Merge branch 'main' into js/shared-dataflow-merge-main

2026-05-02 04:05:14 +02:00 · 2024-09-18 14:57:50 +02:00
parent 5e4c0906d8 e43d39a0fe
commit 1cd00a118c
4906 changed files with 172914 additions and 89179 deletions
--- a/shared/dataflow/CHANGELOG.md
+++ b/shared/dataflow/CHANGELOG.md
@@ -1,3 +1,17 @@
+## 1.1.2
+
+No user-facing changes.
+
+## 1.1.1
+
+No user-facing changes.
+
+## 1.1.0
+
+### Deprecated APIs
+
+* The source/sink grouping feature of the data flow library has been removed. It was introduced primarily for debugging, but has not proven useful.
+
 ## 1.0.5

 No user-facing changes.
--- a/shared/dataflow/change-notes/2024-08-20-remove-srcsink-grouping.md
+++ b/shared/dataflow/change-notes/2024-08-20-remove-srcsink-grouping.md
@@ -1,4 +1,5 @@
---
-category: deprecated
---
+## 1.1.0
+
+### Deprecated APIs
+
 * The source/sink grouping feature of the data flow library has been removed. It was introduced primarily for debugging, but has not proven useful.
--- a/shared/dataflow/change-notes/released/1.1.1.md
+++ b/shared/dataflow/change-notes/released/1.1.1.md
@@ -0,0 +1,3 @@
+## 1.1.1
+
+No user-facing changes.
--- a/shared/dataflow/change-notes/released/1.1.2.md
+++ b/shared/dataflow/change-notes/released/1.1.2.md
@@ -0,0 +1,3 @@
+## 1.1.2
+
+No user-facing changes.
--- a/shared/dataflow/codeql-pack.release.yml
+++ b/shared/dataflow/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.0.5
+lastReleaseVersion: 1.1.2
--- a/shared/dataflow/codeql/dataflow/DataFlow.qll
+++ b/shared/dataflow/codeql/dataflow/DataFlow.qll
@@ -298,7 +298,7 @@ signature module InputSig<LocationSig Location> {
  /** Extra data-flow steps needed for lambda flow analysis. */
  predicate additionalLambdaFlowStep(Node nodeFrom, Node nodeTo, boolean preservesValue);

-  predicate knownSourceModel(Node sink, string model);
+  predicate knownSourceModel(Node source, string model);

  predicate knownSinkModel(Node sink, string model);

--- a/shared/dataflow/codeql/dataflow/VariableCapture.qll
+++ b/shared/dataflow/codeql/dataflow/VariableCapture.qll
@@ -585,11 +585,13 @@ module Flow<LocationSig Location, InputSig<Location> Input> implements OutputSig
    2 <= strictcount(CapturedVariable v | captureAccess(v, c))
    or
    // Constructors that capture a variable may assign it to a field, which also
-    // entails a this-to-this summary.
-    captureAccess(_, c) and c.isConstructor()
+    // entails a this-to-this summary. If there are multiple constructors, then
+    // they might call each other, so if one constructor captures a variable we
+    // allow this-to-this summaries for all of them.
+    exists(ClosureExpr ce | ce.hasBody(c) and c.isConstructor() and hasConstructorCapture(ce, _))
  }

-  /** Holds if the constructor, if any, for the closure defined by `ce` captures `v`. */
+  /** Holds if a constructor, if any, for the closure defined by `ce` captures `v`. */
  private predicate hasConstructorCapture(ClosureExpr ce, CapturedVariable v) {
    exists(Callable c | ce.hasBody(c) and c.isConstructor() and captureAccess(v, c))
  }
--- a/shared/dataflow/codeql/dataflow/internal/ContentDataFlowImpl.qll
+++ b/shared/dataflow/codeql/dataflow/internal/ContentDataFlowImpl.qll
@@ -104,8 +104,6 @@ module MakeImplContentDataFlow<LocationSig Location, InputSig<Location> Lang> {
        additionalStep(node1, state1, node2, state2)
      }

-      predicate isAdditionalFlowStep = ContentConfig::isAdditionalFlowStep/2;
-
      predicate isBarrier = ContentConfig::isBarrier/1;

