hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-03-31 04:38:18 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'main' of https://github.com/github/codeql into post-release-prep/codeql-cli-2.25.1

Browse Source
This commit is contained in:
Óscar San José
2026-03-30 10:51:12 +02:00
parent ce6e6d5db3 898d12b0be
commit 59eec7ffa2
765 changed files with 13826 additions and 27987 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
.github/dependabot.yml vendored
View File

@@ -45,3 +45,5 @@ updates:
directory: "/"
schedule:
interval: weekly
exclude-paths:
- "misc/bazel/registry/**"

78
.github/workflows/compile-queries.yml vendored
View File

@@ -1,78 +0,0 @@
name: "Compile all queries using the latest stable CodeQL CLI"
on:
push:
branches: # makes sure the cache gets populated - running on the branches people tend to merge into.
- main
- "rc/*"
- "codeql-cli-*"
pull_request:
paths:
- '**.ql'
- '**.qll'
- '**/qlpack.yml'
- '**.dbscheme'
permissions:
contents: read
jobs:
detect-changes:
if: github.repository_owner == 'github'
runs-on: ubuntu-latest
outputs:
languages: ${{ steps.detect.outputs.languages }}
steps:
- uses: actions/checkout@v5
- name: Detect changed languages
id: detect
run: |
if [[ "${{ github.event_name }}" == "pull_request" ]]; then
# For PRs, detect which languages have changes
changed_files=$(gh pr view ${{ github.event.pull_request.number }} --json files --jq '.files.[].path')
languages=()
for lang in actions cpp csharp go java javascript python ql ruby rust swift; do
if echo "$changed_files" | grep -qE "^($lang/|shared/)" ; then
languages+=("$lang")
fi
done
echo "languages=$(jq -c -n '$ARGS.positional' --args "${languages[@]}")" >> $GITHUB_OUTPUT
else
# For pushes to main/rc branches, run all languages
echo 'languages=["actions","cpp","csharp","go","java","javascript","python","ql","ruby","rust","swift"]' >> $GITHUB_OUTPUT
fi
env:
GH_TOKEN: ${{ github.token }}
compile-queries:
needs: detect-changes
if: github.repository_owner == 'github' && needs.detect-changes.outputs.languages != '[]'
runs-on: ubuntu-latest-xl
strategy:
fail-fast: false
matrix:
language: ${{ fromJson(needs.detect-changes.outputs.languages) }}
steps:
- uses: actions/checkout@v5
- name: Setup CodeQL
uses: ./.github/actions/fetch-codeql
with:
channel: 'release'
- name: Cache compilation cache
id: query-cache
uses: ./.github/actions/cache-query-compilation
with:
key: ${{ matrix.language }}-queries
- name: check formatting
run: find shared ${{ matrix.language }}/ql -type f \( -name "*.qll" -o -name "*.ql" \) -print0 | xargs -0 -n 3000 -P 10 codeql query format -q --check-only
- name: compile queries - check-only
# run with --check-only if running in a PR (github.sha != main)
if : ${{ github.event_name == 'pull_request' }}
shell: bash
run: codeql query compile -q -j0 ${{ matrix.language }}/ql/{src,examples} --keep-going --warnings=error --check-only --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" --compilation-cache-size=500 --ram=56000
- name: compile queries - full
# do full compile if running on main - this populates the cache
if : ${{ github.event_name != 'pull_request' }}
shell: bash
run: codeql query compile -q -j0 ${{ matrix.language }}/ql/{src,examples} --keep-going --warnings=error --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" --compilation-cache-size=500 --ram=56000

236
.github/workflows/ruby-build.yml vendored
View File

@@ -1,236 +0,0 @@
name: "Ruby: Build"
on:
push:
paths:
- "ruby/**"
- .github/workflows/ruby-build.yml
- .github/actions/fetch-codeql/action.yml
- codeql-workspace.yml
- "shared/tree-sitter-extractor/**"
branches:
- main
- "rc/*"
pull_request:
paths:
- "ruby/**"
- .github/workflows/ruby-build.yml
- .github/actions/fetch-codeql/action.yml
- codeql-workspace.yml
- "shared/tree-sitter-extractor/**"
branches:
- main
- "rc/*"
workflow_dispatch:
inputs:
tag:
description: "Version tag to create"
required: false
env:
CARGO_TERM_COLOR: always
defaults:
run:
working-directory: ruby
permissions:
contents: read
jobs:
build:
strategy:
fail-fast: false
matrix:
os: [ubuntu-latest, macos-latest, windows-latest]
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@v5
- name: Install GNU tar
if: runner.os == 'macOS'
run: |
brew install gnu-tar
echo "/usr/local/opt/gnu-tar/libexec/gnubin" >> $GITHUB_PATH
- name: Prepare Windows
if: runner.os == 'Windows'
shell: powershell
run: |
git config --global core.longpaths true
- uses: ./.github/actions/os-version
id: os_version
- name: Cache entire extractor
uses: actions/cache@v3
id: cache-extractor
with:
path: |
target/release/codeql-extractor-ruby
target/release/codeql-extractor-ruby.exe
ruby/extractor/ql/lib/codeql/ruby/ast/internal/TreeSitter.qll
key: ${{ runner.os }}-${{ steps.os_version.outputs.version }}-ruby-extractor-${{ hashFiles('ruby/extractor/rust-toolchain.toml', 'ruby/extractor/Cargo.lock') }}-${{ hashFiles('shared/tree-sitter-extractor') }}-${{ hashFiles('ruby/extractor/**/*.rs') }}
- uses: actions/cache@v3
if: steps.cache-extractor.outputs.cache-hit != 'true'
with:
path: |
~/.cargo/registry
~/.cargo/git
target
key: ${{ runner.os }}-${{ steps.os_version.outputs.version }}-ruby-rust-cargo-${{ hashFiles('ruby/extractor/rust-toolchain.toml', 'ruby/extractor/**/Cargo.lock') }}
- name: Check formatting
if: steps.cache-extractor.outputs.cache-hit != 'true'
run: cd extractor && cargo fmt -- --check
- name: Build
if: steps.cache-extractor.outputs.cache-hit != 'true'
run: cd extractor && cargo build --verbose
- name: Run tests
if: steps.cache-extractor.outputs.cache-hit != 'true'
run: cd extractor && cargo test --verbose
- name: Release build
if: steps.cache-extractor.outputs.cache-hit != 'true'
run: cd extractor && cargo build --release
- name: Generate dbscheme
if: ${{ matrix.os == 'ubuntu-latest' && steps.cache-extractor.outputs.cache-hit != 'true'}}
run: ../target/release/codeql-extractor-ruby generate --dbscheme ql/lib/ruby.dbscheme --library ql/lib/codeql/ruby/ast/internal/TreeSitter.qll
- uses: actions/upload-artifact@v4
if: ${{ matrix.os == 'ubuntu-latest' }}
with:
name: ruby.dbscheme
path: ruby/ql/lib/ruby.dbscheme
- uses: actions/upload-artifact@v4
if: ${{ matrix.os == 'ubuntu-latest' }}
with:
name: TreeSitter.qll
path: ruby/ql/lib/codeql/ruby/ast/internal/TreeSitter.qll
- uses: actions/upload-artifact@v4
with:
name: extractor-${{ matrix.os }}
path: |
target/release/codeql-extractor-ruby
target/release/codeql-extractor-ruby.exe
retention-days: 1
compile-queries:
if: github.repository_owner == 'github'
runs-on: ubuntu-latest-xl
steps:
- uses: actions/checkout@v5
- name: Fetch CodeQL
uses: ./.github/actions/fetch-codeql
- name: Cache compilation cache
id: query-cache
uses: ./.github/actions/cache-query-compilation
with:
key: ruby-build
- name: Build Query Pack
run: |
PACKS=${{ runner.temp }}/query-packs
rm -rf $PACKS
codeql pack create ../misc/suite-helpers --output "$PACKS"
codeql pack create ../shared/regex --output "$PACKS"
codeql pack create ../shared/ssa --output "$PACKS"
codeql pack create ../shared/tutorial --output "$PACKS"
codeql pack create ql/lib --output "$PACKS"
codeql pack create -j0 ql/src --output "$PACKS" --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
PACK_FOLDER=$(readlink -f "$PACKS"/codeql/ruby-queries/*)
codeql generate query-help --format=sarifv2.1.0 --output="${PACK_FOLDER}/rules.sarif" ql/src
(cd ql/src; find queries \( -name '*.qhelp' -o -name '*.rb' -o -name '*.erb' \) -exec bash -c 'mkdir -p "'"${PACK_FOLDER}"'/$(dirname "{}")"' \; -exec cp "{}" "${PACK_FOLDER}/{}" \;)
- uses: actions/upload-artifact@v4
with:
name: codeql-ruby-queries
path: |
${{ runner.temp }}/query-packs/*
retention-days: 1
include-hidden-files: true
package:
runs-on: ubuntu-latest
needs: [build, compile-queries]
steps:
- uses: actions/checkout@v5
- uses: actions/download-artifact@v4
with:
name: ruby.dbscheme
path: ruby/ruby
- uses: actions/download-artifact@v4
with:
name: extractor-ubuntu-latest
path: ruby/linux64
- uses: actions/download-artifact@v4
with:
name: extractor-windows-latest
path: ruby/win64
- uses: actions/download-artifact@v4
with:
name: extractor-macos-latest
path: ruby/osx64
- run: |
mkdir -p ruby
cp -r codeql-extractor.yml tools ql/lib/ruby.dbscheme.stats ruby/
mkdir -p ruby/tools/{linux64,osx64,win64}
cp linux64/codeql-extractor-ruby ruby/tools/linux64/extractor
cp osx64/codeql-extractor-ruby ruby/tools/osx64/extractor
cp win64/codeql-extractor-ruby.exe ruby/tools/win64/extractor.exe
chmod +x ruby/tools/{linux64,osx64}/extractor
zip -rq codeql-ruby.zip ruby
- uses: actions/upload-artifact@v4
with:
name: codeql-ruby-pack
path: ruby/codeql-ruby.zip
retention-days: 1
include-hidden-files: true
- uses: actions/download-artifact@v4
with:
name: codeql-ruby-queries
path: ruby/qlpacks
- run: |
echo '{
"provide": [
"ruby/codeql-extractor.yml",
"qlpacks/*/*/*/qlpack.yml"
]
}' > .codeqlmanifest.json
zip -rq codeql-ruby-bundle.zip .codeqlmanifest.json ruby qlpacks
- uses: actions/upload-artifact@v4
with:
name: codeql-ruby-bundle
path: ruby/codeql-ruby-bundle.zip
retention-days: 1
include-hidden-files: true
test:
defaults:
run:
working-directory: ${{ github.workspace }}
strategy:
fail-fast: false
matrix:
os: [ubuntu-latest, macos-latest, windows-latest]
runs-on: ${{ matrix.os }}
needs: [package]
steps:
- uses: actions/checkout@v5
- name: Fetch CodeQL
uses: ./.github/actions/fetch-codeql
- name: Download Ruby bundle
uses: actions/download-artifact@v4
with:
name: codeql-ruby-bundle
path: ${{ runner.temp }}
- name: Unzip Ruby bundle
shell: bash
run: unzip -q -d "${{ runner.temp }}/ruby-bundle" "${{ runner.temp }}/codeql-ruby-bundle.zip"
- name: Run QL test
shell: bash
run: |
codeql test run --search-path "${{ runner.temp }}/ruby-bundle" --additional-packs "${{ runner.temp }}/ruby-bundle" ruby/ql/test/library-tests/ast/constants/
- name: Create database
shell: bash
run: |
codeql database create --search-path "${{ runner.temp }}/ruby-bundle" --language ruby --source-root ruby/ql/test/library-tests/ast/constants/ ../database
- name: Analyze database
shell: bash
run: |
codeql database analyze --search-path "${{ runner.temp }}/ruby-bundle" --format=sarifv2.1.0 --output=out.sarif ../database ruby-code-scanning.qls

