hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-23 07:45:17 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'main' into rust-rusqlite

Browse Source
This commit is contained in:
Mathew Payne
2025-02-10 15:22:05 +00:00
committed by GitHub
parent 3e38867cb2 9eeae712d7
commit 1b30847310
70 changed files with 1575 additions and 144 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
actions/ql/lib/change-notes/2025-01-07-trusted-owner-ext.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: feature
---
* The "Unpinned tag for a non-immutable Action in workflow" query (`actions/unpinned-tag`) now supports expanding the trusted action owner list using data extensions (`extensible: trustedActionsOwnerDataModel`). If you trust an Action publisher, you can include the owner name/organization in a model pack to add it to the allow list for this query. This addition will prevent security alerts when using unpinned tags for Actions published by that owner. For more information on creating a model pack, see [Creating a CodeQL Model Pack](https://docs.github.com/en/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-and-working-with-codeql-packs#creating-a-codeql-model-pack).

9
actions/ql/lib/codeql/actions/config/Config.qll
View File

@@ -126,6 +126,15 @@ predicate vulnerableActionsDataModel(
*/
predicate immutableActionsDataModel(string action) { Extensions::immutableActionsDataModel(action) }
/**
* MaD models for trusted actions owners
* Fields:
* - owner: owner name
*/
predicate trustedActionsOwnerDataModel(string owner) {
Extensions::trustedActionsOwnerDataModel(owner)
}
/**
* MaD models for untrusted git commands
* Fields:

5
actions/ql/lib/codeql/actions/config/ConfigExtensions.qll
View File

@@ -63,6 +63,11 @@ extensible predicate vulnerableActionsDataModel(
*/
extensible predicate immutableActionsDataModel(string action);
/**
* Holds for trusted Actions owners.
*/
extensible predicate trustedActionsOwnerDataModel(string owner);
/**
* Holds for git commands that may introduce untrusted data when called on an attacker controlled branch.
*/

8
actions/ql/lib/ext/config/trusted_actions_owner.yml Normal file
View File

@@ -0,0 +1,8 @@
extensions:
- addsTo:
pack: codeql/actions-all
extensible: trustedActionsOwnerDataModel
data:
- ["actions"]
- ["github"]
- ["advanced-security"]

4
actions/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql
View File

@@ -2,9 +2,9 @@
* @name PATH Enviroment Variable built from user-controlled sources
* @description Building the PATH environment variable from user-controlled sources may alter the execution of following system commands
* @kind path-problem
* @problem.severity warning
* @problem.severity error
* @security-severity 5.0
* @precision high
* @precision medium
* @id actions/envpath-injection/medium
* @tags actions
* security

4
actions/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql
View File

@@ -2,9 +2,9 @@
* @name Enviroment Variable built from user-controlled sources
* @description Building an environment variable from user-controlled sources may alter the execution of following system commands
* @kind path-problem
* @problem.severity warning
* @problem.severity error
* @security-severity 5.0
* @precision high
* @precision medium
* @id actions/envvar-injection/medium
* @tags actions
* security

3
actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql
View File

@@ -3,11 +3,12 @@
* @description Workflows should contain permissions to provide a clear understanding has permissions to run the workflow.
* @kind problem
* @security-severity 5.0
* @problem.severity recommendation
* @problem.severity warning
* @precision high
* @id actions/missing-workflow-permissions
* @tags actions
* maintainability
* security
* external/cwe/cwe-275
*/

3
actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql
View File

@@ -2,7 +2,8 @@
* @name Excessive Secrets Exposure
* @description All organization and repository secrets are passed to the workflow runner.
* @kind problem
* @problem.severity recommendation
* @precision high
* @problem.severity warning
* @id actions/excessive-secrets-exposure
* @tags actions
* security

4
actions/ql/src/Security/CWE-829/ArtifactPoisoningMedium.ql
View File

@@ -2,8 +2,8 @@
* @name Artifact poisoning
* @description An attacker may be able to poison the workflow's artifacts and influence on consequent steps.
* @kind path-problem
* @problem.severity warning
* @precision high
* @problem.severity error
* @precision medium
* @security-severity 5.0
* @id actions/artifact-poisoning/medium
* @tags actions

2
actions/ql/src/Security/CWE-829/UnpinnedActionsTag.md
View File

@@ -24,4 +24,4 @@ Pinning an action to a full length commit SHA is currently the only way to use a
## References
- [Using third-party actions](https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions)
- [Using third-party actions](https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions)

21
actions/ql/src/Security/CWE-829/UnpinnedActionsTag.ql
View File

@@ -3,8 +3,8 @@
* @description Using a tag for a non-immutable Action that is not pinned to a commit can lead to executing an untrusted Action through a supply chain attack.
* @kind problem
* @security-severity 5.0
* @problem.severity recommendation
* @precision high
* @problem.severity warning
* @precision medium
* @id actions/unpinned-tag
* @tags security
* actions
@@ -17,14 +17,15 @@ import codeql.actions.security.UseOfUnversionedImmutableAction
bindingset[version]
private predicate isPinnedCommit(string version) { version.regexpMatch("^[A-Fa-f0-9]{40}$") }
bindingset[repo]
private predicate isTrustedOrg(string repo) {
repo.matches(["actions", "github", "advanced-security"] + "/%")
bindingset[nwo]
private predicate isTrustedOwner(string nwo) {
// Gets the segment before the first '/' in the name with owner(nwo) string
trustedActionsOwnerDataModel(nwo.substring(0, nwo.indexOf("/")))
}
from UsesStep uses, string repo, string version, Workflow workflow, string name
from UsesStep uses, string nwo, string version, Workflow workflow, string name
where
uses.getCallee() = repo and
uses.getCallee() = nwo and
uses.getEnclosingWorkflow() = workflow and
(
workflow.getName() = name
@@ -32,9 +33,9 @@ where
not exists(workflow.getName()) and workflow.getLocation().getFile().getBaseName() = name
) and
uses.getVersion() = version and
not isTrustedOrg(repo) and
not isTrustedOwner(nwo) and
not isPinnedCommit(version) and
not isImmutableAction(uses, repo)
not isImmutableAction(uses, nwo)
select uses.getCalleeNode(),
"Unpinned 3rd party Action '" + name + "' step $@ uses '" + repo + "' with ref '" + version +
"Unpinned 3rd party Action '" + name + "' step $@ uses '" + nwo + "' with ref '" + version +
"', not a pinned commit hash", uses, uses.toString()

20
actions/ql/src/change-notes/2025-02-06-curate-suites.md Normal file
View File

@@ -0,0 +1,20 @@
---
category: breaking
---
* The following queries have been removed from the `code-scanning` and `security-extended` suites.
Any existing alerts for these queries will be closed automatically.
* `actions/if-expression-always-true/critical`
* `actions/if-expression-always-true/high`
* `actions/unnecessary-use-of-advanced-config`
* The following query has been moved from the `code-scanning` suite to the `security-extended`
suite. Any existing alerts for this query will be closed automatically unless the analysis is
configured to use the `security-extended` suite.
* `actions/unpinned-tag`
* The following queries have been added to the `security-extended` suite.
* `actions/unversioned-immutable-action`
* `actions/envpath-injection/medium`
* `actions/envvar-injection/medium`
* `actions/code-injection/medium`
* `actions/artifact-poisoning/medium`
* `actions/untrusted-checkout/medium`

13
actions/ql/src/codeql-suites/actions-code-scanning.qls
View File

@@ -1,11 +1,4 @@
- description: Standard Code Scanning queries for GitHub Actions
- queries: '.'
- include:
problem.severity:
- error
- recommendation
- exclude:
tags contain:
- experimental
- debug
- internal
- queries: .
- apply: code-scanning-selectors.yml
from: codeql/suite-helpers

4
actions/ql/src/codeql-suites/actions-security-extended.qls
View File

@@ -1,2 +1,4 @@
- description: Security-extended queries for GitHub Actions
- import: codeql-suites/actions-code-scanning.qls
- queries: .
- apply: security-extended-selectors.yml
from: codeql/suite-helpers

0
actions/ql/src/Security/CWE-074/OutputClobberingHigh.ql → actions/ql/src/experimental/Security/CWE-074/OutputClobberingHigh.ql
View File

0
actions/ql/src/Security/CWE-078/CommandInjectionCritical.ql → actions/ql/src/experimental/Security/CWE-078/CommandInjectionCritical.ql
View File

0
actions/ql/src/Security/CWE-078/CommandInjectionMedium.ql → actions/ql/src/experimental/Security/CWE-078/CommandInjectionMedium.ql
View File

0
actions/ql/src/Security/CWE-088/ArgumentInjectionCritical.md → actions/ql/src/experimental/Security/CWE-088/ArgumentInjectionCritical.md
View File

0
actions/ql/src/Security/CWE-088/ArgumentInjectionCritical.ql → actions/ql/src/experimental/Security/CWE-088/ArgumentInjectionCritical.ql
View File

0
actions/ql/src/Security/CWE-088/ArgumentInjectionMedium.md → actions/ql/src/experimental/Security/CWE-088/ArgumentInjectionMedium.md
View File

0
actions/ql/src/Security/CWE-088/ArgumentInjectionMedium.ql → actions/ql/src/experimental/Security/CWE-088/ArgumentInjectionMedium.ql
View File

0
actions/ql/src/Security/CWE-200/SecretExfiltration.ql → actions/ql/src/experimental/Security/CWE-200/SecretExfiltration.ql
View File

0
actions/ql/src/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql → actions/ql/src/experimental/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql
View File

0
actions/ql/src/Security/CWE-829/ArtifactPoisoningPathTraversal.ql → actions/ql/src/experimental/Security/CWE-829/ArtifactPoisoningPathTraversal.ql
View File

0
actions/ql/src/Security/CWE-918/RequestForgery.ql → actions/ql/src/experimental/Security/CWE-918/RequestForgery.ql
View File

2
actions/ql/test/query-tests/Security/CWE-074/OutputClobberingHigh.qlref
View File

@@ -1 +1 @@
Security/CWE-074/OutputClobberingHigh.ql
experimental/Security/CWE-074/OutputClobberingHigh.ql

2
actions/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.qlref
View File

@@ -1 +1 @@
Security/CWE-078/CommandInjectionCritical.ql
experimental/Security/CWE-078/CommandInjectionCritical.ql

2
actions/ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.qlref
View File

@@ -1 +1 @@
Security/CWE-078/CommandInjectionMedium.ql
experimental/Security/CWE-078/CommandInjectionMedium.ql

2
actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.qlref
View File

@@ -1 +1 @@
Security/CWE-088/ArgumentInjectionCritical.ql
experimental/Security/CWE-088/ArgumentInjectionCritical.ql

2
actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionMedium.qlref
View File

@@ -1 +1 @@
Security/CWE-088/ArgumentInjectionMedium.ql
experimental/Security/CWE-088/ArgumentInjectionMedium.ql

2
actions/ql/test/query-tests/Security/CWE-200/SecretExfiltration.qlref
View File

@@ -1,2 +1,2 @@
Security/CWE-200/SecretExfiltration.ql
experimental/Security/CWE-200/SecretExfiltration.ql

2
actions/ql/test/query-tests/Security/CWE-284/CodeExecutionOnSelfHostedRunner.qlref
View File

@@ -1,2 +1,2 @@
Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql
experimental/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql

2
actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningPathTraversal.qlref
View File

@@ -1,2 +1,2 @@
Security/CWE-829/ArtifactPoisoningPathTraversal.ql
experimental/Security/CWE-829/ArtifactPoisoningPathTraversal.ql

2
actions/ql/test/query-tests/Security/CWE-918/RequestForgery.qlref
View File

@@ -1 +1 @@
Security/CWE-918/RequestForgery.ql
experimental/Security/CWE-918/RequestForgery.ql

4
csharp/ql/lib/change-notes/2025-02-03-blazor-routing-parameters.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* Blazor `[Parameter]` fields bound to a variable from the route specified in the `@page` directive are now modeled as remote flow sources.

135
csharp/ql/lib/semmle/code/csharp/frameworks/microsoft/aspnetcore/Components.qll Normal file
View File

@@ -0,0 +1,135 @@
/** Provides classes for working with `Microsoft.AspNetCore.Components` */
import csharp
import semmle.code.csharp.frameworks.Microsoft
import semmle.code.csharp.frameworks.microsoft.AspNetCore
/** The `Microsoft.AspNetCore.Components` namespace */
class MicrosoftAspNetCoreComponentsNamespace extends Namespace {
MicrosoftAspNetCoreComponentsNamespace() {
this.getParentNamespace() instanceof MicrosoftAspNetCoreNamespace and
this.hasName("Components")
}
}
/**
* A class in the `Microsoft.AspNetCore.Components` namespace.
*/
private class MicrosoftAspNetCoreComponentsClass extends Class {
MicrosoftAspNetCoreComponentsClass() {
this.getNamespace() instanceof MicrosoftAspNetCoreComponentsNamespace
}
}
/** The `Microsoft.AspNetCore.Components.CascadingParameterAttributeBase` class. */
class MicrosoftAspNetCoreComponentsCascadingParameterAttributeBaseClass extends MicrosoftAspNetCoreComponentsClass
{
MicrosoftAspNetCoreComponentsCascadingParameterAttributeBaseClass() {
this.hasName("CascadingParameterAttributeBase")
}
}
/** The `Microsoft.AspNetCore.Components.ComponentBase` class. */
class MicrosoftAspNetCoreComponentsComponentBaseClass extends MicrosoftAspNetCoreComponentsClass {
MicrosoftAspNetCoreComponentsComponentBaseClass() { this.hasName("ComponentBase") }
}
/** The `Microsoft.AspNetCore.Components.IComponent` interface. */
class MicrosoftAspNetCoreComponentsIComponentInterface extends Interface {
MicrosoftAspNetCoreComponentsIComponentInterface() {
this.getNamespace() instanceof MicrosoftAspNetCoreComponentsNamespace and
this.hasName("IComponent")
}
}
/** The `Microsoft.AspNetCore.Components.RouteAttribute` attribute. */
private class MicrosoftAspNetCoreComponentsRouteAttribute extends Attribute {
MicrosoftAspNetCoreComponentsRouteAttribute() {
this.getType().getNamespace() instanceof MicrosoftAspNetCoreComponentsNamespace and
this.getType().hasName("RouteAttribute")
}
}
/** The `Microsoft.AspNetCore.Components.ParameterAttribute` attribute. */
private class MicrosoftAspNetCoreComponentsParameterAttribute extends Attribute {
MicrosoftAspNetCoreComponentsParameterAttribute() {
this.getType().getNamespace() instanceof MicrosoftAspNetCoreComponentsNamespace and
this.getType().hasName("ParameterAttribute")
}
}
/** An ASP.NET Core (Blazor) component. */
class MicrosoftAspNetCoreComponentsComponent extends Class {
MicrosoftAspNetCoreComponentsComponent() {
this.getABaseType+() instanceof MicrosoftAspNetCoreComponentsComponentBaseClass or
this.getABaseType+() instanceof MicrosoftAspNetCoreComponentsIComponentInterface
}
/** Gets a property whose value cascades down the component hierarchy. */
Property getACascadingParameterProperty() {
result = this.getAProperty() and
result.getAnAttribute().getType().getBaseClass() instanceof
MicrosoftAspNetCoreComponentsCascadingParameterAttributeBaseClass
}
/** Gets the url for the route from the `Microsoft.AspNetCore.Components.RouteAttribute` of the component. */
private string getRouteAttributeUrl() {
exists(MicrosoftAspNetCoreComponentsRouteAttribute a | a = this.getAnAttribute() |
result = a.getArgument(0).getValue()
)
}
/**
* Gets a route parameter from the `Microsoft.AspNetCore.Components.RouteAttribute` of the component.
*
* A route parameter is defined in the URL by wrapping its name in a pair of { braces } when adding a component's @page declaration.
* There are various extensions that can be added next to the parameter name, such as `:int` or `?` to make the parameter optional.
* Optionally, the parameter name can start with a `*` to make it a catch-all parameter.
*
* An example of a route parameter is `@page "/counter/{id:int}/{other?}/{*rest}"`, from this we're getting the `id`, `other` and `rest` parameters.
*/
pragma[nomagic]
private string getARouteParameter() {
exists(string s |
s = this.getRouteAttributeUrl().splitAt("{").regexpCapture("\\*?([^:?}]+)[:?}](.*)", 1) and
result = s.toLowerCase()
)
}
/** Gets a property attributed with `[Parameter]` attribute. */
pragma[nomagic]
private Property getAParameterProperty(string name) {
result = this.getAProperty() and
result.getAnAttribute() instanceof MicrosoftAspNetCoreComponentsParameterAttribute and
name = result.getName().toLowerCase()
}
/** Gets a property whose value is populated from route parameters. */
Property getARouteParameterProperty() {
exists(string name | name = this.getARouteParameter() |
result = this.getAParameterProperty(name)
)
}
}
private module Sources {
private import semmle.code.csharp.security.dataflow.flowsources.Remote
/**
* A property with a `[Parameter]` attribute in an ASP.NET Core component which
* is populated from a route parameter.
*/
private class AspNetCoreComponentRouteParameterFlowSource extends AspNetRemoteFlowSource,
DataFlow::ExprNode
{
AspNetCoreComponentRouteParameterFlowSource() {
exists(MicrosoftAspNetCoreComponentsComponent c, Property p |
p = c.getARouteParameterProperty()
|
this.asExpr() = p.getGetter().getACall()
)
}
override string getSourceType() { result = "ASP.NET Core component route parameter" }
}
}

3
csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/Remote.qll
View File

@@ -26,7 +26,8 @@ abstract class RemoteFlowSource extends SourceNode {
* A module for importing frameworks that defines remote flow sources.
*/
private module RemoteFlowSources {
private import semmle.code.csharp.frameworks.ServiceStack
private import semmle.code.csharp.frameworks.ServiceStack as ServiceStack
private import semmle.code.csharp.frameworks.microsoft.aspnetcore.Components as Blazor
}
/** A data flow source of remote user input (ASP.NET). */

28
csharp/ql/src/Telemetry/DatabaseQuality.qll
View File

@@ -4,33 +4,7 @@
*/
import csharp
signature module StatsSig {
int getNumberOfOk();
int getNumberOfNotOk();
string getOkText();
string getNotOkText();
}
module ReportStats<StatsSig Stats> {
predicate numberOfOk(string key, int value) {
value = Stats::getNumberOfOk() and
key = "Number of " + Stats::getOkText()
}
predicate numberOfNotOk(string key, int value) {
value = Stats::getNumberOfNotOk() and
key = "Number of " + Stats::getNotOkText()
}
predicate percentageOfOk(string key, float value) {
value = Stats::getNumberOfOk() * 100.0 / (Stats::getNumberOfOk() + Stats::getNumberOfNotOk()) and
key = "Percentage of " + Stats::getOkText()
}
}
import codeql.util.ReportStats
module CallTargetStats implements StatsSig {
int getNumberOfOk() { result = count(Call c | exists(c.getTarget())) }

124
csharp/ql/test/library-tests/frameworks/microsoft/aspnetcore/blazor/Components_MyInput_razor.g.cs Normal file
View File

@@ -0,0 +1,124 @@
// <auto-generated/>
#pragma warning disable 1591
namespace BlazorTest.Components
{
#line default
using global::System;
using global::System.Collections.Generic;
using global::System.Linq;
using global::System.Threading.Tasks;
using global::Microsoft.AspNetCore.Components;
#nullable restore
using System.Net.Http
#nullable disable
;
#nullable restore
using System.Net.Http.Json
#nullable disable
;
#nullable restore
using Microsoft.AspNetCore.Components.Forms
#nullable disable
;
#nullable restore
using Microsoft.AspNetCore.Components.Routing
#nullable disable
;
#nullable restore
using Microsoft.AspNetCore.Components.Web
#nullable disable
;
#nullable restore
using static Microsoft.AspNetCore.Components.Web.RenderMode
#nullable disable
;
#nullable restore
using Microsoft.AspNetCore.Components.Web.Virtualization
#nullable disable
;
#nullable restore
using Microsoft.JSInterop
#nullable disable
;
#nullable restore
using BlazorTest
#nullable disable
;
#nullable restore
using BlazorTest.Components
#line default
#line hidden
#nullable disable
;
[global::BlazorTest.Components.MyInput.__PrivateComponentRenderModeAttribute]
#nullable restore
public partial class MyInput : global::Microsoft.AspNetCore.Components.ComponentBase
#nullable disable
{
#pragma warning disable 1998
protected override void BuildRenderTree(global::Microsoft.AspNetCore.Components.Rendering.RenderTreeBuilder __builder)
{
__builder.OpenElement(0, "input");
__builder.AddAttribute(1, "value", global::Microsoft.AspNetCore.Components.BindConverter.FormatValue(
#nullable restore
Param1
#line default
#line hidden
#nullable disable
));
__builder.AddAttribute(2, "onchange", global::Microsoft.AspNetCore.Components.EventCallback.Factory.CreateBinder(this, global::Microsoft.AspNetCore.Components.CompilerServices.RuntimeHelpers.CreateInferredBindSetter(callback: __value =>
{
Param1 = __value; return global::Microsoft.AspNetCore.Components.CompilerServices.RuntimeHelpers.InvokeAsynchronousDelegate(callback:
#nullable restore
Fire
#line default
#line hidden
#nullable disable
);
}, value: Param1), Param1));
__builder.SetUpdatesAttributeName("value");
__builder.CloseElement();
}
#pragma warning restore 1998
#nullable restore
[Parameter]
public string? Param1 { get; set; } = "";
[Parameter]
public EventCallback<string?> ValueChanged { get; set; }
[Parameter]
public EventCallback<string?> Param1Changed { get; set; }
private void Fire()
{
ValueChanged.InvokeAsync(Param1);
Param1Changed.InvokeAsync(Param1);
}
#line default
#line hidden
#nullable disable
private sealed class __PrivateComponentRenderModeAttribute : global::Microsoft.AspNetCore.Components.RenderModeAttribute
{
private static global::Microsoft.AspNetCore.Components.IComponentRenderMode ModeImpl => InteractiveServer
;
public override global::Microsoft.AspNetCore.Components.IComponentRenderMode Mode => ModeImpl;
}
}
}
#pragma warning restore 1591

115
csharp/ql/test/library-tests/frameworks/microsoft/aspnetcore/blazor/Components_MyOutput_razor.g.cs Normal file
View File

@@ -0,0 +1,115 @@
// <auto-generated/>
#pragma warning disable 1591
namespace BlazorTest.Components
{
#line default
using global::System;
using global::System.Collections.Generic;
using global::System.Linq;
using global::System.Threading.Tasks;
using global::Microsoft.AspNetCore.Components;
#nullable restore
using System.Net.Http
#nullable disable
;
#nullable restore
using System.Net.Http.Json
#nullable disable
;
#nullable restore
using Microsoft.AspNetCore.Components.Forms
#nullable disable
;
#nullable restore
using Microsoft.AspNetCore.Components.Routing
#nullable disable
;
#nullable restore
using Microsoft.AspNetCore.Components.Web
#nullable disable
;
#nullable restore
using static Microsoft.AspNetCore.Components.Web.RenderMode
#nullable disable
;
#nullable restore
using Microsoft.AspNetCore.Components.Web.Virtualization
#nullable disable
;
#nullable restore
using Microsoft.JSInterop
#nullable disable
;
#nullable restore
using BlazorTest
#nullable disable
;
#nullable restore
using BlazorTest.Components
#line default
#line hidden
#nullable disable
;
[global::BlazorTest.Components.MyOutput.__PrivateComponentRenderModeAttribute]
#nullable restore
public partial class MyOutput : global::Microsoft.AspNetCore.Components.ComponentBase
#nullable disable
{
#pragma warning disable 1998
protected override void BuildRenderTree(global::Microsoft.AspNetCore.Components.Rendering.RenderTreeBuilder __builder)
{
__builder.OpenElement(0, "div");
__builder.OpenElement(1, "p");
__builder.AddContent(2, "Value from InputText: ");
__builder.AddContent(3,
#nullable restore
Value
#line default
#line hidden
#nullable disable
);
__builder.CloseElement();
__builder.AddMarkupContent(4, "\n ");
__builder.OpenElement(5, "p");
__builder.AddContent(6, "Raw value from InputText: ");
__builder.AddContent(7,
#nullable restore
new MarkupString(Value)
#line default
#line hidden
#nullable disable
);
__builder.CloseElement();
__builder.CloseElement();
}
#pragma warning restore 1998
#nullable restore
[Parameter]
public string Value { get; set; } = "";
#line default
#line hidden
#nullable disable
private sealed class __PrivateComponentRenderModeAttribute : global::Microsoft.AspNetCore.Components.RenderModeAttribute
{
private static global::Microsoft.AspNetCore.Components.IComponentRenderMode ModeImpl => InteractiveServer
;
public override global::Microsoft.AspNetCore.Components.IComponentRenderMode Mode => ModeImpl;
}
}
}
#pragma warning restore 1591