      FlowFeature getAFeature() { result = ContentConfig::getAFeature() }
@@ -302,12 +300,16 @@ module MakeImplContentDataFlow<LocationSig Location, InputSig<Location> Lang> {
          // relation, when flow can reach a sink without going back out
          Flow::PathGraph::subpaths(pred, succ, _, _) and
          not reachesSink(succ)
-          or
+        )
+        or
+        exists(Node predNode, State predState, Node succNode, State succState |
+          succNodeAndState(pred, predNode, predState, succ, succNode, succState)
+        |
          // needed to record store steps
-          storeStep(pred.getNode(), pred.getState(), _, succ.getNode(), succ.getState())
+          storeStep(predNode, predState, _, succNode, succState)
          or
          // needed to record read steps
-          readStep(pred.getNode(), pred.getState(), _, succ.getNode(), succ.getState())
+          readStep(predNode, predState, _, succNode, succState)
        )
      }

@@ -455,27 +457,39 @@ module MakeImplContentDataFlow<LocationSig Location, InputSig<Location> Lang> {
      )
    }

+    pragma[nomagic]
+    private predicate succNodeAndState(
+      Flow::PathNode pre, Node preNode, State preState, Flow::PathNode succ, Node succNode,
+      State succState
+    ) {
+      pre.getNode() = preNode and
+      pre.getState() = preState and
+      succ.getNode() = succNode and
+      succ.getState() = succState and
+      pre.getASuccessor() = succ
+    }
+
    pragma[nomagic]
    private predicate nodeReachesStore(
-      Flow::PathNode source, AccessPath scReads, AccessPath scStores, Flow::PathNode node,
+      Flow::PathNode source, AccessPath scReads, AccessPath scStores, Flow::PathNode target,
      ContentSet c, AccessPath reads, AccessPath stores
    ) {
-      exists(Flow::PathNode mid |
+      exists(Flow::PathNode mid, State midState, Node midNode, State targetState, Node targetNode |
        nodeReaches(source, scReads, scStores, mid, reads, stores) and
-        storeStep(mid.getNode(), mid.getState(), c, node.getNode(), node.getState()) and
-        mid.getASuccessor() = node
+        succNodeAndState(mid, midNode, midState, target, targetNode, targetState) and
+        storeStep(midNode, midState, c, targetNode, targetState)
      )
    }

    pragma[nomagic]
    private predicate nodeReachesRead(
-      Flow::PathNode source, AccessPath scReads, AccessPath scStores, Flow::PathNode node,
+      Flow::PathNode source, AccessPath scReads, AccessPath scStores, Flow::PathNode target,
      ContentSet c, AccessPath reads, AccessPath stores
    ) {
-      exists(Flow::PathNode mid |
+      exists(Flow::PathNode mid, State midState, Node midNode, State targetState, Node targetNode |
        nodeReaches(source, scReads, scStores, mid, reads, stores) and
-        readStep(mid.getNode(), mid.getState(), c, node.getNode(), node.getState()) and
-        mid.getASuccessor() = node
+        succNodeAndState(mid, midNode, midState, target, targetNode, targetState) and
+        readStep(midNode, midState, c, targetNode, targetState)
      )
    }

--- a/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll
+++ b/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll
--- a/shared/dataflow/codeql/dataflow/internal/DataFlowImplCommon.qll
+++ b/shared/dataflow/codeql/dataflow/internal/DataFlowImplCommon.qll
@@ -1569,11 +1569,6 @@ module MakeImplCommon<LocationSig Location, InputSig<Location> Lang> {
      TDataFlowCallNone() or
      TDataFlowCallSome(DataFlowCall call)

-    cached
-    newtype TParamNodeOption =
-      TParamNodeNone() or
-      TParamNodeSome(ParamNode p)
-
    cached
    newtype TReturnCtx =
      TReturnCtxNone() or
@@ -2234,19 +2229,6 @@ module MakeImplCommon<LocationSig Location, InputSig<Location> Lang> {
    }
  }

-  /** An optional `ParamNode`. */
-  class ParamNodeOption extends TParamNodeOption {
-    string toString() {
-      this = TParamNodeNone() and
-      result = "(none)"
-      or
-      exists(ParamNode p |
-        this = TParamNodeSome(p) and
-        result = p.toString()
-      )
-    }
-  }
-
  /**
   * A return context used to calculate flow summaries in reverse flow.
   *
--- a/shared/dataflow/qlpack.yml
+++ b/shared/dataflow/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/dataflow
-version: 1.0.6-dev
+version: 1.1.3-dev
 groups: shared
 library: true
 dependencies: