hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-24 04:36:35 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #6884 from geoffw0/setliterals

Browse Source 
Replace or chains with set literals.
This commit is contained in:
Geoffrey White
2021-10-18 16:46:55 +01:00
committed by GitHub
parent b67032d1cc a0e501c3a9
commit 3f3c79f48f
53 changed files with 908 additions and 2750 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
cpp/ql/lib/experimental/semmle/code/cpp/security/PrivateData.qll
View File

@@ -13,26 +13,25 @@ import cpp
/** A string for `match` that identifies strings that look like they represent private data. */
private string privateNames() {
result =
[
// Inspired by the list on https://cwe.mitre.org/data/definitions/359.html
// Government identifiers, such as Social Security Numbers
result = "%social%security%number%" or
"%social%security%number%",
// Contact information, such as home addresses and telephone numbers
result = "%postcode%" or
result = "%zipcode%" or
"%postcode%", "%zipcode%",
// result = "%telephone%" or
// Geographic location - where the user is (or was)
result = "%latitude%" or
result = "%longitude%" or
"%latitude%", "%longitude%",
// Financial data - such as credit card numbers, salary, bank accounts, and debts
result = "%creditcard%" or
result = "%salary%" or
result = "%bankaccount%" or
"%creditcard%", "%salary%", "%bankaccount%",
// Communications - e-mail addresses, private e-mail messages, SMS text messages, chat logs, etc.
// result = "%email%" or
// result = "%mobile%" or
result = "%employer%" or
"%employer%",
// Health - medical conditions, insurance status, prescription records
result = "%medical%"
"%medical%"
]
}
/** An expression that might contain private data. */

20
cpp/ql/lib/semmle/code/cpp/Specifier.qll
View File

@@ -31,11 +31,7 @@ class Specifier extends Element, @specifier {
* A C/C++ function specifier: `inline`, `virtual`, or `explicit`.
*/
class FunctionSpecifier extends Specifier {
FunctionSpecifier() {
this.hasName("inline") or
this.hasName("virtual") or
this.hasName("explicit")
}
FunctionSpecifier() { this.hasName(["inline", "virtual", "explicit"]) }
override string getAPrimaryQlClass() { result = "FunctionSpecifier" }
}
@@ -45,13 +41,7 @@ class FunctionSpecifier extends Specifier {
* or `mutable".
*/
class StorageClassSpecifier extends Specifier {
StorageClassSpecifier() {
this.hasName("auto") or
this.hasName("register") or
this.hasName("static") or
this.hasName("extern") or
this.hasName("mutable")
}
StorageClassSpecifier() { this.hasName(["auto", "register", "static", "extern", "mutable"]) }
override string getAPrimaryQlClass() { result = "StorageClassSpecifier" }
}
@@ -60,11 +50,7 @@ class StorageClassSpecifier extends Specifier {
* A C++ access specifier: `public`, `protected`, or `private`.
*/
class AccessSpecifier extends Specifier {
AccessSpecifier() {
this.hasName("public") or
this.hasName("protected") or
this.hasName("private")
}
AccessSpecifier() { this.hasName(["public", "protected", "private"]) }
/**
* Gets the visibility of a field with access specifier `this` if it is

72
cpp/ql/lib/semmle/code/cpp/security/CommandExecution.qll
View File

@@ -28,35 +28,19 @@ class SystemFunction extends FunctionWithWrappers instanceof CommandExecutionFun
*/
class VarargsExecFunctionCall extends FunctionCall {
VarargsExecFunctionCall() {
getTarget().hasGlobalName("execl") or
getTarget().hasGlobalName("execle") or
getTarget().hasGlobalName("execlp") or
getTarget()
.hasGlobalName([
"execl", "execle", "execlp",
// Windows
getTarget().hasGlobalName("_execl") or
getTarget().hasGlobalName("_execle") or
getTarget().hasGlobalName("_execlp") or
getTarget().hasGlobalName("_execlpe") or
getTarget().hasGlobalName("_spawnl") or
getTarget().hasGlobalName("_spawnle") or
getTarget().hasGlobalName("_spawnlp") or
getTarget().hasGlobalName("_spawnlpe") or
getTarget().hasGlobalName("_wexecl") or
getTarget().hasGlobalName("_wexecle") or
getTarget().hasGlobalName("_wexeclp") or
getTarget().hasGlobalName("_wexeclpe") or
getTarget().hasGlobalName("_wspawnl") or
getTarget().hasGlobalName("_wspawnle") or
getTarget().hasGlobalName("_wspawnlp") or
getTarget().hasGlobalName("_wspawnlpe")
"_execl", "_execle", "_execlp", "_execlpe", "_spawnl", "_spawnle", "_spawnlp",
"_spawnlpe", "_wexecl", "_wexecle", "_wexeclp", "_wexeclpe", "_wspawnl", "_wspawnle",
"_wspawnlp", "_wspawnlpe"
])
}
/** Whether the last argument to the function is an environment pointer */
predicate hasEnvironmentArgument() {
getTarget().hasGlobalName("execle") or
getTarget().hasGlobalName("_execle") or
getTarget().hasGlobalName("_execlpe") or
getTarget().hasGlobalName("_wexecle") or
getTarget().hasGlobalName("_wexeclpe")
getTarget().hasGlobalName(["execle", "_execle", "_execlpe", "_wexecle", "_wexeclpe"])
}
/**
@@ -83,11 +67,7 @@ class VarargsExecFunctionCall extends FunctionCall {
* all the other ones start with the command.
*/
private int getCommandIdx() {
if
getTarget().getName().matches("\\_spawn%") or
getTarget().getName().matches("\\_wspawn%")
then result = 1
else result = 0
if getTarget().getName().matches(["\\_spawn%", "\\_wspawn%"]) then result = 1 else result = 0
}
}
@@ -98,28 +78,14 @@ class VarargsExecFunctionCall extends FunctionCall {
*/
class ArrayExecFunctionCall extends FunctionCall {
ArrayExecFunctionCall() {
getTarget().hasGlobalName("execv") or
getTarget().hasGlobalName("execvp") or
getTarget().hasGlobalName("execvpe") or
getTarget().hasGlobalName("execve") or
getTarget().hasGlobalName("fexecve") or
getTarget()
.hasGlobalName([
"execv", "execvp", "execvpe", "execve", "fexecve",
// Windows variants
getTarget().hasGlobalName("_execv") or
getTarget().hasGlobalName("_execve") or
getTarget().hasGlobalName("_execvp") or
getTarget().hasGlobalName("_execvpe") or
getTarget().hasGlobalName("_spawnv") or
getTarget().hasGlobalName("_spawnve") or
getTarget().hasGlobalName("_spawnvp") or
getTarget().hasGlobalName("_spawnvpe") or
getTarget().hasGlobalName("_wexecv") or
getTarget().hasGlobalName("_wexecve") or
getTarget().hasGlobalName("_wexecvp") or
getTarget().hasGlobalName("_wexecvpe") or
getTarget().hasGlobalName("_wspawnv") or
getTarget().hasGlobalName("_wspawnve") or
getTarget().hasGlobalName("_wspawnvp") or
getTarget().hasGlobalName("_wspawnvpe")
"_execv", "_execve", "_execvp", "_execvpe", "_spawnv", "_spawnve", "_spawnvp",
"_spawnvpe", "_wexecv", "_wexecve", "_wexecvp", "_wexecvpe", "_wspawnv", "_wspawnve",
"_wspawnvp", "_wspawnvpe"
])
}
/** The argument with the array of command arguments */
@@ -133,11 +99,7 @@ class ArrayExecFunctionCall extends FunctionCall {
* all the other ones start with the command.
*/
private int getCommandIdx() {
if
getTarget().getName().matches("\\_spawn%") or
getTarget().getName().matches("\\_wspawn%")
then result = 1
else result = 0
if getTarget().getName().matches(["\\_spawn%", "\\_wspawn%"]) then result = 1 else result = 0
}
}

15
cpp/ql/lib/semmle/code/cpp/security/OutputWrite.qll
View File

@@ -21,14 +21,12 @@ class OutputWrite extends Expr {
* A standard output or standard error variable.
*/
private predicate outputVariable(Variable v) {
v.hasName([
// standard output
v.hasName("cout") or
v.hasName("wcout") or
"cout", "wcout",
// standard error
v.hasName("cerr") or
v.hasName("clog") or
v.hasName("wcerr") or
v.hasName("wclog")
"cerr", "clog", "wcerr", "wclog"
])
}
/**
@@ -64,10 +62,7 @@ private predicate outputWrite(Expr write, Expr source) {
arg >= f.(FormattingFunction).getFormatParameterIndex()
or
// puts, putchar
(
f.hasGlobalOrStdName("puts") or
f.hasGlobalOrStdName("putchar")
) and
f.hasGlobalOrStdName(["puts", "putchar"]) and
arg = 0
or
exists(Call wrappedCall, Expr wrappedSource |

13
cpp/ql/lib/semmle/code/cpp/security/SensitiveExprs.qll
View File

@@ -11,17 +11,8 @@ import cpp
*/
bindingset[s]
private predicate suspicious(string s) {
(
s.matches("%password%") or
s.matches("%passwd%") or
s.matches("%trusted%")
) and
not (
s.matches("%hash%") or
s.matches("%crypt%") or
s.matches("%file%") or
s.matches("%path%")
)
s.matches(["%password%", "%passwd%", "%trusted%"]) and
not s.matches(["%hash%", "%crypt%", "%file%", "%path%"])
}
/**

10
cpp/ql/src/Best Practices/Magic Constants/MagicConstants.qll
View File

@@ -58,15 +58,7 @@ predicate intTrivial(Literal lit) { exists(string v | trivialIntValue(v) and v =
predicate longTrivial(Literal lit) { exists(string v | trivialLongValue(v) and v = lit.getValue()) }
predicate powerOfTen(float f) {
f = 10 or
f = 100 or
f = 1000 or
f = 10000 or
f = 100000 or
f = 1000000 or
f = 10000000 or
f = 100000000 or
f = 1000000000
f = [10, 100, 1000, 10000, 100000, 1000000, 10000000, 100000000, 1000000000]
}
predicate floatTrivial(Literal lit) {

17
cpp/ql/src/Likely Bugs/Conversion/NonzeroValueCastToPointer.ql
View File

@@ -13,14 +13,15 @@
import cpp
predicate commonErrorCode(string value) {
value = "0" or
value = "1" or
value = "-1" or
value = "18446744073709551615" or // 2^64-1, i.e. -1 as an unsigned int64
value = "4294967295" or // 2^32-1, i.e. -1 as an unsigned int32
value = "3735928559" or // 0xdeadbeef
value = "3735929054" or // 0xdeadc0de
value = "3405691582" // 0xcafebabe
value =
[
"0", "1", "-1", // common error codes
"18446744073709551615", // 2^64-1, i.e. -1 as an unsigned int64
"4294967295", // 2^32-1, i.e. -1 as an unsigned int32
"3735928559", // 0xdeadbeef
"3735929054", // 0xdeadc0de
"3405691582" // 0xcafebabe
]
}
from Expr e

28
cpp/ql/src/Likely Bugs/Memory Management/StrncpyFlippedArgs.ql
View File

@@ -43,23 +43,25 @@ predicate isSizePlus(Expr e, BufferSizeExpr baseSize, int plus) {
predicate strncpyFunction(Function f, int argDest, int argSrc, int argLimit) {
exists(string name | name = f.getName() |
(
name = "strcpy_s" or // strcpy_s(dst, max_amount, src)
name = "wcscpy_s" or // wcscpy_s(dst, max_amount, src)
name = "_mbscpy_s" // _mbscpy_s(dst, max_amount, src)
) and
name =
[
"strcpy_s", // strcpy_s(dst, max_amount, src)
"wcscpy_s", // wcscpy_s(dst, max_amount, src)
"_mbscpy_s" // _mbscpy_s(dst, max_amount, src)
] and
argDest = 0 and
argSrc = 2 and
argLimit = 1
or
(
name = "strncpy" or // strncpy(dst, src, max_amount)
name = "strncpy_l" or // strncpy_l(dst, src, max_amount, locale)
name = "wcsncpy" or // wcsncpy(dst, src, max_amount)
name = "_wcsncpy_l" or // _wcsncpy_l(dst, src, max_amount, locale)
name = "_mbsncpy" or // _mbsncpy(dst, src, max_amount)
name = "_mbsncpy_l" // _mbsncpy_l(dst, src, max_amount, locale)
) and
name =
[
"strncpy", // strncpy(dst, src, max_amount)
"strncpy_l", // strncpy_l(dst, src, max_amount, locale)
"wcsncpy", // wcsncpy(dst, src, max_amount)
"_wcsncpy_l", // _wcsncpy_l(dst, src, max_amount, locale)
"_mbsncpy", // _mbsncpy(dst, src, max_amount)
"_mbsncpy_l" // _mbsncpy_l(dst, src, max_amount, locale)
] and
argDest = 0 and
argSrc = 1 and
argLimit = 2