567
csharp/ql/test/library-tests/frameworks/microsoft/aspnetcore/blazor/Components_Pages_TestPage_razor.g.cs Normal file
View File

@@ -0,0 +1,567 @@
// <auto-generated/>
#pragma warning disable 1591
namespace BlazorTest.Components.Pages
{
#line default
using global::System;
using global::System.Collections.Generic;
using global::System.Linq;
using global::System.Threading.Tasks;
using global::Microsoft.AspNetCore.Components;
#nullable restore
using System.Net.Http
#nullable disable
;
#nullable restore
using System.Net.Http.Json
#nullable disable
;
#nullable restore
using Microsoft.AspNetCore.Components.Forms
#nullable disable
;
#nullable restore
using Microsoft.AspNetCore.Components.Routing
#nullable disable
;
#nullable restore
using Microsoft.AspNetCore.Components.Web
#nullable disable
;
#nullable restore
using static Microsoft.AspNetCore.Components.Web.RenderMode
#nullable disable
;
#nullable restore
using Microsoft.AspNetCore.Components.Web.Virtualization
#nullable disable
;
#nullable restore
using Microsoft.JSInterop
#nullable disable
;
#nullable restore
using BlazorTest
#nullable disable
;
#nullable restore
using BlazorTest.Components
#line default
#line hidden
#nullable disable
;
[global::Microsoft.AspNetCore.Components.RouteAttribute(
// language=Route,Component
#nullable restore
"/"
#line default
#line hidden
#nullable disable
)]
[global::Microsoft.AspNetCore.Components.RouteAttribute(
// language=Route,Component
#nullable restore
"/test/{urlParam?}"
#line default
#line hidden
#nullable disable
)]
[global::BlazorTest.Components.Pages.TestPage.__PrivateComponentRenderModeAttribute]
#nullable restore
public partial class TestPage : global::Microsoft.AspNetCore.Components.ComponentBase
#nullable disable
{
#pragma warning disable 1998
protected override void BuildRenderTree(global::Microsoft.AspNetCore.Components.Rendering.RenderTreeBuilder __builder)
{
__builder.OpenComponent<global::Microsoft.AspNetCore.Components.Web.PageTitle>(0);
__builder.AddAttribute(1, "ChildContent", (global::Microsoft.AspNetCore.Components.RenderFragment)((__builder2) =>
{
__builder2.AddContent(2, "TestPage");
}
));
__builder.CloseComponent();
__builder.AddMarkupContent(3, "\n\n");
__builder.OpenElement(4, "div");
__builder.AddMarkupContent(5, "<h3>Route parameter</h3>\n ");
__builder.OpenElement(6, "p");
__builder.AddContent(7, "Go to: ");
__builder.OpenElement(8, "a");
__builder.AddAttribute(9, "href", "/test/" + (
#nullable restore
XssUrl
#line default
#line hidden
#nullable disable
));
__builder.AddContent(10, "/test/");
__builder.AddContent(11,
#nullable restore
XssUrl
#line default
#line hidden
#nullable disable
);
__builder.CloseElement();
__builder.CloseElement();
__builder.AddMarkupContent(12, "\n ");
__builder.OpenElement(13, "p");
__builder.AddContent(14, "Parameter from URL: ");
__builder.AddContent(15,
#nullable restore
UrlParam
#line default
#line hidden
#nullable disable
);
__builder.CloseElement();
__builder.AddMarkupContent(16, "\n ");
__builder.OpenElement(17, "p");
__builder.AddContent(18, "Raw parameter from URL: ");
__builder.AddContent(19,
#nullable restore
(MarkupString)UrlParam
#line default
#line hidden
#nullable disable
);
__builder.CloseElement();
__builder.CloseElement();
__builder.AddMarkupContent(20, "\n\n<hr>\n\n");
__builder.OpenElement(21, "div");
__builder.AddMarkupContent(22, "<h3>Query parameter</h3>\n ");
__builder.OpenElement(23, "p");
__builder.AddContent(24, "Go to: ");
__builder.OpenElement(25, "a");
__builder.AddAttribute(26, "href", "/test/?qs=" + (
#nullable restore
XssUrl
#line default
#line hidden
#nullable disable
));
__builder.AddContent(27, "/test/?qs=");
__builder.AddContent(28,
#nullable restore
XssUrl
#line default
#line hidden
#nullable disable
);
__builder.CloseElement();
__builder.CloseElement();
__builder.AddMarkupContent(29, "\n ");
__builder.OpenElement(30, "p");
__builder.AddContent(31, "Parameter from query string: ");
__builder.AddContent(32,
#nullable restore
QueryParam
#line default
#line hidden
#nullable disable
);
__builder.CloseElement();
__builder.AddMarkupContent(33, "\n ");
__builder.OpenElement(34, "p");
__builder.AddContent(35, "Raw parameter from query string: ");
__builder.AddContent(36,
#nullable restore
new MarkupString(QueryParam)
#line default
#line hidden
#nullable disable
);
__builder.CloseElement();
__builder.CloseElement();
__builder.AddMarkupContent(37, "\n\n<hr>\n\n");
__builder.OpenElement(38, "div");
__builder.AddMarkupContent(39, "<h3>Bind InputText component</h3>\n ");
__builder.OpenComponent<global::Microsoft.AspNetCore.Components.Forms.InputText>(40);
__builder.AddComponentParameter(41, nameof(global::Microsoft.AspNetCore.Components.Forms.InputText.
#nullable restore
Value
#line default
#line hidden
#nullable disable
), global::Microsoft.AspNetCore.Components.CompilerServices.RuntimeHelpers.TypeCheck<global::System.String>(
#nullable restore
InputValue1
#line default
#line hidden
#nullable disable
));
__builder.AddComponentParameter(42, nameof(global::Microsoft.AspNetCore.Components.Forms.InputText.ValueChanged), global::Microsoft.AspNetCore.Components.CompilerServices.RuntimeHelpers.TypeCheck<global::Microsoft.AspNetCore.Components.EventCallback<global::System.String>>(global::Microsoft.AspNetCore.Components.EventCallback.Factory.Create<global::System.String>(this, global::Microsoft.AspNetCore.Components.CompilerServices.RuntimeHelpers.CreateInferredEventCallback(this, __value => InputValue1 = __value, InputValue1))));
__builder.AddComponentParameter(43, nameof(global::Microsoft.AspNetCore.Components.Forms.InputText.ValueExpression), global::Microsoft.AspNetCore.Components.CompilerServices.RuntimeHelpers.TypeCheck<global::System.Linq.Expressions.Expression<global::System.Func<global::System.String>>>(() => InputValue1));
__builder.CloseComponent();
__builder.AddMarkupContent(44, "\n ");
__builder.OpenElement(45, "p");
__builder.AddContent(46, "Value from InputText: ");
__builder.AddContent(47,
#nullable restore
InputValue1
#line default
#line hidden
#nullable disable
);
__builder.CloseElement();
__builder.AddMarkupContent(48, "\n ");
__builder.OpenElement(49, "p");
__builder.AddContent(50, "Raw value from InputText: ");
__builder.AddContent(51,
#nullable restore
new MarkupString(InputValue1)
#line default
#line hidden
#nullable disable
);
__builder.CloseElement();
__builder.CloseElement();
__builder.AddMarkupContent(52, "\n\n<hr>\n\n");
__builder.OpenElement(53, "div");
__builder.AddMarkupContent(54, "<h3>Bind input element</h3>\n ");
__builder.OpenElement(55, "input");
__builder.AddAttribute(56, "value", global::Microsoft.AspNetCore.Components.BindConverter.FormatValue(
#nullable restore
InputValue2
#line default
#line hidden
#nullable disable
));
__builder.AddAttribute(57, "onchange", global::Microsoft.AspNetCore.Components.EventCallback.Factory.CreateBinder(this, __value => InputValue2 = __value, InputValue2));
__builder.SetUpdatesAttributeName("value");
__builder.CloseElement();
__builder.AddMarkupContent(58, "\n ");
__builder.OpenElement(59, "p");
__builder.AddContent(60, "Value from InputText: ");
__builder.AddContent(61,
#nullable restore
InputValue2
#line default
#line hidden
#nullable disable
);
__builder.CloseElement();
__builder.AddMarkupContent(62, "\n ");
__builder.OpenElement(63, "p");
__builder.AddContent(64, "Raw value from InputText: ");
__builder.AddContent(65,
#nullable restore
new MarkupString(InputValue2)
#line default
#line hidden
#nullable disable
);
__builder.CloseElement();
__builder.CloseElement();
__builder.AddMarkupContent(66, "\n\n<hr>\n\n");
__builder.OpenElement(67, "div");
__builder.AddMarkupContent(68, "<h3>Bind through object property</h3>\n ");
__builder.OpenElement(69, "input");
__builder.AddAttribute(70, "value", global::Microsoft.AspNetCore.Components.BindConverter.FormatValue(
#nullable restore
Container1.Value
#line default
#line hidden
#nullable disable
));
__builder.AddAttribute(71, "onchange", global::Microsoft.AspNetCore.Components.EventCallback.Factory.CreateBinder(this, __value => Container1.Value = __value, Container1.Value));
__builder.SetUpdatesAttributeName("value");
__builder.CloseElement();
__builder.AddMarkupContent(72, "\n ");
__builder.OpenElement(73, "p");
__builder.AddContent(74, "Value from InputText: ");
__builder.AddContent(75,
#nullable restore
Container1.Value
#line default
#line hidden
#nullable disable
);
__builder.CloseElement();
__builder.AddMarkupContent(76, "\n ");
__builder.OpenElement(77, "p");
__builder.AddContent(78, "Raw value from InputText: ");
__builder.AddContent(79,
#nullable restore
new MarkupString(Container1.Value)
#line default
#line hidden
#nullable disable
);
__builder.CloseElement();
__builder.CloseElement();
__builder.AddMarkupContent(80, "\n\n<hr>\n\n");
__builder.OpenElement(81, "div");
__builder.AddMarkupContent(82, "<h3>Input component with custom event</h3>\n ");
__builder.OpenComponent<global::BlazorTest.Components.MyInput>(83);
__builder.AddComponentParameter(84, nameof(global::BlazorTest.Components.MyInput.
#nullable restore
Param1
#line default
#line hidden
#nullable disable
), global::Microsoft.AspNetCore.Components.CompilerServices.RuntimeHelpers.TypeCheck<global::System.String>(
#nullable restore
InputValue3
#line default
#line hidden
#nullable disable
));
__builder.AddComponentParameter(85, nameof(global::BlazorTest.Components.MyInput.
#nullable restore
ValueChanged
#line default
#line hidden
#nullable disable
), global::Microsoft.AspNetCore.Components.CompilerServices.RuntimeHelpers.TypeCheck<global::Microsoft.AspNetCore.Components.EventCallback<global::System.String>>(global::Microsoft.AspNetCore.Components.EventCallback.Factory.Create<global::System.String>(this,
#nullable restore
MyInputChanged
#line default
#line hidden
#nullable disable
)));
__builder.CloseComponent();
__builder.AddMarkupContent(86, "\n ");
__builder.OpenElement(87, "p");
__builder.AddContent(88, "Value from InputText: ");
__builder.AddContent(89,
#nullable restore
InputValue3
#line default
#line hidden
#nullable disable
);
__builder.CloseElement();
__builder.AddMarkupContent(90, "\n ");
__builder.OpenElement(91, "p");
__builder.AddContent(92, "Raw value from InputText: ");
__builder.AddContent(93,
#nullable restore
new MarkupString(InputValue3)
#line default
#line hidden
#nullable disable
);
__builder.CloseElement();
__builder.CloseElement();
__builder.AddMarkupContent(94, "\n\n<hr>\n\n");
__builder.OpenElement(95, "div");
__builder.AddMarkupContent(96, "<h3>Input component with binding</h3>\n ");
__builder.OpenComponent<global::BlazorTest.Components.MyInput>(97);
__builder.AddComponentParameter(98, nameof(global::BlazorTest.Components.MyInput.
#nullable restore
Param1
#line default
#line hidden
#nullable disable
), global::Microsoft.AspNetCore.Components.CompilerServices.RuntimeHelpers.TypeCheck<global::System.String>(
#nullable restore
InputValue4
#line default
#line hidden
#nullable disable
));
__builder.AddComponentParameter(99, nameof(global::BlazorTest.Components.MyInput.Param1Changed), global::Microsoft.AspNetCore.Components.CompilerServices.RuntimeHelpers.TypeCheck<global::Microsoft.AspNetCore.Components.EventCallback<global::System.String>>(global::Microsoft.AspNetCore.Components.EventCallback.Factory.Create<global::System.String>(this, global::Microsoft.AspNetCore.Components.CompilerServices.RuntimeHelpers.CreateInferredEventCallback(this, __value => InputValue4 = __value, InputValue4))));
__builder.CloseComponent();
__builder.AddMarkupContent(100, "\n ");
__builder.OpenElement(101, "p");
__builder.AddContent(102, "Value from InputText: ");
__builder.AddContent(103,
#nullable restore
InputValue4
#line default
#line hidden
#nullable disable
);
__builder.CloseElement();
__builder.AddMarkupContent(104, "\n ");
__builder.OpenElement(105, "p");
__builder.AddContent(106, "Raw value from InputText: ");
__builder.AddContent(107,
#nullable restore
new MarkupString(InputValue4)
#line default
#line hidden
#nullable disable
);
__builder.CloseElement();
__builder.CloseElement();
__builder.AddMarkupContent(108, "\n\n<hr>\n\n");
__builder.OpenElement(109, "div");
__builder.AddMarkupContent(110, "<h3>Input, Output components</h3>\n ");
__builder.OpenComponent<global::BlazorTest.Components.MyInput>(111);
__builder.AddComponentParameter(112, nameof(global::BlazorTest.Components.MyInput.
#nullable restore
Param1
#line default
#line hidden
#nullable disable
), global::Microsoft.AspNetCore.Components.CompilerServices.RuntimeHelpers.TypeCheck<global::System.String>(
#nullable restore
InputValue5
#line default
#line hidden
#nullable disable
));
__builder.AddComponentParameter(113, nameof(global::BlazorTest.Components.MyInput.Param1Changed), global::Microsoft.AspNetCore.Components.CompilerServices.RuntimeHelpers.TypeCheck<global::Microsoft.AspNetCore.Components.EventCallback<global::System.String>>(global::Microsoft.AspNetCore.Components.EventCallback.Factory.Create<global::System.String>(this, global::Microsoft.AspNetCore.Components.CompilerServices.RuntimeHelpers.CreateInferredEventCallback(this, __value => InputValue5 = __value, InputValue5))));
__builder.CloseComponent();
__builder.AddMarkupContent(114, "\n ");
__builder.OpenComponent<global::BlazorTest.Components.MyOutput>(115);
__builder.AddComponentParameter(116, nameof(global::BlazorTest.Components.MyOutput.
#nullable restore
Value
#line default
#line hidden
#nullable disable
), global::Microsoft.AspNetCore.Components.CompilerServices.RuntimeHelpers.TypeCheck<global::System.String>(
#nullable restore
InputValue5
#line default
#line hidden
#nullable disable
));
__builder.CloseComponent();
__builder.CloseElement();
__builder.AddMarkupContent(117, "\n\n<hr>\n\n");
__builder.OpenElement(118, "div");
__builder.AddMarkupContent(119, "<h3>Bind InputText, Output component</h3>\n ");
__builder.OpenComponent<global::Microsoft.AspNetCore.Components.Forms.InputText>(120);
__builder.AddComponentParameter(121, nameof(global::Microsoft.AspNetCore.Components.Forms.InputText.
#nullable restore
Value
#line default
#line hidden
#nullable disable
), global::Microsoft.AspNetCore.Components.CompilerServices.RuntimeHelpers.TypeCheck<global::System.String>(
#nullable restore
InputValue6
#line default
#line hidden
#nullable disable
));
__builder.AddComponentParameter(122, nameof(global::Microsoft.AspNetCore.Components.Forms.InputText.ValueChanged), global::Microsoft.AspNetCore.Components.CompilerServices.RuntimeHelpers.TypeCheck<global::Microsoft.AspNetCore.Components.EventCallback<global::System.String>>(global::Microsoft.AspNetCore.Components.EventCallback.Factory.Create<global::System.String>(this, global::Microsoft.AspNetCore.Components.CompilerServices.RuntimeHelpers.CreateInferredEventCallback(this, __value => InputValue6 = __value, InputValue6))));
__builder.AddComponentParameter(123, nameof(global::Microsoft.AspNetCore.Components.Forms.InputText.ValueExpression), global::Microsoft.AspNetCore.Components.CompilerServices.RuntimeHelpers.TypeCheck<global::System.Linq.Expressions.Expression<global::System.Func<global::System.String>>>(() => InputValue6));
__builder.CloseComponent();
__builder.AddMarkupContent(124, "\n ");
__builder.OpenComponent<global::BlazorTest.Components.MyOutput>(125);
__builder.AddComponentParameter(126, nameof(global::BlazorTest.Components.MyOutput.
#nullable restore
Value
#line default
#line hidden
#nullable disable
), global::Microsoft.AspNetCore.Components.CompilerServices.RuntimeHelpers.TypeCheck<global::System.String>(
#nullable restore
InputValue6
#line default
#line hidden
#nullable disable
));
__builder.CloseComponent();
__builder.CloseElement();
}
#pragma warning restore 1998
#nullable restore
public class Container
{
public string? Value { get; set; } = "";
}
private const string XssUrl = "<b>aaaa<%2Fb>";
private const string XssUrl2 = "<b>aaaa</b>";
[Parameter]
public string UrlParam { get; set; } = "";
[SupplyParameterFromQuery(Name = "qs")]
public string QueryParam { get; set; } = "";
public string InputValue1 { get; set; } = "";
public string InputValue2 { get; set; } = "";
public string InputValue3 { get; set; } = "";
public string InputValue4 { get; set; } = "";
public string InputValue5 { get; set; } = "";
public string InputValue6 { get; set; } = "";
public Container Container1 { get; set; } = new Container();
protected override void OnInitialized()
{
InputValue1 = XssUrl2;
InputValue2 = XssUrl2;
Container1.Value = XssUrl2;
InputValue3 = XssUrl2;
InputValue4 = XssUrl2;
InputValue5 = XssUrl2;
InputValue6 = XssUrl2;
}
private void MyInputChanged(string value)
{
InputValue3 = value;
}
#line default
#line hidden
#nullable disable
private sealed class __PrivateComponentRenderModeAttribute : global::Microsoft.AspNetCore.Components.RenderModeAttribute
{
private static global::Microsoft.AspNetCore.Components.IComponentRenderMode ModeImpl => InteractiveServer
;
public override global::Microsoft.AspNetCore.Components.IComponentRenderMode Mode => ModeImpl;
}
}
}
#pragma warning restore 1591

2
csharp/ql/test/library-tests/frameworks/microsoft/aspnetcore/blazor/options Normal file
View File

@@ -0,0 +1,2 @@
semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../../resources/stubs/_frameworks/Microsoft.AspNetCore.App/Microsoft.AspNetCore.App.csproj
semmle-extractor-options: /nostdlib /noconfig

4
csharp/ql/test/library-tests/frameworks/microsoft/aspnetcore/blazor/remoteFlowSource.expected Normal file
View File

@@ -0,0 +1,4 @@
| Components_Pages_TestPage_razor.g.cs:126:1:126:8 | access to property UrlParam | ASP.NET Core component route parameter |
| Components_Pages_TestPage_razor.g.cs:138:15:138:22 | access to property UrlParam | ASP.NET Core component route parameter |
| Components_Pages_TestPage_razor.g.cs:176:1:176:10 | access to property QueryParam | external |
| Components_Pages_TestPage_razor.g.cs:188:18:188:27 | access to property QueryParam | external |

7
csharp/ql/test/library-tests/frameworks/microsoft/aspnetcore/blazor/remoteFlowSource.ql Normal file
View File

@@ -0,0 +1,7 @@
import semmle.code.csharp.security.dataflow.flowsources.Remote
from RemoteFlowSource source, File f
where
source.getLocation().getFile() = f and
f.fromSource()
select source, source.getSourceType()

1
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.19.2.rst
View File

@@ -74,6 +74,7 @@ Golang
* Added member predicates :code:`StructTag.hasOwnFieldWithTag` and :code:`Field.getTag`, which enable CodeQL queries to examine struct field tags.
* Added member predicate :code:`InterfaceType.hasPrivateMethodWithQualifiedName`, which enables CodeQL queries to distinguish interfaces with matching non-exported method names that are declared in different packages, and are therefore incompatible.
* Local source models with the :code:`stdin` source kind have been added for the variable :code:`os.Stdin` and the functions :code:`fmt.Scan`, :code:`fmt.Scanf` and :code:`fmt.Scanln`. You can optionally include threat models as appropriate when using the CodeQL CLI and in GitHub code scanning. For more information, see `Analyzing your code with CodeQL queries <https://docs.github.com/code-security/codeql-cli/getting-started-with-the-codeql-cli/analyzing-your-code-with-codeql-queries#including-model-packs-to-add-potential-sources-of-tainted-data%3E>`__ and `Customizing your advanced setup for code scanning <https://docs.github.com/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#extending-codeql-coverage-with-threat-models>`__.
Python
""""""

8
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.1.rst
View File

@@ -56,8 +56,8 @@ Python
* The Server Side Template Injection query (:code:`py/template-injection`), originally contributed to the experimental query pack by @porcupineyhairs, has been promoted to the main query suite. This query finds instances of templates for a template engine such as Jinja being constructed with user input.
Actions
"""""""
GitHub Actions
""""""""""""""
* Initial public preview release
@@ -149,8 +149,8 @@ Python
* Added support for parameter annotations in API graphs. This means that in a function definition such as :code:`def foo(x: Bar): ...`, you can now use the :code:`getInstanceFromAnnotation()` method to step from :code:`Bar` to :code:`x`. In addition to this, the :code:`getAnInstance` method now also includes instances arising from parameter annotations.
Actions
"""""""
GitHub Actions
""""""""""""""
* Initial public preview release

223
docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.4.rst Normal file
View File

