot-starter-actuator" + ) and + message = "Insecure configuration of Spring Boot Actuator exposes sensitive endpoints." +} diff --git a/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/application.properties b/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/application.properties new file mode 100644 index 00000000000..441d752508c --- /dev/null +++ b/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/application.properties @@ -0,0 +1,22 @@ +#management.endpoints.web.base-path=/admin + + +#### BAD: All management endpoints are accessible #### +# vulnerable configuration (spring boot 1.0 - 1.4): exposes actuators by default + +# vulnerable configuration (spring boot 1.5+): requires value false to expose sensitive actuators +management.security.enabled=false + +# vulnerable configuration (spring boot 2+): exposes health and info only by default, here overridden to expose everything +management.endpoints.web.exposure.include=* + + +#### GOOD: All management endpoints have access control #### +# safe configuration (spring boot 1.0 - 1.4): exposes actuators by default +management.security.enabled=true + +# safe configuration (spring boot 1.5+): requires value false to expose sensitive actuators +management.security.enabled=true + +# safe configuration (spring boot 2+): exposes health and info only by default, here overridden to expose one additional endpoint which we assume is intentional and safe. +management.endpoints.web.exposure.include=beans,info,health diff --git a/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/pom_bad.xml b/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/pom_bad.xml new file mode 100644 index 00000000000..6bca2829ac4 --- /dev/null +++ b/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/pom_bad.xml @@ -0,0 +1,50 @@ + + + 4.0.0 + + spring-boot-actuator-app + spring-boot-actuator-app + 1.0-SNAPSHOT + + + UTF-8 + 1.8 + 1.8 + + + + org.springframework.boot + spring-boot-starter-parent + 2.3.8.RELEASE + + + + + + org.springframework.boot + spring-boot-starter-web + + + org.springframework.boot + spring-boot-starter-actuator + + + org.springframework.boot + spring-boot-devtools + + + + + + + org.springframework.boot + spring-boot-test + + + + diff --git a/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/pom_good.xml b/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/pom_good.xml new file mode 100644 index 00000000000..03bc257f5bd --- /dev/null +++ b/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/pom_good.xml @@ -0,0 +1,50 @@ + + + 4.0.0 + + spring-boot-actuator-app + spring-boot-actuator-app + 1.0-SNAPSHOT + + + UTF-8 + 1.8 + 1.8 + + + + org.springframework.boot + spring-boot-starter-parent + 2.3.8.RELEASE + + + + + + org.springframework.boot + spring-boot-starter-web + + + org.springframework.boot + spring-boot-starter-actuator + + + org.springframework.boot + spring-boot-devtools + + + + + org.springframework.boot + spring-boot-starter-security + + + + org.springframework.boot + spring-boot-test + + + + diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.expected b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.expected new file mode 100644 index 00000000000..48630293985 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.expected @@ -0,0 +1 @@ +| pom.xml:29:9:32:22 | dependency | Insecure configuration of Spring Boot Actuator exposes sensitive endpoints. | diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.qlref b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.qlref new file mode 100644 index 00000000000..ada54d34dc1 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.qlref @@ -0,0 +1 @@ +experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/SensitiveInfo.java b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/SensitiveInfo.java new file mode 100644 index 00000000000..a3ff69c1b81 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/SensitiveInfo.java @@ -0,0 +1,13 @@ +import org.springframework.stereotype.Controller; +import org.springframework.web.bind.annotation.RequestParam; +import org.springframework.web.bind.annotation.RequestMapping; + +@Controller +public class SensitiveInfo { + @RequestMapping + public void handleLogin(@RequestParam String username, @RequestParam String password) throws Exception { + if (!username.equals("") && password.equals("")) { + //Blank processing + } + } +} \ No newline at end of file diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/application.properties b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/application.properties new file mode 100644 index 00000000000..797906a3ca3 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/application.properties @@ -0,0 +1,14 @@ +#management.endpoints.web.base-path=/admin + +# vulnerable configuration (spring boot 1.0 - 1.4): exposes actuators by default + +# vulnerable configuration (spring boot 1.5+): requires value false to expose sensitive actuators +management.security.enabled=false + +# vulnerable configuration (spring boot 2+): exposes health and info only by default, here overridden to expose everything +management.endpoints.web.exposure.include=* +management.endpoints.web.exposure.exclude=beans + +management.endpoint.shutdown.enabled=true + +management.endpoint.health.show-details=when_authorized \ No newline at end of file diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/options b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/options new file mode 100644 index 00000000000..2ce7a4743cd --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/options @@ -0,0 +1 @@ +//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.8.x diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/pom.xml b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/pom.xml new file mode 100644 index 00000000000..a9d5fa920c8 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/pom.xml @@ -0,0 +1,47 @@ + + + 4.0.0 + + spring-boot-actuator-app + spring-boot-actuator-app + 1.0-SNAPSHOT + + + UTF-8 + 1.8 + 1.8 + + + + org.springframework.boot + spring-boot-starter-parent + 2.3.8.RELEASE + + + + + + org.springframework.boot + spring-boot-starter-web + + + org.springframework.boot + spring-boot-starter-actuator + + + org.springframework.boot + spring-boot-devtools + + + + org.springframework.boot + spring-boot-test + + + + \ No newline at end of file From 0dbddbdf0f5787d8ea92bc6f6132447a110b5b91 Mon Sep 17 00:00:00 2001 From: Jami Cogswell Date: Wed, 9 Jul 2025 16:46:30 -0400 Subject: [PATCH 0061/1955] Java: remove experimental files --- .../InsecureSpringActuatorConfig.qhelp | 47 ------- .../CWE-016/InsecureSpringActuatorConfig.ql | 121 ------------------ .../CWE/CWE-016/application.properties | 22 ---- .../Security/CWE/CWE-016/pom_bad.xml | 50 -------- .../Security/CWE/CWE-016/pom_good.xml | 50 -------- .../InsecureSpringActuatorConfig.expected | 1 - .../InsecureSpringActuatorConfig.qlref | 1 - .../security/CWE-016/SensitiveInfo.java | 13 -- .../security/CWE-016/application.properties | 14 -- .../query-tests/security/CWE-016/options | 1 - .../query-tests/security/CWE-016/pom.xml | 47 ------- 11 files changed, 367 deletions(-) delete mode 100644 java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.qhelp delete mode 100644 java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql delete mode 100644 java/ql/src/experimental/Security/CWE/CWE-016/application.properties delete mode 100644 java/ql/src/experimental/Security/CWE/CWE-016/pom_bad.xml delete mode 100644 java/ql/src/experimental/Security/CWE/CWE-016/pom_good.xml delete mode 100644 java/ql/test/experimental/query-tests/security/CWE-016/InsecureSpringActuatorConfig.expected delete mode 100644 java/ql/test/experimental/query-tests/security/CWE-016/InsecureSpringActuatorConfig.qlref delete mode 100644 java/ql/test/experimental/query-tests/security/CWE-016/SensitiveInfo.java delete mode 100644 java/ql/test/experimental/query-tests/security/CWE-016/application.properties delete mode 100644 java/ql/test/experimental/query-tests/security/CWE-016/options delete mode 100644 java/ql/test/experimental/query-tests/security/CWE-016/pom.xml diff --git a/java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.qhelp b/java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.qhelp deleted file mode 100644 index e201156728a..00000000000 --- a/java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.qhelp +++ /dev/null @@ -1,47 +0,0 @@ - - - -

    Spring Boot is a popular framework that facilitates the development of stand-alone applications -and micro services. Spring Boot Actuator helps to expose production-ready support features against -Spring Boot applications.

    - -

    Endpoints of Spring Boot Actuator allow to monitor and interact with a Spring Boot application. -Exposing unprotected actuator endpoints through configuration files can lead to information disclosure -or even remote code execution vulnerability.

    - -

    Rather than programmatically permitting endpoint requests or enforcing access control, frequently -developers simply leave management endpoints publicly accessible in the application configuration file -application.properties without enforcing access control through Spring Security.

    -     - - -

    Declare the Spring Boot Starter Security module in XML configuration or programmatically enforce -security checks on management endpoints using Spring Security. Otherwise accessing management endpoints -on a different HTTP port other than the port that the web application is listening on also helps to -improve the security.

    -     - - -

    The following examples show both 'BAD' and 'GOOD' configurations. In the 'BAD' configuration, -no security module is declared and sensitive management endpoints are exposed. In the 'GOOD' configuration, -security is enforced and only endpoints requiring exposure are exposed.

    - - - -     - - -
  • - Spring Boot documentation: - Spring Boot Actuator: Production-ready Features -
    • -
  • - VERACODE Blog: - Exploiting Spring Boot Actuators -
    • -
  • - HackerOne Report: - Spring Actuator endpoints publicly available, leading to account takeover -
    • -     -     diff --git a/java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql b/java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql deleted file mode 100644 index b21aa82e8ba..00000000000 --- a/java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql +++ /dev/null @@ -1,121 +0,0 @@ -/** - * @name Insecure Spring Boot Actuator Configuration - * @description Exposed Spring Boot Actuator through configuration files without declarative or procedural - * security enforcement leads to information leak or even remote code execution. - * @kind problem - * @problem.severity error - * @precision high - * @id java/insecure-spring-actuator-config - * @tags security - * experimental - * external/cwe/cwe-016 - */ - -/* - * Note this query requires properties files to be indexed before it can produce results. - * If creating your own database with the CodeQL CLI, you should run - * `codeql database index-files --language=properties ...` - * If using lgtm.com, you should add `properties_files: true` to the index block of your - * lgtm.yml file (see https://lgtm.com/help/lgtm/java-extraction) - */ - -import java -import semmle.code.configfiles.ConfigFiles -import semmle.code.xml.MavenPom - -/** The parent node of the `org.springframework.boot` group. */ -class SpringBootParent extends Parent { - SpringBootParent() { this.getGroup().getValue() = "org.springframework.boot" } -} - -/** Class of Spring Boot dependencies. */ -class SpringBootPom extends Pom { - SpringBootPom() { this.getParentElement() instanceof SpringBootParent } - - /** Holds if the Spring Boot Actuator module `spring-boot-starter-actuator` is used in the project. */ - predicate isSpringBootActuatorUsed() { - this.getADependency().getArtifact().getValue() = "spring-boot-starter-actuator" - } - - /** - * Holds if the Spring Boot Security module is used in the project, which brings in other security - * related libraries. - */ - predicate isSpringBootSecurityUsed() { - this.getADependency().getArtifact().getValue() = "spring-boot-starter-security" - } -} - -/** The properties file `application.properties`. */ -class ApplicationProperties extends ConfigPair { - ApplicationProperties() { this.getFile().getBaseName() = "application.properties" } -} - -/** The configuration property `management.security.enabled`. */ -class ManagementSecurityConfig extends ApplicationProperties { - ManagementSecurityConfig() { this.getNameElement().getName() = "management.security.enabled" } - - /** Gets the whitespace-trimmed value of this property. */ - string getValue() { result = this.getValueElement().getValue().trim() } - - /** Holds if `management.security.enabled` is set to `false`. */ - predicate hasSecurityDisabled() { this.getValue() = "false" } - - /** Holds if `management.security.enabled` is set to `true`. */ - predicate hasSecurityEnabled() { this.getValue() = "true" } -} - -/** The configuration property `management.endpoints.web.exposure.include`. */ -class ManagementEndPointInclude extends ApplicationProperties { - ManagementEndPointInclude() { - this.getNameElement().getName() = "management.endpoints.web.exposure.include" - } - - /** Gets the whitespace-trimmed value of this property. */ - string getValue() { result = this.getValueElement().getValue().trim() } -} - -/** - * Holds if `ApplicationProperties` ap of a repository managed by `SpringBootPom` pom - * has a vulnerable configuration of Spring Boot Actuator management endpoints. - */ -predicate hasConfidentialEndPointExposed(SpringBootPom pom, ApplicationProperties ap) { - pom.isSpringBootActuatorUsed() and - not pom.isSpringBootSecurityUsed() and - ap.getFile() - .getParentContainer() - .getAbsolutePath() - .matches(pom.getFile().getParentContainer().getAbsolutePath() + "%") and // in the same sub-directory - exists(string springBootVersion | springBootVersion = pom.getParentElement().getVersionString() | - springBootVersion.regexpMatch("1\\.[0-4].*") and // version 1.0, 1.1, ..., 1.4 - not exists(ManagementSecurityConfig me | - me.hasSecurityEnabled() and me.getFile() = ap.getFile() - ) - or - springBootVersion.matches("1.5%") and // version 1.5 - exists(ManagementSecurityConfig me | me.hasSecurityDisabled() and me.getFile() = ap.getFile()) - or - springBootVersion.matches("2.%") and //version 2.x - exists(ManagementEndPointInclude mi | - mi.getFile() = ap.getFile() and - ( - mi.getValue() = "*" // all endpoints are enabled - or - mi.getValue() - .matches([ - "%dump%", "%trace%", "%logfile%", "%shutdown%", "%startup%", "%mappings%", "%env%", - "%beans%", "%sessions%" - ]) // confidential endpoints to check although all endpoints apart from '/health' and '/info' are considered sensitive by Spring - ) - ) - ) -} - -deprecated query predicate problems(Dependency d, string message) { - exists(SpringBootPom pom | - hasConfidentialEndPointExposed(pom, _) and - d = pom.getADependency() and - d.getArtifact().getValue() = "spring-boot-starter-actuator" - ) and - message = "Insecure configuration of Spring Boot Actuator exposes sensitive endpoints." -} diff --git a/java/ql/src/experimental/Security/CWE/CWE-016/application.properties b/java/ql/src/experimental/Security/CWE/CWE-016/application.properties deleted file mode 100644 index 4f5defdd948..00000000000 --- a/java/ql/src/experimental/Security/CWE/CWE-016/application.properties +++ /dev/null @@ -1,22 +0,0 @@ -#management.endpoints.web.base-path=/admin - - -#### BAD: All management endpoints are accessible #### -# vulnerable configuration (spring boot 1.0 - 1.4): exposes actuators by default - -# vulnerable configuration (spring boot 1.5+): requires value false to expose sensitive actuators -management.security.enabled=false - -# vulnerable configuration (spring boot 2+): exposes health and info only by default, here overridden to expose everything -management.endpoints.web.exposure.include=* - - -#### GOOD: All management endpoints have access control #### -# safe configuration (spring boot 1.0 - 1.4): exposes actuators by default -management.security.enabled=true - -# safe configuration (spring boot 1.5+): requires value false to expose sensitive actuators -management.security.enabled=true - -# safe configuration (spring boot 2+): exposes health and info only by default, here overridden to expose one additional endpoint which we assume is intentional and safe. -management.endpoints.web.exposure.include=beans,info,health diff --git a/java/ql/src/experimental/Security/CWE/CWE-016/pom_bad.xml b/java/ql/src/experimental/Security/CWE/CWE-016/pom_bad.xml deleted file mode 100644 index 9dd5c9c188b..00000000000 --- a/java/ql/src/experimental/Security/CWE/CWE-016/pom_bad.xml +++ /dev/null @@ -1,50 +0,0 @@ - - - 4.0.0 - - spring-boot-actuator-app - spring-boot-actuator-app - 1.0-SNAPSHOT - - - UTF-8 - 1.8 - 1.8 - - - - org.springframework.boot - spring-boot-starter-parent - 2.3.8.RELEASE - - - - - - org.springframework.boot - spring-boot-starter-web - - - org.springframework.boot - spring-boot-starter-actuator - - - org.springframework.boot - spring-boot-devtools - - - - - - - org.springframework.boot - spring-boot-test - - - - \ No newline at end of file diff --git a/java/ql/src/experimental/Security/CWE/CWE-016/pom_good.xml b/java/ql/src/experimental/Security/CWE/CWE-016/pom_good.xml deleted file mode 100644 index 89f577f21e5..00000000000 --- a/java/ql/src/experimental/Security/CWE/CWE-016/pom_good.xml +++ /dev/null @@ -1,50 +0,0 @@ - - - 4.0.0 - - spring-boot-actuator-app - spring-boot-actuator-app - 1.0-SNAPSHOT - - - UTF-8 - 1.8 - 1.8 - - - - org.springframework.boot - spring-boot-starter-parent - 2.3.8.RELEASE - - - - - - org.springframework.boot - spring-boot-starter-web - - - org.springframework.boot - spring-boot-starter-actuator - - - org.springframework.boot - spring-boot-devtools - - - - - org.springframework.boot - spring-boot-starter-security - - - - org.springframework.boot - spring-boot-test - - - - \ No newline at end of file diff --git a/java/ql/test/experimental/query-tests/security/CWE-016/InsecureSpringActuatorConfig.expected b/java/ql/test/experimental/query-tests/security/CWE-016/InsecureSpringActuatorConfig.expected deleted file mode 100644 index 48630293985..00000000000 --- a/java/ql/test/experimental/query-tests/security/CWE-016/InsecureSpringActuatorConfig.expected +++ /dev/null @@ -1 +0,0 @@ -| pom.xml:29:9:32:22 | dependency | Insecure configuration of Spring Boot Actuator exposes sensitive endpoints. | diff --git a/java/ql/test/experimental/query-tests/security/CWE-016/InsecureSpringActuatorConfig.qlref b/java/ql/test/experimental/query-tests/security/CWE-016/InsecureSpringActuatorConfig.qlref deleted file mode 100644 index 9cd12d5e4fb..00000000000 --- a/java/ql/test/experimental/query-tests/security/CWE-016/InsecureSpringActuatorConfig.qlref +++ /dev/null @@ -1 +0,0 @@ -experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql \ No newline at end of file diff --git a/java/ql/test/experimental/query-tests/security/CWE-016/SensitiveInfo.java b/java/ql/test/experimental/query-tests/security/CWE-016/SensitiveInfo.java deleted file mode 100644 index a3ff69c1b81..00000000000 --- a/java/ql/test/experimental/query-tests/security/CWE-016/SensitiveInfo.java +++ /dev/null @@ -1,13 +0,0 @@ -import org.springframework.stereotype.Controller; -import org.springframework.web.bind.annotation.RequestParam; -import org.springframework.web.bind.annotation.RequestMapping; - -@Controller -public class SensitiveInfo { - @RequestMapping - public void handleLogin(@RequestParam String username, @RequestParam String password) throws Exception { - if (!username.equals("") && password.equals("")) { - //Blank processing - } - } -} \ No newline at end of file diff --git a/java/ql/test/experimental/query-tests/security/CWE-016/application.properties b/java/ql/test/experimental/query-tests/security/CWE-016/application.properties deleted file mode 100644 index 797906a3ca3..00000000000 --- a/java/ql/test/experimental/query-tests/security/CWE-016/application.properties +++ /dev/null @@ -1,14 +0,0 @@ -#management.endpoints.web.base-path=/admin - -# vulnerable configuration (spring boot 1.0 - 1.4): exposes actuators by default - -# vulnerable configuration (spring boot 1.5+): requires value false to expose sensitive actuators -management.security.enabled=false - -# vulnerable configuration (spring boot 2+): exposes health and info only by default, here overridden to expose everything -management.endpoints.web.exposure.include=* -management.endpoints.web.exposure.exclude=beans - -management.endpoint.shutdown.enabled=true - -management.endpoint.health.show-details=when_authorized \ No newline at end of file diff --git a/java/ql/test/experimental/query-tests/security/CWE-016/options b/java/ql/test/experimental/query-tests/security/CWE-016/options deleted file mode 100644 index 2ce7a4743cd..00000000000 --- a/java/ql/test/experimental/query-tests/security/CWE-016/options +++ /dev/null @@ -1 +0,0 @@ -//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.8.x diff --git a/java/ql/test/experimental/query-tests/security/CWE-016/pom.xml b/java/ql/test/experimental/query-tests/security/CWE-016/pom.xml deleted file mode 100644 index a9d5fa920c8..00000000000 --- a/java/ql/test/experimental/query-tests/security/CWE-016/pom.xml +++ /dev/null @@ -1,47 +0,0 @@ - - - 4.0.0 - - spring-boot-actuator-app - spring-boot-actuator-app - 1.0-SNAPSHOT - - - UTF-8 - 1.8 - 1.8 - - - - org.springframework.boot - spring-boot-starter-parent - 2.3.8.RELEASE - - - - - - org.springframework.boot - spring-boot-starter-web - - - org.springframework.boot - spring-boot-starter-actuator - - - org.springframework.boot - spring-boot-devtools - - - - org.springframework.boot - spring-boot-test - - - - \ No newline at end of file From 38260e76bfa271483123f330a644153b7ae5ef26 Mon Sep 17 00:00:00 2001 From: Jami Cogswell Date: Thu, 10 Jul 2025 10:07:05 -0400 Subject: [PATCH 0062/1955] Java: remove deprecation --- .../InsecureSpringActuatorConfig.ql | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.ql b/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.ql index b21aa82e8ba..800fc6db564 100644 --- a/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.ql +++ b/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.ql @@ -111,11 +111,9 @@ predicate hasConfidentialEndPointExposed(SpringBootPom pom, ApplicationPropertie ) } -deprecated query predicate problems(Dependency d, string message) { - exists(SpringBootPom pom | - hasConfidentialEndPointExposed(pom, _) and - d = pom.getADependency() and - d.getArtifact().getValue() = "spring-boot-starter-actuator" - ) and - message = "Insecure configuration of Spring Boot Actuator exposes sensitive endpoints." -} +from SpringBootPom pom, ApplicationProperties ap, Dependency d +where + hasConfidentialEndPointExposed(pom, ap) and + d = pom.getADependency() and + d.getArtifact().getValue() = "spring-boot-starter-actuator" +select d, "Insecure configuration of Spring Boot Actuator exposes sensitive endpoints." From fc930d918463721587fdc02f1a494493e26a8487 Mon Sep 17 00:00:00 2001 From: Jami Cogswell Date: Thu, 10 Jul 2025 10:32:02 -0400 Subject: [PATCH 0063/1955] Java: update tests for non-experimental directory --- .../InsecureSpringActuatorConfig.qlref | 2 +- .../CWE-200/semmle/tests/InsecureSpringActuatorConfig/options | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.qlref b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.qlref index ada54d34dc1..bf30c44df85 100644 --- a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.qlref +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.qlref @@ -1 +1 @@ -experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql +Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.ql diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/options b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/options index 2ce7a4743cd..ab29fd4e46f 100644 --- a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/options +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/options @@ -1 +1 @@ -//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.8.x +//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../../stubs/springframework-5.8.x From ed8da5e151d29c127f0e099590af62ac6d310477 Mon Sep 17 00:00:00 2001 From: Jami Cogswell Date: Mon, 14 Jul 2025 11:59:29 -0400 Subject: [PATCH 0064/1955] Java: convert tests to inline expectations --- .../InsecureSpringActuatorConfig.qlref | 3 ++- .../CWE-200/semmle/tests/InsecureSpringActuatorConfig/pom.xml | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.qlref b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.qlref index bf30c44df85..b826de8eed3 100644 --- a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.qlref +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.ql +query: Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/pom.xml b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/pom.xml index a9d5fa920c8..105309271f8 100644 --- a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/pom.xml +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/pom.xml @@ -29,7 +29,7 @@ org.springframework.boot spring-boot-starter-actuator - + org.springframework.boot spring-boot-devtools From b479f5c8dcbfc7e0cce817833496e076b0a9d2c3 Mon Sep 17 00:00:00 2001 From: Jami Cogswell Date: Mon, 14 Jul 2025 10:06:24 -0400 Subject: [PATCH 0065/1955] Java: fix integration tests --- .../java/query-suite/java-code-scanning.qls.expected | 1 + .../java/query-suite/java-security-and-quality.qls.expected | 1 + .../java/query-suite/java-security-extended.qls.expected | 1 + .../java/query-suite/not_included_in_qls.expected | 1 - 4 files changed, 3 insertions(+), 1 deletion(-) diff --git a/java/ql/integration-tests/java/query-suite/java-code-scanning.qls.expected b/java/ql/integration-tests/java/query-suite/java-code-scanning.qls.expected index 3290e0d84b0..90b5b7ca491 100644 --- a/java/ql/integration-tests/java/query-suite/java-code-scanning.qls.expected +++ b/java/ql/integration-tests/java/query-suite/java-code-scanning.qls.expected @@ -26,6 +26,7 @@ ql/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.ql ql/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql ql/java/ql/src/Security/CWE/CWE-1204/StaticInitializationVector.ql ql/java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatString.ql +ql/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.ql ql/java/ql/src/Security/CWE/CWE-200/SpringBootActuators.ql ql/java/ql/src/Security/CWE/CWE-209/SensitiveDataExposureThroughErrorMessage.ql ql/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql diff --git a/java/ql/integration-tests/java/query-suite/java-security-and-quality.qls.expected b/java/ql/integration-tests/java/query-suite/java-security-and-quality.qls.expected index f4317f8e2a5..b203ea23a62 100644 --- a/java/ql/integration-tests/java/query-suite/java-security-and-quality.qls.expected +++ b/java/ql/integration-tests/java/query-suite/java-security-and-quality.qls.expected @@ -142,6 +142,7 @@ ql/java/ql/src/Security/CWE/CWE-200/AndroidSensitiveNotifications.ql ql/java/ql/src/Security/CWE/CWE-200/AndroidSensitiveTextField.ql ql/java/ql/src/Security/CWE/CWE-200/AndroidWebViewSettingsAllowsContentAccess.ql ql/java/ql/src/Security/CWE/CWE-200/AndroidWebViewSettingsFileAccess.ql +ql/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.ql ql/java/ql/src/Security/CWE/CWE-200/SpringBootActuators.ql ql/java/ql/src/Security/CWE/CWE-200/TempDirLocalInformationDisclosure.ql ql/java/ql/src/Security/CWE/CWE-209/SensitiveDataExposureThroughErrorMessage.ql diff --git a/java/ql/integration-tests/java/query-suite/java-security-extended.qls.expected b/java/ql/integration-tests/java/query-suite/java-security-extended.qls.expected index 209777cf4d9..c7dac907a96 100644 --- a/java/ql/integration-tests/java/query-suite/java-security-extended.qls.expected +++ b/java/ql/integration-tests/java/query-suite/java-security-extended.qls.expected @@ -45,6 +45,7 @@ ql/java/ql/src/Security/CWE/CWE-200/AndroidSensitiveNotifications.ql ql/java/ql/src/Security/CWE/CWE-200/AndroidSensitiveTextField.ql ql/java/ql/src/Security/CWE/CWE-200/AndroidWebViewSettingsAllowsContentAccess.ql ql/java/ql/src/Security/CWE/CWE-200/AndroidWebViewSettingsFileAccess.ql +ql/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.ql ql/java/ql/src/Security/CWE/CWE-200/SpringBootActuators.ql ql/java/ql/src/Security/CWE/CWE-200/TempDirLocalInformationDisclosure.ql ql/java/ql/src/Security/CWE/CWE-209/SensitiveDataExposureThroughErrorMessage.ql diff --git a/java/ql/integration-tests/java/query-suite/not_included_in_qls.expected b/java/ql/integration-tests/java/query-suite/not_included_in_qls.expected index 1f58e51ad80..304c0387323 100644 --- a/java/ql/integration-tests/java/query-suite/not_included_in_qls.expected +++ b/java/ql/integration-tests/java/query-suite/not_included_in_qls.expected @@ -196,7 +196,6 @@ ql/java/ql/src/Violations of Best Practice/legacy/ParameterAssignment.ql ql/java/ql/src/Violations of Best Practice/legacy/UnnecessaryCast.ql ql/java/ql/src/Violations of Best Practice/legacy/UnnecessaryImport.ql ql/java/ql/src/definitions.ql -ql/java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql ql/java/ql/src/experimental/Security/CWE/CWE-020/Log4jJndiInjection.ql ql/java/ql/src/experimental/Security/CWE/CWE-036/OpenStream.ql ql/java/ql/src/experimental/Security/CWE/CWE-073/FilePathInjection.ql From 1b90a30d458aec0aee191ae3a6acbccb0a6b0eab Mon Sep 17 00:00:00 2001 From: Jami Cogswell Date: Tue, 15 Jul 2025 11:13:02 -0400 Subject: [PATCH 0066/1955] Java: move code to .qll file --- .../SpringBootActuatorsConfigQuery.qll | 93 ++++++++++++++++++ .../InsecureSpringActuatorConfig.ql | 98 +------------------ 2 files changed, 94 insertions(+), 97 deletions(-) create mode 100644 java/ql/lib/semmle/code/java/security/SpringBootActuatorsConfigQuery.qll diff --git a/java/ql/lib/semmle/code/java/security/SpringBootActuatorsConfigQuery.qll b/java/ql/lib/semmle/code/java/security/SpringBootActuatorsConfigQuery.qll new file mode 100644 index 00000000000..5cf54f3436c --- /dev/null +++ b/java/ql/lib/semmle/code/java/security/SpringBootActuatorsConfigQuery.qll @@ -0,0 +1,93 @@ +/** Provides classes and predicates to reason about Spring Boot actuators exposed in configuration files. */ + +import java +private import semmle.code.configfiles.ConfigFiles +private import semmle.code.xml.MavenPom + +/** The parent node of the `org.springframework.boot` group. */ +class SpringBootParent extends Parent { + SpringBootParent() { this.getGroup().getValue() = "org.springframework.boot" } +} + +/** Class of Spring Boot dependencies. */ +class SpringBootPom extends Pom { + SpringBootPom() { this.getParentElement() instanceof SpringBootParent } + + /** Holds if the Spring Boot Actuator module `spring-boot-starter-actuator` is used in the project. */ + predicate isSpringBootActuatorUsed() { + this.getADependency().getArtifact().getValue() = "spring-boot-starter-actuator" + } + + /** + * Holds if the Spring Boot Security module is used in the project, which brings in other security + * related libraries. + */ + predicate isSpringBootSecurityUsed() { + this.getADependency().getArtifact().getValue() = "spring-boot-starter-security" + } +} + +/** The properties file `application.properties`. */ +class ApplicationProperties extends ConfigPair { + ApplicationProperties() { this.getFile().getBaseName() = "application.properties" } +} + +/** The configuration property `management.security.enabled`. */ +class ManagementSecurityConfig extends ApplicationProperties { + ManagementSecurityConfig() { this.getNameElement().getName() = "management.security.enabled" } + + /** Gets the whitespace-trimmed value of this property. */ + string getValue() { result = this.getValueElement().getValue().trim() } + + /** Holds if `management.security.enabled` is set to `false`. */ + predicate hasSecurityDisabled() { this.getValue() = "false" } + + /** Holds if `management.security.enabled` is set to `true`. */ + predicate hasSecurityEnabled() { this.getValue() = "true" } +} + +/** The configuration property `management.endpoints.web.exposure.include`. */ +class ManagementEndPointInclude extends ApplicationProperties { + ManagementEndPointInclude() { + this.getNameElement().getName() = "management.endpoints.web.exposure.include" + } + + /** Gets the whitespace-trimmed value of this property. */ + string getValue() { result = this.getValueElement().getValue().trim() } +} + +/** + * Holds if `ApplicationProperties` ap of a repository managed by `SpringBootPom` pom + * has a vulnerable configuration of Spring Boot Actuator management endpoints. + */ +predicate hasConfidentialEndPointExposed(SpringBootPom pom, ApplicationProperties ap) { + pom.isSpringBootActuatorUsed() and + not pom.isSpringBootSecurityUsed() and + ap.getFile() + .getParentContainer() + .getAbsolutePath() + .matches(pom.getFile().getParentContainer().getAbsolutePath() + "%") and // in the same sub-directory + exists(string springBootVersion | springBootVersion = pom.getParentElement().getVersionString() | + springBootVersion.regexpMatch("1\\.[0-4].*") and // version 1.0, 1.1, ..., 1.4 + not exists(ManagementSecurityConfig me | + me.hasSecurityEnabled() and me.getFile() = ap.getFile() + ) + or + springBootVersion.matches("1.5%") and // version 1.5 + exists(ManagementSecurityConfig me | me.hasSecurityDisabled() and me.getFile() = ap.getFile()) + or + springBootVersion.matches("2.%") and //version 2.x + exists(ManagementEndPointInclude mi | + mi.getFile() = ap.getFile() and + ( + mi.getValue() = "*" // all endpoints are enabled + or + mi.getValue() + .matches([ + "%dump%", "%trace%", "%logfile%", "%shutdown%", "%startup%", "%mappings%", "%env%", + "%beans%", "%sessions%" + ]) // confidential endpoints to check although all endpoints apart from '/health' and '/info' are considered sensitive by Spring + ) + ) + ) +} diff --git a/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.ql b/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.ql index 800fc6db564..66d9a52c2cf 100644 --- a/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.ql +++ b/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.ql @@ -11,105 +11,9 @@ * external/cwe/cwe-016 */ -/* - * Note this query requires properties files to be indexed before it can produce results. - * If creating your own database with the CodeQL CLI, you should run - * `codeql database index-files --language=properties ...` - * If using lgtm.com, you should add `properties_files: true` to the index block of your - * lgtm.yml file (see https://lgtm.com/help/lgtm/java-extraction) - */ - import java -import semmle.code.configfiles.ConfigFiles import semmle.code.xml.MavenPom - -/** The parent node of the `org.springframework.boot` group. */ -class SpringBootParent extends Parent { - SpringBootParent() { this.getGroup().getValue() = "org.springframework.boot" } -} - -/** Class of Spring Boot dependencies. */ -class SpringBootPom extends Pom { - SpringBootPom() { this.getParentElement() instanceof SpringBootParent } - - /** Holds if the Spring Boot Actuator module `spring-boot-starter-actuator` is used in the project. */ - predicate isSpringBootActuatorUsed() { - this.getADependency().getArtifact().getValue() = "spring-boot-starter-actuator" - } - - /** - * Holds if the Spring Boot Security module is used in the project, which brings in other security - * related libraries. - */ - predicate isSpringBootSecurityUsed() { - this.getADependency().getArtifact().getValue() = "spring-boot-starter-security" - } -} - -/** The properties file `application.properties`. */ -class ApplicationProperties extends ConfigPair { - ApplicationProperties() { this.getFile().getBaseName() = "application.properties" } -} - -/** The configuration property `management.security.enabled`. */ -class ManagementSecurityConfig extends ApplicationProperties { - ManagementSecurityConfig() { this.getNameElement().getName() = "management.security.enabled" } - - /** Gets the whitespace-trimmed value of this property. */ - string getValue() { result = this.getValueElement().getValue().trim() } - - /** Holds if `management.security.enabled` is set to `false`. */ - predicate hasSecurityDisabled() { this.getValue() = "false" } - - /** Holds if `management.security.enabled` is set to `true`. */ - predicate hasSecurityEnabled() { this.getValue() = "true" } -} - -/** The configuration property `management.endpoints.web.exposure.include`. */ -class ManagementEndPointInclude extends ApplicationProperties { - ManagementEndPointInclude() { - this.getNameElement().getName() = "management.endpoints.web.exposure.include" - } - - /** Gets the whitespace-trimmed value of this property. */ - string getValue() { result = this.getValueElement().getValue().trim() } -} - -/** - * Holds if `ApplicationProperties` ap of a repository managed by `SpringBootPom` pom - * has a vulnerable configuration of Spring Boot Actuator management endpoints. - */ -predicate hasConfidentialEndPointExposed(SpringBootPom pom, ApplicationProperties ap) { - pom.isSpringBootActuatorUsed() and - not pom.isSpringBootSecurityUsed() and - ap.getFile() - .getParentContainer() - .getAbsolutePath() - .matches(pom.getFile().getParentContainer().getAbsolutePath() + "%") and // in the same sub-directory - exists(string springBootVersion | springBootVersion = pom.getParentElement().getVersionString() | - springBootVersion.regexpMatch("1\\.[0-4].*") and // version 1.0, 1.1, ..., 1.4 - not exists(ManagementSecurityConfig me | - me.hasSecurityEnabled() and me.getFile() = ap.getFile() - ) - or - springBootVersion.matches("1.5%") and // version 1.5 - exists(ManagementSecurityConfig me | me.hasSecurityDisabled() and me.getFile() = ap.getFile()) - or - springBootVersion.matches("2.%") and //version 2.x - exists(ManagementEndPointInclude mi | - mi.getFile() = ap.getFile() and - ( - mi.getValue() = "*" // all endpoints are enabled - or - mi.getValue() - .matches([ - "%dump%", "%trace%", "%logfile%", "%shutdown%", "%startup%", "%mappings%", "%env%", - "%beans%", "%sessions%" - ]) // confidential endpoints to check although all endpoints apart from '/health' and '/info' are considered sensitive by Spring - ) - ) - ) -} +import semmle.code.java.security.SpringBootActuatorsConfigQuery from SpringBootPom pom, ApplicationProperties ap, Dependency d where From 3823186dc6dc53c87fdd143fbf6d7d95dbbe4e8e Mon Sep 17 00:00:00 2001 From: Jami Cogswell Date: Tue, 15 Jul 2025 19:21:21 -0400 Subject: [PATCH 0067/1955] Java: split tests by versions splitting is required to properly test each scenario --- .../InsecureSpringActuatorConfig.expected | 7 ++- .../bad/default/application.properties | 1 + .../{ => Version1.4-/bad/default}/pom.xml | 2 +- .../bad/false/application.properties | 2 + .../Version1.4-/bad/false/pom.xml | 47 +++++++++++++++++++ .../Version1.4-/good/application.properties | 2 + .../Version1.4-/good/pom.xml | 47 +++++++++++++++++++ .../Version1.5/bad/application.properties | 2 + .../Version1.5/bad/pom.xml | 47 +++++++++++++++++++ .../Version1.5/good/application.properties | 2 + .../Version1.5/good/pom.xml | 47 +++++++++++++++++++ .../{ => Version2+}/application.properties | 0 .../Version2+/bad/application.properties | 7 +++ .../Version2+/bad/pom.xml | 47 +++++++++++++++++++ .../Version2+/good/application.properties | 2 + .../Version2+/good/pom.xml | 47 +++++++++++++++++++ 16 files changed, 307 insertions(+), 2 deletions(-) create mode 100644 java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/bad/default/application.properties rename java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/{ => Version1.4-/bad/default}/pom.xml (97%) create mode 100644 java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/bad/false/application.properties create mode 100644 java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/bad/false/pom.xml create mode 100644 java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/good/application.properties create mode 100644 java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/good/pom.xml create mode 100644 java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5/bad/application.properties create mode 100644 java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5/bad/pom.xml create mode 100644 java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5/good/application.properties create mode 100644 java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5/good/pom.xml rename java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/{ => Version2+}/application.properties (100%) create mode 100644 java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2+/bad/application.properties create mode 100644 java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2+/bad/pom.xml create mode 100644 java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2+/good/application.properties create mode 100644 java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2+/good/pom.xml diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.expected b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.expected index 48630293985..da7a570f982 100644 --- a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.expected +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.expected @@ -1 +1,6 @@ -| pom.xml:29:9:32:22 | dependency | Insecure configuration of Spring Boot Actuator exposes sensitive endpoints. | +#select +| Version1.4-/bad/false/pom.xml:29:9:32:22 | dependency | Insecure configuration of Spring Boot Actuator exposes sensitive endpoints. | +| Version1.5/bad/pom.xml:29:9:32:22 | dependency | Insecure configuration of Spring Boot Actuator exposes sensitive endpoints. | +| Version2+/bad/pom.xml:29:9:32:22 | dependency | Insecure configuration of Spring Boot Actuator exposes sensitive endpoints. | +testFailures +| Version1.4-/bad/default/pom.xml:32:23:32:39 | $ Alert | Missing result: Alert | diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/bad/default/application.properties b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/bad/default/application.properties new file mode 100644 index 00000000000..a41bbc9fdca --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/bad/default/application.properties @@ -0,0 +1 @@ +# vulnerable configuration (spring boot 1.0 - 1.4): exposes actuators by default \ No newline at end of file diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/pom.xml b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/bad/default/pom.xml similarity index 97% rename from java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/pom.xml rename to java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/bad/default/pom.xml index 105309271f8..83c7d2685f3 100644 --- a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/pom.xml +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/bad/default/pom.xml @@ -17,7 +17,7 @@ org.springframework.boot spring-boot-starter-parent - 2.3.8.RELEASE + 1.2.6.RELEASE diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/bad/false/application.properties b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/bad/false/application.properties new file mode 100644 index 00000000000..621b859214c --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/bad/false/application.properties @@ -0,0 +1,2 @@ +# vulnerable configuration (spring boot 1.0 - 1.4): exposes actuators by default +management.security.enabled=false \ No newline at end of file diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/bad/false/pom.xml b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/bad/false/pom.xml new file mode 100644 index 00000000000..83c7d2685f3 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/bad/false/pom.xml @@ -0,0 +1,47 @@ + + + 4.0.0 + + spring-boot-actuator-app + spring-boot-actuator-app + 1.0-SNAPSHOT + + + UTF-8 + 1.8 + 1.8 + + + + org.springframework.boot + spring-boot-starter-parent + 1.2.6.RELEASE + + + + + + org.springframework.boot + spring-boot-starter-web + + + org.springframework.boot + spring-boot-starter-actuator + + + org.springframework.boot + spring-boot-devtools + + + + org.springframework.boot + spring-boot-test + + + + \ No newline at end of file diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/good/application.properties b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/good/application.properties new file mode 100644 index 00000000000..6cadc4c756d --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/good/application.properties @@ -0,0 +1,2 @@ +# safe configuration (spring boot 1.0 - 1.4): exposes actuators by default +management.security.enabled=true \ No newline at end of file diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/good/pom.xml b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/good/pom.xml new file mode 100644 index 00000000000..452d4b69c35 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/good/pom.xml @@ -0,0 +1,47 @@ + + + 4.0.0 + + spring-boot-actuator-app + spring-boot-actuator-app + 1.0-SNAPSHOT + + + UTF-8 + 1.8 + 1.8 + + + + org.springframework.boot + spring-boot-starter-parent + 1.2.6.RELEASE + + + + + + org.springframework.boot + spring-boot-starter-web + + + org.springframework.boot + spring-boot-starter-actuator + + + org.springframework.boot + spring-boot-devtools + + + org.springframework.boot + spring-boot-starter-security + + + org.springframework.boot + spring-boot-test + + + + \ No newline at end of file diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5/bad/application.properties b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5/bad/application.properties new file mode 100644 index 00000000000..f1e8f6587d0 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5/bad/application.properties @@ -0,0 +1,2 @@ +# safe configuration (spring boot 1.5+): requires value false to expose sensitive actuators +management.security.enabled=false \ No newline at end of file diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5/bad/pom.xml b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5/bad/pom.xml new file mode 100644 index 00000000000..aa1a4bcaf05 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5/bad/pom.xml @@ -0,0 +1,47 @@ + + + 4.0.0 + + spring-boot-actuator-app + spring-boot-actuator-app + 1.0-SNAPSHOT + + + UTF-8 + 1.8 + 1.8 + + + + org.springframework.boot + spring-boot-starter-parent + 1.5.6.RELEASE + + + + + + org.springframework.boot + spring-boot-starter-web + + + org.springframework.boot + spring-boot-starter-actuator + + + org.springframework.boot + spring-boot-devtools + + + + org.springframework.boot + spring-boot-test + + + + \ No newline at end of file diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5/good/application.properties b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5/good/application.properties new file mode 100644 index 00000000000..bec45a22b82 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5/good/application.properties @@ -0,0 +1,2 @@ +# vulnerable configuration (spring boot 1.5+): requires value false to expose sensitive actuators +management.security.enabled=true \ No newline at end of file diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5/good/pom.xml b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5/good/pom.xml new file mode 100644 index 00000000000..39b46bef7e4 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5/good/pom.xml @@ -0,0 +1,47 @@ + + + 4.0.0 + + spring-boot-actuator-app + spring-boot-actuator-app + 1.0-SNAPSHOT + + + UTF-8 + 1.8 + 1.8 + + + + org.springframework.boot + spring-boot-starter-parent + 1.5.6.RELEASE + + + + + + org.springframework.boot + spring-boot-starter-web + + + org.springframework.boot + spring-boot-starter-actuator + + + org.springframework.boot + spring-boot-devtools + + + org.springframework.boot + spring-boot-starter-security + + + org.springframework.boot + spring-boot-test + + + + \ No newline at end of file diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/application.properties b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2+/application.properties similarity index 100% rename from java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/application.properties rename to java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2+/application.properties diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2+/bad/application.properties b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2+/bad/application.properties new file mode 100644 index 00000000000..a2e73d7022c --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2+/bad/application.properties @@ -0,0 +1,7 @@ +# vulnerable configuration (spring boot 2+): exposes health and info only by default, here overridden to expose everything +management.endpoints.web.exposure.include=* +management.endpoints.web.exposure.exclude=beans + +management.endpoint.shutdown.enabled=true + +management.endpoint.health.show-details=when_authorized \ No newline at end of file diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2+/bad/pom.xml b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2+/bad/pom.xml new file mode 100644 index 00000000000..c22f08d7e7e --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2+/bad/pom.xml @@ -0,0 +1,47 @@ + + + 4.0.0 + + spring-boot-actuator-app + spring-boot-actuator-app + 1.0-SNAPSHOT + + + UTF-8 + 1.8 + 1.8 + + + + org.springframework.boot + spring-boot-starter-parent + 2.2.6.RELEASE + + + + + + org.springframework.boot + spring-boot-starter-web + + + org.springframework.boot + spring-boot-starter-actuator + + + org.springframework.boot + spring-boot-devtools + + + + org.springframework.boot + spring-boot-test + + + + \ No newline at end of file diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2+/good/application.properties b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2+/good/application.properties new file mode 100644 index 00000000000..c14bf64b13b --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2+/good/application.properties @@ -0,0 +1,2 @@ +# safe configuration (spring boot 2+): exposes health and info only by default, here overridden to expose one additional endpoint which we assume is intentional and safe. +management.endpoints.web.exposure.include=beans,info,health \ No newline at end of file diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2+/good/pom.xml b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2+/good/pom.xml new file mode 100644 index 00000000000..e65ebf04701 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2+/good/pom.xml @@ -0,0 +1,47 @@ + + + 4.0.0 + + spring-boot-actuator-app + spring-boot-actuator-app + 1.0-SNAPSHOT + + + UTF-8 + 1.8 + 1.8 + + + + org.springframework.boot + spring-boot-starter-parent + 2.2.6.RELEASE + + + + + + org.springframework.boot + spring-boot-starter-web + + + org.springframework.boot + spring-boot-starter-actuator + + + org.springframework.boot + spring-boot-devtools + + + org.springframework.boot + spring-boot-starter-security + + + org.springframework.boot + spring-boot-test + + + + \ No newline at end of file From 2bfc4b4ee207a23905eb9ce64bc84b735d83a77f Mon Sep 17 00:00:00 2001 From: Jami Cogswell Date: Tue, 15 Jul 2025 19:50:04 -0400 Subject: [PATCH 0068/1955] Java: fix test case for version 1.4 Need the existence of an ApplicationProperties File, not an ApplicationProperties ConfigPair --- .../SpringBootActuatorsConfigQuery.qll | 65 ++++++++++--------- .../InsecureSpringActuatorConfig.ql | 4 +- .../InsecureSpringActuatorConfig.expected | 4 +- 3 files changed, 39 insertions(+), 34 deletions(-) diff --git a/java/ql/lib/semmle/code/java/security/SpringBootActuatorsConfigQuery.qll b/java/ql/lib/semmle/code/java/security/SpringBootActuatorsConfigQuery.qll index 5cf54f3436c..241b64821e8 100644 --- a/java/ql/lib/semmle/code/java/security/SpringBootActuatorsConfigQuery.qll +++ b/java/ql/lib/semmle/code/java/security/SpringBootActuatorsConfigQuery.qll @@ -28,12 +28,17 @@ class SpringBootPom extends Pom { } /** The properties file `application.properties`. */ -class ApplicationProperties extends ConfigPair { - ApplicationProperties() { this.getFile().getBaseName() = "application.properties" } +class ApplicationPropertiesFile extends File { + ApplicationPropertiesFile() { this.getBaseName() = "application.properties" } +} + +/** A name-value pair stored in an `application.properties` file. */ +class ApplicationPropertiesConfigPair extends ConfigPair { + ApplicationPropertiesConfigPair() { this.getFile() instanceof ApplicationPropertiesFile } } /** The configuration property `management.security.enabled`. */ -class ManagementSecurityConfig extends ApplicationProperties { +class ManagementSecurityConfig extends ApplicationPropertiesConfigPair { ManagementSecurityConfig() { this.getNameElement().getName() = "management.security.enabled" } /** Gets the whitespace-trimmed value of this property. */ @@ -47,7 +52,7 @@ class ManagementSecurityConfig extends ApplicationProperties { } /** The configuration property `management.endpoints.web.exposure.include`. */ -class ManagementEndPointInclude extends ApplicationProperties { +class ManagementEndPointInclude extends ApplicationPropertiesConfigPair { ManagementEndPointInclude() { this.getNameElement().getName() = "management.endpoints.web.exposure.include" } @@ -60,33 +65,35 @@ class ManagementEndPointInclude extends ApplicationProperties { * Holds if `ApplicationProperties` ap of a repository managed by `SpringBootPom` pom * has a vulnerable configuration of Spring Boot Actuator management endpoints. */ -predicate hasConfidentialEndPointExposed(SpringBootPom pom, ApplicationProperties ap) { +predicate hasConfidentialEndPointExposed(SpringBootPom pom) { pom.isSpringBootActuatorUsed() and not pom.isSpringBootSecurityUsed() and - ap.getFile() - .getParentContainer() - .getAbsolutePath() - .matches(pom.getFile().getParentContainer().getAbsolutePath() + "%") and // in the same sub-directory - exists(string springBootVersion | springBootVersion = pom.getParentElement().getVersionString() | - springBootVersion.regexpMatch("1\\.[0-4].*") and // version 1.0, 1.1, ..., 1.4 - not exists(ManagementSecurityConfig me | - me.hasSecurityEnabled() and me.getFile() = ap.getFile() - ) - or - springBootVersion.matches("1.5%") and // version 1.5 - exists(ManagementSecurityConfig me | me.hasSecurityDisabled() and me.getFile() = ap.getFile()) - or - springBootVersion.matches("2.%") and //version 2.x - exists(ManagementEndPointInclude mi | - mi.getFile() = ap.getFile() and - ( - mi.getValue() = "*" // all endpoints are enabled - or - mi.getValue() - .matches([ - "%dump%", "%trace%", "%logfile%", "%shutdown%", "%startup%", "%mappings%", "%env%", - "%beans%", "%sessions%" - ]) // confidential endpoints to check although all endpoints apart from '/health' and '/info' are considered sensitive by Spring + exists(ApplicationPropertiesFile apFile | + apFile + .getParentContainer() + .getAbsolutePath() + .matches(pom.getFile().getParentContainer().getAbsolutePath() + "%") and // in the same sub-directory + exists(string springBootVersion | + springBootVersion = pom.getParentElement().getVersionString() + | + springBootVersion.regexpMatch("1\\.[0-4].*") and // version 1.0, 1.1, ..., 1.4 + not exists(ManagementSecurityConfig me | me.hasSecurityEnabled() and me.getFile() = apFile) + or + springBootVersion.matches("1.5%") and // version 1.5 + exists(ManagementSecurityConfig me | me.hasSecurityDisabled() and me.getFile() = apFile) + or + springBootVersion.matches("2.%") and //version 2.x + exists(ManagementEndPointInclude mi | + mi.getFile() = apFile and + ( + mi.getValue() = "*" // all endpoints are enabled + or + mi.getValue() + .matches([ + "%dump%", "%trace%", "%logfile%", "%shutdown%", "%startup%", "%mappings%", + "%env%", "%beans%", "%sessions%" + ]) // confidential endpoints to check although all endpoints apart from '/health' and '/info' are considered sensitive by Spring + ) ) ) ) diff --git a/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.ql b/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.ql index 66d9a52c2cf..89f3777f0c2 100644 --- a/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.ql +++ b/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.ql @@ -15,9 +15,9 @@ import java import semmle.code.xml.MavenPom import semmle.code.java.security.SpringBootActuatorsConfigQuery -from SpringBootPom pom, ApplicationProperties ap, Dependency d +from SpringBootPom pom, Dependency d where - hasConfidentialEndPointExposed(pom, ap) and + hasConfidentialEndPointExposed(pom) and d = pom.getADependency() and d.getArtifact().getValue() = "spring-boot-starter-actuator" select d, "Insecure configuration of Spring Boot Actuator exposes sensitive endpoints." diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.expected b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.expected index da7a570f982..d7043f403fb 100644 --- a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.expected +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.expected @@ -1,6 +1,4 @@ -#select +| Version1.4-/bad/default/pom.xml:29:9:32:22 | dependency | Insecure configuration of Spring Boot Actuator exposes sensitive endpoints. | | Version1.4-/bad/false/pom.xml:29:9:32:22 | dependency | Insecure configuration of Spring Boot Actuator exposes sensitive endpoints. | | Version1.5/bad/pom.xml:29:9:32:22 | dependency | Insecure configuration of Spring Boot Actuator exposes sensitive endpoints. | | Version2+/bad/pom.xml:29:9:32:22 | dependency | Insecure configuration of Spring Boot Actuator exposes sensitive endpoints. | -testFailures -| Version1.4-/bad/default/pom.xml:32:23:32:39 | $ Alert | Missing result: Alert | From ae163a9f36c0a3d08f6c78404a438bfc7101cf96 Mon Sep 17 00:00:00 2001 From: Jami Cogswell Date: Tue, 15 Jul 2025 20:02:30 -0400 Subject: [PATCH 0069/1955] Java: add overlay annotations --- .../code/java/security/SpringBootActuatorsConfigQuery.qll | 2 ++ 1 file changed, 2 insertions(+) diff --git a/java/ql/lib/semmle/code/java/security/SpringBootActuatorsConfigQuery.qll b/java/ql/lib/semmle/code/java/security/SpringBootActuatorsConfigQuery.qll index 241b64821e8..ccae3a4f929 100644 --- a/java/ql/lib/semmle/code/java/security/SpringBootActuatorsConfigQuery.qll +++ b/java/ql/lib/semmle/code/java/security/SpringBootActuatorsConfigQuery.qll @@ -1,4 +1,6 @@ /** Provides classes and predicates to reason about Spring Boot actuators exposed in configuration files. */ +overlay[local?] +module; import java private import semmle.code.configfiles.ConfigFiles From 0d2a4222fd14fd2290b462d990efa10026d7efb7 Mon Sep 17 00:00:00 2001 From: Jami Cogswell Date: Tue, 15 Jul 2025 21:45:50 -0400 Subject: [PATCH 0070/1955] Java: add related location to alert message --- .../SpringBootActuatorsConfigQuery.qll | 41 +++++++++++++++---- .../InsecureSpringActuatorConfig.ql | 8 ++-- .../InsecureSpringActuatorConfig.expected | 8 ++-- 3 files changed, 43 insertions(+), 14 deletions(-) diff --git a/java/ql/lib/semmle/code/java/security/SpringBootActuatorsConfigQuery.qll b/java/ql/lib/semmle/code/java/security/SpringBootActuatorsConfigQuery.qll index ccae3a4f929..f8ff20f9978 100644 --- a/java/ql/lib/semmle/code/java/security/SpringBootActuatorsConfigQuery.qll +++ b/java/ql/lib/semmle/code/java/security/SpringBootActuatorsConfigQuery.qll @@ -48,9 +48,6 @@ class ManagementSecurityConfig extends ApplicationPropertiesConfigPair { /** Holds if `management.security.enabled` is set to `false`. */ predicate hasSecurityDisabled() { this.getValue() = "false" } - - /** Holds if `management.security.enabled` is set to `true`. */ - predicate hasSecurityEnabled() { this.getValue() = "true" } } /** The configuration property `management.endpoints.web.exposure.include`. */ @@ -63,11 +60,37 @@ class ManagementEndPointInclude extends ApplicationPropertiesConfigPair { string getValue() { result = this.getValueElement().getValue().trim() } } +private newtype TOption = + TNone() or + TSome(ApplicationPropertiesConfigPair ap) + +/** + * An option type that is either a singleton `None` or a `Some` wrapping + * the `ApplicationPropertiesConfigPair` type. + */ +class ApplicationPropertiesOption extends TOption { + /** Gets a textual representation of this element. */ + string toString() { + this = TNone() and result = "(none)" + or + result = this.asSome().toString() + } + + /** Gets the location of this element. */ + Location getLocation() { result = this.asSome().getLocation() } + + /** Gets the wrapped element, if any. */ + ApplicationPropertiesConfigPair asSome() { this = TSome(result) } + + /** Holds if this option is the singleton `None`. */ + predicate isNone() { this = TNone() } +} + /** * Holds if `ApplicationProperties` ap of a repository managed by `SpringBootPom` pom * has a vulnerable configuration of Spring Boot Actuator management endpoints. */ -predicate hasConfidentialEndPointExposed(SpringBootPom pom) { +predicate hasConfidentialEndPointExposed(SpringBootPom pom, ApplicationPropertiesOption apOption) { pom.isSpringBootActuatorUsed() and not pom.isSpringBootSecurityUsed() and exists(ApplicationPropertiesFile apFile | @@ -79,14 +102,18 @@ predicate hasConfidentialEndPointExposed(SpringBootPom pom) { springBootVersion = pom.getParentElement().getVersionString() | springBootVersion.regexpMatch("1\\.[0-4].*") and // version 1.0, 1.1, ..., 1.4 - not exists(ManagementSecurityConfig me | me.hasSecurityEnabled() and me.getFile() = apFile) + not exists(ManagementSecurityConfig me | me.getFile() = apFile) and + apOption.isNone() or - springBootVersion.matches("1.5%") and // version 1.5 - exists(ManagementSecurityConfig me | me.hasSecurityDisabled() and me.getFile() = apFile) + springBootVersion.regexpMatch("1\\.[0-5].*") and // version 1.0, 1.1, ..., 1.5 + exists(ManagementSecurityConfig me | + me.hasSecurityDisabled() and me.getFile() = apFile and me = apOption.asSome() + ) or springBootVersion.matches("2.%") and //version 2.x exists(ManagementEndPointInclude mi | mi.getFile() = apFile and + mi = apOption.asSome() and ( mi.getValue() = "*" // all endpoints are enabled or diff --git a/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.ql b/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.ql index 89f3777f0c2..2437a77953d 100644 --- a/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.ql +++ b/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.ql @@ -15,9 +15,11 @@ import java import semmle.code.xml.MavenPom import semmle.code.java.security.SpringBootActuatorsConfigQuery -from SpringBootPom pom, Dependency d +from SpringBootPom pom, Dependency d, ApplicationPropertiesOption apOption where - hasConfidentialEndPointExposed(pom) and + hasConfidentialEndPointExposed(pom, apOption) and d = pom.getADependency() and d.getArtifact().getValue() = "spring-boot-starter-actuator" -select d, "Insecure configuration of Spring Boot Actuator exposes sensitive endpoints." +select d, + "Insecure $@ of Spring Boot Actuator exposes sensitive endpoints (" + + pom.getParentElement().getVersionString() + ").", apOption, "configuration" diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.expected b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.expected index d7043f403fb..70a6068ab3f 100644 --- a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.expected +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.expected @@ -1,4 +1,4 @@ -| Version1.4-/bad/default/pom.xml:29:9:32:22 | dependency | Insecure configuration of Spring Boot Actuator exposes sensitive endpoints. | -| Version1.4-/bad/false/pom.xml:29:9:32:22 | dependency | Insecure configuration of Spring Boot Actuator exposes sensitive endpoints. | -| Version1.5/bad/pom.xml:29:9:32:22 | dependency | Insecure configuration of Spring Boot Actuator exposes sensitive endpoints. | -| Version2+/bad/pom.xml:29:9:32:22 | dependency | Insecure configuration of Spring Boot Actuator exposes sensitive endpoints. | +| Version1.4-/bad/default/pom.xml:29:9:32:22 | dependency | Insecure $@ of Spring Boot Actuator exposes sensitive endpoints (1.2.6.RELEASE). | file://:0:0:0:0 | (none) | configuration | +| Version1.4-/bad/false/pom.xml:29:9:32:22 | dependency | Insecure $@ of Spring Boot Actuator exposes sensitive endpoints (1.2.6.RELEASE). | Version1.4-/bad/false/application.properties:2:1:2:33 | management.security.enabled=false | configuration | +| Version1.5/bad/pom.xml:29:9:32:22 | dependency | Insecure $@ of Spring Boot Actuator exposes sensitive endpoints (1.5.6.RELEASE). | Version1.5/bad/application.properties:2:1:2:33 | management.security.enabled=false | configuration | +| Version2+/bad/pom.xml:29:9:32:22 | dependency | Insecure $@ of Spring Boot Actuator exposes sensitive endpoints (2.2.6.RELEASE). | Version2+/bad/application.properties:2:1:2:43 | management.endpoints.web.exposure.include=* | configuration | From afa6610cb9978b6a283e5c8dc9700781bf062d6f Mon Sep 17 00:00:00 2001 From: Jami Cogswell Date: Thu, 17 Jul 2025 11:00:49 -0400 Subject: [PATCH 0071/1955] Java: update qhelp --- .../InsecureSpringActuatorConfig.qhelp | 44 +++++++--------- .../application.properties | 22 -------- .../application_bad.properties | 10 ++++ .../application_good.properties | 11 ++++ .../InsecureSpringActuatorConfig/pom_bad.xml | 50 ------------------- .../InsecureSpringActuatorConfig/pom_good.xml | 42 +--------------- 6 files changed, 41 insertions(+), 138 deletions(-) delete mode 100644 java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/application.properties create mode 100644 java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/application_bad.properties create mode 100644 java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/application_good.properties delete mode 100644 java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/pom_bad.xml diff --git a/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.qhelp b/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.qhelp index 7e31b43ba7a..d3e79e88ed7 100644 --- a/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.qhelp +++ b/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.qhelp @@ -1,43 +1,35 @@ -

    Spring Boot is a popular framework that facilitates the development of stand-alone applications -and micro services. Spring Boot Actuator helps to expose production-ready support features against -Spring Boot applications.

    - -

    Endpoints of Spring Boot Actuator allow to monitor and interact with a Spring Boot application. -Exposing unprotected actuator endpoints through configuration files can lead to information disclosure -or even remote code execution vulnerability.

    - -

    Rather than programmatically permitting endpoint requests or enforcing access control, frequently -developers simply leave management endpoints publicly accessible in the application configuration file -application.properties without enforcing access control through Spring Security.

    +

    Spring Boot includes features called actuators that let you monitor and interact with your web + application. Exposing unprotected actuator endpoints through configuration files can lead to + information disclosure or even to remote code execution.

     -

    Declare the Spring Boot Starter Security module in XML configuration or programmatically enforce -security checks on management endpoints using Spring Security. Otherwise accessing management endpoints -on a different HTTP port other than the port that the web application is listening on also helps to -improve the security.

    +

    Since actuator endpoints may contain sensitive information, carefully consider when to expose them, + and secure them as you would any sensitive URL. If you need to expose actuator endpoints, use Spring + Security, which secures actuators by default, or define a custom security configuration. +

    -

    The following examples show both 'BAD' and 'GOOD' configurations. In the 'BAD' configuration, -no security module is declared and sensitive management endpoints are exposed. In the 'GOOD' configuration, -security is enforced and only endpoints requiring exposure are exposed.

    +

    The following examples show application.properties configurations that expose sensitive + actuator endpoints.

    + + +

    The below configurations ensure that sensitive actuator endpoints are not exposed.

    + + +

    To use Spring Security, which secures actuators by default, add the spring-boot-starter-security + dependency in your Maven pom.xml file.