5
cpp/ql/src/Power of 10/Rule 1/UseOfJmp.ql
View File

@@ -15,10 +15,7 @@ import cpp
class ForbiddenFunction extends Function {
ForbiddenFunction() {
exists(string name | name = this.getName() |
name = "setjmp" or
name = "longjmp" or
name = "sigsetjmp" or
name = "siglongjmp"
name = ["setjmp", "longjmp", "sigsetjmp", "siglongjmp"]
)
}
}

13
cpp/ql/src/Security/CWE/CWE-022/TaintedPath.ql
View File

@@ -26,12 +26,8 @@ import TaintedWithPath
class FileFunction extends FunctionWithWrappers {
FileFunction() {
exists(string nme | this.hasGlobalName(nme) |
nme = "fopen" or
nme = "_fopen" or
nme = "_wfopen" or
nme = "open" or
nme = "_open" or
nme = "_wopen" or
nme = ["fopen", "_fopen", "_wfopen", "open", "_open", "_wopen"]
or
// create file function on windows
nme.matches("CreateFile%")
)
@@ -40,10 +36,7 @@ class FileFunction extends FunctionWithWrappers {
or
// on any of the fstream classes, or filebuf
exists(string nme | this.getDeclaringType().hasQualifiedName("std", nme) |
nme = "basic_fstream" or
nme = "basic_ifstream" or
nme = "basic_ofstream" or
nme = "basic_filebuf"
nme = ["basic_fstream", "basic_ifstream", "basic_ofstream", "basic_filebuf"]
) and
// we look for either the open method or the constructor
(this.getName() = "open" or this instanceof Constructor)

6
cpp/ql/src/Security/CWE/CWE-170/ImproperNullTerminationTainted.ql
View File

@@ -21,11 +21,7 @@ class TaintSource extends VariableAccess {
this.getTarget() instanceof SemanticStackVariable and
x.isUserInput(this, cause)
|
cause = "read" or
cause = "fread" or
cause = "recv" or
cause = "recvfrom" or
cause = "recvmsg"
cause = ["read", "fread", "recv", "recvfrom", "recvmsg"]
)
}

9
cpp/ql/src/jsf/4.09 Style/AV Rule 53.1.ql
View File

@@ -14,12 +14,5 @@ import cpp
from Include i, string name
where
name = i.getIncludeText() and
(
name.matches("%'%") or
name.matches("%\\\\%") or
name.matches("%/*%") or
name.matches("%//%") or
name.matches("%\"%\"%\"%") or
name.matches("%<%\"%>%")
)
name.matches(["%'%", "%\\\\%", "%/*%", "%//%", "%\"%\"%\"%", "%<%\"%>%"])
select i, "AV Rule 53.1: Invalid character sequence in header file name '" + name + "'"

2
cpp/ql/test/library-tests/access/noPublic/noPublic.ql
View File

@@ -3,5 +3,5 @@ import cpp
from AccessSpecifier spec
// There is no way to create "protected" access without writing the keyword
// `protected` in the source, so we don't need to test for that.
where spec.hasName("private") or spec.hasName("public")
where spec.hasName(["private", "public"])
select spec

7
cpp/ql/test/library-tests/ir/points_to/points_to.ql
View File

@@ -3,12 +3,7 @@ private import TestUtilities.InlineExpectationsTest
private import semmle.code.cpp.ir.internal.IntegerConstant as Ints
private predicate ignoreAllocation(string name) {
name = "i" or
name = "p" or
name = "q" or
name = "s" or
name = "t" or
name = "?{AllAliased}"
name = ["i", "p", "q", "s", "t", "?{AllAliased}"]
}
private predicate ignoreFile(File file) {

7
csharp/ql/lib/semmle/code/csharp/Modifier.qll
View File

@@ -19,10 +19,5 @@ class Modifier extends Element, @modifier {
* An access modifier: `public`, `private`, `internal` or `protected`.
*/
class AccessModifier extends Modifier {
AccessModifier() {
this.hasName("public") or
this.hasName("private") or
this.hasName("internal") or
this.hasName("protected")
}
AccessModifier() { this.hasName(["public", "private", "internal", "protected"]) }
}

103
csharp/ql/lib/semmle/code/csharp/commons/Collections.qll
View File

@@ -3,23 +3,12 @@
import csharp
private string modifyMethodName() {
result = "Add" or
result = "AddFirst" or
result = "AddLast" or
result = "Clear" or
result = "Enqueue" or
result = "ExceptWith" or
result = "Insert" or
result = "IntersectWith" or
result = "Push" or
result = "Remove" or
result = "RemoveAt" or
result = "RemoveFirst" or
result = "RemoveLast" or
result = "Set" or
result = "SetAll" or
result = "SymmetricExceptWith" or
result = "UnionWith"
result =
[
"Add", "AddFirst", "AddLast", "Clear", "Enqueue", "ExceptWith", "Insert", "IntersectWith",
"Push", "Remove", "RemoveAt", "RemoveFirst", "RemoveLast", "Set", "SetAll",
"SymmetricExceptWith", "UnionWith"
]
}
/** A method call that modifies a collection. */
@@ -39,45 +28,27 @@ class CollectionModificationAccess extends Access {
}
private string collectionTypeName() {
result = "ArrayList" or
result = "BitArray" or
result = "Hashtable" or
result = "ICollection" or
result = "IDictionary" or
result = "IList" or
result = "Queue" or
result = "ReadOnlyCollectionBase" or
result = "SortedList" or
result = "Stack"
result =
[
"ArrayList", "BitArray", "Hashtable", "ICollection", "IDictionary", "IList", "Queue",
"ReadOnlyCollectionBase", "SortedList", "Stack"
]
}
private string collectionNamespaceName() {
result = "Mono.Collections" or
result = "System.Collections"
}
private string collectionNamespaceName() { result = ["Mono.Collections", "System.Collections"] }
private string genericCollectionNamespaceName() {
result = "Mono.Collections.Generic" or
result = "System.Collections.Generic"
result = ["Mono.Collections.Generic", "System.Collections.Generic"]
}
private string genericCollectionTypeName() {
result = "Dictionary<,>" or
result = "HashSet<>" or
result = "ICollection<>" or
result = "IDictionary<,>" or
result = "IList<>" or
result = "ISet<>" or
result = "LinkedList<>" or
result = "List<>" or
result = "Queue<>" or
result = "SortedDictionary<,>" or
result = "SortedList<,>" or
result = "SortedSet<>" or
result = "Stack<>" or
result = "SynchronizedCollection<>" or
result = "SynchronizedKeyedCollection<>" or
result = "SynchronizedReadOnlyCollection<>"
result =
[
"Dictionary<,>", "HashSet<>", "ICollection<>", "IDictionary<,>", "IList<>", "ISet<>",
"LinkedList<>", "List<>", "Queue<>", "SortedDictionary<,>", "SortedList<,>", "SortedSet<>",
"Stack<>", "SynchronizedCollection<>", "SynchronizedKeyedCollection<>",
"SynchronizedReadOnlyCollection<>"
]
}
/** A collection type. */
@@ -105,36 +76,18 @@ class EmptyCollectionCreation extends ObjectCreation {
}
private string readonlyMethodName() {
result = "BinarySearch" or
result = "Clone" or
result = "Contains" or
result = "ContainsKey" or
result = "ContainsValue" or
result = "CopyTo" or
result = "Equals" or
result = "FixedArray" or
result = "FixedSize" or
result = "Get" or
result = "GetEnumerator" or
result = "GetHashCode" or
result = "GetRange" or
result = "IndexOf" or
result = "IsProperSubsetOf" or
result = "IsProperSupersetOf" or
result = "IsSubsetOf" or
result = "IsSupersetOf" or
result = "LastIndexOf" or
result = "MemberwiseClone" or
result = "Peek" or
result = "ToArray" or
result = "ToString" or
result = "TryGetValue"
result =
[
"BinarySearch", "Clone", "Contains", "ContainsKey", "ContainsValue", "CopyTo", "Equals",
"FixedArray", "FixedSize", "Get", "GetEnumerator", "GetHashCode", "GetRange", "IndexOf",
"IsProperSubsetOf", "IsProperSupersetOf", "IsSubsetOf", "IsSupersetOf", "LastIndexOf",
"MemberwiseClone", "Peek", "ToArray", "ToString", "TryGetValue"
]
}
private string noAddMethodName() {
result = readonlyMethodName() or
result = "Dequeue" or
result = "Pop"
result = ["Dequeue", "Pop"]
}
/** Holds if `a` is an access that does not modify a collection. */

24
csharp/ql/lib/semmle/code/csharp/frameworks/JsonNET.qll
View File

@@ -120,21 +120,13 @@ module JsonNET {
SerializedMember() {
// This member has a Json attribute
exists(Class attribute | attribute = this.getAnAttribute().getType() |
attribute.hasName("JsonPropertyAttribute")
or
attribute.hasName("JsonDictionaryAttribute")
or
attribute.hasName("JsonRequiredAttribute")
or
attribute.hasName("JsonArrayAttribute")
or
attribute.hasName("JsonConverterAttribute")
or
attribute.hasName("JsonExtensionDataAttribute")
or
attribute.hasName("SerializableAttribute") // System.SerializableAttribute
or
attribute.hasName("DataMemberAttribute") // System.DataMemberAttribute
attribute
.hasName([
"JsonPropertyAttribute", "JsonDictionaryAttribute", "JsonRequiredAttribute",
"JsonArrayAttribute", "JsonConverterAttribute", "JsonExtensionDataAttribute",
"SerializableAttribute", // System.SerializableAttribute
"DataMemberAttribute" // System.DataMemberAttribute
])
)
or
// This field is a member of an explicitly serialized type
@@ -175,7 +167,7 @@ module JsonNET {
/** Any attribute class that marks a member to not be serialized. */
private class NotSerializedAttributeClass extends JsonClass {
NotSerializedAttributeClass() {
this.hasName("JsonIgnoreAttribute") or this.hasName("NonSerializedAttribute")
this.hasName(["JsonIgnoreAttribute", "NonSerializedAttribute"])
}
}

10
csharp/ql/lib/semmle/code/csharp/frameworks/NHibernate.qll
View File

@@ -28,15 +28,7 @@ module NHibernate {
/** Gets a type parameter that specifies a mapped class. */
TypeParameter getAMappedObjectTp() {
exists(string methodName |
methodName = "Load<>"
or
methodName = "Merge<>"
or
methodName = "Get<>"
or
methodName = "Query<>"
|
exists(string methodName | methodName = ["Load<>", "Merge<>", "Get<>", "Query<>"] |
result = this.getAMethod(methodName).(UnboundGenericMethod).getTypeParameter(0)
)
}