@@ -0,0 +1,223 @@
.. _codeql-cli-2.20.4:
==========================
CodeQL 2.20.4 (2025-02-06)
==========================
.. contents:: Contents
:depth: 2
:local:
:backlinks: none
This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
Security Coverage
-----------------
CodeQL 2.20.4 runs a total of 454 security queries when configured with the Default suite (covering 168 CWE). The Extended suite enables an additional 128 queries (covering 34 more CWE).
CodeQL CLI
----------
Bug Fixes
~~~~~~~~~
* Fixed a bug where CodeQL for Java would fail with an SSL exception while trying to download :code:`maven`.
New Features
~~~~~~~~~~~~
* Using the :code:`actions` language (for analysis of GitHub Actions workflows) no longer requires the :code:`CODEQL_ENABLE_EXPERIMENTAL_FEATURES` environment variable to be set. Support for analysis of GitHub Actions workflows remains in public preview.
Miscellaneous
~~~~~~~~~~~~~
* The build of the `logback-core <https://logback.qos.ch/>`__ library that is used for logging in the CodeQL CLI has been updated to version 1.3.15.
Query Packs
-----------
Bug Fixes
~~~~~~~~~
JavaScript/TypeScript
"""""""""""""""""""""
* Fixed a bug that would occur when TypeScript code was found in an HTML-like file, such as a :code:`.vue` file,
but where it could not be associated with any :code:`tsconfig.json` file. Previously the embedded code was not extracted in this case, but should now be extracted properly.
Major Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
JavaScript/TypeScript
"""""""""""""""""""""
* Improved support for NestJS applications that make use of dependency injection with custom providers.
Calls to methods on an injected service should now be resolved properly.
* TypeScript extraction is now better at analyzing projects where the main :code:`tsconfig.json` file does not include any source files, but references other :code:`tsconfig.json`\ -like files that do include source files.
* The :code:`js/incorrect-suffix-check` query now recognises some good patterns of the form :code:`origin.indexOf("." + allowedOrigin)` that were previously falsely flagged.
* Added a new threat model kind called :code:`view-component-input`, which can enabled with `advanced setup <https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#extending-codeql-coverage-with-threat-models>`__.
When enabled, all React props, Vue props, and input fields in an Angular component are seen as taint sources, even if none of the corresponding instantiation sites appear to pass in a tainted value.
Some users may prefer this as a "defense in depth" option but note that it may result in false positives.
Regardless of whether the threat model is enabled, CodeQL will propagate taint from the instantiation sites of such components into the components themselves.
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C/C++
"""""
* The "Wrong type of arguments to formatting function" query (:code:`cpp/wrong-type-format-argument`) now produces fewer FPs if the formatting function has multiple definitions.
* The "Call to memory access function may overflow buffer" query (:code:`cpp/overflow-buffer`) now produces fewer FPs involving non-static member variables.
C#
""
* All *experimental* queries have been deprecated. The queries are instead available as part of the *default* query suite in `CodeQL-Community-Packs <https://github.com/GitHubSecurityLab/CodeQL-Community-Packs>`__.
Java/Kotlin
"""""""""""
* All *experimental* queries have been deprecated. The queries are instead available as part of the *default* query suite in `CodeQL-Community-Packs <https://github.com/GitHubSecurityLab/CodeQL-Community-Packs>`__.
Language Libraries
------------------
Bug Fixes
~~~~~~~~~
GitHub Actions
""""""""""""""
* Fixed data for vulnerable versions of :code:`actions/download-artifact` and :code:`rlespinasse/github-slug-action` (following GHSA-cxww-7g56-2vh6 and GHSA-6q4m-7476-932w).
* Improved :code:`untrustedGhCommandDataModel` regex for :code:`gh pr view` and Bash taint analysis in GitHub Actions.
Breaking Changes
~~~~~~~~~~~~~~~~
C/C++
"""""
* Deleted the deprecated :code:`getAllocatorCall` predicate from :code:`DeleteOrDeleteArrayExpr`, use :code:`getDeallocatorCall` instead.
C#
""
* Deleted the deprecated :code:`getInstanceType` predicate from the :code:`UnboundGenericType` class.
* Deleted the deprecated :code:`getElement` predicate from the :code:`Node` class in :code:`ControlFlowGraph.qll`, use :code:`getAstNode` instead.
Golang
""""""
* Deleted the deprecated :code:`describeBitSize` predicate from :code:`IncorrectIntegerConversionLib.qll`
Java/Kotlin
"""""""""""
* Deleted the deprecated :code:`isLValue` and :code:`isRValue` predicates from the :code:`VarAccess` class, use :code:`isVarWrite` and :code:`isVarRead` respectively instead.
* Deleted the deprecated :code:`getRhs` predicate from the :code:`VarWrite` class, use :code:`getASource` instead.
* Deleted the deprecated :code:`LValue` and :code:`RValue` classes, use :code:`VarWrite` and :code:`VarRead` respectively instead.
* Deleted a lot of deprecated classes ending in ``*Access``, use the corresponding ``*Call`` classes instead.
* Deleted a lot of deprecated predicates ending in ``*Access``, use the corresponding ``*Call`` predicates instead.
* Deleted the deprecated :code:`EnvInput` and :code:`DatabaseInput` classes from :code:`FlowSources.qll`, use the threat models feature instead.
* Deleted some deprecated API predicates from :code:`SensitiveApi.qll`, use the Sink classes from that file instead.
Python
""""""
* Deleted the old deprecated TypeTracking library.
* Deleted the deprecated :code:`classRef` predicate from the :code:`FieldStorage` module, use :code:`subclassRef` instead.
* Deleted a lot of deprecated modules and predicates from :code:`Stdlib.qll`, use API-graphs directly instead.
Ruby
""""
* Deleted the deprecated :code:`getCallNode` predicate from :code:`API::Node`, use :code:`asCall()` instead.
* Deleted the deprecated :code:`getASubclass`, :code:`getAnImmediateSubclass`, :code:`getASuccessor`, :code:`getAPredecessor`, :code:`getASuccessor`, :code:`getDepth`, and :code:`getPath` predicates from :code:`API::Node`.
* Deleted the deprecated :code:`Root`, :code:`Use`, and :code:`Def` classes from :code:`ApiGraphs.qll`.
* Deleted the deprecated :code:`Label` module from :code:`ApiGraphs.qll`.
* Deleted the deprecated :code:`getAUse`, :code:`getAnImmediateUse`, :code:`getARhs`, and :code:`getAValueReachingRhs` predicates from :code:`API::Node`, use :code:`getAValueReachableFromSource`, :code:`asSource`, :code:`asSink`, and :code:`getAValueReachingSink` instead.
* Deleted the deprecated :code:`getAVariable` predicate from the :code:`ExprNode` class, use :code:`getVariable` instead.
* Deleted the deprecated :code:`getAPotentialFieldAccessMethod` predicate from the :code:`ActiveRecordModelClass` class.
* Deleted the deprecated :code:`ActiveRecordModelClassMethodCall` class from :code:`ActiveRecord.qll`, use :code:`ActiveRecordModelClass.getClassNode().trackModule().getMethod()` instead.
* Deleted the deprecated :code:`PotentiallyUnsafeSqlExecutingMethodCall` class from :code:`ActiveRecord.qll`, use the :code:`SqlExecution` concept instead.
* Deleted the deprecated :code:`ModelClass` and :code:`ModelInstance` classes from :code:`ActiveResource.qll`, use :code:`ModelClassNode` and :code:`ModelClassNode.getAnInstanceReference()` instead.
* Deleted the deprecated :code:`Collection` class from :code:`ActiveResource.qll`, use :code:`CollectionSource` instead.
* Deleted the deprecated :code:`ServiceInstantiation` and :code:`ClientInstantiation` classes from :code:`Twirp.qll`.
* Deleted a lot of deprecated dataflow modules from ``*Query.qll`` files.
* Deleted the old deprecated TypeTracking library.
Swift
"""""
* Deleted the deprecated :code:`ArrayContent` class from the dataflow library, use :code:`CollectionContent` instead.
* Deleted the deprecated :code:`getOptionsInput`, :code:`getRegexInput`, and :code:`getStringInput` predicates from the regexp library, use :code:`getAnOptionsInput`, :code:`getRegexInputNode`, and :code:`getStringInputNode` instead.
Major Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
JavaScript/TypeScript
"""""""""""""""""""""
* Added new XSS sink where :code:`innerHTML` or :code:`outerHTML` is assigned to with the Angular Renderer2 API, plus modeled this API as a general attribute setter
Minor Analysis Improvements
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C#
""
* C# 13: Added MaD models for some overload implementations using :code:`ReadOnlySpan` parameters (like :code:`String.Format(System.String, System.ReadOnlySpan<System.Object>))`).
* C# 13: Added support for the overload resolution priority attribute (:code:`OverloadResolutionPriority`). Usages of the attribute and the corresponding priority can be found using the QL class :code:`SystemRuntimeCompilerServicesOverloadResolutionPriorityAttribute`.
* C# 13: Added support for partial properties and indexers.
Golang
""""""
* Models-as-data models using "Parameter", "Parameter[n]" or "Parameter[n1..n2]" as the output now work correctly.
* By implementing :code:`ImplicitFieldReadNode` it is now possible to declare a dataflow node that reads any content (fields, array members, map keys and values). For example, this is appropriate for modelling a serialization method that flattens a potentially deep data structure into a string or byte array.
* The :code:`Template.Execute[Template]` methods of the :code:`text/template` package now correctly convey taint from any nested fields to their result. This may produce more results from any taint-tracking query when the :code:`text/template` package is in use.
* Added the `rs cors <https://github.com/rs/cors>`__ library to the CorsMisconfiguration.ql query
Java/Kotlin
"""""""""""
* We now allow classes which don't have any JAX-RS annotations to inherit JAX-RS annotations from superclasses or interfaces. This is not allowed in the JAX-RS specification, but some implementations, like Apache CXF, allow it. This may lead to more alerts being found.
Python
""""""
* Additional data flow models for the builtin functions :code:`map`, :code:`filter`, :code:`zip`, and :code:`enumerate` have been added.
New Features
~~~~~~~~~~~~
C/C++
"""""
* A new predicate :code:`getOffsetInClass` was added to the :code:`Field` class, which computes the byte offset of a field relative to a given :code:`Class`.
* New classes :code:`PreprocessorElifdef` and :code:`PreprocessorElifndef` were introduced, which represents the C23/C++23 :code:`#elifdef` and :code:`#elifndef` preprocessor directives.
* A new class :code:`TypeLibraryImport` was introduced, which represents the :code:`#import` preprocessor directive as used by the Microsoft Visual C++ for importing type libraries.
Shared Libraries
----------------
Breaking Changes
~~~~~~~~~~~~~~~~
Dataflow Analysis
"""""""""""""""""
* Deleted the deprecated :code:`Make` and :code:`MakeWithState` modules, use :code:`Global` and :code:`GlobalWithState` instead.
* Deleted the deprecated :code:`hasFlow`, :code:`hasFlowPath`, :code:`hasFlowTo`, and :code:`hasFlowToExpr` predicates, use :code:`flow`, :code:`flowPath`, :code:`flowTo`, and :code:`flowToExpr` respectively instead.
Control Flow Analysis
"""""""""""""""""""""
* Added a basic block construction as part of the library. This is currently considered an internal unstable API. The input signature to the control flow graph now requires two additional predicates: :code:`idOfAstNode` and
:code:`idOfCfgScope`.
Type Trackers
"""""""""""""
* Deleted the deprecated :code:`ConsistencyChecks` module.