    - -
  • - Spring Boot documentation: - Spring Boot Actuator: Production-ready Features -
    • -
  • - VERACODE Blog: - Exploiting Spring Boot Actuators + Spring Boot Reference Documentation: + Endpoints.
  • HackerOne Report: diff --git a/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/application.properties b/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/application.properties deleted file mode 100644 index 441d752508c..00000000000 --- a/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/application.properties +++ /dev/null @@ -1,22 +0,0 @@ -#management.endpoints.web.base-path=/admin - - -#### BAD: All management endpoints are accessible #### -# vulnerable configuration (spring boot 1.0 - 1.4): exposes actuators by default - -# vulnerable configuration (spring boot 1.5+): requires value false to expose sensitive actuators -management.security.enabled=false - -# vulnerable configuration (spring boot 2+): exposes health and info only by default, here overridden to expose everything -management.endpoints.web.exposure.include=* - - -#### GOOD: All management endpoints have access control #### -# safe configuration (spring boot 1.0 - 1.4): exposes actuators by default -management.security.enabled=true - -# safe configuration (spring boot 1.5+): requires value false to expose sensitive actuators -management.security.enabled=true - -# safe configuration (spring boot 2+): exposes health and info only by default, here overridden to expose one additional endpoint which we assume is intentional and safe. -management.endpoints.web.exposure.include=beans,info,health diff --git a/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/application_bad.properties b/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/application_bad.properties new file mode 100644 index 00000000000..ccf1cb67881 --- /dev/null +++ b/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/application_bad.properties @@ -0,0 +1,10 @@ +# vulnerable configuration (Spring Boot 1.0 - 1.4): exposes endpoints by default + +# vulnerable configuration (Spring Boot 1.5): false value exposes endpoints +management.security.enabled=false + +# vulnerable configuration (Spring Boot 2.x): exposes all endpoints +management.endpoints.web.exposure.include=* + +# vulnerable configuration (Spring Boot 3.x): exposes all endpoints +management.endpoints.web.exposure.include=* diff --git a/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/application_good.properties b/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/application_good.properties new file mode 100644 index 00000000000..1af2b7b0228 --- /dev/null +++ b/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/application_good.properties @@ -0,0 +1,11 @@ +# safe configuration (Spring Boot 1.0 - 1.4) +management.security.enabled=true + +# safe configuration (Spring Boot 1.5+) +management.security.enabled=true + +# safe configuration (Spring Boot 2.x): exposes health and info only by default +management.endpoints.web.exposure.include=health,info + +# safe configuration (Spring Boot 3.x): exposes health only by default +management.endpoints.web.exposure.include=health diff --git a/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/pom_bad.xml b/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/pom_bad.xml deleted file mode 100644 index 6bca2829ac4..00000000000 --- a/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/pom_bad.xml +++ /dev/null @@ -1,50 +0,0 @@ - - - 4.0.0 - - spring-boot-actuator-app - spring-boot-actuator-app - 1.0-SNAPSHOT - - - UTF-8 - 1.8 - 1.8 - - - - org.springframework.boot - spring-boot-starter-parent - 2.3.8.RELEASE - - - - - - org.springframework.boot - spring-boot-starter-web - - - org.springframework.boot - spring-boot-starter-actuator - - - org.springframework.boot - spring-boot-devtools - - - - - - - org.springframework.boot - spring-boot-test - - - - diff --git a/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/pom_good.xml b/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/pom_good.xml index 03bc257f5bd..32fad44591e 100644 --- a/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/pom_good.xml +++ b/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/pom_good.xml @@ -1,50 +1,12 @@ - - - 4.0.0 - - spring-boot-actuator-app - spring-boot-actuator-app - 1.0-SNAPSHOT - - - UTF-8 - 1.8 - 1.8 - - - - org.springframework.boot - spring-boot-starter-parent - 2.3.8.RELEASE - - - - - - org.springframework.boot - spring-boot-starter-web - +... org.springframework.boot spring-boot-starter-actuator - - org.springframework.boot - spring-boot-devtools - org.springframework.boot spring-boot-starter-security - - - org.springframework.boot - spring-boot-test - - - - +... From ea35fbbe3b0183ca22e94f5a7b4c0d96513c9cd4 Mon Sep 17 00:00:00 2001 From: Jami Cogswell Date: Thu, 17 Jul 2025 11:21:17 -0400 Subject: [PATCH 0072/1955] Java: support version 3.x --- .../SpringBootActuatorsConfigQuery.qll | 4 +- .../InsecureSpringActuatorConfig.expected | 9 ++-- .../bad/default/application.properties | 0 .../bad/default/pom.xml | 0 .../bad/false/application.properties | 0 .../bad/false/pom.xml | 0 .../good/application.properties | 0 .../good/pom.xml | 0 .../bad/application.properties | 0 .../{Version1.5 => Version1.5.x}/bad/pom.xml | 0 .../good/application.properties | 0 .../{Version1.5 => Version1.5.x}/good/pom.xml | 0 .../Version2+/application.properties | 14 ------ .../Version2+/bad/application.properties | 7 --- .../Version2+/good/application.properties | 2 - .../Version2.x/bad/application.properties | 2 + .../{Version2+ => Version2.x}/bad/pom.xml | 0 .../Version2.x/good/application.properties | 2 + .../{Version2+ => Version2.x}/good/pom.xml | 0 .../Version3.x/bad/application.properties | 2 + .../Version3.x/bad/pom.xml | 47 +++++++++++++++++++ .../Version3.x/good/application.properties | 2 + .../Version3.x/good/pom.xml | 47 +++++++++++++++++++ 23 files changed, 109 insertions(+), 29 deletions(-) rename java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/{Version1.4- => Version1.0.x-1.4.x}/bad/default/application.properties (100%) rename java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/{Version1.4- => Version1.0.x-1.4.x}/bad/default/pom.xml (100%) rename java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/{Version1.4- => Version1.0.x-1.4.x}/bad/false/application.properties (100%) rename java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/{Version1.4- => Version1.0.x-1.4.x}/bad/false/pom.xml (100%) rename java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/{Version1.4- => Version1.0.x-1.4.x}/good/application.properties (100%) rename java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/{Version1.4- => Version1.0.x-1.4.x}/good/pom.xml (100%) rename java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/{Version1.5 => Version1.5.x}/bad/application.properties (100%) rename java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/{Version1.5 => Version1.5.x}/bad/pom.xml (100%) rename java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/{Version1.5 => Version1.5.x}/good/application.properties (100%) rename java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/{Version1.5 => Version1.5.x}/good/pom.xml (100%) delete mode 100644 java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2+/application.properties delete mode 100644 java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2+/bad/application.properties delete mode 100644 java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2+/good/application.properties create mode 100644 java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2.x/bad/application.properties rename java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/{Version2+ => Version2.x}/bad/pom.xml (100%) create mode 100644 java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2.x/good/application.properties rename java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/{Version2+ => Version2.x}/good/pom.xml (100%) create mode 100644 java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version3.x/bad/application.properties create mode 100644 java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version3.x/bad/pom.xml create mode 100644 java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version3.x/good/application.properties create mode 100644 java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version3.x/good/pom.xml diff --git a/java/ql/lib/semmle/code/java/security/SpringBootActuatorsConfigQuery.qll b/java/ql/lib/semmle/code/java/security/SpringBootActuatorsConfigQuery.qll index f8ff20f9978..be78380ad3c 100644 --- a/java/ql/lib/semmle/code/java/security/SpringBootActuatorsConfigQuery.qll +++ b/java/ql/lib/semmle/code/java/security/SpringBootActuatorsConfigQuery.qll @@ -110,7 +110,7 @@ predicate hasConfidentialEndPointExposed(SpringBootPom pom, ApplicationPropertie me.hasSecurityDisabled() and me.getFile() = apFile and me = apOption.asSome() ) or - springBootVersion.matches("2.%") and //version 2.x + springBootVersion.matches(["2.%", "3.%"]) and //version 2.x and 3.x exists(ManagementEndPointInclude mi | mi.getFile() = apFile and mi = apOption.asSome() and @@ -121,7 +121,7 @@ predicate hasConfidentialEndPointExposed(SpringBootPom pom, ApplicationPropertie .matches([ "%dump%", "%trace%", "%logfile%", "%shutdown%", "%startup%", "%mappings%", "%env%", "%beans%", "%sessions%" - ]) // confidential endpoints to check although all endpoints apart from '/health' and '/info' are considered sensitive by Spring + ]) // confidential endpoints to check although all endpoints apart from '/health' are considered sensitive by Spring ) ) ) diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.expected b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.expected index 70a6068ab3f..5b29b16b1be 100644 --- a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.expected +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.expected @@ -1,4 +1,5 @@ -| Version1.4-/bad/default/pom.xml:29:9:32:22 | dependency | Insecure $@ of Spring Boot Actuator exposes sensitive endpoints (1.2.6.RELEASE). | file://:0:0:0:0 | (none) | configuration | -| Version1.4-/bad/false/pom.xml:29:9:32:22 | dependency | Insecure $@ of Spring Boot Actuator exposes sensitive endpoints (1.2.6.RELEASE). | Version1.4-/bad/false/application.properties:2:1:2:33 | management.security.enabled=false | configuration | -| Version1.5/bad/pom.xml:29:9:32:22 | dependency | Insecure $@ of Spring Boot Actuator exposes sensitive endpoints (1.5.6.RELEASE). | Version1.5/bad/application.properties:2:1:2:33 | management.security.enabled=false | configuration | -| Version2+/bad/pom.xml:29:9:32:22 | dependency | Insecure $@ of Spring Boot Actuator exposes sensitive endpoints (2.2.6.RELEASE). | Version2+/bad/application.properties:2:1:2:43 | management.endpoints.web.exposure.include=* | configuration | +| Version1.0.x-1.4.x/bad/default/pom.xml:29:9:32:22 | dependency | Insecure Spring Boot actuator $@ exposes sensitive endpoints (1.2.6.RELEASE). | file://:0:0:0:0 | (none) | configuration | +| Version1.0.x-1.4.x/bad/false/pom.xml:29:9:32:22 | dependency | Insecure Spring Boot actuator $@ exposes sensitive endpoints (1.2.6.RELEASE). | Version1.0.x-1.4.x/bad/false/application.properties:2:1:2:33 | management.security.enabled=false | configuration | +| Version1.5.x/bad/pom.xml:29:9:32:22 | dependency | Insecure Spring Boot actuator $@ exposes sensitive endpoints (1.5.6.RELEASE). | Version1.5.x/bad/application.properties:2:1:2:33 | management.security.enabled=false | configuration | +| Version2.x/bad/pom.xml:29:9:32:22 | dependency | Insecure Spring Boot actuator $@ exposes sensitive endpoints (2.2.6.RELEASE). | Version2.x/bad/application.properties:2:1:2:43 | management.endpoints.web.exposure.include=* | configuration | +| Version3.x/bad/pom.xml:29:9:32:22 | dependency | Insecure Spring Boot actuator $@ exposes sensitive endpoints (3.3.5). | Version3.x/bad/application.properties:2:1:2:43 | management.endpoints.web.exposure.include=* | configuration | diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/bad/default/application.properties b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.0.x-1.4.x/bad/default/application.properties similarity index 100% rename from java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/bad/default/application.properties rename to java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.0.x-1.4.x/bad/default/application.properties diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/bad/default/pom.xml b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.0.x-1.4.x/bad/default/pom.xml similarity index 100% rename from java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/bad/default/pom.xml rename to java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.0.x-1.4.x/bad/default/pom.xml diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/bad/false/application.properties b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.0.x-1.4.x/bad/false/application.properties similarity index 100% rename from java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/bad/false/application.properties rename to java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.0.x-1.4.x/bad/false/application.properties diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/bad/false/pom.xml b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.0.x-1.4.x/bad/false/pom.xml similarity index 100% rename from java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/bad/false/pom.xml rename to java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.0.x-1.4.x/bad/false/pom.xml diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/good/application.properties b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.0.x-1.4.x/good/application.properties similarity index 100% rename from java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/good/application.properties rename to java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.0.x-1.4.x/good/application.properties diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/good/pom.xml b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.0.x-1.4.x/good/pom.xml similarity index 100% rename from java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/good/pom.xml rename to java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.0.x-1.4.x/good/pom.xml diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5/bad/application.properties b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5.x/bad/application.properties similarity index 100% rename from java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5/bad/application.properties rename to java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5.x/bad/application.properties diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5/bad/pom.xml b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5.x/bad/pom.xml similarity index 100% rename from java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5/bad/pom.xml rename to java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5.x/bad/pom.xml diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5/good/application.properties b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5.x/good/application.properties similarity index 100% rename from java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5/good/application.properties rename to java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5.x/good/application.properties diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5/good/pom.xml b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5.x/good/pom.xml similarity index 100% rename from java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5/good/pom.xml rename to java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5.x/good/pom.xml diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2+/application.properties b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2+/application.properties deleted file mode 100644 index 797906a3ca3..00000000000 --- a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2+/application.properties +++ /dev/null @@ -1,14 +0,0 @@ -#management.endpoints.web.base-path=/admin - -# vulnerable configuration (spring boot 1.0 - 1.4): exposes actuators by default - -# vulnerable configuration (spring boot 1.5+): requires value false to expose sensitive actuators -management.security.enabled=false - -# vulnerable configuration (spring boot 2+): exposes health and info only by default, here overridden to expose everything -management.endpoints.web.exposure.include=* -management.endpoints.web.exposure.exclude=beans - -management.endpoint.shutdown.enabled=true - -management.endpoint.health.show-details=when_authorized \ No newline at end of file diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2+/bad/application.properties b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2+/bad/application.properties deleted file mode 100644 index a2e73d7022c..00000000000 --- a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2+/bad/application.properties +++ /dev/null @@ -1,7 +0,0 @@ -# vulnerable configuration (spring boot 2+): exposes health and info only by default, here overridden to expose everything -management.endpoints.web.exposure.include=* -management.endpoints.web.exposure.exclude=beans - -management.endpoint.shutdown.enabled=true - -management.endpoint.health.show-details=when_authorized \ No newline at end of file diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2+/good/application.properties b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2+/good/application.properties deleted file mode 100644 index c14bf64b13b..00000000000 --- a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2+/good/application.properties +++ /dev/null @@ -1,2 +0,0 @@ -# safe configuration (spring boot 2+): exposes health and info only by default, here overridden to expose one additional endpoint which we assume is intentional and safe. -management.endpoints.web.exposure.include=beans,info,health \ No newline at end of file diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2.x/bad/application.properties b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2.x/bad/application.properties new file mode 100644 index 00000000000..bbc1915b05e --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2.x/bad/application.properties @@ -0,0 +1,2 @@ +# vulnerable configuration (spring boot 2+): exposes health and info only by default, here overridden to expose everything +management.endpoints.web.exposure.include=* \ No newline at end of file diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2+/bad/pom.xml b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2.x/bad/pom.xml similarity index 100% rename from java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2+/bad/pom.xml rename to java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2.x/bad/pom.xml diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2.x/good/application.properties b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2.x/good/application.properties new file mode 100644 index 00000000000..f7e0c1b43ac --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2.x/good/application.properties @@ -0,0 +1,2 @@ +# safe configuration (spring boot 2+): exposes health and info only by default +management.endpoints.web.exposure.include=info,health \ No newline at end of file diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2+/good/pom.xml b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2.x/good/pom.xml similarity index 100% rename from java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2+/good/pom.xml rename to java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2.x/good/pom.xml diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version3.x/bad/application.properties b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version3.x/bad/application.properties new file mode 100644 index 00000000000..c5570065bae --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version3.x/bad/application.properties @@ -0,0 +1,2 @@ +# vulnerable configuration (spring boot 3+): exposes health only by default, here overridden to expose everything +management.endpoints.web.exposure.include=* \ No newline at end of file diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version3.x/bad/pom.xml b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version3.x/bad/pom.xml new file mode 100644 index 00000000000..12dab1d9421 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version3.x/bad/pom.xml @@ -0,0 +1,47 @@ + + + 4.0.0 + + spring-boot-actuator-app + spring-boot-actuator-app + 1.0-SNAPSHOT + + + UTF-8 + 1.8 + 1.8 + + + + org.springframework.boot + spring-boot-starter-parent + 3.3.5 + + + + + + org.springframework.boot + spring-boot-starter-web + + + org.springframework.boot + spring-boot-starter-actuator + + + org.springframework.boot + spring-boot-devtools + + + + org.springframework.boot + spring-boot-test + + + + \ No newline at end of file diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version3.x/good/application.properties b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version3.x/good/application.properties new file mode 100644 index 00000000000..8ba56eadc35 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version3.x/good/application.properties @@ -0,0 +1,2 @@ +# safe configuration (spring boot 3+): exposes health only by default. +management.endpoints.web.exposure.include=health \ No newline at end of file diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version3.x/good/pom.xml b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version3.x/good/pom.xml new file mode 100644 index 00000000000..a8103e681e4 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version3.x/good/pom.xml @@ -0,0 +1,47 @@ + + + 4.0.0 + + spring-boot-actuator-app + spring-boot-actuator-app + 1.0-SNAPSHOT + + + UTF-8 + 1.8 + 1.8 + + + + org.springframework.boot + spring-boot-starter-parent + 3.3.5 + + + + + + org.springframework.boot + spring-boot-starter-web + + + org.springframework.boot + spring-boot-starter-actuator + + + org.springframework.boot + spring-boot-devtools + + + org.springframework.boot + spring-boot-starter-security + + + org.springframework.boot + spring-boot-test + + + + \ No newline at end of file From 7d5e939a8604db18981a694d5a27369807474adc Mon Sep 17 00:00:00 2001 From: Jami Cogswell Date: Thu, 17 Jul 2025 16:57:53 -0400 Subject: [PATCH 0073/1955] Java: minor refactoring --- .../semmle/code/configfiles/ConfigFiles.qll | 7 +- .../SpringBootActuatorsConfigQuery.qll | 86 +++++++++---------- .../InsecureSpringActuatorConfig.ql | 10 +-- 3 files changed, 51 insertions(+), 52 deletions(-) diff --git a/java/ql/lib/semmle/code/configfiles/ConfigFiles.qll b/java/ql/lib/semmle/code/configfiles/ConfigFiles.qll index 0c69f45c56f..1655ed2d648 100644 --- a/java/ql/lib/semmle/code/configfiles/ConfigFiles.qll +++ b/java/ql/lib/semmle/code/configfiles/ConfigFiles.qll @@ -70,7 +70,12 @@ class ConfigValue extends @configValue, ConfigLocatable { override string toString() { result = this.getValue() } } +/** A `.properties` file. */ +class PropertiesFile extends File { + PropertiesFile() { this.getExtension() = "properties" } +} + /** A Java property is a name-value pair in a `.properties` file. */ class JavaProperty extends ConfigPair { - JavaProperty() { this.getFile().getExtension() = "properties" } + JavaProperty() { this.getFile() instanceof PropertiesFile } } diff --git a/java/ql/lib/semmle/code/java/security/SpringBootActuatorsConfigQuery.qll b/java/ql/lib/semmle/code/java/security/SpringBootActuatorsConfigQuery.qll index be78380ad3c..d6c889166c1 100644 --- a/java/ql/lib/semmle/code/java/security/SpringBootActuatorsConfigQuery.qll +++ b/java/ql/lib/semmle/code/java/security/SpringBootActuatorsConfigQuery.qll @@ -7,41 +7,33 @@ private import semmle.code.configfiles.ConfigFiles private import semmle.code.xml.MavenPom /** The parent node of the `org.springframework.boot` group. */ -class SpringBootParent extends Parent { +private class SpringBootParent extends Parent { SpringBootParent() { this.getGroup().getValue() = "org.springframework.boot" } } -/** Class of Spring Boot dependencies. */ +// TODO: private once done with version string debugging in alert msg. +/** A `Pom` with a Spring Boot parent node. */ class SpringBootPom extends Pom { SpringBootPom() { this.getParentElement() instanceof SpringBootParent } - /** Holds if the Spring Boot Actuator module `spring-boot-starter-actuator` is used in the project. */ - predicate isSpringBootActuatorUsed() { - this.getADependency().getArtifact().getValue() = "spring-boot-starter-actuator" - } - - /** - * Holds if the Spring Boot Security module is used in the project, which brings in other security - * related libraries. - */ + /** Holds if the Spring Boot Security module is used in the project. */ predicate isSpringBootSecurityUsed() { this.getADependency().getArtifact().getValue() = "spring-boot-starter-security" } } -/** The properties file `application.properties`. */ -class ApplicationPropertiesFile extends File { - ApplicationPropertiesFile() { this.getBaseName() = "application.properties" } +/** A dependency with artifactId `spring-boot-starter-actuator`. */ +class SpringBootStarterActuatorDependency extends Dependency { + SpringBootStarterActuatorDependency() { + this.getArtifact().getValue() = "spring-boot-starter-actuator" + } } -/** A name-value pair stored in an `application.properties` file. */ -class ApplicationPropertiesConfigPair extends ConfigPair { - ApplicationPropertiesConfigPair() { this.getFile() instanceof ApplicationPropertiesFile } -} - -/** The configuration property `management.security.enabled`. */ -class ManagementSecurityConfig extends ApplicationPropertiesConfigPair { - ManagementSecurityConfig() { this.getNameElement().getName() = "management.security.enabled" } +/** The Spring Boot configuration property `management.security.enabled`. */ +private class ManagementSecurityEnabledProperty extends JavaProperty { + ManagementSecurityEnabledProperty() { + this.getNameElement().getName() = "management.security.enabled" + } /** Gets the whitespace-trimmed value of this property. */ string getValue() { result = this.getValueElement().getValue().trim() } @@ -50,9 +42,9 @@ class ManagementSecurityConfig extends ApplicationPropertiesConfigPair { predicate hasSecurityDisabled() { this.getValue() = "false" } } -/** The configuration property `management.endpoints.web.exposure.include`. */ -class ManagementEndPointInclude extends ApplicationPropertiesConfigPair { - ManagementEndPointInclude() { +/** The Spring Boot configuration property `management.endpoints.web.exposure.include`. */ +private class ManagementEndpointsIncludeProperty extends JavaProperty { + ManagementEndpointsIncludeProperty() { this.getNameElement().getName() = "management.endpoints.web.exposure.include" } @@ -62,13 +54,13 @@ class ManagementEndPointInclude extends ApplicationPropertiesConfigPair { private newtype TOption = TNone() or - TSome(ApplicationPropertiesConfigPair ap) + TSome(JavaProperty jp) /** * An option type that is either a singleton `None` or a `Some` wrapping - * the `ApplicationPropertiesConfigPair` type. + * the `JavaProperty` type. */ -class ApplicationPropertiesOption extends TOption { +class JavaPropertyOption extends TOption { /** Gets a textual representation of this element. */ string toString() { this = TNone() and result = "(none)" @@ -80,21 +72,23 @@ class ApplicationPropertiesOption extends TOption { Location getLocation() { result = this.asSome().getLocation() } /** Gets the wrapped element, if any. */ - ApplicationPropertiesConfigPair asSome() { this = TSome(result) } + JavaProperty asSome() { this = TSome(result) } /** Holds if this option is the singleton `None`. */ predicate isNone() { this = TNone() } } /** - * Holds if `ApplicationProperties` ap of a repository managed by `SpringBootPom` pom - * has a vulnerable configuration of Spring Boot Actuator management endpoints. + * Holds if `JavaPropertyOption` jpOption of a repository using `SpringBootStarterActuatorDependency` + * d exposes sensitive Spring Boot Actuator endpoints. */ -predicate hasConfidentialEndPointExposed(SpringBootPom pom, ApplicationPropertiesOption apOption) { - pom.isSpringBootActuatorUsed() and - not pom.isSpringBootSecurityUsed() and - exists(ApplicationPropertiesFile apFile | - apFile +predicate exposesSensitiveEndpoint( + SpringBootStarterActuatorDependency d, JavaPropertyOption jpOption +) { + exists(PropertiesFile propFile, SpringBootPom pom | + d = pom.getADependency() and + not pom.isSpringBootSecurityUsed() and + propFile .getParentContainer() .getAbsolutePath() .matches(pom.getFile().getParentContainer().getAbsolutePath() + "%") and // in the same sub-directory @@ -102,26 +96,26 @@ predicate hasConfidentialEndPointExposed(SpringBootPom pom, ApplicationPropertie springBootVersion = pom.getParentElement().getVersionString() | springBootVersion.regexpMatch("1\\.[0-4].*") and // version 1.0, 1.1, ..., 1.4 - not exists(ManagementSecurityConfig me | me.getFile() = apFile) and - apOption.isNone() + not exists(ManagementSecurityEnabledProperty ep | ep.getFile() = propFile) and + jpOption.isNone() or springBootVersion.regexpMatch("1\\.[0-5].*") and // version 1.0, 1.1, ..., 1.5 - exists(ManagementSecurityConfig me | - me.hasSecurityDisabled() and me.getFile() = apFile and me = apOption.asSome() + exists(ManagementSecurityEnabledProperty ep | + ep.hasSecurityDisabled() and ep.getFile() = propFile and ep = jpOption.asSome() ) or springBootVersion.matches(["2.%", "3.%"]) and //version 2.x and 3.x - exists(ManagementEndPointInclude mi | - mi.getFile() = apFile and - mi = apOption.asSome() and + exists(ManagementEndpointsIncludeProperty ip | + ip.getFile() = propFile and + ip = jpOption.asSome() and ( - mi.getValue() = "*" // all endpoints are enabled + ip.getValue() = "*" // all endpoints are exposed or - mi.getValue() + ip.getValue() .matches([ "%dump%", "%trace%", "%logfile%", "%shutdown%", "%startup%", "%mappings%", "%env%", "%beans%", "%sessions%" - ]) // confidential endpoints to check although all endpoints apart from '/health' are considered sensitive by Spring + ]) // sensitive endpoints to check although all endpoints apart from '/health' are considered sensitive by Spring ) ) ) diff --git a/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.ql b/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.ql index 2437a77953d..989646c10af 100644 --- a/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.ql +++ b/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.ql @@ -15,11 +15,11 @@ import java import semmle.code.xml.MavenPom import semmle.code.java.security.SpringBootActuatorsConfigQuery -from SpringBootPom pom, Dependency d, ApplicationPropertiesOption apOption +from SpringBootStarterActuatorDependency d, JavaPropertyOption jpOption, SpringBootPom pom where - hasConfidentialEndPointExposed(pom, apOption) and - d = pom.getADependency() and - d.getArtifact().getValue() = "spring-boot-starter-actuator" + exposesSensitiveEndpoint(d, jpOption) and + // TODO: remove pom; for debugging versions + d = pom.getADependency() select d, "Insecure $@ of Spring Boot Actuator exposes sensitive endpoints (" + - pom.getParentElement().getVersionString() + ").", apOption, "configuration" + pom.getParentElement().getVersionString() + ").", jpOption, "configuration" From ea529b047b0223d025b0009fb95c944196a71da8 Mon Sep 17 00:00:00 2001 From: Jami Cogswell Date: Thu, 17 Jul 2025 18:12:45 -0400 Subject: [PATCH 0074/1955] Java: adjust metadata and alert msg --- .../InsecureSpringActuatorConfig.ql | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.ql b/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.ql index 989646c10af..5fb86c42b80 100644 --- a/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.ql +++ b/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.ql @@ -1,14 +1,14 @@ /** - * @name Insecure Spring Boot Actuator Configuration - * @description Exposed Spring Boot Actuator through configuration files without declarative or procedural - * security enforcement leads to information leak or even remote code execution. + * @name Exposed Spring Boot actuators in configuration file + * @description Exposing Spring Boot actuators through configuration files may lead to information leak from + * the internal application, or even to remote code execution. * @kind problem * @problem.severity error + * @security-severity 6.5 * @precision high - * @id java/insecure-spring-actuator-config + * @id java/spring-boot-exposed-actuators-config * @tags security - * experimental - * external/cwe/cwe-016 + * external/cwe/cwe-200 */ import java @@ -21,5 +21,5 @@ where // TODO: remove pom; for debugging versions d = pom.getADependency() select d, - "Insecure $@ of Spring Boot Actuator exposes sensitive endpoints (" + + "Insecure Spring Boot actuator $@ exposes sensitive endpoints (" + pom.getParentElement().getVersionString() + ").", jpOption, "configuration" From 70d51504a7372e265c0a4b500e4030590d27a8f3 Mon Sep 17 00:00:00 2001 From: Jami Cogswell Date: Thu, 17 Jul 2025 18:20:14 -0400 Subject: [PATCH 0075/1955] Java: rename to align with 'java/spring-boot-exposed-actuators' query --- .../query-suite/java-code-scanning.qls.expected | 2 +- .../java-security-and-quality.qls.expected | 2 +- .../query-suite/java-security-extended.qls.expected | 2 +- .../SpringBootActuatorsConfig.qhelp} | 0 .../SpringBootActuatorsConfig.ql} | 0 .../application_bad.properties | 0 .../application_good.properties | 0 .../pom_good.xml | 0 .../InsecureSpringActuatorConfig.qlref | 2 -- .../InsecureSpringActuatorConfig/SensitiveInfo.java | 13 ------------- .../SpringBootActuatorsConfig.expected} | 0 .../SpringBootActuatorsConfig.qlref | 2 ++ .../bad/default/application.properties | 0 .../Version1.0.x-1.4.x/bad/default/pom.xml | 0 .../bad/false/application.properties | 0 .../Version1.0.x-1.4.x/bad/false/pom.xml | 0 .../Version1.0.x-1.4.x/good/application.properties | 0 .../Version1.0.x-1.4.x/good/pom.xml | 0 .../Version1.5.x/bad/application.properties | 0 .../Version1.5.x/bad/pom.xml | 0 .../Version1.5.x/good/application.properties | 0 .../Version1.5.x/good/pom.xml | 0 .../Version2.x/bad/application.properties | 0 .../Version2.x/bad/pom.xml | 0 .../Version2.x/good/application.properties | 0 .../Version2.x/good/pom.xml | 0 .../Version3.x/bad/application.properties | 0 .../Version3.x/bad/pom.xml | 0 .../Version3.x/good/application.properties | 0 .../Version3.x/good/pom.xml | 0 .../options | 0 31 files changed, 5 insertions(+), 18 deletions(-) rename java/ql/src/Security/CWE/CWE-200/{InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.qhelp => SpringBootActuatorsConfig/SpringBootActuatorsConfig.qhelp} (100%) rename java/ql/src/Security/CWE/CWE-200/{InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.ql => SpringBootActuatorsConfig/SpringBootActuatorsConfig.ql} (100%) rename java/ql/src/Security/CWE/CWE-200/{InsecureSpringActuatorConfig => SpringBootActuatorsConfig}/application_bad.properties (100%) rename java/ql/src/Security/CWE/CWE-200/{InsecureSpringActuatorConfig => SpringBootActuatorsConfig}/application_good.properties (100%) rename java/ql/src/Security/CWE/CWE-200/{InsecureSpringActuatorConfig => SpringBootActuatorsConfig}/pom_good.xml (100%) delete mode 100644 java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.qlref delete mode 100644 java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/SensitiveInfo.java rename java/ql/test/query-tests/security/CWE-200/semmle/tests/{InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.expected => SpringBootActuatorsConfig/SpringBootActuatorsConfig.expected} (100%) create mode 100644 java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/SpringBootActuatorsConfig.qlref rename java/ql/test/query-tests/security/CWE-200/semmle/tests/{InsecureSpringActuatorConfig => SpringBootActuatorsConfig}/Version1.0.x-1.4.x/bad/default/application.properties (100%) rename java/ql/test/query-tests/security/CWE-200/semmle/tests/{InsecureSpringActuatorConfig => SpringBootActuatorsConfig}/Version1.0.x-1.4.x/bad/default/pom.xml (100%) rename java/ql/test/query-tests/security/CWE-200/semmle/tests/{InsecureSpringActuatorConfig => SpringBootActuatorsConfig}/Version1.0.x-1.4.x/bad/false/application.properties (100%) rename java/ql/test/query-tests/security/CWE-200/semmle/tests/{InsecureSpringActuatorConfig => SpringBootActuatorsConfig}/Version1.0.x-1.4.x/bad/false/pom.xml (100%) rename java/ql/test/query-tests/security/CWE-200/semmle/tests/{InsecureSpringActuatorConfig => SpringBootActuatorsConfig}/Version1.0.x-1.4.x/good/application.properties (100%) rename java/ql/test/query-tests/security/CWE-200/semmle/tests/{InsecureSpringActuatorConfig => SpringBootActuatorsConfig}/Version1.0.x-1.4.x/good/pom.xml (100%) rename java/ql/test/query-tests/security/CWE-200/semmle/tests/{InsecureSpringActuatorConfig => SpringBootActuatorsConfig}/Version1.5.x/bad/application.properties (100%) rename java/ql/test/query-tests/security/CWE-200/semmle/tests/{InsecureSpringActuatorConfig => SpringBootActuatorsConfig}/Version1.5.x/bad/pom.xml (100%) rename java/ql/test/query-tests/security/CWE-200/semmle/tests/{InsecureSpringActuatorConfig => SpringBootActuatorsConfig}/Version1.5.x/good/application.properties (100%) rename java/ql/test/query-tests/security/CWE-200/semmle/tests/{InsecureSpringActuatorConfig => SpringBootActuatorsConfig}/Version1.5.x/good/pom.xml (100%) rename java/ql/test/query-tests/security/CWE-200/semmle/tests/{InsecureSpringActuatorConfig => SpringBootActuatorsConfig}/Version2.x/bad/application.properties (100%) rename java/ql/test/query-tests/security/CWE-200/semmle/tests/{InsecureSpringActuatorConfig => SpringBootActuatorsConfig}/Version2.x/bad/pom.xml (100%) rename java/ql/test/query-tests/security/CWE-200/semmle/tests/{InsecureSpringActuatorConfig => SpringBootActuatorsConfig}/Version2.x/good/application.properties (100%) rename java/ql/test/query-tests/security/CWE-200/semmle/tests/{InsecureSpringActuatorConfig => SpringBootActuatorsConfig}/Version2.x/good/pom.xml (100%) rename java/ql/test/query-tests/security/CWE-200/semmle/tests/{InsecureSpringActuatorConfig => SpringBootActuatorsConfig}/Version3.x/bad/application.properties (100%) rename java/ql/test/query-tests/security/CWE-200/semmle/tests/{InsecureSpringActuatorConfig => SpringBootActuatorsConfig}/Version3.x/bad/pom.xml (100%) rename java/ql/test/query-tests/security/CWE-200/semmle/tests/{InsecureSpringActuatorConfig => SpringBootActuatorsConfig}/Version3.x/good/application.properties (100%) rename java/ql/test/query-tests/security/CWE-200/semmle/tests/{InsecureSpringActuatorConfig => SpringBootActuatorsConfig}/Version3.x/good/pom.xml (100%) rename java/ql/test/query-tests/security/CWE-200/semmle/tests/{InsecureSpringActuatorConfig => SpringBootActuatorsConfig}/options (100%) diff --git a/java/ql/integration-tests/java/query-suite/java-code-scanning.qls.expected b/java/ql/integration-tests/java/query-suite/java-code-scanning.qls.expected index 90b5b7ca491..afa6cebba31 100644 --- a/java/ql/integration-tests/java/query-suite/java-code-scanning.qls.expected +++ b/java/ql/integration-tests/java/query-suite/java-code-scanning.qls.expected @@ -26,8 +26,8 @@ ql/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.ql ql/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql ql/java/ql/src/Security/CWE/CWE-1204/StaticInitializationVector.ql ql/java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatString.ql -ql/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.ql ql/java/ql/src/Security/CWE/CWE-200/SpringBootActuators.ql +ql/java/ql/src/Security/CWE/CWE-200/SpringBootActuatorsConfig/SpringBootActuatorsConfig.ql ql/java/ql/src/Security/CWE/CWE-209/SensitiveDataExposureThroughErrorMessage.ql ql/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql ql/java/ql/src/Security/CWE/CWE-266/IntentUriPermissionManipulation.ql diff --git a/java/ql/integration-tests/java/query-suite/java-security-and-quality.qls.expected b/java/ql/integration-tests/java/query-suite/java-security-and-quality.qls.expected index b203ea23a62..f5470c463c3 100644 --- a/java/ql/integration-tests/java/query-suite/java-security-and-quality.qls.expected +++ b/java/ql/integration-tests/java/query-suite/java-security-and-quality.qls.expected @@ -142,8 +142,8 @@ ql/java/ql/src/Security/CWE/CWE-200/AndroidSensitiveNotifications.ql ql/java/ql/src/Security/CWE/CWE-200/AndroidSensitiveTextField.ql ql/java/ql/src/Security/CWE/CWE-200/AndroidWebViewSettingsAllowsContentAccess.ql ql/java/ql/src/Security/CWE/CWE-200/AndroidWebViewSettingsFileAccess.ql -ql/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.ql ql/java/ql/src/Security/CWE/CWE-200/SpringBootActuators.ql +ql/java/ql/src/Security/CWE/CWE-200/SpringBootActuatorsConfig/SpringBootActuatorsConfig.ql ql/java/ql/src/Security/CWE/CWE-200/TempDirLocalInformationDisclosure.ql ql/java/ql/src/Security/CWE/CWE-209/SensitiveDataExposureThroughErrorMessage.ql ql/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql diff --git a/java/ql/integration-tests/java/query-suite/java-security-extended.qls.expected b/java/ql/integration-tests/java/query-suite/java-security-extended.qls.expected index c7dac907a96..a3ebc029d28 100644 --- a/java/ql/integration-tests/java/query-suite/java-security-extended.qls.expected +++ b/java/ql/integration-tests/java/query-suite/java-security-extended.qls.expected @@ -45,8 +45,8 @@ ql/java/ql/src/Security/CWE/CWE-200/AndroidSensitiveNotifications.ql ql/java/ql/src/Security/CWE/CWE-200/AndroidSensitiveTextField.ql ql/java/ql/src/Security/CWE/CWE-200/AndroidWebViewSettingsAllowsContentAccess.ql ql/java/ql/src/Security/CWE/CWE-200/AndroidWebViewSettingsFileAccess.ql -ql/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.ql ql/java/ql/src/Security/CWE/CWE-200/SpringBootActuators.ql +ql/java/ql/src/Security/CWE/CWE-200/SpringBootActuatorsConfig/SpringBootActuatorsConfig.ql ql/java/ql/src/Security/CWE/CWE-200/TempDirLocalInformationDisclosure.ql ql/java/ql/src/Security/CWE/CWE-209/SensitiveDataExposureThroughErrorMessage.ql ql/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql diff --git a/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.qhelp b/java/ql/src/Security/CWE/CWE-200/SpringBootActuatorsConfig/SpringBootActuatorsConfig.qhelp similarity index 100% rename from java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.qhelp rename to java/ql/src/Security/CWE/CWE-200/SpringBootActuatorsConfig/SpringBootActuatorsConfig.qhelp diff --git a/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.ql b/java/ql/src/Security/CWE/CWE-200/SpringBootActuatorsConfig/SpringBootActuatorsConfig.ql similarity index 100% rename from java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.ql rename to java/ql/src/Security/CWE/CWE-200/SpringBootActuatorsConfig/SpringBootActuatorsConfig.ql diff --git a/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/application_bad.properties b/java/ql/src/Security/CWE/CWE-200/SpringBootActuatorsConfig/application_bad.properties similarity index 100% rename from java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/application_bad.properties rename to java/ql/src/Security/CWE/CWE-200/SpringBootActuatorsConfig/application_bad.properties diff --git a/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/application_good.properties b/java/ql/src/Security/CWE/CWE-200/SpringBootActuatorsConfig/application_good.properties similarity index 100% rename from java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/application_good.properties rename to java/ql/src/Security/CWE/CWE-200/SpringBootActuatorsConfig/application_good.properties diff --git a/java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/pom_good.xml b/java/ql/src/Security/CWE/CWE-200/SpringBootActuatorsConfig/pom_good.xml similarity index 100% rename from java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/pom_good.xml rename to java/ql/src/Security/CWE/CWE-200/SpringBootActuatorsConfig/pom_good.xml diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.qlref b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.qlref deleted file mode 100644 index b826de8eed3..00000000000 --- a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.qlref +++ /dev/null @@ -1,2 +0,0 @@ -query: Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.ql -postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/SensitiveInfo.java b/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/SensitiveInfo.java deleted file mode 100644 index a3ff69c1b81..00000000000 --- a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/SensitiveInfo.java +++ /dev/null @@ -1,13 +0,0 @@ -import org.springframework.stereotype.Controller; -import org.springframework.web.bind.annotation.RequestParam; -import org.springframework.web.bind.annotation.RequestMapping; - -@Controller -public class SensitiveInfo { - @RequestMapping - public void handleLogin(@RequestParam String username, @RequestParam String password) throws Exception { - if (!username.equals("") && password.equals("")) { - //Blank processing - } - } -} \ No newline at end of file diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.expected b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/SpringBootActuatorsConfig.expected similarity index 100% rename from java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.expected rename to java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/SpringBootActuatorsConfig.expected diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/SpringBootActuatorsConfig.qlref b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/SpringBootActuatorsConfig.qlref new file mode 100644 index 00000000000..eec8ba18ae1 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/SpringBootActuatorsConfig.qlref @@ -0,0 +1,2 @@ +query: Security/CWE/CWE-200/SpringBootActuatorsConfig/SpringBootActuatorsConfig.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.0.x-1.4.x/bad/default/application.properties b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version1.0.x-1.4.x/bad/default/application.properties similarity index 100% rename from java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.0.x-1.4.x/bad/default/application.properties rename to java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version1.0.x-1.4.x/bad/default/application.properties diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.0.x-1.4.x/bad/default/pom.xml b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version1.0.x-1.4.x/bad/default/pom.xml similarity index 100% rename from java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.0.x-1.4.x/bad/default/pom.xml rename to java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version1.0.x-1.4.x/bad/default/pom.xml diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.0.x-1.4.x/bad/false/application.properties b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version1.0.x-1.4.x/bad/false/application.properties similarity index 100% rename from java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.0.x-1.4.x/bad/false/application.properties rename to java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version1.0.x-1.4.x/bad/false/application.properties diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.0.x-1.4.x/bad/false/pom.xml b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version1.0.x-1.4.x/bad/false/pom.xml similarity index 100% rename from java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.0.x-1.4.x/bad/false/pom.xml rename to java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version1.0.x-1.4.x/bad/false/pom.xml diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.0.x-1.4.x/good/application.properties b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version1.0.x-1.4.x/good/application.properties similarity index 100% rename from java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.0.x-1.4.x/good/application.properties rename to java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version1.0.x-1.4.x/good/application.properties diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.0.x-1.4.x/good/pom.xml b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version1.0.x-1.4.x/good/pom.xml similarity index 100% rename from java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.0.x-1.4.x/good/pom.xml rename to java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version1.0.x-1.4.x/good/pom.xml diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5.x/bad/application.properties b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version1.5.x/bad/application.properties similarity index 100% rename from java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5.x/bad/application.properties rename to java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version1.5.x/bad/application.properties diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5.x/bad/pom.xml b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version1.5.x/bad/pom.xml similarity index 100% rename from java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5.x/bad/pom.xml rename to java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version1.5.x/bad/pom.xml diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5.x/good/application.properties b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version1.5.x/good/application.properties similarity index 100% rename from java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5.x/good/application.properties rename to java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version1.5.x/good/application.properties diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5.x/good/pom.xml b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version1.5.x/good/pom.xml similarity index 100% rename from java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5.x/good/pom.xml rename to java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version1.5.x/good/pom.xml diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2.x/bad/application.properties b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/application.properties similarity index 100% rename from java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2.x/bad/application.properties rename to java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/application.properties diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2.x/bad/pom.xml b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/pom.xml similarity index 100% rename from java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2.x/bad/pom.xml rename to java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/pom.xml diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2.x/good/application.properties b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/good/application.properties similarity index 100% rename from java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2.x/good/application.properties rename to java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/good/application.properties diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2.x/good/pom.xml b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/good/pom.xml similarity index 100% rename from java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2.x/good/pom.xml rename to java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/good/pom.xml diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version3.x/bad/application.properties b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version3.x/bad/application.properties similarity index 100% rename from java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version3.x/bad/application.properties rename to java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version3.x/bad/application.properties diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version3.x/bad/pom.xml b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version3.x/bad/pom.xml similarity index 100% rename from java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version3.x/bad/pom.xml rename to java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version3.x/bad/pom.xml diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version3.x/good/application.properties b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version3.x/good/application.properties similarity index 100% rename from java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version3.x/good/application.properties rename to java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version3.x/good/application.properties diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version3.x/good/pom.xml b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version3.x/good/pom.xml similarity index 100% rename from java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version3.x/good/pom.xml rename to java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version3.x/good/pom.xml diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/options b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/options similarity index 100% rename from java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/options rename to java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/options From 8decc136c41155adfb10c266335e02a159777f99 Mon Sep 17 00:00:00 2001 From: Jami Cogswell Date: Thu, 17 Jul 2025 18:37:53 -0400 Subject: [PATCH 0076/1955] Java: add change note --- .../change-notes/2025-07-17-spring-actuators-config-promo.md | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 java/ql/src/change-notes/2025-07-17-spring-actuators-config-promo.md diff --git a/java/ql/src/change-notes/2025-07-17-spring-actuators-config-promo.md b/java/ql/src/change-notes/2025-07-17-spring-actuators-config-promo.md new file mode 100644 index 00000000000..ec53c015fff --- /dev/null +++ b/java/ql/src/change-notes/2025-07-17-spring-actuators-config-promo.md @@ -0,0 +1,4 @@ +--- +category: newQuery +--- +* The query `java/insecure-spring-actuator-config` has been promoted from experimental to the main query pack as `java/spring-boot-exposed-actuators-config`. Its results will now appear by default. This query was originally submitted as an experimental query [by @luchua-bc](https://github.com/github/codeql/pull/5384). From 685f68d9d39f3942864eacd1daef6cd742e1eba8 Mon Sep 17 00:00:00 2001 From: Jami Cogswell Date: Fri, 18 Jul 2025 09:50:49 -0400 Subject: [PATCH 0077/1955] Java: support 'management.endpoints.web.expose' property --- .../SpringBootActuatorsConfigQuery.qll | 21 +++++---- .../bad/expose/application.properties | 2 + .../Version2.x/bad/{ => expose}/pom.xml | 0 .../application.properties | 0 .../Version2.x/bad/exposure-include/pom.xml | 47 +++++++++++++++++++ 5 files changed, 61 insertions(+), 9 deletions(-) create mode 100644 java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/expose/application.properties rename java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/{ => expose}/pom.xml (100%) rename java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/{ => exposure-include}/application.properties (100%) create mode 100644 java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/exposure-include/pom.xml diff --git a/java/ql/lib/semmle/code/java/security/SpringBootActuatorsConfigQuery.qll b/java/ql/lib/semmle/code/java/security/SpringBootActuatorsConfigQuery.qll index d6c889166c1..5f4ee632775 100644 --- a/java/ql/lib/semmle/code/java/security/SpringBootActuatorsConfigQuery.qll +++ b/java/ql/lib/semmle/code/java/security/SpringBootActuatorsConfigQuery.qll @@ -42,10 +42,13 @@ private class ManagementSecurityEnabledProperty extends JavaProperty { predicate hasSecurityDisabled() { this.getValue() = "false" } } -/** The Spring Boot configuration property `management.endpoints.web.exposure.include`. */ -private class ManagementEndpointsIncludeProperty extends JavaProperty { - ManagementEndpointsIncludeProperty() { - this.getNameElement().getName() = "management.endpoints.web.exposure.include" +/** + * The Spring Boot configuration property `management.endpoints.web.exposure.include` + * or `management.endpoints.web.expose`. + */ +private class ManagementEndpointsExposeProperty extends JavaProperty { + ManagementEndpointsExposeProperty() { + this.getNameElement().getName() = "management.endpoints.web." + ["exposure.include", "expose"] } /** Gets the whitespace-trimmed value of this property. */ @@ -105,13 +108,13 @@ predicate exposesSensitiveEndpoint( ) or springBootVersion.matches(["2.%", "3.