Merge branch 'main' into XMLXml

2026-05-22 15:17:09 +02:00 · 2022-08-22 11:14:34 +02:00
parent fd581f74aa c904ba1d16
commit 39820ee561
29 changed files with 9008 additions and 211 deletions
--- a/cpp/downgrades/f96ad9b2da43bbc9e55a72a165febd270ae07981/old.dbscheme
+++ b/cpp/downgrades/f96ad9b2da43bbc9e55a72a165febd270ae07981/old.dbscheme
--- a/cpp/downgrades/f96ad9b2da43bbc9e55a72a165febd270ae07981/semmlecode.cpp.dbscheme
+++ b/cpp/downgrades/f96ad9b2da43bbc9e55a72a165febd270ae07981/semmlecode.cpp.dbscheme
--- a/cpp/downgrades/f96ad9b2da43bbc9e55a72a165febd270ae07981/upgrade.properties
+++ b/cpp/downgrades/f96ad9b2da43bbc9e55a72a165febd270ae07981/upgrade.properties
@@ -0,0 +1,3 @@
+description: Add relation for orphaned local variables
+compatibility: full
+orphaned_variables.rel: delete
--- a/cpp/ql/lib/semmle/code/cpp/Variable.qll
+++ b/cpp/ql/lib/semmle/code/cpp/Variable.qll
@@ -398,6 +398,8 @@ class LocalVariable extends LocalScopeVariable, @localvariable {
    exists(DeclStmt s | s.getADeclaration() = this and s.getEnclosingFunction() = result)
    or
    exists(ConditionDeclExpr e | e.getVariable() = this and e.getEnclosingFunction() = result)
+    or
+    orphaned_variables(underlyingElement(this), unresolveElement(result))
  }
 }

--- a/cpp/ql/lib/semmlecode.cpp.dbscheme
+++ b/cpp/ql/lib/semmlecode.cpp.dbscheme
@@ -523,6 +523,11 @@ autoderivation(
    int derivation_type: @type ref
 );

+orphaned_variables(
+    int var: @localvariable ref,
+    int function: @function ref
+)
+
 enumconstants(
    unique int id: @enumconstant,
    int parent: @usertype ref,
--- a/cpp/ql/lib/semmlecode.cpp.dbscheme.stats
+++ b/cpp/ql/lib/semmlecode.cpp.dbscheme.stats
--- a/cpp/ql/lib/upgrades/73af5058c6899dcdb05754c27ca966aeb3a68c94/old.dbscheme
+++ b/cpp/ql/lib/upgrades/73af5058c6899dcdb05754c27ca966aeb3a68c94/old.dbscheme
--- a/cpp/ql/lib/upgrades/73af5058c6899dcdb05754c27ca966aeb3a68c94/semmlecode.cpp.dbscheme
+++ b/cpp/ql/lib/upgrades/73af5058c6899dcdb05754c27ca966aeb3a68c94/semmlecode.cpp.dbscheme
--- a/cpp/ql/lib/upgrades/73af5058c6899dcdb05754c27ca966aeb3a68c94/upgrade.properties
+++ b/cpp/ql/lib/upgrades/73af5058c6899dcdb05754c27ca966aeb3a68c94/upgrade.properties
@@ -0,0 +1,2 @@
+description: Add relation for orphaned local variables
+compatibility: partial
--- a/cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql
+++ b/cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql
@@ -19,6 +19,7 @@ import semmle.code.cpp.security.Security
 import semmle.code.cpp.valuenumbering.GlobalValueNumbering
 import semmle.code.cpp.ir.IR
 import semmle.code.cpp.ir.dataflow.TaintTracking
+import semmle.code.cpp.ir.dataflow.TaintTracking2
 import semmle.code.cpp.security.FlowSources
 import semmle.code.cpp.models.implementations.Strcat
 import DataFlow::PathGraph
@@ -83,6 +84,32 @@ class ExecState extends DataFlow::FlowState {
  DataFlow::Node getFstNode() { result = fst }