1
docs/codeql/codeql-overview/codeql-changelog/index.rst
View File

@@ -11,6 +11,7 @@ A list of queries for each suite and language `is available here <https://docs.g
.. toctree::
:maxdepth: 1
codeql-cli-2.20.4
codeql-cli-2.20.3
codeql-cli-2.20.2
codeql-cli-2.20.1

28
java/ql/integration-tests/java/buildless-maven-existing-settings-xml/maven-fetches.expected
View File

@@ -11,23 +11,23 @@ Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferst
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/jackson-bom/2.14.1/jackson-bom-2.14.1.pom
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/jackson-parent/2.14/jackson-parent-2.14.pom
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/oss-parent/48/oss-parent-48.pom
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/github/ferstl/depgraph-maven-plugin/4.0.3/depgraph-maven-plugin-4.0.3.jar
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/github/ferstl/depgraph-maven-plugin/4.0.3/depgraph-maven-plugin-4.0.3.pom
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/github/ferstl/depgraph-maven-plugin/4.0.3-CodeQL/depgraph-maven-plugin-4.0.3-CodeQL.jar
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/github/ferstl/depgraph-maven-plugin/4.0.3-CodeQL/depgraph-maven-plugin-4.0.3-CodeQL.pom
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/code/findbugs/jsr305/3.0.2/jsr305-3.0.2.jar
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/code/findbugs/jsr305/3.0.2/jsr305-3.0.2.pom
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/errorprone/error_prone_annotations/2.11.0/error_prone_annotations-2.11.0.jar
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/errorprone/error_prone_annotations/2.11.0/error_prone_annotations-2.11.0.pom
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/errorprone/error_prone_parent/2.11.0/error_prone_parent-2.11.0.pom
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/guava/failureaccess/1.0.1/failureaccess-1.0.1.jar
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/guava/failureaccess/1.0.1/failureaccess-1.0.1.pom
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/errorprone/error_prone_annotations/2.36.0/error_prone_annotations-2.36.0.jar
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/errorprone/error_prone_annotations/2.36.0/error_prone_annotations-2.36.0.pom
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/errorprone/error_prone_parent/2.36.0/error_prone_parent-2.36.0.pom
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/guava/failureaccess/1.0.2/failureaccess-1.0.2.jar
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/guava/failureaccess/1.0.2/failureaccess-1.0.2.pom
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/guava/guava-parent/26.0-android/guava-parent-26.0-android.pom
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/guava/guava-parent/31.1-jre/guava-parent-31.1-jre.pom
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/guava/guava/31.1-jre/guava-31.1-jre.jar
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/guava/guava/31.1-jre/guava-31.1-jre.pom
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/guava/guava-parent/33.4.0-jre/guava-parent-33.4.0-jre.pom
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/guava/guava/33.4.0-jre/guava-33.4.0-jre.jar
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/guava/guava/33.4.0-jre/guava-33.4.0-jre.pom
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/guava/listenablefuture/9999.0-empty-to-avoid-conflict-with-guava/listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/guava/listenablefuture/9999.0-empty-to-avoid-conflict-with-guava/listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.pom
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/j2objc/j2objc-annotations/1.3/j2objc-annotations-1.3.jar
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/j2objc/j2objc-annotations/1.3/j2objc-annotations-1.3.pom
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/j2objc/j2objc-annotations/3.0.0/j2objc-annotations-3.0.0.jar
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/j2objc/j2objc-annotations/3.0.0/j2objc-annotations-3.0.0.pom
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/javax/annotation/javax.annotation-api/1.2/javax.annotation-api-1.2.jar
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/javax/annotation/javax.annotation-api/1.2/javax.annotation-api-1.2.pom
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/net/java/jvnet-parent/3/jvnet-parent-3.pom
@@ -49,8 +49,8 @@ Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferst
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/apache/maven/shared/maven-common-artifact-filters/3.3.2/maven-common-artifact-filters-3.3.2.jar
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/apache/maven/shared/maven-common-artifact-filters/3.3.2/maven-common-artifact-filters-3.3.2.pom
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/apache/maven/shared/maven-shared-components/37/maven-shared-components-37.pom
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/checkerframework/checker-qual/3.12.0/checker-qual-3.12.0.jar
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/checkerframework/checker-qual/3.12.0/checker-qual-3.12.0.pom
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/checkerframework/checker-qual/3.43.0/checker-qual-3.43.0.jar
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/checkerframework/checker-qual/3.43.0/checker-qual-3.43.0.pom
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/codehaus/plexus/plexus-classworlds/2.5.2/plexus-classworlds-2.5.2.pom
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/codehaus/plexus/plexus-classworlds/2.6.0/plexus-classworlds-2.6.0.jar
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/codehaus/plexus/plexus-classworlds/2.6.0/plexus-classworlds-2.6.0.pom

2
java/ql/integration-tests/java/buildless-maven-timeout/diagnostics.expected
View File

@@ -83,7 +83,7 @@
}
}
{
"markdownMessage": "Running the Maven plugin `com.github.ferstl:depgraph-maven-plugin:4.0.3:graph` failed. This means precise dependency information will be unavailable, and so dependencies will be guessed based on Java package names. Consider investigating why this plugin fails to run.",
"markdownMessage": "Running the Maven plugin `com.github.ferstl:depgraph-maven-plugin:4.0.3-CodeQL:graph` failed. This means precise dependency information will be unavailable, and so dependencies will be guessed based on Java package names. Consider investigating why this plugin fails to run.",
"severity": "note",
"source": {
"extractorName": "java",

2
java/ql/integration-tests/java/buildless-maven-tolerate-unavailable-dependency/diagnostics.expected
View File

@@ -97,7 +97,7 @@
}
}
{
"markdownMessage": "Running the Maven plugin `com.github.ferstl:depgraph-maven-plugin:4.0.3:graph` yielded an artifact transfer exception. This means some dependency information will be unavailable, and so some dependencies will be guessed based on Java package names. Consider investigating why this plugin encountered errors retrieving dependencies.",
"markdownMessage": "Running the Maven plugin `com.github.ferstl:depgraph-maven-plugin:4.0.3-CodeQL:graph` yielded an artifact transfer exception. This means some dependency information will be unavailable, and so some dependencies will be guessed based on Java package names. Consider investigating why this plugin encountered errors retrieving dependencies.",
"severity": "note",
"source": {
"extractorName": "java",

28
java/ql/integration-tests/java/buildless-maven/maven-fetches.expected
View File

@@ -11,23 +11,23 @@ Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferst
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/jackson-bom/2.14.1/jackson-bom-2.14.1.pom
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/jackson-parent/2.14/jackson-parent-2.14.pom
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/oss-parent/48/oss-parent-48.pom
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/github/ferstl/depgraph-maven-plugin/4.0.3/depgraph-maven-plugin-4.0.3.jar
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/github/ferstl/depgraph-maven-plugin/4.0.3/depgraph-maven-plugin-4.0.3.pom
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/github/ferstl/depgraph-maven-plugin/4.0.3-CodeQL/depgraph-maven-plugin-4.0.3-CodeQL.jar
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/github/ferstl/depgraph-maven-plugin/4.0.3-CodeQL/depgraph-maven-plugin-4.0.3-CodeQL.pom
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/code/findbugs/jsr305/3.0.2/jsr305-3.0.2.jar
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/code/findbugs/jsr305/3.0.2/jsr305-3.0.2.pom
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/errorprone/error_prone_annotations/2.11.0/error_prone_annotations-2.11.0.jar
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/errorprone/error_prone_annotations/2.11.0/error_prone_annotations-2.11.0.pom
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/errorprone/error_prone_parent/2.11.0/error_prone_parent-2.11.0.pom
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/guava/failureaccess/1.0.1/failureaccess-1.0.1.jar
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/guava/failureaccess/1.0.1/failureaccess-1.0.1.pom
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/errorprone/error_prone_annotations/2.36.0/error_prone_annotations-2.36.0.jar
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/errorprone/error_prone_annotations/2.36.0/error_prone_annotations-2.36.0.pom
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/errorprone/error_prone_parent/2.36.0/error_prone_parent-2.36.0.pom
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/guava/failureaccess/1.0.2/failureaccess-1.0.2.jar
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/guava/failureaccess/1.0.2/failureaccess-1.0.2.pom
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/guava/guava-parent/26.0-android/guava-parent-26.0-android.pom
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/guava/guava-parent/31.1-jre/guava-parent-31.1-jre.pom
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/guava/guava/31.1-jre/guava-31.1-jre.jar
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/guava/guava/31.1-jre/guava-31.1-jre.pom
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/guava/guava-parent/33.4.0-jre/guava-parent-33.4.0-jre.pom
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/guava/guava/33.4.0-jre/guava-33.4.0-jre.jar
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/guava/guava/33.4.0-jre/guava-33.4.0-jre.pom
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/guava/listenablefuture/9999.0-empty-to-avoid-conflict-with-guava/listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/guava/listenablefuture/9999.0-empty-to-avoid-conflict-with-guava/listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.pom
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/j2objc/j2objc-annotations/1.3/j2objc-annotations-1.3.jar
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/j2objc/j2objc-annotations/1.3/j2objc-annotations-1.3.pom
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/j2objc/j2objc-annotations/3.0.0/j2objc-annotations-3.0.0.jar
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/j2objc/j2objc-annotations/3.0.0/j2objc-annotations-3.0.0.pom
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/javax/annotation/javax.annotation-api/1.2/javax.annotation-api-1.2.jar
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/javax/annotation/javax.annotation-api/1.2/javax.annotation-api-1.2.pom
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/net/java/jvnet-parent/3/jvnet-parent-3.pom
@@ -49,8 +49,8 @@ Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferst
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/apache/maven/shared/maven-common-artifact-filters/3.3.2/maven-common-artifact-filters-3.3.2.jar
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/apache/maven/shared/maven-common-artifact-filters/3.3.2/maven-common-artifact-filters-3.3.2.pom
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/apache/maven/shared/maven-shared-components/37/maven-shared-components-37.pom
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/checkerframework/checker-qual/3.12.0/checker-qual-3.12.0.jar
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/checkerframework/checker-qual/3.12.0/checker-qual-3.12.0.pom
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/checkerframework/checker-qual/3.43.0/checker-qual-3.43.0.jar
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/checkerframework/checker-qual/3.43.0/checker-qual-3.43.0.pom
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/codehaus/plexus/plexus-classworlds/2.5.2/plexus-classworlds-2.5.2.pom
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/codehaus/plexus/plexus-classworlds/2.6.0/plexus-classworlds-2.6.0.jar
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/codehaus/plexus/plexus-classworlds/2.6.0/plexus-classworlds-2.6.0.pom

28
java/ql/src/Telemetry/DatabaseQuality.qll
View File

@@ -4,33 +4,7 @@
*/
import java
signature module StatsSig {
int getNumberOfOk();
int getNumberOfNotOk();
string getOkText();
string getNotOkText();
}
module ReportStats<StatsSig Stats> {
predicate numberOfOk(string key, int value) {
value = Stats::getNumberOfOk() and
key = "Number of " + Stats::getOkText()
}
predicate numberOfNotOk(string key, int value) {
value = Stats::getNumberOfNotOk() and
key = "Number of " + Stats::getNotOkText()
}
predicate percentageOfOk(string key, float value) {
value = Stats::getNumberOfOk() * 100.0 / (Stats::getNumberOfOk() + Stats::getNumberOfNotOk()) and
key = "Percentage of " + Stats::getOkText()
}
}
import codeql.util.ReportStats
module CallTargetStats implements StatsSig {
int getNumberOfOk() { result = count(Call c | exists(c.getCallee())) }

2
rust/ql/integration-tests/hello-project/summary.expected
View File

@@ -14,7 +14,7 @@
| Macro calls - resolved | 2 |
| Macro calls - total | 2 |
| Macro calls - unresolved | 0 |
| Taint edges - number of edges | 3 |
| Taint edges - number of edges | 4 |
| Taint reach - nodes tainted | 0 |
| Taint reach - per million nodes | 0 |
| Taint sinks - cryptographic operations | 0 |

2
rust/ql/integration-tests/hello-workspace/summary.cargo.expected
View File

@@ -14,7 +14,7 @@
| Macro calls - resolved | 2 |
| Macro calls - total | 2 |
| Macro calls - unresolved | 0 |
| Taint edges - number of edges | 3 |
| Taint edges - number of edges | 4 |
| Taint reach - nodes tainted | 0 |
| Taint reach - per million nodes | 0 |
| Taint sinks - cryptographic operations | 0 |

2
rust/ql/integration-tests/hello-workspace/summary.rust-project.expected
View File

@@ -14,7 +14,7 @@
| Macro calls - resolved | 2 |
| Macro calls - total | 2 |
| Macro calls - unresolved | 0 |
| Taint edges - number of edges | 3 |
| Taint edges - number of edges | 4 |
| Taint reach - nodes tainted | 0 |
| Taint reach - per million nodes | 0 |
| Taint sinks - cryptographic operations | 0 |

26
rust/ql/lib/codeql/rust/Concepts.qll
View File

@@ -100,6 +100,32 @@ class ModeledEnvironmentSource extends EnvironmentSource::Range {
ModeledEnvironmentSource() { sourceNode(this, "environment-source") }
}
/**
* A data flow source corresponding to the program's database reads.
*/
final class DatabaseSource = DatabaseSource::Range;
/**
* Provides a class for modeling new sources for the program's database reads.
*/
module DatabaseSource {
/**
* A data flow source corresponding to the program's database reads.
*/
abstract class Range extends ThreatModelSource::Range {
override string getThreatModel() { result = "database" }
override string getSourceType() { result = "DatabaseSource" }
}
}
/**
* An externally modeled source for data from the program's database.
*/
class ModeledDatabaseSource extends DatabaseSource::Range {
ModeledDatabaseSource() { sourceNode(this, "database") }
}
/**
* A data flow source for remote (network) data.
*/

