hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-21 19:26:31 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'main' into sashabu/repeated-initializers

Browse Source
This commit is contained in:
Jeroen Ketema
2023-04-03 09:48:23 +02:00
committed by GitHub
parent ddd44b4c13 ecf92f0c5d
commit 1d9fc8a581
11 changed files with 73 additions and 58 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
cpp/ql/lib/experimental/semmle/code/cpp/semantic/analysis/RangeAnalysisStage.qll
View File

@@ -78,18 +78,15 @@ import experimental.semmle.code.cpp.semantic.SemanticLocation
/** /**
* Holds if `typ` is a small integral type with the given lower and upper bounds. * Holds if `typ` is a small integral type with the given lower and upper bounds.
*/ */
private predicate typeBound(SemIntegerType typ, int lowerbound, int upperbound) { private predicate typeBound(SemIntegerType typ, float lowerbound, float upperbound) {
exists(int bitSize | bitSize = typ.getByteSize() * 8 | exists(int bitSize | bitSize = typ.getByteSize() * 8 |
bitSize < 32 and
(
if typ.isSigned() if typ.isSigned()
then ( then (
upperbound = 1.bitShiftLeft(bitSize - 1) - 1 and upperbound = 2.pow(bitSize - 1) - 1 and
lowerbound = -upperbound - 1 lowerbound = -upperbound - 1
) else ( ) else (
lowerbound = 0 and lowerbound = 0 and
upperbound = 1.bitShiftLeft(bitSize) - 1 upperbound = 2.pow(bitSize) - 1
)
) )
) )
} }
@@ -286,10 +283,10 @@ module RangeStage<DeltaSig D, BoundSig<D> Bounds, LangSig<D> LangParam, UtilSig<
} }
/** Gets the lower bound of the resulting type. */ /** Gets the lower bound of the resulting type. */
int getLowerBound() { typeBound(getTrackedType(this), result, _) } float getLowerBound() { typeBound(getTrackedType(this), result, _) }
/** Gets the upper bound of the resulting type. */ /** Gets the upper bound of the resulting type. */
int getUpperBound() { typeBound(getTrackedType(this), _, result) } float getUpperBound() { typeBound(getTrackedType(this), _, result) }
} }
private module SignAnalysisInstantiated = SignAnalysis<D, UtilParam>; // TODO: will this cause reevaluation if it's instantiated with the same DeltaSig and UtilParam multiple times? private module SignAnalysisInstantiated = SignAnalysis<D, UtilParam>; // TODO: will this cause reevaluation if it's instantiated with the same DeltaSig and UtilParam multiple times?

6
cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToStrncat.ql
View File

@@ -48,11 +48,11 @@ predicate case1(FunctionCall fc, Expr sizeArg, VariableAccess destArg) {
* Holds if `fc` is a call to `strncat` with size argument `sizeArg` and destination * Holds if `fc` is a call to `strncat` with size argument `sizeArg` and destination
* argument `destArg`, and `sizeArg` computes the value `sizeof (dest) - strlen (dest)`. * argument `destArg`, and `sizeArg` computes the value `sizeof (dest) - strlen (dest)`.
*/ */
predicate case2(FunctionCall fc, Expr sizeArg, VariableAccess destArg) { predicate case2(FunctionCall fc, Expr sizeArg, Expr destArg) {
interestingCallWithArgs(fc, sizeArg, destArg) and interestingCallWithArgs(fc, pragma[only_bind_into](sizeArg), pragma[only_bind_into](destArg)) and
exists(SubExpr sub, int n | exists(SubExpr sub, int n |
// The destination buffer is an array of size n // The destination buffer is an array of size n
destArg.getUnspecifiedType().(ArrayType).getSize() = n and pragma[only_bind_out](destArg.getUnspecifiedType().(ArrayType).getSize()) = n and
// The size argument is equivalent to a subtraction // The size argument is equivalent to a subtraction
globalValueNumber(sizeArg).getAnExpr() = sub and globalValueNumber(sizeArg).getAnExpr() = sub and
// ... where the left side of the subtraction is the constant n // ... where the left side of the subtraction is the constant n

62
cpp/ql/test/library-tests/ir/range-analysis/SimpleRangeAnalysis_tests.cpp
View File