  DataFlow::Node getSndNode() { result = snd }
+
+  /** Holds if this is a possible `ExecState` for `sink`. */
+  predicate isFeasibleForSink(DataFlow::Node sink) {
+    any(ExecStateConfiguration conf).hasFlow(snd, sink)
+  }
+}
+
+/**
+ * A `TaintTracking` configuration that's used to find the relevant `ExecState`s for a
+ * given sink. This avoids a cartesian product between all sinks and all `ExecState`s in
+ * `ExecTaintConfiguration::isSink`.
+ */
+class ExecStateConfiguration extends TaintTracking2::Configuration {
+  ExecStateConfiguration() { this = "ExecStateConfiguration" }
+
+  override predicate isSource(DataFlow::Node source) {
+    exists(ExecState state | state.getSndNode() = source)
+  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    shellCommand(sinkAsArgumentIndirection(sink), _)
+  }
+
+  override predicate isSanitizerOut(DataFlow::Node node) {
+    isSink(node, _) // Prevent duplicates along a call chain, since `shellCommand` will include wrappers
+  }
 }

 class ExecTaintConfiguration extends TaintTracking::Configuration {
@@ -94,8 +121,8 @@ class ExecTaintConfiguration extends TaintTracking::Configuration {
  }

  override predicate isSink(DataFlow::Node sink, DataFlow::FlowState state) {
-    shellCommand(sinkAsArgumentIndirection(sink), _) and
-    state instanceof ExecState
+    any(ExecStateConfiguration conf).isSink(sink) and
+    state.(ExecState).isFeasibleForSink(sink)
  }

  override predicate isAdditionalTaintStep(
--- a/cpp/ql/test/TestUtilities/InlineExpectationsTest.qll
+++ b/cpp/ql/test/TestUtilities/InlineExpectationsTest.qll
@@ -330,6 +330,19 @@ abstract private class Expectation extends FailureLocatable {
  override Location getLocation() { result = comment.getLocation() }
 }

+private predicate onSameLine(ValidExpectation a, ActualResult b) {
+  exists(string fname, int line, Location la, Location lb |
+    // Join order intent:
+    // Take the locations of ActualResults,
+    // join with locations in the same file / on the same line,
+    // then match those against ValidExpectations.
+    la = a.getLocation() and
+    pragma[only_bind_into](lb) = b.getLocation() and
+    pragma[only_bind_into](la).hasLocationInfo(fname, line, _, _, _) and
+    lb.hasLocationInfo(fname, line, _, _, _)
+  )
+}
+
 private class ValidExpectation extends Expectation, TValidExpectation {
  string tag;
  string value;
@@ -344,8 +357,7 @@ private class ValidExpectation extends Expectation, TValidExpectation {
  string getKnownFailure() { result = knownFailure }

  predicate matchesActualResult(ActualResult actualResult) {
-    getLocation().getStartLine() = actualResult.getLocation().getStartLine() and
-    getLocation().getFile() = actualResult.getLocation().getFile() and
+    onSameLine(pragma[only_bind_into](this), actualResult) and
    getTag() = actualResult.getTag() and
    getValue() = actualResult.getValue()
  }
--- a/cpp/ql/test/library-tests/ir/ir/PrintAST.expected
+++ b/cpp/ql/test/library-tests/ir/ir/PrintAST.expected
@@ -14137,6 +14137,30 @@ ir.cpp:
 # 1845|           Type = [Struct] B
 # 1845|           ValueCategory = lvalue
 # 1846|     getStmt(2): [ReturnStmt] return ...
+# 1849| [TopLevelFunction] void magicvars()
+# 1849|   <params>: 
+# 1849|   getEntryPoint(): [BlockStmt] { ... }
+# 1850|     getStmt(0): [DeclStmt] declaration
+# 1850|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of pf
+# 1850|           Type = [PointerType] const char *
+# 1850|         getVariable().getInitializer(): [Initializer] initializer for pf
+# 1850|           getExpr(): [VariableAccess] __PRETTY_FUNCTION__
+# 1850|               Type = [ArrayType] const char[17]
+# 1850|               ValueCategory = lvalue
+# 1850|           getExpr().getFullyConverted(): [ArrayToPointerConversion] array to pointer conversion
+# 1850|               Type = [PointerType] const char *
+# 1850|               ValueCategory = prvalue
+# 1851|     getStmt(1): [DeclStmt] declaration
+# 1851|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of strfunc
+# 1851|           Type = [PointerType] const char *
+# 1851|         getVariable().getInitializer(): [Initializer] initializer for strfunc
+# 1851|           getExpr(): [VariableAccess] __func__
+# 1851|               Type = [ArrayType] const char[10]
+# 1851|               ValueCategory = lvalue
+# 1851|           getExpr().getFullyConverted(): [ArrayToPointerConversion] array to pointer conversion
+# 1851|               Type = [PointerType] const char *
+# 1851|               ValueCategory = prvalue
+# 1852|     getStmt(2): [ReturnStmt] return ...
 perf-regression.cpp:
 #    4| [CopyAssignmentOperator] Big& Big::operator=(Big const&)
 #    4|   <params>: 
--- a/cpp/ql/test/library-tests/ir/ir/ir.cpp
+++ b/cpp/ql/test/library-tests/ir/ir/ir.cpp
@@ -1846,4 +1846,9 @@ namespace block_assignment {
    }
 }