8
rust/ql/lib/codeql/rust/frameworks/stdlib/env.model.yml
View File

@@ -3,12 +3,12 @@ extensions:
pack: codeql/rust-all
extensible: sourceModel
data:
- ["lang:std", "crate::env::args", "ReturnValue", "command-line-source", "manual"]
- ["lang:std", "crate::env::args_os", "ReturnValue", "command-line-source", "manual"]
- ["lang:std", "crate::env::args", "ReturnValue.Element", "command-line-source", "manual"]
- ["lang:std", "crate::env::args_os", "ReturnValue.Element", "command-line-source", "manual"]
- ["lang:std", "crate::env::current_dir", "ReturnValue.Variant[crate::result::Result::Ok(0)]", "command-line-source", "manual"]
- ["lang:std", "crate::env::current_exe", "ReturnValue.Variant[crate::result::Result::Ok(0)]", "command-line-source", "manual"]
- ["lang:std", "crate::env::home_dir", "ReturnValue.Variant[crate::option::Option::Some(0)]", "command-line-source", "manual"]
- ["lang:std", "crate::env::var", "ReturnValue.Variant[crate::result::Result::Ok(0)]", "environment-source", "manual"]
- ["lang:std", "crate::env::var_os", "ReturnValue.Variant[crate::option::Option::Some(0)]", "environment-source", "manual"]
- ["lang:std", "crate::env::vars", "ReturnValue", "environment-source", "manual"]
- ["lang:std", "crate::env::vars_os", "ReturnValue", "environment-source", "manual"]
- ["lang:std", "crate::env::vars", "ReturnValue.Element", "environment-source", "manual"]
- ["lang:std", "crate::env::vars_os", "ReturnValue.Element", "environment-source", "manual"]

3
rust/ql/lib/codeql/rust/frameworks/stdlib/lang-core.model.yml
View File

@@ -7,6 +7,9 @@ extensions:
- ["lang:alloc", "crate::fmt::format", "Argument[0]", "ReturnValue", "taint", "manual"]
# Hint
- ["lang:core", "crate::hint::must_use", "Argument[0]", "ReturnValue", "value", "manual"]
# Iterator
- ["lang:core", "crate::iter::traits::iterator::Iterator::nth", "Argument[self].Element", "ReturnValue.Variant[crate::option::Option::Some(0)]", "value", "manual"]
- ["lang:core", "crate::iter::traits::iterator::Iterator::collect", "Argument[self].Element", "ReturnValue.Element", "value", "manual"]
# Option
- ["lang:core", "<crate::option::Option>::unwrap", "Argument[self].Variant[crate::option::Option::Some(0)]", "ReturnValue", "value", "manual"]
- ["lang:core", "<crate::option::Option>::unwrap_or", "Argument[self].Variant[crate::option::Option::Some(0)]", "ReturnValue", "value", "manual"]

24
rust/ql/lib/codeql/rust/frameworks/tokio-postgres.model.yml Normal file
View File

@@ -0,0 +1,24 @@
extensions:
- addsTo:
pack: codeql/rust-all
extensible: sinkModel
data:
- ["repo:https://github.com/sfackler/rust-postgres:tokio-postgres", "<crate::client::Client>::execute", "Argument[0]", "sql-injection", "manual"]
- ["repo:https://github.com/sfackler/rust-postgres:tokio-postgres", "<crate::client::Client>::batch_execute", "Argument[0]", "sql-injection", "manual"]
- ["repo:https://github.com/sfackler/rust-postgres:tokio-postgres", "<crate::client::Client>::execute_raw", "Argument[0]", "sql-injection", "manual"]
- ["repo:https://github.com/sfackler/rust-postgres:tokio-postgres", "<crate::client::Client>::prepare", "Argument[0]", "sql-injection", "manual"]
- ["repo:https://github.com/sfackler/rust-postgres:tokio-postgres", "<crate::client::Client>::prepare_typed", "Argument[0]", "sql-injection", "manual"]
- ["repo:https://github.com/sfackler/rust-postgres:tokio-postgres", "<crate::client::Client>::query", "Argument[0]", "sql-injection", "manual"]
- ["repo:https://github.com/sfackler/rust-postgres:tokio-postgres", "<crate::client::Client>::query_opt", "Argument[0]", "sql-injection", "manual"]
- ["repo:https://github.com/sfackler/rust-postgres:tokio-postgres", "<crate::client::Client>::query_raw", "Argument[0]", "sql-injection", "manual"]
- ["repo:https://github.com/sfackler/rust-postgres:tokio-postgres", "<crate::client::Client>::query_typed", "Argument[0]", "sql-injection", "manual"]
- ["repo:https://github.com/sfackler/rust-postgres:tokio-postgres", "<crate::client::Client>::query_typed_raw", "Argument[0]", "sql-injection", "manual"]
- ["repo:https://github.com/sfackler/rust-postgres:tokio-postgres", "<crate::client::Client>::simple_query", "Argument[0]", "sql-injection", "manual"]
- ["repo:https://github.com/sfackler/rust-postgres:tokio-postgres", "<crate::client::Client>::simple_query_raw", "Argument[0]", "sql-injection", "manual"]
- addsTo:
pack: codeql/rust-all
extensible: sourceModel
data:
- ["repo:https://github.com/sfackler/rust-postgres:tokio-postgres", "<crate::row::Row>::get", "ReturnValue", "database", "manual"]
- ["repo:https://github.com/sfackler/rust-postgres:tokio-postgres", "<crate::row::Row>::try_get", "ReturnValue.Variant[crate::result::Result::Ok(0)]", "database", "manual"]

46
rust/ql/src/queries/telemetry/DatabaseQuality.qll Normal file
View File

@@ -0,0 +1,46 @@
/**
* Provides database quality statistics that are reported by
* `rust/telemetry/extractor-information`
* and perhaps warned about by `rust/diagnostics/database-quality`.
*/
import rust
import codeql.util.ReportStats
module CallTargetStats implements StatsSig {
int getNumberOfOk() { result = count(CallExprBase c | exists(c.getStaticTarget())) }
private predicate isLambdaCall(CallExpr call) {
exists(Expr receiver | receiver = call.getFunction() |
// All calls to complex expressions and local variable accesses are lambda calls
receiver instanceof PathExpr implies receiver = any(Variable v).getAnAccess()
)
}
additional predicate isNotOkCall(CallExprBase c) {
not exists(c.getStaticTarget()) and
not isLambdaCall(c)
}
int getNumberOfNotOk() { result = count(CallExprBase c | isNotOkCall(c)) }
string getOkText() { result = "calls with call target" }
string getNotOkText() { result = "calls with missing call target" }
}
module MacroCallTargetStats implements StatsSig {
int getNumberOfOk() { result = count(MacroCall c | c.hasExpanded()) }
additional predicate isNotOkCall(MacroCall c) { not c.hasExpanded() }
int getNumberOfNotOk() { result = count(MacroCall c | isNotOkCall(c)) }
string getOkText() { result = "macro calls with call target" }
string getNotOkText() { result = "macro calls with missing call target" }
}
module CallTargetStatsReport = ReportStats<CallTargetStats>;
module MacroCallTargetStatsReport = ReportStats<MacroCallTargetStats>;

41
rust/ql/src/queries/telemetry/DatabaseQualityDiagnostics.ql Normal file
View File

@@ -0,0 +1,41 @@
/**
* @name Low Rust analysis quality
* @description Low Rust analysis quality
* @kind diagnostic
* @id rust/diagnostic/database-quality
*/
import rust
import DatabaseQuality
import codeql.util.Unit
class DbQualityDiagnostic extends Unit {
DbQualityDiagnostic() {
exists(float percentageGood |
CallTargetStatsReport::percentageOfOk(_, percentageGood)
or
MacroCallTargetStatsReport::percentageOfOk(_, percentageGood)
|
percentageGood < 95
)
}
string toString() {
result =
"Scanning Rust code completed successfully, but the scan encountered issues. " +
"This may be caused by problems identifying dependencies or use of generated source code, among other reasons -- "
+
"see other CodeQL diagnostics reported on the CodeQL status page for more details of possible causes. "
+ "Addressing these warnings is advisable to avoid false-positive or missing results."
}
}
query predicate diagnosticAttributes(DbQualityDiagnostic e, string key, string value) {
exists(e) and // Quieten warning about unconstrained 'e'
key = ["visibilityCliSummaryTable", "visibilityTelemetry", "visibilityStatusPage"] and
value = "true"
}
from DbQualityDiagnostic d
select d, d.toString(), 1
/* 1 = Warning severity */

65
rust/ql/src/queries/telemetry/ExtractorInformation.ql Normal file
View File

@@ -0,0 +1,65 @@
/**
* @name Rust extraction information
* @description Information about the extraction for a Rust database
* @kind metric
* @tags summary telemetry
* @id rust/telemetry/extraction-information
*/
import rust
import DatabaseQuality
import codeql.rust.Diagnostics
predicate fileCount(string key, int value) {
key = "Number of files" and
value = strictcount(File f)
}
predicate fileCountByExtension(string key, int value) {
exists(string extension |
key = "Number of files with extension " + extension and
value = strictcount(File f | f.getExtension() = extension)
)
}
predicate numberOfLinesOfCode(string key, int value) {
key = "Number of lines of code" and
value = strictsum(File f | any() | f.getNumberOfLinesOfCode())
}
predicate numberOfLinesOfCodeByExtension(string key, int value) {
exists(string extension |
key = "Number of lines of code with extension " + extension and
value = strictsum(File f | f.getExtension() = extension | f.getNumberOfLinesOfCode())
)
}
predicate extractorDiagnostics(string key, int value) {
exists(int severity |
key = "Number of diagnostics with severity " + severity.toString() and
value = strictcount(Diagnostic d | d.getSeverity() = severity)
)
}
from string key, float value
where
(
fileCount(key, value) or
fileCountByExtension(key, value) or
numberOfLinesOfCode(key, value) or
numberOfLinesOfCodeByExtension(key, value) or
extractorDiagnostics(key, value) or
CallTargetStatsReport::numberOfOk(key, value) or
CallTargetStatsReport::numberOfNotOk(key, value) or
CallTargetStatsReport::percentageOfOk(key, value) or
MacroCallTargetStatsReport::numberOfOk(key, value) or
MacroCallTargetStatsReport::numberOfNotOk(key, value) or
MacroCallTargetStatsReport::percentageOfOk(key, value)
) and
/* Infinity */
value != 1.0 / 0.0 and
/* -Infinity */
value != -1.0 / 0.0 and
/* NaN */
value != 0.0 / 0.0
select key, value