22
csharp/ql/lib/semmle/code/csharp/security/PrivateData.qll
View File

@@ -14,26 +14,22 @@ import semmle.code.csharp.frameworks.system.windows.Forms
/** A string for `match` that identifies strings that look like they represent private data. */
private string privateNames() {
result =
[
// Inspired by the list on https://cwe.mitre.org/data/definitions/359.html
// Government identifiers, such as Social Security Numbers
result = "%social%security%number%" or
"%social%security%number%",
// Contact information, such as home addresses and telephone numbers
result = "%postcode%" or
result = "%zipcode%" or
result = "%telephone%" or
"%postcode%", "%zipcode%", "%telephone%",
// Geographic location - where the user is (or was)
result = "%latitude%" or
result = "%longitude%" or
"%latitude%", "%longitude%",
// Financial data - such as credit card numbers, salary, bank accounts, and debts
result = "%creditcard%" or
result = "%salary%" or
result = "%bankaccount%" or
"%creditcard%", "%salary%", "%bankaccount%",
// Communications - e-mail addresses, private e-mail messages, SMS text messages, chat logs, etc.
result = "%email%" or
result = "%mobile%" or
result = "%employer%" or
"%email%", "%mobile%", "%employer%",
// Health - medical conditions, insurance status, prescription records
result = "%medical%"
"%medical%"
]
}
/** An expression that might contain private data. */

7
csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsinks/ExternalLocationSink.qll
View File

@@ -38,12 +38,7 @@ class TraceMessageSink extends ExternalLocationSink {
trace.hasQualifiedName("System.Diagnostics", "TraceSource")
|
this.getExpr() = trace.getAMethod().getACall().getArgumentForName(parameterName) and
(
parameterName = "format" or
parameterName = "args" or
parameterName = "message" or
parameterName = "category"
)
parameterName = ["format", "args", "message", "category"]
)
}
}

11
csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/Remote.qll
View File

@@ -43,15 +43,8 @@ class AspNetQueryStringMember extends Member {
* request.
*/
private string getHttpRequestFlowPropertyNames() {
result = "QueryString" or
result = "Headers" or
result = "RawUrl" or
result = "Url" or
result = "Cookies" or
result = "Form" or
result = "Params" or
result = "Path" or
result = "PathInfo"
result =
["QueryString", "Headers", "RawUrl", "Url", "Cookies", "Form", "Params", "Path", "PathInfo"]
}
/** A data flow source of remote user input (ASP.NET query string). */

207
csharp/ql/src/Bad Practices/Magic Constants/MagicConstants.qll
View File

@@ -7,179 +7,30 @@ import semmle.code.csharp.frameworks.System
*/
private predicate trivialPositiveIntValue(string s) {
s = "0" or
s = "1" or
s = "2" or
s = "3" or
s = "4" or
s = "5" or
s = "6" or
s = "7" or
s = "8" or
s = "9" or
s = "10" or
s = "11" or
s = "12" or
s = "13" or
s = "14" or
s = "15" or
s = "16" or
s = "17" or
s = "18" or
s = "19" or
s = "20" or
s = "16" or
s = "32" or
s = "64" or
s = "128" or
s = "256" or
s = "512" or
s = "1024" or
s = "2048" or
s = "4096" or
s = "16384" or
s = "32768" or
s = "65536" or
s = "1048576" or
s = "2147483648" or
s = "4294967296" or
s = "15" or
s = "31" or
s = "63" or
s = "127" or
s = "255" or
s = "511" or
s = "1023" or
s = "2047" or
s = "4095" or
s = "16383" or
s = "32767" or
s = "65535" or
s = "1048577" or
s = "2147483647" or
s = "4294967295" or
s = "0x00000001" or
s = "0x00000002" or
s = "0x00000004" or
s = "0x00000008" or
s = "0x00000010" or
s = "0x00000020" or
s = "0x00000040" or
s = "0x00000080" or
s = "0x00000100" or
s = "0x00000200" or
s = "0x00000400" or
s = "0x00000800" or
s = "0x00001000" or
s = "0x00002000" or
s = "0x00004000" or
s = "0x00008000" or
s = "0x00010000" or
s = "0x00020000" or
s = "0x00040000" or
s = "0x00080000" or
s = "0x00100000" or
s = "0x00200000" or
s = "0x00400000" or
s = "0x00800000" or
s = "0x01000000" or
s = "0x02000000" or
s = "0x04000000" or
s = "0x08000000" or
s = "0x10000000" or
s = "0x20000000" or
s = "0x40000000" or
s = "0x80000000" or
s = "0x00000001" or
s = "0x00000003" or
s = "0x00000007" or
s = "0x0000000f" or
s = "0x0000001f" or
s = "0x0000003f" or
s = "0x0000007f" or
s = "0x000000ff" or
s = "0x000001ff" or
s = "0x000003ff" or
s = "0x000007ff" or
s = "0x00000fff" or
s = "0x00001fff" or
s = "0x00003fff" or
s = "0x00007fff" or
s = "0x0000ffff" or
s = "0x0001ffff" or
s = "0x0003ffff" or
s = "0x0007ffff" or
s = "0x000fffff" or
s = "0x001fffff" or
s = "0x003fffff" or
s = "0x007fffff" or
s = "0x00ffffff" or
s = "0x01ffffff" or
s = "0x03ffffff" or
s = "0x07ffffff" or
s = "0x0fffffff" or
s = "0x1fffffff" or
s = "0x3fffffff" or
s = "0x7fffffff" or
s = "0xffffffff" or
s = "0x0001" or
s = "0x0002" or
s = "0x0004" or
s = "0x0008" or
s = "0x0010" or
s = "0x0020" or
s = "0x0040" or
s = "0x0080" or
s = "0x0100" or
s = "0x0200" or
s = "0x0400" or
s = "0x0800" or
s = "0x1000" or
s = "0x2000" or
s = "0x4000" or
s = "0x8000" or
s = "0x0001" or
s = "0x0003" or
s = "0x0007" or
s = "0x000f" or
s = "0x001f" or
s = "0x003f" or
s = "0x007f" or
s = "0x00ff" or
s = "0x01ff" or
s = "0x03ff" or
s = "0x07ff" or
s = "0x0fff" or
s = "0x1fff" or
s = "0x3fff" or
s = "0x7fff" or
s = "0xffff" or
s = "0x01" or
s = "0x02" or
s = "0x04" or
s = "0x08" or
s = "0x10" or
s = "0x20" or
s = "0x40" or
s = "0x80" or
s = "0x01" or
s = "0x03" or
s = "0x07" or
s = "0x0f" or
s = "0x1f" or
s = "0x3f" or
s = "0x7f" or
s = "0xff" or
s = "0x00" or
s = "10" or
s = "100" or
s = "1000" or
s = "10000" or
s = "100000" or
s = "1000000" or
s = "10000000" or
s = "100000000" or
s = "1000000000"
s =
[
"0", "1", "2", "3", "4", "5", "6", "7", "8", "9", "10", "11", "12", "13", "14", "15", "16",
"17", "18", "19", "20", "16", "32", "64", "128", "256", "512", "1024", "2048", "4096",
"16384", "32768", "65536", "1048576", "2147483648", "4294967296", "15", "31", "63", "127",
"255", "511", "1023", "2047", "4095", "16383", "32767", "65535", "1048577", "2147483647",
"4294967295", "0x00000001", "0x00000002", "0x00000004", "0x00000008", "0x00000010",
"0x00000020", "0x00000040", "0x00000080", "0x00000100", "0x00000200", "0x00000400",
"0x00000800", "0x00001000", "0x00002000", "0x00004000", "0x00008000", "0x00010000",
"0x00020000", "0x00040000", "0x00080000", "0x00100000", "0x00200000", "0x00400000",
"0x00800000", "0x01000000", "0x02000000", "0x04000000", "0x08000000", "0x10000000",
"0x20000000", "0x40000000", "0x80000000", "0x00000001", "0x00000003", "0x00000007",
"0x0000000f", "0x0000001f", "0x0000003f", "0x0000007f", "0x000000ff", "0x000001ff",
"0x000003ff", "0x000007ff", "0x00000fff", "0x00001fff", "0x00003fff", "0x00007fff",
"0x0000ffff", "0x0001ffff", "0x0003ffff", "0x0007ffff", "0x000fffff", "0x001fffff",
"0x003fffff", "0x007fffff", "0x00ffffff", "0x01ffffff", "0x03ffffff", "0x07ffffff",
"0x0fffffff", "0x1fffffff", "0x3fffffff", "0x7fffffff", "0xffffffff", "0x0001", "0x0002",
"0x0004", "0x0008", "0x0010", "0x0020", "0x0040", "0x0080", "0x0100", "0x0200", "0x0400",
"0x0800", "0x1000", "0x2000", "0x4000", "0x8000", "0x0001", "0x0003", "0x0007", "0x000f",
"0x001f", "0x003f", "0x007f", "0x00ff", "0x01ff", "0x03ff", "0x07ff", "0x0fff", "0x1fff",
"0x3fff", "0x7fff", "0xffff", "0x01", "0x02", "0x04", "0x08", "0x10", "0x20", "0x40", "0x80",
"0x01", "0x03", "0x07", "0x0f", "0x1f", "0x3f", "0x7f", "0xff", "0x00", "10", "100", "1000",
"10000", "100000", "1000000", "10000000", "100000000", "1000000000"
]
}
private predicate trivialIntValue(string s) {
@@ -193,15 +44,7 @@ private predicate intTrivial(Literal lit) {
}
private predicate powerOfTen(float f) {
f = 10 or
f = 100 or
f = 1000 or
f = 10000 or
f = 100000 or
f = 1000000 or
f = 10000000 or
f = 100000000 or
f = 1000000000
f = [10, 100, 1000, 10000, 100000, 1000000, 10000000, 100000000, 1000000000]
}
private predicate floatTrivial(Literal lit) {

15
csharp/ql/src/Bad Practices/Naming Conventions/DefaultControlNames.ql
View File

@@ -13,16 +13,11 @@
import csharp
predicate controlName(string prefix) {
prefix = "[Ll]abel" or
prefix = "[Bb]utton" or
prefix = "[Pp]anel" or
prefix = "[Rr]adio[Bb]utton" or
prefix = "[Pp]rop" or
prefix = "[Ss]atus[Ss]trip" or
prefix = "[Tt]able[Ll]ayout[Dd]esigner" or
prefix = "[Tt]ext[Bb]ox" or
prefix = "[Tt]ool[Ss]trip" or
prefix = "[Pp]icture[Bb]ox"
prefix =
[
"[Ll]abel", "[Bb]utton", "[Pp]anel", "[Rr]adio[Bb]utton", "[Pp]rop", "[Ss]atus[Ss]trip",
"[Tt]able[Ll]ayout[Dd]esigner", "[Tt]ext[Bb]ox", "[Tt]ool[Ss]trip", "[Pp]icture[Bb]ox"
]
}
predicate usedInHumanWrittenCode(Field f) {

11
csharp/ql/src/Bad Practices/Naming Conventions/VariableNameTooShort.ql
View File

@@ -34,16 +34,7 @@ select variable, "Variable name '" + name + "' is too short."
// Adjustable: acceptable short names
//
predicate allowedName(string name) {
name = "url" or
name = "cmd" or
name = "UK" or
name = "uri" or
name = "top" or
name = "row" or
name = "pin" or
name = "log" or
name = "key" or
name = "_"
name = ["url", "cmd", "UK", "uri", "top", "row", "pin", "log", "key", "_"]
}
//

27
csharp/ql/src/Dead Code/DeadStoreOfLocal.ql
View File

@@ -37,21 +37,11 @@ Expr getADelegateExpr(Callable c) {
*/
predicate nonEscapingCall(Call c) {
exists(string name | c.getTarget().hasName(name) |
name = "ForEach" or
name = "Count" or
name = "Any" or
name = "All" or
name = "Average" or
name = "Aggregate" or
name = "First" or
name = "Last" or
name = "FirstOrDefault" or
name = "LastOrDefault" or
name = "LongCount" or
name = "Max" or
name = "Single" or
name = "SingleOrDefault" or
name = "Sum"
name =
[
"ForEach", "Count", "Any", "All", "Average", "Aggregate", "First", "Last", "FirstOrDefault",
"LastOrDefault", "LongCount", "Max", "Single", "SingleOrDefault", "Sum"
]
)
}
@@ -116,12 +106,7 @@ class RelevantDefinition extends AssignableDefinition {
private predicate isDefaultLikeInitializer() {
this.isInitializer() and
exists(Expr e | e = this.getSource().stripCasts() |
exists(string val | val = e.getValue() |
val = "0" or
val = "-1" or
val = "" or
val = "false"
)
e.getValue() = ["0", "-1", "", "false"]
or
e instanceof NullLiteral
or

89
csharp/ql/src/Stubs/Stubs.qll
View File

@@ -613,83 +613,18 @@ private string stubImplementation(Virtualizable c) {
}
private predicate isKeyword(string s) {
s = "abstract" or
s = "as" or
s = "base" or
s = "bool" or
s = "break" or
s = "byte" or
s = "case" or
s = "catch" or
s = "char" or
s = "checked" or
s = "class" or
s = "const" or
s = "continue" or
s = "decimal" or
s = "default" or
s = "delegate" or
s = "do" or
s = "double" or
s = "else" or
s = "enum" or
s = "event" or
s = "explicit" or
s = "extern" or
s = "false" or
s = "finally" or
s = "fixed" or
s = "float" or
s = "for" or
s = "foreach" or
s = "goto" or
s = "if" or
s = "implicit" or
s = "in" or
s = "int" or
s = "interface" or
s = "internal" or
s = "is" or
s = "lock" or
s = "long" or
s = "namespace" or
s = "new" or
s = "null" or
s = "object" or
s = "operator" or
s = "out" or
s = "override" or
s = "params" or
s = "private" or
s = "protected" or
s = "public" or
s = "readonly" or
s = "ref" or
s = "return" or
s = "sbyte" or
s = "sealed" or
s = "short" or
s = "sizeof" or
s = "stackalloc" or
s = "static" or
s = "string" or
s = "struct" or
s = "switch" or
s = "this" or
s = "throw" or
s = "true" or
s = "try" or
s = "typeof" or
s = "uint" or
s = "ulong" or
s = "unchecked" or
s = "unsafe" or
s = "ushort" or
s = "using" or
s = "virtual" or
s = "void" or
s = "volatile" or
s = "while"
s =
[
"abstract", "as", "base", "bool", "break", "byte", "case", "catch", "char", "checked",
"class", "const", "continue", "decimal", "default", "delegate", "do", "double", "else",
"enum", "event", "explicit", "extern", "false", "finally", "fixed", "float", "for", "foreach",
"goto", "if", "implicit", "in", "int", "interface", "internal", "is", "lock", "long",
"namespace", "new", "null", "object", "operator", "out", "override", "params", "private",
"protected", "public", "readonly", "ref", "return", "sbyte", "sealed", "short", "sizeof",
"stackalloc", "static", "string", "struct", "switch", "this", "throw", "true", "try",
"typeof", "uint", "ulong", "unchecked", "unsafe", "ushort", "using", "virtual", "void",
"volatile", "while"
]
}
bindingset[s]

12
csharp/ql/test/library-tests/assemblies/CompareVersions.ql
View File

@@ -1,16 +1,8 @@
import csharp
Version getAVersion() {
result = "1.2" or
result = "1.2.0" or
result = "1.2.0.0" or
result = "1.3" or
result = "1.3.1" or
result = "1.3.1.2" or
result = "1.3.1.3" or
result = "1.3.2" or
result = "1.4" or
result = "2.3.1"
result =
["1.2", "1.2.0", "1.2.0.0", "1.3", "1.3.1", "1.3.1.2", "1.3.1.3", "1.3.2", "1.4", "2.3.1"]
}
from Version v1, Version v2

10
csharp/ql/test/library-tests/assemblies/ValidVersions.ql
View File

@@ -1,14 +1,6 @@
import csharp
from Version version
where
version = "1.2.3.4" or
version = "2.3.24" or
version = "1.2" or
version = "xxx" or
version = "1.x" or
version = "1" or
version = "" or
version = "1234.56"
where version = ["1.2.3.4", "2.3.24", "1.2", "xxx", "1.x", "1", "", "1234.56"]
select version, version.getMajor(), version.getMajorRevision(), version.getMinor(),
version.getMinorRevision()

11
java/ql/lib/semmle/code/java/UnitTests.qll
View File

@@ -38,11 +38,12 @@ class TearDownMethod extends Method {
private class TestRelatedAnnotation extends Annotation {
TestRelatedAnnotation() {
this.getType().getPackage().hasName("org.testng.annotations") or
this.getType().getPackage().hasName("org.junit") or
this.getType().getPackage().hasName("org.junit.runner") or
this.getType().getPackage().hasName("org.junit.jupiter.api") or
this.getType().getPackage().hasName("org.junit.jupiter.params")
this.getType()
.getPackage()
.hasName([
"org.testng.annotations", "org.junit", "org.junit.runner", "org.junit.jupiter.api",
"org.junit.jupiter.params"
])
}
}

15
java/ql/lib/semmle/code/java/controlflow/unreachableblocks/ExcludeDebuggingProfilingLogging.qll
View File

@@ -17,16 +17,11 @@ import semmle.code.java.controlflow.UnreachableBlocks
class ExcludeDebuggingProfilingLogging extends ExcludedConstantField {
ExcludeDebuggingProfilingLogging() {
exists(string validFieldName |
validFieldName = "debug" or
validFieldName = "profiling" or
validFieldName = "profile" or
validFieldName = "time" or
validFieldName = "verbose" or
validFieldName = "report" or
validFieldName = "dbg" or
validFieldName = "timing" or
validFieldName = "assert" or
validFieldName = "log"
validFieldName =
[
"debug", "profiling", "profile", "time", "verbose", "report", "dbg", "timing", "assert",
"log"
]
|
getName().regexpMatch(".*(?i)" + validFieldName + ".*")
) and

25
java/ql/lib/semmle/code/java/frameworks/JaxWS.qll
View File

@@ -25,9 +25,7 @@ string getAJaxRsPackage(string subpackage) { result = getAJaxRsPackage() + "." +
class JaxWsEndpoint extends Class {
JaxWsEndpoint() {
exists(AnnotationType a | a = this.getAnAnnotation().getType() |
a.hasName("WebService") or
a.hasName("WebServiceProvider") or
a.hasName("WebServiceClient")
a.hasName(["WebService", "WebServiceProvider", "WebServiceClient"])
)
}
@@ -35,8 +33,7 @@ class JaxWsEndpoint extends Class {
Callable getARemoteMethod() {
result = this.getACallable() and
exists(AnnotationType a | a = result.getAnAnnotation().getType() |
a.hasName("WebMethod") or
a.hasName("WebEndpoint")
a.hasName(["WebMethod", "WebEndpoint"])
)
}
}
@@ -62,12 +59,7 @@ class JaxRsResourceMethod extends Method {
a = this.getAnAnnotation().getType() and
a.getPackage().getName() = getAJaxRsPackage()
|
a.hasName("GET") or
a.hasName("POST") or
a.hasName("DELETE") or
a.hasName("PUT") or
a.hasName("OPTIONS") or
a.hasName("HEAD")
a.hasName(["GET", "POST", "DELETE", "PUT", "OPTIONS", "HEAD"])
)
or
// A JaxRS resource method can also inherit these annotations from a supertype, but only if
@@ -201,13 +193,10 @@ class JaxRsInjectionAnnotation extends JaxRSAnnotation {
a = this.getType() and
a.getPackage().getName() = getAJaxRsPackage()
|
a.hasName("BeanParam") or
a.hasName("CookieParam") or
a.hasName("FormParam") or
a.hasName("HeaderParam") or
a.hasName("MatrixParam") or
a.hasName("PathParam") or
a.hasName("QueryParam")
a.hasName([
"BeanParam", "CookieParam", "FormParam", "HeaderParam", "MatrixParam", "PathParam",
"QueryParam"
])
)
or
this.getType().hasQualifiedName(getAJaxRsPackage("core"), "Context")

8
java/ql/lib/semmle/code/java/frameworks/Protobuf.qll
View File

@@ -40,13 +40,7 @@ class ProtobufMessageLite extends Interface {
*/
Method getAGetterMethod() {
exists(RefType decl | decl = result.getDeclaringType() and decl = this.getASubtype+() |
exists(string name, string suffix |
suffix = "" or
suffix = "list" or
suffix = "map" or
suffix = "ordefault" or
suffix = "orthrow"
|
exists(string name, string suffix | suffix = ["", "list", "map", "ordefault", "orthrow"] |
exists(Field f | f.getDeclaringType() = decl |
f.getName().toLowerCase().replaceAll("_", "") = name
) and

6
java/ql/lib/semmle/code/java/metrics/MetricRefType.qll
View File

@@ -266,11 +266,7 @@ class MetricRefType extends RefType, MetricElement {
* for use with the specialization index metric.
*/
predicate ignoreOverride(Method c) {
c.hasStringSignature("equals(Object)") or
c.hasStringSignature("hashCode()") or
c.hasStringSignature("toString()") or
c.hasStringSignature("finalize()") or
c.hasStringSignature("clone()")
c.hasStringSignature(["equals(Object)", "hashCode()", "toString()", "finalize()", "clone()"])
}
/** Gets a method that overrides a non-abstract method in a super type. */

47
java/ql/lib/semmle/code/java/security/RelativePaths.qll
View File

@@ -7,10 +7,7 @@ import java
predicate relativePath(Element tree, string command) {
exists(StringLiteral lit, string text | tree = lit and text = lit.getRepresentedString() |
text != "" and
(
text.regexpMatch("[^/\\\\ \t]*") or
text.regexpMatch("[^/\\\\ \t]*[ \t].*")
) and
text.regexpMatch(["[^/\\\\ \t]*", "[^/\\\\ \t]*[ \t].*"]) and
command = text.replaceAll("\t", " ").splitAt(" ", 0).replaceAll("\"", "")
)
or
@@ -35,39 +32,11 @@ predicate arrayStartingWithRelative(Element tree, string command) {
* because they do not correspond to files in the filesystem.
*/
predicate shellBuiltin(string command) {
command = "." or
command = "[" or
command = "[[" or
command = "alias" or
command = "builtin" or
command = "case" or
command = "command" or
command = "compgen" or
command = "complete" or
command = "compopt" or
command = "echo" or
command = "eval" or
command = "exec" or
command = "false" or
command = "fc" or
command = "for" or
command = "getopts" or
command = "help" or
command = "history" or
command = "if" or
command = "kill" or
command = "printf" or
command = "pwd" or
command = "select" or
command = "source" or
command = "test" or
command = "time" or
command = "times" or
command = "trap" or
command = "true" or
command = "type" or
command = "typeset" or
command = "ulimit" or
command = "until" or
command = "while"
command =
[
".", "[", "[[", "alias", "builtin", "case", "command", "compgen", "complete", "compopt",
"echo", "eval", "exec", "false", "fc", "for", "getopts", "help", "history", "if", "kill",
"printf", "pwd", "select", "source", "test", "time", "times", "trap", "true", "type",
"typeset", "ulimit", "until", "while"
]
}

1506
java/ql/src/Compatibility/JDK9/JdkInternals.qll
View File

File diff suppressed because it is too large Load Diff

197
java/ql/src/Violations of Best Practice/Magic Constants/MagicConstants.qll
View File