75
.github/workflows/ruby-dataset-measure.yml vendored
View File

@@ -1,75 +0,0 @@
name: "Ruby: Collect database stats"
on:
push:
branches:
- main
- "rc/*"
paths:
- ruby/ql/lib/ruby.dbscheme
- .github/workflows/ruby-dataset-measure.yml
pull_request:
branches:
- main
- "rc/*"
paths:
- ruby/ql/lib/ruby.dbscheme
- .github/workflows/ruby-dataset-measure.yml
workflow_dispatch:
permissions:
contents: read
jobs:
measure:
env:
CODEQL_THREADS: 4 # TODO: remove this once it's set by the CLI
strategy:
fail-fast: false
matrix:
repo: [rails/rails, discourse/discourse, spree/spree, ruby/ruby]
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v5
- uses: ./.github/actions/fetch-codeql
- uses: ./ruby/actions/create-extractor-pack
- name: Checkout ${{ matrix.repo }}
uses: actions/checkout@v5
with:
repository: ${{ matrix.repo }}
path: ${{ github.workspace }}/repo
- name: Create database
run: |
codeql database create \
--search-path "${{ github.workspace }}" \
--threads 4 \
--language ruby --source-root "${{ github.workspace }}/repo" \
"${{ runner.temp }}/database"
- name: Measure database
run: |
mkdir -p "stats/${{ matrix.repo }}"
codeql dataset measure --threads 4 --output "stats/${{ matrix.repo }}/stats.xml" "${{ runner.temp }}/database/db-ruby"
- uses: actions/upload-artifact@v4
with:
name: measurements-${{ hashFiles('stats/**') }}
path: stats
retention-days: 1
merge:
runs-on: ubuntu-latest
needs: measure
steps:
- uses: actions/checkout@v5
- uses: actions/download-artifact@v4
with:
path: stats
- run: |
python -m pip install --user lxml
find stats -name 'stats.xml' | sort | xargs python ruby/scripts/merge_stats.py --output ruby/ql/lib/ruby.dbscheme.stats --normalise ruby_tokeninfo
- uses: actions/upload-artifact@v4
with:
name: ruby.dbscheme.stats
path: ruby/ql/lib/ruby.dbscheme.stats

40
.github/workflows/ruby-qltest-rtjo.yml vendored
View File

@@ -1,40 +0,0 @@
name: "Ruby: Run RTJO Language Tests"
on:
pull_request:
types:
- opened
- synchronize
- reopened
- labeled
env:
CARGO_TERM_COLOR: always
defaults:
run:
working-directory: ruby
permissions:
contents: read
jobs:
qltest-rtjo:
if: "github.repository_owner == 'github' && github.event.label.name == 'Run: RTJO Language Tests'"
runs-on: ubuntu-latest-xl
strategy:
fail-fast: false
steps:
- uses: actions/checkout@v5
- uses: ./.github/actions/fetch-codeql
- uses: ./ruby/actions/create-extractor-pack
- name: Cache compilation cache
id: query-cache
uses: ./.github/actions/cache-query-compilation
with:
key: ruby-qltest
- name: Run QL tests
run: |
codeql test run --dynamic-join-order-mode=all --threads=0 --ram 50000 --search-path "${{ github.workspace }}" --check-databases --check-diff-informed --check-undefined-labels --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
env:
GITHUB_TOKEN: ${{ github.token }}

73
.github/workflows/ruby-qltest.yml vendored
View File

@@ -1,73 +0,0 @@
name: "Ruby: Run QL Tests"
on:
push:
paths:
- "ruby/**"
- "shared/**"
- .github/workflows/ruby-build.yml
- .github/actions/fetch-codeql/action.yml
- codeql-workspace.yml
branches:
- main
- "rc/*"
pull_request:
paths:
- "ruby/**"
- "shared/**"
- .github/workflows/ruby-qltest.yml
- .github/actions/fetch-codeql/action.yml
- codeql-workspace.yml
branches:
- main
- "rc/*"
env:
CARGO_TERM_COLOR: always
defaults:
run:
working-directory: ruby
permissions:
contents: read
jobs:
qlupgrade:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v5
- uses: ./.github/actions/fetch-codeql
- name: Check DB upgrade scripts
run: |
echo >empty.trap
codeql dataset import -S ql/lib/upgrades/initial/ruby.dbscheme testdb empty.trap
codeql dataset upgrade testdb --additional-packs ql/lib
diff -q testdb/ruby.dbscheme ql/lib/ruby.dbscheme
- name: Check DB downgrade scripts
run: |
echo >empty.trap
rm -rf testdb; codeql dataset import -S ql/lib/ruby.dbscheme testdb empty.trap
codeql resolve upgrades --format=lines --allow-downgrades --additional-packs downgrades \
--dbscheme=ql/lib/ruby.dbscheme --target-dbscheme=downgrades/initial/ruby.dbscheme |
xargs codeql execute upgrades testdb
diff -q testdb/ruby.dbscheme downgrades/initial/ruby.dbscheme
qltest:
if: github.repository_owner == 'github'
runs-on: ubuntu-latest-xl
strategy:
fail-fast: false
steps:
- uses: actions/checkout@v5
- uses: ./.github/actions/fetch-codeql
- uses: ./ruby/actions/create-extractor-pack
- name: Cache compilation cache
id: query-cache
uses: ./.github/actions/cache-query-compilation
with:
key: ruby-qltest
- name: Run QL tests
run: |
codeql test run --threads=0 --ram 50000 --search-path "${{ github.workspace }}" --check-databases --check-diff-informed --check-undefined-labels --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
env:
GITHUB_TOKEN: ${{ github.token }}

14
MODULE.bazel
View File

@@ -15,14 +15,14 @@ local_path_override(
# see https://registry.bazel.build/ for a list of available packages
bazel_dep(name = "platforms", version = "1.0.0")
bazel_dep(name = "rules_cc", version = "0.2.16")
bazel_dep(name = "rules_go", version = "0.59.0")
bazel_dep(name = "rules_java", version = "9.0.3")
bazel_dep(name = "rules_pkg", version = "1.0.1")
bazel_dep(name = "rules_cc", version = "0.2.17")
bazel_dep(name = "rules_go", version = "0.60.0")
bazel_dep(name = "rules_java", version = "9.6.1")
bazel_dep(name = "rules_pkg", version = "1.2.0")
bazel_dep(name = "rules_nodejs", version = "6.7.3")
bazel_dep(name = "rules_python", version = "1.9.0")
bazel_dep(name = "rules_shell", version = "0.6.1")
bazel_dep(name = "bazel_skylib", version = "1.8.1")
bazel_dep(name = "rules_shell", version = "0.7.1")
bazel_dep(name = "bazel_skylib", version = "1.9.0")
bazel_dep(name = "abseil-cpp", version = "20260107.1", repo_name = "absl")
bazel_dep(name = "nlohmann_json", version = "3.11.3", repo_name = "json")
bazel_dep(name = "fmt", version = "12.1.0-codeql.1")
@@ -30,7 +30,7 @@ bazel_dep(name = "rules_kotlin", version = "2.2.2-codeql.1")
bazel_dep(name = "gazelle", version = "0.47.0")
bazel_dep(name = "rules_dotnet", version = "0.21.5-codeql.1")
bazel_dep(name = "googletest", version = "1.17.0.bcr.2")
bazel_dep(name = "rules_rust", version = "0.68.1.codeql.1")
bazel_dep(name = "rules_rust", version = "0.69.0")
bazel_dep(name = "zstd", version = "1.5.7.bcr.1")
bazel_dep(name = "buildifier_prebuilt", version = "6.4.0", dev_dependency = True)

1
cpp/ql/integration-tests/query-suite/cpp-code-scanning.qls.expected
View File

@@ -52,5 +52,6 @@ ql/cpp/ql/src/Summary/LinesOfUserCode.ql
ql/cpp/ql/src/Telemetry/CompilerErrors.ql
ql/cpp/ql/src/Telemetry/DatabaseQuality.ql
ql/cpp/ql/src/Telemetry/ExtractionMetrics.ql
ql/cpp/ql/src/Telemetry/ExtractorInformation.ql
ql/cpp/ql/src/Telemetry/MissingIncludes.ql
ql/cpp/ql/src/Telemetry/SucceededIncludes.ql

1
cpp/ql/integration-tests/query-suite/cpp-security-and-quality.qls.expected
View File

@@ -160,6 +160,7 @@ ql/cpp/ql/src/Summary/LinesOfUserCode.ql
ql/cpp/ql/src/Telemetry/CompilerErrors.ql
ql/cpp/ql/src/Telemetry/DatabaseQuality.ql
ql/cpp/ql/src/Telemetry/ExtractionMetrics.ql
ql/cpp/ql/src/Telemetry/ExtractorInformation.ql
ql/cpp/ql/src/Telemetry/MissingIncludes.ql
ql/cpp/ql/src/Telemetry/SucceededIncludes.ql
ql/cpp/ql/src/jsf/4.06 Pre-Processing Directives/AV Rule 32.ql

1
cpp/ql/integration-tests/query-suite/cpp-security-extended.qls.expected
View File

@@ -93,5 +93,6 @@ ql/cpp/ql/src/Summary/LinesOfUserCode.ql
ql/cpp/ql/src/Telemetry/CompilerErrors.ql
ql/cpp/ql/src/Telemetry/DatabaseQuality.ql
ql/cpp/ql/src/Telemetry/ExtractionMetrics.ql
ql/cpp/ql/src/Telemetry/ExtractorInformation.ql
ql/cpp/ql/src/Telemetry/MissingIncludes.ql
ql/cpp/ql/src/Telemetry/SucceededIncludes.ql

4
cpp/ql/lib/change-notes/2026-03-20-add-indirect-uninitialized-node.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: feature
---
* Added a class `IndirectUninitializedNode` to represent the indirection of an uninitialized local variable as a dataflow node.

5
cpp/ql/lib/change-notes/2026-03-23-indirect-parameter-nodes-and-indirect-instructions.md Normal file
View File

@@ -0,0 +1,5 @@
---
category: feature
---
* Added a class `DataFlow::IndirectParameterNode` to represent the indirection of a parameter as a dataflow node.
* Added a predicate `Node::asIndirectInstruction` which returns the `Instruction` that defines the indirect dataflow node, if any.

4
cpp/ql/lib/change-notes/2026-03-26-convert-csv-models-to-yml.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: breaking
---
* The `SourceModelCsv`, `SinkModelCsv`, and `SummaryModelCsv` classes and the associated CSV parsing infrastructure have been removed from `ExternalFlow.qll`. New models should be added as `.model.yml` files in the `ext/` directory.

22
cpp/ql/lib/ext/ZMQ.model.yml Normal file
View File

@@ -0,0 +1,22 @@
# ZeroMQ networking library models
extensions:
- addsTo:
pack: codeql/cpp-all
extensible: sourceModel
data: # namespace, type, subtypes, name, signature, ext, output, kind, provenance
- ["", "", False, "zmq_recv", "", "", "Argument[*1]", "remote", "manual"]
- ["", "", False, "zmq_recvmsg", "", "", "Argument[*1]", "remote", "manual"]
- ["", "", False, "zmq_msg_recv", "", "", "Argument[*0]", "remote", "manual"]
- addsTo:
pack: codeql/cpp-all
extensible: sinkModel
data: # namespace, type, subtypes, name, signature, ext, input, kind, provenance
- ["", "", False, "zmq_send", "", "", "Argument[*1]", "remote-sink", "manual"]
- ["", "", False, "zmq_sendmsg", "", "", "Argument[*1]", "remote-sink", "manual"]
- ["", "", False, "zmq_msg_send", "", "", "Argument[*0]", "remote-sink", "manual"]
- addsTo:
pack: codeql/cpp-all
extensible: summaryModel
data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
- ["", "", False, "zmq_msg_init_data", "", "", "Argument[*1]", "Argument[*0]", "taint", "manual"]
- ["", "", False, "zmq_msg_data", "", "", "Argument[*0]", "ReturnValue[*]", "taint", "manual"]

19
cpp/ql/lib/ext/getc.model.yml Normal file
View File

@@ -0,0 +1,19 @@
# Models for getc and similar character-reading functions
extensions:
- addsTo:
pack: codeql/cpp-all
extensible: sourceModel
data: # namespace, type, subtypes, name, signature, ext, output, kind, provenance
- ["", "", False, "getc", "", "", "ReturnValue", "remote", "manual"]
- ["", "", False, "getwc", "", "", "ReturnValue", "remote", "manual"]
- ["", "", False, "_getc_nolock", "", "", "ReturnValue", "remote", "manual"]
- ["", "", False, "_getwc_nolock", "", "", "ReturnValue", "remote", "manual"]
- ["", "", False, "getch", "", "", "ReturnValue", "local", "manual"]
- ["", "", False, "_getch", "", "", "ReturnValue", "local", "manual"]
- ["", "", False, "_getwch", "", "", "ReturnValue", "local", "manual"]
- ["", "", False, "_getch_nolock", "", "", "ReturnValue", "local", "manual"]
- ["", "", False, "_getwch_nolock", "", "", "ReturnValue", "local", "manual"]
- ["", "", False, "getchar", "", "", "ReturnValue", "local", "manual"]
- ["", "", False, "getwchar", "", "", "ReturnValue", "local", "manual"]
- ["", "", False, "_getchar_nolock", "", "", "ReturnValue", "local", "manual"]
- ["", "", False, "_getwchar_nolock", "", "", "ReturnValue", "local", "manual"]

6
cpp/ql/lib/semmle/code/cpp/Function.qll
View File

@@ -524,6 +524,12 @@ class Function extends Declaration, ControlFlowNode, AccessHolder, @function {
not exists(NewOrNewArrayExpr new | e = new.getAllocatorCall().getArgument(0))
)
}
/**
* Holds if this function has an ambiguous return type, meaning that zero or multiple return
* types for this function are present in the database (this can occur in `build-mode: none`).
*/
predicate hasAmbiguousReturnType() { count(this.getType()) != 1 }
}
pragma[noinline]

15
cpp/ql/lib/semmle/code/cpp/commons/Printf.qll
View File

@@ -163,12 +163,23 @@ predicate primitiveVariadicFormatter(
)
}
/**
* Gets a function call whose target is a variadic formatter with the given
* `type`, `format` parameter index and `output` parameter index.
*
* Join-order helper for `callsVariadicFormatter`.
*/
pragma[nomagic]
private predicate callsVariadicFormatterCall(FunctionCall fc, string type, int format, int output) {
variadicFormatter(fc.getTarget(), type, format, output)
}
private predicate callsVariadicFormatter(
Function f, string type, int formatParamIndex, int outputParamIndex
) {
// calls a variadic formatter with `formatParamIndex`, `outputParamIndex` linked
exists(FunctionCall fc, int format, int output |
variadicFormatter(pragma[only_bind_into](fc.getTarget()), type, format, output) and
callsVariadicFormatterCall(fc, type, format, output) and
fc.getEnclosingFunction() = f and
fc.getArgument(format) = f.getParameter(formatParamIndex).getAnAccess() and
fc.getArgument(output) = f.getParameter(outputParamIndex).getAnAccess()
@@ -176,7 +187,7 @@ private predicate callsVariadicFormatter(
or
// calls a variadic formatter with only `formatParamIndex` linked
exists(FunctionCall fc, string calledType, int format, int output |
variadicFormatter(pragma[only_bind_into](fc.getTarget()), calledType, format, output) and
callsVariadicFormatterCall(fc, calledType, format, output) and
fc.getEnclosingFunction() = f and
fc.getArgument(format) = f.getParameter(formatParamIndex).getAnAccess() and
not fc.getArgument(output) = f.getParameter(_).getAnAccess() and

160
cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll
View File

@@ -1,9 +1,10 @@
/**
* INTERNAL use only. This is an experimental API subject to change without notice.
*
* Provides classes and predicates for dealing with flow models specified in CSV format.
* Provides classes and predicates for dealing with flow models specified
* in data extension files.
*
* The CSV specification has the following columns:
* The extensible relations have the following columns:
* - Sources:
* `namespace; type; subtypes; name; signature; ext; output; kind`
* - Sinks:
@@ -104,117 +105,9 @@ private import internal.FlowSummaryImpl::Private
private import internal.FlowSummaryImpl::Private::External
private import internal.ExternalFlowExtensions::Extensions as Extensions
private import codeql.mad.ModelValidation as SharedModelVal
private import codeql.util.Unit
private import codeql.mad.static.ModelsAsData as SharedMaD
/**
* A unit class for adding additional source model rows.
*
* Extend this class to add additional source definitions.
*/
class SourceModelCsv extends Unit {
/** Holds if `row` specifies a source definition. */
abstract predicate row(string row);
}
/**
* A unit class for adding additional sink model rows.
*
* Extend this class to add additional sink definitions.
*/
class SinkModelCsv extends Unit {
/** Holds if `row` specifies a sink definition. */
abstract predicate row(string row);
}
/**
* A unit class for adding additional summary model rows.
*
* Extend this class to add additional flow summary definitions.
*/
class SummaryModelCsv extends Unit {
/** Holds if `row` specifies a summary definition. */
abstract predicate row(string row);
}
/** Holds if `row` is a source model. */
predicate sourceModel(string row) { any(SourceModelCsv s).row(row) }
/** Holds if `row` is a sink model. */
predicate sinkModel(string row) { any(SinkModelCsv s).row(row) }
/** Holds if `row` is a summary model. */
predicate summaryModel(string row) { any(SummaryModelCsv s).row(row) }
private module MadInput implements SharedMaD::InputSig {
/** Holds if a source model exists for the given parameters. */
predicate additionalSourceModel(
string namespace, string type, boolean subtypes, string name, string signature, string ext,
string output, string kind, string provenance, string model
) {
exists(string row |
sourceModel(row) and
row.splitAt(";", 0) = namespace and
row.splitAt(";", 1) = type and
row.splitAt(";", 2) = subtypes.toString() and
subtypes = [true, false] and
row.splitAt(";", 3) = name and
row.splitAt(";", 4) = signature and
row.splitAt(";", 5) = ext and
row.splitAt(";", 6) = output and
row.splitAt(";", 7) = kind
) and
provenance = "manual" and
model = ""
}
/** Holds if a sink model exists for the given parameters. */
predicate additionalSinkModel(
string namespace, string type, boolean subtypes, string name, string signature, string ext,
string input, string kind, string provenance, string model
) {
exists(string row |
sinkModel(row) and
row.splitAt(";", 0) = namespace and
row.splitAt(";", 1) = type and
row.splitAt(";", 2) = subtypes.toString() and
subtypes = [true, false] and
row.splitAt(";", 3) = name and
row.splitAt(";", 4) = signature and
row.splitAt(";", 5) = ext and
row.splitAt(";", 6) = input and
row.splitAt(";", 7) = kind
) and
provenance = "manual" and
model = ""
}
/**
* Holds if a summary model exists for the given parameters.
*
* This predicate does not expand `@` to `*`s.
*/
predicate additionalSummaryModel(
string namespace, string type, boolean subtypes, string name, string signature, string ext,
string input, string output, string kind, string provenance, string model
) {
exists(string row |
summaryModel(row) and
row.splitAt(";", 0) = namespace and
row.splitAt(";", 1) = type and
row.splitAt(";", 2) = subtypes.toString() and
subtypes = [true, false] and
row.splitAt(";", 3) = name and
row.splitAt(";", 4) = signature and
row.splitAt(";", 5) = ext and
row.splitAt(";", 6) = input and
row.splitAt(";", 7) = output and
row.splitAt(";", 8) = kind
) and
provenance = "manual" and
model = ""
}
string namespaceSegmentSeparator() { result = "::" }
}
@@ -250,8 +143,8 @@ predicate summaryModel(
)
}
/** Provides a query predicate to check the CSV data for validation errors. */
module CsvValidation {
/** Provides a query predicate to check the data for validation errors. */
module ModelValidation {
private string getInvalidModelInput() {
exists(string pred, AccessPath input, string part |
sinkModel(_, _, _, _, _, _, input, _, _, _) and pred = "sink"
@@ -294,40 +187,6 @@ module CsvValidation {
private module KindVal = SharedModelVal::KindValidation<KindValConfig>;
private string getInvalidModelSubtype() {
exists(string pred, string row |
sourceModel(row) and pred = "source"
or
sinkModel(row) and pred = "sink"
or
summaryModel(row) and pred = "summary"
|
exists(string b |
b = row.splitAt(";", 2) and
not b = ["true", "false"] and
result = "Invalid boolean \"" + b + "\" in " + pred + " model."
)
)
}
private string getInvalidModelColumnCount() {
exists(string pred, string row, int expect |
sourceModel(row) and expect = 8 and pred = "source"
or
sinkModel(row) and expect = 8 and pred = "sink"
or
summaryModel(row) and expect = 9 and pred = "summary"
|
exists(int cols |
cols = 1 + max(int n | exists(row.splitAt(";", n))) and
cols != expect and
result =
"Wrong number of columns in " + pred + " model row, expected " + expect + ", got " + cols +
"."
)
)
}
private string getInvalidModelSignature() {
exists(string pred, string namespace, string type, string name, string signature, string ext |
sourceModel(namespace, type, _, name, signature, ext, _, _, _, _) and pred = "source"
@@ -366,13 +225,12 @@ module CsvValidation {
)
}
/** Holds if some row in a CSV-based flow model appears to contain typos. */
/** Holds if some row in a MaD flow model appears to contain typos. */
query predicate invalidModelRow(string msg) {
msg =
[
getInvalidModelSignature(), getInvalidModelInput(), getInvalidModelOutput(),
getInvalidModelSubtype(), getInvalidModelColumnCount(), KindVal::getInvalidModelKind(),
getIncorrectConstructorSummaryOutput()
KindVal::getInvalidModelKind(), getIncorrectConstructorSummaryOutput()
]
}
}
@@ -1026,7 +884,7 @@ private module Cached {
}
/**
* Holds if `node` is specified as a source with the given kind in a CSV flow
* Holds if `node` is specified as a source with the given kind in a MaD flow
* model.
*/
cached
@@ -1037,7 +895,7 @@ private module Cached {
}
/**
* Holds if `node` is specified as a sink with the given kind in a CSV flow
* Holds if `node` is specified as a sink with the given kind in a MaD flow
* model.
*/
cached

26
cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowDispatch.qll
View File

@@ -238,7 +238,12 @@ private module TrackVirtualDispatch<methodDispatchSig/1 virtualDispatch0> {
private import TypeTracking<Location, TtInput>::TypeTrack<qualifierSource/1>::Graph<qualifierOfVirtualCall/1>
private predicate edgePlus(PathNode n1, PathNode n2) = fastTC(edges/2)(n1, n2)
private predicate isSource(PathNode n) { n.isSource() }
private predicate isSink(PathNode n) { n.isSink() }
private predicate edgePlus(PathNode n1, PathNode n2) =
doublyBoundedFastTC(edges/2, isSource/1, isSink/1)(n1, n2)
/**
* Gets the most specific implementation of `mf` that may be called when the
@@ -255,6 +260,15 @@ private module TrackVirtualDispatch<methodDispatchSig/1 virtualDispatch0> {
)
}
pragma[nomagic]
private MemberFunction mostSpecificForSource(PathNode p1, MemberFunction mf) {
p1.isSource() and
exists(Class derived |
qualifierSourceImpl(p1.getNode(), derived) and
result = mostSpecific(mf, derived)
)
}
/**
* Gets a possible pair of end-points `(p1, p2)` where:
* - `p1` is a derived-to-base conversion that converts from some
@@ -264,16 +278,16 @@ private module TrackVirtualDispatch<methodDispatchSig/1 virtualDispatch0> {
* - `callable` is the most specific implementation that may be called when
* the qualifier has type `derived`.
*/
bindingset[p1, p2]
pragma[inline_late]
private predicate pairCand(
PathNode p1, PathNode p2, DataFlowPrivate::DataFlowCallable callable,
DataFlowPrivate::DataFlowCall call
) {
exists(Class derived, MemberFunction mf |
qualifierSourceImpl(p1.getNode(), derived) and
p2.isSink() and
exists(MemberFunction mf |
qualifierOfVirtualCallImpl(p2.getNode(), call.asCallInstruction(), mf) and
p1.isSource() and
p2.isSink() and
callable.asSourceCallable() = mostSpecific(mf, derived)
callable.asSourceCallable() = mostSpecificForSource(p1, mf)
)
}

66
cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowNodes.qll
View File

@@ -321,6 +321,12 @@ module Public {
*/
Operand asIndirectOperand(int index) { hasOperandAndIndex(this, result, index) }
/**
* Gets the instruction that is indirectly tracked by this node behind
* `index` number of indirections.
*/
Instruction asIndirectInstruction(int index) { hasInstructionAndIndex(this, result, index) }
/**
* Holds if this node is at index `i` in basic block `block`.
*
@@ -617,6 +623,25 @@ module Public {
*/
LocalVariable asUninitialized() { result = this.(UninitializedNode).getLocalVariable() }
/**
* Gets the uninitialized local variable corresponding to this node behind
* `index` number of indirections, if any.
*/
LocalVariable asIndirectUninitialized(int index) {
exists(IndirectUninitializedNode indirectUninitializedNode |
this = indirectUninitializedNode and
indirectUninitializedNode.getIndirectionIndex() = index
|
result = indirectUninitializedNode.getLocalVariable()
)
}
/**
* Gets the uninitialized local variable corresponding to this node behind
* a number indirections, if any.
*/
LocalVariable asIndirectUninitialized() { result = this.asIndirectUninitialized(_) }
/**
* Gets the positional parameter corresponding to the node that represents
* the value of the parameter after `index` number of loads, if any. For
@@ -761,16 +786,13 @@ module Public {
final override Type getType() { result = this.getPreUpdateNode().getType() }
}
/**
* The value of an uninitialized local variable, viewed as a node in a data
* flow graph.
*/
class UninitializedNode extends Node {
abstract private class AbstractUninitializedNode extends Node {
LocalVariable v;
int indirectionIndex;
UninitializedNode() {
AbstractUninitializedNode() {
exists(SsaImpl::Definition def, SsaImpl::SourceVariable sv |
def.getIndirectionIndex() = 0 and
def.getIndirectionIndex() = indirectionIndex and
def.getValue().asInstruction() instanceof UninitializedInstruction and
SsaImpl::defToNode(this, def, sv) and
v = sv.getBaseVariable().(SsaImpl::BaseIRVariable).getIRVariable().getAst()
@@ -781,6 +803,25 @@ module Public {
LocalVariable getLocalVariable() { result = v }
}
/**
* The value of an uninitialized local variable, viewed as a node in a data
* flow graph.
*/
class UninitializedNode extends AbstractUninitializedNode {
UninitializedNode() { indirectionIndex = 0 }
}
/**
* The value of an uninitialized local variable behind one or more levels of
* indirection, viewed as a node in a data flow graph.
*/
class IndirectUninitializedNode extends AbstractUninitializedNode {
IndirectUninitializedNode() { indirectionIndex > 0 }
/** Gets the indirection index of this node. */
int getIndirectionIndex() { result = indirectionIndex }
}
/**
* The value of a parameter at function entry, viewed as a node in a data
* flow graph. This includes both explicit parameters such as `x` in `f(x)`
@@ -795,6 +836,12 @@ module Public {
/** An explicit positional parameter, including `this`, but not `...`. */
final class DirectParameterNode = AbstractDirectParameterNode;
/**
* A node representing an indirection of a positional parameter,
* including `*this`, but not `*...`.
*/
final class IndirectParameterNode = AbstractIndirectParameterNode;
final class ExplicitParameterNode = AbstractExplicitParameterNode;
/** An implicit `this` parameter. */
@@ -954,11 +1001,6 @@ module Public {
private import Public
/**
* A node representing an indirection of a parameter.
*/
final class IndirectParameterNode = AbstractIndirectParameterNode;
/**
* A class that lifts pre-SSA dataflow nodes to regular dataflow nodes.
*/

1
cpp/ql/lib/semmle/code/cpp/models/Models.qll
View File

@@ -48,7 +48,6 @@ private import implementations.SqLite3
private import implementations.PostgreSql
private import implementations.System
private import implementations.StructuredExceptionHandling
private import implementations.ZMQ
private import implementations.Win32CommandExecution
private import implementations.CA2AEX
private import implementations.CComBSTR

18
cpp/ql/lib/semmle/code/cpp/models/implementations/Gets.qll
View File

@@ -112,21 +112,3 @@ private class GetsFunction extends DataFlowFunction, ArrayFunction, AliasFunctio
override predicate hasArrayOutput(int bufParam) { bufParam = 0 }
}
/**
* A model for `getc` and similar functions that are flow sources.
*/
private class GetcSource extends SourceModelCsv {
override predicate row(string row) {
row =
[
";;false;getc;;;ReturnValue;remote", ";;false;getwc;;;ReturnValue;remote",
";;false;_getc_nolock;;;ReturnValue;remote", ";;false;_getwc_nolock;;;ReturnValue;remote",
";;false;getch;;;ReturnValue;local", ";;false;_getch;;;ReturnValue;local",
";;false;_getwch;;;ReturnValue;local", ";;false;_getch_nolock;;;ReturnValue;local",
";;false;_getwch_nolock;;;ReturnValue;local", ";;false;getchar;;;ReturnValue;local",
";;false;getwchar;;;ReturnValue;local", ";;false;_getchar_nolock;;;ReturnValue;local",
";;false;_getwchar_nolock;;;ReturnValue;local",
]
}
}

45
cpp/ql/lib/semmle/code/cpp/models/implementations/ZMQ.qll
View File

@@ -1,45 +0,0 @@
/**
* Provides implementation classes modeling the ZeroMQ networking library.
*/
import semmle.code.cpp.models.interfaces.FlowSource
/**
* Remote flow sources.
*/
private class ZmqSource extends SourceModelCsv {
override predicate row(string row) {
row =
[
";;false;zmq_recv;;;Argument[*1];remote", ";;false;zmq_recvmsg;;;Argument[*1];remote",
";;false;zmq_msg_recv;;;Argument[*0];remote",
]
}
}
/**
* Remote flow sinks.
*/
private class ZmqSinks extends SinkModelCsv {
override predicate row(string row) {
row =
[
";;false;zmq_send;;;Argument[*1];remote-sink",
";;false;zmq_sendmsg;;;Argument[*1];remote-sink",
";;false;zmq_msg_send;;;Argument[*0];remote-sink",
]
}
}
/**
* Flow steps.
*/
private class ZmqSummaries extends SummaryModelCsv {
override predicate row(string row) {
row =
[
";;false;zmq_msg_init_data;;;Argument[*1];Argument[*0];taint",
";;false;zmq_msg_data;;;Argument[*0];ReturnValue[*];taint",
]
}
}

4
cpp/ql/src/Likely Bugs/Arithmetic/IntMultToLong.ql
View File

@@ -218,7 +218,9 @@ where
// only report if we cannot prove that the result of the
// multiplication will be less (resp. greater) than the
// maximum (resp. minimum) number we can compute.
overflows(me, t1)
overflows(me, t1) and
// exclude cases where the expression type may not have been extracted accurately
not me.getParent().(Call).getTarget().hasAmbiguousReturnType()
select me,
"Multiplication result may overflow '" + me.getType().toString() + "' before it is converted to '"
+ me.getFullyConverted().getType().toString() + "'."

2
cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql
View File

@@ -168,9 +168,11 @@ where
formatOtherArgType(ffc, n, expected, arg, actual) and
not actual.getUnspecifiedType().(IntegralType).getSize() = sizeof_IntType()
) and
// Exclude some cases where we're less confident the result is correct / clear / valuable
not arg.isAffectedByMacro() and
not arg.isFromUninstantiatedTemplate(_) and
not actual.stripType() instanceof ErroneousType and
not arg.getType().stripType().(RoutineType).getReturnType() instanceof ErroneousType and
not arg.(Call).mayBeFromImplicitlyDeclaredFunction() and
// Make sure that the format function definition is consistent
count(ffc.getTarget().getFormatParameterIndex()) = 1

2
cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql
View File

@@ -4,7 +4,7 @@
* allows for a cross-site scripting vulnerability.
* @kind path-problem
* @problem.severity error
* @security-severity 6.1
* @security-severity 7.8
* @precision high
* @id cpp/cgi-xss
* @tags security

20
cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql
View File

@@ -23,13 +23,31 @@ import Flow::PathGraph
predicate isSource(FlowSource source, string sourceType) { sourceType = source.getSourceType() }
/**
* Holds if `f` is a printf-like function or a (possibly nested) wrapper
* that forwards a format-string parameter to one.
*
* Functions that *implement* printf-like behavior (e.g. a custom
* `vsnprintf` variant) internally parse the caller-supplied format string
* and build small, bounded, local format strings such as `"%d"` or `"%ld"`
* for inner `sprintf` calls. Taint that reaches those inner calls via the
* parsed format specifier is not exploitable, so sinks inside such
* functions should be excluded.
*/
private predicate isPrintfImplementation(Function f) {
f instanceof PrintfLikeFunction
or
exists(PrintfLikeFunction printf | printf.wrapperFunction(f, _, _))
}
module Config implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node node) { isSource(node, _) }
predicate isSink(DataFlow::Node node) {
exists(PrintfLikeFunction printf |
printf.outermostWrapperFunctionCall([node.asExpr(), node.asIndirectExpr()], _)
)
) and
not isPrintfImplementation([node.asExpr(), node.asIndirectExpr()].getEnclosingFunction())
}
private predicate isArithmeticNonCharType(ArithmeticType type) {

3
cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql
View File

@@ -18,7 +18,8 @@ import IncorrectPointerScalingCommon
private predicate isCharSzPtrExpr(Expr e) {
exists(PointerType pt | pt = e.getFullyConverted().getUnspecifiedType() |
pt.getBaseType() instanceof CharType or
pt.getBaseType() instanceof VoidType
pt.getBaseType() instanceof VoidType or
pt.getBaseType() instanceof ErroneousType // this could be char / void type in a successful compilation
)
}

48
cpp/ql/src/Telemetry/DatabaseQuality.qll Normal file
View File

@@ -0,0 +1,48 @@
import cpp
import codeql.util.ReportStats
/** A file that is included in the quality statistics. */
private class RelevantFile extends File {
RelevantFile() { this.fromSource() and exists(this.getRelativePath()) }
}
module CallTargetStats implements StatsSig {
private class RelevantCall extends Call {
RelevantCall() { this.getFile() instanceof RelevantFile }
}
// We assume that calls with an implicit target are calls that could not be
// resolved. This is accurate in the vast majority of cases, but is inaccurate
// for calls that deliberately rely on implicitly declared functions.
private predicate hasImplicitTarget(RelevantCall call) {
call.getTarget().getADeclarationEntry().isImplicit()
}
int getNumberOfOk() { result = count(RelevantCall call | not hasImplicitTarget(call)) }
int getNumberOfNotOk() { result = count(RelevantCall call | hasImplicitTarget(call)) }
string getOkText() { result = "calls with call target" }
string getNotOkText() { result = "calls with missing call target" }
}
private class SourceExpr extends Expr {
SourceExpr() { this.getFile() instanceof RelevantFile }
}
private predicate hasGoodType(Expr e) { not e.getType() instanceof ErroneousType }
module ExprTypeStats implements StatsSig {
int getNumberOfOk() { result = count(SourceExpr e | hasGoodType(e)) }
int getNumberOfNotOk() { result = count(SourceExpr e | not hasGoodType(e)) }
string getOkText() { result = "expressions with known type" }
string getNotOkText() { result = "expressions with unknown type" }
}
module CallTargetStatsReport = ReportStats<CallTargetStats>;
module ExprTypeStatsReport = ReportStats<ExprTypeStats>;

28
cpp/ql/src/Telemetry/ExtractorInformation.ql Normal file
View File

@@ -0,0 +1,28 @@
/**
* @name C/C++ extraction information
* @description Information about the extraction for a C/C++ database
* @kind metric
* @tags summary telemetry
* @id cpp/telemetry/extraction-information
*/
import cpp
import DatabaseQuality
from string key, float value
where
(
CallTargetStatsReport::numberOfOk(key, value) or
CallTargetStatsReport::numberOfNotOk(key, value) or
CallTargetStatsReport::percentageOfOk(key, value) or
ExprTypeStatsReport::numberOfOk(key, value) or
ExprTypeStatsReport::numberOfNotOk(key, value) or
ExprTypeStatsReport::percentageOfOk(key, value)
) and
/* Infinity */
value != 1.0 / 0.0 and
/* -Infinity */
value != -1.0 / 0.0 and
/* NaN */
value != 0.0 / 0.0
select key, value

4
cpp/ql/src/change-notes/2026-03-11-integer-multiplication-cast-to-long.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* Fixed an issue with the "Multiplication result converted to larger type" (`cpp/integer-multiplication-cast-to-long`) query causing false positive results in `build-mode: none` databases.

4
cpp/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: queryMetadata
---
* The `@security-severity` metadata of `cpp/cgi-xss` has been increased from 6.1 (medium) to 7.8 (high).

4
cpp/ql/src/change-notes/2026-03-16-wrong-type-format-argument.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* Fixed an issue with the "Wrong type of arguments to formatting function" (`cpp/wrong-type-format-argument`) query causing false positive results in `build-mode: none` databases.

4
cpp/ql/src/change-notes/2026-03-19-suspicious-add-sizeof.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* Fixed an issue with the "Suspicious add with sizeof" (`cpp/suspicious-add-sizeof`) query causing false positive results in `build-mode: none` databases.

4
cpp/ql/src/change-notes/2026-03-19-tainted-format-string.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* Fixed an issue with the "Uncontrolled format string" (`cpp/tainted-format-string`) query involving certain kinds of formatting function implementations.

2
cpp/ql/test/library-tests/dataflow/external-models/validatemodels.ql
View File

@@ -1,2 +1,2 @@
import cpp
import semmle.code.cpp.dataflow.ExternalFlow::CsvValidation
import semmle.code.cpp.dataflow.ExternalFlow::ModelValidation

20
cpp/ql/test/library-tests/dataflow/models-as-data/FlowSummaryNode.ql
View File

@@ -1,20 +0,0 @@
import testModels
private import semmle.code.cpp.ir.dataflow.internal.DataFlowPrivate
private import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
private import semmle.code.cpp.ir.dataflow.internal.DataFlowNodes
string describe(DataFlow::Node n) {
n instanceof ParameterNode and result = "ParameterNode"
or
n instanceof PostUpdateNode and result = "PostUpdateNode"
or
n instanceof ArgumentNode and result = "ArgumentNode"
or
n instanceof ReturnNode and result = "ReturnNode"
or
n instanceof OutNode and result = "OutNode"
}
from FlowSummaryNode n
select n, concat(describe(n), ", "), concat(n.getSummarizedCallable().toString(), ", "),
concat(n.getEnclosingCallable().toString(), ", ")

267
cpp/ql/test/library-tests/dataflow/models-as-data/SummaryCall.expected
View File

@@ -1,267 +0,0 @@
summaryCalls
| file://:0:0:0:0 | [summary] call to [summary param] 0 in madCallArg0ReturnToReturn in madCallArg0ReturnToReturn |
| file://:0:0:0:0 | [summary] call to [summary param] 0 in madCallArg0ReturnToReturnFirst in madCallArg0ReturnToReturnFirst |
| file://:0:0:0:0 | [summary] call to [summary param] 0 in madCallArg0WithValue in madCallArg0WithValue |
summarizedCallables
| tests.cpp:144:5:144:19 | madArg0ToReturn |
| tests.cpp:145:6:145:28 | madArg0ToReturnIndirect |
| tests.cpp:147:5:147:28 | madArg0ToReturnValueFlow |
| tests.cpp:148:5:148:27 | madArg0IndirectToReturn |
| tests.cpp:149:5:149:33 | madArg0DoubleIndirectToReturn |
| tests.cpp:150:5:150:30 | madArg0NotIndirectToReturn |
| tests.cpp:151:6:151:26 | madArg0ToArg1Indirect |
| tests.cpp:152:6:152:34 | madArg0IndirectToArg1Indirect |
| tests.cpp:153:5:153:18 | madArgsComplex |
| tests.cpp:154:5:154:14 | madArgsAny |
| tests.cpp:155:5:155:28 | madAndImplementedComplex |
| tests.cpp:160:5:160:24 | madArg0FieldToReturn |
| tests.cpp:161:5:161:32 | madArg0IndirectFieldToReturn |
| tests.cpp:162:5:162:32 | madArg0FieldIndirectToReturn |
| tests.cpp:163:13:163:32 | madArg0ToReturnField |
| tests.cpp:164:14:164:41 | madArg0ToReturnIndirectField |
| tests.cpp:165:13:165:40 | madArg0ToReturnFieldIndirect |
| tests.cpp:284:7:284:19 | madArg0ToSelf |
| tests.cpp:285:6:285:20 | madSelfToReturn |
| tests.cpp:287:7:287:20 | madArg0ToField |
| tests.cpp:288:6:288:21 | madFieldToReturn |
| tests.cpp:313:7:313:30 | namespaceMadSelfToReturn |
| tests.cpp:434:5:434:29 | madCallArg0ReturnToReturn |
| tests.cpp:435:9:435:38 | madCallArg0ReturnToReturnFirst |
| tests.cpp:436:6:436:25 | madCallArg0WithValue |
| tests.cpp:437:5:437:36 | madCallReturnValueIgnoreFunction |
| tests.cpp:459:5:459:31 | parameter_ref_to_return_ref |
| tests.cpp:471:5:471:17 | receive_array |
sourceCallables
| tests.cpp:3:5:3:10 | source |
| tests.cpp:4:6:4:14 | sourcePtr |
| tests.cpp:5:6:5:19 | sourceIndirect |
| tests.cpp:6:6:6:9 | sink |
| tests.cpp:6:15:6:17 | val |
| tests.cpp:7:6:7:9 | sink |
| tests.cpp:7:16:7:18 | ptr |
| tests.cpp:11:5:11:18 | localMadSource |
| tests.cpp:12:5:12:19 | remoteMadSource |
| tests.cpp:13:5:13:14 | notASource |
| tests.cpp:14:5:14:22 | localMadSourceVoid |
| tests.cpp:15:5:15:25 | localMadSourceHasBody |
| tests.cpp:16:6:16:28 | remoteMadSourceIndirect |
| tests.cpp:17:7:17:35 | remoteMadSourceDoubleIndirect |
| tests.cpp:18:6:18:32 | remoteMadSourceIndirectArg0 |
| tests.cpp:18:39:18:39 | x |
| tests.cpp:18:47:18:47 | y |
| tests.cpp:19:6:19:32 | remoteMadSourceIndirectArg1 |
| tests.cpp:19:39:19:39 | x |
| tests.cpp:19:47:19:47 | y |
| tests.cpp:20:5:20:22 | remoteMadSourceVar |
| tests.cpp:21:6:21:31 | remoteMadSourceVarIndirect |
| tests.cpp:24:6:24:28 | namespaceLocalMadSource |
| tests.cpp:25:6:25:31 | namespaceLocalMadSourceVar |
| tests.cpp:28:7:28:30 | namespace2LocalMadSource |
| tests.cpp:31:6:31:19 | localMadSource |
| tests.cpp:33:5:33:27 | namespaceLocalMadSource |
| tests.cpp:35:6:35:17 | test_sources |
| tests.cpp:50:6:50:6 | v |
| tests.cpp:51:7:51:16 | v_indirect |
| tests.cpp:52:6:52:13 | v_direct |
| tests.cpp:63:6:63:6 | a |
| tests.cpp:63:9:63:9 | b |
| tests.cpp:63:12:63:12 | c |
| tests.cpp:63:15:63:15 | d |
| tests.cpp:75:6:75:6 | e |
| tests.cpp:85:6:85:26 | remoteMadSourceParam0 |
| tests.cpp:85:32:85:32 | x |
| tests.cpp:92:6:92:16 | madSinkArg0 |
| tests.cpp:92:22:92:22 | x |
| tests.cpp:93:6:93:13 | notASink |
| tests.cpp:93:19:93:19 | x |
| tests.cpp:94:6:94:16 | madSinkArg1 |
| tests.cpp:94:22:94:22 | x |
| tests.cpp:94:29:94:29 | y |
| tests.cpp:95:6:95:17 | madSinkArg01 |
| tests.cpp:95:23:95:23 | x |
| tests.cpp:95:30:95:30 | y |
| tests.cpp:95:37:95:37 | z |
| tests.cpp:96:6:96:17 | madSinkArg02 |
| tests.cpp:96:23:96:23 | x |
| tests.cpp:96:30:96:30 | y |
| tests.cpp:96:37:96:37 | z |
| tests.cpp:97:6:97:24 | madSinkIndirectArg0 |
| tests.cpp:97:31:97:31 | x |
| tests.cpp:98:6:98:30 | madSinkDoubleIndirectArg0 |
| tests.cpp:98:38:98:38 | x |
| tests.cpp:99:5:99:14 | madSinkVar |
| tests.cpp:100:6:100:23 | madSinkVarIndirect |
| tests.cpp:102:6:102:15 | test_sinks |
| tests.cpp:116:6:116:6 | a |
| tests.cpp:117:7:117:11 | a_ptr |
| tests.cpp:132:6:132:18 | madSinkParam0 |
| tests.cpp:132:24:132:24 | x |
| tests.cpp:138:8:138:8 | operator= |
| tests.cpp:138:8:138:8 | operator= |
| tests.cpp:138:8:138:18 | MyContainer |
| tests.cpp:139:6:139:10 | value |
| tests.cpp:140:6:140:11 | value2 |
| tests.cpp:141:7:141:9 | ptr |
| tests.cpp:144:5:144:19 | madArg0ToReturn |
| tests.cpp:144:25:144:25 | x |
| tests.cpp:145:6:145:28 | madArg0ToReturnIndirect |
| tests.cpp:145:34:145:34 | x |
| tests.cpp:146:5:146:15 | notASummary |
| tests.cpp:146:21:146:21 | x |
| tests.cpp:147:5:147:28 | madArg0ToReturnValueFlow |
| tests.cpp:147:34:147:34 | x |
| tests.cpp:148:5:148:27 | madArg0IndirectToReturn |
| tests.cpp:148:34:148:34 | x |
| tests.cpp:149:5:149:33 | madArg0DoubleIndirectToReturn |
| tests.cpp:149:41:149:41 | x |
| tests.cpp:150:5:150:30 | madArg0NotIndirectToReturn |
| tests.cpp:150:37:150:37 | x |
| tests.cpp:151:6:151:26 | madArg0ToArg1Indirect |
| tests.cpp:151:32:151:32 | x |
| tests.cpp:151:40:151:40 | y |
| tests.cpp:152:6:152:34 | madArg0IndirectToArg1Indirect |
| tests.cpp:152:47:152:47 | x |
| tests.cpp:152:55:152:55 | y |
| tests.cpp:153:5:153:18 | madArgsComplex |
| tests.cpp:153:25:153:25 | a |
| tests.cpp:153:33:153:33 | b |
| tests.cpp:153:40:153:40 | c |
| tests.cpp:153:47:153:47 | d |
| tests.cpp:154:5:154:14 | madArgsAny |
| tests.cpp:154:20:154:20 | a |
| tests.cpp:154:28:154:28 | b |
| tests.cpp:155:5:155:28 | madAndImplementedComplex |
| tests.cpp:155:34:155:34 | a |
| tests.cpp:155:41:155:41 | b |
| tests.cpp:155:48:155:48 | c |
| tests.cpp:160:5:160:24 | madArg0FieldToReturn |
| tests.cpp:160:38:160:39 | mc |
| tests.cpp:161:5:161:32 | madArg0IndirectFieldToReturn |
| tests.cpp:161:47:161:48 | mc |
| tests.cpp:162:5:162:32 | madArg0FieldIndirectToReturn |
| tests.cpp:162:46:162:47 | mc |
| tests.cpp:163:13:163:32 | madArg0ToReturnField |
| tests.cpp:163:38:163:38 | x |
| tests.cpp:164:14:164:41 | madArg0ToReturnIndirectField |
| tests.cpp:164:47:164:47 | x |
| tests.cpp:165:13:165:40 | madArg0ToReturnFieldIndirect |
| tests.cpp:165:46:165:46 | x |
| tests.cpp:167:13:167:30 | madFieldToFieldVar |
| tests.cpp:168:13:168:38 | madFieldToIndirectFieldVar |
| tests.cpp:169:14:169:39 | madIndirectFieldToFieldVar |
| tests.cpp:171:6:171:19 | test_summaries |
| tests.cpp:174:6:174:6 | a |
| tests.cpp:174:9:174:9 | b |
| tests.cpp:174:12:174:12 | c |
| tests.cpp:174:15:174:15 | d |
| tests.cpp:174:18:174:18 | e |
| tests.cpp:175:7:175:11 | a_ptr |
| tests.cpp:218:14:218:16 | mc1 |
| tests.cpp:218:19:218:21 | mc2 |
| tests.cpp:237:15:237:18 | rtn1 |
| tests.cpp:240:14:240:17 | rtn2 |
| tests.cpp:241:7:241:14 | rtn2_ptr |
| tests.cpp:267:7:267:7 | operator= |
| tests.cpp:267:7:267:7 | operator= |
| tests.cpp:267:7:267:13 | MyClass |
| tests.cpp:270:6:270:26 | memberRemoteMadSource |
| tests.cpp:271:7:271:39 | memberRemoteMadSourceIndirectArg0 |
| tests.cpp:271:46:271:46 | x |
| tests.cpp:272:6:272:29 | memberRemoteMadSourceVar |
| tests.cpp:273:7:273:21 | qualifierSource |
| tests.cpp:274:7:274:26 | qualifierFieldSource |
| tests.cpp:277:7:277:23 | memberMadSinkArg0 |
| tests.cpp:277:29:277:29 | x |
| tests.cpp:278:6:278:21 | memberMadSinkVar |
| tests.cpp:279:7:279:19 | qualifierSink |
| tests.cpp:280:7:280:23 | qualifierArg0Sink |
| tests.cpp:280:29:280:29 | x |
| tests.cpp:281:7:281:24 | qualifierFieldSink |
| tests.cpp:284:7:284:19 | madArg0ToSelf |
| tests.cpp:284:25:284:25 | x |
| tests.cpp:285:6:285:20 | madSelfToReturn |
| tests.cpp:286:6:286:16 | notASummary |
| tests.cpp:287:7:287:20 | madArg0ToField |
| tests.cpp:287:26:287:26 | x |
| tests.cpp:288:6:288:21 | madFieldToReturn |
| tests.cpp:290:6:290:8 | val |
| tests.cpp:293:7:293:7 | MyDerivedClass |
| tests.cpp:293:7:293:7 | operator= |
| tests.cpp:293:7:293:7 | operator= |
| tests.cpp:293:7:293:20 | MyDerivedClass |
| tests.cpp:295:6:295:28 | subtypeRemoteMadSource1 |
| tests.cpp:296:6:296:21 | subtypeNonSource |
| tests.cpp:297:6:297:28 | subtypeRemoteMadSource2 |
| tests.cpp:300:9:300:15 | source2 |
| tests.cpp:301:6:301:9 | sink |
| tests.cpp:301:19:301:20 | mc |
| tests.cpp:304:8:304:8 | operator= |
| tests.cpp:304:8:304:8 | operator= |
| tests.cpp:304:8:304:14 | MyClass |
| tests.cpp:307:8:307:33 | namespaceMemberMadSinkArg0 |
| tests.cpp:307:39:307:39 | x |
| tests.cpp:308:15:308:46 | namespaceStaticMemberMadSinkArg0 |
| tests.cpp:308:52:308:52 | x |
| tests.cpp:309:7:309:31 | namespaceMemberMadSinkVar |
| tests.cpp:310:14:310:44 | namespaceStaticMemberMadSinkVar |
| tests.cpp:313:7:313:30 | namespaceMadSelfToReturn |
| tests.cpp:317:22:317:28 | source3 |
| tests.cpp:319:6:319:23 | test_class_members |
| tests.cpp:320:10:320:11 | mc |
| tests.cpp:320:14:320:16 | mc2 |
| tests.cpp:320:19:320:21 | mc3 |
| tests.cpp:320:24:320:26 | mc4 |
| tests.cpp:320:29:320:31 | mc5 |
| tests.cpp:320:34:320:36 | mc6 |
| tests.cpp:320:39:320:41 | mc7 |
| tests.cpp:320:44:320:46 | mc8 |
| tests.cpp:320:49:320:51 | mc9 |
| tests.cpp:320:54:320:57 | mc10 |
| tests.cpp:320:60:320:63 | mc11 |
| tests.cpp:321:11:321:13 | ptr |
| tests.cpp:321:17:321:23 | mc4_ptr |
| tests.cpp:322:17:322:19 | mdc |
| tests.cpp:323:23:323:25 | mnc |
| tests.cpp:323:28:323:31 | mnc2 |
| tests.cpp:324:24:324:31 | mnc2_ptr |
| tests.cpp:330:6:330:6 | a |
| tests.cpp:429:8:429:8 | operator= |
| tests.cpp:429:8:429:8 | operator= |
| tests.cpp:429:8:429:14 | intPair |
| tests.cpp:430:6:430:10 | first |
| tests.cpp:431:6:431:11 | second |
| tests.cpp:434:5:434:29 | madCallArg0ReturnToReturn |
| tests.cpp:434:37:434:43 | fun_ptr |
| tests.cpp:435:9:435:38 | madCallArg0ReturnToReturnFirst |
| tests.cpp:435:46:435:52 | fun_ptr |
| tests.cpp:436:6:436:25 | madCallArg0WithValue |
| tests.cpp:436:34:436:40 | fun_ptr |
| tests.cpp:436:53:436:57 | value |
| tests.cpp:437:5:437:36 | madCallReturnValueIgnoreFunction |
| tests.cpp:437:45:437:51 | fun_ptr |
| tests.cpp:437:64:437:68 | value |
| tests.cpp:439:5:439:14 | getTainted |
| tests.cpp:440:6:440:13 | useValue |
| tests.cpp:440:19:440:19 | x |
| tests.cpp:441:6:441:17 | dontUseValue |
| tests.cpp:441:23:441:23 | x |
| tests.cpp:443:6:443:27 | test_function_pointers |
| tests.cpp:456:19:456:19 | X |
| tests.cpp:457:8:457:35 | StructWithTypedefInParameter<X> |
| tests.cpp:457:8:457:35 | StructWithTypedefInParameter<int> |
| tests.cpp:458:12:458:15 | Type |
| tests.cpp:459:5:459:31 | parameter_ref_to_return_ref |
| tests.cpp:459:5:459:31 | parameter_ref_to_return_ref |
| tests.cpp:459:45:459:45 | x |
| tests.cpp:459:45:459:45 | x |
| tests.cpp:462:6:462:37 | test_parameter_ref_to_return_ref |
| tests.cpp:463:6:463:6 | x |
| tests.cpp:464:36:464:36 | s |
| tests.cpp:465:6:465:6 | y |
| tests.cpp:469:7:469:9 | INT |
| tests.cpp:471:5:471:17 | receive_array |
| tests.cpp:471:23:471:23 | a |
| tests.cpp:473:6:473:23 | test_receive_array |
| tests.cpp:474:6:474:6 | x |
| tests.cpp:475:6:475:10 | array |
| tests.cpp:476:6:476:6 | y |

9
cpp/ql/test/library-tests/dataflow/models-as-data/SummaryCall.ql
View File

@@ -1,9 +0,0 @@
import testModels
private import semmle.code.cpp.ir.dataflow.internal.DataFlowPrivate
private import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
query predicate summaryCalls(SummaryCall c) { any() }
query predicate summarizedCallables(SummarizedCallable c) { any() }
query predicate sourceCallables(SourceCallable c) { c.getLocation().getFile().toString() != "" }

29
cpp/ql/test/library-tests/dataflow/models-as-data/consistency.expected
View File

@@ -1,29 +0,0 @@
uniqueEnclosingCallable
uniqueCallEnclosingCallable
uniqueType
uniqueNodeLocation
missingLocation
uniqueNodeToString
parameterCallable
localFlowIsLocal
readStepIsLocal
storeStepIsLocal
compatibleTypesReflexive
unreachableNodeCCtx
localCallNodes
postIsNotPre
postHasUniquePre
uniquePostUpdate
postIsInSameCallable
reverseRead
argHasPostUpdate
postWithInFlow
viableImplInCallContextTooLarge
uniqueParameterNodeAtPosition
uniqueParameterNodePosition
uniqueContentApprox
identityLocalStep
missingArgumentCall
multipleArgumentCall
lambdaCallEnclosingCallableMismatch
speculativeStepAlreadyHasModel

2
cpp/ql/test/library-tests/dataflow/models-as-data/consistency.ql
View File

@@ -1,2 +0,0 @@
import testModels
import semmle.code.cpp.ir.dataflow.internal.DataFlowImplConsistency::Consistency

18
cpp/ql/test/library-tests/dataflow/models-as-data/interpretElement.ql
View File

@@ -1,18 +0,0 @@
import utils.test.InlineExpectationsTest
import testModels
module InterpretElementTest implements TestSig {
string getARelevantTag() { result = "interpretElement" }
predicate hasActualResult(Location location, string element, string tag, string value) {
exists(Element e |
e = interpretElement(_, _, _, _, _, _) and
location = e.getLocation() and
element = e.toString() and
tag = "interpretElement" and
value = ""
)
}
}
import MakeTest<InterpretElementTest>

0
cpp/ql/test/library-tests/dataflow/models-as-data/taint.expected
View File

32
cpp/ql/test/library-tests/dataflow/models-as-data/taint.ql
View File

@@ -1,32 +0,0 @@
import utils.test.dataflow.FlowTestCommon
import testModels
module IRTest {
private import semmle.code.cpp.ir.IR
private import semmle.code.cpp.ir.dataflow.TaintTracking
/** Common data flow configuration to be used by tests. */
module TestAllocationConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) {
source instanceof FlowSource
or
source.asExpr().(FunctionCall).getTarget().getName() =
["source", "source2", "source3", "sourcePtr"]
or
source.asIndirectExpr(1).(FunctionCall).getTarget().getName() = "sourceIndirect"
}
predicate isSink(DataFlow::Node sink) {
sinkNode(sink, "test-sink")
or
exists(FunctionCall call |
call.getTarget().getName() = "sink" and
sink.asExpr() = call.getAnArgument()
)
}
}
module IRFlow = TaintTracking::Global<TestAllocationConfig>;
}
import MakeTest<IRFlowTest<IRTest::IRFlow>>

298
cpp/ql/test/library-tests/dataflow/models-as-data/FlowSummaryNode.expected → cpp/ql/test/library-tests/dataflow/models-as-data/testModels.expected
View File

@@ -1,3 +1,301 @@
uniqueEnclosingCallable
uniqueCallEnclosingCallable
uniqueType
uniqueNodeLocation
missingLocation
uniqueNodeToString
parameterCallable
localFlowIsLocal
readStepIsLocal
storeStepIsLocal
compatibleTypesReflexive
unreachableNodeCCtx
localCallNodes
postIsNotPre
postHasUniquePre
uniquePostUpdate
postIsInSameCallable
reverseRead
argHasPostUpdate
postWithInFlow
viableImplInCallContextTooLarge
uniqueParameterNodeAtPosition
uniqueParameterNodePosition
uniqueContentApprox
identityLocalStep
missingArgumentCall
multipleArgumentCall
lambdaCallEnclosingCallableMismatch
speculativeStepAlreadyHasModel
testFailures
summaryCalls
| file://:0:0:0:0 | [summary] call to [summary param] 0 in madCallArg0ReturnToReturn in madCallArg0ReturnToReturn |
| file://:0:0:0:0 | [summary] call to [summary param] 0 in madCallArg0ReturnToReturnFirst in madCallArg0ReturnToReturnFirst |
| file://:0:0:0:0 | [summary] call to [summary param] 0 in madCallArg0WithValue in madCallArg0WithValue |
summarizedCallables
| tests.cpp:144:5:144:19 | madArg0ToReturn |
| tests.cpp:145:6:145:28 | madArg0ToReturnIndirect |
| tests.cpp:147:5:147:28 | madArg0ToReturnValueFlow |
| tests.cpp:148:5:148:27 | madArg0IndirectToReturn |
| tests.cpp:149:5:149:33 | madArg0DoubleIndirectToReturn |
| tests.cpp:150:5:150:30 | madArg0NotIndirectToReturn |
| tests.cpp:151:6:151:26 | madArg0ToArg1Indirect |
| tests.cpp:152:6:152:34 | madArg0IndirectToArg1Indirect |
| tests.cpp:153:5:153:18 | madArgsComplex |
| tests.cpp:154:5:154:14 | madArgsAny |
| tests.cpp:155:5:155:28 | madAndImplementedComplex |
| tests.cpp:160:5:160:24 | madArg0FieldToReturn |
| tests.cpp:161:5:161:32 | madArg0IndirectFieldToReturn |
| tests.cpp:162:5:162:32 | madArg0FieldIndirectToReturn |
| tests.cpp:163:13:163:32 | madArg0ToReturnField |
| tests.cpp:164:14:164:41 | madArg0ToReturnIndirectField |
| tests.cpp:165:13:165:40 | madArg0ToReturnFieldIndirect |
| tests.cpp:284:7:284:19 | madArg0ToSelf |
| tests.cpp:285:6:285:20 | madSelfToReturn |
| tests.cpp:287:7:287:20 | madArg0ToField |
| tests.cpp:288:6:288:21 | madFieldToReturn |
| tests.cpp:313:7:313:30 | namespaceMadSelfToReturn |
| tests.cpp:434:5:434:29 | madCallArg0ReturnToReturn |
| tests.cpp:435:9:435:38 | madCallArg0ReturnToReturnFirst |
| tests.cpp:436:6:436:25 | madCallArg0WithValue |
| tests.cpp:437:5:437:36 | madCallReturnValueIgnoreFunction |
| tests.cpp:459:5:459:31 | parameter_ref_to_return_ref |
| tests.cpp:471:5:471:17 | receive_array |
sourceCallables
| tests.cpp:3:5:3:10 | source |
| tests.cpp:4:6:4:14 | sourcePtr |
| tests.cpp:5:6:5:19 | sourceIndirect |
| tests.cpp:6:6:6:9 | sink |
| tests.cpp:6:15:6:17 | val |
| tests.cpp:7:6:7:9 | sink |
| tests.cpp:7:16:7:18 | ptr |
| tests.cpp:11:5:11:18 | localMadSource |
| tests.cpp:12:5:12:19 | remoteMadSource |
| tests.cpp:13:5:13:14 | notASource |
| tests.cpp:14:5:14:22 | localMadSourceVoid |
| tests.cpp:15:5:15:25 | localMadSourceHasBody |
| tests.cpp:16:6:16:28 | remoteMadSourceIndirect |
| tests.cpp:17:7:17:35 | remoteMadSourceDoubleIndirect |
| tests.cpp:18:6:18:32 | remoteMadSourceIndirectArg0 |
| tests.cpp:18:39:18:39 | x |
| tests.cpp:18:47:18:47 | y |
| tests.cpp:19:6:19:32 | remoteMadSourceIndirectArg1 |
| tests.cpp:19:39:19:39 | x |
| tests.cpp:19:47:19:47 | y |
| tests.cpp:20:5:20:22 | remoteMadSourceVar |
| tests.cpp:21:6:21:31 | remoteMadSourceVarIndirect |
| tests.cpp:24:6:24:28 | namespaceLocalMadSource |
| tests.cpp:25:6:25:31 | namespaceLocalMadSourceVar |
| tests.cpp:28:7:28:30 | namespace2LocalMadSource |
| tests.cpp:31:6:31:19 | localMadSource |
| tests.cpp:33:5:33:27 | namespaceLocalMadSource |
| tests.cpp:35:6:35:17 | test_sources |
| tests.cpp:50:6:50:6 | v |
| tests.cpp:51:7:51:16 | v_indirect |
| tests.cpp:52:6:52:13 | v_direct |
| tests.cpp:63:6:63:6 | a |
| tests.cpp:63:9:63:9 | b |
| tests.cpp:63:12:63:12 | c |
| tests.cpp:63:15:63:15 | d |
| tests.cpp:75:6:75:6 | e |
| tests.cpp:85:6:85:26 | remoteMadSourceParam0 |
| tests.cpp:85:32:85:32 | x |
| tests.cpp:92:6:92:16 | madSinkArg0 |
| tests.cpp:92:22:92:22 | x |
| tests.cpp:93:6:93:13 | notASink |
| tests.cpp:93:19:93:19 | x |
| tests.cpp:94:6:94:16 | madSinkArg1 |
| tests.cpp:94:22:94:22 | x |
| tests.cpp:94:29:94:29 | y |
| tests.cpp:95:6:95:17 | madSinkArg01 |
| tests.cpp:95:23:95:23 | x |
| tests.cpp:95:30:95:30 | y |
| tests.cpp:95:37:95:37 | z |
| tests.cpp:96:6:96:17 | madSinkArg02 |
| tests.cpp:96:23:96:23 | x |
| tests.cpp:96:30:96:30 | y |
| tests.cpp:96:37:96:37 | z |
| tests.cpp:97:6:97:24 | madSinkIndirectArg0 |
| tests.cpp:97:31:97:31 | x |
| tests.cpp:98:6:98:30 | madSinkDoubleIndirectArg0 |
| tests.cpp:98:38:98:38 | x |
| tests.cpp:99:5:99:14 | madSinkVar |
| tests.cpp:100:6:100:23 | madSinkVarIndirect |
| tests.cpp:102:6:102:15 | test_sinks |
| tests.cpp:116:6:116:6 | a |
| tests.cpp:117:7:117:11 | a_ptr |
| tests.cpp:132:6:132:18 | madSinkParam0 |
| tests.cpp:132:24:132:24 | x |
| tests.cpp:138:8:138:8 | operator= |
| tests.cpp:138:8:138:8 | operator= |
| tests.cpp:138:8:138:18 | MyContainer |
| tests.cpp:139:6:139:10 | value |
| tests.cpp:140:6:140:11 | value2 |
| tests.cpp:141:7:141:9 | ptr |
| tests.cpp:144:5:144:19 | madArg0ToReturn |
| tests.cpp:144:25:144:25 | x |
| tests.cpp:145:6:145:28 | madArg0ToReturnIndirect |
| tests.cpp:145:34:145:34 | x |
| tests.cpp:146:5:146:15 | notASummary |
| tests.cpp:146:21:146:21 | x |
| tests.cpp:147:5:147:28 | madArg0ToReturnValueFlow |
| tests.cpp:147:34:147:34 | x |
| tests.cpp:148:5:148:27 | madArg0IndirectToReturn |
| tests.cpp:148:34:148:34 | x |
| tests.cpp:149:5:149:33 | madArg0DoubleIndirectToReturn |
| tests.cpp:149:41:149:41 | x |
| tests.cpp:150:5:150:30 | madArg0NotIndirectToReturn |
| tests.cpp:150:37:150:37 | x |
| tests.cpp:151:6:151:26 | madArg0ToArg1Indirect |
| tests.cpp:151:32:151:32 | x |
| tests.cpp:151:40:151:40 | y |
| tests.cpp:152:6:152:34 | madArg0IndirectToArg1Indirect |
| tests.cpp:152:47:152:47 | x |
| tests.cpp:152:55:152:55 | y |
| tests.cpp:153:5:153:18 | madArgsComplex |
| tests.cpp:153:25:153:25 | a |
| tests.cpp:153:33:153:33 | b |
| tests.cpp:153:40:153:40 | c |
| tests.cpp:153:47:153:47 | d |
| tests.cpp:154:5:154:14 | madArgsAny |
| tests.cpp:154:20:154:20 | a |
| tests.cpp:154:28:154:28 | b |
| tests.cpp:155:5:155:28 | madAndImplementedComplex |
| tests.cpp:155:34:155:34 | a |
| tests.cpp:155:41:155:41 | b |
| tests.cpp:155:48:155:48 | c |
| tests.cpp:160:5:160:24 | madArg0FieldToReturn |
| tests.cpp:160:38:160:39 | mc |
| tests.cpp:161:5:161:32 | madArg0IndirectFieldToReturn |
| tests.cpp:161:47:161:48 | mc |
| tests.cpp:162:5:162:32 | madArg0FieldIndirectToReturn |
| tests.cpp:162:46:162:47 | mc |
| tests.cpp:163:13:163:32 | madArg0ToReturnField |
| tests.cpp:163:38:163:38 | x |
| tests.cpp:164:14:164:41 | madArg0ToReturnIndirectField |
| tests.cpp:164:47:164:47 | x |
| tests.cpp:165:13:165:40 | madArg0ToReturnFieldIndirect |
| tests.cpp:165:46:165:46 | x |
| tests.cpp:167:13:167:30 | madFieldToFieldVar |
| tests.cpp:168:13:168:38 | madFieldToIndirectFieldVar |
| tests.cpp:169:14:169:39 | madIndirectFieldToFieldVar |
| tests.cpp:171:6:171:19 | test_summaries |
| tests.cpp:174:6:174:6 | a |
| tests.cpp:174:9:174:9 | b |
| tests.cpp:174:12:174:12 | c |
| tests.cpp:174:15:174:15 | d |
| tests.cpp:174:18:174:18 | e |
| tests.cpp:175:7:175:11 | a_ptr |
| tests.cpp:218:14:218:16 | mc1 |
| tests.cpp:218:19:218:21 | mc2 |
| tests.cpp:237:15:237:18 | rtn1 |
| tests.cpp:240:14:240:17 | rtn2 |
| tests.cpp:241:7:241:14 | rtn2_ptr |
| tests.cpp:267:7:267:7 | operator= |
| tests.cpp:267:7:267:7 | operator= |
| tests.cpp:267:7:267:13 | MyClass |
| tests.cpp:270:6:270:26 | memberRemoteMadSource |
| tests.cpp:271:7:271:39 | memberRemoteMadSourceIndirectArg0 |
| tests.cpp:271:46:271:46 | x |
| tests.cpp:272:6:272:29 | memberRemoteMadSourceVar |
| tests.cpp:273:7:273:21 | qualifierSource |
| tests.cpp:274:7:274:26 | qualifierFieldSource |
| tests.cpp:277:7:277:23 | memberMadSinkArg0 |
| tests.cpp:277:29:277:29 | x |
| tests.cpp:278:6:278:21 | memberMadSinkVar |
| tests.cpp:279:7:279:19 | qualifierSink |
| tests.cpp:280:7:280:23 | qualifierArg0Sink |
| tests.cpp:280:29:280:29 | x |
| tests.cpp:281:7:281:24 | qualifierFieldSink |
| tests.cpp:284:7:284:19 | madArg0ToSelf |
| tests.cpp:284:25:284:25 | x |
| tests.cpp:285:6:285:20 | madSelfToReturn |
| tests.cpp:286:6:286:16 | notASummary |
| tests.cpp:287:7:287:20 | madArg0ToField |
| tests.cpp:287:26:287:26 | x |
| tests.cpp:288:6:288:21 | madFieldToReturn |
| tests.cpp:290:6:290:8 | val |
| tests.cpp:293:7:293:7 | MyDerivedClass |
| tests.cpp:293:7:293:7 | operator= |
| tests.cpp:293:7:293:7 | operator= |
| tests.cpp:293:7:293:20 | MyDerivedClass |
| tests.cpp:295:6:295:28 | subtypeRemoteMadSource1 |
| tests.cpp:296:6:296:21 | subtypeNonSource |
| tests.cpp:297:6:297:28 | subtypeRemoteMadSource2 |
| tests.cpp:300:9:300:15 | source2 |
| tests.cpp:301:6:301:9 | sink |
| tests.cpp:301:19:301:20 | mc |
| tests.cpp:304:8:304:8 | operator= |
| tests.cpp:304:8:304:8 | operator= |
| tests.cpp:304:8:304:14 | MyClass |
| tests.cpp:307:8:307:33 | namespaceMemberMadSinkArg0 |
| tests.cpp:307:39:307:39 | x |
| tests.cpp:308:15:308:46 | namespaceStaticMemberMadSinkArg0 |
| tests.cpp:308:52:308:52 | x |
| tests.cpp:309:7:309:31 | namespaceMemberMadSinkVar |
| tests.cpp:310:14:310:44 | namespaceStaticMemberMadSinkVar |
| tests.cpp:313:7:313:30 | namespaceMadSelfToReturn |
| tests.cpp:317:22:317:28 | source3 |
| tests.cpp:319:6:319:23 | test_class_members |
| tests.cpp:320:10:320:11 | mc |
| tests.cpp:320:14:320:16 | mc2 |
| tests.cpp:320:19:320:21 | mc3 |
| tests.cpp:320:24:320:26 | mc4 |
| tests.cpp:320:29:320:31 | mc5 |
| tests.cpp:320:34:320:36 | mc6 |
| tests.cpp:320:39:320:41 | mc7 |
| tests.cpp:320:44:320:46 | mc8 |
| tests.cpp:320:49:320:51 | mc9 |
| tests.cpp:320:54:320:57 | mc10 |
| tests.cpp:320:60:320:63 | mc11 |
| tests.cpp:321:11:321:13 | ptr |
| tests.cpp:321:17:321:23 | mc4_ptr |
| tests.cpp:322:17:322:19 | mdc |
| tests.cpp:323:23:323:25 | mnc |
| tests.cpp:323:28:323:31 | mnc2 |
| tests.cpp:324:24:324:31 | mnc2_ptr |
| tests.cpp:330:6:330:6 | a |
| tests.cpp:429:8:429:8 | operator= |
| tests.cpp:429:8:429:8 | operator= |
| tests.cpp:429:8:429:14 | intPair |
| tests.cpp:430:6:430:10 | first |
| tests.cpp:431:6:431:11 | second |
| tests.cpp:434:5:434:29 | madCallArg0ReturnToReturn |
| tests.cpp:434:37:434:43 | fun_ptr |
| tests.cpp:435:9:435:38 | madCallArg0ReturnToReturnFirst |
| tests.cpp:435:46:435:52 | fun_ptr |
| tests.cpp:436:6:436:25 | madCallArg0WithValue |
| tests.cpp:436:34:436:40 | fun_ptr |
| tests.cpp:436:53:436:57 | value |
| tests.cpp:437:5:437:36 | madCallReturnValueIgnoreFunction |
| tests.cpp:437:45:437:51 | fun_ptr |
| tests.cpp:437:64:437:68 | value |
| tests.cpp:439:5:439:14 | getTainted |
| tests.cpp:440:6:440:13 | useValue |
| tests.cpp:440:19:440:19 | x |
| tests.cpp:441:6:441:17 | dontUseValue |
| tests.cpp:441:23:441:23 | x |
| tests.cpp:443:6:443:27 | test_function_pointers |
| tests.cpp:456:19:456:19 | X |
| tests.cpp:457:8:457:35 | StructWithTypedefInParameter<X> |
| tests.cpp:457:8:457:35 | StructWithTypedefInParameter<int> |
| tests.cpp:458:12:458:15 | Type |
| tests.cpp:459:5:459:31 | parameter_ref_to_return_ref |
| tests.cpp:459:5:459:31 | parameter_ref_to_return_ref |
| tests.cpp:459:45:459:45 | x |
| tests.cpp:459:45:459:45 | x |
| tests.cpp:462:6:462:37 | test_parameter_ref_to_return_ref |
| tests.cpp:463:6:463:6 | x |
| tests.cpp:464:36:464:36 | s |
| tests.cpp:465:6:465:6 | y |
| tests.cpp:469:7:469:9 | INT |
| tests.cpp:471:5:471:17 | receive_array |
| tests.cpp:471:23:471:23 | a |
| tests.cpp:473:6:473:23 | test_receive_array |
| tests.cpp:474:6:474:6 | x |
| tests.cpp:475:6:475:10 | array |
| tests.cpp:476:6:476:6 | y |
flowSummaryNode
| tests.cpp:144:5:144:19 | [summary param] 0 in madArg0ToReturn | ParameterNode | madArg0ToReturn | madArg0ToReturn |
| tests.cpp:144:5:144:19 | [summary] to write: ReturnValue in madArg0ToReturn | ReturnNode | madArg0ToReturn | madArg0ToReturn |
| tests.cpp:145:6:145:28 | [summary param] 0 in madArg0ToReturnIndirect | ParameterNode | madArg0ToReturnIndirect | madArg0ToReturnIndirect |