+void magicvars() {
+    const char *pf = __PRETTY_FUNCTION__;
+    const char *strfunc = __func__;
+}
+
 // semmle-extractor-options: -std=c++17 --clang
--- a/cpp/ql/test/library-tests/ir/ir/operand_locations.expected
+++ b/cpp/ql/test/library-tests/ir/ir/operand_locations.expected
@@ -8641,6 +8641,15 @@
 | ir.cpp:1845:13:1845:13 | SideEffect | ~m1845_9 |
 | ir.cpp:1845:13:1845:13 | SideEffect | ~m1845_12 |
 | ir.cpp:1845:13:1845:13 | Unary | r1845_3 |
+| ir.cpp:1849:6:1849:14 | ChiPartial | partial:m1849_3 |
+| ir.cpp:1849:6:1849:14 | ChiTotal | total:m1849_2 |
+| ir.cpp:1849:6:1849:14 | SideEffect | m1849_3 |
+| ir.cpp:1850:17:1850:18 | Address | &:r1850_1 |
+| ir.cpp:1850:22:1850:40 | StoreValue | r1850_3 |
+| ir.cpp:1850:22:1850:40 | Unary | r1850_2 |
+| ir.cpp:1851:17:1851:23 | Address | &:r1851_1 |
+| ir.cpp:1851:27:1851:34 | StoreValue | r1851_3 |
+| ir.cpp:1851:27:1851:34 | Unary | r1851_2 |
 | perf-regression.cpp:6:3:6:5 | Address | &:r6_5 |
 | perf-regression.cpp:6:3:6:5 | Address | &:r6_5 |
 | perf-regression.cpp:6:3:6:5 | Address | &:r6_7 |
--- a/cpp/ql/test/library-tests/ir/ir/raw_ir.expected
+++ b/cpp/ql/test/library-tests/ir/ir/raw_ir.expected
@@ -9914,6 +9914,24 @@ ir.cpp:
 # 1843|     v1843_5(void)           = AliasedUse                      : ~m?
 # 1843|     v1843_6(void)           = ExitFunction                    : 