@@ -5,179 +5,30 @@ import java
*/
private predicate trivialPositiveIntValue(string s) {
s = "0" or
s = "1" or
s = "2" or
s = "3" or
s = "4" or
s = "5" or
s = "6" or
s = "7" or
s = "8" or
s = "9" or
s = "10" or
s = "11" or
s = "12" or
s = "13" or
s = "14" or
s = "15" or
s = "16" or
s = "17" or
s = "18" or
s = "19" or
s = "20" or
s = "16" or
s = "32" or
s = "64" or
s = "128" or
s = "256" or
s = "512" or
s = "1024" or
s = "2048" or
s = "4096" or
s = "16384" or
s = "32768" or
s = "65536" or
s = "1048576" or
s = "2147483648" or
s = "4294967296" or
s = "15" or
s = "31" or
s = "63" or
s = "127" or
s = "255" or
s = "511" or
s = "1023" or
s = "2047" or
s = "4095" or
s = "16383" or
s = "32767" or
s = "65535" or
s = "1048577" or
s = "2147483647" or
s = "4294967295" or
s = "0x00000001" or
s = "0x00000002" or
s = "0x00000004" or
s = "0x00000008" or
s = "0x00000010" or
s = "0x00000020" or
s = "0x00000040" or
s = "0x00000080" or
s = "0x00000100" or
s = "0x00000200" or
s = "0x00000400" or
s = "0x00000800" or
s = "0x00001000" or
s = "0x00002000" or
s = "0x00004000" or
s = "0x00008000" or
s = "0x00010000" or
s = "0x00020000" or
s = "0x00040000" or
s = "0x00080000" or
s = "0x00100000" or
s = "0x00200000" or
s = "0x00400000" or
s = "0x00800000" or
s = "0x01000000" or
s = "0x02000000" or
s = "0x04000000" or
s = "0x08000000" or
s = "0x10000000" or
s = "0x20000000" or
s = "0x40000000" or
s = "0x80000000" or
s = "0x00000001" or
s = "0x00000003" or
s = "0x00000007" or
s = "0x0000000f" or
s = "0x0000001f" or
s = "0x0000003f" or
s = "0x0000007f" or
s = "0x000000ff" or
s = "0x000001ff" or
s = "0x000003ff" or
s = "0x000007ff" or
s = "0x00000fff" or
s = "0x00001fff" or
s = "0x00003fff" or
s = "0x00007fff" or
s = "0x0000ffff" or
s = "0x0001ffff" or
s = "0x0003ffff" or
s = "0x0007ffff" or
s = "0x000fffff" or
s = "0x001fffff" or
s = "0x003fffff" or
s = "0x007fffff" or
s = "0x00ffffff" or
s = "0x01ffffff" or
s = "0x03ffffff" or
s = "0x07ffffff" or
s = "0x0fffffff" or
s = "0x1fffffff" or
s = "0x3fffffff" or
s = "0x7fffffff" or
s = "0xffffffff" or
s = "0x0001" or
s = "0x0002" or
s = "0x0004" or
s = "0x0008" or
s = "0x0010" or
s = "0x0020" or
s = "0x0040" or
s = "0x0080" or
s = "0x0100" or
s = "0x0200" or
s = "0x0400" or
s = "0x0800" or
s = "0x1000" or
s = "0x2000" or
s = "0x4000" or
s = "0x8000" or
s = "0x0001" or
s = "0x0003" or
s = "0x0007" or
s = "0x000f" or
s = "0x001f" or
s = "0x003f" or
s = "0x007f" or
s = "0x00ff" or
s = "0x01ff" or
s = "0x03ff" or
s = "0x07ff" or
s = "0x0fff" or
s = "0x1fff" or
s = "0x3fff" or
s = "0x7fff" or
s = "0xffff" or
s = "0x01" or
s = "0x02" or
s = "0x04" or
s = "0x08" or
s = "0x10" or
s = "0x20" or
s = "0x40" or
s = "0x80" or
s = "0x01" or
s = "0x03" or
s = "0x07" or
s = "0x0f" or
s = "0x1f" or
s = "0x3f" or
s = "0x7f" or
s = "0xff" or
s = "0x00" or
s = "10" or
s = "100" or
s = "1000" or
s = "10000" or
s = "100000" or
s = "1000000" or
s = "10000000" or
s = "100000000" or
s = "1000000000"
s =
[
"0", "1", "2", "3", "4", "5", "6", "7", "8", "9", "10", "11", "12", "13", "14", "15", "16",
"17", "18", "19", "20", "16", "32", "64", "128", "256", "512", "1024", "2048", "4096",
"16384", "32768", "65536", "1048576", "2147483648", "4294967296", "15", "31", "63", "127",
"255", "511", "1023", "2047", "4095", "16383", "32767", "65535", "1048577", "2147483647",
"4294967295", "0x00000001", "0x00000002", "0x00000004", "0x00000008", "0x00000010",
"0x00000020", "0x00000040", "0x00000080", "0x00000100", "0x00000200", "0x00000400",
"0x00000800", "0x00001000", "0x00002000", "0x00004000", "0x00008000", "0x00010000",
"0x00020000", "0x00040000", "0x00080000", "0x00100000", "0x00200000", "0x00400000",
"0x00800000", "0x01000000", "0x02000000", "0x04000000", "0x08000000", "0x10000000",
"0x20000000", "0x40000000", "0x80000000", "0x00000001", "0x00000003", "0x00000007",
"0x0000000f", "0x0000001f", "0x0000003f", "0x0000007f", "0x000000ff", "0x000001ff",
"0x000003ff", "0x000007ff", "0x00000fff", "0x00001fff", "0x00003fff", "0x00007fff",
"0x0000ffff", "0x0001ffff", "0x0003ffff", "0x0007ffff", "0x000fffff", "0x001fffff",
"0x003fffff", "0x007fffff", "0x00ffffff", "0x01ffffff", "0x03ffffff", "0x07ffffff",
"0x0fffffff", "0x1fffffff", "0x3fffffff", "0x7fffffff", "0xffffffff", "0x0001", "0x0002",
"0x0004", "0x0008", "0x0010", "0x0020", "0x0040", "0x0080", "0x0100", "0x0200", "0x0400",
"0x0800", "0x1000", "0x2000", "0x4000", "0x8000", "0x0001", "0x0003", "0x0007", "0x000f",
"0x001f", "0x003f", "0x007f", "0x00ff", "0x01ff", "0x03ff", "0x07ff", "0x0fff", "0x1fff",
"0x3fff", "0x7fff", "0xffff", "0x01", "0x02", "0x04", "0x08", "0x10", "0x20", "0x40", "0x80",
"0x01", "0x03", "0x07", "0x0f", "0x1f", "0x3f", "0x7f", "0xff", "0x00", "10", "100", "1000",
"10000", "100000", "1000000", "10000000", "100000000", "1000000000"
]
}
private predicate trivialIntValue(string s) {

2
javascript/ql/lib/semmle/javascript/DynamicPropertyAccess.qll
View File

@@ -14,7 +14,7 @@ private import semmle.javascript.dataflow.internal.FlowSteps
SourceNode getAnEnumeratedArrayElement(SourceNode array) {
exists(MethodCallNode call, string name |
call = array.getAMethodCall(name) and
(name = "forEach" or name = "map") and
name = ["forEach", "map"] and
result = call.getCallback(0).getParameter(0)
)
or

8
javascript/ql/lib/semmle/javascript/StandardLibrary.qll
View File

@@ -55,13 +55,7 @@ private class ArrayIterationCallbackAsPartialInvoke extends DataFlow::PartialInv
getNumArgument() = 2 and
// Filter out library methods named 'forEach' etc
not DataFlow::moduleImport(_).flowsTo(getReceiver()) and
exists(string name | name = getMethodName() |
name = "filter" or
name = "forEach" or
name = "map" or
name = "some" or
name = "every"
)
getMethodName() = ["filter", "forEach", "map", "some", "every"]
}
override DataFlow::Node getBoundReceiver(DataFlow::Node callback) {

103
javascript/ql/lib/semmle/javascript/frameworks/AngularJS/AngularJSCore.qll
View File

@@ -177,15 +177,10 @@ class ModuleApiCallDependencyInjection extends DependencyInjection {
* This method excludes the method names that are also present on the AngularJS '$provide' object.
*/
private int injectableArgPos() {
(
methodName = "directive" or
methodName = "filter" or
methodName = "controller" or
methodName = "animation"
) and
methodName = ["directive", "filter", "controller", "animation"] and
result = 1
or
(methodName = "config" or methodName = "run") and
methodName = ["config", "run"] and
result = 0
}
@@ -199,64 +194,17 @@ class ModuleApiCallDependencyInjection extends DependencyInjection {
* (cf. https://docs.angularjs.org/api/ng/directive/).
*/
private predicate builtinDirective(string name) {
name = "ngApp" or
name = "ngBind" or
name = "ngBindHtml" or
name = "ngBindTemplate" or
name = "ngBlur" or
name = "ngChange" or
name = "ngChecked" or
name = "ngClass" or
name = "ngClassEven" or
name = "ngClassOdd" or
name = "ngClick" or
name = "ngCloak" or
name = "ngController" or
name = "ngCopy" or
name = "ngCsp" or
name = "ngCut" or
name = "ngDblclick" or
name = "ngDisabled" or
name = "ngFocus" or
name = "ngForm" or
name = "ngHide" or
name = "ngHref" or
name = "ngIf" or
name = "ngInclude" or
name = "ngInit" or
name = "ngJq" or
name = "ngKeydown" or
name = "ngKeypress" or
name = "ngKeyup" or
name = "ngList" or
name = "ngMaxlength" or
name = "ngMinlength" or
name = "ngModel" or
name = "ngModelOptions" or
name = "ngMousedown" or
name = "ngMouseenter" or
name = "ngMouseleave" or
name = "ngMousemove" or
name = "ngMouseover" or
name = "ngMouseup" or
name = "ngNonBindable" or
name = "ngOpen" or
name = "ngOptions" or
name = "ngPaste" or
name = "ngPattern" or
name = "ngPluralize" or
name = "ngReadonly" or
name = "ngRepeat" or
name = "ngRequired" or
name = "ngSelected" or
name = "ngShow" or
name = "ngSrc" or
name = "ngSrcset" or
name = "ngStyle" or
name = "ngSubmit" or
name = "ngSwitch" or
name = "ngTransclude" or
name = "ngValue"
name =
[
"ngApp", "ngBind", "ngBindHtml", "ngBindTemplate", "ngBlur", "ngChange", "ngChecked",
"ngClass", "ngClassEven", "ngClassOdd", "ngClick", "ngCloak", "ngController", "ngCopy",
"ngCsp", "ngCut", "ngDblclick", "ngDisabled", "ngFocus", "ngForm", "ngHide", "ngHref", "ngIf",
"ngInclude", "ngInit", "ngJq", "ngKeydown", "ngKeypress", "ngKeyup", "ngList", "ngMaxlength",
"ngMinlength", "ngModel", "ngModelOptions", "ngMousedown", "ngMouseenter", "ngMouseleave",
"ngMousemove", "ngMouseover", "ngMouseup", "ngNonBindable", "ngOpen", "ngOptions", "ngPaste",
"ngPattern", "ngPluralize", "ngReadonly", "ngRepeat", "ngRequired", "ngSelected", "ngShow",
"ngSrc", "ngSrcset", "ngStyle", "ngSubmit", "ngSwitch", "ngTransclude", "ngValue"
]
}
private newtype TDirectiveInstance =
@@ -676,10 +624,7 @@ private class JQLiteObject extends JQuery::ObjectSource::Range {
)
)
or
exists(ServiceReference element |
element.getName() = "$rootElement" or
element.getName() = "$document"
|
exists(ServiceReference element | element.getName() = ["$rootElement", "$document"] |
this = element.getAReference()
)
}
@@ -780,23 +725,17 @@ private class BuiltinServiceCall extends AngularJSCall {
override predicate interpretsArgumentAsCode(Expr e) {
exists(ScopeServiceReference scope, string methodName |
methodName = "$apply" or
methodName = "$applyAsync" or
methodName = "$eval" or
methodName = "$evalAsync" or
methodName = "$watch" or
methodName = "$watchCollection" or
methodName = "$watchGroup"
methodName =
[
"$apply", "$applyAsync", "$eval", "$evalAsync", "$watch", "$watchCollection",
"$watchGroup"
]
|
call = scope.getAMethodCall(methodName) and
e = call.getArgument(0)
)
or
exists(ServiceReference service |
service.getName() = "$compile" or
service.getName() = "$parse" or
service.getName() = "$interpolate"
|
exists(ServiceReference service | service.getName() = ["$compile", "$parse", "$interpolate"] |
call = service.getACall() and
e = call.getArgument(0)
)
@@ -952,7 +891,7 @@ class ElementScope extends AngularScope, MkElementScope {
DataFlow::SourceNode routeProviderRef() {
result = builtinServiceRef("$routeProvider")
or
exists(string m | m = "when" or m = "otherwise" | result = routeProviderRef().getAMethodCall(m))
exists(string m | m = ["when", "otherwise"] | result = routeProviderRef().getAMethodCall(m))
}
/**