%"]) and //version 2.x and 3.x - exists(ManagementEndpointsIncludeProperty ip | - ip.getFile() = propFile and - ip = jpOption.asSome() and + exists(ManagementEndpointsExposeProperty ep | + ep.getFile() = propFile and + ep = jpOption.asSome() and ( - ip.getValue() = "*" // all endpoints are exposed + ep.getValue() = "*" // all endpoints are exposed or - ip.getValue() + ep.getValue() .matches([ "%dump%", "%trace%", "%logfile%", "%shutdown%", "%startup%", "%mappings%", "%env%", "%beans%", "%sessions%" diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/expose/application.properties b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/expose/application.properties new file mode 100644 index 00000000000..338b1fb3a9c --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/expose/application.properties @@ -0,0 +1,2 @@ +# vulnerable configuration (spring boot 2.0.0.RC1): exposes health and info only by default, here overridden to expose everything +management.endpoints.web.expose=* \ No newline at end of file diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/pom.xml b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/expose/pom.xml similarity index 100% rename from java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/pom.xml rename to java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/expose/pom.xml diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/application.properties b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/exposure-include/application.properties similarity index 100% rename from java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/application.properties rename to java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/exposure-include/application.properties diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/exposure-include/pom.xml b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/exposure-include/pom.xml new file mode 100644 index 00000000000..c22f08d7e7e --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/exposure-include/pom.xml @@ -0,0 +1,47 @@ + + + 4.0.0 + + spring-boot-actuator-app + spring-boot-actuator-app + 1.0-SNAPSHOT + + + UTF-8 + 1.8 + 1.8 + + + + org.springframework.boot + spring-boot-starter-parent + 2.2.6.RELEASE + + + + + + org.springframework.boot + spring-boot-starter-web + + + org.springframework.boot + spring-boot-starter-actuator + + + org.springframework.boot + spring-boot-devtools + + + + org.springframework.boot + spring-boot-test + + + + \ No newline at end of file From 7250265c1f109ae9a80e695dc316b8ac3f39285f Mon Sep 17 00:00:00 2001 From: Jami Cogswell Date: Fri, 18 Jul 2025 17:32:35 -0400 Subject: [PATCH 0078/1955] Java: consider all endpoints except for health and info as sensitive to align with Spring docs --- .../SpringBootActuatorsConfigQuery.qll | 15 +++--- .../SpringBootActuatorsConfig.expected | 7 ++- .../{ => all-exposed}/application.properties | 0 .../{ => all-exposed}/pom.xml | 0 .../some-exposed/application.properties | 2 + .../bad/exposure-include/some-exposed/pom.xml | 47 +++++++++++++++++++ .../{ => all-exposed}/application.properties | 0 .../Version3.x/bad/{ => all-exposed}/pom.xml | 0 .../bad/some-exposed/application.properties | 2 + .../Version3.x/bad/some-exposed/pom.xml | 47 +++++++++++++++++++ 10 files changed, 112 insertions(+), 8 deletions(-) rename java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/exposure-include/{ => all-exposed}/application.properties (100%) rename java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/exposure-include/{ => all-exposed}/pom.xml (100%) create mode 100644 java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/exposure-include/some-exposed/application.properties create mode 100644 java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/exposure-include/some-exposed/pom.xml rename java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version3.x/bad/{ => all-exposed}/application.properties (100%) rename java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version3.x/bad/{ => all-exposed}/pom.xml (100%) create mode 100644 java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version3.x/bad/some-exposed/application.properties create mode 100644 java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version3.x/bad/some-exposed/pom.xml diff --git a/java/ql/lib/semmle/code/java/security/SpringBootActuatorsConfigQuery.qll b/java/ql/lib/semmle/code/java/security/SpringBootActuatorsConfigQuery.qll index 5f4ee632775..19cb9c30ca9 100644 --- a/java/ql/lib/semmle/code/java/security/SpringBootActuatorsConfigQuery.qll +++ b/java/ql/lib/semmle/code/java/security/SpringBootActuatorsConfigQuery.qll @@ -112,13 +112,16 @@ predicate exposesSensitiveEndpoint( ep.getFile() = propFile and ep = jpOption.asSome() and ( - ep.getValue() = "*" // all endpoints are exposed + // all endpoints are exposed + ep.getValue() = "*" or - ep.getValue() - .matches([ - "%dump%", "%trace%", "%logfile%", "%shutdown%", "%startup%", "%mappings%", - "%env%", "%beans%", "%sessions%" - ]) // sensitive endpoints to check although all endpoints apart from '/health' are considered sensitive by Spring + // version 2.x: exposes health and info only by default + springBootVersion.matches("2.%") and + not ep.getValue() = ["health", "info"] + or + // version 3.x: exposes health only by default + springBootVersion.matches("3.%") and + not ep.getValue() = "health" ) ) ) diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/SpringBootActuatorsConfig.expected b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/SpringBootActuatorsConfig.expected index 5b29b16b1be..345d001a1f5 100644 --- a/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/SpringBootActuatorsConfig.expected +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/SpringBootActuatorsConfig.expected @@ -1,5 +1,8 @@ | Version1.0.x-1.4.x/bad/default/pom.xml:29:9:32:22 | dependency | Insecure Spring Boot actuator $@ exposes sensitive endpoints (1.2.6.RELEASE). | file://:0:0:0:0 | (none) | configuration | | Version1.0.x-1.4.x/bad/false/pom.xml:29:9:32:22 | dependency | Insecure Spring Boot actuator $@ exposes sensitive endpoints (1.2.6.RELEASE). | Version1.0.x-1.4.x/bad/false/application.properties:2:1:2:33 | management.security.enabled=false | configuration | | Version1.5.x/bad/pom.xml:29:9:32:22 | dependency | Insecure Spring Boot actuator $@ exposes sensitive endpoints (1.5.6.RELEASE). | Version1.5.x/bad/application.properties:2:1:2:33 | management.security.enabled=false | configuration | -| Version2.x/bad/pom.xml:29:9:32:22 | dependency | Insecure Spring Boot actuator $@ exposes sensitive endpoints (2.2.6.RELEASE). | Version2.x/bad/application.properties:2:1:2:43 | management.endpoints.web.exposure.include=* | configuration | -| Version3.x/bad/pom.xml:29:9:32:22 | dependency | Insecure Spring Boot actuator $@ exposes sensitive endpoints (3.3.5). | Version3.x/bad/application.properties:2:1:2:43 | management.endpoints.web.exposure.include=* | configuration | +| Version2.x/bad/expose/pom.xml:29:9:32:22 | dependency | Insecure Spring Boot actuator $@ exposes sensitive endpoints (2.2.6.RELEASE). | Version2.x/bad/expose/application.properties:2:1:2:33 | management.endpoints.web.expose=* | configuration | +| Version2.x/bad/exposure-include/all-exposed/pom.xml:29:9:32:22 | dependency | Insecure Spring Boot actuator $@ exposes sensitive endpoints (2.2.6.RELEASE). | Version2.x/bad/exposure-include/all-exposed/application.properties:2:1:2:43 | management.endpoints.web.exposure.include=* | configuration | +| Version2.x/bad/exposure-include/some-exposed/pom.xml:29:9:32:22 | dependency | Insecure Spring Boot actuator $@ exposes sensitive endpoints (2.2.6.RELEASE). | Version2.x/bad/exposure-include/some-exposed/application.properties:2:1:2:59 | management.endpoints.web.exposure.include=health,info,beans | configuration | +| Version3.x/bad/all-exposed/pom.xml:29:9:32:22 | dependency | Insecure Spring Boot actuator $@ exposes sensitive endpoints (3.3.5). | Version3.x/bad/all-exposed/application.properties:2:1:2:43 | management.endpoints.web.exposure.include=* | configuration | +| Version3.x/bad/some-exposed/pom.xml:29:9:32:22 | dependency | Insecure Spring Boot actuator $@ exposes sensitive endpoints (3.3.5). | Version3.x/bad/some-exposed/application.properties:2:1:2:59 | management.endpoints.web.exposure.include=health,info,beans | configuration | diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/exposure-include/application.properties b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/exposure-include/all-exposed/application.properties similarity index 100% rename from java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/exposure-include/application.properties rename to java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/exposure-include/all-exposed/application.properties diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/exposure-include/pom.xml b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/exposure-include/all-exposed/pom.xml similarity index 100% rename from java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/exposure-include/pom.xml rename to java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/exposure-include/all-exposed/pom.xml diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/exposure-include/some-exposed/application.properties b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/exposure-include/some-exposed/application.properties new file mode 100644 index 00000000000..1f29407c192 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/exposure-include/some-exposed/application.properties @@ -0,0 +1,2 @@ +# vulnerable configuration (spring boot 2+): exposes health and info only by default, here overridden to also expose beans +management.endpoints.web.exposure.include=health,info,beans \ No newline at end of file diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/exposure-include/some-exposed/pom.xml b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/exposure-include/some-exposed/pom.xml new file mode 100644 index 00000000000..c22f08d7e7e --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version2.x/bad/exposure-include/some-exposed/pom.xml @@ -0,0 +1,47 @@ + + + 4.0.0 + + spring-boot-actuator-app + spring-boot-actuator-app + 1.0-SNAPSHOT + + + UTF-8 + 1.8 + 1.8 + + + + org.springframework.boot + spring-boot-starter-parent + 2.2.6.RELEASE + + + + + + org.springframework.boot + spring-boot-starter-web + + + org.springframework.boot + spring-boot-starter-actuator + + + org.springframework.boot + spring-boot-devtools + + + + org.springframework.boot + spring-boot-test + + + + \ No newline at end of file diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version3.x/bad/application.properties b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version3.x/bad/all-exposed/application.properties similarity index 100% rename from java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version3.x/bad/application.properties rename to java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version3.x/bad/all-exposed/application.properties diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version3.x/bad/pom.xml b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version3.x/bad/all-exposed/pom.xml similarity index 100% rename from java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version3.x/bad/pom.xml rename to java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version3.x/bad/all-exposed/pom.xml diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version3.x/bad/some-exposed/application.properties b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version3.x/bad/some-exposed/application.properties new file mode 100644 index 00000000000..27d08eac74f --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version3.x/bad/some-exposed/application.properties @@ -0,0 +1,2 @@ +# vulnerable configuration (spring boot 3+): exposes health only by default, here overridden to also expose info and beans +management.endpoints.web.exposure.include=health,info,beans \ No newline at end of file diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version3.x/bad/some-exposed/pom.xml b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version3.x/bad/some-exposed/pom.xml new file mode 100644 index 00000000000..12dab1d9421 --- /dev/null +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/Version3.x/bad/some-exposed/pom.xml @@ -0,0 +1,47 @@ + + + 4.0.0 + + spring-boot-actuator-app + spring-boot-actuator-app + 1.0-SNAPSHOT + + + UTF-8 + 1.8 + 1.8 + + + + org.springframework.boot + spring-boot-starter-parent + 3.3.5 + + + + + + org.springframework.boot + spring-boot-starter-web + + + org.springframework.boot + spring-boot-starter-actuator + + + org.springframework.boot + spring-boot-devtools + + + + org.springframework.boot + spring-boot-test + + + + \ No newline at end of file From 0dd33b273437cfa85904760e6f4b9366fca12a81 Mon Sep 17 00:00:00 2001 From: Jami Cogswell Date: Sat, 19 Jul 2025 13:01:00 -0400 Subject: [PATCH 0079/1955] Java: remove version debugging from alert message --- .../java/security/SpringBootActuatorsConfigQuery.qll | 3 +-- .../SpringBootActuatorsConfig.ql | 11 +++-------- 2 files changed, 4 insertions(+), 10 deletions(-) diff --git a/java/ql/lib/semmle/code/java/security/SpringBootActuatorsConfigQuery.qll b/java/ql/lib/semmle/code/java/security/SpringBootActuatorsConfigQuery.qll index 19cb9c30ca9..163cd46d5d8 100644 --- a/java/ql/lib/semmle/code/java/security/SpringBootActuatorsConfigQuery.qll +++ b/java/ql/lib/semmle/code/java/security/SpringBootActuatorsConfigQuery.qll @@ -11,9 +11,8 @@ private class SpringBootParent extends Parent { SpringBootParent() { this.getGroup().getValue() = "org.springframework.boot" } } -// TODO: private once done with version string debugging in alert msg. /** A `Pom` with a Spring Boot parent node. */ -class SpringBootPom extends Pom { +private class SpringBootPom extends Pom { SpringBootPom() { this.getParentElement() instanceof SpringBootParent } /** Holds if the Spring Boot Security module is used in the project. */ diff --git a/java/ql/src/Security/CWE/CWE-200/SpringBootActuatorsConfig/SpringBootActuatorsConfig.ql b/java/ql/src/Security/CWE/CWE-200/SpringBootActuatorsConfig/SpringBootActuatorsConfig.ql index 5fb86c42b80..562298257a7 100644 --- a/java/ql/src/Security/CWE/CWE-200/SpringBootActuatorsConfig/SpringBootActuatorsConfig.ql +++ b/java/ql/src/Security/CWE/CWE-200/SpringBootActuatorsConfig/SpringBootActuatorsConfig.ql @@ -15,11 +15,6 @@ import java import semmle.code.xml.MavenPom import semmle.code.java.security.SpringBootActuatorsConfigQuery -from SpringBootStarterActuatorDependency d, JavaPropertyOption jpOption, SpringBootPom pom -where - exposesSensitiveEndpoint(d, jpOption) and - // TODO: remove pom; for debugging versions - d = pom.getADependency() -select d, - "Insecure Spring Boot actuator $@ exposes sensitive endpoints (" + - pom.getParentElement().getVersionString() + ").", jpOption, "configuration" +from SpringBootStarterActuatorDependency d, JavaPropertyOption jpOption +where exposesSensitiveEndpoint(d, jpOption) +select d, "Insecure Spring Boot actuator $@ exposes sensitive endpoints.", jpOption, "configuration" From c9692a6d105cbfc1015804f6ac891704fb1f13c4 Mon Sep 17 00:00:00 2001 From: Jami Cogswell Date: Sat, 19 Jul 2025 13:27:09 -0400 Subject: [PATCH 0080/1955] Java: fix test failures cause by alert msg change --- .../SpringBootActuatorsConfig.expected | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/SpringBootActuatorsConfig.expected b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/SpringBootActuatorsConfig.expected index 345d001a1f5..8845d970df2 100644 --- a/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/SpringBootActuatorsConfig.expected +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuatorsConfig/SpringBootActuatorsConfig.expected @@ -1,8 +1,8 @@ -| Version1.0.x-1.4.x/bad/default/pom.xml:29:9:32:22 | dependency | Insecure Spring Boot actuator $@ exposes sensitive endpoints (1.2.6.RELEASE). | file://:0:0:0:0 | (none) | configuration | -| Version1.0.x-1.4.x/bad/false/pom.xml:29:9:32:22 | dependency | Insecure Spring Boot actuator $@ exposes sensitive endpoints (1.2.6.RELEASE). | Version1.0.x-1.4.x/bad/false/application.properties:2:1:2:33 | management.security.enabled=false | configuration | -| Version1.5.x/bad/pom.xml:29:9:32:22 | dependency | Insecure Spring Boot actuator $@ exposes sensitive endpoints (1.5.6.RELEASE). | Version1.5.x/bad/application.properties:2:1:2:33 | management.security.enabled=false | configuration | -| Version2.x/bad/expose/pom.xml:29:9:32:22 | dependency | Insecure Spring Boot actuator $@ exposes sensitive endpoints (2.2.6.RELEASE). | Version2.x/bad/expose/application.properties:2:1:2:33 | management.endpoints.web.expose=* | configuration | -| Version2.x/bad/exposure-include/all-exposed/pom.xml:29:9:32:22 | dependency | Insecure Spring Boot actuator $@ exposes sensitive endpoints (2.2.6.RELEASE). | Version2.x/bad/exposure-include/all-exposed/application.properties:2:1:2:43 | management.endpoints.web.exposure.include=* | configuration | -| Version2.x/bad/exposure-include/some-exposed/pom.xml:29:9:32:22 | dependency | Insecure Spring Boot actuator $@ exposes sensitive endpoints (2.2.6.RELEASE). | Version2.x/bad/exposure-include/some-exposed/application.properties:2:1:2:59 | management.endpoints.web.exposure.include=health,info,beans | configuration | -| Version3.x/bad/all-exposed/pom.xml:29:9:32:22 | dependency | Insecure Spring Boot actuator $@ exposes sensitive endpoints (3.3.5). | Version3.x/bad/all-exposed/application.properties:2:1:2:43 | management.endpoints.web.exposure.include=* | configuration | -| Version3.x/bad/some-exposed/pom.xml:29:9:32:22 | dependency | Insecure Spring Boot actuator $@ exposes sensitive endpoints (3.3.5). | Version3.x/bad/some-exposed/application.properties:2:1:2:59 | management.endpoints.web.exposure.include=health,info,beans | configuration | +| Version1.0.x-1.4.x/bad/default/pom.xml:29:9:32:22 | dependency | Insecure Spring Boot actuator $@ exposes sensitive endpoints. | file://:0:0:0:0 | (none) | configuration | +| Version1.0.x-1.4.x/bad/false/pom.xml:29:9:32:22 | dependency | Insecure Spring Boot actuator $@ exposes sensitive endpoints. | Version1.0.x-1.4.x/bad/false/application.properties:2:1:2:33 | management.security.enabled=false | configuration | +| Version1.5.x/bad/pom.xml:29:9:32:22 | dependency | Insecure Spring Boot actuator $@ exposes sensitive endpoints. | Version1.5.x/bad/application.properties:2:1:2:33 | management.security.enabled=false | configuration | +| Version2.x/bad/expose/pom.xml:29:9:32:22 | dependency | Insecure Spring Boot actuator $@ exposes sensitive endpoints. | Version2.x/bad/expose/application.properties:2:1:2:33 | management.endpoints.web.expose=* | configuration | +| Version2.x/bad/exposure-include/all-exposed/pom.xml:29:9:32:22 | dependency | Insecure Spring Boot actuator $@ exposes sensitive endpoints. | Version2.x/bad/exposure-include/all-exposed/application.properties:2:1:2:43 | management.endpoints.web.exposure.include=* | configuration | +| Version2.x/bad/exposure-include/some-exposed/pom.xml:29:9:32:22 | dependency | Insecure Spring Boot actuator $@ exposes sensitive endpoints. | Version2.x/bad/exposure-include/some-exposed/application.properties:2:1:2:59 | management.endpoints.web.exposure.include=health,info,beans | configuration | +| Version3.x/bad/all-exposed/pom.xml:29:9:32:22 | dependency | Insecure Spring Boot actuator $@ exposes sensitive endpoints. | Version3.x/bad/all-exposed/application.properties:2:1:2:43 | management.endpoints.web.exposure.include=* | configuration | +| Version3.x/bad/some-exposed/pom.xml:29:9:32:22 | dependency | Insecure Spring Boot actuator $@ exposes sensitive endpoints. | Version3.x/bad/some-exposed/application.properties:2:1:2:59 | management.endpoints.web.exposure.include=health,info,beans | configuration | From bca2c2da548d6918ce6d9fde1dac2a41a4331f87 Mon Sep 17 00:00:00 2001 From: Jami Cogswell Date: Sat, 19 Jul 2025 19:29:00 -0400 Subject: [PATCH 0081/1955] Java: Add 'previous-id' and adjust tags for 'java/garbage-collection' and 'java/do-not-use-finalizers' --- .../query-suite/java-code-quality-extended.qls.expected | 1 + .../Undesirable Calls/CallsToRunFinalizersOnExit.ql | 7 +++++-- .../Undesirable Calls/GarbageCollection.ql | 6 ++++-- java/ql/src/change-notes/2025-07-19-adjust-tags.md | 5 +++++ 4 files changed, 15 insertions(+), 4 deletions(-) create mode 100644 java/ql/src/change-notes/2025-07-19-adjust-tags.md diff --git a/java/ql/integration-tests/java/query-suite/java-code-quality-extended.qls.expected b/java/ql/integration-tests/java/query-suite/java-code-quality-extended.qls.expected index 7a1a986b2aa..4a736437995 100644 --- a/java/ql/integration-tests/java/query-suite/java-code-quality-extended.qls.expected +++ b/java/ql/integration-tests/java/query-suite/java-code-quality-extended.qls.expected @@ -80,6 +80,7 @@ ql/java/ql/src/Violations of Best Practice/Naming Conventions/LocalShadowsFieldC ql/java/ql/src/Violations of Best Practice/Naming Conventions/SameNameAsSuper.ql ql/java/ql/src/Violations of Best Practice/Records/IgnoredSerializationMembersOfRecordClass.ql ql/java/ql/src/Violations of Best Practice/SpecialCharactersInLiterals/NonExplicitControlAndWhitespaceCharsInLiterals.ql +ql/java/ql/src/Violations of Best Practice/Undesirable Calls/CallsToRunFinalizersOnExit.ql ql/java/ql/src/Violations of Best Practice/Undesirable Calls/CallsToStringToString.ql ql/java/ql/src/Violations of Best Practice/Undesirable Calls/DefaultToString.ql ql/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.ql diff --git a/java/ql/src/Violations of Best Practice/Undesirable Calls/CallsToRunFinalizersOnExit.ql b/java/ql/src/Violations of Best Practice/Undesirable Calls/CallsToRunFinalizersOnExit.ql index c2ffe45b520..568be1805e6 100644 --- a/java/ql/src/Violations of Best Practice/Undesirable Calls/CallsToRunFinalizersOnExit.ql +++ b/java/ql/src/Violations of Best Practice/Undesirable Calls/CallsToRunFinalizersOnExit.ql @@ -7,8 +7,11 @@ * @problem.severity error * @precision medium * @id java/run-finalizers-on-exit - * @tags reliability - * maintainability + * @previous-id java/do-not-use-finalizers + * @tags quality + * reliability + * correctness + * performance */ import java diff --git a/java/ql/src/Violations of Best Practice/Undesirable Calls/GarbageCollection.ql b/java/ql/src/Violations of Best Practice/Undesirable Calls/GarbageCollection.ql index 1067bdcb6dc..620177cc58c 100644 --- a/java/ql/src/Violations of Best Practice/Undesirable Calls/GarbageCollection.ql +++ b/java/ql/src/Violations of Best Practice/Undesirable Calls/GarbageCollection.ql @@ -6,8 +6,10 @@ * @problem.severity recommendation * @precision low * @id java/garbage-collection - * @tags reliability - * maintainability + * @previous-id java/do-not-use-finalizers + * @tags quality + * reliability + * correctness */ import java diff --git a/java/ql/src/change-notes/2025-07-19-adjust-tags.md b/java/ql/src/change-notes/2025-07-19-adjust-tags.md new file mode 100644 index 00000000000..0067adebdaf --- /dev/null +++ b/java/ql/src/change-notes/2025-07-19-adjust-tags.md @@ -0,0 +1,5 @@ +--- +category: queryMetadata +--- +* The tag `maintainability` has been removed from `java/run-finalizers-on-exit` and the tags `quality`, `correctness`, and `performance` have been added. +* The tag `maintainability` has been removed from `java/garbage-collection` and the tags `quality` and `correctness` have been added. From 793f92129162ecbe8d280bc3a3e55b0940bbe013 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= Date: Wed, 16 Jul 2025 10:38:05 +0200 Subject: [PATCH 0082/1955] [DIFF-INFORMED] C#: ConditionalBypass https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/csharp/ql/src/Security%20Features/CWE-807/ConditionalBypass.ql#L22 --- .../csharp/security/dataflow/ConditionalBypassQuery.qll | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/ConditionalBypassQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/ConditionalBypassQuery.qll index f92bb0d2f44..ee345780654 100644 --- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/ConditionalBypassQuery.qll +++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/ConditionalBypassQuery.qll @@ -39,6 +39,15 @@ private module ConditionalBypassConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } + + Location getASelectedSinkLocation(DataFlow::Node sink) { + result = sink.getLocation() + or + // from ConditionalBypass.ql + result = sink.(Sink).getSensitiveMethodCall().getLocation() + } } /** From 7f085e6bd937ad3663c009c65889ec62542496d5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= Date: Wed, 16 Jul 2025 10:40:56 +0200 Subject: [PATCH 0083/1955] [DIFF-INFORMED] C#: UnsafeDeserializationQuery https://github.com/d10c/codeql/blob/57c8b6e2299f5d6e991bd1a198a58692b6d6e016/csharp/ql/src/Security%20Features/CWE-502/UnsafeDeserializationUntrustedInput.ql#L59 --- .../dataflow/UnsafeDeserializationQuery.qll | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/UnsafeDeserializationQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/UnsafeDeserializationQuery.qll index 5d9d18dcbac..27f6ab6935f 100644 --- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/UnsafeDeserializationQuery.qll +++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/UnsafeDeserializationQuery.qll @@ -59,6 +59,10 @@ private module TaintToObjectMethodTrackingConfig implements DataFlow::ConfigSig predicate isSink(DataFlow::Node sink) { sink instanceof InstanceMethodSink } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { + any() // used in one of the disjuncts in UnsafeDeserializationUntrustedInput.ql + } } /** @@ -77,6 +81,10 @@ private module JsonConvertTrackingConfig implements DataFlow::ConfigSig { } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { + any() // used in one of the disjuncts in UnsafeDeserializationUntrustedInput.ql + } } /** @@ -133,6 +141,10 @@ private module TypeNameTrackingConfig implements DataFlow::ConfigSig { ) ) } + + predicate observeDiffInformedIncrementalMode() { + none() // Only used as secondary config in UnsafeDeserializationUntrustedInput.ql + } } /** @@ -149,6 +161,10 @@ private module TaintToConstructorOrStaticMethodTrackingConfig implements DataFlo predicate isSink(DataFlow::Node sink) { sink instanceof ConstructorOrStaticMethodSink } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { + any() // used in one of the disjuncts in UnsafeDeserializationUntrustedInput.ql + } } /** @@ -186,6 +202,10 @@ private module TaintToObjectTypeTrackingConfig implements DataFlow::ConfigSig { oc.getObjectType() instanceof StrongTypeDeserializer ) } + + predicate observeDiffInformedIncrementalMode() { + none() // only used as secondary config in UnsafeDeserializationUntrustedInput.ql + } } /** @@ -210,6 +230,10 @@ private module WeakTypeCreationToUsageTrackingConfig implements DataFlow::Config sink.asExpr() = mc.getQualifier() ) } + + predicate observeDiffInformedIncrementalMode() { + none() // only used as secondary config in UnsafeDeserializationUntrustedInput.ql + } } /** From b2fd58eea435d902bfdfe853ba5225dab3bfbe59 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= Date: Wed, 16 Jul 2025 10:42:09 +0200 Subject: [PATCH 0084/1955] [DIFF-INFORMED] C#: ThreadUnsafeCryptoTransformLambda --- csharp/ql/src/Likely Bugs/ThreadUnsafeICryptoTransformLambda.ql | 2 ++ 1 file changed, 2 insertions(+) diff --git a/csharp/ql/src/Likely Bugs/ThreadUnsafeICryptoTransformLambda.ql b/csharp/ql/src/Likely Bugs/ThreadUnsafeICryptoTransformLambda.ql index 9f70760ba60..8fcef4d4744 100644 --- a/csharp/ql/src/Likely Bugs/ThreadUnsafeICryptoTransformLambda.ql +++ b/csharp/ql/src/Likely Bugs/ThreadUnsafeICryptoTransformLambda.ql @@ -24,6 +24,8 @@ module NotThreadSafeCryptoUsageIntoParallelInvokeConfig implements DataFlow::Con } predicate isSink(DataFlow::Node sink) { sink instanceof ParallelSink } + + predicate observeDiffInformedIncrementalMode() { any() } } module NotThreadSafeCryptoUsageIntoParallelInvoke = From 218fcbbec5eea8c63715c41a82f9588ab48bf58a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= Date: Wed, 16 Jul 2025 10:42:36 +0200 Subject: [PATCH 0085/1955] [DIFF-INFORMED] C#: HardcodedConnectionString --- .../Security Features/CWE-798/HardcodedConnectionString.ql | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/csharp/ql/src/Security Features/CWE-798/HardcodedConnectionString.ql b/csharp/ql/src/Security Features/CWE-798/HardcodedConnectionString.ql index 32508fa9d3f..1e33ed6a1fd 100644 --- a/csharp/ql/src/Security Features/CWE-798/HardcodedConnectionString.ql +++ b/csharp/ql/src/Security Features/CWE-798/HardcodedConnectionString.ql @@ -38,6 +38,12 @@ module ConnectionStringConfig implements DataFlow::ConfigSig { } predicate isBarrier(DataFlow::Node node) { node instanceof StringFormatSanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } + + Location getASelectedSinkLocation(DataFlow::Node sink) { + any(Call call | call.getAnArgument() = sink.asExpr()).getLocation() = result + } } /** From b4b848a25c8663942af6c80ee18fda7ee2acaf09 Mon Sep 17 00:00:00 2001 From: Kevin Stubbings Date: Mon, 21 Jul 2025 21:53:35 +0000 Subject: [PATCH 0086/1955] Fix tests and simplify sanitizer --- go/ql/lib/ext/os.model.yml | 1 + .../lib/semmle/go/security/TaintedPathCustomizations.qll | 9 +-------- .../semmle/go/frameworks/StdlibTaintFlow/Os.go | 2 +- go/ql/test/query-tests/Security/CWE-022/TaintedPath.go | 2 +- 4 files changed, 4 insertions(+), 10 deletions(-) diff --git a/go/ql/lib/ext/os.model.yml b/go/ql/lib/ext/os.model.yml index 66316b4ff35..7d2070b53ba 100644 --- a/go/ql/lib/ext/os.model.yml +++ b/go/ql/lib/ext/os.model.yml @@ -28,6 +28,7 @@ extensions: - ["os", "", False, "ReadDir", "", "", "Argument[0]", "path-injection", "manual"] - ["os", "", False, "ReadFile", "", "", "Argument[0]", "path-injection", "manual"] - ["os", "", False, "MkdirTemp", "", "", "Argument[0..1]", "path-injection", "manual"] + - ["os", "", False, "CreateTemp", "", "", "Argument[0]", "path-injection", "manual"] - ["os", "", False, "WriteFile", "", "", "Argument[0]", "path-injection", "manual"] # command-injection - ["os", "", False, "StartProcess", "", "", "Argument[0]", "command-injection", "manual"] diff --git a/go/ql/lib/semmle/go/security/TaintedPathCustomizations.qll b/go/ql/lib/semmle/go/security/TaintedPathCustomizations.qll index 760de2d9c54..ac6ea8c9835 100644 --- a/go/ql/lib/semmle/go/security/TaintedPathCustomizations.qll +++ b/go/ql/lib/semmle/go/security/TaintedPathCustomizations.qll @@ -87,14 +87,7 @@ module TaintedPath { exists(DataFlow::CallNode cleanCall, StringOps::Concatenation concatNode | cleanCall = any(Function f | f.hasQualifiedName("path/filepath", "Clean")).getACall() and concatNode = cleanCall.getArgument(0) and - ( - concatNode.getOperand(0).asExpr().(StringLit).getValue() = "/" - or - exists(DeclaredConstant dc | - dc.hasQualifiedName("os", "PathSeparator") and - dc.getAReference() = concatNode.getOperand(0).asExpr().getAChildExpr*() - ) - ) and + concatNode.getOperand(0).getStringValue().prefix(1) = ["/", "\\"] and this = cleanCall.getResult() ) } diff --git a/go/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/Os.go b/go/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/Os.go index b27c5d1f47c..859a3bbd3bd 100644 --- a/go/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/Os.go +++ b/go/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/Os.go @@ -178,6 +178,6 @@ func fsAccesses() { os.ReadDir(path) // $ fsaccess=path os.ReadFile(path) // $ fsaccess=path os.MkdirTemp(path, part) // $ fsaccess=path fsaccess=part - os.CreateTemp(path, part) // $ fsaccess=path fsaccess=part + os.CreateTemp(path, part) // $ fsaccess=path os.WriteFile(path, []byte{}, 0600) // $ fsaccess=path } diff --git a/go/ql/test/query-tests/Security/CWE-022/TaintedPath.go b/go/ql/test/query-tests/Security/CWE-022/TaintedPath.go index 3949d8408a1..a6519acea00 100644 --- a/go/ql/test/query-tests/Security/CWE-022/TaintedPath.go +++ b/go/ql/test/query-tests/Security/CWE-022/TaintedPath.go @@ -66,7 +66,7 @@ func handler(w http.ResponseWriter, r *http.Request) { // GOOD: Sanitized by filepath.Clean with a prepended os.PathSeparator forcing interpretation // as an absolute path, so that Clean will throw away any leading `..` components. - data, _ = ioutil.ReadFile(filepath.Clean(string(os.PathSeparator) + tainted_path)) + data, _ = ioutil.ReadFile(filepath.Clean(string(os.PathSeparator) + "hardcoded" + tainted_path)) w.Write(data) // BAD: Sanitized by path.Clean with a prepended '/' forcing interpretation From e2f3c9d1b6c84b48c3d3dbcef86ce9b8ec02918a Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com> Date: Tue, 22 Jul 2025 00:09:37 +0100 Subject: [PATCH 0087/1955] Reword change note --- go/ql/lib/change-notes/2025-07-15-path-injection-sanitizers.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/go/ql/lib/change-notes/2025-07-15-path-injection-sanitizers.md b/go/ql/lib/change-notes/2025-07-15-path-injection-sanitizers.md index 69596cf98d9..004eb973de3 100644 --- a/go/ql/lib/change-notes/2025-07-15-path-injection-sanitizers.md +++ b/go/ql/lib/change-notes/2025-07-15-path-injection-sanitizers.md @@ -1,4 +1,5 @@ --- category: minorAnalysis --- -* Remove model `CreateTemp` function, from the `os` package, as a path-injection sink due to proper sanitization by Go. Add check for `os.PathSeparator` in sanitizers for path-injection query. \ No newline at end of file +* The second argument of the `CreateTemp` function, from the `os` package, is no longer a path-injection sink due to proper sanitization by Go. +* The query "Uncontrolled data used in path expression" (`go/path-injection`) now detects sanitizing a path by adding `os.PathSeparator` or `\` to the beginning. \ No newline at end of file From 73d257e538c5fefb3dcad71ef4f69f23c6f49262 Mon Sep 17 00:00:00 2001 From: Joe Farebrother Date: Wed, 23 Jul 2025 14:13:58 +0100 Subject: [PATCH 0088/1955] Port unexpected raise away from pointsto --- .../IncorrectRaiseInSpecialMethod.ql | 160 ++++++++++++------ 1 file changed, 105 insertions(+), 55 deletions(-) diff --git a/python/ql/src/Functions/IncorrectRaiseInSpecialMethod.ql b/python/ql/src/Functions/IncorrectRaiseInSpecialMethod.ql index 4bf52af9061..5df5f64116e 100644 --- a/python/ql/src/Functions/IncorrectRaiseInSpecialMethod.ql +++ b/python/ql/src/Functions/IncorrectRaiseInSpecialMethod.ql @@ -12,16 +12,18 @@ */ import python +import semmle.python.ApiGraphs +import semmle.python.dataflow.new.internal.DataFlowDispatch -private predicate attribute_method(string name) { +private predicate attributeMethod(string name) { name = "__getattribute__" or name = "__getattr__" or name = "__setattr__" } -private predicate indexing_method(string name) { +private predicate indexingMethod(string name) { name = "__getitem__" or name = "__setitem__" or name = "__delitem__" } -private predicate arithmetic_method(string name) { +private predicate arithmeticMethod(string name) { name in [ "__add__", "__sub__", "__or__", "__xor__", "__rshift__", "__pow__", "__mul__", "__neg__", "__radd__", "__rsub__", "__rdiv__", "__rfloordiv__", "__div__", "__rdiv__", "__rlshift__", @@ -32,7 +34,7 @@ private predicate arithmetic_method(string name) { ] } -private predicate ordering_method(string name) { +private predicate orderingMethod(string name) { name = "__lt__" or name = "__le__" @@ -40,13 +42,9 @@ private predicate ordering_method(string name) { name = "__gt__" or name = "__ge__" - or - name = "__cmp__" and major_version() = 2 } -private predicate cast_method(string name) { - name = "__nonzero__" and major_version() = 2 - or +private predicate castMethod(string name) { name = "__int__" or name = "__float__" @@ -58,63 +56,115 @@ private predicate cast_method(string name) { name = "__complex__" } -predicate correct_raise(string name, ClassObject ex) { - ex.getAnImproperSuperType() = theTypeErrorType() and +predicate correctRaise(string name, Expr exec) { + execIsOfType(exec, "TypeError") and ( - name = "__copy__" or - name = "__deepcopy__" or - name = "__call__" or - indexing_method(name) or - attribute_method(name) + indexingMethod(name) or + attributeMethod(name) ) or - preferred_raise(name, ex) - or - preferred_raise(name, ex.getASuperType()) + exists(string execName | + preferredRaise(name, execName, _) and + execIsOfType(exec, execName) + ) } -predicate preferred_raise(string name, ClassObject ex) { - attribute_method(name) and ex = theAttributeErrorType() +predicate preferredRaise(string name, string execName, string message) { + // TODO: execName should be an IPA type + attributeMethod(name) and + execName = "AttributeError" and + message = "should raise an AttributeError instead." or - indexing_method(name) and ex = Object::builtin("LookupError") + indexingMethod(name) and + execName = "LookupError" and + message = "should raise a LookupError (KeyError or IndexError) instead." or - ordering_method(name) and ex = theTypeErrorType() + orderingMethod(name) and + execName = "TypeError" and + message = "should raise a TypeError, or return NotImplemented instead." or - arithmetic_method(name) and ex = Object::builtin("ArithmeticError") + arithmeticMethod(name) and + execName = "ArithmeticError" and + message = "should raise an ArithmeticError, or return NotImplemented instead." or - name = "__bool__" and ex = theTypeErrorType() + name = "__bool__" and + execName = "TypeError" and + message = "should raise a TypeError instead." } -predicate no_need_to_raise(string name, string message) { - name = "__hash__" and message = "use __hash__ = None instead" - or - cast_method(name) and message = "there is no need to implement the method at all." -} - -predicate is_abstract(FunctionObject func) { - func.getFunction().getADecorator().(Name).getId().matches("%abstract%") -} - -predicate always_raises(FunctionObject f, ClassObject ex) { - ex = f.getARaisedType() and - strictcount(f.getARaisedType()) = 1 and - not exists(f.getFunction().getANormalExit()) and - /* raising StopIteration is equivalent to a return in a generator */ - not ex = theStopIterationType() -} - -from FunctionObject f, ClassObject cls, string message -where - f.getFunction().isSpecialMethod() and - not is_abstract(f) and - always_raises(f, cls) and - ( - no_need_to_raise(f.getName(), message) and not cls.getName() = "NotImplementedError" +predicate execIsOfType(Expr exec, string execName) { + exists(string subclass | + execName = "TypeError" and + subclass = "TypeError" or - not correct_raise(f.getName(), cls) and - not cls.getName() = "NotImplementedError" and - exists(ClassObject preferred | preferred_raise(f.getName(), preferred) | - message = "raise " + preferred.getName() + " instead" + execName = "LookupError" and + subclass = ["LookupError", "KeyError", "IndexError"] + or + execName = "ArithmeticError" and + subclass = ["ArithmeticError", "FloatingPointError", "OverflowError", "ZeroDivisionError"] + or + execName = "AttributeError" and + subclass = "AttributeError" + | + exec = API::builtin(subclass).getACall().asExpr() + or + exec = API::builtin(subclass).getASubclass().getACall().asExpr() + ) +} + +predicate noNeedToAlwaysRaise(Function meth, string message, boolean allowNotImplemented) { + meth.getName() = "__hash__" and + message = "use __hash__ = None instead." and + allowNotImplemented = false + or + castMethod(meth.getName()) and + message = "this method does not need to be implemented." and + allowNotImplemented = true and + not exists(Function overridden | + overridden.getName() = meth.getName() and + overridden.getScope() = getADirectSuperclass+(meth.getScope()) and + alwaysRaises(overridden, _) + ) +} + +predicate isAbstract(Function func) { func.getADecorator().(Name).getId().matches("%abstract%") } + +predicate alwaysRaises(Function f, Expr exec) { + directlyRaises(f, exec) and + strictcount(Expr e | directlyRaises(f, e)) = 1 and + not exists(f.getANormalExit()) +} + +predicate directlyRaises(Function f, Expr exec) { + exists(Raise r | + r.getScope() = f and + exec = r.getException() and + not exec = API::builtin("StopIteration").asSource().asExpr() + ) +} + +predicate isNotImplementedError(Expr exec) { + exec = API::builtin("NotImplementedError").getACall().asExpr() +} + +from Function f, Expr exec, string message +where + f.isSpecialMethod() and + not isAbstract(f) and + directlyRaises(f, exec) and + ( + exists(boolean allowNotImplemented, string subMessage | + alwaysRaises(f, exec) and + noNeedToAlwaysRaise(f, subMessage, allowNotImplemented) and + (allowNotImplemented = false or not isNotImplementedError(exec)) and + message = "This method always raises $@ - " + subMessage + ) + or + alwaysRaises(f, exec) and // for now consider only alwaysRaises cases as original query + not isNotImplementedError(exec) and + not correctRaise(f.getName(), exec) and + exists(string subMessage | preferredRaise(f.getName(), _, subMessage) | + message = "This method always raises $@ - " + subMessage ) ) -select f, "Function always raises $@; " + message, cls, cls.toString() +select f, message, exec, exec.toString() // TODO: remove tostring From b9738066de1d9d67f73b452a16c3aea22e3a0470 Mon Sep 17 00:00:00 2001 From: Joe Farebrother Date: Thu, 24 Jul 2025 11:18:28 +0100 Subject: [PATCH 0089/1955] try excluding set methods, add methods, update alert messages --- .../IncorrectRaiseInSpecialMethod.ql | 55 ++++++++++--------- 1 file changed, 29 insertions(+), 26 deletions(-) diff --git a/python/ql/src/Functions/IncorrectRaiseInSpecialMethod.ql b/python/ql/src/Functions/IncorrectRaiseInSpecialMethod.ql index 5df5f64116e..0c61b0cf775 100644 --- a/python/ql/src/Functions/IncorrectRaiseInSpecialMethod.ql +++ b/python/ql/src/Functions/IncorrectRaiseInSpecialMethod.ql @@ -16,15 +16,16 @@ import semmle.python.ApiGraphs import semmle.python.dataflow.new.internal.DataFlowDispatch private predicate attributeMethod(string name) { - name = "__getattribute__" or name = "__getattr__" or name = "__setattr__" + name = ["__getattribute__", "__getattr__"] // __setattr__ excluded as it makes sense to raise different kinds of errors based on the `value` parameter } private predicate indexingMethod(string name) { - name = "__getitem__" or name = "__setitem__" or name = "__delitem__" + name = ["__getitem__", "__delitem__"] // __setitem__ excluded as it makes sense to raise different kinds of errors based on the `value` parameter } private predicate arithmeticMethod(string name) { - name in [ + name = + [ "__add__", "__sub__", "__or__", "__xor__", "__rshift__", "__pow__", "__mul__", "__neg__", "__radd__", "__rsub__", "__rdiv__", "__rfloordiv__", "__div__", "__rdiv__", "__rlshift__", "__rand__", "__ror__", "__rxor__", "__rrshift__", "__rpow__", "__rmul__", "__truediv__", @@ -35,32 +36,32 @@ private predicate arithmeticMethod(string name) { } private predicate orderingMethod(string name) { - name = "__lt__" - or - name = "__le__" - or - name = "__gt__" - or - name = "__ge__" + name = + [ + "__lt__", + "__le__", + "__gt__", + "__ge__", + ] } private predicate castMethod(string name) { - name = "__int__" - or - name = "__float__" - or - name = "__long__" - or - name = "__trunc__" - or - name = "__complex__" + name = + [ + "__int__", + "__float__", + "__long__", + "__trunc__", + "__complex__" + ] } predicate correctRaise(string name, Expr exec) { execIsOfType(exec, "TypeError") and ( indexingMethod(name) or - attributeMethod(name) + attributeMethod(name) or + name = ["__add__", "__iadd__", "__radd__"] ) or exists(string execName | @@ -81,11 +82,11 @@ predicate preferredRaise(string name, string execName, string message) { or orderingMethod(name) and execName = "TypeError" and - message = "should raise a TypeError, or return NotImplemented instead." + message = "should raise a TypeError or return NotImplemented instead." or arithmeticMethod(name) and execName = "ArithmeticError" and - message = "should raise an ArithmeticError, or return NotImplemented instead." + message = "should raise an ArithmeticError or return NotImplemented instead." or name = "__bool__" and execName = "TypeError" and @@ -120,6 +121,7 @@ predicate noNeedToAlwaysRaise(Function meth, string message, boolean allowNotImp castMethod(meth.getName()) and message = "this method does not need to be implemented." and allowNotImplemented = true and + // Allow an always raising cast method if it's overriding other behavior not exists(Function overridden | overridden.getName() = meth.getName() and overridden.getScope() = getADirectSuperclass+(meth.getScope()) and @@ -139,7 +141,7 @@ predicate directlyRaises(Function f, Expr exec) { exists(Raise r | r.getScope() = f and exec = r.getException() and - not exec = API::builtin("StopIteration").asSource().asExpr() + exec instanceof Call ) } @@ -156,15 +158,16 @@ where exists(boolean allowNotImplemented, string subMessage | alwaysRaises(f, exec) and noNeedToAlwaysRaise(f, subMessage, allowNotImplemented) and - (allowNotImplemented = false or not isNotImplementedError(exec)) and + (allowNotImplemented = true implies not isNotImplementedError(exec)) and // don't alert if it's a NotImplementedError and that's ok message = "This method always raises $@ - " + subMessage ) or - alwaysRaises(f, exec) and // for now consider only alwaysRaises cases as original query not isNotImplementedError(exec) and not correctRaise(f.getName(), exec) and exists(string subMessage | preferredRaise(f.getName(), _, subMessage) | - message = "This method always raises $@ - " + subMessage + if alwaysRaises(f, exec) + then message = "This method always raises $@ - " + subMessage + else message = "This method raises $@ - " + subMessage ) ) select f, message, exec, exec.toString() // TODO: remove tostring From b9f6657adedbbc121ad63f32ee8ce5b1133a0aa1 Mon Sep 17 00:00:00 2001 From: Joe Farebrother Date: Thu, 24 Jul 2025 13:50:27 +0100 Subject: [PATCH 0090/1955] Remove use of toString. This does also reduce reaults from cases where the exception is not a simple identifier. --- python/ql/src/Functions/IncorrectRaiseInSpecialMethod.ql | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/python/ql/src/Functions/IncorrectRaiseInSpecialMethod.ql b/python/ql/src/Functions/IncorrectRaiseInSpecialMethod.ql index 0c61b0cf775..ca1996a1e01 100644 --- a/python/ql/src/Functions/IncorrectRaiseInSpecialMethod.ql +++ b/python/ql/src/Functions/IncorrectRaiseInSpecialMethod.ql @@ -71,7 +71,6 @@ predicate correctRaise(string name, Expr exec) { } predicate preferredRaise(string name, string execName, string message) { - // TODO: execName should be an IPA type attributeMethod(name) and execName = "AttributeError" and message = "should raise an AttributeError instead." @@ -94,6 +93,7 @@ predicate preferredRaise(string name, string execName, string message) { } predicate execIsOfType(Expr exec, string execName) { + // Might make sense to have execName be an IPA type here. Or part of a more general API modelling builtin/stdlib subclass relations. exists(string subclass | execName = "TypeError" and subclass = "TypeError" @@ -149,6 +149,8 @@ predicate isNotImplementedError(Expr exec) { exec = API::builtin("NotImplementedError").getACall().asExpr() } +string getExecName(Expr exec) { result = exec.(Call).getFunc().(Name).getId() } + from Function f, Expr exec, string message where f.isSpecialMethod() and @@ -170,4 +172,4 @@ where else message = "This method raises $@ - " + subMessage ) ) -select f, message, exec, exec.toString() // TODO: remove tostring +select f, message, exec, getExecName(exec) From 362bfba0496e494c85177eb8771cccbc1ac12c58 Mon Sep 17 00:00:00 2001 From: Joe Farebrother Date: Thu, 24 Jul 2025 14:50:36 +0100 Subject: [PATCH 0091/1955] Update unit tests --- .../IncorrectRaiseInSpecialMethod.ql | 9 +-- .../IncorrectRaiseInSpecialMethod.expected | 6 ++ .../IncorrectRaiseInSpecialMethod.qlref | 2 + .../IncorrectRaiseInSpcialMethod/test.py | 66 +++++++++++++++++++ .../IncorrectRaiseInSpecialMethod.expected | 3 - .../IncorrectRaiseInSpecialMethod.qlref | 1 - 6 files changed, 79 insertions(+), 8 deletions(-) create mode 100644 python/ql/test/query-tests/Functions/IncorrectRaiseInSpcialMethod/IncorrectRaiseInSpecialMethod.expected create mode 100644 python/ql/test/query-tests/Functions/IncorrectRaiseInSpcialMethod/IncorrectRaiseInSpecialMethod.qlref create mode 100644 python/ql/test/query-tests/Functions/IncorrectRaiseInSpcialMethod/test.py delete mode 100644 python/ql/test/query-tests/Functions/general/IncorrectRaiseInSpecialMethod.expected delete mode 100644 python/ql/test/query-tests/Functions/general/IncorrectRaiseInSpecialMethod.qlref diff --git a/python/ql/src/Functions/IncorrectRaiseInSpecialMethod.ql b/python/ql/src/Functions/IncorrectRaiseInSpecialMethod.ql index ca1996a1e01..12107821aa6 100644 --- a/python/ql/src/Functions/IncorrectRaiseInSpecialMethod.ql +++ b/python/ql/src/Functions/IncorrectRaiseInSpecialMethod.ql @@ -7,7 +7,7 @@ * error-handling * @problem.severity recommendation * @sub-severity high - * @precision very-high + * @precision high * @id py/unexpected-raise-in-special-method */ @@ -16,7 +16,7 @@ import semmle.python.ApiGraphs import semmle.python.dataflow.new.internal.DataFlowDispatch private predicate attributeMethod(string name) { - name = ["__getattribute__", "__getattr__"] // __setattr__ excluded as it makes sense to raise different kinds of errors based on the `value` parameter + name = ["__getattribute__", "__getattr__", "__delattr__"] // __setattr__ excluded as it makes sense to raise different kinds of errors based on the `value` parameter } private predicate indexingMethod(string name) { @@ -50,7 +50,7 @@ private predicate castMethod(string name) { [ "__int__", "__float__", - "__long__", + "__index__", "__trunc__", "__complex__" ] @@ -61,6 +61,7 @@ predicate correctRaise(string name, Expr exec) { ( indexingMethod(name) or attributeMethod(name) or + // Allow add methods to raise a TypeError, as they can be used for sequence concatenation as well as arithmetic name = ["__add__", "__iadd__", "__radd__"] ) or @@ -125,7 +126,7 @@ predicate noNeedToAlwaysRaise(Function meth, string message, boolean allowNotImp not exists(Function overridden | overridden.getName() = meth.getName() and overridden.getScope() = getADirectSuperclass+(meth.getScope()) and - alwaysRaises(overridden, _) + not alwaysRaises(overridden, _) ) } diff --git a/python/ql/test/query-tests/Functions/IncorrectRaiseInSpcialMethod/IncorrectRaiseInSpecialMethod.expected b/python/ql/test/query-tests/Functions/IncorrectRaiseInSpcialMethod/IncorrectRaiseInSpecialMethod.expected new file mode 100644 index 00000000000..3907a725ee1 --- /dev/null +++ b/python/ql/test/query-tests/Functions/IncorrectRaiseInSpcialMethod/IncorrectRaiseInSpecialMethod.expected @@ -0,0 +1,6 @@ +| test.py:6:5:6:33 | Function __getitem__ | This method always raises $@ - should raise a LookupError (KeyError or IndexError) instead. | test.py:7:15:7:33 | ZeroDivisionError() | ZeroDivisionError | +| test.py:9:5:9:32 | Function __getattr__ | This method always raises $@ - should raise an AttributeError instead. | test.py:10:15:10:33 | ZeroDivisionError() | ZeroDivisionError | +| test.py:12:5:12:23 | Function __bool__ | This method always raises $@ - should raise a TypeError instead. | test.py:13:15:13:26 | ValueError() | ValueError | +| test.py:15:5:15:22 | Function __int__ | This method always raises $@ - this method does not need to be implemented. | test.py:16:15:16:26 | ValueError() | ValueError | +| test.py:24:5:24:23 | Function __hash__ | This method always raises $@ - use __hash__ = None instead. | test.py:25:15:25:35 | NotImplementedError() | NotImplementedError | +| test.py:28:5:28:29 | Function __sub__ | This method raises $@ - should raise an ArithmeticError or return NotImplemented instead. | test.py:30:19:30:29 | TypeError() | TypeError | diff --git a/python/ql/test/query-tests/Functions/IncorrectRaiseInSpcialMethod/IncorrectRaiseInSpecialMethod.qlref b/python/ql/test/query-tests/Functions/IncorrectRaiseInSpcialMethod/IncorrectRaiseInSpecialMethod.qlref new file mode 100644 index 00000000000..a81e499ea66 --- /dev/null +++ b/python/ql/test/query-tests/Functions/IncorrectRaiseInSpcialMethod/IncorrectRaiseInSpecialMethod.qlref @@ -0,0 +1,2 @@ +query: Functions/IncorrectRaiseInSpecialMethod.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql \ No newline at end of file diff --git a/python/ql/test/query-tests/Functions/IncorrectRaiseInSpcialMethod/test.py b/python/ql/test/query-tests/Functions/IncorrectRaiseInSpcialMethod/test.py new file mode 100644 index 00000000000..d5b1bc585f6 --- /dev/null +++ b/python/ql/test/query-tests/Functions/IncorrectRaiseInSpcialMethod/test.py @@ -0,0 +1,66 @@ +class A: + + def __add__(self, other): # No alert - Always allow NotImplementedError + raise NotImplementedError() + + def __getitem__(self, index): # $ Alert + raise ZeroDivisionError() + + def __getattr__(self, name): # $ Alert + raise ZeroDivisionError() + + def __bool__(self): # $ Alert + raise ValueError() + + def __int__(self): # $ Alert # Cast method need not be defined to always raise + raise ValueError() + + def __float__(self): # No alert - OK to raise conditionally + if self.z: + return 0 + else: + raise ValueError() + + def __hash__(self): # $ Alert # should use __hash__=None rather than stub implementation to make class unhashable + raise NotImplementedError() + +class B: + def __sub__(self, other): # $ Alert # should return NotImplemented instead + if not isinstance(other,B): + raise TypeError() + return self + + def __add__(self, other): # No alert - allow add to raise a TypeError, as it is sometimes used for sequence concatenation as well as arithmetic + if not isinstance(other,B): + raise TypeError() + return self + + def __setitem__(self, key, val): # No alert - allow setitem to raise arbitrary exceptions as they could be due to the value, rather than a LookupError relating to the key + if val < 0: + raise ValueError() + + def __getitem__(self, key): # No alert - indexing method allowed to raise TypeError or subclasses of LookupError. + if not isinstance(key, int): + raise TypeError() + if key < 0: + raise KeyError() + return 3 + + def __getattribute__(self, name): + if name != "a": + raise AttributeError() + return 2 + + def __div__(self, other): + if other == 0: + raise ZeroDivisionError() + return self + + +class D: + def __int__(self): + return 2 + +class E(D): + def __int__(self): # No alert - cast method may override to raise exception + raise TypeError() \ No newline at end of file diff --git a/python/ql/test/query-tests/Functions/general/IncorrectRaiseInSpecialMethod.expected b/python/ql/test/query-tests/Functions/general/IncorrectRaiseInSpecialMethod.expected deleted file mode 100644 index dd4429de02e..00000000000 --- a/python/ql/test/query-tests/Functions/general/IncorrectRaiseInSpecialMethod.expected +++ /dev/null @@ -1,3 +0,0 @@ -| protocols.py:98:5:98:33 | Function __getitem__ | Function always raises $@; raise LookupError instead | file://:Compiled Code:0:0:0:0 | builtin-class ZeroDivisionError | builtin-class ZeroDivisionError | -| protocols.py:101:5:101:26 | Function __getattr__ | Function always raises $@; raise AttributeError instead | file://:Compiled Code:0:0:0:0 | builtin-class ZeroDivisionError | builtin-class ZeroDivisionError | -| protocols.py:104:5:104:23 | Function __bool__ | Function always raises $@; raise TypeError instead | file://:Compiled Code:0:0:0:0 | builtin-class ZeroDivisionError | builtin-class ZeroDivisionError | diff --git a/python/ql/test/query-tests/Functions/general/IncorrectRaiseInSpecialMethod.qlref b/python/ql/test/query-tests/Functions/general/IncorrectRaiseInSpecialMethod.qlref deleted file mode 100644 index 07fd22a9376..00000000000 --- a/python/ql/test/query-tests/Functions/general/IncorrectRaiseInSpecialMethod.qlref +++ /dev/null @@ -1 +0,0 @@ -Functions/IncorrectRaiseInSpecialMethod.ql \ No newline at end of file From 871688f02617921452a77f50aba33fd8c5b4dbe5 Mon Sep 17 00:00:00 2001 From: Joe Farebrother Date: Thu, 24 Jul 2025 16:01:57 +0100 Subject: [PATCH 0092/1955] Update docs --- .../IncorrectRaiseInSpecialMethod.py | 16 -------- .../IncorrectRaiseInSpecialMethod.qhelp | 40 +++++++++---------- .../IncorrectRaiseInSpecialMethod2.py | 15 ------- .../IncorrectRaiseInSpecialMethod3.py | 27 ------------- .../examples/IncorrectRaiseInSpecialMethod.py | 22 ++++++++++ .../IncorrectRaiseInSpecialMethod2.py | 7 ++++ .../IncorrectRaiseInSpecialMethod3.py | 4 ++ 7 files changed, 52 insertions(+), 79 deletions(-) delete mode 100644 python/ql/src/Functions/IncorrectRaiseInSpecialMethod.py delete mode 100644 python/ql/src/Functions/IncorrectRaiseInSpecialMethod2.py delete mode 100644 python/ql/src/Functions/IncorrectRaiseInSpecialMethod3.py create mode 100644 python/ql/src/Functions/examples/IncorrectRaiseInSpecialMethod.py create mode 100644 python/ql/src/Functions/examples/IncorrectRaiseInSpecialMethod2.py create mode 100644 python/ql/src/Functions/examples/IncorrectRaiseInSpecialMethod3.py diff --git a/python/ql/src/Functions/IncorrectRaiseInSpecialMethod.py b/python/ql/src/Functions/IncorrectRaiseInSpecialMethod.py deleted file mode 100644 index e76c27145db..00000000000 --- a/python/ql/src/Functions/IncorrectRaiseInSpecialMethod.py +++ /dev/null @@ -1,16 +0,0 @@ -#Incorrect unhashable class -class MyMutableThing(object): - - def __init__(self): - pass - - def __hash__(self): - raise NotImplementedError("%r is unhashable" % self) - -#Make class unhashable in the standard way -class MyCorrectMutableThing(object): - - def __init__(self): - pass - - __hash__ = None diff --git a/python/ql/src/Functions/IncorrectRaiseInSpecialMethod.qhelp b/python/ql/src/Functions/IncorrectRaiseInSpecialMethod.qhelp index f4f0cd6920a..a0c3463b9d1 100644 --- a/python/ql/src/Functions/IncorrectRaiseInSpecialMethod.qhelp +++ b/python/ql/src/Functions/IncorrectRaiseInSpecialMethod.qhelp @@ -9,7 +9,7 @@ When the expression a + b is evaluated the Python virtual machine w is not implemented it will call type(b).__radd__(b, a).

    Since the virtual machine calls these special methods for common expressions, users of the class will expect these operations to raise standard exceptions. -For example, users would expect that the expression a.b might raise an AttributeError +For example, users would expect that the expression a.b may raise an AttributeError if the object a does not have an attribute b. If a KeyError were raised instead, then this would be unexpected and may break code that expected an AttributeError, but not a KeyError. @@ -20,18 +20,18 @@ Therefore, if a method is unable to perform the expected operation then its resp

      -
    • Attribute access, a.b: Raise AttributeError
      • -
    • Arithmetic operations, a + b: Do not raise an exception, return NotImplemented instead.
      • -
    • Indexing, a[b]: Raise KeyError.
      • -
    • Hashing, hash(a): Use __hash__ = None to indicate that an object is unhashable.
      • -
    • Equality methods, a != b: Never raise an exception, always return True or False.
      • -
    • Ordering comparison methods, a < b: Raise a TypeError if the objects cannot be ordered.
      • +
    • Attribute access, a.b (__getattr__): Raise AttributeError
      • +
    • Arithmetic operations, a + b (__add__): Do not raise an exception, return NotImplemented instead.
      • +
    • Indexing, a[b] (__getitem__): Raise KeyError or IndexError.
      • +
    • Hashing, hash(a) (__hash__): Should not raise an exception. Use __hash__ = None to indicate that an object is unhashable rather than raising an exception.
      • +
    • Equality methods, a == b (__eq__): Never raise an exception, always return True or False.
      • +
    • Ordering comparison methods, a < b (__lt__): Raise a TypeError if the objects cannot be ordered.
    • Most others: Ideally, do not implement the method at all, otherwise raise TypeError to indicate that the operation is unsupported.
    -

    If the method is meant to be abstract, then declare it so using the @abstractmethod decorator. +

    If the method is intended to be abstract, then declare it so using the @abstractmethod decorator. Otherwise, either remove the method or ensure that the method raises an exception of the correct type.

    @@ -39,31 +39,29 @@ Otherwise, either remove the method or ensure that the method raises an exceptio

    -This example shows two unhashable classes. The first class is unhashable in a non-standard way which may cause maintenance problems. -The second, corrected, class uses the standard idiom for unhashable classes. +In the following example, the __add__ method of A raises a TypeError if other is of the wrong type. +However, it should return NotImplemented instead of rising an exception, to allow other classes to support adding to A. +This is demonstrated in the class B.

    - +

    -In this example, the first class is implicitly abstract; the __add__ method is unimplemented, -presumably with the expectation that it will be implemented by sub-classes. -The second class makes this explicit with an @abstractmethod decoration on the unimplemented __add__ method. +In the following example, the __getitem__ method of C raises a ValueError, rather than a KeyError or IndexError as expected.

    - +

    -In this last example, the first class implements a collection backed by the file store. -However, should an IOError be raised in the __getitem__ it will propagate to the caller. -The second class handles any IOError by reraising a KeyError which is the standard exception for -the __getitem__ method. +In the following example, the class __hash__ method of D raises TypeError. +This causes D to be incorrectly identified as hashable by isinstance(obj, collections.abc.Hashable); so the correct +way to make a class unhashable is to set __hash__ = None.

    - +
  • Python Language Reference: Special Method Names.
    • -
  • Python Library Reference: Exceptions.
    • +
  • Python Library Reference: Exceptions.
    • diff --git a/python/ql/src/Functions/IncorrectRaiseInSpecialMethod2.py b/python/ql/src/Functions/IncorrectRaiseInSpecialMethod2.py deleted file mode 100644 index 405400bfe61..00000000000 --- a/python/ql/src/Functions/IncorrectRaiseInSpecialMethod2.py +++ /dev/null @@ -1,15 +0,0 @@ - -#Abstract base class, but don't declare it. -class ImplicitAbstractClass(object): - - def __add__(self, other): - raise NotImplementedError() - -#Make abstractness explicit. -class ExplicitAbstractClass: - __metaclass__ = ABCMeta - - @abstractmethod - def __add__(self, other): - raise NotImplementedError() - diff --git a/python/ql/src/Functions/IncorrectRaiseInSpecialMethod3.py b/python/ql/src/Functions/IncorrectRaiseInSpecialMethod3.py deleted file mode 100644 index 048d5043b4d..00000000000 --- a/python/ql/src/Functions/IncorrectRaiseInSpecialMethod3.py +++ /dev/null @@ -1,27 +0,0 @@ - -#Incorrect file-backed table -class FileBackedTable(object): - - def __getitem__(self, key): - if key not in self.index: - raise IOError("Key '%s' not in table" % key) - else: - #May raise an IOError - return self.backing.get_row(key) - -#Correct by transforming exception -class ObjectLikeFileBackedTable(object): - - def get_from_key(self, key): - if key not in self.index: - raise IOError("Key '%s' not in table" % key) - else: - #May raise an IOError - return self.backing.get_row(key) - - def __getitem__(self, key): - try: - return self.get_from_key(key) - except IOError: - raise KeyError(key) - diff --git a/python/ql/src/Functions/examples/IncorrectRaiseInSpecialMethod.py b/python/ql/src/Functions/examples/IncorrectRaiseInSpecialMethod.py new file mode 100644 index 00000000000..77c623bef79 --- /dev/null +++ b/python/ql/src/Functions/examples/IncorrectRaiseInSpecialMethod.py @@ -0,0 +1,22 @@ +class A: + def __init__(self, a): + self.a = a + + def __add__(self, other): + # BAD: Should return NotImplemented instead of raising + if not isinstance(other,A): + raise TypeError(f"Cannot add A to {other.__type__}") + return A(self.a + other.a) + +class B: + def __init__(self, a): + self.a = a + + def __add__(self, other): + # GOOD: Returning NotImplemented allows for other classes to support adding do B. + if not isinstance(other,B): + return NotImplemented + return B(self.a + other.a) + + + diff --git a/python/ql/src/Functions/examples/IncorrectRaiseInSpecialMethod2.py b/python/ql/src/Functions/examples/IncorrectRaiseInSpecialMethod2.py new file mode 100644 index 00000000000..ba5f90f4670 --- /dev/null +++ b/python/ql/src/Functions/examples/IncorrectRaiseInSpecialMethod2.py @@ -0,0 +1,7 @@ +class C: + def __getitem__(self, idx): + if self.idx < 0: + # BAD: Should raise a KeyError or IndexError instead. + raise ValueError("Invalid index") + return self.lookup(idx) + diff --git a/python/ql/src/Functions/examples/IncorrectRaiseInSpecialMethod3.py b/python/ql/src/Functions/examples/IncorrectRaiseInSpecialMethod3.py new file mode 100644 index 00000000000..84ce9d18d27 --- /dev/null +++ b/python/ql/src/Functions/examples/IncorrectRaiseInSpecialMethod3.py @@ -0,0 +1,4 @@ +class D: + def __hash__(self): + # BAD: Use `__hash__ = None` instead. + raise NotImplementedError(f"{self.__type__} is unhashable.") \ No newline at end of file From 3525e83ad2d8609491931c9e46ae9431dc6981aa Mon Sep 17 00:00:00 2001 From: Joe Farebrother Date: Fri, 25 Jul 2025 09:52:54 +0100 Subject: [PATCH 0093/1955] Add changenote + some doc updates --- python/ql/src/Functions/IncorrectRaiseInSpecialMethod.qhelp | 6 +++--- python/ql/src/Functions/IncorrectRaiseInSpecialMethod.ql | 2 +- .../2025-07-25-unexpected-raise-special-method.md | 5 +++++ 3 files changed, 9 insertions(+), 4 deletions(-) create mode 100644 python/ql/src/change-notes/2025-07-25-unexpected-raise-special-method.md diff --git a/python/ql/src/Functions/IncorrectRaiseInSpecialMethod.qhelp b/python/ql/src/Functions/IncorrectRaiseInSpecialMethod.qhelp index a0c3463b9d1..d6ce2167b8c 100644 --- a/python/ql/src/Functions/IncorrectRaiseInSpecialMethod.qhelp +++ b/python/ql/src/Functions/IncorrectRaiseInSpecialMethod.qhelp @@ -20,18 +20,18 @@ Therefore, if a method is unable to perform the expected operation then its resp

      -
    • Attribute access, a.b (__getattr__): Raise AttributeError
      • +
    • Attribute access, a.b (__getattr__): Raise AttributeError.
    • Arithmetic operations, a + b (__add__): Do not raise an exception, return NotImplemented instead.
    • Indexing, a[b] (__getitem__): Raise KeyError or IndexError.
    • Hashing, hash(a) (__hash__): Should not raise an exception. Use __hash__ = None to indicate that an object is unhashable rather than raising an exception.
    • Equality methods, a == b (__eq__): Never raise an exception, always return True or False.
    • Ordering comparison methods, a < b (__lt__): Raise a TypeError if the objects cannot be ordered.
      • -
    • Most others: Ideally, do not implement the method at all, otherwise raise TypeError to indicate that the operation is unsupported.
      • +
    • Most others: If the operation is never supported, the method often does not need to be implemented at all; otherwise a TypeError should be raised.
    -

    If the method is intended to be abstract, then declare it so using the @abstractmethod decorator. +

    If the method is intended to be abstract, and thus always raise an exception, then declare it so using the @abstractmethod decorator. Otherwise, either remove the method or ensure that the method raises an exception of the correct type.

    diff --git a/python/ql/src/Functions/IncorrectRaiseInSpecialMethod.ql b/python/ql/src/Functions/IncorrectRaiseInSpecialMethod.ql index 12107821aa6..3232ef51a2d 100644 --- a/python/ql/src/Functions/IncorrectRaiseInSpecialMethod.ql +++ b/python/ql/src/Functions/IncorrectRaiseInSpecialMethod.ql @@ -94,7 +94,7 @@ predicate preferredRaise(string name, string execName, string message) { } predicate execIsOfType(Expr exec, string execName) { - // Might make sense to have execName be an IPA type here. Or part of a more general API modelling builtin/stdlib subclass relations. + // Might make sense to have execName be an IPA type here. Or part of a more general API modeling builtin/stdlib subclass relations. exists(string subclass | execName = "TypeError" and subclass = "TypeError" diff --git a/python/ql/src/change-notes/2025-07-25-unexpected-raise-special-method.md b/python/ql/src/change-notes/2025-07-25-unexpected-raise-special-method.md new file mode 100644 index 00000000000..4b79dbc3b81 --- /dev/null +++ b/python/ql/src/change-notes/2025-07-25-unexpected-raise-special-method.md @@ -0,0 +1,5 @@ +--- +category: minorAnalysis +--- +* The `py/unexpected-raise-in-special-method` query has been modernized. It produces additional results in cases where the exception is +only raised conditionally. Its precision has been changed from `very-high` to `high`. \ No newline at end of file From 8bdf6801b3b92b40135dcfbab56a75c6f75b0ad8 Mon Sep 17 00:00:00 2001 From: Joe Farebrother Date: Fri, 25 Jul 2025 10:05:09 +0100 Subject: [PATCH 0094/1955] Add qldoc --- .../IncorrectRaiseInSpecialMethod.ql | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/python/ql/src/Functions/IncorrectRaiseInSpecialMethod.ql b/python/ql/src/Functions/IncorrectRaiseInSpecialMethod.ql index 3232ef51a2d..fbb02822bf7 100644 --- a/python/ql/src/Functions/IncorrectRaiseInSpecialMethod.ql +++ b/python/ql/src/Functions/IncorrectRaiseInSpecialMethod.ql @@ -15,14 +15,17 @@ import python import semmle.python.ApiGraphs import semmle.python.dataflow.new.internal.DataFlowDispatch +/** Holds if `name` is the name of a special method for attribute access such as `a.b`, that should raise an `AttributeError`. */ private predicate attributeMethod(string name) { name = ["__getattribute__", "__getattr__", "__delattr__"] // __setattr__ excluded as it makes sense to raise different kinds of errors based on the `value` parameter } +/** Holds if `name` is the name of a special method for indexing operations such as `a[b]`, that should raise a `LookupError`. */ private predicate indexingMethod(string name) { name = ["__getitem__", "__delitem__"] // __setitem__ excluded as it makes sense to raise different kinds of errors based on the `value` parameter } +/** Holds if `name` is the name of a special method for arithmetic operations. */ private predicate arithmeticMethod(string name) { name = [ @@ -35,6 +38,7 @@ private predicate arithmeticMethod(string name) { ] } +/** Holds if `name is the name of a special method for ordering operations such as `a < b`. */ private predicate orderingMethod(string name) { name = [ @@ -45,6 +49,7 @@ private predicate orderingMethod(string name) { ] } +/** Holds if `name` is the name of a special method for casting an object to a numeric type, such as `int(x)` */ private predicate castMethod(string name) { name = [ @@ -53,9 +58,10 @@ private predicate castMethod(string name) { "__index__", "__trunc__", "__complex__" - ] + ] // __bool__ excluded as it makes sense to allow it to always raise } +/** Holds if we allow a special method named `name` to raise `exec` as an exception. */ predicate correctRaise(string name, Expr exec) { execIsOfType(exec, "TypeError") and ( @@ -71,6 +77,7 @@ predicate correctRaise(string name, Expr exec) { ) } +/** Holds if it is preferred for `name` to raise exceptions of type `execName`. `message` is the alert message. */ predicate preferredRaise(string name, string execName, string message) { attributeMethod(name) and execName = "AttributeError" and @@ -93,6 +100,7 @@ predicate preferredRaise(string name, string execName, string message) { message = "should raise a TypeError instead." } +/** Holds if `exec` is an exception object of the type named `execName`. */ predicate execIsOfType(Expr exec, string execName) { // Might make sense to have execName be an IPA type here. Or part of a more general API modeling builtin/stdlib subclass relations. exists(string subclass | @@ -114,6 +122,10 @@ predicate execIsOfType(Expr exec, string execName) { ) } +/** + * Holds if `meth` need not be implemented if it always raises. `message` is the alert message, and `allowNotImplemented` is true + * if we still allow the method to always raise `NotImplementedError`. + */ predicate noNeedToAlwaysRaise(Function meth, string message, boolean allowNotImplemented) { meth.getName() = "__hash__" and message = "use __hash__ = None instead." and @@ -130,14 +142,17 @@ predicate noNeedToAlwaysRaise(Function meth, string message, boolean allowNotImp ) } +/** Holds if `func` has a decorator likely marking it as an abstract method. */ predicate isAbstract(Function func) { func.getADecorator().(Name).getId().matches("%abstract%") } +/** Holds if `f` always raises the exception `exec`. */ predicate alwaysRaises(Function f, Expr exec) { directlyRaises(f, exec) and strictcount(Expr e | directlyRaises(f, e)) = 1 and not exists(f.getANormalExit()) } +/** Holds if `f` directly raises `expr` using a `raise` statement. */ predicate directlyRaises(Function f, Expr exec) { exists(Raise r | r.getScope() = f and @@ -146,10 +161,12 @@ predicate directlyRaises(Function f, Expr exec) { ) } +/** Holds if `exec` is a `NotImplementedError`. */ predicate isNotImplementedError(Expr exec) { exec = API::builtin("NotImplementedError").getACall().asExpr() } +/** Gets the name of the builtin exception type `exec` constructs, if it can be determined. */ string getExecName(Expr exec) { result = exec.(Call).getFunc().(Name).getId() } from Function f, Expr exec, string message From 9af2ab83dc66df7fd48501bf3f6ed75c2b6bba35 Mon Sep 17 00:00:00 2001 From: Joe Farebrother Date: Fri, 25 Jul 2025 10:22:51 +0100 Subject: [PATCH 0095/1955] Cleanups --- .../src/Functions/IncorrectRaiseInSpecialMethod.ql | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/python/ql/src/Functions/IncorrectRaiseInSpecialMethod.ql b/python/ql/src/Functions/IncorrectRaiseInSpecialMethod.ql index fbb02822bf7..07c6fb1c5d3 100644 --- a/python/ql/src/Functions/IncorrectRaiseInSpecialMethod.ql +++ b/python/ql/src/Functions/IncorrectRaiseInSpecialMethod.ql @@ -30,11 +30,11 @@ private predicate arithmeticMethod(string name) { name = [ "__add__", "__sub__", "__or__", "__xor__", "__rshift__", "__pow__", "__mul__", "__neg__", - "__radd__", "__rsub__", "__rdiv__", "__rfloordiv__", "__div__", "__rdiv__", "__rlshift__", - "__rand__", "__ror__", "__rxor__", "__rrshift__", "__rpow__", "__rmul__", "__truediv__", - "__rtruediv__", "__pos__", "__iadd__", "__isub__", "__idiv__", "__ifloordiv__", "__idiv__", - "__ilshift__", "__iand__", "__ior__", "__ixor__", "__irshift__", "__abs__", "__ipow__", - "__imul__", "__itruediv__", "__floordiv__", "__div__", "__divmod__", "__lshift__", "__and__" + "__radd__", "__rsub__", "__rdiv__", "__rfloordiv__", "__rlshift__", "__rand__", "__ror__", + "__rxor__", "__rrshift__", "__rpow__", "__rmul__", "__truediv__", "__rtruediv__", "__pos__", + "__iadd__", "__isub__", "__idiv__", "__ifloordiv__", "__idiv__", "__ilshift__", "__iand__", + "__ior__", "__ixor__", "__irshift__", "__abs__", "__ipow__", "__imul__", "__itruediv__", + "__floordiv__", "__div__", "__divmod__", "__lshift__", "__and__" ] } @@ -152,7 +152,7 @@ predicate alwaysRaises(Function f, Expr exec) { not exists(f.getANormalExit()) } -/** Holds if `f` directly raises `expr` using a `raise` statement. */ +/** Holds if `f` directly raises `exec` using a `raise` statement. */ predicate directlyRaises(Function f, Expr exec) { exists(Raise r | r.getScope() = f and From d7b855c4e379fef782a45f79e07ecc3305a6cc54 Mon Sep 17 00:00:00 2001 From: Joe Farebrother Date: Fri, 25 Jul 2025 10:24:58 +0100 Subject: [PATCH 0096/1955] qhelp fix --- python/ql/src/Functions/IncorrectRaiseInSpecialMethod.qhelp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/python/ql/src/Functions/IncorrectRaiseInSpecialMethod.qhelp b/python/ql/src/Functions/IncorrectRaiseInSpecialMethod.qhelp index d6ce2167b8c..42d7d421b0a 100644 --- a/python/ql/src/Functions/IncorrectRaiseInSpecialMethod.qhelp +++ b/python/ql/src/Functions/IncorrectRaiseInSpecialMethod.qhelp @@ -49,7 +49,7 @@ In the following example, the __getitem__ method of C

    -In the following example, the class __hash__ method of D raises TypeError. +In the following example, the class __hash__ method of D raises NotImplementedError. This causes D to be incorrectly identified as hashable by isinstance(obj, collections.abc.Hashable); so the correct way to make a class unhashable is to set __hash__ = None.