@@ -566,11 +566,11 @@ unsigned int test_ternary01(unsigned int x) {
y1 = x < 100 ? y1 = x < 100 ?
(range(x), x) : // $ range=<=99 (range(x), x) : // $ range=<=99
(range(x), 10); // $ range=>=100 (range(x), 10); // $ range=>=100
range(y1); range(y1); // $ range=<=99
y2 = x >= 100 ? y2 = x >= 100 ?
(range(x), 10) : // $ range=>=100 (range(x), 10) : // $ range=>=100
(range(x), x); // $ range=<=99 (range(x), x); // $ range=<=99
range(y2); range(y2); // $ range=<=99
y3 = 0; y3 = 0;
y4 = 0; y4 = 0;
y5 = 0; y5 = 0;
@@ -580,14 +580,14 @@ unsigned int test_ternary01(unsigned int x) {
if (x < 300) { if (x < 300) {
range(x); // $ range=<=299 range(x); // $ range=<=299
y3 = x ?: y3 = x ?:
(range(x), 5); // y3 < 300 (range(x), 5);
range(y3); range(y3); // $ range=<=299
y4 = x ?: y4 = x ?:
(range(x), 500); // y4 <= 500 (range(x), 500);
range(y4); range(y4); // $ range=<=500
y5 = (x+1) ?: y5 = (x+1) ?:
(range(x), 500); // $ range===-1 (range(x), 500); // $ range===-1
range(y5); // y5 <= 300 range(y5); // $ range=<=500
y6 = ((unsigned char)(x+1)) ?: y6 = ((unsigned char)(x+1)) ?:
(range(x), 5); // $ range=<=299 (range(x), 5); // $ range=<=299
range(y6); // y6 < 256 range(y6); // y6 < 256
@@ -608,11 +608,11 @@ unsigned int test_ternary02(unsigned int x) {
y1 = x > 100 ? y1 = x > 100 ?
(range(x), x) : // $ range=>=101 (range(x), x) : // $ range=>=101
(range(x), 110); // $ range=<=100 (range(x), 110); // $ range=<=100
range(y1); // y1 > 100 range(y1); // $ range=>=101
y2 = x <= 100 ? y2 = x <= 100 ?
(range(x), 110) : // $ range=<=100 (range(x), 110) : // $ range=<=100
(range(x), x); // $ range=>=101 (range(x), x); // $ range=>=101
range(y2); // y2 > 100 range(y2); // $ range=>=101
y3 = 1000; y3 = 1000;
y4 = 1000; y4 = 1000;
y5 = 1000; y5 = 1000;
@@ -620,15 +620,15 @@ unsigned int test_ternary02(unsigned int x) {
range(x); // $ range=>=300 range(x); // $ range=>=300
y3 = (x-300) ?: y3 = (x-300) ?:
(range(x), 5); // $ range===300 (range(x), 5); // $ range===300
range(y3); // y3 >= 0 range(y3); // $ range=>=0
y4 = (x-200) ?: y4 = (x-200) ?:
(range(x), 5); // $ range=<=200 range=>=300 (range(x), 5); // $ range=<=200 range=>=300
range(y4); // y4 >= 100 range(y4); // $ SPURIOUS: range=>=5 MISSING: range=>=100
y5 = ((unsigned char)(x-200)) ?: y5 = ((unsigned char)(x-200)) ?:
(range(x), 5); // $ range=>=300 (range(x), 5); // $ range=>=300
range(y5); // y6 >= 0 range(y5); // y6 >= 0
} }
range(y1 + y2 + y3 + y4 + y5); // $ MISSING: range=">=... = ...:... ? ... : ...+0" range=">=call to range+0" range(y1 + y2 + y3 + y4 + y5); // $ range=">=call to range+207" MISSING: range=">=... = ...:... ? ... : ...+0" range=">=call to range+0"
return y1 + y2 + y3 + y4 + y5; return y1 + y2 + y3 + y4 + y5;
} }
@@ -640,14 +640,14 @@ unsigned int test_comma01(unsigned int x) {
unsigned int y1; unsigned int y1;
unsigned int y2; unsigned int y2;
y1 = (++y, y); y1 = (++y, y);
range(y1); // $ range="==... ? ... : ...+1" range(y1); // $ range=<=101 range="==... ? ... : ...+1"
y2 = (y++, y2 = (y++,
range(y), // $ range="==++ ...:... = ...+1" range="==... ? ... : ...+2" range(y), // $ range=<=102 range="==++ ...:... = ...+1" range="==... ? ... : ...+2"
y += 3, y += 3,
range(y), // $ range="==++ ...:... = ...+4" range="==... +++3" range="==... ? ... : ...+5" range(y), // $ range=<=105 range="==++ ...:... = ...+4" range="==... +++3" range="==... ? ... : ...+5"
y); y);
range(y2); // $ range="==++ ...:... = ...+4" range="==... +++3" range="==... ? ... : ...+5" range(y2); // $ range=<=105 range="==++ ...:... = ...+4" range="==... +++3" range="==... ? ... : ...+5"