23
javascript/ql/lib/semmle/javascript/frameworks/AngularJS/AngularJSExpressions.qll
View File

@@ -277,24 +277,11 @@ private module Lexer {
override string getPattern() {
result =
concat(string op |
op = "===" or
op = "!==" or
op = "==" or
op = "!=" or
op = "<=" or
op = ">=" or
op = "&&" or
op = "||" or
op = "*" or
op = "!" or
op = "=" or
op = "<" or
op = ">" or
op = "+" or
op = "-" or
op = "/" or
op = "%" or
op = "|"
op =
[
"===", "!==", "==", "!=", "<=", ">=", "&&", "||", "*", "!", "=", "<", ">", "+", "-",
"/", "%", "|"
]
|
"\\Q" + op + "\\E", "|" order by op.length() desc
)

30
javascript/ql/lib/semmle/javascript/frameworks/AsyncPackage.qll
View File

@@ -103,25 +103,12 @@ module AsyncPackage {
IterationCall() {
this = memberVariant(name).getACall() and
(
name = "concat" or
name = "detect" or
name = "each" or
name = "eachOf" or
name = "forEach" or
name = "forEachOf" or
name = "every" or
name = "filter" or
name = "groupBy" or
name = "map" or
name = "mapValues" or
name = "reduce" or
name = "reduceRight" or
name = "reject" or
name = "some" or
name = "sortBy" or
name = "transform"
)
name =
[
"concat", "detect", "each", "eachOf", "forEach", "forEachOf", "every", "filter",
"groupBy", "map", "mapValues", "reduce", "reduceRight", "reject", "some", "sortBy",
"transform"
]
}
/**
@@ -176,10 +163,7 @@ module AsyncPackage {
pred = getLastParameter(iteratee).getACall().getArgument(i) and
succ = final.getParameter(i) and
exists(string name | name = call.getName() |
name = "concat" or
name = "map" or
name = "reduce" or
name = "reduceRight"
name = ["concat", "map", "reduce", "reduceRight"]
)
)
}

46
javascript/ql/lib/semmle/javascript/frameworks/HTTP.qll
View File

@@ -81,29 +81,12 @@ module HTTP {
*/
class RequestMethodName extends string {
RequestMethodName() {
this = "CHECKOUT" or
this = "COPY" or
this = "DELETE" or
this = "GET" or
this = "HEAD" or
this = "LOCK" or
this = "MERGE" or
this = "MKACTIVITY" or
this = "MKCOL" or
this = "MOVE" or
this = "M-SEARCH" or
this = "NOTIFY" or
this = "OPTIONS" or
this = "PATCH" or
this = "POST" or
this = "PURGE" or
this = "PUT" or
this = "REPORT" or
this = "SEARCH" or
this = "SUBSCRIBE" or
this = "TRACE" or
this = "UNLOCK" or
this = "UNSUBSCRIBE"
this =
[
"CHECKOUT", "COPY", "DELETE", "GET", "HEAD", "LOCK", "MERGE", "MKACTIVITY", "MKCOL",
"MOVE", "M-SEARCH", "NOTIFY", "OPTIONS", "PATCH", "POST", "PURGE", "PUT", "REPORT",
"SEARCH", "SUBSCRIBE", "TRACE", "UNLOCK", "UNSUBSCRIBE"
]
}
/**
@@ -111,14 +94,7 @@ module HTTP {
* such as for `GET` and `HEAD` requests.
*/
predicate isSafe() {
this = "GET" or
this = "HEAD" or
this = "OPTIONS" or
this = "PRI" or
this = "PROPFIND" or
this = "REPORT" or
this = "SEARCH" or
this = "TRACE"
this = ["GET", "HEAD", "OPTIONS", "PRI", "PROPFIND", "REPORT", "SEARCH", "TRACE"]
}
}
@@ -477,13 +453,7 @@ module HTTP {
* Headers are never considered third-party controllable by this predicate, although the
* third party does have some control over the the Referer and Origin headers.
*/
predicate isThirdPartyControllable() {
exists(string kind | kind = getKind() |
kind = "parameter" or
kind = "url" or
kind = "body"
)
}
predicate isThirdPartyControllable() { getKind() = ["parameter", "url", "body"] }
}
/**

463
javascript/ql/lib/semmle/javascript/frameworks/LodashUnderscore.qll
View File