8
rust/ql/test/library-tests/dataflow/local/DataFlowStep.expected
View File

@@ -4,6 +4,8 @@ localStep
| file://:0:0:0:0 | [summary param] 0 in lang:core::_::crate::hint::must_use | file://:0:0:0:0 | [summary] to write: ReturnValue in lang:core::_::crate::hint::must_use | MaD:21 |
| file://:0:0:0:0 | [summary] read: Argument[0].ReturnValue in lang:core::_::<crate::option::Option>::unwrap_or_else | file://:0:0:0:0 | [summary] to write: ReturnValue in lang:core::_::<crate::option::Option>::unwrap_or_else | MaD:7 |
| file://:0:0:0:0 | [summary] read: Argument[0].ReturnValue in lang:core::_::<crate::result::Result>::unwrap_or_else | file://:0:0:0:0 | [summary] to write: ReturnValue in lang:core::_::<crate::result::Result>::unwrap_or_else | MaD:18 |
| file://:0:0:0:0 | [summary] read: Argument[self].Element in lang:core::_::crate::iter::traits::iterator::Iterator::collect | file://:0:0:0:0 | [summary] to write: ReturnValue.Element in lang:core::_::crate::iter::traits::iterator::Iterator::collect | MaD:22 |
| file://:0:0:0:0 | [summary] read: Argument[self].Element in lang:core::_::crate::iter::traits::iterator::Iterator::nth | file://:0:0:0:0 | [summary] to write: ReturnValue.Variant[crate::option::Option::Some(0)] in lang:core::_::crate::iter::traits::iterator::Iterator::nth | MaD:23 |
| file://:0:0:0:0 | [summary] read: Argument[self].Variant[crate::option::Option::Some(0)] in lang:core::_::<crate::option::Option>::expect | file://:0:0:0:0 | [summary] to write: ReturnValue in lang:core::_::<crate::option::Option>::expect | MaD:2 |
| file://:0:0:0:0 | [summary] read: Argument[self].Variant[crate::option::Option::Some(0)] in lang:core::_::<crate::option::Option>::unwrap | file://:0:0:0:0 | [summary] to write: ReturnValue in lang:core::_::<crate::option::Option>::unwrap | MaD:3 |
| file://:0:0:0:0 | [summary] read: Argument[self].Variant[crate::option::Option::Some(0)] in lang:core::_::<crate::option::Option>::unwrap_or | file://:0:0:0:0 | [summary] to write: ReturnValue in lang:core::_::<crate::option::Option>::unwrap_or | MaD:5 |
@@ -536,7 +538,11 @@ models
| 19 | Summary: lang:core; <crate::result::Result>::unwrap_or_else; Argument[self].Variant[crate::result::Result::Ok(0)]; ReturnValue; value |
| 20 | Summary: lang:core; <crate::result::Result>::unwrap_unchecked; Argument[self].Variant[crate::result::Result::Ok(0)]; ReturnValue; value |
| 21 | Summary: lang:core; crate::hint::must_use; Argument[0]; ReturnValue; value |
| 22 | Summary: lang:core; crate::iter::traits::iterator::Iterator::collect; Argument[self].Element; ReturnValue.Element; value |
| 23 | Summary: lang:core; crate::iter::traits::iterator::Iterator::nth; Argument[self].Element; ReturnValue.Variant[crate::option::Option::Some(0)]; value |
storeStep
| file://:0:0:0:0 | [summary] to write: ReturnValue.Element in lang:core::_::crate::iter::traits::iterator::Iterator::collect | element | file://:0:0:0:0 | [summary] to write: ReturnValue in lang:core::_::crate::iter::traits::iterator::Iterator::collect |
| file://:0:0:0:0 | [summary] to write: ReturnValue.Variant[crate::option::Option::Some(0)] in lang:core::_::crate::iter::traits::iterator::Iterator::nth | Some | file://:0:0:0:0 | [summary] to write: ReturnValue in lang:core::_::crate::iter::traits::iterator::Iterator::nth |
| file://:0:0:0:0 | [summary] to write: ReturnValue.Variant[crate::result::Result::Ok(0)] in repo:https://github.com/seanmonstar/reqwest:reqwest::_::<crate::blocking::response::Response>::bytes | Ok | file://:0:0:0:0 | [summary] to write: ReturnValue in repo:https://github.com/seanmonstar/reqwest:reqwest::_::<crate::blocking::response::Response>::bytes |
| file://:0:0:0:0 | [summary] to write: ReturnValue.Variant[crate::result::Result::Ok(0)] in repo:https://github.com/seanmonstar/reqwest:reqwest::_::<crate::blocking::response::Response>::text | Ok | file://:0:0:0:0 | [summary] to write: ReturnValue in repo:https://github.com/seanmonstar/reqwest:reqwest::_::<crate::blocking::response::Response>::text |
| file://:0:0:0:0 | [summary] to write: ReturnValue.Variant[crate::result::Result::Ok(0)] in repo:https://github.com/seanmonstar/reqwest:reqwest::_::<crate::blocking::response::Response>::text_with_charset | Ok | file://:0:0:0:0 | [summary] to write: ReturnValue in repo:https://github.com/seanmonstar/reqwest:reqwest::_::<crate::blocking::response::Response>::text_with_charset |
@@ -639,6 +645,8 @@ readStep
| file://:0:0:0:0 | [summary param] self in lang:core::_::<crate::result::Result>::unwrap_or_default | Ok | file://:0:0:0:0 | [summary] read: Argument[self].Variant[crate::result::Result::Ok(0)] in lang:core::_::<crate::result::Result>::unwrap_or_default |
| file://:0:0:0:0 | [summary param] self in lang:core::_::<crate::result::Result>::unwrap_or_else | Ok | file://:0:0:0:0 | [summary] read: Argument[self].Variant[crate::result::Result::Ok(0)] in lang:core::_::<crate::result::Result>::unwrap_or_else |
| file://:0:0:0:0 | [summary param] self in lang:core::_::<crate::result::Result>::unwrap_unchecked | Ok | file://:0:0:0:0 | [summary] read: Argument[self].Variant[crate::result::Result::Ok(0)] in lang:core::_::<crate::result::Result>::unwrap_unchecked |
| file://:0:0:0:0 | [summary param] self in lang:core::_::crate::iter::traits::iterator::Iterator::collect | element | file://:0:0:0:0 | [summary] read: Argument[self].Element in lang:core::_::crate::iter::traits::iterator::Iterator::collect |
| file://:0:0:0:0 | [summary param] self in lang:core::_::crate::iter::traits::iterator::Iterator::nth | element | file://:0:0:0:0 | [summary] read: Argument[self].Element in lang:core::_::crate::iter::traits::iterator::Iterator::nth |
| main.rs:33:9:33:15 | Some(...) | Some | main.rs:33:14:33:14 | _ |
| main.rs:87:11:87:11 | i | &ref | main.rs:87:10:87:11 | * ... |
| main.rs:95:10:95:10 | a | tuple.0 | main.rs:95:10:95:12 | a.0 |

8
rust/ql/test/library-tests/dataflow/sources/test.rs
View File

@@ -32,10 +32,10 @@ fn test_env_args() {
let arg2 = std::env::args().nth(2).unwrap(); // $ Alert[rust/summary/taint-sources]
let arg3 = std::env::args_os().nth(3).unwrap(); // $ Alert[rust/summary/taint-sources]
sink(my_path); // $ MISSING: hasTaintFlow
sink(arg1); // $ MISSING: hasTaintFlow
sink(arg2); // $ MISSING: hasTaintFlow
sink(arg3); // $ MISSING: hasTaintFlow
sink(my_path); // $ hasTaintFlow
sink(arg1); // $ hasTaintFlow
sink(arg2); // $ hasTaintFlow
sink(arg3); // $ hasTaintFlow
for arg in std::env::args() { // $ Alert[rust/summary/taint-sources]
sink(arg); // $ hasTaintFlow

2
rust/ql/test/library-tests/dataflow/taint/TaintFlowStep.expected
View File

@@ -2,6 +2,8 @@ additionalTaintStep
| file://:0:0:0:0 | [summary param] 0 in lang:alloc::_::crate::fmt::format | file://:0:0:0:0 | [summary] to write: ReturnValue in lang:alloc::_::crate::fmt::format | MaD:3 |
| file://:0:0:0:0 | [summary param] self in lang:alloc::_::<crate::string::String>::as_bytes | file://:0:0:0:0 | [summary] to write: ReturnValue in lang:alloc::_::<crate::string::String>::as_bytes | MaD:1 |
| file://:0:0:0:0 | [summary param] self in lang:alloc::_::<crate::string::String>::as_str | file://:0:0:0:0 | [summary] to write: ReturnValue in lang:alloc::_::<crate::string::String>::as_str | MaD:2 |
| file://:0:0:0:0 | [summary param] self in lang:core::_::crate::iter::traits::iterator::Iterator::collect | file://:0:0:0:0 | [summary] read: Argument[self].Element in lang:core::_::crate::iter::traits::iterator::Iterator::collect | |
| file://:0:0:0:0 | [summary param] self in lang:core::_::crate::iter::traits::iterator::Iterator::nth | file://:0:0:0:0 | [summary] read: Argument[self].Element in lang:core::_::crate::iter::traits::iterator::Iterator::nth | |
| file://:0:0:0:0 | [summary param] self in repo:https://github.com/seanmonstar/reqwest:reqwest::_::<crate::blocking::response::Response>::bytes | file://:0:0:0:0 | [summary] to write: ReturnValue.Variant[crate::result::Result::Ok(0)] in repo:https://github.com/seanmonstar/reqwest:reqwest::_::<crate::blocking::response::Response>::bytes | MaD:4 |
| file://:0:0:0:0 | [summary param] self in repo:https://github.com/seanmonstar/reqwest:reqwest::_::<crate::blocking::response::Response>::text | file://:0:0:0:0 | [summary] to write: ReturnValue.Variant[crate::result::Result::Ok(0)] in repo:https://github.com/seanmonstar/reqwest:reqwest::_::<crate::blocking::response::Response>::text | MaD:5 |
| file://:0:0:0:0 | [summary param] self in repo:https://github.com/seanmonstar/reqwest:reqwest::_::<crate::blocking::response::Response>::text_with_charset | file://:0:0:0:0 | [summary] to write: ReturnValue.Variant[crate::result::Result::Ok(0)] in repo:https://github.com/seanmonstar/reqwest:reqwest::_::<crate::blocking::response::Response>::text_with_charset | MaD:6 |

11
rust/ql/test/library-tests/frameworks/postgres/Postgres.ql
View File

@@ -1,9 +1,10 @@
import rust
import codeql.rust.Concepts
import codeql.rust.security.SqlInjectionExtensions
import utils.test.InlineExpectationsTest
module PostgresTest implements TestSig {
string getARelevantTag() { result = "sql-sink" }
string getARelevantTag() { result = ["sql-sink", "database-read"] }
predicate hasActualResult(Location location, string element, string tag, string value) {
exists(SqlInjection::Sink sink |
@@ -13,6 +14,14 @@ module PostgresTest implements TestSig {
tag = "sql-sink" and
value = ""
)
or
exists(ModeledDatabaseSource source |
location = source.getLocation() and
location.getFile().getBaseName() != "" and
element = source.toString() and
tag = "database-read" and
value = ""
)
}
}

6
rust/ql/test/library-tests/frameworks/postgres/main.rs
View File

@@ -33,9 +33,9 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
// conn.query_typed_raw(query.as_str(), &[])?;
for row in &conn.query("SELECT id, name, age FROM person", &[])? { // $ sql-sink
let id: i32 = row.get("id");
let name: &str = row.get("name");
let age: i32 = row.get("age");
let id: i32 = row.get("id"); // $ database-read
let name: &str = row.try_get("name")?; // $ database-read
let age: i32 = row.try_get("age").unwrap(); // $ database-read
println!("found person: {} {} {}", id, name, age);
}

2
rust/ql/test/query-tests/diagnostics/SummaryStats.expected
View File

@@ -14,7 +14,7 @@
| Macro calls - resolved | 8 |
| Macro calls - total | 9 |
| Macro calls - unresolved | 1 |
| Taint edges - number of edges | 3 |
| Taint edges - number of edges | 4 |
| Taint reach - nodes tainted | 0 |
| Taint reach - per million nodes | 0 |
| Taint sinks - cryptographic operations | 0 |

31
shared/util/codeql/util/ReportStats.qll Normal file
View File

@@ -0,0 +1,31 @@
/**
* Provides the `ReportStats` module for reporting database quality statistics.
*/
module;
signature module StatsSig {
int getNumberOfOk();
int getNumberOfNotOk();
string getOkText();
string getNotOkText();
}
module ReportStats<StatsSig Stats> {
predicate numberOfOk(string key, int value) {
value = Stats::getNumberOfOk() and
key = "Number of " + Stats::getOkText()
}
predicate numberOfNotOk(string key, int value) {
value = Stats::getNumberOfNotOk() and
key = "Number of " + Stats::getNotOkText()
}
predicate percentageOfOk(string key, float value) {
value = Stats::getNumberOfOk() * 100.0 / (Stats::getNumberOfOk() + Stats::getNumberOfNotOk()) and
key = "Percentage of " + Stats::getOkText()
}
}