range(y1 + y2); // $ MISSING: range=">=++ ...:... = ...+5" range=">=... +++4" range=">=... += ...:... = ...+1" range=">=... ? ... : ...+6" range(y1 + y2); // $ range=<=206 range="<=... ? ... : ...+106" MISSING: range=">=++ ...:... = ...+5" range=">=... +++4" range=">=... += ...:... = ...+1" range=">=... ? ... : ...+6"
return y1 + y2; return y1 + y2;
} }
@@ -683,27 +683,27 @@ int test_unsigned_mult01(unsigned int a, unsigned b) {
range(a); // $ range=<=11 range=>=3 range(a); // $ range=<=11 range=>=3
range(b); // $ range=<=23 range=>=5 range(b); // $ range=<=23 range=>=5
int r = a*b; // 15 .. 253 int r = a*b; // 15 .. 253
range(r); range(r); // $ range=>=15 range=<=253
total += r; total += r;
range(total); // $ MISSING: range=>=1 range(total); // $ range=>=15 range=<=253
} }
if (3 <= a && a <= 11 && 0 <= b && b <= 23) { if (3 <= a && a <= 11 && 0 <= b && b <= 23) {
range(a); // $ range=<=11 range=>=3 range(a); // $ range=<=11 range=>=3
range(b); // $ range=<=23 range=>=0 range(b); // $ range=<=23 range=>=0
int r = a*b; // 0 .. 253 int r = a*b; // 0 .. 253
range(r); range(r); // $ range=>=0 range=<=253
total += r; total += r;
range(total); // $ MISSING: range=">=(unsigned int)...+0" range=>=0 range(total); // $ range=>=0 range=<=506 range=">=(unsigned int)...+0" range="<=(unsigned int)...+253"
} }
if (3 <= a && a <= 11 && 13 <= b && b <= 23) { if (3 <= a && a <= 11 && 13 <= b && b <= 23) {
range(a); // $ range=<=11 range=>=3 range(a); // $ range=<=11 range=>=3
range(b); // $ range=<=23 range=>=13 range(b); // $ range=<=23 range=>=13
int r = a*b; // 39 .. 253 int r = a*b; // 39 .. 253
range(r); range(r); // $ range=>=39 range=<=253
total += r; total += r;
range(total); // $ MISSING: range=">=(unsigned int)...+1" range=>=1 range(total); // $ range=>=39 range=<=759 range=">=(unsigned int)...+39" range="<=(unsigned int)...+506" range="<=(unsigned int)...+253"
} }
range(total); // $ MISSING: range=">=(unsigned int)...+0" range=>=0 range(total); // $ range=>=0 range=<=759 range=">=(unsigned int)...+0" range="<=(unsigned int)...+506" range="<=(unsigned int)...+253"
return total; return total;
} }
@@ -713,25 +713,25 @@ int test_unsigned_mult02(unsigned b) {
if (5 <= b && b <= 23) { if (5 <= b && b <= 23) {
range(b); // $ range=<=23 range=>=5 range(b); // $ range=<=23 range=>=5
int r = 11*b; // 55 .. 253 int r = 11*b; // 55 .. 253
range(r); range(r); // $ range=>=55 range=<=253
total += r; total += r;
range(total); // $ MISSING: range=>=1 range(total); // $ range=>=55 range=<=253
} }
if (0 <= b && b <= 23) { if (0 <= b && b <= 23) {
range(b); // $ range=<=23 range=>=0 range(b); // $ range=<=23 range=>=0
int r = 11*b; // 0 .. 253 int r = 11*b; // 0 .. 253
range(r); range(r); // $ range=>=0 range=<=253
total += r; total += r;
range(total); // $ MISSING: range=">=(unsigned int)...+0" range=>=0 range(total); // $ range=>=0 range=<=506 range=">=(unsigned int)...+0" range="<=(unsigned int)...+253"
} }
if (13 <= b && b <= 23) { if (13 <= b && b <= 23) {
range(b); // $ range=<=23 range=>=13 range(b); // $ range=<=23 range=>=13
int r = 11*b; // 143 .. 253 int r = 11*b; // 143 .. 253
range(r); range(r); // $ range=>=143 range=<=253
total += r; total += r;
range(total); // $ MISSING: range=">=(unsigned int)...+1" range=>=1 range(total); // $ range=>=143 range=<=759 range=">=(unsigned int)...+143" range="<=(unsigned int)...+506" range="<=(unsigned int)...+253"
} }
range(total); // $ MISSING: range=">=(unsigned int)...+0" range=>=0 range(total); // $ range=>=0 range=<=759 range=">=(unsigned int)...+0" range="<=(unsigned int)...+506" range="<=(unsigned int)...+253"
return total; return total;
} }