    From 958fddb638b4ae13f2682b1fe984fc5af67e3138 Mon Sep 17 00:00:00 2001 From: Joe Farebrother Date: Fri, 25 Jul 2025 10:57:19 +0100 Subject: [PATCH 0097/1955] cleanup order and remove duplicates for arithmetic methods --- .../src/Functions/IncorrectRaiseInSpecialMethod.ql | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/python/ql/src/Functions/IncorrectRaiseInSpecialMethod.ql b/python/ql/src/Functions/IncorrectRaiseInSpecialMethod.ql index 07c6fb1c5d3..3cd7e0fe987 100644 --- a/python/ql/src/Functions/IncorrectRaiseInSpecialMethod.ql +++ b/python/ql/src/Functions/IncorrectRaiseInSpecialMethod.ql @@ -29,12 +29,13 @@ private predicate indexingMethod(string name) { private predicate arithmeticMethod(string name) { name = [ - "__add__", "__sub__", "__or__", "__xor__", "__rshift__", "__pow__", "__mul__", "__neg__", - "__radd__", "__rsub__", "__rdiv__", "__rfloordiv__", "__rlshift__", "__rand__", "__ror__", - "__rxor__", "__rrshift__", "__rpow__", "__rmul__", "__truediv__", "__rtruediv__", "__pos__", - "__iadd__", "__isub__", "__idiv__", "__ifloordiv__", "__idiv__", "__ilshift__", "__iand__", - "__ior__", "__ixor__", "__irshift__", "__abs__", "__ipow__", "__imul__", "__itruediv__", - "__floordiv__", "__div__", "__divmod__", "__lshift__", "__and__" + "__add__", "__sub__", "__and__", "__or__", "__xor__", "__lshift__", "__rshift__", "__pow__", + "__mul__", "__div__", "__divmod__", "__truediv__", "__floordiv__", "__matmul__", "__radd__", + "__rsub__", "__rand__", "__ror__", "__rxor__", "__rlshift__", "__rrshift__", "__rpow__", + "__rmul__", "__rdiv__", "__rdivmod__", "__rtruediv__", "__rfloordiv__", "__rmatmul__", + "__iadd__", "__isub__", "__iand__", "__ior__", "__ixor__", "__ilshift__", "__irshift__", + "__ipow__", "__imul__", "__idiv__", "__idivmod__", "__itruediv__", "__ifloordiv__", + "__imatmul__", "__pos__", "__neg__", "__abs__", "__invert__", ] } From c0da9c407e12535984b98370f84a4f176bb17b34 Mon Sep 17 00:00:00 2001 From: Joe Farebrother Date: Fri, 25 Jul 2025 13:15:46 +0100 Subject: [PATCH 0098/1955] Fix typo in test dir name + update examples --- .../src/Functions/examples/IncorrectRaiseInSpecialMethod.py | 4 ++-- .../src/Functions/examples/IncorrectRaiseInSpecialMethod3.py | 2 +- .../IncorrectRaiseInSpecialMethod.expected | 0 .../IncorrectRaiseInSpecialMethod.qlref | 0 .../test.py | 0 5 files changed, 3 insertions(+), 3 deletions(-) rename python/ql/test/query-tests/Functions/{IncorrectRaiseInSpcialMethod => IncorrectRaiseInSpecialMethod}/IncorrectRaiseInSpecialMethod.expected (100%) rename python/ql/test/query-tests/Functions/{IncorrectRaiseInSpcialMethod => IncorrectRaiseInSpecialMethod}/IncorrectRaiseInSpecialMethod.qlref (100%) rename python/ql/test/query-tests/Functions/{IncorrectRaiseInSpcialMethod => IncorrectRaiseInSpecialMethod}/test.py (100%) diff --git a/python/ql/src/Functions/examples/IncorrectRaiseInSpecialMethod.py b/python/ql/src/Functions/examples/IncorrectRaiseInSpecialMethod.py index 77c623bef79..d565a86cab2 100644 --- a/python/ql/src/Functions/examples/IncorrectRaiseInSpecialMethod.py +++ b/python/ql/src/Functions/examples/IncorrectRaiseInSpecialMethod.py @@ -5,7 +5,7 @@ class A: def __add__(self, other): # BAD: Should return NotImplemented instead of raising if not isinstance(other,A): - raise TypeError(f"Cannot add A to {other.__type__}") + raise TypeError(f"Cannot add A to {other.__class__}") return A(self.a + other.a) class B: @@ -13,7 +13,7 @@ class B: self.a = a def __add__(self, other): - # GOOD: Returning NotImplemented allows for other classes to support adding do B. + # GOOD: Returning NotImplemented allows for the operation to fallback to other implementations to allow other classes to support adding to B. if not isinstance(other,B): return NotImplemented return B(self.a + other.a) diff --git a/python/ql/src/Functions/examples/IncorrectRaiseInSpecialMethod3.py b/python/ql/src/Functions/examples/IncorrectRaiseInSpecialMethod3.py index 84ce9d18d27..33541adc7e6 100644 --- a/python/ql/src/Functions/examples/IncorrectRaiseInSpecialMethod3.py +++ b/python/ql/src/Functions/examples/IncorrectRaiseInSpecialMethod3.py @@ -1,4 +1,4 @@ class D: def __hash__(self): # BAD: Use `__hash__ = None` instead. - raise NotImplementedError(f"{self.__type__} is unhashable.") \ No newline at end of file + raise NotImplementedError(f"{self.__class__} is unhashable.") \ No newline at end of file diff --git a/python/ql/test/query-tests/Functions/IncorrectRaiseInSpcialMethod/IncorrectRaiseInSpecialMethod.expected b/python/ql/test/query-tests/Functions/IncorrectRaiseInSpecialMethod/IncorrectRaiseInSpecialMethod.expected similarity index 100% rename from python/ql/test/query-tests/Functions/IncorrectRaiseInSpcialMethod/IncorrectRaiseInSpecialMethod.expected rename to python/ql/test/query-tests/Functions/IncorrectRaiseInSpecialMethod/IncorrectRaiseInSpecialMethod.expected diff --git a/python/ql/test/query-tests/Functions/IncorrectRaiseInSpcialMethod/IncorrectRaiseInSpecialMethod.qlref b/python/ql/test/query-tests/Functions/IncorrectRaiseInSpecialMethod/IncorrectRaiseInSpecialMethod.qlref similarity index 100% rename from python/ql/test/query-tests/Functions/IncorrectRaiseInSpcialMethod/IncorrectRaiseInSpecialMethod.qlref rename to python/ql/test/query-tests/Functions/IncorrectRaiseInSpecialMethod/IncorrectRaiseInSpecialMethod.qlref diff --git a/python/ql/test/query-tests/Functions/IncorrectRaiseInSpcialMethod/test.py b/python/ql/test/query-tests/Functions/IncorrectRaiseInSpecialMethod/test.py similarity index 100% rename from python/ql/test/query-tests/Functions/IncorrectRaiseInSpcialMethod/test.py rename to python/ql/test/query-tests/Functions/IncorrectRaiseInSpecialMethod/test.py From 358617f53365db5b808bc668f0aae704e56790c2 Mon Sep 17 00:00:00 2001 From: Napalys Klicius Date: Wed, 30 Jul 2025 09:49:04 +0000 Subject: [PATCH 0099/1955] Move CORS misconfiguration query from experimental to Security --- .../semmle/javascript/frameworks}/Apollo.qll | 0 .../semmle/javascript/frameworks}/Cors.qll | 0 .../CorsPermissiveConfigurationCustomizations.qll | 10 +++++----- .../security}/CorsPermissiveConfigurationQuery.qll | 0 .../CWE-942/CorsPermissiveConfiguration.qhelp | 0 .../Security/CWE-942/CorsPermissiveConfiguration.ql | 11 ++++++----- .../examples/CorsPermissiveConfigurationBad.js | 0 .../examples/CorsPermissiveConfigurationGood.js | 0 .../CWE-942/CorsPermissiveConfiguration.qlref | 1 - .../CWE-942/CorsPermissiveConfiguration.expected | 0 .../CWE-942/CorsPermissiveConfiguration.qlref | 1 + .../Security/CWE-942/apollo-test.js | 0 .../Security/CWE-942/express-test.js | 0 13 files changed, 12 insertions(+), 11 deletions(-) rename javascript/ql/{src/experimental/Security/CWE-942 => lib/semmle/javascript/frameworks}/Apollo.qll (100%) rename javascript/ql/{src/experimental/Security/CWE-942 => lib/semmle/javascript/frameworks}/Cors.qll (100%) rename javascript/ql/{src/experimental/Security/CWE-942 => lib/semmle/javascript/security}/CorsPermissiveConfigurationCustomizations.qll (94%) rename javascript/ql/{src/experimental/Security/CWE-942 => lib/semmle/javascript/security}/CorsPermissiveConfigurationQuery.qll (100%) rename javascript/ql/src/{experimental => }/Security/CWE-942/CorsPermissiveConfiguration.qhelp (100%) rename javascript/ql/src/{experimental => }/Security/CWE-942/CorsPermissiveConfiguration.ql (53%) rename javascript/ql/src/{experimental => }/Security/CWE-942/examples/CorsPermissiveConfigurationBad.js (100%) rename javascript/ql/src/{experimental => }/Security/CWE-942/examples/CorsPermissiveConfigurationGood.js (100%) delete mode 100644 javascript/ql/test/experimental/Security/CWE-942/CorsPermissiveConfiguration.qlref rename javascript/ql/test/{experimental => query-tests}/Security/CWE-942/CorsPermissiveConfiguration.expected (100%) create mode 100644 javascript/ql/test/query-tests/Security/CWE-942/CorsPermissiveConfiguration.qlref rename javascript/ql/test/{experimental => query-tests}/Security/CWE-942/apollo-test.js (100%) rename javascript/ql/test/{experimental => query-tests}/Security/CWE-942/express-test.js (100%) diff --git a/javascript/ql/src/experimental/Security/CWE-942/Apollo.qll b/javascript/ql/lib/semmle/javascript/frameworks/Apollo.qll similarity index 100% rename from javascript/ql/src/experimental/Security/CWE-942/Apollo.qll rename to javascript/ql/lib/semmle/javascript/frameworks/Apollo.qll diff --git a/javascript/ql/src/experimental/Security/CWE-942/Cors.qll b/javascript/ql/lib/semmle/javascript/frameworks/Cors.qll similarity index 100% rename from javascript/ql/src/experimental/Security/CWE-942/Cors.qll rename to javascript/ql/lib/semmle/javascript/frameworks/Cors.qll diff --git a/javascript/ql/src/experimental/Security/CWE-942/CorsPermissiveConfigurationCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/CorsPermissiveConfigurationCustomizations.qll similarity index 94% rename from javascript/ql/src/experimental/Security/CWE-942/CorsPermissiveConfigurationCustomizations.qll rename to javascript/ql/lib/semmle/javascript/security/CorsPermissiveConfigurationCustomizations.qll index 8876373a3d2..b642b98b35b 100644 --- a/javascript/ql/src/experimental/Security/CWE-942/CorsPermissiveConfigurationCustomizations.qll +++ b/javascript/ql/lib/semmle/javascript/security/CorsPermissiveConfigurationCustomizations.qll @@ -5,8 +5,8 @@ */ import javascript -import Cors::Cors -import Apollo::Apollo +private import semmle.javascript.frameworks.Apollo +private import semmle.javascript.frameworks.Cors /** Module containing sources, sinks, and sanitizers for overly permissive CORS configurations. */ module CorsPermissiveConfiguration { @@ -105,7 +105,7 @@ module CorsPermissiveConfiguration { */ class CorsApolloServer extends Sink, DataFlow::ValueNode { CorsApolloServer() { - exists(ApolloServer agql | + exists(Apollo::ApolloServer agql | this = agql.getOptionArgument(0, "cors").getALocalSource().getAPropertyWrite("origin").getRhs() ) @@ -125,7 +125,7 @@ module CorsPermissiveConfiguration { * An express route setup configured with the `cors` package. */ class CorsConfiguration extends DataFlow::MethodCallNode { - Cors corsConfig; + Cors::Cors corsConfig; CorsConfiguration() { exists(Express::RouteSetup setup | this = setup | @@ -136,6 +136,6 @@ module CorsPermissiveConfiguration { } /** Gets the expression that configures `cors` on this route setup. */ - Cors getCorsConfiguration() { result = corsConfig } + Cors::Cors getCorsConfiguration() { result = corsConfig } } } diff --git a/javascript/ql/src/experimental/Security/CWE-942/CorsPermissiveConfigurationQuery.qll b/javascript/ql/lib/semmle/javascript/security/CorsPermissiveConfigurationQuery.qll similarity index 100% rename from javascript/ql/src/experimental/Security/CWE-942/CorsPermissiveConfigurationQuery.qll rename to javascript/ql/lib/semmle/javascript/security/CorsPermissiveConfigurationQuery.qll diff --git a/javascript/ql/src/experimental/Security/CWE-942/CorsPermissiveConfiguration.qhelp b/javascript/ql/src/Security/CWE-942/CorsPermissiveConfiguration.qhelp similarity index 100% rename from javascript/ql/src/experimental/Security/CWE-942/CorsPermissiveConfiguration.qhelp rename to javascript/ql/src/Security/CWE-942/CorsPermissiveConfiguration.qhelp diff --git a/javascript/ql/src/experimental/Security/CWE-942/CorsPermissiveConfiguration.ql b/javascript/ql/src/Security/CWE-942/CorsPermissiveConfiguration.ql similarity index 53% rename from javascript/ql/src/experimental/Security/CWE-942/CorsPermissiveConfiguration.ql rename to javascript/ql/src/Security/CWE-942/CorsPermissiveConfiguration.ql index 87db66ad98d..05084202858 100644 --- a/javascript/ql/src/experimental/Security/CWE-942/CorsPermissiveConfiguration.ql +++ b/javascript/ql/src/Security/CWE-942/CorsPermissiveConfiguration.ql @@ -1,5 +1,5 @@ /** - * @name overly CORS configuration + * @name Permissive CORS configuration * @description Misconfiguration of CORS HTTP headers allows CSRF attacks. * @kind path-problem * @problem.severity error @@ -11,11 +11,12 @@ */ import javascript -import CorsPermissiveConfigurationQuery -import CorsPermissiveConfigurationFlow::PathGraph +import semmle.javascript.security.CorsPermissiveConfigurationQuery as CorsQuery +import CorsQuery::CorsPermissiveConfigurationFlow::PathGraph from - CorsPermissiveConfigurationFlow::PathNode source, CorsPermissiveConfigurationFlow::PathNode sink -where CorsPermissiveConfigurationFlow::flowPath(source, sink) + CorsQuery::CorsPermissiveConfigurationFlow::PathNode source, + CorsQuery::CorsPermissiveConfigurationFlow::PathNode sink +where CorsQuery::CorsPermissiveConfigurationFlow::flowPath(source, sink) select sink.getNode(), source, sink, "CORS Origin misconfiguration due to a $@.", source.getNode(), "too permissive or user controlled value" diff --git a/javascript/ql/src/experimental/Security/CWE-942/examples/CorsPermissiveConfigurationBad.js b/javascript/ql/src/Security/CWE-942/examples/CorsPermissiveConfigurationBad.js similarity index 100% rename from javascript/ql/src/experimental/Security/CWE-942/examples/CorsPermissiveConfigurationBad.js rename to javascript/ql/src/Security/CWE-942/examples/CorsPermissiveConfigurationBad.js diff --git a/javascript/ql/src/experimental/Security/CWE-942/examples/CorsPermissiveConfigurationGood.js b/javascript/ql/src/Security/CWE-942/examples/CorsPermissiveConfigurationGood.js similarity index 100% rename from javascript/ql/src/experimental/Security/CWE-942/examples/CorsPermissiveConfigurationGood.js rename to javascript/ql/src/Security/CWE-942/examples/CorsPermissiveConfigurationGood.js diff --git a/javascript/ql/test/experimental/Security/CWE-942/CorsPermissiveConfiguration.qlref b/javascript/ql/test/experimental/Security/CWE-942/CorsPermissiveConfiguration.qlref deleted file mode 100644 index 1e6a39679c0..00000000000 --- a/javascript/ql/test/experimental/Security/CWE-942/CorsPermissiveConfiguration.qlref +++ /dev/null @@ -1 +0,0 @@ -./experimental/Security/CWE-942/CorsPermissiveConfiguration.ql \ No newline at end of file diff --git a/javascript/ql/test/experimental/Security/CWE-942/CorsPermissiveConfiguration.expected b/javascript/ql/test/query-tests/Security/CWE-942/CorsPermissiveConfiguration.expected similarity index 100% rename from javascript/ql/test/experimental/Security/CWE-942/CorsPermissiveConfiguration.expected rename to javascript/ql/test/query-tests/Security/CWE-942/CorsPermissiveConfiguration.expected diff --git a/javascript/ql/test/query-tests/Security/CWE-942/CorsPermissiveConfiguration.qlref b/javascript/ql/test/query-tests/Security/CWE-942/CorsPermissiveConfiguration.qlref new file mode 100644 index 00000000000..4f4178905a2 --- /dev/null +++ b/javascript/ql/test/query-tests/Security/CWE-942/CorsPermissiveConfiguration.qlref @@ -0,0 +1 @@ +Security/CWE-942/CorsPermissiveConfiguration.ql \ No newline at end of file diff --git a/javascript/ql/test/experimental/Security/CWE-942/apollo-test.js b/javascript/ql/test/query-tests/Security/CWE-942/apollo-test.js similarity index 100% rename from javascript/ql/test/experimental/Security/CWE-942/apollo-test.js rename to javascript/ql/test/query-tests/Security/CWE-942/apollo-test.js diff --git a/javascript/ql/test/experimental/Security/CWE-942/express-test.js b/javascript/ql/test/query-tests/Security/CWE-942/express-test.js similarity index 100% rename from javascript/ql/test/experimental/Security/CWE-942/express-test.js rename to javascript/ql/test/query-tests/Security/CWE-942/express-test.js From 92daa7d42cd2835a00c5e17deea4cc1a44401112 Mon Sep 17 00:00:00 2001 From: Napalys Klicius Date: Wed, 30 Jul 2025 10:27:14 +0000 Subject: [PATCH 0100/1955] Updated suite expectations --- .../query-suite/javascript-code-scanning.qls.expected | 1 + .../query-suite/javascript-security-and-quality.qls.expected | 1 + .../query-suite/javascript-security-extended.qls.expected | 1 + .../integration-tests/query-suite/not_included_in_qls.expected | 1 - 4 files changed, 3 insertions(+), 1 deletion(-) diff --git a/javascript/ql/integration-tests/query-suite/javascript-code-scanning.qls.expected b/javascript/ql/integration-tests/query-suite/javascript-code-scanning.qls.expected index 652ac0ebc1b..0c417e661c7 100644 --- a/javascript/ql/integration-tests/query-suite/javascript-code-scanning.qls.expected +++ b/javascript/ql/integration-tests/query-suite/javascript-code-scanning.qls.expected @@ -83,5 +83,6 @@ ql/javascript/ql/src/Security/CWE-915/PrototypePollutingFunction.ql ql/javascript/ql/src/Security/CWE-915/PrototypePollutingMergeCall.ql ql/javascript/ql/src/Security/CWE-916/InsufficientPasswordHash.ql ql/javascript/ql/src/Security/CWE-918/RequestForgery.ql +ql/javascript/ql/src/Security/CWE-942/CorsPermissiveConfiguration.ql ql/javascript/ql/src/Summary/LinesOfCode.ql ql/javascript/ql/src/Summary/LinesOfUserCode.ql diff --git a/javascript/ql/integration-tests/query-suite/javascript-security-and-quality.qls.expected b/javascript/ql/integration-tests/query-suite/javascript-security-and-quality.qls.expected index dd587768308..f87cd2bf505 100644 --- a/javascript/ql/integration-tests/query-suite/javascript-security-and-quality.qls.expected +++ b/javascript/ql/integration-tests/query-suite/javascript-security-and-quality.qls.expected @@ -184,6 +184,7 @@ ql/javascript/ql/src/Security/CWE-915/PrototypePollutingMergeCall.ql ql/javascript/ql/src/Security/CWE-916/InsufficientPasswordHash.ql ql/javascript/ql/src/Security/CWE-918/ClientSideRequestForgery.ql ql/javascript/ql/src/Security/CWE-918/RequestForgery.ql +ql/javascript/ql/src/Security/CWE-942/CorsPermissiveConfiguration.ql ql/javascript/ql/src/Statements/DanglingElse.ql ql/javascript/ql/src/Statements/IgnoreArrayResult.ql ql/javascript/ql/src/Statements/InconsistentLoopOrientation.ql diff --git a/javascript/ql/integration-tests/query-suite/javascript-security-extended.qls.expected b/javascript/ql/integration-tests/query-suite/javascript-security-extended.qls.expected index 9b7cfd22ed6..ac5e0e2c498 100644 --- a/javascript/ql/integration-tests/query-suite/javascript-security-extended.qls.expected +++ b/javascript/ql/integration-tests/query-suite/javascript-security-extended.qls.expected @@ -99,5 +99,6 @@ ql/javascript/ql/src/Security/CWE-915/PrototypePollutingMergeCall.ql ql/javascript/ql/src/Security/CWE-916/InsufficientPasswordHash.ql ql/javascript/ql/src/Security/CWE-918/ClientSideRequestForgery.ql ql/javascript/ql/src/Security/CWE-918/RequestForgery.ql +ql/javascript/ql/src/Security/CWE-942/CorsPermissiveConfiguration.ql ql/javascript/ql/src/Summary/LinesOfCode.ql ql/javascript/ql/src/Summary/LinesOfUserCode.ql diff --git a/javascript/ql/integration-tests/query-suite/not_included_in_qls.expected b/javascript/ql/integration-tests/query-suite/not_included_in_qls.expected index 1b119f60c75..fa52a97a4e4 100644 --- a/javascript/ql/integration-tests/query-suite/not_included_in_qls.expected +++ b/javascript/ql/integration-tests/query-suite/not_included_in_qls.expected @@ -75,7 +75,6 @@ ql/javascript/ql/src/experimental/Security/CWE-347/decodeJwtWithoutVerificationL ql/javascript/ql/src/experimental/Security/CWE-444/InsecureHttpParser.ql ql/javascript/ql/src/experimental/Security/CWE-522-DecompressionBombs/DecompressionBombs.ql ql/javascript/ql/src/experimental/Security/CWE-918/SSRF.ql -ql/javascript/ql/src/experimental/Security/CWE-942/CorsPermissiveConfiguration.ql ql/javascript/ql/src/experimental/StandardLibrary/MultipleArgumentsToSetConstructor.ql ql/javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-020/UntrustedDataToExternalAPI.ql ql/javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-078/CommandInjection.ql From 95743d7109180c7076fe732c2e51ff1ee88d14ab Mon Sep 17 00:00:00 2001 From: Napalys Klicius Date: Wed, 30 Jul 2025 10:42:55 +0000 Subject: [PATCH 0101/1955] Added inline test expectations for cors permissive config --- .../Security/CWE-942/CorsPermissiveConfiguration.qlref | 3 ++- .../ql/test/query-tests/Security/CWE-942/apollo-test.js | 8 ++++---- .../ql/test/query-tests/Security/CWE-942/express-test.js | 6 +++--- 3 files changed, 9 insertions(+), 8 deletions(-) diff --git a/javascript/ql/test/query-tests/Security/CWE-942/CorsPermissiveConfiguration.qlref b/javascript/ql/test/query-tests/Security/CWE-942/CorsPermissiveConfiguration.qlref index 4f4178905a2..b38b30eb842 100644 --- a/javascript/ql/test/query-tests/Security/CWE-942/CorsPermissiveConfiguration.qlref +++ b/javascript/ql/test/query-tests/Security/CWE-942/CorsPermissiveConfiguration.qlref @@ -1 +1,2 @@ -Security/CWE-942/CorsPermissiveConfiguration.ql \ No newline at end of file +query: Security/CWE-942/CorsPermissiveConfiguration.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-942/apollo-test.js b/javascript/ql/test/query-tests/Security/CWE-942/apollo-test.js index f55d5dc2c3e..22019a72258 100644 --- a/javascript/ql/test/query-tests/Security/CWE-942/apollo-test.js +++ b/javascript/ql/test/query-tests/Security/CWE-942/apollo-test.js @@ -5,10 +5,10 @@ var https = require('https'), var server = https.createServer(function () { }); server.on('request', function (req, res) { - let user_origin = url.parse(req.url, true).query.origin; + let user_origin = url.parse(req.url, true).query.origin; // $ Source // BAD: CORS too permissive const server_1 = new ApolloServer({ - cors: { origin: true } + cors: { origin: true } // $ Alert }); // GOOD: restrictive CORS @@ -18,11 +18,11 @@ server.on('request', function (req, res) { // BAD: CORS too permissive const server_3 = new ApolloServer({ - cors: { origin: null } + cors: { origin: null } // $ Alert }); // BAD: CORS is controlled by user const server_4 = new ApolloServer({ - cors: { origin: user_origin } + cors: { origin: user_origin } // $ Alert }); }); \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-942/express-test.js b/javascript/ql/test/query-tests/Security/CWE-942/express-test.js index 3ad31a6a31a..9b21ed56873 100644 --- a/javascript/ql/test/query-tests/Security/CWE-942/express-test.js +++ b/javascript/ql/test/query-tests/Security/CWE-942/express-test.js @@ -7,7 +7,7 @@ var https = require('https'), var server = https.createServer(function () { }); server.on('request', function (req, res) { - let user_origin = url.parse(req.url, true).query.origin; + let user_origin = url.parse(req.url, true).query.origin; // $ Source // BAD: CORS too permissive, default value is * var app1 = express(); @@ -23,14 +23,14 @@ server.on('request', function (req, res) { // BAD: CORS too permissive var app3 = express(); var corsOption3 = { - origin: '*' + origin: '*' // $ Alert }; app3.use(cors(corsOption3)); // BAD: CORS is controlled by user var app4 = express(); var corsOption4 = { - origin: user_origin + origin: user_origin // $ Alert }; app4.use(cors(corsOption4)); }); \ No newline at end of file From 84ffbbec33cbff31393da847b815f2c56ae076c2 Mon Sep 17 00:00:00 2001 From: Napalys Klicius Date: Wed, 30 Jul 2025 10:51:38 +0000 Subject: [PATCH 0102/1955] Added missing doc strings --- .../security/CorsPermissiveConfigurationCustomizations.qll | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/javascript/ql/lib/semmle/javascript/security/CorsPermissiveConfigurationCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/CorsPermissiveConfigurationCustomizations.qll index b642b98b35b..4751ace2a60 100644 --- a/javascript/ql/lib/semmle/javascript/security/CorsPermissiveConfigurationCustomizations.qll +++ b/javascript/ql/lib/semmle/javascript/security/CorsPermissiveConfigurationCustomizations.qll @@ -26,6 +26,7 @@ module CorsPermissiveConfiguration { this = TWildcard() and result = "wildcard" } + /** DEPRECATED: Converts this flow state to a flow label. */ deprecated DataFlow::FlowLabel toFlowLabel() { this = TTaint() and result.isTaint() or @@ -37,6 +38,7 @@ module CorsPermissiveConfiguration { /** Predicates for working with flow states. */ module FlowState { + /** DEPRECATED: Gets a flow state from a flow label. */ deprecated FlowState fromFlowLabel(DataFlow::FlowLabel label) { result.toFlowLabel() = label } /** A tainted value. */ @@ -81,6 +83,7 @@ module CorsPermissiveConfiguration { TrueAndNull() { this = "TrueAndNull" } } + /** DEPRECATED: Gets a flow label representing `true` and `null` values. */ deprecated TrueAndNull truenullLabel() { any() } /** A flow label representing `*` value. */ @@ -88,6 +91,7 @@ module CorsPermissiveConfiguration { Wildcard() { this = "Wildcard" } } + /** DEPRECATED: Gets a flow label representing `*` value. */ deprecated Wildcard wildcardLabel() { any() } /** An overly permissive value for `origin` (Apollo) */ From af94ebe1fc65229b2589b2eba93d8263340c1d47 Mon Sep 17 00:00:00 2001 From: Joe Farebrother Date: Tue, 29 Jul 2025 14:16:16 +0100 Subject: [PATCH 0103/1955] Modernize attribute shadows subclass, Add cases for properties --- python/ql/src/Classes/SubclassShadowing.ql | 70 ++++++++++++------- .../SubclassShadowing.qlref | 3 +- .../subclass-shadowing/subclass_shadowing.py | 45 ++++++++---- 3 files changed, 81 insertions(+), 37 deletions(-) diff --git a/python/ql/src/Classes/SubclassShadowing.ql b/python/ql/src/Classes/SubclassShadowing.ql index 542cf31c76a..6e915250a54 100644 --- a/python/ql/src/Classes/SubclassShadowing.ql +++ b/python/ql/src/Classes/SubclassShadowing.ql @@ -17,31 +17,53 @@ * defined in a super-class */ -/* Need to find attributes defined in superclass (only in __init__?) */ import python +import semmle.python.ApiGraphs +import semmle.python.dataflow.new.internal.DataFlowDispatch -predicate shadowed_by_super_class( - ClassObject c, ClassObject supercls, Assign assign, FunctionObject f -) { - c.getASuperType() = supercls and - c.declaredAttribute(_) = f and - exists(FunctionObject init, Attribute attr | - supercls.declaredAttribute("__init__") = init and - attr = assign.getATarget() and - attr.getObject().(Name).getId() = "self" and - attr.getName() = f.getName() and - assign.getScope() = init.getOrigin().(FunctionExpr).getInnerScope() - ) and - /* - * It's OK if the super class defines the method as well. - * We assume that the original method must have been defined for a reason. - */ - - not supercls.hasAttribute(f.getName()) +predicate isSettableProperty(Function prop) { + isProperty(prop) and + exists(Function setter, DataFlow::AttrRead setterRead, FunctionExpr propExpr | + setterRead.asExpr() = setter.getADecorator() and + setterRead.getAttributeName() = "setter" and + propExpr.getInnerScope() = prop and + DataFlow::exprNode(propExpr).(DataFlow::LocalSourceNode).flowsTo(setterRead.getObject()) + ) } -from ClassObject c, ClassObject supercls, Assign assign, FunctionObject shadowed -where shadowed_by_super_class(c, supercls, assign, shadowed) -select shadowed.getOrigin(), - "Method " + shadowed.getName() + " is shadowed by an $@ in super class '" + supercls.getName() + - "'.", assign, "attribute" +predicate isProperty(Function prop) { + prop.getADecorator() = API::builtin("property").asSource().asExpr() +} + +predicate shadowedBySuperclass( + Class cls, Class superclass, DataFlow::AttrWrite write, Function shadowed +) { + getADirectSuperclass+(cls) = superclass and + shadowed = cls.getAMethod() and + exists(Function init | + init = superclass.getInitMethod() and + DataFlow::parameterNode(init.getArg(0)).(DataFlow::LocalSourceNode).flowsTo(write.getObject()) and + write.getAttributeName() = shadowed.getName() + ) and + // Allow cases in which the super class defines the method as well. + // We assume that the original method must have been defined for a reason. + not exists(Function superShadowed | + superShadowed = superclass.getAMethod() and + superShadowed.getName() = shadowed.getName() + ) and + // Allow properties if they have setters, as the write in the superclass will call the setter. + not isSettableProperty(shadowed) +} + +from Class cls, Class superclass, DataFlow::AttrWrite write, Function shadowed, string extra +where + shadowedBySuperclass(cls, superclass, write, shadowed) and + ( + if isProperty(shadowed) + then + not isSettableProperty(shadowed) and + extra = " (read-only property may cause an error if written to.)" + else extra = "" + ) +select shadowed, "This method is shadowed by $@ in superclass $@." + extra, write, + "attribute " + write.getAttributeName(), superclass, superclass.getName() diff --git a/python/ql/test/query-tests/Classes/subclass-shadowing/SubclassShadowing.qlref b/python/ql/test/query-tests/Classes/subclass-shadowing/SubclassShadowing.qlref index 5fed3f9f8fc..ab31ad285c5 100644 --- a/python/ql/test/query-tests/Classes/subclass-shadowing/SubclassShadowing.qlref +++ b/python/ql/test/query-tests/Classes/subclass-shadowing/SubclassShadowing.qlref @@ -1 +1,2 @@ -Classes/SubclassShadowing.ql +query: Classes/SubclassShadowing.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql \ No newline at end of file diff --git a/python/ql/test/query-tests/Classes/subclass-shadowing/subclass_shadowing.py b/python/ql/test/query-tests/Classes/subclass-shadowing/subclass_shadowing.py index 98e7f992e84..b9fcd975eb3 100644 --- a/python/ql/test/query-tests/Classes/subclass-shadowing/subclass_shadowing.py +++ b/python/ql/test/query-tests/Classes/subclass-shadowing/subclass_shadowing.py @@ -1,30 +1,51 @@ #Subclass shadowing -class Base(object): +# BAD: `shadow` method shadows attribute +class Base: def __init__(self): self.shadow = 4 class Derived(Base): - def shadow(self): + def shadow(self): # $ Alert pass -#OK if the super class defines the method as well. -#Since the original method must exist for some reason. -#See JSONEncoder.default for real example +# OK: Allow if superclass also shadows its own method, as this is likely intended. +# Example: stdlib JSONEncoder.default uses this pattern. +class Base2: -class Base2(object): + def __init__(self, default=None): + if default: + self.default = default - def __init__(self, shadowy=None): - if shadowy: - self.shadow = shadowy - - def shadow(self): + def default(self): pass class Derived2(Base2): - def shadow(self): + def default(self): # No alert return 0 + +# Properties + +class Base3: + def __init__(self): + self.foo = 1 + self.bar = 2 + +class Derived3(Base3): + # BAD: Write to foo in superclass init raises an error. + @property + def foo(self): # $ Alert + return 2 + + # OK: This property has a setter, so the write is OK. + @property + def bar(self): # No alert + return self._bar + + @bar.setter + def bar(self, val): + self._bar = val \ No newline at end of file From 796a6060b204a6cc243618606e38bb4bd4583721 Mon Sep 17 00:00:00 2001 From: Joe Farebrother Date: Wed, 30 Jul 2025 10:11:59 +0100 Subject: [PATCH 0104/1955] Exclude setters and update tests --- python/ql/src/Classes/SubclassShadowing.ql | 28 ++++++++++--------- .../SubclassShadowing.expected | 3 +- 2 files changed, 17 insertions(+), 14 deletions(-) diff --git a/python/ql/src/Classes/SubclassShadowing.ql b/python/ql/src/Classes/SubclassShadowing.ql index 6e915250a54..eab8520857b 100644 --- a/python/ql/src/Classes/SubclassShadowing.ql +++ b/python/ql/src/Classes/SubclassShadowing.ql @@ -12,22 +12,23 @@ * @id py/attribute-shadows-method */ -/* - * Determine if a class defines a method that is shadowed by an attribute - * defined in a super-class - */ - import python import semmle.python.ApiGraphs import semmle.python.dataflow.new.internal.DataFlowDispatch predicate isSettableProperty(Function prop) { isProperty(prop) and - exists(Function setter, DataFlow::AttrRead setterRead, FunctionExpr propExpr | - setterRead.asExpr() = setter.getADecorator() and - setterRead.getAttributeName() = "setter" and - propExpr.getInnerScope() = prop and - DataFlow::exprNode(propExpr).(DataFlow::LocalSourceNode).flowsTo(setterRead.getObject()) + exists(Function setter | + setter.getScope() = prop.getScope() and + setter.getName() = prop.getName() and + isSetter(setter) + ) +} + +predicate isSetter(Function f) { + exists(DataFlow::AttrRead attr | + f.getADecorator() = attr.asExpr() and + attr.getAttributeName() = "setter" ) } @@ -52,7 +53,8 @@ predicate shadowedBySuperclass( superShadowed.getName() = shadowed.getName() ) and // Allow properties if they have setters, as the write in the superclass will call the setter. - not isSettableProperty(shadowed) + not isSettableProperty(shadowed) and + not isSetter(shadowed) } from Class cls, Class superclass, DataFlow::AttrWrite write, Function shadowed, string extra @@ -61,8 +63,8 @@ where ( if isProperty(shadowed) then - not isSettableProperty(shadowed) and - extra = " (read-only property may cause an error if written to.)" + // it's not a setter, so it's a read-only property + extra = " (read-only property may cause an error if written to in the superclass.)" else extra = "" ) select shadowed, "This method is shadowed by $@ in superclass $@." + extra, write, diff --git a/python/ql/test/query-tests/Classes/subclass-shadowing/SubclassShadowing.expected b/python/ql/test/query-tests/Classes/subclass-shadowing/SubclassShadowing.expected index caad71a9a31..3852b977a22 100644 --- a/python/ql/test/query-tests/Classes/subclass-shadowing/SubclassShadowing.expected +++ b/python/ql/test/query-tests/Classes/subclass-shadowing/SubclassShadowing.expected @@ -1 +1,2 @@ -| subclass_shadowing.py:10:5:10:21 | FunctionExpr | Method shadow is shadowed by an $@ in super class 'Base'. | subclass_shadowing.py:6:9:6:23 | AssignStmt | attribute | +| subclass_shadowing.py:11:5:11:21 | Function shadow | This method is shadowed by $@ in superclass $@. | subclass_shadowing.py:7:9:7:19 | ControlFlowNode for Attribute | attribute shadow | subclass_shadowing.py:4:1:4:11 | Class Base | Base | +| subclass_shadowing.py:41:5:41:18 | Function foo | This method is shadowed by $@ in superclass $@. (read-only property may cause an error if written to.) | subclass_shadowing.py:35:9:35:16 | ControlFlowNode for Attribute | attribute foo | subclass_shadowing.py:33:1:33:12 | Class Base3 | Base3 | From 34317d2d4ad66e2f5cd33a10a92389116ef5a2f1 Mon Sep 17 00:00:00 2001 From: Joe Farebrother Date: Wed, 30 Jul 2025 13:24:43 +0100 Subject: [PATCH 0105/1955] Update documentation --- python/ql/src/Classes/SubclassShadowing.py | 20 ++++--------- python/ql/src/Classes/SubclassShadowing.qhelp | 30 ++++++++++++------- 2 files changed, 26 insertions(+), 24 deletions(-) diff --git a/python/ql/src/Classes/SubclassShadowing.py b/python/ql/src/Classes/SubclassShadowing.py index 617db3c58e0..4699b58d7e4 100644 --- a/python/ql/src/Classes/SubclassShadowing.py +++ b/python/ql/src/Classes/SubclassShadowing.py @@ -1,17 +1,9 @@ -class Mammal(object): - - def __init__(self, milk = 0): - self.milk = milk - - -class Cow(Mammal): - +class A: def __init__(self): - Mammal.__init__(self) + self._foo = 3 - def milk(self): - return "Milk" - -#Cow().milk() will raise an error as Cow().milk is the 'milk' attribute -#set in Mammal.__init__, not the 'milk' method defined on Cow. +class B: + # BAD: _foo is shadowed by attribute A._foo + def _foo(self): + return 2 diff --git a/python/ql/src/Classes/SubclassShadowing.qhelp b/python/ql/src/Classes/SubclassShadowing.qhelp index 90daa9a992a..c0a82012af3 100644 --- a/python/ql/src/Classes/SubclassShadowing.qhelp +++ b/python/ql/src/Classes/SubclassShadowing.qhelp @@ -3,25 +3,35 @@ "qhelp.dtd"> -

    Subclass shadowing occurs when an instance attribute of a superclass has the -the same name as a method of a subclass, or vice-versa. -The semantics of Python attribute look-up mean that the instance attribute of -the superclass hides the method in the subclass. +

    +When an object has an attribute that shares the same name a method on the object's class (or another class attribute), the instance attribute is +prioritized during attribute lookup, shadowing the method. + +If a method on a subclass is shadowed by an attribute on a superclass in this way, this may lead to unexpected results or errors, as this +shadowing behavior is nonlocal and may be unintended.

    -

    Rename the method in the subclass or rename the attribute in the superclass.

    +

    +Ensure method names on subclasses don't conflict with attribute names on superclasses, and rename one. +If the shadowing behavior is intended, ensure this is explicit in the superclass. +

     -

    The following code includes an example of subclass shadowing. When you call Cow().milk() -an error is raised because Cow().milk is interpreted as the 'milk' attribute set in -Mammal.__init__, not the 'milk' method defined within Cow. This can be fixed -by changing the name of either the 'milk' attribute or the 'milk' method.

    +

    +In the following example, the _foo attribute of class A shadows the method _foo of class B. +Calls to B()._foo() will result in a TypeError, as 3 will be called instead. +

    + + + +

    +In the following example... +

    -     From 2516f9452e8b725f923c8834bc3ad65c3bd2886f Mon Sep 17 00:00:00 2001 From: Joe Farebrother Date: Wed, 30 Jul 2025 15:17:19 +0100 Subject: [PATCH 0106/1955] Move to subfolder --- .../src/Classes/{ => SubclassShadowing}/SubclassShadowing.qhelp | 2 +- .../ql/src/Classes/{ => SubclassShadowing}/SubclassShadowing.ql | 0 .../examples/SubclassShadowingGood.py} | 0 .../Classes/subclass-shadowing/SubclassShadowing.qlref | 2 +- 4 files changed, 2 insertions(+), 2 deletions(-) rename python/ql/src/Classes/{ => SubclassShadowing}/SubclassShadowing.qhelp (95%) rename python/ql/src/Classes/{ => SubclassShadowing}/SubclassShadowing.ql (100%) rename python/ql/src/Classes/{SubclassShadowing.py => SubclassShadowing/examples/SubclassShadowingGood.py} (100%) diff --git a/python/ql/src/Classes/SubclassShadowing.qhelp b/python/ql/src/Classes/SubclassShadowing/SubclassShadowing.qhelp similarity index 95% rename from python/ql/src/Classes/SubclassShadowing.qhelp rename to python/ql/src/Classes/SubclassShadowing/SubclassShadowing.qhelp index c0a82012af3..acbcae65318 100644 --- a/python/ql/src/Classes/SubclassShadowing.qhelp +++ b/python/ql/src/Classes/SubclassShadowing/SubclassShadowing.qhelp @@ -26,7 +26,7 @@ In the following example, the _foo attribute of class AB()._foo() will result in a TypeError, as 3 will be called instead.

    - +

    In the following example... diff --git a/python/ql/src/Classes/SubclassShadowing.ql b/python/ql/src/Classes/SubclassShadowing/SubclassShadowing.ql similarity index 100% rename from python/ql/src/Classes/SubclassShadowing.ql rename to python/ql/src/Classes/SubclassShadowing/SubclassShadowing.ql diff --git a/python/ql/src/Classes/SubclassShadowing.py b/python/ql/src/Classes/SubclassShadowing/examples/SubclassShadowingGood.py similarity index 100% rename from python/ql/src/Classes/SubclassShadowing.py rename to python/ql/src/Classes/SubclassShadowing/examples/SubclassShadowingGood.py diff --git a/python/ql/test/query-tests/Classes/subclass-shadowing/SubclassShadowing.qlref b/python/ql/test/query-tests/Classes/subclass-shadowing/SubclassShadowing.qlref index ab31ad285c5..5205014a3d5 100644 --- a/python/ql/test/query-tests/Classes/subclass-shadowing/SubclassShadowing.qlref +++ b/python/ql/test/query-tests/Classes/subclass-shadowing/SubclassShadowing.qlref @@ -1,2 +1,2 @@ -query: Classes/SubclassShadowing.ql +query: Classes/SubclassShadowing/SubclassShadowing.ql postprocess: utils/test/InlineExpectationsTestQuery.ql \ No newline at end of file From 63577f0cca1f9346390c46a34893468172f6c4d5 Mon Sep 17 00:00:00 2001 From: Joe Farebrother Date: Wed, 30 Jul 2025 15:52:26 +0100 Subject: [PATCH 0107/1955] Add extra example --- .../SubclassShadowing/SubclassShadowing.qhelp | 6 ++++-- .../examples/SubclassShadowingBad.py | 9 +++++++++ .../examples/SubclassShadowingGood.py | 20 ++++++++++++------- 3 files changed, 26 insertions(+), 9 deletions(-) create mode 100644 python/ql/src/Classes/SubclassShadowing/examples/SubclassShadowingBad.py diff --git a/python/ql/src/Classes/SubclassShadowing/SubclassShadowing.qhelp b/python/ql/src/Classes/SubclassShadowing/SubclassShadowing.qhelp index acbcae65318..5345d2c9178 100644 --- a/python/ql/src/Classes/SubclassShadowing/SubclassShadowing.qhelp +++ b/python/ql/src/Classes/SubclassShadowing/SubclassShadowing.qhelp @@ -26,12 +26,14 @@ In the following example, the _foo attribute of class AB()._foo() will result in a TypeError, as 3 will be called instead.

    - +

    -In the following example... +In the following example, the behavior of the default attribute being shadowed to allow for customization during initialization is +intended in within the superclass A. Overriding default in the subclass B is then OK.

    +     diff --git a/python/ql/src/Classes/SubclassShadowing/examples/SubclassShadowingBad.py b/python/ql/src/Classes/SubclassShadowing/examples/SubclassShadowingBad.py new file mode 100644 index 00000000000..4699b58d7e4 --- /dev/null +++ b/python/ql/src/Classes/SubclassShadowing/examples/SubclassShadowingBad.py @@ -0,0 +1,9 @@ +class A: + def __init__(self): + self._foo = 3 + +class B: + # BAD: _foo is shadowed by attribute A._foo + def _foo(self): + return 2 + diff --git a/python/ql/src/Classes/SubclassShadowing/examples/SubclassShadowingGood.py b/python/ql/src/Classes/SubclassShadowing/examples/SubclassShadowingGood.py index 4699b58d7e4..8fca041176c 100644 --- a/python/ql/src/Classes/SubclassShadowing/examples/SubclassShadowingGood.py +++ b/python/ql/src/Classes/SubclassShadowing/examples/SubclassShadowingGood.py @@ -1,9 +1,15 @@ class A: - def __init__(self): - self._foo = 3 - -class B: - # BAD: _foo is shadowed by attribute A._foo - def _foo(self): - return 2 + def __init__(self, default_func=None): + if default_func is not None: + self.default = default_func + # GOOD: The shadowing behavior is explicitly intended in the superclass. + def default(self): + return [] + +class B(A): + + # Subclasses may override the method `default`, which will still be shadowed by the attribute `default` if it is set. + # As this is part of the expected behavior of the superclass, this is fine. + def default(self): + return {} \ No newline at end of file From 1efc09bbba4c408652544404054a5de0b4cdaff1 Mon Sep 17 00:00:00 2001 From: Joe Farebrother Date: Wed, 30 Jul 2025 15:54:39 +0100 Subject: [PATCH 0108/1955] Update integration tests --- .../query-suite/python-code-quality-extended.qls.expected | 2 +- .../query-suite/python-code-quality.qls.expected | 2 +- .../query-suite/python-security-and-quality.qls.expected | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/python/ql/integration-tests/query-suite/python-code-quality-extended.qls.expected b/python/ql/integration-tests/query-suite/python-code-quality-extended.qls.expected index 960972c508c..bb44ee105b5 100644 --- a/python/ql/integration-tests/query-suite/python-code-quality-extended.qls.expected +++ b/python/ql/integration-tests/query-suite/python-code-quality-extended.qls.expected @@ -6,7 +6,7 @@ ql/python/ql/src/Classes/InitCallsSubclass/InitCallsSubclassMethod.ql ql/python/ql/src/Classes/MissingCallToDel.ql ql/python/ql/src/Classes/MissingCallToInit.ql ql/python/ql/src/Classes/MutatingDescriptor.ql -ql/python/ql/src/Classes/SubclassShadowing.ql +ql/python/ql/src/Classes/SubclassShadowing/SubclassShadowing.ql ql/python/ql/src/Classes/SuperclassDelCalledMultipleTimes.ql ql/python/ql/src/Classes/SuperclassInitCalledMultipleTimes.ql ql/python/ql/src/Classes/WrongNameForArgumentInClassInstantiation.ql diff --git a/python/ql/integration-tests/query-suite/python-code-quality.qls.expected b/python/ql/integration-tests/query-suite/python-code-quality.qls.expected index 960972c508c..bb44ee105b5 100644 --- a/python/ql/integration-tests/query-suite/python-code-quality.qls.expected +++ b/python/ql/integration-tests/query-suite/python-code-quality.qls.expected @@ -6,7 +6,7 @@ ql/python/ql/src/Classes/InitCallsSubclass/InitCallsSubclassMethod.ql ql/python/ql/src/Classes/MissingCallToDel.ql ql/python/ql/src/Classes/MissingCallToInit.ql ql/python/ql/src/Classes/MutatingDescriptor.ql -ql/python/ql/src/Classes/SubclassShadowing.ql +ql/python/ql/src/Classes/SubclassShadowing/SubclassShadowing.ql ql/python/ql/src/Classes/SuperclassDelCalledMultipleTimes.ql ql/python/ql/src/Classes/SuperclassInitCalledMultipleTimes.ql ql/python/ql/src/Classes/WrongNameForArgumentInClassInstantiation.ql diff --git a/python/ql/integration-tests/query-suite/python-security-and-quality.qls.expected b/python/ql/integration-tests/query-suite/python-security-and-quality.qls.expected index 170d9f442f9..8799990b86e 100644 --- a/python/ql/integration-tests/query-suite/python-security-and-quality.qls.expected +++ b/python/ql/integration-tests/query-suite/python-security-and-quality.qls.expected @@ -11,7 +11,7 @@ ql/python/ql/src/Classes/MutatingDescriptor.ql ql/python/ql/src/Classes/OverwritingAttributeInSuperClass.ql ql/python/ql/src/Classes/PropertyInOldStyleClass.ql ql/python/ql/src/Classes/SlotsInOldStyleClass.ql -ql/python/ql/src/Classes/SubclassShadowing.ql +ql/python/ql/src/Classes/SubclassShadowing/SubclassShadowing.ql ql/python/ql/src/Classes/SuperInOldStyleClass.ql ql/python/ql/src/Classes/SuperclassDelCalledMultipleTimes.ql ql/python/ql/src/Classes/SuperclassInitCalledMultipleTimes.ql From 71a6b22815ef97b581de675470a6a128fe922667 Mon Sep 17 00:00:00 2001 From: Joe Farebrother Date: Thu, 31 Jul 2025 06:05:25 +0100 Subject: [PATCH 0109/1955] Update python/ql/src/Classes/SubclassShadowing/examples/SubclassShadowingBad.py Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- .../Classes/SubclassShadowing/examples/SubclassShadowingBad.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/python/ql/src/Classes/SubclassShadowing/examples/SubclassShadowingBad.py b/python/ql/src/Classes/SubclassShadowing/examples/SubclassShadowingBad.py index 4699b58d7e4..00a221760b4 100644 --- a/python/ql/src/Classes/SubclassShadowing/examples/SubclassShadowingBad.py +++ b/python/ql/src/Classes/SubclassShadowing/examples/SubclassShadowingBad.py @@ -2,7 +2,7 @@ class A: def __init__(self): self._foo = 3 -class B: +class B(A): # BAD: _foo is shadowed by attribute A._foo def _foo(self): return 2 From 79d1deb28d0927a51b9909a24c59778dcd4bc325 Mon Sep 17 00:00:00 2001 From: Joe Farebrother Date: Thu, 31 Jul 2025 06:05:48 +0100 Subject: [PATCH 0110/1955] Update python/ql/src/Classes/SubclassShadowing/SubclassShadowing.ql Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- python/ql/src/Classes/SubclassShadowing/SubclassShadowing.ql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/python/ql/src/Classes/SubclassShadowing/SubclassShadowing.ql b/python/ql/src/Classes/SubclassShadowing/SubclassShadowing.ql index eab8520857b..39a320f75ac 100644 --- a/python/ql/src/Classes/SubclassShadowing/SubclassShadowing.ql +++ b/python/ql/src/Classes/SubclassShadowing/SubclassShadowing.ql @@ -64,7 +64,7 @@ where if isProperty(shadowed) then // it's not a setter, so it's a read-only property - extra = " (read-only property may cause an error if written to in the superclass.)" + extra = " (read-only property may cause an error if written to in the superclass)" else extra = "" ) select shadowed, "This method is shadowed by $@ in superclass $@." + extra, write, From fd4233e30edc5b828c53f1b4b8cfe76becf154b3 Mon Sep 17 00:00:00 2001 From: Napalys Klicius Date: Thu, 31 Jul 2025 10:53:03 +0200 Subject: [PATCH 0111/1955] Moved apollo modeling to MaD --- javascript/ql/lib/ext/apollo-server.model.yml | 12 +++++++ .../semmle/javascript/frameworks/Apollo.qll | 36 ------------------- ...sPermissiveConfigurationCustomizations.qll | 4 +-- 3 files changed, 14 insertions(+), 38 deletions(-) delete mode 100644 javascript/ql/lib/semmle/javascript/frameworks/Apollo.qll diff --git a/javascript/ql/lib/ext/apollo-server.model.yml b/javascript/ql/lib/ext/apollo-server.model.yml index ffceb6a6d5a..5962b8ee7d0 100644 --- a/javascript/ql/lib/ext/apollo-server.model.yml +++ b/javascript/ql/lib/ext/apollo-server.model.yml @@ -5,6 +5,12 @@ extensions: data: - ["@apollo/server", "Member[ApolloServer,ApolloServerBase].Argument[0].AnyMember.AnyMember.AnyMember.Parameter[1]", "remote"] + - addsTo: + pack: codeql/javascript-all + extensible: sinkModel + data: + - ["@apollo/server", "Member[gql].Argument[0]", "sql-injection"] + - addsTo: pack: codeql/javascript-all extensible: typeModel @@ -13,3 +19,9 @@ extensions: - ["@apollo/server", "apollo-server-express", ""] - ["@apollo/server", "apollo-server-core", ""] - ["@apollo/server", "apollo-server", ""] + - ["@apollo/server", "@apollo/apollo-server-express", ""] + - ["@apollo/server", "apollo-server-express", ""] + - ["@apollo/server", "@apollo/server", ""] + - ["@apollo/server", "@apollo/apollo-server-core", ""] + - ["ApolloServer", "@apollo/server", "Member[ApolloServer]"] + - ["GraphQLApollo", "@apollo/server", "Member[gql]"] diff --git a/javascript/ql/lib/semmle/javascript/frameworks/Apollo.qll b/javascript/ql/lib/semmle/javascript/frameworks/Apollo.qll deleted file mode 100644 index 983c0a8ac89..00000000000 --- a/javascript/ql/lib/semmle/javascript/frameworks/Apollo.qll +++ /dev/null @@ -1,36 +0,0 @@ -/** - * Provides classes for working with Apollo GraphQL connectors. - */ - -import javascript - -/** Provides classes modeling the apollo packages [@apollo/server](https://npmjs.com/package/@apollo/server`) */ -module Apollo { - /** Get a reference to the `ApolloServer` class. */ - private API::Node apollo() { - result = - API::moduleImport([ - "@apollo/server", "@apollo/apollo-server-express", "@apollo/apollo-server-core", - "apollo-server", "apollo-server-express" - ]).getMember("ApolloServer") - } - - /** Gets a reference to the `gql` function that parses GraphQL strings. */ - private API::Node gql() { - result = - API::moduleImport([ - "@apollo/server", "@apollo/apollo-server-express", "@apollo/apollo-server-core", - "apollo-server", "apollo-server-express" - ]).getMember("gql") - } - - /** An instantiation of an `ApolloServer`. */ - class ApolloServer extends API::NewNode { - ApolloServer() { this = apollo().getAnInstantiation() } - } - - /** A string that is interpreted as a GraphQL query by a `apollo` package. */ - private class ApolloGraphQLString extends GraphQL::GraphQLString { - ApolloGraphQLString() { this = gql().getACall().getArgument(0) } - } -} diff --git a/javascript/ql/lib/semmle/javascript/security/CorsPermissiveConfigurationCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/CorsPermissiveConfigurationCustomizations.qll index 4751ace2a60..a504f66ba22 100644 --- a/javascript/ql/lib/semmle/javascript/security/CorsPermissiveConfigurationCustomizations.qll +++ b/javascript/ql/lib/semmle/javascript/security/CorsPermissiveConfigurationCustomizations.qll @@ -5,7 +5,6 @@ */ import javascript -private import semmle.javascript.frameworks.Apollo private import semmle.javascript.frameworks.Cors /** Module containing sources, sinks, and sanitizers for overly permissive CORS configurations. */ @@ -109,7 +108,8 @@ module CorsPermissiveConfiguration { */ class CorsApolloServer extends Sink, DataFlow::ValueNode { CorsApolloServer() { - exists(Apollo::ApolloServer agql | + exists(API::NewNode agql | + agql = ModelOutput::getATypeNode("ApolloServer").getAnInstantiation() and this = agql.getOptionArgument(0, "cors").getALocalSource().getAPropertyWrite("origin").getRhs() ) From 2baca58b278827703fd803889555c71b5bd05a8e Mon Sep 17 00:00:00 2001 From: Napalys Klicius Date: Thu, 31 Jul 2025 11:08:22 +0200 Subject: [PATCH 0112/1955] Removed deprecations from cors as it was moved out experimental --- ...sPermissiveConfigurationCustomizations.qll | 33 ------------------- .../CorsPermissiveConfigurationQuery.qll | 28 ---------------- 2 files changed, 61 deletions(-) diff --git a/javascript/ql/lib/semmle/javascript/security/CorsPermissiveConfigurationCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/CorsPermissiveConfigurationCustomizations.qll index a504f66ba22..583847ab0d9 100644 --- a/javascript/ql/lib/semmle/javascript/security/CorsPermissiveConfigurationCustomizations.qll +++ b/javascript/ql/lib/semmle/javascript/security/CorsPermissiveConfigurationCustomizations.qll @@ -24,22 +24,10 @@ module CorsPermissiveConfiguration { or this = TWildcard() and result = "wildcard" } - - /** DEPRECATED: Converts this flow state to a flow label. */ - deprecated DataFlow::FlowLabel toFlowLabel() { - this = TTaint() and result.isTaint() - or - this = TTrueOrNull() and result instanceof TrueAndNull - or - this = TWildcard() and result instanceof Wildcard - } } /** Predicates for working with flow states. */ module FlowState { - /** DEPRECATED: Gets a flow state from a flow label. */ - deprecated FlowState fromFlowLabel(DataFlow::FlowLabel label) { result.toFlowLabel() = label } - /** A tainted value. */ FlowState taint() { result = TTaint() } @@ -65,11 +53,6 @@ module CorsPermissiveConfiguration { */ abstract class Sanitizer extends DataFlow::Node { } - /** - * DEPRECATED: Use `ActiveThreatModelSource` from Concepts instead! - */ - deprecated class RemoteFlowSourceAsSource = ActiveThreatModelSourceAsSource; - /** * An active threat-model source, considered as a flow source. */ @@ -77,22 +60,6 @@ module CorsPermissiveConfiguration { ActiveThreatModelSourceAsSource() { not this instanceof ClientSideRemoteFlowSource } } - /** A flow label representing `true` and `null` values. */ - abstract deprecated class TrueAndNull extends DataFlow::FlowLabel { - TrueAndNull() { this = "TrueAndNull" } - } - - /** DEPRECATED: Gets a flow label representing `true` and `null` values. */ - deprecated TrueAndNull truenullLabel() { any() } - - /** A flow label representing `*` value. */ - abstract deprecated class Wildcard extends DataFlow::FlowLabel { - Wildcard() { this = "Wildcard" } - } - - /** DEPRECATED: Gets a flow label representing `*` value. */ - deprecated Wildcard wildcardLabel() { any() } - /** An overly permissive value for `origin` (Apollo) */ class TrueNullValue extends Source { TrueNullValue() { this.mayHaveBooleanValue(true) or this.asExpr() instanceof NullLiteral } diff --git a/javascript/ql/lib/semmle/javascript/security/CorsPermissiveConfigurationQuery.qll b/javascript/ql/lib/semmle/javascript/security/CorsPermissiveConfigurationQuery.qll index 3605a1adaa9..0db678e43af 100644 --- a/javascript/ql/lib/semmle/javascript/security/CorsPermissiveConfigurationQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/CorsPermissiveConfigurationQuery.qll @@ -39,31 +39,3 @@ module CorsPermissiveConfigurationConfig implements DataFlow::StateConfigSig { module CorsPermissiveConfigurationFlow = TaintTracking::GlobalWithState; - -/** - * DEPRECATED. Use the `CorsPermissiveConfigurationFlow` module instead. - */ -deprecated class Configuration extends TaintTracking::Configuration { - Configuration() { this = "CorsPermissiveConfiguration" } - - override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) { - CorsPermissiveConfigurationConfig::isSource(source, FlowState::fromFlowLabel(label)) - } - - override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) { - CorsPermissiveConfigurationConfig::isSink(sink, FlowState::fromFlowLabel(label)) - } - - override predicate isSanitizer(DataFlow::Node node) { - super.isSanitizer(node) or - CorsPermissiveConfigurationConfig::isBarrier(node) - } -} - -deprecated private class WildcardActivated extends DataFlow::FlowLabel, Wildcard { - WildcardActivated() { this = this } -} - -deprecated private class TrueAndNullActivated extends DataFlow::FlowLabel, TrueAndNull { - TrueAndNullActivated() { this = this } -} From 791a7e242e5ca1e9ad68c21a49cd76730bdb0370 Mon Sep 17 00:00:00 2001 From: Napalys Klicius Date: Thu, 31 Jul 2025 11:31:10 +0200 Subject: [PATCH 0113/1955] Updated qhelp for cors permissive configuration --- .../CWE-942/CorsPermissiveConfiguration.qhelp | 92 ++++++++++--------- 1 file changed, 47 insertions(+), 45 deletions(-) diff --git a/javascript/ql/src/Security/CWE-942/CorsPermissiveConfiguration.qhelp b/javascript/ql/src/Security/CWE-942/CorsPermissiveConfiguration.qhelp index fc79eee743b..04796dfbc18 100644 --- a/javascript/ql/src/Security/CWE-942/CorsPermissiveConfiguration.qhelp +++ b/javascript/ql/src/Security/CWE-942/CorsPermissiveConfiguration.qhelp @@ -3,69 +3,71 @@ "qhelp.dtd"> - -

    + +

    - A server can use CORS (Cross-Origin Resource Sharing) to relax the - restrictions imposed by the SOP (Same-Origin Policy), allowing controlled, secure - cross-origin requests when necessary. + A server can use CORS (Cross-Origin Resource Sharing) to relax the + restrictions imposed by the Same-Origin Policy, allowing controlled, secure + cross-origin requests when necessary. - A server with an overly permissive CORS configuration may inadvertently - expose sensitive data or lead to CSRF which is an attack that allows attackers to trick - users into performing unwanted operations in websites they're authenticated to. +

    +

    -

    + A server with an overly permissive CORS configuration may inadvertently + expose sensitive data or enable CSRF attacks, which allow attackers to trick + users into performing unwanted operations on websites they're authenticated to. -     +

    + - -

    + +

    - When the origin is set to true, it signifies that the server - is accepting requests from any origin, potentially exposing the system to - CSRF attacks. This can be fixed using false as origin value or using a whitelist. + When the origin is set to true, the server + accepts requests from any origin, potentially exposing the system to + CSRF attacks. Use false as the origin value or implement a whitelist + of allowed origins instead. -

    -

    +

    +

    - On the other hand, if the origin is - set to null, it can be exploited by an attacker to deceive a user into making - requests from a null origin form, often hosted within a sandboxed iframe. + When the origin is set to null, it can be + exploited by an attacker who can deceive a user into making + requests from a null origin, often hosted within a sandboxed iframe. -

    +

    +

    -

    + If the origin value is user-controlled, ensure that the data + is properly sanitized and validated against a whitelist of allowed origins. - If the origin value is user controlled, make sure that the data - is properly sanitized. +

    +     -

    -     + +

    - -

    + In the following example, server_1 accepts requests from any origin + because the value of origin is set to true. + server_2 uses user-controlled data for the origin without validation. - In the example below, the server_1 accepts requests from any origin - since the value of origin is set to true. - And server_2's origin is user-controlled. +

    -

    + - +

    -

    + To fix these issues, server_1 uses a restrictive CORS configuration + that is not vulnerable to CSRF attacks. server_2 properly validates + user-controlled data against a whitelist before using it. - In the example below, the server_1 CORS is restrictive so it's not - vulnerable to CSRF attacks. And server_2's is using properly sanitized - user-controlled data. +

    -

    + +     - - - - -
  • Mozilla Developer Network: CORS, Access-Control-Allow-Origin.
    • -
  • W3C: CORS for developers, Advice for Resource Owners
    • -     + +
  • Mozilla Developer Network: CORS, Access-Control-Allow-Origin.
    • +
  • W3C: CORS for developers, Advice for Resource Owners.
    • +     From 5f538209c9954662d30a946bcab75435474bf551 Mon Sep 17 00:00:00 2001 From: Napalys Klicius Date: Thu, 31 Jul 2025 12:09:30 +0200 Subject: [PATCH 0114/1955] Exlucde environmental variables from default detection in regexp injection --- .../RegExpInjectionCustomizations.qll | 26 ++++++++++++++----- .../Security/CWE-730/RegExpInjection.expected | 4 --- .../Security/CWE-730/RegExpInjection.js | 2 +- 3 files changed, 21 insertions(+), 11 deletions(-) diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/RegExpInjectionCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/RegExpInjectionCustomizations.qll index 1c056935d40..5ee39219d26 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/RegExpInjectionCustomizations.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/RegExpInjectionCustomizations.qll @@ -5,6 +5,7 @@ */ import javascript +private import codeql.threatmodels.ThreatModels module RegExpInjection { /** @@ -32,19 +33,32 @@ module RegExpInjection { /** * An active threat-model source, considered as a flow source. + * Excludes environment variables by default - they require the "environment" threat model. */ private class ActiveThreatModelSourceAsSource extends Source instanceof ActiveThreatModelSource { - ActiveThreatModelSourceAsSource() { not this.isClientSideSource() } + ActiveThreatModelSourceAsSource() { + not this.isClientSideSource() and + not this.(ThreatModelSource).getThreatModel() = "environment" + } } - private import IndirectCommandInjectionCustomizations + /** + * Environment variables as a source when the "environment" threat model is active. + */ + private class EnvironmentVariableAsSource extends Source instanceof ThreatModelSource { + EnvironmentVariableAsSource() { + this.getThreatModel() = "environment" and + currentThreatModel("environment") + } + + override string describe() { result = "environment variable" } + } /** - * A read of `process.env`, `process.argv`, and similar, considered as a flow source for regular - * expression injection. + * Command line arguments as a source for regular expression injection. */ - class ArgvAsSource extends Source instanceof IndirectCommandInjection::Source { - override string describe() { result = IndirectCommandInjection::Source.super.describe() } + private class CommandLineArgumentAsSource extends Source instanceof CommandLineArguments { + override string describe() { result = "command-line argument" } } /** diff --git a/javascript/ql/test/query-tests/Security/CWE-730/RegExpInjection.expected b/javascript/ql/test/query-tests/Security/CWE-730/RegExpInjection.expected index 06926c487ef..07225ec763e 100644 --- a/javascript/ql/test/query-tests/Security/CWE-730/RegExpInjection.expected +++ b/javascript/ql/test/query-tests/Security/CWE-730/RegExpInjection.expected @@ -14,7 +14,6 @@ | RegExpInjection.js:49:14:49:52 | key.spl ... in("-") | RegExpInjection.js:5:13:5:28 | req.param("key") | RegExpInjection.js:49:14:49:52 | key.spl ... in("-") | This regular expression is constructed from a $@. | RegExpInjection.js:5:13:5:28 | req.param("key") | user-provided value | | RegExpInjection.js:59:14:59:18 | input | RegExpInjection.js:55:39:55:56 | req.param("input") | RegExpInjection.js:59:14:59:18 | input | This regular expression is constructed from a $@. | RegExpInjection.js:55:39:55:56 | req.param("input") | user-provided value | | RegExpInjection.js:82:14:82:55 | "^.*\\.( ... + ")$" | RegExpInjection.js:77:15:77:32 | req.param("input") | RegExpInjection.js:82:14:82:55 | "^.*\\.( ... + ")$" | This regular expression is constructed from a $@. | RegExpInjection.js:77:15:77:32 | req.param("input") | user-provided value | -| RegExpInjection.js:86:16:86:50 | `^${pro ... r.app$` | RegExpInjection.js:86:20:86:30 | process.env | RegExpInjection.js:86:16:86:50 | `^${pro ... r.app$` | This regular expression is constructed from a $@. | RegExpInjection.js:86:20:86:30 | process.env | environment variable | | RegExpInjection.js:88:16:88:49 | `^${pro ... r.app$` | RegExpInjection.js:88:20:88:31 | process.argv | RegExpInjection.js:88:16:88:49 | `^${pro ... r.app$` | This regular expression is constructed from a $@. | RegExpInjection.js:88:20:88:31 | process.argv | command-line argument | | RegExpInjection.js:95:14:95:22 | sanitized | RegExpInjection.js:92:15:92:32 | req.param("input") | RegExpInjection.js:95:14:95:22 | sanitized | This regular expression is constructed from a $@. | RegExpInjection.js:92:15:92:32 | req.param("input") | user-provided value | | tst.js:6:16:6:35 | "^"+ data.name + "$" | tst.js:5:16:5:29 | req.query.data | tst.js:6:16:6:35 | "^"+ data.name + "$" | This regular expression is constructed from a $@. | tst.js:5:16:5:29 | req.query.data | user-provided value | @@ -57,7 +56,6 @@ edges | RegExpInjection.js:77:15:77:32 | req.param("input") | RegExpInjection.js:77:7:77:32 | input | provenance | | | RegExpInjection.js:82:25:82:29 | input | RegExpInjection.js:82:25:82:48 | input.r ... g, "\|") | provenance | | | RegExpInjection.js:82:25:82:48 | input.r ... g, "\|") | RegExpInjection.js:82:14:82:55 | "^.*\\.( ... + ")$" | provenance | | -| RegExpInjection.js:86:20:86:30 | process.env | RegExpInjection.js:86:16:86:50 | `^${pro ... r.app$` | provenance | | | RegExpInjection.js:88:20:88:31 | process.argv | RegExpInjection.js:88:16:88:49 | `^${pro ... r.app$` | provenance | | | RegExpInjection.js:92:7:92:32 | input | RegExpInjection.js:94:19:94:23 | input | provenance | | | RegExpInjection.js:92:15:92:32 | req.param("input") | RegExpInjection.js:92:7:92:32 | input | provenance | | @@ -109,8 +107,6 @@ nodes | RegExpInjection.js:82:14:82:55 | "^.*\\.( ... + ")$" | semmle.label | "^.*\\.( ... + ")$" | | RegExpInjection.js:82:25:82:29 | input | semmle.label | input | | RegExpInjection.js:82:25:82:48 | input.r ... g, "\|") | semmle.label | input.r ... g, "\|") | -| RegExpInjection.js:86:16:86:50 | `^${pro ... r.app$` | semmle.label | `^${pro ... r.app$` | -| RegExpInjection.js:86:20:86:30 | process.env | semmle.label | process.env | | RegExpInjection.js:88:16:88:49 | `^${pro ... r.app$` | semmle.label | `^${pro ... r.app$` | | RegExpInjection.js:88:20:88:31 | process.argv | semmle.label | process.argv | | RegExpInjection.js:92:7:92:32 | input | semmle.label | input | diff --git a/javascript/ql/test/query-tests/Security/CWE-730/RegExpInjection.js b/javascript/ql/test/query-tests/Security/CWE-730/RegExpInjection.js index 2aa73c80877..8a5fa557c19 100644 --- a/javascript/ql/test/query-tests/Security/CWE-730/RegExpInjection.js +++ b/javascript/ql/test/query-tests/Security/CWE-730/RegExpInjection.js @@ -83,7 +83,7 @@ app.get('/has-sanitizer', function(req, res) { }); app.get("argv", function(req, res) { - new RegExp(`^${process.env.HOME}/Foo/bar.app$`); // $ Alert[js/regex-injection] + new RegExp(`^${process.env.HOME}/Foo/bar.app$`); // environment variable, should be detected only with threat model enabled. new RegExp(`^${process.argv[1]}/Foo/bar.app$`); // $ Alert[js/regex-injection] }); From 021aa13ee2d544de36bcb26f16857c9c085401d2 Mon Sep 17 00:00:00 2001 From: Napalys Klicius Date: Thu, 31 Jul 2025 12:45:34 +0200 Subject: [PATCH 0115/1955] Added change note --- .../change-notes/2025-07-31-cors-move-out-of-experimental.md | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 javascript/ql/src/change-notes/2025-07-31-cors-move-out-of-experimental.md diff --git a/javascript/ql/src/change-notes/2025-07-31-cors-move-out-of-experimental.md b/javascript/ql/src/change-notes/2025-07-31-cors-move-out-of-experimental.md new file mode 100644 index 00000000000..112fb0c628f --- /dev/null +++ b/javascript/ql/src/change-notes/2025-07-31-cors-move-out-of-experimental.md @@ -0,0 +1,4 @@ +--- +category: minorAnalysis +--- +* The query "CORS misconfiguration" (`js/cors-misconfiguration`) has been promoted from experimental and is now part of the default security suite. From 8583257574311191dc8d293aa0132024c95a7613 Mon Sep 17 00:00:00 2001 From: Napalys Klicius Date: Thu, 31 Jul 2025 12:24:32 +0200 Subject: [PATCH 0116/1955] Created new folder for test with threat models disabled --- .../CWE-730/{ => Threat-models-disabled}/RegExpInjection.expected | 0 .../CWE-730/{ => Threat-models-disabled}/RegExpInjection.js | 0 .../CWE-730/{ => Threat-models-disabled}/RegExpInjection.qlref | 0 .../CWE-730/{ => Threat-models-disabled}/RegExpInjectionGood.js | 0 .../CWE-730/{ => Threat-models-disabled}/ServerCrash.expected | 0 .../CWE-730/{ => Threat-models-disabled}/ServerCrash.qlref | 0 .../Security/CWE-730/{ => Threat-models-disabled}/client-side.js | 0 .../Security/CWE-730/{ => Threat-models-disabled}/search.js | 0 .../Security/CWE-730/{ => Threat-models-disabled}/server-crash.js | 0 .../Security/CWE-730/{ => Threat-models-disabled}/tst.js | 0 10 files changed, 0 insertions(+), 0 deletions(-) rename javascript/ql/test/query-tests/Security/CWE-730/{ => Threat-models-disabled}/RegExpInjection.expected (100%) rename javascript/ql/test/query-tests/Security/CWE-730/{ => Threat-models-disabled}/RegExpInjection.js (100%) rename javascript/ql/test/query-tests/Security/CWE-730/{ => Threat-models-disabled}/RegExpInjection.qlref (100%) rename javascript/ql/test/query-tests/Security/CWE-730/{ => Threat-models-disabled}/RegExpInjectionGood.js (100%) rename javascript/ql/test/query-tests/Security/CWE-730/{ => Threat-models-disabled}/ServerCrash.expected (100%) rename javascript/ql/test/query-tests/Security/CWE-730/{ => Threat-models-disabled}/ServerCrash.qlref (100%) rename javascript/ql/test/query-tests/Security/CWE-730/{ => Threat-models-disabled}/client-side.js (100%) rename javascript/ql/test/query-tests/Security/CWE-730/{ => Threat-models-disabled}/search.js (100%) rename javascript/ql/test/query-tests/Security/CWE-730/{ => Threat-models-disabled}/server-crash.js (100%) rename javascript/ql/test/query-tests/Security/CWE-730/{ => Threat-models-disabled}/tst.js (100%) diff --git a/javascript/ql/test/query-tests/Security/CWE-730/RegExpInjection.expected b/javascript/ql/test/query-tests/Security/CWE-730/Threat-models-disabled/RegExpInjection.expected similarity index 100% rename from javascript/ql/test/query-tests/Security/CWE-730/RegExpInjection.expected rename to javascript/ql/test/query-tests/Security/CWE-730/Threat-models-disabled/RegExpInjection.expected diff --git a/javascript/ql/test/query-tests/Security/CWE-730/RegExpInjection.js b/javascript/ql/test/query-tests/Security/CWE-730/Threat-models-disabled/RegExpInjection.js similarity index 100% rename from javascript/ql/test/query-tests/Security/CWE-730/RegExpInjection.js rename to javascript/ql/test/query-tests/Security/CWE-730/Threat-models-disabled/RegExpInjection.js diff --git a/javascript/ql/test/query-tests/Security/CWE-730/RegExpInjection.qlref b/javascript/ql/test/query-tests/Security/CWE-730/Threat-models-disabled/RegExpInjection.qlref similarity index 100% rename from javascript/ql/test/query-tests/Security/CWE-730/RegExpInjection.qlref rename to javascript/ql/test/query-tests/Security/CWE-730/Threat-models-disabled/RegExpInjection.qlref diff --git a/javascript/ql/test/query-tests/Security/CWE-730/RegExpInjectionGood.js b/javascript/ql/test/query-tests/Security/CWE-730/Threat-models-disabled/RegExpInjectionGood.js similarity index 100% rename from javascript/ql/test/query-tests/Security/CWE-730/RegExpInjectionGood.js rename to javascript/ql/test/query-tests/Security/CWE-730/Threat-models-disabled/RegExpInjectionGood.js diff --git a/javascript/ql/test/query-tests/Security/CWE-730/ServerCrash.expected b/javascript/ql/test/query-tests/Security/CWE-730/Threat-models-disabled/ServerCrash.expected similarity index 100% rename from javascript/ql/test/query-tests/Security/CWE-730/ServerCrash.expected rename to javascript/ql/test/query-tests/Security/CWE-730/Threat-models-disabled/ServerCrash.expected diff --git a/javascript/ql/test/query-tests/Security/CWE-730/ServerCrash.qlref b/javascript/ql/test/query-tests/Security/CWE-730/Threat-models-disabled/ServerCrash.qlref similarity index 100% rename from javascript/ql/test/query-tests/Security/CWE-730/ServerCrash.qlref rename to javascript/ql/test/query-tests/Security/CWE-730/Threat-models-disabled/ServerCrash.qlref diff --git a/javascript/ql/test/query-tests/Security/CWE-730/client-side.js b/javascript/ql/test/query-tests/Security/CWE-730/Threat-models-disabled/client-side.js similarity index 100% rename from javascript/ql/test/query-tests/Security/CWE-730/client-side.js rename to javascript/ql/test/query-tests/Security/CWE-730/Threat-models-disabled/client-side.js diff --git a/javascript/ql/test/query-tests/Security/CWE-730/search.js b/javascript/ql/test/query-tests/Security/CWE-730/Threat-models-disabled/search.js similarity index 100% rename from javascript/ql/test/query-tests/Security/CWE-730/search.js rename to javascript/ql/test/query-tests/Security/CWE-730/Threat-models-disabled/search.js diff --git a/javascript/ql/test/query-tests/Security/CWE-730/server-crash.js b/javascript/ql/test/query-tests/Security/CWE-730/Threat-models-disabled/server-crash.js similarity index 100% rename from javascript/ql/test/query-tests/Security/CWE-730/server-crash.js rename to javascript/ql/test/query-tests/Security/CWE-730/Threat-models-disabled/server-crash.js diff --git a/javascript/ql/test/query-tests/Security/CWE-730/tst.js b/javascript/ql/test/query-tests/Security/CWE-730/Threat-models-disabled/tst.js similarity index 100% rename from javascript/ql/test/query-tests/Security/CWE-730/tst.js rename to javascript/ql/test/query-tests/Security/CWE-730/Threat-models-disabled/tst.js From d28a6e6352c76bc1097ed72832c56c5778716ad5 Mon Sep 17 00:00:00 2001 From: Napalys Klicius Date: Thu, 31 Jul 2025 12:25:31 +0200 Subject: [PATCH 0117/1955] Added new test cases for regexp injection with enviromental variable threat model enabled --- .../RegExpInjection.expected | 34 +++++++++++++++++++ .../RegExpInjection.ext.yml | 6 ++++ .../Threat-models-enabled/RegExpInjection.js | 22 ++++++++++++ .../RegExpInjection.qlref | 2 ++ 4 files changed, 64 insertions(+) create mode 100644 javascript/ql/test/query-tests/Security/CWE-730/Threat-models-enabled/RegExpInjection.expected create mode 100644 javascript/ql/test/query-tests/Security/CWE-730/Threat-models-enabled/RegExpInjection.ext.yml create mode 100644 javascript/ql/test/query-tests/Security/CWE-730/Threat-models-enabled/RegExpInjection.js create mode 100644 javascript/ql/test/query-tests/Security/CWE-730/Threat-models-enabled/RegExpInjection.qlref diff --git a/javascript/ql/test/query-tests/Security/CWE-730/Threat-models-enabled/RegExpInjection.expected b/javascript/ql/test/query-tests/Security/CWE-730/Threat-models-enabled/RegExpInjection.expected new file mode 100644 index 00000000000..95c1c0df9eb --- /dev/null +++ b/javascript/ql/test/query-tests/Security/CWE-730/Threat-models-enabled/RegExpInjection.expected @@ -0,0 +1,34 @@ +#select +| RegExpInjection.js:6:14:6:48 | `^${pro ... r.app$` | RegExpInjection.js:6:18:6:28 | process.env | RegExpInjection.js:6:14:6:48 | `^${pro ... r.app$` | This regular expression is constructed from a $@. | RegExpInjection.js:6:18:6:28 | process.env | environment variable | +| RegExpInjection.js:8:14:8:40 | `^${pro ... }/bin$` | RegExpInjection.js:8:18:8:28 | process.env | RegExpInjection.js:8:14:8:40 | `^${pro ... }/bin$` | This regular expression is constructed from a $@. | RegExpInjection.js:8:18:8:28 | process.env | environment variable | +| RegExpInjection.js:11:14:11:19 | envVar | RegExpInjection.js:10:16:10:26 | process.env | RegExpInjection.js:11:14:11:19 | envVar | This regular expression is constructed from a $@. | RegExpInjection.js:10:16:10:26 | process.env | environment variable | +| RegExpInjection.js:14:14:14:47 | `^${pro ... r.app$` | RegExpInjection.js:14:18:14:29 | process.argv | RegExpInjection.js:14:14:14:47 | `^${pro ... r.app$` | This regular expression is constructed from a $@. | RegExpInjection.js:14:18:14:29 | process.argv | command-line argument | +| RegExpInjection.js:17:14:17:17 | argv | RegExpInjection.js:16:14:16:25 | process.argv | RegExpInjection.js:17:14:17:17 | argv | This regular expression is constructed from a $@. | RegExpInjection.js:16:14:16:25 | process.argv | command-line argument | +| RegExpInjection.js:21:14:21:22 | userInput | RegExpInjection.js:20:19:20:36 | req.param("input") | RegExpInjection.js:21:14:21:22 | userInput | This regular expression is constructed from a $@. | RegExpInjection.js:20:19:20:36 | req.param("input") | user-provided value | +edges +| RegExpInjection.js:6:18:6:28 | process.env | RegExpInjection.js:6:14:6:48 | `^${pro ... r.app$` | provenance | | +| RegExpInjection.js:8:18:8:28 | process.env | RegExpInjection.js:8:14:8:40 | `^${pro ... }/bin$` | provenance | | +| RegExpInjection.js:10:7:10:35 | envVar | RegExpInjection.js:11:14:11:19 | envVar | provenance | | +| RegExpInjection.js:10:16:10:26 | process.env | RegExpInjection.js:10:7:10:35 | envVar | provenance | | +| RegExpInjection.js:14:18:14:29 | process.argv | RegExpInjection.js:14:14:14:47 | `^${pro ... r.app$` | provenance | | +| RegExpInjection.js:16:7:16:28 | argv | RegExpInjection.js:17:14:17:17 | argv | provenance | | +| RegExpInjection.js:16:14:16:25 | process.argv | RegExpInjection.js:16:7:16:28 | argv | provenance | | +| RegExpInjection.js:20:7:20:36 | userInput | RegExpInjection.js:21:14:21:22 | userInput | provenance | | +| RegExpInjection.js:20:19:20:36 | req.param("input") | RegExpInjection.js:20:7:20:36 | userInput | provenance | | +nodes +| RegExpInjection.js:6:14:6:48 | `^${pro ... r.app$` | semmle.label | `^${pro ... r.app$` | +| RegExpInjection.js:6:18:6:28 | process.env | semmle.label | process.env | +| RegExpInjection.js:8:14:8:40 | `^${pro ... }/bin$` | semmle.label | `^${pro ... }/bin$` | +| RegExpInjection.js:8:18:8:28 | process.env | semmle.label | process.env | +| RegExpInjection.js:10:7:10:35 | envVar | semmle.label | envVar | +| RegExpInjection.js:10:16:10:26 | process.env | semmle.label | process.env | +| RegExpInjection.js:11:14:11:19 | envVar | semmle.label | envVar | +| RegExpInjection.js:14:14:14:47 | `^${pro ... r.app$` | semmle.label | `^${pro ... r.app$` | +| RegExpInjection.js:14:18:14:29 | process.argv | semmle.label | process.argv | +| RegExpInjection.js:16:7:16:28 | argv | semmle.label | argv | +| RegExpInjection.js:16:14:16:25 | process.argv | semmle.label | process.argv | +| RegExpInjection.js:17:14:17:17 | argv | semmle.label | argv | +| RegExpInjection.js:20:7:20:36 | userInput | semmle.label | userInput | +| RegExpInjection.js:20:19:20:36 | req.param("input") | semmle.label | req.param("input") | +| RegExpInjection.js:21:14:21:22 | userInput | semmle.label | userInput | +subpaths diff --git a/javascript/ql/test/query-tests/Security/CWE-730/Threat-models-enabled/RegExpInjection.ext.yml b/javascript/ql/test/query-tests/Security/CWE-730/Threat-models-enabled/RegExpInjection.ext.yml new file mode 100644 index 00000000000..cd28c6d9717 --- /dev/null +++ b/javascript/ql/test/query-tests/Security/CWE-730/Threat-models-enabled/RegExpInjection.ext.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/threat-models + extensible: threatModelConfiguration + data: + - ["environment", true, 0] diff --git a/javascript/ql/test/query-tests/Security/CWE-730/Threat-models-enabled/RegExpInjection.js b/javascript/ql/test/query-tests/Security/CWE-730/Threat-models-enabled/RegExpInjection.js new file mode 100644 index 00000000000..28736678d8c --- /dev/null +++ b/javascript/ql/test/query-tests/Security/CWE-730/Threat-models-enabled/RegExpInjection.js @@ -0,0 +1,22 @@ +var express = require('express'); +var app = express(); + +app.get('/test-environment', function(req, res) { + // Environment variables should be detected when "environment" threat model is enabled + new RegExp(`^${process.env.HOME}/Foo/bar.app$`); // $ Alert[js/regex-injection] + + new RegExp(`^${process.env.PATH}/bin$`); // $ Alert[js/regex-injection] + + var envVar = process.env.NODE_ENV; // $ Source[js/regex-injection] + new RegExp(envVar); // $ Alert[js/regex-injection] + + // Command line arguments should still be detected + new RegExp(`^${process.argv[1]}/Foo/bar.app$`); // $ Alert[js/regex-injection] + + var argv = process.argv[2]; // $ Source[js/regex-injection] + new RegExp(argv); // $ Alert[js/regex-injection] + + // Regular user input should still be detected + var userInput = req.param("input"); // $ Source[js/regex-injection] + new RegExp(userInput); // $ Alert[js/regex-injection] +}); diff --git a/javascript/ql/test/query-tests/Security/CWE-730/Threat-models-enabled/RegExpInjection.qlref b/javascript/ql/test/query-tests/Security/CWE-730/Threat-models-enabled/RegExpInjection.qlref new file mode 100644 index 00000000000..2bf1a8eee36 --- /dev/null +++ b/javascript/ql/test/query-tests/Security/CWE-730/Threat-models-enabled/RegExpInjection.qlref @@ -0,0 +1,2 @@ +query: Security/CWE-730/RegExpInjection.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql From 3f9061abdbb20c1a42da631ddc9e90924db6b290 Mon Sep 17 00:00:00 2001 From: Napalys Klicius Date: Thu, 31 Jul 2025 12:33:16 +0200 Subject: [PATCH 0118/1955] Added change note --- .../change-notes/2025-07-31-regexp-injection-threat-model.md | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 javascript/ql/src/change-notes/2025-07-31-regexp-injection-threat-model.md diff --git a/javascript/ql/src/change-notes/2025-07-31-regexp-injection-threat-model.md b/javascript/ql/src/change-notes/2025-07-31-regexp-injection-threat-model.md new file mode 100644 index 00000000000..f87e1007765 --- /dev/null +++ b/javascript/ql/src/change-notes/2025-07-31-regexp-injection-threat-model.md @@ -0,0 +1,4 @@ +--- +category: minorAnalysis +--- +* The `js/regex-injection` query no longer considers environment variables as sources by default. Environment variables can be re-enabled as sources by setting the threat model to include the "environment" category. From e8eb9be3f603576da02c6b57551c8cad1557b1eb Mon Sep 17 00:00:00 2001 From: Napalys Klicius Date: Fri, 1 Aug 2025 11:02:59 +0200 Subject: [PATCH 0119/1955] Add command injection tests for CLI argument parsing libraries --- .../CommandInjection/command-line-libs.js | 41 +++++++++++++++++++ 1 file changed, 41 insertions(+) create mode 100644 javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/command-line-libs.js diff --git a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/command-line-libs.js b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/command-line-libs.js new file mode 100644 index 00000000000..c5621354d91 --- /dev/null +++ b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/command-line-libs.js @@ -0,0 +1,41 @@ +import express from 'express'; +import { Command } from 'commander'; +import { exec } from 'child_process'; +import arg from 'arg'; +const app = express(); +app.use(express.json()); + +app.post('/Command', (req, res) => { + const args = req.body.args || []; // $ MISSING: Source + const program = new Command(); + program.option('--cmd ', 'Command to execute'); + program.parse(args, { from: 'user' }); + const options = program.opts(); + exec(options.cmd); // $ MISSING: Alert +}); + +app.post('/arg', (req, res) => { + const argsArray = req.body.args || []; // $ MISSING: Source + const parsed = arg({ '--cmd': String }, { argv: argsArray }); + exec(parsed['--cmd']); // $ MISSING: Alert +}); + +app.post('/commandLineArgs', (req, res) => { + const commandLineArgs = require('command-line-args'); + const optionDefinitions = [{ name: 'cmd', type: String }]; + const options = commandLineArgs(optionDefinitions, { argv: req.body.args || [] }); // $ MISSING: Source + if (!options.cmd) return res.status(400).send({ error: 'Missing --cmd' }); + exec(options.cmd); // $ MISSING: Alert +}); + +app.post('/yargs', (req, res) => { + const yargs = require('yargs/yargs'); + const args = req.body.args || []; // $ MISSING: Source + const parsed = yargs(args).option('cmd', { + type: 'string', + describe: 'Command to execute', + demandOption: true + }).parse(); + + exec(parsed.cmd); // $ MISSING: Alert +}); From e980798eded71a6a8703ba7e4d164deb9e780ff2 Mon Sep 17 00:00:00 2001 From: Napalys Klicius Date: Fri, 1 Aug 2025 12:01:30 +0200 Subject: [PATCH 0120/1955] Added step through yargs/yargs constructor and chained methods. --- .../frameworks/CommandLineArguments.qll | 13 +++++++++++-- .../CommandInjection/CommandInjection.expected | 18 ++++++++++++++++++ .../CommandInjection/command-line-libs.js | 4 ++-- 3 files changed, 31 insertions(+), 4 deletions(-) diff --git a/javascript/ql/lib/semmle/javascript/frameworks/CommandLineArguments.qll b/javascript/ql/lib/semmle/javascript/frameworks/CommandLineArguments.qll index 50beb04b887..8fff526b2bd 100644 --- a/javascript/ql/lib/semmle/javascript/frameworks/CommandLineArguments.qll +++ b/javascript/ql/lib/semmle/javascript/frameworks/CommandLineArguments.qll @@ -87,11 +87,18 @@ private class ArgsParseStep extends TaintTracking::SharedTaintStep { override predicate step(DataFlow::Node pred, DataFlow::Node succ) { exists(DataFlow::CallNode call | call = DataFlow::moduleMember("args", "parse").getACall() or - call = DataFlow::moduleImport(["yargs-parser", "minimist", "subarg"]).getACall() + call = + DataFlow::moduleImport(["yargs-parser", "minimist", "subarg", "yargs/yargs", "yargs"]) + .getACall() | succ = call and pred = call.getArgument(0) ) + or + exists(DataFlow::MethodCallNode methodCall | methodCall = yargs() | + pred = methodCall.getReceiver() and + succ = methodCall + ) } } @@ -115,7 +122,9 @@ private API::Node commander() { * Either directly imported as a module, or through some chained method call. */ private DataFlow::SourceNode yargs() { - result = DataFlow::moduleImport("yargs") + result = DataFlow::moduleImport(["yargs", "yargs/yargs"]) + or + result = DataFlow::moduleImport(["yargs", "yargs/yargs"]).getACall() or // script used to generate list of chained methods: https://gist.github.com/erik-krogh/f8afe952c0577f4b563a993e613269ba exists(string method | diff --git a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/CommandInjection.expected b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/CommandInjection.expected index 22394ec4cb8..4c21013e8f0 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/CommandInjection.expected +++ b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/CommandInjection.expected @@ -21,6 +21,7 @@ | child_process-test.js:75:29:75:31 | cmd | child_process-test.js:73:25:73:31 | req.url | child_process-test.js:75:29:75:31 | cmd | This command line depends on a $@. | child_process-test.js:73:25:73:31 | req.url | user-provided value | | child_process-test.js:83:19:83:36 | req.query.fileName | child_process-test.js:83:19:83:36 | req.query.fileName | child_process-test.js:83:19:83:36 | req.query.fileName | This command line depends on a $@. | child_process-test.js:83:19:83:36 | req.query.fileName | user-provided value | | child_process-test.js:94:11:94:35 | "ping " ... ms.host | child_process-test.js:94:21:94:30 | ctx.params | child_process-test.js:94:11:94:35 | "ping " ... ms.host | This command line depends on a $@. | child_process-test.js:94:21:94:30 | ctx.params | user-provided value | +| command-line-libs.js:40:8:40:17 | parsed.cmd | command-line-libs.js:33:16:33:23 | req.body | command-line-libs.js:40:8:40:17 | parsed.cmd | This command line depends on a $@. | command-line-libs.js:33:16:33:23 | req.body | user-provided value | | exec-sh2.js:10:12:10:57 | cp.spaw ... ptions) | exec-sh2.js:14:25:14:31 | req.url | exec-sh2.js:10:40:10:46 | command | This command line depends on a $@. | exec-sh2.js:14:25:14:31 | req.url | user-provided value | | exec-sh.js:15:12:15:61 | cp.spaw ... ptions) | exec-sh.js:19:25:19:31 | req.url | exec-sh.js:15:44:15:50 | command | This command line depends on a $@. | exec-sh.js:19:25:19:31 | req.url | user-provided value | | execSeries.js:14:41:14:47 | command | execSeries.js:18:34:18:40 | req.url | execSeries.js:14:41:14:47 | command | This command line depends on a $@. | execSeries.js:18:34:18:40 | req.url | user-provided value | @@ -116,6 +117,14 @@ edges | child_process-test.js:73:15:73:38 | url.par ... , true) | child_process-test.js:73:9:73:49 | cmd | provenance | | | child_process-test.js:73:25:73:31 | req.url | child_process-test.js:73:15:73:38 | url.par ... , true) | provenance | | | child_process-test.js:94:21:94:30 | ctx.params | child_process-test.js:94:11:94:35 | "ping " ... ms.host | provenance | | +| command-line-libs.js:33:9:33:34 | args | command-line-libs.js:34:24:34:27 | args | provenance | | +| command-line-libs.js:33:16:33:23 | req.body | command-line-libs.js:33:9:33:34 | args | provenance | | +| command-line-libs.js:34:9:38:12 | parsed | command-line-libs.js:40:8:40:13 | parsed | provenance | | +| command-line-libs.js:34:18:34:28 | yargs(args) | command-line-libs.js:34:18:38:4 | yargs(a ... ue\\n }) | provenance | | +| command-line-libs.js:34:18:38:4 | yargs(a ... ue\\n }) | command-line-libs.js:34:18:38:12 | yargs(a ... parse() | provenance | | +| command-line-libs.js:34:18:38:12 | yargs(a ... parse() | command-line-libs.js:34:9:38:12 | parsed | provenance | | +| command-line-libs.js:34:24:34:27 | args | command-line-libs.js:34:18:34:28 | yargs(args) | provenance | | +| command-line-libs.js:40:8:40:13 | parsed | command-line-libs.js:40:8:40:17 | parsed.cmd | provenance | | | exec-sh2.js:9:17:9:23 | command | exec-sh2.js:10:40:10:46 | command | provenance | | | exec-sh2.js:14:9:14:49 | cmd | exec-sh2.js:15:12:15:14 | cmd | provenance | | | exec-sh2.js:14:15:14:38 | url.par ... , true) | exec-sh2.js:14:9:14:49 | cmd | provenance | | @@ -269,6 +278,15 @@ nodes | child_process-test.js:83:19:83:36 | req.query.fileName | semmle.label | req.query.fileName | | child_process-test.js:94:11:94:35 | "ping " ... ms.host | semmle.label | "ping " ... ms.host | | child_process-test.js:94:21:94:30 | ctx.params | semmle.label | ctx.params | +| command-line-libs.js:33:9:33:34 | args | semmle.label | args | +| command-line-libs.js:33:16:33:23 | req.body | semmle.label | req.body | +| command-line-libs.js:34:9:38:12 | parsed | semmle.label | parsed | +| command-line-libs.js:34:18:34:28 | yargs(args) | semmle.label | yargs(args) | +| command-line-libs.js:34:18:38:4 | yargs(a ... ue\\n }) | semmle.label | yargs(a ... ue\\n }) | +| command-line-libs.js:34:18:38:12 | yargs(a ... parse() | semmle.label | yargs(a ... parse() | +| command-line-libs.js:34:24:34:27 | args | semmle.label | args | +| command-line-libs.js:40:8:40:13 | parsed | semmle.label | parsed | +| command-line-libs.js:40:8:40:17 | parsed.cmd | semmle.label | parsed.cmd | | exec-sh2.js:9:17:9:23 | command | semmle.label | command | | exec-sh2.js:10:40:10:46 | command | semmle.label | command | | exec-sh2.js:14:9:14:49 | cmd | semmle.label | cmd | diff --git a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/command-line-libs.js b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/command-line-libs.js index c5621354d91..58ae097297d 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/command-line-libs.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/command-line-libs.js @@ -30,12 +30,12 @@ app.post('/commandLineArgs', (req, res) => { app.post('/yargs', (req, res) => { const yargs = require('yargs/yargs'); - const args = req.body.args || []; // $ MISSING: Source + const args = req.body.args || []; // $ Source const parsed = yargs(args).option('cmd', { type: 'string', describe: 'Command to execute', demandOption: true }).parse(); - exec(parsed.cmd); // $ MISSING: Alert + exec(parsed.cmd); // $ Alert }); From 6b4e34dd39b994b181b9ac13d2249961e47986e8 Mon Sep 17 00:00:00 2001 From: Napalys Klicius Date: Fri, 1 Aug 2025 13:12:43 +0200 Subject: [PATCH 0121/1955] Added a step from parse to opts for commander js --- .../javascript/frameworks/CommandLineArguments.qll | 5 +++++ .../CommandInjection/CommandInjection.expected | 14 ++++++++++++++ .../CWE-078/CommandInjection/command-line-libs.js | 4 ++-- 3 files changed, 21 insertions(+), 2 deletions(-) diff --git a/javascript/ql/lib/semmle/javascript/frameworks/CommandLineArguments.qll b/javascript/ql/lib/semmle/javascript/frameworks/CommandLineArguments.qll index 8fff526b2bd..04825b40626 100644 --- a/javascript/ql/lib/semmle/javascript/frameworks/CommandLineArguments.qll +++ b/javascript/ql/lib/semmle/javascript/frameworks/CommandLineArguments.qll @@ -95,6 +95,11 @@ private class ArgsParseStep extends TaintTracking::SharedTaintStep { pred = call.getArgument(0) ) or + exists(API::Node commanderNode | commanderNode = commander() | + pred = commanderNode.getMember("parse").getACall().getAnArgument() and + succ = commanderNode.getMember("opts").getACall() + ) + or exists(DataFlow::MethodCallNode methodCall | methodCall = yargs() | pred = methodCall.getReceiver() and succ = methodCall diff --git a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/CommandInjection.expected b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/CommandInjection.expected index 4c21013e8f0..7d95ca256f8 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/CommandInjection.expected +++ b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/CommandInjection.expected @@ -21,6 +21,7 @@ | child_process-test.js:75:29:75:31 | cmd | child_process-test.js:73:25:73:31 | req.url | child_process-test.js:75:29:75:31 | cmd | This command line depends on a $@. | child_process-test.js:73:25:73:31 | req.url | user-provided value | | child_process-test.js:83:19:83:36 | req.query.fileName | child_process-test.js:83:19:83:36 | req.query.fileName | child_process-test.js:83:19:83:36 | req.query.fileName | This command line depends on a $@. | child_process-test.js:83:19:83:36 | req.query.fileName | user-provided value | | child_process-test.js:94:11:94:35 | "ping " ... ms.host | child_process-test.js:94:21:94:30 | ctx.params | child_process-test.js:94:11:94:35 | "ping " ... ms.host | This command line depends on a $@. | child_process-test.js:94:21:94:30 | ctx.params | user-provided value | +| command-line-libs.js:14:8:14:18 | options.cmd | command-line-libs.js:9:16:9:23 | req.body | command-line-libs.js:14:8:14:18 | options.cmd | This command line depends on a $@. | command-line-libs.js:9:16:9:23 | req.body | user-provided value | | command-line-libs.js:40:8:40:17 | parsed.cmd | command-line-libs.js:33:16:33:23 | req.body | command-line-libs.js:40:8:40:17 | parsed.cmd | This command line depends on a $@. | command-line-libs.js:33:16:33:23 | req.body | user-provided value | | exec-sh2.js:10:12:10:57 | cp.spaw ... ptions) | exec-sh2.js:14:25:14:31 | req.url | exec-sh2.js:10:40:10:46 | command | This command line depends on a $@. | exec-sh2.js:14:25:14:31 | req.url | user-provided value | | exec-sh.js:15:12:15:61 | cp.spaw ... ptions) | exec-sh.js:19:25:19:31 | req.url | exec-sh.js:15:44:15:50 | command | This command line depends on a $@. | exec-sh.js:19:25:19:31 | req.url | user-provided value | @@ -117,6 +118,12 @@ edges | child_process-test.js:73:15:73:38 | url.par ... , true) | child_process-test.js:73:9:73:49 | cmd | provenance | | | child_process-test.js:73:25:73:31 | req.url | child_process-test.js:73:15:73:38 | url.par ... , true) | provenance | | | child_process-test.js:94:21:94:30 | ctx.params | child_process-test.js:94:11:94:35 | "ping " ... ms.host | provenance | | +| command-line-libs.js:9:9:9:34 | args | command-line-libs.js:12:17:12:20 | args | provenance | | +| command-line-libs.js:9:16:9:23 | req.body | command-line-libs.js:9:9:9:34 | args | provenance | | +| command-line-libs.js:12:17:12:20 | args | command-line-libs.js:13:19:13:32 | program.opts() | provenance | | +| command-line-libs.js:13:9:13:32 | options | command-line-libs.js:14:8:14:14 | options | provenance | | +| command-line-libs.js:13:19:13:32 | program.opts() | command-line-libs.js:13:9:13:32 | options | provenance | | +| command-line-libs.js:14:8:14:14 | options | command-line-libs.js:14:8:14:18 | options.cmd | provenance | | | command-line-libs.js:33:9:33:34 | args | command-line-libs.js:34:24:34:27 | args | provenance | | | command-line-libs.js:33:16:33:23 | req.body | command-line-libs.js:33:9:33:34 | args | provenance | | | command-line-libs.js:34:9:38:12 | parsed | command-line-libs.js:40:8:40:13 | parsed | provenance | | @@ -278,6 +285,13 @@ nodes | child_process-test.js:83:19:83:36 | req.query.fileName | semmle.label | req.query.fileName | | child_process-test.js:94:11:94:35 | "ping " ... ms.host | semmle.label | "ping " ... ms.host | | child_process-test.js:94:21:94:30 | ctx.params | semmle.label | ctx.params | +| command-line-libs.js:9:9:9:34 | args | semmle.label | args | +| command-line-libs.js:9:16:9:23 | req.body | semmle.label | req.body | +| command-line-libs.js:12:17:12:20 | args | semmle.label | args | +| command-line-libs.js:13:9:13:32 | options | semmle.label | options | +| command-line-libs.js:13:19:13:32 | program.opts() | semmle.label | program.opts() | +| command-line-libs.js:14:8:14:14 | options | semmle.label | options | +| command-line-libs.js:14:8:14:18 | options.cmd | semmle.label | options.cmd | | command-line-libs.js:33:9:33:34 | args | semmle.label | args | | command-line-libs.js:33:16:33:23 | req.body | semmle.label | req.body | | command-line-libs.js:34:9:38:12 | parsed | semmle.label | parsed | diff --git a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/command-line-libs.js b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/command-line-libs.js index 58ae097297d..249bcb1d3ba 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/command-line-libs.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/command-line-libs.js @@ -6,12 +6,12 @@ const app = express(); app.use(express.json()); app.post('/Command', (req, res) => { - const args = req.body.args || []; // $ MISSING: Source + const args = req.body.args || []; // $ Source const program = new Command(); program.option('--cmd ', 'Command to execute'); program.parse(args, { from: 'user' }); const options = program.opts(); - exec(options.cmd); // $ MISSING: Alert + exec(options.cmd); // $ Alert }); app.post('/arg', (req, res) => { From 39170f327c17e656e68a530200bad809853e136b Mon Sep 17 00:00:00 2001 From: Napalys Klicius Date: Fri, 1 Aug 2025 13:14:39 +0200 Subject: [PATCH 0122/1955] Added couple more test cases for commander js --- .../CommandInjection.expected | 36 +++++++++---------- .../CommandInjection/command-line-libs.js | 11 +++++- 2 files changed, 28 insertions(+), 19 deletions(-) diff --git a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/CommandInjection.expected b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/CommandInjection.expected index 7d95ca256f8..75a8d6e8dc2 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/CommandInjection.expected +++ b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/CommandInjection.expected @@ -22,7 +22,7 @@ | child_process-test.js:83:19:83:36 | req.query.fileName | child_process-test.js:83:19:83:36 | req.query.fileName | child_process-test.js:83:19:83:36 | req.query.fileName | This command line depends on a $@. | child_process-test.js:83:19:83:36 | req.query.fileName | user-provided value | | child_process-test.js:94:11:94:35 | "ping " ... ms.host | child_process-test.js:94:21:94:30 | ctx.params | child_process-test.js:94:11:94:35 | "ping " ... ms.host | This command line depends on a $@. | child_process-test.js:94:21:94:30 | ctx.params | user-provided value | | command-line-libs.js:14:8:14:18 | options.cmd | command-line-libs.js:9:16:9:23 | req.body | command-line-libs.js:14:8:14:18 | options.cmd | This command line depends on a $@. | command-line-libs.js:9:16:9:23 | req.body | user-provided value | -| command-line-libs.js:40:8:40:17 | parsed.cmd | command-line-libs.js:33:16:33:23 | req.body | command-line-libs.js:40:8:40:17 | parsed.cmd | This command line depends on a $@. | command-line-libs.js:33:16:33:23 | req.body | user-provided value | +| command-line-libs.js:49:8:49:17 | parsed.cmd | command-line-libs.js:42:16:42:23 | req.body | command-line-libs.js:49:8:49:17 | parsed.cmd | This command line depends on a $@. | command-line-libs.js:42:16:42:23 | req.body | user-provided value | | exec-sh2.js:10:12:10:57 | cp.spaw ... ptions) | exec-sh2.js:14:25:14:31 | req.url | exec-sh2.js:10:40:10:46 | command | This command line depends on a $@. | exec-sh2.js:14:25:14:31 | req.url | user-provided value | | exec-sh.js:15:12:15:61 | cp.spaw ... ptions) | exec-sh.js:19:25:19:31 | req.url | exec-sh.js:15:44:15:50 | command | This command line depends on a $@. | exec-sh.js:19:25:19:31 | req.url | user-provided value | | execSeries.js:14:41:14:47 | command | execSeries.js:18:34:18:40 | req.url | execSeries.js:14:41:14:47 | command | This command line depends on a $@. | execSeries.js:18:34:18:40 | req.url | user-provided value | @@ -124,14 +124,14 @@ edges | command-line-libs.js:13:9:13:32 | options | command-line-libs.js:14:8:14:14 | options | provenance | | | command-line-libs.js:13:19:13:32 | program.opts() | command-line-libs.js:13:9:13:32 | options | provenance | | | command-line-libs.js:14:8:14:14 | options | command-line-libs.js:14:8:14:18 | options.cmd | provenance | | -| command-line-libs.js:33:9:33:34 | args | command-line-libs.js:34:24:34:27 | args | provenance | | -| command-line-libs.js:33:16:33:23 | req.body | command-line-libs.js:33:9:33:34 | args | provenance | | -| command-line-libs.js:34:9:38:12 | parsed | command-line-libs.js:40:8:40:13 | parsed | provenance | | -| command-line-libs.js:34:18:34:28 | yargs(args) | command-line-libs.js:34:18:38:4 | yargs(a ... ue\\n }) | provenance | | -| command-line-libs.js:34:18:38:4 | yargs(a ... ue\\n }) | command-line-libs.js:34:18:38:12 | yargs(a ... parse() | provenance | | -| command-line-libs.js:34:18:38:12 | yargs(a ... parse() | command-line-libs.js:34:9:38:12 | parsed | provenance | | -| command-line-libs.js:34:24:34:27 | args | command-line-libs.js:34:18:34:28 | yargs(args) | provenance | | -| command-line-libs.js:40:8:40:13 | parsed | command-line-libs.js:40:8:40:17 | parsed.cmd | provenance | | +| command-line-libs.js:42:9:42:34 | args | command-line-libs.js:43:24:43:27 | args | provenance | | +| command-line-libs.js:42:16:42:23 | req.body | command-line-libs.js:42:9:42:34 | args | provenance | | +| command-line-libs.js:43:9:47:12 | parsed | command-line-libs.js:49:8:49:13 | parsed | provenance | | +| command-line-libs.js:43:18:43:28 | yargs(args) | command-line-libs.js:43:18:47:4 | yargs(a ... ue\\n }) | provenance | | +| command-line-libs.js:43:18:47:4 | yargs(a ... ue\\n }) | command-line-libs.js:43:18:47:12 | yargs(a ... parse() | provenance | | +| command-line-libs.js:43:18:47:12 | yargs(a ... parse() | command-line-libs.js:43:9:47:12 | parsed | provenance | | +| command-line-libs.js:43:24:43:27 | args | command-line-libs.js:43:18:43:28 | yargs(args) | provenance | | +| command-line-libs.js:49:8:49:13 | parsed | command-line-libs.js:49:8:49:17 | parsed.cmd | provenance | | | exec-sh2.js:9:17:9:23 | command | exec-sh2.js:10:40:10:46 | command | provenance | | | exec-sh2.js:14:9:14:49 | cmd | exec-sh2.js:15:12:15:14 | cmd | provenance | | | exec-sh2.js:14:15:14:38 | url.par ... , true) | exec-sh2.js:14:9:14:49 | cmd | provenance | | @@ -292,15 +292,15 @@ nodes | command-line-libs.js:13:19:13:32 | program.opts() | semmle.label | program.opts() | | command-line-libs.js:14:8:14:14 | options | semmle.label | options | | command-line-libs.js:14:8:14:18 | options.cmd | semmle.label | options.cmd | -| command-line-libs.js:33:9:33:34 | args | semmle.label | args | -| command-line-libs.js:33:16:33:23 | req.body | semmle.label | req.body | -| command-line-libs.js:34:9:38:12 | parsed | semmle.label | parsed | -| command-line-libs.js:34:18:34:28 | yargs(args) | semmle.label | yargs(args) | -| command-line-libs.js:34:18:38:4 | yargs(a ... ue\\n }) | semmle.label | yargs(a ... ue\\n }) | -| command-line-libs.js:34:18:38:12 | yargs(a ... parse() | semmle.label | yargs(a ... parse() | -| command-line-libs.js:34:24:34:27 | args | semmle.label | args | -| command-line-libs.js:40:8:40:13 | parsed | semmle.label | parsed | -| command-line-libs.js:40:8:40:17 | parsed.cmd | semmle.label | parsed.cmd | +| command-line-libs.js:42:9:42:34 | args | semmle.label | args | +| command-line-libs.js:42:16:42:23 | req.body | semmle.label | req.body | +| command-line-libs.js:43:9:47:12 | parsed | semmle.label | parsed | +| command-line-libs.js:43:18:43:28 | yargs(args) | semmle.label | yargs(args) | +| command-line-libs.js:43:18:47:4 | yargs(a ... ue\\n }) | semmle.label | yargs(a ... ue\\n }) | +| command-line-libs.js:43:18:47:12 | yargs(a ... parse() | semmle.label | yargs(a ... parse() | +| command-line-libs.js:43:24:43:27 | args | semmle.label | args | +| command-line-libs.js:49:8:49:13 | parsed | semmle.label | parsed | +| command-line-libs.js:49:8:49:17 | parsed.cmd | semmle.label | parsed.cmd | | exec-sh2.js:9:17:9:23 | command | semmle.label | command | | exec-sh2.js:10:40:10:46 | command | semmle.label | command | | exec-sh2.js:14:9:14:49 | cmd | semmle.label | cmd | diff --git a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/command-line-libs.js b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/command-line-libs.js index 249bcb1d3ba..c9739793a48 100644 --- a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/command-line-libs.js +++ b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection/command-line-libs.js @@ -5,13 +5,22 @@ import arg from 'arg'; const app = express(); app.use(express.json()); -app.post('/Command', (req, res) => { +app.post('/Command', async (req, res) => { const args = req.body.args || []; // $ Source const program = new Command(); program.option('--cmd ', 'Command to execute'); program.parse(args, { from: 'user' }); const options = program.opts(); exec(options.cmd); // $ Alert + exec(program.cmd); // $ MISSING: Alert + + const program1 = new Command(); + program1 + .command('run