Merge branch 'main' into skip-safe-conversions-in-range-analysis

2026-02-23 10:23:41 +01:00 · 2023-03-24 17:01:11 +00:00
parent 61bafd358a 86cc59e7db
commit 125c013052
367 changed files with 8481 additions and 3745 deletions
--- a/cpp/ql/src/experimental/Security/CWE/CWE-078/WordexpTainted.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-078/WordexpTainted.ql
@@ -50,9 +50,9 @@ module WordexpTaintConfig implements DataFlow::ConfigSig {
  }
 }

-module WordexpTaint = TaintTracking::Make<WordexpTaintConfig>;
+module WordexpTaint = TaintTracking::Global<WordexpTaintConfig>;

 from WordexpTaint::PathNode sourceNode, WordexpTaint::PathNode sinkNode
-where WordexpTaint::hasFlowPath(sourceNode, sinkNode)
+where WordexpTaint::flowPath(sourceNode, sinkNode)
 select sinkNode.getNode(), sourceNode, sinkNode,
  "Using user-supplied data in a `wordexp` command, without disabling command substitution, can make code vulnerable to command injection."
--- a/cpp/ql/src/experimental/Security/CWE/CWE-190/AllocMultiplicationOverflow.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-190/AllocMultiplicationOverflow.ql
@@ -32,10 +32,10 @@ module MultToAllocConfig implements DataFlow::ConfigSig {
  }
 }

-module MultToAlloc = DataFlow::Make<MultToAllocConfig>;
+module MultToAlloc = DataFlow::Global<MultToAllocConfig>;

 from MultToAlloc::PathNode source, MultToAlloc::PathNode sink
-where MultToAlloc::hasFlowPath(source, sink)
+where MultToAlloc::flowPath(source, sink)
 select sink, source, sink,
  "Potentially overflowing value from $@ is used in the size of this allocation.", source,
  "multiplication"
--- a/cpp/ql/src/experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql
@@ -43,7 +43,8 @@ module FieldAddressToPointerArithmeticConfig implements DataFlow::ConfigSig {
  }
 }

-module FieldAddressToPointerArithmeticFlow = DataFlow::Make<FieldAddressToPointerArithmeticConfig>;
+module FieldAddressToPointerArithmeticFlow =
+  DataFlow::Global<FieldAddressToPointerArithmeticConfig>;

 predicate isFieldAddressSource(Field f, DataFlow::Node source) {
  source.asInstruction().(FieldAddressInstruction).getField() = f
@@ -70,7 +71,7 @@ predicate isInvalidPointerDerefSink(DataFlow::Node sink, Instruction i, string o

 predicate isConstantSizeOverflowSource(Field f, PointerAddInstruction pai, int delta) {
  exists(int size, int bound, DataFlow::Node source, DataFlow::InstructionNode sink |
-    FieldAddressToPointerArithmeticFlow::hasFlow(source, sink) and
+    FieldAddressToPointerArithmeticFlow::flow(source, sink) and
    isFieldAddressSource(f, source) and
    pai.getLeft() = sink.asInstruction() and
    f.getUnspecifiedType().(ArrayType).getArraySize() = size and
@@ -90,13 +91,13 @@ module PointerArithmeticToDerefConfig implements DataFlow::ConfigSig {
  predicate isSink(DataFlow::Node sink) { isInvalidPointerDerefSink(sink, _, _) }
 }

-module PointerArithmeticToDerefFlow = DataFlow::Make<PointerArithmeticToDerefConfig>;
+module PointerArithmeticToDerefFlow = DataFlow::Global<PointerArithmeticToDerefConfig>;

 from
  Field f, PointerArithmeticToDerefFlow::PathNode source,
  PointerArithmeticToDerefFlow::PathNode sink, Instruction deref, string operation, int delta
 where
-  PointerArithmeticToDerefFlow::hasFlowPath(source, sink) and
+  PointerArithmeticToDerefFlow::flowPath(source, sink) and
  isInvalidPointerDerefSink(sink.getNode(), deref, operation) and
  isConstantSizeOverflowSource(f, source.getNode().asInstruction(), delta)
 select source, source, sink,
--- a/cpp/ql/src/experimental/Security/CWE/CWE-193/InvalidPointerDeref.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-193/InvalidPointerDeref.ql
@@ -209,7 +209,7 @@ module InvalidPointerToDerefConfig implements DataFlow::ConfigSig {
  predicate isSink(DataFlow::Node sink) { isInvalidPointerDerefSink(sink, _, _) }
 }

-module InvalidPointerToDerefFlow = DataFlow::Make<InvalidPointerToDerefConfig>;
+module InvalidPointerToDerefFlow = DataFlow::Global<InvalidPointerToDerefConfig>;

 /**
 * Holds if `pai` is a pointer-arithmetic operation and `source` is a dataflow node with a
@@ -241,7 +241,7 @@ newtype TMergedPathNode =
  // pointer, but we want to raise an alert at the dereference.
  TPathNodeSink(Instruction i) {
    exists(DataFlow::Node n |
-      InvalidPointerToDerefFlow::hasFlow(_, n) and
+      InvalidPointerToDerefFlow::flow(_, n) and
      isInvalidPointerDerefSink(n, i, _)
    )
  }
@@ -349,7 +349,7 @@ predicate hasFlowPath(
  |
    conf1.hasFlowPath(source1.asPathNode1(), _, sink1, _) and
    joinOn1(pai, sink1, source3) and
-    InvalidPointerToDerefFlow::hasFlowPath(source3, sink3) and
+    InvalidPointerToDerefFlow::flowPath(source3, sink3) and
    joinOn2(sink3, sink.asSinkNode(), operation)
  )
 }
--- a/cpp/ql/src/experimental/Security/CWE/CWE-359/PrivateCleartextWrite.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-359/PrivateCleartextWrite.ql
@@ -16,7 +16,7 @@ import experimental.semmle.code.cpp.security.PrivateCleartextWrite::PrivateClear
 import WriteFlow::PathGraph

 from WriteFlow::PathNode source, WriteFlow::PathNode sink
-where WriteFlow::hasFlowPath(source, sink)
+where WriteFlow::flowPath(source, sink)
 select sink.getNode(), source, sink,
  "This write into the external location '" + sink.getNode() +
    "' may contain unencrypted data from $@.", source, "this source of private data."