4
javascript/ql/src/Security/CWE-916/InsufficientPasswordHash.qhelp
View File

@@ -37,7 +37,7 @@
the hash of a password. the hash of a password.
</p> </p>
<sample src="examples/InsufficientPasswordHash.js"/> <sample src="examples/InsufficientPasswordHash_NodeJS.js"/>
<p> <p>
This is not secure, since the password can be efficiently This is not secure, since the password can be efficiently
@@ -46,7 +46,7 @@
algorithm: algorithm:
</p> </p>
<sample src="examples/InsufficientPasswordHash_fixed.js"/> <sample src="examples/InsufficientPasswordHash_NodeJS_fixed.js"/>
</example> </example>
<references> <references>

2
ql/ql/src/codeql_ql/ast/Ast.qll
View File

@@ -972,7 +972,7 @@ class Class extends TClass, TypeDeclaration, ModuleDeclaration {
} }
/** Gets the class type defined by this class declaration. */ /** Gets the class type defined by this class declaration. */
Type getType() { result.getDeclaration() = this } ClassType getType() { result.getDeclaration() = this }
override AstNode getAChild(string pred) { override AstNode getAChild(string pred) {
result = super.getAChild(pred) result = super.getAChild(pred)

8
ql/ql/test/type/type.expected
View File

@@ -1,6 +1,4 @@
| Test.qll:4:15:4:18 | this | Test.qll:3:7:3:13 | Strings | | Test.qll:4:15:4:18 | this | Test.qll:3:7:3:13 | Strings |
| Test.qll:4:15:4:18 | this | Test.qll:3:7:3:13 | Strings.Strings |
| Test.qll:4:15:4:18 | this | Test.qll:3:7:3:13 | Strings.extends |
| Test.qll:4:22:4:76 | Set | file://:0:0:0:0 | string | | Test.qll:4:22:4:76 | Set | file://:0:0:0:0 | string |
| Test.qll:4:23:4:24 | String | file://:0:0:0:0 | string | | Test.qll:4:23:4:24 | String | file://:0:0:0:0 | string |
| Test.qll:4:27:4:29 | String | file://:0:0:0:0 | string | | Test.qll:4:27:4:29 | String | file://:0:0:0:0 | string |
@@ -13,8 +11,6 @@
| Test.qll:4:66:4:69 | String | file://:0:0:0:0 | string | | Test.qll:4:66:4:69 | String | file://:0:0:0:0 | string |
| Test.qll:4:72:4:75 | String | file://:0:0:0:0 | string | | Test.qll:4:72:4:75 | String | file://:0:0:0:0 | string |
| Test.qll:8:14:8:17 | this | Test.qll:7:7:7:12 | Floats | | Test.qll:8:14:8:17 | this | Test.qll:7:7:7:12 | Floats |
| Test.qll:8:14:8:17 | this | Test.qll:7:7:7:12 | Floats.Floats |
| Test.qll:8:14:8:17 | this | Test.qll:7:7:7:12 | Floats.extends |
| Test.qll:8:21:8:70 | Set | file://:0:0:0:0 | float | | Test.qll:8:21:8:70 | Set | file://:0:0:0:0 | float |
| Test.qll:8:22:8:24 | Float | file://:0:0:0:0 | float | | Test.qll:8:22:8:24 | Float | file://:0:0:0:0 | float |
| Test.qll:8:27:8:29 | Float | file://:0:0:0:0 | float | | Test.qll:8:27:8:29 | Float | file://:0:0:0:0 | float |
