diff --git a/cpp/ql/lib/experimental/semmle/code/cpp/semantic/analysis/RangeAnalysisStage.qll b/cpp/ql/lib/experimental/semmle/code/cpp/semantic/analysis/RangeAnalysisStage.qll index 330251be09d..c544dec893f 100644 --- a/cpp/ql/lib/experimental/semmle/code/cpp/semantic/analysis/RangeAnalysisStage.qll +++ b/cpp/ql/lib/experimental/semmle/code/cpp/semantic/analysis/RangeAnalysisStage.qll @@ -78,18 +78,15 @@ import experimental.semmle.code.cpp.semantic.SemanticLocation /** * Holds if `typ` is a small integral type with the given lower and upper bounds. */ -private predicate typeBound(SemIntegerType typ, int lowerbound, int upperbound) { +private predicate typeBound(SemIntegerType typ, float lowerbound, float upperbound) { exists(int bitSize | bitSize = typ.getByteSize() * 8 | - bitSize < 32 and - ( - if typ.isSigned() - then ( - upperbound = 1.bitShiftLeft(bitSize - 1) - 1 and - lowerbound = -upperbound - 1 - ) else ( - lowerbound = 0 and - upperbound = 1.bitShiftLeft(bitSize) - 1 - ) + if typ.isSigned() + then ( + upperbound = 2.pow(bitSize - 1) - 1 and + lowerbound = -upperbound - 1 + ) else ( + lowerbound = 0 and + upperbound = 2.pow(bitSize) - 1 ) ) } @@ -286,10 +283,10 @@ module RangeStage Bounds, LangSig LangParam, UtilSig< } /** Gets the lower bound of the resulting type. */ - int getLowerBound() { typeBound(getTrackedType(this), result, _) } + float getLowerBound() { typeBound(getTrackedType(this), result, _) } /** Gets the upper bound of the resulting type. */ - int getUpperBound() { typeBound(getTrackedType(this), _, result) } + float getUpperBound() { typeBound(getTrackedType(this), _, result) } } private module SignAnalysisInstantiated = SignAnalysis; // TODO: will this cause reevaluation if it's instantiated with the same DeltaSig and UtilParam multiple times? diff --git a/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToStrncat.ql b/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToStrncat.ql index 0d46332a40a..37ad8fd7076 100644 
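Review bot: The QLDoc above `typeBound` still says "small integral type" although the `bitSize < 32` guard is removed, and the new `float` bounds are lossy for 8-byte types: a QL float is a double, so `2.pow(64) - 1` and `2.pow(63) - 1` are not representable and round up to 2^64 and 2^63, making the upper bound one too large for 64-bit types (the signed lower bound `-upperbound - 1` lands on -2^63 only by rounding). These bounds presumably feed the overflow reasoning behind `getLowerBound`/`getUpperBound` in the second hunk, so a value sitting exactly at the rounded bound could be treated as in range. I would at least replace the doc comment with `Holds if typ is an integral type with the given lower and upper bounds. The bounds are floats; for types wider than 53 bits the upper bound is rounded and may exceed the true maximum by one.` and, if exactness matters to the callers, keep an exact path for widths that fit in an int.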
--- a/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToStrncat.ql +++ b/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToStrncat.ql @@ -48,11 +48,11 @@ predicate case1(FunctionCall fc, Expr sizeArg, VariableAccess destArg) { * Holds if `fc` is a call to `strncat` with size argument `sizeArg` and destination * argument `destArg`, and `sizeArg` computes the value `sizeof (dest) - strlen (dest)`. */ -predicate case2(FunctionCall fc, Expr sizeArg, VariableAccess destArg) { - interestingCallWithArgs(fc, sizeArg, destArg) and +predicate case2(FunctionCall fc, Expr sizeArg, Expr destArg) { + interestingCallWithArgs(fc, pragma[only_bind_into](sizeArg), pragma[only_bind_into](destArg)) and exists(SubExpr sub, int n | // The destination buffer is an array of size n - destArg.getUnspecifiedType().(ArrayType).getSize() = n and + pragma[only_bind_out](destArg.getUnspecifiedType().(ArrayType).getSize()) = n and // The size argument is equivalent to a subtraction globalValueNumber(sizeArg).getAnExpr() = sub and // ... where the left side of the subtraction is the constant n diff --git a/cpp/ql/test/library-tests/ir/range-analysis/SimpleRangeAnalysis_tests.cpp b/cpp/ql/test/library-tests/ir/range-analysis/SimpleRangeAnalysis_tests.cpp index 7103d5962fb..19c9b47d670 100644 --- a/cpp/ql/test/library-tests/ir/range-analysis/SimpleRangeAnalysis_tests.cpp +++ b/cpp/ql/test/library-tests/ir/range-analysis/SimpleRangeAnalysis_tests.cpp @@ -566,11 +566,11 @@ unsigned int test_ternary01(unsigned int x) { y1 = x < 100 ? (range(x), x) : // $ range=<=99 (range(x), 10); // $ range=>=100 - range(y1); + range(y1); // $ range=<=99 y2 = x >= 100 ? (range(x), 10) : // $ range=>=100 (range(x), x); // $ range=<=99 - range(y2); + range(y2); // $ range=<=99 y3 = 0; y4 = 0; y5 = 0; 
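Review bot: `case2`'s third parameter is widened to `Expr` while `case1`, visible in the hunk's context line, still declares `VariableAccess destArg`, and nothing in the hunk says why the two signatures now differ; read together with the three `pragma[only_bind_into]`/`pragma[only_bind_out]` annotations this looks like a join-order fix rather than a change in what is matched, but a reader cannot tell. Whether widening the type changes results depends on how the caller combines `case1` and `case2`, which is outside this hunk. I would add a comment above the `interestingCallWithArgs` line, e.g. `// destArg is typed Expr and binding is constrained by the pragmas so the ArrayType size lookup runs after the call is bound (join-order fix) -- confirm that results are unchanged`.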
@@ -580,14 +580,14 @@ unsigned int test_ternary01(unsigned int x) { if (x < 300) { range(x); // $ range=<=299 y3 = x ?: - (range(x), 5); // y3 < 300 - range(y3); + (range(x), 5); + range(y3); // $ range=<=299 y4 = x ?: - (range(x), 500); // y4 <= 500 - range(y4); + (range(x), 500); + range(y4); // $ range=<=500 y5 = (x+1) ?: (range(x), 500); // $ range===-1 - range(y5); // y5 <= 300 + range(y5); // $ range=<=500 y6 = ((unsigned char)(x+1)) ?: (range(x), 5); // $ range=<=299 range(y6); // y6 < 256 @@ -608,11 +608,11 @@ unsigned int test_ternary02(unsigned int x) { y1 = x > 100 ? (range(x), x) : // $ range=>=101 (range(x), 110); // $ range=<=100 - range(y1); // y1 > 100 + range(y1); // $ range=>=101 y2 = x <= 100 ? (range(x), 110) : // $ range=<=100 (range(x), x); // $ range=>=101 - range(y2); // y2 > 100 + range(y2); // $ range=>=101 y3 = 1000; y4 = 1000; y5 = 1000; @@ -620,15 +620,15 @@ unsigned int test_ternary02(unsigned int x) { range(x); // $ range=>=300 y3 = (x-300) ?: (range(x), 5); // $ range===300 - range(y3); // y3 >= 0 + range(y3); // $ range=>=0 y4 = (x-200) ?: (range(x), 5); // $ range=<=200 range=>=300 - range(y4); // y4 >= 100 + range(y4); // $ SPURIOUS: range=>=5 MISSING: range=>=100 y5 = ((unsigned char)(x-200)) ?: (range(x), 5); // $ range=>=300 range(y5); // y6 >= 0 } - range(y1 + y2 + y3 + y4 + y5); // $ MISSING: range=">=... = ...:... ? ... : ...+0" range=">=call to range+0" + range(y1 + y2 + y3 + y4 + y5); // $ range=">=call to range+207" MISSING: range=">=... = ...:... ? ... : ...+0" range=">=call to range+0" return y1 + y2 + y3 + y4 + y5; } 
@@ -640,14 +640,14 @@ unsigned int test_comma01(unsigned int x) { unsigned int y1; unsigned int y2; y1 = (++y, y); - range(y1); // $ range="==... ? ... : ...+1" + range(y1); // $ range=<=101 range="==... ? ... : ...+1" y2 = (y++, - range(y), // $ range="==++ ...:... = ...+1" range="==... ? ... : ...+2" + range(y), // $ range=<=102 range="==++ ...:... = ...+1" range="==... ? ... : ...+2" y += 3, - range(y), // $ range="==++ ...:... = ...+4" range="==... +++3" range="==... ? ... : ...+5" + range(y), // $ range=<=105 range="==++ ...:... = ...+4" range="==... +++3" range="==... ? ... : ...+5" y); - range(y2); // $ range="==++ ...:... = ...+4" range="==... +++3" range="==... ? ... : ...+5" - range(y1 + y2); // $ MISSING: range=">=++ ...:... = ...+5" range=">=... +++4" range=">=... += ...:... = ...+1" range=">=... ? ... : ...+6" + range(y2); // $ range=<=105 range="==++ ...:... = ...+4" range="==... +++3" range="==... ? ... : ...+5" + range(y1 + y2); // $ range=<=206 range="<=... ? ... : ...+106" MISSING: range=">=++ ...:... = ...+5" range=">=... +++4" range=">=... += ...:... = ...+1" range=">=... ? ... : ...+6" return y1 + y2; } 
@@ -683,27 +683,27 @@ int test_unsigned_mult01(unsigned int a, unsigned b) { range(a); // $ range=<=11 range=>=3 range(b); // $ range=<=23 range=>=5 int r = a*b; // 15 .. 253 - range(r); + range(r); // $ range=>=15 range=<=253 total += r; - range(total); // $ MISSING: range=>=1 + range(total); // $ range=>=15 range=<=253 } if (3 <= a && a <= 11 && 0 <= b && b <= 23) { range(a); // $ range=<=11 range=>=3 range(b); // $ range=<=23 range=>=0 int r = a*b; // 0 .. 253 - range(r); + range(r); // $ range=>=0 range=<=253 total += r; - range(total); // $ MISSING: range=">=(unsigned int)...+0" range=>=0 + range(total); // $ range=>=0 range=<=506 range=">=(unsigned int)...+0" range="<=(unsigned int)...+253" } if (3 <= a && a <= 11 && 13 <= b && b <= 23) { range(a); // $ range=<=11 range=>=3 range(b); // $ range=<=23 range=>=13 int r = a*b; // 39 .. 253 - range(r); + range(r); // $ range=>=39 range=<=253 total += r; - range(total); // $ MISSING: range=">=(unsigned int)...+1" range=>=1 + range(total); // $ range=>=39 range=<=759 range=">=(unsigned int)...+39" range="<=(unsigned int)...+506" range="<=(unsigned int)...+253" } - range(total); // $ MISSING: range=">=(unsigned int)...+0" range=>=0 + range(total); // $ range=>=0 range=<=759 range=">=(unsigned int)...+0" range="<=(unsigned int)...+506" range="<=(unsigned int)...+253" return total; } 
@@ -713,25 +713,25 @@ int test_unsigned_mult02(unsigned b) { if (5 <= b && b <= 23) { range(b); // $ range=<=23 range=>=5 int r = 11*b; // 55 .. 253 - range(r); + range(r); // $ range=>=55 range=<=253 total += r; - range(total); // $ MISSING: range=>=1 + range(total); // $ range=>=55 range=<=253 } if (0 <= b && b <= 23) { range(b); // $ range=<=23 range=>=0 int r = 11*b; // 0 .. 253 - range(r); + range(r); // $ range=>=0 range=<=253 total += r; - range(total); // $ MISSING: range=">=(unsigned int)...+0" range=>=0 + range(total); // $ range=>=0 range=<=506 range=">=(unsigned int)...+0" range="<=(unsigned int)...+253" } if (13 <= b && b <= 23) { range(b); // $ range=<=23 range=>=13 int r = 11*b; // 143 .. 253 - range(r); + range(r); // $ range=>=143 range=<=253 total += r; - range(total); // $ MISSING: range=">=(unsigned int)...+1" range=>=1 + range(total); // $ range=>=143 range=<=759 range=">=(unsigned int)...+143" range="<=(unsigned int)...+506" range="<=(unsigned int)...+253" } - range(total); // $ MISSING: range=">=(unsigned int)...+0" range=>=0 + range(total); // $ range=>=0 range=<=759 range=">=(unsigned int)...+0" range="<=(unsigned int)...+506" range="<=(unsigned int)...+253" return total; } diff --git a/javascript/ql/src/Security/CWE-916/InsufficientPasswordHash.qhelp b/javascript/ql/src/Security/CWE-916/InsufficientPasswordHash.qhelp index 1efdbe694b1..f9e3a5b3857 100644 --- a/javascript/ql/src/Security/CWE-916/InsufficientPasswordHash.qhelp +++ b/javascript/ql/src/Security/CWE-916/InsufficientPasswordHash.qhelp @@ -37,7 +37,7 @@ the hash of a password.

- +

This is not secure, since the password can be efficiently @@ -46,7 +46,7 @@ algorithm:

- + diff --git a/ql/ql/src/codeql_ql/ast/Ast.qll b/ql/ql/src/codeql_ql/ast/Ast.qll index 4264cdf24db..818828d44fe 100644 --- a/ql/ql/src/codeql_ql/ast/Ast.qll +++ b/ql/ql/src/codeql_ql/ast/Ast.qll @@ -972,7 +972,7 @@ class Class extends TClass, TypeDeclaration, ModuleDeclaration { } /** Gets the class type defined by this class declaration. */ - Type getType() { result.getDeclaration() = this } + ClassType getType() { result.getDeclaration() = this } override AstNode getAChild(string pred) { result = super.getAChild(pred) diff --git a/ql/ql/test/type/type.expected b/ql/ql/test/type/type.expected index fd3a34c27f6..7089676858d 100644 --- a/ql/ql/test/type/type.expected +++ b/ql/ql/test/type/type.expected @@ -1,6 +1,4 @@ | Test.qll:4:15:4:18 | this | Test.qll:3:7:3:13 | Strings | -| Test.qll:4:15:4:18 | this | Test.qll:3:7:3:13 | Strings.Strings | -| Test.qll:4:15:4:18 | this | Test.qll:3:7:3:13 | Strings.extends | | Test.qll:4:22:4:76 | Set | file://:0:0:0:0 | string | | Test.qll:4:23:4:24 | String | file://:0:0:0:0 | string | | Test.qll:4:27:4:29 | String | file://:0:0:0:0 | string | @@ -13,8 +11,6 @@ | Test.qll:4:66:4:69 | String | file://:0:0:0:0 | string | | Test.qll:4:72:4:75 | String | file://:0:0:0:0 | string | | Test.qll:8:14:8:17 | this | Test.qll:7:7:7:12 | Floats | -| Test.qll:8:14:8:17 | this | Test.qll:7:7:7:12 | Floats.Floats | -| Test.qll:8:14:8:17 | this | Test.qll:7:7:7:12 | Floats.extends | | Test.qll:8:21:8:70 | Set | file://:0:0:0:0 | float | | Test.qll:8:22:8:24 | Float | file://:0:0:0:0 | float | | Test.qll:8:27:8:29 | Float | file://:0:0:0:0 | float | 
@@ -35,14 +31,10 @@
 | Test.qll:13:45:13:49 | AddExpr | file://:0:0:0:0 | float |
 | Test.qll:13:49:13:49 | b | Test.qll:7:7:7:12 | Floats |
 | Test.qll:16:12:16:15 | this | Test.qll:15:7:15:10 | Base |
-| Test.qll:16:12:16:15 | this | Test.qll:15:7:15:10 | Base.Base |
-| Test.qll:16:12:16:15 | this | Test.qll:15:7:15:10 | Base.extends |
 | Test.qll:16:19:16:23 | String | file://:0:0:0:0 | string |
 | Test.qll:18:15:18:20 | result | file://:0:0:0:0 | int |
 | Test.qll:18:24:18:24 | Integer | file://:0:0:0:0 | int |
 | Test.qll:22:11:22:14 | this | Test.qll:21:7:21:9 | Sub |
-| Test.qll:22:11:22:14 | this | Test.qll:21:7:21:9 | Sub.Sub |
-| Test.qll:22:11:22:14 | this | Test.qll:21:7:21:9 | Sub.extends |
 | Test.qll:22:18:22:22 | String | file://:0:0:0:0 | string |
 | Test.qll:24:15:24:20 | result | file://:0:0:0:0 | int |
 | Test.qll:24:24:24:33 | Super | Test.qll:15:7:15:10 | Base |
diff --git a/swift/ql/src/diagnostics/SuccessfullyExtractedLines.ql b/swift/ql/src/diagnostics/SuccessfullyExtractedLines.ql
new file mode 100644
index 00000000000..59b1d5bc8bc
--- /dev/null
+++ b/swift/ql/src/diagnostics/SuccessfullyExtractedLines.ql
@@ -0,0 +1,15 @@
+/**
+ * @name Successfully extracted lines
+ * @description Count all lines in source code in which something was extracted. Entities spanning multiple lines like multi-line strings or comments only contribute one line to this count.
+ * @kind metric
+ * @id swift/diagnostics/successfully-extracted-lines
+ * @tags summary
+ */
+
+import swift
+
+select count(File f, int line |
+ exists(Location loc |
+ not loc instanceof UnknownLocation and loc.getFile() = f and loc.getStartLine() = line
+ )
+ )
diff --git a/swift/ql/test/query-tests/Diagnostics/SuccessfullyExtractedLines.expected b/swift/ql/test/query-tests/Diagnostics/SuccessfullyExtractedLines.expected
new file mode 100644
index 00000000000..b5a514b9ffa
--- /dev/null
+++ b/swift/ql/test/query-tests/Diagnostics/SuccessfullyExtractedLines.expected
@@ -0,0 +1 @@
+| 4 |
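Review bot: The `count` aggregate in `SuccessfullyExtractedLines.ql` treats every non-`UnknownLocation` location whose start line lies in `f` as an extracted line, and the query does not say which entities are expected to contribute, so the reader cannot judge whether container entities with a location (the file or module itself, if they carry one) inflate the number. The accompanying expectation `| 4 |` is consistent with both test files contributing two lines each (lines 1 and 3 of `ignored.swift`, lines 3 and 6 of `main.swift`), which would mean the file named "ignored" is counted after all; that reading is an inference and should be confirmed. I would add a comment above `select`, e.g. `// Each extracted entity with a known location contributes its start line once; a line is counted when at least one entity starts on it.`, and a comment in the test recording which lines of which files make up the expected count.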
diff --git a/swift/ql/test/query-tests/Diagnostics/SuccessfullyExtractedLines.qlref b/swift/ql/test/query-tests/Diagnostics/SuccessfullyExtractedLines.qlref
new file mode 100644
index 00000000000..26996e64988
--- /dev/null
+++ b/swift/ql/test/query-tests/Diagnostics/SuccessfullyExtractedLines.qlref
@@ -0,0 +1 @@
+diagnostics/SuccessfullyExtractedLines.ql
diff --git a/swift/ql/test/query-tests/Diagnostics/ignored.swift b/swift/ql/test/query-tests/Diagnostics/ignored.swift
new file mode 100644
index 00000000000..f488af7e837
--- /dev/null
+++ b/swift/ql/test/query-tests/Diagnostics/ignored.swift
@@ -0,0 +1,3 @@
+//codeql-extractor-env: CODEQL_EXTRACTOR_SWIFT_RUN_UNDER=true
+
+func not_compiled() {}
diff --git a/swift/ql/test/query-tests/Diagnostics/main.swift b/swift/ql/test/query-tests/Diagnostics/main.swift
index e69de29bb2d..92d0406caac 100644
--- a/swift/ql/test/query-tests/Diagnostics/main.swift
+++ b/swift/ql/test/query-tests/Diagnostics/main.swift
@@ -0,0 +1,6 @@
+
+
+// a comment
+
+
+func foo() {}