+# 1849| void magicvars()
+# 1849|   Block 0
+# 1849|     v1849_1(void)            = EnterFunction                        : 
+# 1849|     mu1849_2(unknown)        = AliasedDefinition                    : 
+# 1849|     mu1849_3(unknown)        = InitializeNonLocal                   : 
+# 1850|     r1850_1(glval<char *>)   = VariableAddress[pf]                  : 
+# 1850|     r1850_2(glval<char[17]>) = VariableAddress[__PRETTY_FUNCTION__] : 
+# 1850|     r1850_3(char *)          = Convert                              : r1850_2
+# 1850|     mu1850_4(char *)         = Store[pf]                            : &:r1850_1, r1850_3
+# 1851|     r1851_1(glval<char *>)   = VariableAddress[strfunc]             : 
+# 1851|     r1851_2(glval<char[10]>) = VariableAddress[__func__]            : 
+# 1851|     r1851_3(char *)          = Convert                              : r1851_2
+# 1851|     mu1851_4(char *)         = Store[strfunc]                       : &:r1851_1, r1851_3
+# 1852|     v1852_1(void)            = NoOp                                 : 
+# 1849|     v1849_4(void)            = ReturnVoid                           : 
+# 1849|     v1849_5(void)            = AliasedUse                           : ~m?
+# 1849|     v1849_6(void)            = ExitFunction                         : 
+
 perf-regression.cpp:
 #    6| void Big::Big()
 #    6|   Block 0
--- a/cpp/ql/test/library-tests/syntax-zoo/aliased_ssa_consistency.expected
+++ b/cpp/ql/test/library-tests/syntax-zoo/aliased_ssa_consistency.expected
@@ -99,8 +99,6 @@ thisArgumentIsNonPointer
 | pointer_to_member.cpp:23:5:23:54 | Call: call to expression | Call instruction 'Call: call to expression' has a `this` argument operand that is not an address, in function '$@'. | pointer_to_member.cpp:14:5:14:9 | int usePM(int PM::*) | int usePM(int PM::*) |
 | pointer_to_member.cpp:24:5:24:49 | Call: call to expression | Call instruction 'Call: call to expression' has a `this` argument operand that is not an address, in function '$@'. | pointer_to_member.cpp:14:5:14:9 | int usePM(int PM::*) | int usePM(int PM::*) |
 nonUniqueIRVariable
-| misc.c:178:22:178:40 | VariableAddress: __PRETTY_FUNCTION__ | Variable address instruction 'VariableAddress: __PRETTY_FUNCTION__' has no associated variable, in function '$@'. | misc.c:177:6:177:14 | void magicvars() | void magicvars() |
-| misc.c:179:27:179:34 | VariableAddress: __func__ | Variable address instruction 'VariableAddress: __func__' has no associated variable, in function '$@'. | misc.c:177:6:177:14 | void magicvars() | void magicvars() |
 missingCanonicalLanguageType
 multipleCanonicalLanguageTypes
 missingIRType
--- a/cpp/ql/test/library-tests/syntax-zoo/raw_consistency.expected
+++ b/cpp/ql/test/library-tests/syntax-zoo/raw_consistency.expected
@@ -149,8 +149,6 @@ thisArgumentIsNonPointer
 | pointer_to_member.cpp:23:5:23:54 | Call: call to expression | Call instruction 'Call: call to expression' has a `this` argument operand that is not an address, in function '$@'. | pointer_to_member.cpp:14:5:14:9 | int usePM(int PM::*) | int usePM(int PM::*) |
 | pointer_to_member.cpp:24:5:24:49 | Call: call to expression | Call instruction 'Call: call to expression' has a `this` argument operand that is not an address, in function '$@'. | pointer_to_member.cpp:14:5:14:9 | int usePM(int PM::*) | int usePM(int PM::*) |
 nonUniqueIRVariable
-| misc.c:178:22:178:40 | VariableAddress: __PRETTY_FUNCTION__ | Variable address instruction 'VariableAddress: __PRETTY_FUNCTION__' has no associated variable, in function '$@'. | misc.c:177:6:177:14 | void magicvars() | void magicvars() |
-| misc.c:179:27:179:34 | VariableAddress: __func__ | Variable address instruction 'VariableAddress: __func__' has no associated variable, in function '$@'. | misc.c:177:6:177:14 | void magicvars() | void magicvars() |
 missingCanonicalLanguageType
 multipleCanonicalLanguageTypes
 missingIRType
--- a/cpp/ql/test/library-tests/syntax-zoo/unaliased_ssa_consistency.expected
+++ b/cpp/ql/test/library-tests/syntax-zoo/unaliased_ssa_consistency.expected
@@ -99,8 +99,6 @@ thisArgumentIsNonPointer
 | pointer_to_member.cpp:23:5:23:54 | Call: call to expression | Call instruction 'Call: call to expression' has a `this` argument operand that is not an address, in function '$@'. | pointer_to_member.cpp:14:5:14:9 | int usePM(int PM::*) | int usePM(int PM::*) |
 | pointer_to_member.cpp:24:5:24:49 | Call: call to expression | Call instruction 'Call: call to expression' has a `this` argument operand that is not an address, in function '$@'. | pointer_to_member.cpp:14:5:14:9 | int usePM(int PM::*) | int usePM(int PM::*) |
 nonUniqueIRVariable
-| misc.c:178:22:178:40 | VariableAddress: __PRETTY_FUNCTION__ | Variable address instruction 'VariableAddress: __PRETTY_FUNCTION__' has no associated variable, in function '$@'. | misc.c:177:6:177:14 | void magicvars() | void magicvars() |
-| misc.c:179:27:179:34 | VariableAddress: __func__ | Variable address instruction 'VariableAddress: __func__' has no associated variable, in function '$@'. | misc.c:177:6:177:14 | void magicvars() | void magicvars() |
 missingCanonicalLanguageType
 multipleCanonicalLanguageTypes
 missingIRType