@@ -35,14 +31,10 @@
| Test.qll:13:45:13:49 | AddExpr | file://:0:0:0:0 | float | | Test.qll:13:45:13:49 | AddExpr | file://:0:0:0:0 | float |
| Test.qll:13:49:13:49 | b | Test.qll:7:7:7:12 | Floats | | Test.qll:13:49:13:49 | b | Test.qll:7:7:7:12 | Floats |
| Test.qll:16:12:16:15 | this | Test.qll:15:7:15:10 | Base | | Test.qll:16:12:16:15 | this | Test.qll:15:7:15:10 | Base |
| Test.qll:16:12:16:15 | this | Test.qll:15:7:15:10 | Base.Base |
| Test.qll:16:12:16:15 | this | Test.qll:15:7:15:10 | Base.extends |
| Test.qll:16:19:16:23 | String | file://:0:0:0:0 | string | | Test.qll:16:19:16:23 | String | file://:0:0:0:0 | string |
| Test.qll:18:15:18:20 | result | file://:0:0:0:0 | int | | Test.qll:18:15:18:20 | result | file://:0:0:0:0 | int |
| Test.qll:18:24:18:24 | Integer | file://:0:0:0:0 | int | | Test.qll:18:24:18:24 | Integer | file://:0:0:0:0 | int |
| Test.qll:22:11:22:14 | this | Test.qll:21:7:21:9 | Sub | | Test.qll:22:11:22:14 | this | Test.qll:21:7:21:9 | Sub |
| Test.qll:22:11:22:14 | this | Test.qll:21:7:21:9 | Sub.Sub |
| Test.qll:22:11:22:14 | this | Test.qll:21:7:21:9 | Sub.extends |
| Test.qll:22:18:22:22 | String | file://:0:0:0:0 | string | | Test.qll:22:18:22:22 | String | file://:0:0:0:0 | string |
| Test.qll:24:15:24:20 | result | file://:0:0:0:0 | int | | Test.qll:24:15:24:20 | result | file://:0:0:0:0 | int |
| Test.qll:24:24:24:33 | Super | Test.qll:15:7:15:10 | Base | | Test.qll:24:24:24:33 | Super | Test.qll:15:7:15:10 | Base |

15
swift/ql/src/diagnostics/SuccessfullyExtractedLines.ql Normal file
View File

@@ -0,0 +1,15 @@
/**
* @name Successfully extracted lines
* @description Count all lines in source code in which something was extracted. Entities spanning multiple lines like multi-line strings or comments only contribute one line to this count.
* @kind metric
* @id swift/diagnostics/successfully-extracted-lines
* @tags summary
*/
import swift
select count(File f, int line |
exists(Location loc |
not loc instanceof UnknownLocation and loc.getFile() = f and loc.getStartLine() = line
)
)

1
swift/ql/test/query-tests/Diagnostics/SuccessfullyExtractedLines.expected Normal file
View File

@@ -0,0 +1 @@
| 4 |

1
swift/ql/test/query-tests/Diagnostics/SuccessfullyExtractedLines.qlref Normal file
View File

@@ -0,0 +1 @@
diagnostics/SuccessfullyExtractedLines.ql

3
swift/ql/test/query-tests/Diagnostics/ignored.swift Normal file
View File

@@ -0,0 +1,3 @@
//codeql-extractor-env: CODEQL_EXTRACTOR_SWIFT_RUN_UNDER=true
func not_compiled() {}

6
swift/ql/test/query-tests/Diagnostics/main.swift
View File

@@ -0,0 +1,6 @@
// a comment
func foo() {}