Merge remote-tracking branch 'upstream/master' into detect-conflated-memory
Conflicts: cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/IRSanity.qll cpp/ql/src/semmle/code/cpp/ir/implementation/raw/IRSanity.qll cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/IRSanity.qll cpp/ql/test/library-tests/ir/ir/aliased_ssa_sanity.expected cpp/ql/test/library-tests/ir/ir/aliased_ssa_sanity_unsound.expected cpp/ql/test/library-tests/ir/ir/raw_sanity.expected cpp/ql/test/library-tests/ir/ir/unaliased_ssa_sanity.expected cpp/ql/test/library-tests/ir/ir/unaliased_ssa_sanity_unsound.expected cpp/ql/test/library-tests/ir/ssa/aliased_ssa_sanity.expected cpp/ql/test/library-tests/ir/ssa/aliased_ssa_sanity_unsound.expected cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_sanity.expected cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_sanity_unsound.expected cpp/ql/test/library-tests/syntax-zoo/aliased_ssa_sanity.expected cpp/ql/test/library-tests/syntax-zoo/raw_sanity.expected cpp/ql/test/library-tests/syntax-zoo/unaliased_ssa_sanity.expected csharp/ql/src/semmle/code/csharp/ir/implementation/raw/IRSanity.qll csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/IRSanity.qll csharp/ql/test/library-tests/ir/ir/raw_ir_sanity.expected csharp/ql/test/library-tests/ir/ir/unaliased_ssa_sanity.expected
@@ -243,7 +243,7 @@ private module Cached {
|
||||
* - Types are checked using the `compatibleTypes()` relation.
|
||||
*/
|
||||
cached
|
||||
module Final {
|
||||
private module Final {
|
||||
/**
|
||||
* Holds if `p` can flow to `node` in the same callable using only
|
||||
* value-preserving steps, not taking call contexts into account.
|
||||
|
||||
@@ -21,4 +21,23 @@ module SystemXmlXPath {
|
||||
class XPathExpression extends Class {
|
||||
XPathExpression() { this.hasName("XPathExpression") }
|
||||
}
|
||||
|
||||
/** The `System.Xml.XPath.XPathNavigator` class. */
|
||||
class XPathNavigator extends Class {
|
||||
XPathNavigator() { this.hasName("XPathNavigator") }
|
||||
|
||||
/** Gets a method that selects nodes. */
|
||||
csharp::Method getASelectMethod() {
|
||||
result = this.getAMethod() and result.getName().matches("Select%")
|
||||
}
|
||||
|
||||
/** Gets the `Compile` method. */
|
||||
csharp::Method getCompileMethod() { result = this.getAMethod("Compile") }
|
||||
|
||||
/** Gets an `Evaluate` method. */
|
||||
csharp::Method getAnEvaluateMethod() { result = this.getAMethod("Evaluate") }
|
||||
|
||||
/** Gets a `Matches` method. */
|
||||
csharp::Method getAMatchesMethod() { result = this.getAMethod("Matches") }
|
||||
}
|
||||
}
|
||||
|
||||
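Review bot: `getASelectMethod` is a prefix match — `result.getName().matches("Select%")` returns every method whose name begins with `Select`, such as `SelectSingleNode` as well as `Select` — but its QLDoc only says "a method that selects nodes", so a caller that filters the result further cannot tell which overloads may come back. State the rule in the comment: `/** Gets a method whose name starts with `Select`, e.g. `Select` or `SelectSingleNode`. */`. The `SystemXmlXPath` module starts before the hunk.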
@@ -70,7 +70,7 @@ private newtype TOpcode =
|
||||
TVarArgsStart() or
|
||||
TVarArgsEnd() or
|
||||
TVarArg() or
|
||||
TVarArgCopy() or
|
||||
TNextVarArg() or
|
||||
TCallSideEffect() or
|
||||
TCallReadSideEffect() or
|
||||
TIndirectReadSideEffect() or
|
||||
@@ -629,20 +629,20 @@ module Opcode {
|
||||
final override string toString() { result = "BuiltIn" }
|
||||
}
|
||||
|
||||
class VarArgsStart extends BuiltInOperationOpcode, TVarArgsStart {
|
||||
class VarArgsStart extends UnaryOpcode, TVarArgsStart {
|
||||
final override string toString() { result = "VarArgsStart" }
|
||||
}
|
||||
|
||||
class VarArgsEnd extends BuiltInOperationOpcode, TVarArgsEnd {
|
||||
class VarArgsEnd extends UnaryOpcode, TVarArgsEnd {
|
||||
final override string toString() { result = "VarArgsEnd" }
|
||||
}
|
||||
|
||||
class VarArg extends BuiltInOperationOpcode, TVarArg {
|
||||
class VarArg extends UnaryOpcode, TVarArg {
|
||||
final override string toString() { result = "VarArg" }
|
||||
}
|
||||
|
||||
class VarArgCopy extends BuiltInOperationOpcode, TVarArgCopy {
|
||||
final override string toString() { result = "VarArgCopy" }
|
||||
class NextVarArg extends UnaryOpcode, TNextVarArg {
|
||||
final override string toString() { result = "NextVarArg" }
|
||||
}
|
||||
|
||||
class CallSideEffect extends WriteSideEffectOpcode, EscapedWriteOpcode, MayWriteOpcode,
|
||||
|
||||
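Review bot: The `VarArgsStart`, `VarArgsEnd` and `VarArg` classes are rebased from `BuiltInOperationOpcode` onto `UnaryOpcode`, and `NextVarArg` replaces `VarArgCopy`, yet the line above each class is blank, so none of them carries a QLDoc saying what operand the instruction now takes or why the base class changed. Each class should get a one-line QLDoc describing the instruction it models, in the same form the rest of the `Opcode` module presumably uses — I cannot confirm that form from this hunk. The `TVarArgCopy` → `TNextVarArg` rename in the earlier `@@ -70,7 +70,7 @@ private newtype TOpcode` hunk has the same documentation gap. The `Opcode` module starts and ends outside the hunk.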
@@ -5,6 +5,7 @@ import IRTypeSanity // module is in IRType.qll
|
||||
module InstructionSanity {
|
||||
private import internal.InstructionImports as Imports
|
||||
private import Imports::OperandTag
|
||||
private import Imports::Overlap
|
||||
private import internal.IRInternal
|
||||
|
||||
/**
|
||||
@@ -302,4 +303,18 @@ module InstructionSanity {
|
||||
instr.isResultConflated() and
|
||||
not shouldBeConflated(instr)
|
||||
}
|
||||
|
||||
query predicate invalidOverlap(
|
||||
MemoryOperand useOperand, string message, IRFunction func, string funcText
|
||||
) {
|
||||
exists(Overlap overlap |
|
||||
overlap = useOperand.getDefinitionOverlap() and
|
||||
overlap instanceof MayPartiallyOverlap and
|
||||
message =
|
||||
"MemoryOperand '" + useOperand.toString() + "' has a `getDefinitionOverlap()` of '" +
|
||||
overlap.toString() + "'." and
|
||||
func = useOperand.getEnclosingIRFunction() and
|
||||
funcText = Language::getIdentityString(func.getFunction())
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
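Review bot: `invalidOverlap` is added as a `query predicate` with no QLDoc, so a reader of the sanity output cannot tell why a `MayPartiallyOverlap` result from `getDefinitionOverlap()` is an error rather than a legitimate state; the message on the `"MemoryOperand '" + ...` line only restates the value. Add a QLDoc before the predicate stating which overlap kinds a `MemoryOperand`'s definition is expected to have at this stage and why `MayPartiallyOverlap` must not survive — the hunk does not give the reason, so the author should supply it. The same undocumented predicate is added verbatim at the second `@@ -302,4 +303,18 @@ module InstructionSanity` hunk below (the C# copy), and the conflict list names further `IRSanity.qll` copies, so the comment belongs in each. The `InstructionSanity` module starts before the hunk.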
@@ -384,6 +384,8 @@ class PositionalArgumentOperand extends ArgumentOperand {
|
||||
|
||||
class SideEffectOperand extends TypedOperand {
|
||||
override SideEffectOperandTag tag;
|
||||
|
||||
override string toString() { result = "SideEffect" }
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
@@ -3,3 +3,4 @@ import semmle.code.csharp.ir.implementation.IRType as IRType
|
||||
import semmle.code.csharp.ir.implementation.MemoryAccessKind as MemoryAccessKind
|
||||
import semmle.code.csharp.ir.implementation.Opcode as Opcode
|
||||
import semmle.code.csharp.ir.implementation.internal.OperandTag as OperandTag
|
||||
import semmle.code.csharp.ir.internal.Overlap as Overlap
|
||||
|
||||
@@ -5,6 +5,7 @@ import IRTypeSanity // module is in IRType.qll
|
||||
module InstructionSanity {
|
||||
private import internal.InstructionImports as Imports
|
||||
private import Imports::OperandTag
|
||||
private import Imports::Overlap
|
||||
private import internal.IRInternal
|
||||
|
||||
/**
|
||||
@@ -302,4 +303,18 @@ module InstructionSanity {
|
||||
instr.isResultConflated() and
|
||||
not shouldBeConflated(instr)
|
||||
}
|
||||
|
||||
query predicate invalidOverlap(
|
||||
MemoryOperand useOperand, string message, IRFunction func, string funcText
|
||||
) {
|
||||
exists(Overlap overlap |
|
||||
overlap = useOperand.getDefinitionOverlap() and
|
||||
overlap instanceof MayPartiallyOverlap and
|
||||
message =
|
||||
"MemoryOperand '" + useOperand.toString() + "' has a `getDefinitionOverlap()` of '" +
|
||||
overlap.toString() + "'." and
|
||||
func = useOperand.getEnclosingIRFunction() and
|
||||
funcText = Language::getIdentityString(func.getFunction())
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
@@ -384,6 +384,8 @@ class PositionalArgumentOperand extends ArgumentOperand {
|
||||
|
||||
class SideEffectOperand extends TypedOperand {
|
||||
override SideEffectOperandTag tag;
|
||||
|
||||
override string toString() { result = "SideEffect" }
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
@@ -3,3 +3,4 @@ import semmle.code.csharp.ir.implementation.IRType as IRType
|
||||
import semmle.code.csharp.ir.implementation.MemoryAccessKind as MemoryAccessKind
|
||||
import semmle.code.csharp.ir.implementation.Opcode as Opcode
|
||||
import semmle.code.csharp.ir.implementation.internal.OperandTag as OperandTag
|
||||
import semmle.code.csharp.ir.internal.Overlap as Overlap
|
||||
|
||||
@@ -107,14 +107,15 @@ private module Cached {
|
||||
oldOperand instanceof OldIR::NonPhiMemoryOperand and
|
||||
exists(
|
||||
OldBlock useBlock, int useRank, Alias::MemoryLocation useLocation,
|
||||
Alias::MemoryLocation defLocation, OldBlock defBlock, int defRank, int defOffset
|
||||
Alias::MemoryLocation defLocation, OldBlock defBlock, int defRank, int defOffset,
|
||||
Alias::MemoryLocation actualDefLocation
|
||||
|
|
||||
useLocation = Alias::getOperandMemoryLocation(oldOperand) and
|
||||
hasUseAtRank(useLocation, useBlock, useRank, oldInstruction) and
|
||||
definitionReachesUse(useLocation, defBlock, defRank, useBlock, useRank) and
|
||||
hasDefinitionAtRank(useLocation, defLocation, defBlock, defRank, defOffset) and
|
||||
instr = getDefinitionOrChiInstruction(defBlock, defOffset, defLocation, _) and
|
||||
overlap = Alias::getOverlap(defLocation, useLocation)
|
||||
instr = getDefinitionOrChiInstruction(defBlock, defOffset, defLocation, actualDefLocation) and
|
||||
overlap = Alias::getOverlap(actualDefLocation, useLocation)
|
||||
)
|
||||
}
|
||||
|
||||
|
||||
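Review bot: The overlap is now computed against `actualDefLocation`, the value bound by `getDefinitionOrChiInstruction`, while `hasDefinitionAtRank` still joins on `defLocation`, and nothing in the hunk says when the two differ — which is exactly what a reader of the changed `overlap = Alias::getOverlap(actualDefLocation, useLocation)` line needs. Add a comment on that line such as `// Overlap is measured against the location the found instruction (or Chi) actually writes, which may differ from the location the definition was ranked under`; this is inferred from the names and should be checked against `getDefinitionOrChiInstruction`. The enclosing predicate starts outside the hunk.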
@@ -65,6 +65,20 @@ module XPathInjection {
|
||||
}
|
||||
}
|
||||
|
||||
/** The `xpath` argument to an `XPathNavigator` call. */
|
||||
class XmlNavigatorSink extends Sink {
|
||||
XmlNavigatorSink() {
|
||||
exists(SystemXmlXPath::XPathNavigator xmlNav, Method m |
|
||||
this.getExpr() = m.getACall().getArgumentForName("xpath")
|
||||
|
|
||||
m = xmlNav.getASelectMethod() or
|
||||
m = xmlNav.getCompileMethod() or
|
||||
m = xmlNav.getAnEvaluateMethod() or
|
||||
m = xmlNav.getAMatchesMethod()
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
private class SimpleTypeSanitizer extends Sanitizer, SimpleTypeSanitizedExpr { }
|
||||
|
||||
private class GuidSanitizer extends Sanitizer, GuidSanitizedExpr { }
|
||||
|
||||
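Review bot: `XmlNavigatorSink` selects only calls whose argument is named `xpath` (`getArgumentForName("xpath")`), and that name filter is what keeps the prefix-matched `Select%` methods from `getASelectMethod` that take no XPath string out of the sink set; this dependency on .NET parameter names is not documented anywhere in the class. Add a comment at the `this.getExpr() = m.getACall().getArgumentForName("xpath")` line: `// Only overloads that take the XPath as a string parameter named `xpath` are sinks; prefix-matched `Select*` overloads without one are excluded by the name filter.` Whether overloads taking a pre-compiled expression are covered through the `Compile` sink is an inference from `getCompileMethod` being listed and should be confirmed. The `XPathInjection` module starts before the hunk.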