@@ -47,312 +47,50 @@ module LodashUnderscore {
*/
private predicate isLodashMember(string name) {
// Can be generated using Object.keys(require('lodash'))
name = "templateSettings" or
name = "after" or
name = "ary" or
name = "assign" or
name = "assignIn" or
name = "assignInWith" or
name = "assignWith" or
name = "at" or
name = "before" or
name = "bind" or
name = "bindAll" or
name = "bindKey" or
name = "castArray" or
name = "chain" or
name = "chunk" or
name = "compact" or
name = "concat" or
name = "cond" or
name = "conforms" or
name = "constant" or
name = "countBy" or
name = "create" or
name = "curry" or
name = "curryRight" or
name = "debounce" or
name = "defaults" or
name = "defaultsDeep" or
name = "defer" or
name = "delay" or
name = "difference" or
name = "differenceBy" or
name = "differenceWith" or
name = "drop" or
name = "dropRight" or
name = "dropRightWhile" or
name = "dropWhile" or
name = "fill" or
name = "filter" or
name = "flatMap" or
name = "flatMapDeep" or
name = "flatMapDepth" or
name = "flatten" or
name = "flattenDeep" or
name = "flattenDepth" or
name = "flip" or
name = "flow" or
name = "flowRight" or
name = "fromPairs" or
name = "functions" or
name = "functionsIn" or
name = "groupBy" or
name = "initial" or
name = "intersection" or
name = "intersectionBy" or
name = "intersectionWith" or
name = "invert" or
name = "invertBy" or
name = "invokeMap" or
name = "iteratee" or
name = "keyBy" or
name = "keys" or
name = "keysIn" or
name = "map" or
name = "mapKeys" or
name = "mapValues" or
name = "matches" or
name = "matchesProperty" or
name = "memoize" or
name = "merge" or
name = "mergeWith" or
name = "method" or
name = "methodOf" or
name = "mixin" or
name = "negate" or
name = "nthArg" or
name = "omit" or
name = "omitBy" or
name = "once" or
name = "orderBy" or
name = "over" or
name = "overArgs" or
name = "overEvery" or
name = "overSome" or
name = "partial" or
name = "partialRight" or
name = "partition" or
name = "pick" or
name = "pickBy" or
name = "property" or
name = "propertyOf" or
name = "pull" or
name = "pullAll" or
name = "pullAllBy" or
name = "pullAllWith" or
name = "pullAt" or
name = "range" or
name = "rangeRight" or
name = "rearg" or
name = "reject" or
name = "remove" or
name = "rest" or
name = "reverse" or
name = "sampleSize" or
name = "set" or
name = "setWith" or
name = "shuffle" or
name = "slice" or
name = "sortBy" or
name = "sortedUniq" or
name = "sortedUniqBy" or
name = "split" or
name = "spread" or
name = "tail" or
name = "take" or
name = "takeRight" or
name = "takeRightWhile" or
name = "takeWhile" or
name = "tap" or
name = "throttle" or
name = "thru" or
name = "toArray" or
name = "toPairs" or
name = "toPairsIn" or
name = "toPath" or
name = "toPlainObject" or
name = "transform" or
name = "unary" or
name = "union" or
name = "unionBy" or
name = "unionWith" or
name = "uniq" or
name = "uniqBy" or
name = "uniqWith" or
name = "unset" or
name = "unzip" or
name = "unzipWith" or
name = "update" or
name = "updateWith" or
name = "values" or
name = "valuesIn" or
name = "without" or
name = "words" or
name = "wrap" or
name = "xor" or
name = "xorBy" or
name = "xorWith" or
name = "zip" or
name = "zipObject" or
name = "zipObjectDeep" or
name = "zipWith" or
name = "entries" or
name = "entriesIn" or
name = "extend" or
name = "extendWith" or
name = "add" or
name = "attempt" or
name = "camelCase" or
name = "capitalize" or
name = "ceil" or
name = "clamp" or
name = "clone" or
name = "cloneDeep" or
name = "cloneDeepWith" or
name = "cloneWith" or
name = "conformsTo" or
name = "deburr" or
name = "defaultTo" or
name = "divide" or
name = "endsWith" or
name = "eq" or
name = "escape" or
name = "escapeRegExp" or
name = "every" or
name = "find" or
name = "findIndex" or
name = "findKey" or
name = "findLast" or
name = "findLastIndex" or
name = "findLastKey" or
name = "floor" or
name = "forEach" or
name = "forEachRight" or
name = "forIn" or
name = "forInRight" or
name = "forOwn" or
name = "forOwnRight" or
name = "get" or
name = "gt" or
name = "gte" or
name = "has" or
name = "hasIn" or
name = "head" or
name = "identity" or
name = "includes" or
name = "indexOf" or
name = "inRange" or
name = "invoke" or
name = "isArguments" or
name = "isArray" or
name = "isArrayBuffer" or
name = "isArrayLike" or
name = "isArrayLikeObject" or
name = "isBoolean" or
name = "isBuffer" or
name = "isDate" or
name = "isElement" or
name = "isEmpty" or
name = "isEqual" or
name = "isEqualWith" or
name = "isError" or
name = "isFinite" or
name = "isFunction" or
name = "isInteger" or
name = "isLength" or
name = "isMap" or
name = "isMatch" or
name = "isMatchWith" or
name = "isNaN" or
name = "isNative" or
name = "isNil" or
name = "isNull" or
name = "isNumber" or
name = "isObject" or
name = "isObjectLike" or
name = "isPlainObject" or
name = "isRegExp" or
name = "isSafeInteger" or
name = "isSet" or
name = "isString" or
name = "isSymbol" or
name = "isTypedArray" or
name = "isUndefined" or
name = "isWeakMap" or
name = "isWeakSet" or
name = "join" or
name = "kebabCase" or
name = "last" or
name = "lastIndexOf" or
name = "lowerCase" or
name = "lowerFirst" or
name = "lt" or
name = "lte" or
name = "max" or
name = "maxBy" or
name = "mean" or
name = "meanBy" or
name = "min" or
name = "minBy" or
name = "stubArray" or
name = "stubFalse" or
name = "stubObject" or
name = "stubString" or
name = "stubTrue" or
name = "multiply" or
name = "nth" or
name = "noConflict" or
name = "noop" or
name = "now" or
name = "pad" or
name = "padEnd" or
name = "padStart" or
name = "parseInt" or
name = "random" or
name = "reduce" or
name = "reduceRight" or
name = "repeat" or
name = "replace" or
name = "result" or
name = "round" or
name = "runInContext" or
name = "sample" or
name = "size" or
name = "snakeCase" or
name = "some" or
name = "sortedIndex" or
name = "sortedIndexBy" or
name = "sortedIndexOf" or
name = "sortedLastIndex" or
name = "sortedLastIndexBy" or
name = "sortedLastIndexOf" or
name = "startCase" or
name = "startsWith" or
name = "subtract" or
name = "sum" or
name = "sumBy" or
name = "template" or
name = "times" or
name = "toFinite" or
name = "toInteger" or
name = "toLength" or
name = "toLower" or
name = "toNumber" or
name = "toSafeInteger" or
name = "toString" or
name = "toUpper" or
name = "trim" or
name = "trimEnd" or
name = "trimStart" or
name = "truncate" or
name = "unescape" or
name = "uniqueId" or
name = "upperCase" or
name = "upperFirst" or
name = "each" or
name = "eachRight" or
name = "first"
name =
[
"templateSettings", "after", "ary", "assign", "assignIn", "assignInWith", "assignWith",
"at", "before", "bind", "bindAll", "bindKey", "castArray", "chain", "chunk", "compact",
"concat", "cond", "conforms", "constant", "countBy", "create", "curry", "curryRight",
"debounce", "defaults", "defaultsDeep", "defer", "delay", "difference", "differenceBy",
"differenceWith", "drop", "dropRight", "dropRightWhile", "dropWhile", "fill", "filter",
"flatMap", "flatMapDeep", "flatMapDepth", "flatten", "flattenDeep", "flattenDepth", "flip",
"flow", "flowRight", "fromPairs", "functions", "functionsIn", "groupBy", "initial",
"intersection", "intersectionBy", "intersectionWith", "invert", "invertBy", "invokeMap",
"iteratee", "keyBy", "keys", "keysIn", "map", "mapKeys", "mapValues", "matches",
"matchesProperty", "memoize", "merge", "mergeWith", "method", "methodOf", "mixin", "negate",
"nthArg", "omit", "omitBy", "once", "orderBy", "over", "overArgs", "overEvery", "overSome",
"partial", "partialRight", "partition", "pick", "pickBy", "property", "propertyOf", "pull",
"pullAll", "pullAllBy", "pullAllWith", "pullAt", "range", "rangeRight", "rearg", "reject",
"remove", "rest", "reverse", "sampleSize", "set", "setWith", "shuffle", "slice", "sortBy",
"sortedUniq", "sortedUniqBy", "split", "spread", "tail", "take", "takeRight",
"takeRightWhile", "takeWhile", "tap", "throttle", "thru", "toArray", "toPairs", "toPairsIn",
"toPath", "toPlainObject", "transform", "unary", "union", "unionBy", "unionWith", "uniq",
"uniqBy", "uniqWith", "unset", "unzip", "unzipWith", "update", "updateWith", "values",
"valuesIn", "without", "words", "wrap", "xor", "xorBy", "xorWith", "zip", "zipObject",
"zipObjectDeep", "zipWith", "entries", "entriesIn", "extend", "extendWith", "add",
"attempt", "camelCase", "capitalize", "ceil", "clamp", "clone", "cloneDeep",
"cloneDeepWith", "cloneWith", "conformsTo", "deburr", "defaultTo", "divide", "endsWith",
"eq", "escape", "escapeRegExp", "every", "find", "findIndex", "findKey", "findLast",
"findLastIndex", "findLastKey", "floor", "forEach", "forEachRight", "forIn", "forInRight",
"forOwn", "forOwnRight", "get", "gt", "gte", "has", "hasIn", "head", "identity", "includes",
"indexOf", "inRange", "invoke", "isArguments", "isArray", "isArrayBuffer", "isArrayLike",
"isArrayLikeObject", "isBoolean", "isBuffer", "isDate", "isElement", "isEmpty", "isEqual",
"isEqualWith", "isError", "isFinite", "isFunction", "isInteger", "isLength", "isMap",
"isMatch", "isMatchWith", "isNaN", "isNative", "isNil", "isNull", "isNumber", "isObject",
"isObjectLike", "isPlainObject", "isRegExp", "isSafeInteger", "isSet", "isString",
"isSymbol", "isTypedArray", "isUndefined", "isWeakMap", "isWeakSet", "join", "kebabCase",
"last", "lastIndexOf", "lowerCase", "lowerFirst", "lt", "lte", "max", "maxBy", "mean",
"meanBy", "min", "minBy", "stubArray", "stubFalse", "stubObject", "stubString", "stubTrue",
"multiply", "nth", "noConflict", "noop", "now", "pad", "padEnd", "padStart", "parseInt",
"random", "reduce", "reduceRight", "repeat", "replace", "result", "round", "runInContext",
"sample", "size", "snakeCase", "some", "sortedIndex", "sortedIndexBy", "sortedIndexOf",
"sortedLastIndex", "sortedLastIndexBy", "sortedLastIndexOf", "startCase", "startsWith",
"subtract", "sum", "sumBy", "template", "times", "toFinite", "toInteger", "toLength",
"toLower", "toNumber", "toSafeInteger", "toString", "toUpper", "trim", "trimEnd",
"trimStart", "truncate", "unescape", "uniqueId", "upperCase", "upperFirst", "each",
"eachRight", "first"
]
}
/**
@@ -363,27 +101,15 @@ module LodashUnderscore {
exists(DataFlow::CallNode call, string name |
// Members ending with By, With, or While indicate that they are a variant of
// another function that takes a callback.
name.matches("%By") or
name.matches("%With") or
name.matches("%While") or
name.matches(["%By", "%With", "%While"])
or
// Other members that don't fit the above pattern.
name = "each" or
name = "eachRight" or
name = "every" or
name = "filter" or
name = "find" or
name = "findLast" or
name = "flatMap" or
name = "flatMapDeep" or
name = "flatMapDepth" or
name = "forEach" or
name = "forEachRight" or
name = "partition" or
name = "reduce" or
name = "reduceRight" or
name = "replace" or
name = "some" or
name = "transform"
name =
[
"each", "eachRight", "every", "filter", "find", "findLast", "flatMap", "flatMapDeep",
"flatMapDepth", "forEach", "forEachRight", "partition", "reduce", "reduceRight",
"replace", "some", "transform"
]
|
call = member(name).getACall() and
pred = call.getAnArgument().(DataFlow::FunctionNode).getExceptionalReturn() and
@@ -461,91 +187,30 @@ private class LodashCallbackAsPartialInvoke extends DataFlow::PartialInvokeNode:
this = LodashUnderscore::member(name).getACall() and
getNumArgument() = argumentCount
|
(
name = "bind" or
name = "callback" or
name = "iteratee"
) and
name = ["bind", "callback", "iteratee"] and
callbackIndex = 0 and
contextIndex = 1 and
argumentCount = 2
or
(
name = "all" or
name = "any" or
name = "collect" or
name = "countBy" or
name = "detect" or
name = "dropRightWhile" or
name = "dropWhile" or
name = "each" or
name = "eachRight" or
name = "every" or
name = "filter" or
name = "find" or
name = "findIndex" or
name = "findKey" or
name = "findLast" or
name = "findLastIndex" or
name = "findLastKey" or
name = "forEach" or
name = "forEachRight" or
name = "forIn" or
name = "forInRight" or
name = "groupBy" or
name = "indexBy" or
name = "map" or
name = "mapKeys" or
name = "mapValues" or
name = "max" or
name = "min" or
name = "omit" or
name = "partition" or
name = "pick" or
name = "reject" or
name = "remove" or
name = "select" or
name = "some" or
name = "sortBy" or
name = "sum" or
name = "takeRightWhile" or
name = "takeWhile" or
name = "tap" or
name = "thru" or
name = "times" or
name = "unzipWith" or
name = "zipWith"
) and
name =
[
"all", "any", "collect", "countBy", "detect", "dropRightWhile", "dropWhile", "each",
"eachRight", "every", "filter", "find", "findIndex", "findKey", "findLast",
"findLastIndex", "findLastKey", "forEach", "forEachRight", "forIn", "forInRight",
"groupBy", "indexBy", "map", "mapKeys", "mapValues", "max", "min", "omit", "partition",
"pick", "reject", "remove", "select", "some", "sortBy", "sum", "takeRightWhile",
"takeWhile", "tap", "thru", "times", "unzipWith", "zipWith"
] and
callbackIndex = 1 and
contextIndex = 2 and
argumentCount = 3
or
(
name = "foldl" or
name = "foldr" or
name = "inject" or
name = "reduce" or
name = "reduceRight" or
name = "transform"
) and
name = ["foldl", "foldr", "inject", "reduce", "reduceRight", "transform"] and
callbackIndex = 1 and
contextIndex = 3 and
argumentCount = 4
or
(
name = "sortedlastIndex"
or
name = "assign"
or
name = "eq"
or
name = "extend"
or
name = "merge"
or
name = "sortedIndex" and
name = "uniq"
) and
name = ["sortedlastIndex", "assign", "eq", "extend", "merge", "sortedIndex", "uniq"] and
callbackIndex = 2 and
contextIndex = 3 and
argumentCount = 4

71
javascript/ql/lib/semmle/javascript/security/CryptoAlgorithms.qll
View File

@@ -15,72 +15,35 @@
*/
private module AlgorithmNames {
predicate isStrongHashingAlgorithm(string name) {
name = "DSA" or
name = "ED25519" or
name = "ES256" or
name = "ECDSA256" or
name = "ES384" or
name = "ECDSA384" or
name = "ES512" or
name = "ECDSA512" or
name = "SHA2" or
name = "SHA224" or
name = "SHA256" or
name = "SHA384" or
name = "SHA512" or
name = "SHA3" or
name = "SHA3224" or
name = "SHA3256" or
name = "SHA3384" or
name = "SHA3512"
name =
[
"DSA", "ED25519", "ES256", "ECDSA256", "ES384", "ECDSA384", "ES512", "ECDSA512", "SHA2",
"SHA224", "SHA256", "SHA384", "SHA512", "SHA3", "SHA3224", "SHA3256", "SHA3384", "SHA3512"
]
}
predicate isWeakHashingAlgorithm(string name) {
name = "HAVEL128" or
name = "MD2" or
name = "MD4" or
name = "MD5" or
name = "PANAMA" or
name = "RIPEMD" or
name = "RIPEMD128" or
name = "RIPEMD256" or
name = "RIPEMD160" or
name = "RIPEMD320" or
name = "SHA0" or
name = "SHA1"
name =
[
"HAVEL128", "MD2", "MD4", "MD5", "PANAMA", "RIPEMD", "RIPEMD128", "RIPEMD256", "RIPEMD160",
"RIPEMD320", "SHA0", "SHA1"
]
}
predicate isStrongEncryptionAlgorithm(string name) {
name = "AES" or
name = "AES128" or
name = "AES192" or
name = "AES256" or
name = "AES512" or
name = "RSA" or
name = "RABBIT" or
name = "BLOWFISH"
name = ["AES", "AES128", "AES192", "AES256", "AES512", "RSA", "RABBIT", "BLOWFISH"]
}
predicate isWeakEncryptionAlgorithm(string name) {
name = "DES" or
name = "3DES" or
name = "TRIPLEDES" or
name = "TDEA" or
name = "TRIPLEDEA" or
name = "ARC2" or
name = "RC2" or
name = "ARC4" or
name = "RC4" or
name = "ARCFOUR" or
name = "ARC5" or
name = "RC5"
name =
[
"DES", "3DES", "TRIPLEDES", "TDEA", "TRIPLEDEA", "ARC2", "RC2", "ARC4", "RC4", "ARCFOUR",
"ARC5", "RC5"
]
}
predicate isStrongPasswordHashingAlgorithm(string name) {
name = "ARGON2" or
name = "PBKDF2" or
name = "BCRYPT" or
name = "SCRYPT"
name = ["ARGON2", "PBKDF2", "BCRYPT", "SCRYPT"]
}
predicate isWeakPasswordHashingAlgorithm(string name) { none() }

19
javascript/ql/lib/semmle/javascript/security/TaintedUrlSuffix.qll
View File

@@ -29,20 +29,11 @@ module TaintedUrlSuffix {
/** Holds for `pred -> succ` is a step of form `x -> x.p` */
private predicate isSafeLocationProp(DataFlow::PropRead read) {
// Ignore properties that refer to the scheme, domain, port, auth, or path.
exists(string name | name = read.getPropertyName() |
name = "protocol" or
name = "scheme" or
name = "host" or
name = "hostname" or
name = "domain" or
name = "origin" or
name = "port" or
name = "path" or
name = "pathname" or
name = "username" or
name = "password" or
name = "auth"
)
read.getPropertyName() =
[
"protocol", "scheme", "host", "hostname", "domain", "origin", "port", "path", "pathname",
"username", "password", "auth"
]
}
/**

16
javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideUrlRedirectCustomizations.qll
View File

@@ -88,12 +88,7 @@ module ClientSideUrlRedirect {
class LocationSink extends Sink, DataFlow::ValueNode {
LocationSink() {
// A call to a `window.navigate` or `window.open`
exists(string name |
name = "navigate" or
name = "open" or
name = "openDialog" or
name = "showModalDialog"
|
exists(string name | name = ["navigate", "open", "openDialog", "showModalDialog"] |
this = DataFlow::globalVarRef(name).getACall().getArgument(0)
)
or
@@ -102,7 +97,7 @@ module ClientSideUrlRedirect {
locationCall = DOM::locationRef().getAMethodCall(name) and
this = locationCall.getArgument(0)
|
name = "replace" or name = "assign"
name = ["replace", "assign"]
)
or
// An assignment to `location`
@@ -113,7 +108,7 @@ module ClientSideUrlRedirect {
pw = DOM::locationRef().getAPropertyWrite(propName) and
this = pw.getRhs()
|
propName = "href" or propName = "protocol" or propName = "hostname"
propName = ["href", "protocol", "hostname"]
)
or
// A redirection using the AngularJS `$location` service
@@ -153,9 +148,8 @@ module ClientSideUrlRedirect {
*/
class SrcAttributeUrlSink extends ScriptUrlSink, DataFlow::ValueNode {
SrcAttributeUrlSink() {
exists(DOM::AttributeDefinition attr, string eltName |
attr.getElement().getName() = eltName and
(eltName = "script" or eltName = "iframe") and
exists(DOM::AttributeDefinition attr |
attr.getElement().getName() = ["script", "iframe"] and
attr.getName() = "src" and
this = attr.getValueNode()
)

72
javascript/ql/lib/semmle/javascript/security/dataflow/LoopBoundInjectionCustomizations.qll
View File

@@ -115,66 +115,18 @@ module LoopBoundInjection {
* Holds if `name` is a method from lodash vulnerable to a DoS attack if called with a tainted object.
*/
predicate loopableLodashMethod(string name) {
name = "chunk" or
name = "compact" or
name = "difference" or
name = "differenceBy" or
name = "differenceWith" or
name = "drop" or
name = "dropRight" or
name = "dropRightWhile" or
name = "dropWhile" or
name = "fill" or
name = "findIndex" or
name = "findLastIndex" or
name = "flatten" or
name = "flattenDeep" or
name = "flattenDepth" or
name = "initial" or
name = "intersection" or
name = "intersectionBy" or
name = "intersectionWith" or
name = "join" or
name = "remove" or
name = "reverse" or
name = "slice" or
name = "sortedUniq" or
name = "sortedUniqBy" or
name = "tail" or
name = "union" or
name = "unionBy" or
name = "unionWith" or
name = "uniqBy" or
name = "unzip" or
name = "unzipWith" or
name = "without" or
name = "zip" or
name = "zipObject" or
name = "zipObjectDeep" or
name = "zipWith" or
name = "countBy" or
name = "each" or
name = "forEach" or
name = "eachRight" or
name = "forEachRight" or
name = "filter" or
name = "find" or
name = "findLast" or
name = "flatMap" or
name = "flatMapDeep" or
name = "flatMapDepth" or
name = "forEach" or
name = "forEachRight" or
name = "groupBy" or
name = "invokeMap" or
name = "keyBy" or
name = "map" or
name = "orderBy" or
name = "partition" or
name = "reduce" or
name = "reduceRight" or
name = "reject" or
name = "sortBy"
name =
[
"chunk", "compact", "difference", "differenceBy", "differenceWith", "drop", "dropRight",
"dropRightWhile", "dropWhile", "fill", "findIndex", "findLastIndex", "flatten",
"flattenDeep", "flattenDepth", "initial", "intersection", "intersectionBy",
"intersectionWith", "join", "remove", "reverse", "slice", "sortedUniq", "sortedUniqBy",
"tail", "union", "unionBy", "unionWith", "uniqBy", "unzip", "unzipWith", "without", "zip",
"zipObject", "zipObjectDeep", "zipWith", "countBy", "each", "forEach", "eachRight",
"forEachRight", "filter", "find", "findLast", "flatMap", "flatMapDeep", "flatMapDepth",
"forEach", "forEachRight", "groupBy", "invokeMap", "keyBy", "map", "orderBy", "partition",
"reduce", "reduceRight", "reject", "sortBy"
]
}
/**

15
javascript/ql/src/Statements/UseOfReturnlessFunction.ql
View File

@@ -111,16 +111,11 @@ predicate callToVoidFunction(DataFlow::CallNode call, Function func) {
* and the callback is expected to return a value.
*/
predicate hasNonVoidCallbackMethod(string name) {
name = "every" or
name = "filter" or
name = "find" or
name = "findIndex" or
name = "flatMap" or
name = "map" or
name = "reduce" or
name = "reduceRight" or
name = "some" or
name = "sort"
name =
[
"every", "filter", "find", "findIndex", "flatMap", "map", "reduce", "reduceRight", "some",
"sort"
]
}
DataFlow::SourceNode array(DataFlow::TypeTracker t) {

22
javascript/ql/src/meta/Consistency.ql
View File

@@ -37,22 +37,12 @@ predicate exprWithoutEnclosingStmt(Expr e) {
* `"3 results for toString()"`.
*/
predicate uniqueness_error(int number, string what, string problem) {
(
what = "toString" or
what = "getLocation" or
what = "getTopLevel" or
what = "getEnclosingStmt" or
what = "getContainer" or
what = "getEnclosingContainer" or
what = "getEntry" or
what = "getExit" or
what = "getFirstControlFlowNode" or
what = "getOuterScope" or
what = "getScopeElement" or
what = "getBaseName" or
what = "getOperator" or
what = "getTest"
) and
what =
[
"toString", "getLocation", "getTopLevel", "getEnclosingStmt", "getContainer",
"getEnclosingContainer", "getEntry", "getExit", "getFirstControlFlowNode", "getOuterScope",
"getScopeElement", "getBaseName", "getOperator", "getTest"
] and
(
number = 0 and problem = "no results for " + what + "()"
or

71
python/ql/lib/semmle/python/concepts/CryptoAlgorithms.qll
View File

@@ -15,72 +15,35 @@
*/
private module AlgorithmNames {
predicate isStrongHashingAlgorithm(string name) {
name = "DSA" or
name = "ED25519" or
name = "ES256" or
name = "ECDSA256" or
name = "ES384" or
name = "ECDSA384" or
name = "ES512" or
name = "ECDSA512" or
name = "SHA2" or
name = "SHA224" or
name = "SHA256" or
name = "SHA384" or
name = "SHA512" or
name = "SHA3" or
name = "SHA3224" or
name = "SHA3256" or
name = "SHA3384" or
name = "SHA3512"
name =
[
"DSA", "ED25519", "ES256", "ECDSA256", "ES384", "ECDSA384", "ES512", "ECDSA512", "SHA2",
"SHA224", "SHA256", "SHA384", "SHA512", "SHA3", "SHA3224", "SHA3256", "SHA3384", "SHA3512"
]
}
predicate isWeakHashingAlgorithm(string name) {
name = "HAVEL128" or
name = "MD2" or
name = "MD4" or
name = "MD5" or
name = "PANAMA" or
name = "RIPEMD" or
name = "RIPEMD128" or
name = "RIPEMD256" or
name = "RIPEMD160" or
name = "RIPEMD320" or
name = "SHA0" or
name = "SHA1"
name =
[
"HAVEL128", "MD2", "MD4", "MD5", "PANAMA", "RIPEMD", "RIPEMD128", "RIPEMD256", "RIPEMD160",
"RIPEMD320", "SHA0", "SHA1"
]
}
predicate isStrongEncryptionAlgorithm(string name) {
name = "AES" or
name = "AES128" or
name = "AES192" or
name = "AES256" or
name = "AES512" or
name = "RSA" or
name = "RABBIT" or
name = "BLOWFISH"
name = ["AES", "AES128", "AES192", "AES256", "AES512", "RSA", "RABBIT", "BLOWFISH"]
}
predicate isWeakEncryptionAlgorithm(string name) {
name = "DES" or
name = "3DES" or
name = "TRIPLEDES" or
name = "TDEA" or
name = "TRIPLEDEA" or
name = "ARC2" or
name = "RC2" or
name = "ARC4" or
name = "RC4" or
name = "ARCFOUR" or
name = "ARC5" or
name = "RC5"
name =
[
"DES", "3DES", "TRIPLEDES", "TDEA", "TRIPLEDEA", "ARC2", "RC2", "ARC4", "RC4", "ARCFOUR",
"ARC5", "RC5"
]
}
predicate isStrongPasswordHashingAlgorithm(string name) {
name = "ARGON2" or
name = "PBKDF2" or
name = "BCRYPT" or
name = "SCRYPT"
name = ["ARGON2", "PBKDF2", "BCRYPT", "SCRYPT"]
}
predicate isWeakPasswordHashingAlgorithm(string name) { none() }

29
python/ql/lib/semmle/python/objects/TObject.qll
View File

@@ -387,7 +387,7 @@ private predicate concrete_class(PythonClassObjectInternal cls) {
not exists(Raise r, Name ex |
r.getScope() = f and
(r.getException() = ex or r.getException().(Call).getFunc() = ex) and
(ex.getId() = "NotImplementedError" or ex.getId() = "NotImplemented")
ex.getId() = ["NotImplementedError", "NotImplemented"]
)
)
)
@@ -437,11 +437,7 @@ predicate missing_imported_module(ControlFlowNode imp, Context ctx, string name)
* Helper for missing modules to determine if name `x.y` is a module `x.y` or
* an attribute `y` of module `x`. This list should be added to as required.
*/
predicate common_module_name(string name) {
name = "zope.interface"
or
name = "six.moves"
}
predicate common_module_name(string name) { name = ["zope.interface", "six.moves"] }
/**
* A declaration of a class, either a built-in class or a source definition
@@ -482,16 +478,11 @@ library class ClassDecl extends @py_object {
*/
predicate isSpecial() {
exists(string name | this = Builtin::special(name) |
name = "type" or
name = "super" or
name = "bool" or
name = "NoneType" or
name = "tuple" or
name = "property" or
name = "ClassMethod" or
name = "StaticMethod" or
name = "MethodType" or
name = "ModuleType"
name =
[
"type", "super", "bool", "NoneType", "tuple", "property", "ClassMethod", "StaticMethod",
"MethodType", "ModuleType"
]
)
}
@@ -514,11 +505,7 @@ library class ClassDecl extends @py_object {
/** Holds if this class is the abstract base class */
predicate isAbstractBaseClass(string name) {
exists(Module m |
m.getName() = "_abcoll"
or
m.getName() = "_collections_abc"
|
exists(Module m | m.getName() = ["_abcoll", "_collections_abc"] |
this.getClass().getScope() = m and
this.getName() = name
)

6
python/ql/lib/semmle/python/security/ClearText.qll
View File

@@ -47,11 +47,7 @@ module ClearTextLogging {
meth.getObject(name).(NameNode).getId().matches("logg%") and
call.getAnArg() = this
|
name = "error" or
name = "warn" or
name = "warning" or
name = "debug" or
name = "info"
name = ["error", "warn", "warning", "debug", "info"]
)
}
}

14
python/ql/lib/semmle/python/security/injection/Command.qll
View File

@@ -13,18 +13,11 @@ import semmle.python.security.strings.Untrusted
/** Abstract taint sink that is potentially vulnerable to malicious shell commands. */
abstract class CommandSink extends TaintSink { }
private ModuleObject osOrPopenModule() {
result.getName() = "os" or
result.getName() = "popen2"
}
private ModuleObject osOrPopenModule() { result.getName() = ["os", "popen2"] }
private Object makeOsCall() {
exists(string name | result = ModuleObject::named("subprocess").attr(name) |
name = "Popen" or
name = "call" or
name = "check_call" or
name = "check_output" or
name = "run"
name = ["Popen", "call", "check_call", "check_output", "run"]
)
}
@@ -65,8 +58,7 @@ class ShellCommand extends CommandSink {
call.getAnArg() = this and
call.getFunction().refersTo(osOrPopenModule().attr(name))
|
name = "system" or
name = "popen" or
name = ["system", "popen"] or
name.matches("popen_")
)
or