84
cpp/ql/test/library-tests/dataflow/models-as-data/testModels.ext.yml Normal file
View File

@@ -0,0 +1,84 @@
extensions:
- addsTo:
pack: codeql/cpp-all
extensible: sourceModel
data: # namespace, type, subtypes, name, signature, ext, output, kind, provenance
- ["", "", False, "localMadSource", "", "", "ReturnValue", "local", "manual"]
- ["", "", False, "remoteMadSource", "", "", "ReturnValue", "remote", "manual"]
- ["", "", False, "localMadSourceVoid", "", "", "ReturnValue", "local", "manual"]
- ["", "", False, "localMadSourceHasBody", "", "", "ReturnValue", "local", "manual"]
- ["", "", False, "remoteMadSourceIndirect", "", "", "ReturnValue[*]", "remote", "manual"]
- ["", "", False, "remoteMadSourceDoubleIndirect", "", "", "ReturnValue[**]", "remote", "manual"]
- ["", "", False, "remoteMadSourceIndirectArg0", "", "", "Argument[*0]", "remote", "manual"]
- ["", "", False, "remoteMadSourceIndirectArg1", "", "", "Argument[*1]", "remote", "manual"]
- ["", "", False, "remoteMadSourceVar", "", "", "", "remote", "manual"]
- ["", "", False, "remoteMadSourceVarIndirect", "", "", "*", "remote", "manual"] # we can't express this source/sink correctly at present, "*" is not a valid access path
- ["", "", False, "remoteMadSourceParam0", "", "", "Parameter[0]", "remote", "manual"]
- ["MyNamespace", "", False, "namespaceLocalMadSource", "", "", "ReturnValue", "local", "manual"]
- ["MyNamespace", "", False, "namespaceLocalMadSourceVar", "", "", "", "local", "manual"]
- ["MyNamespace::MyNamespace2", "", False, "namespace2LocalMadSource", "", "", "ReturnValue", "local", "manual"]
- ["", "MyClass", True, "memberRemoteMadSource", "", "", "ReturnValue", "remote", "manual"]
- ["", "MyClass", True, "memberRemoteMadSourceIndirectArg0", "", "", "Argument[*0]", "remote", "manual"]
- ["", "MyClass", True, "memberRemoteMadSourceVar", "", "", "", "remote", "manual"]
- ["", "MyClass", True, "subtypeRemoteMadSource1", "", "", "ReturnValue", "remote", "manual"]
- ["", "MyClass", False, "subtypeNonSource", "", "", "ReturnValue", "remote", "manual"] # the tests define this in MyDerivedClass, so it should *not* be recongized as a source
- ["", "MyClass", True, "qualifierSource", "", "", "Argument[-1]", "remote", "manual"]
- ["", "MyClass", True, "qualifierFieldSource", "", "", "Argument[-1].val", "remote", "manual"]
- ["", "MyDerivedClass", False, "subtypeRemoteMadSource2", "", "", "ReturnValue", "remote", "manual"]
- addsTo:
pack: codeql/cpp-all
extensible: sinkModel
data: # namespace, type, subtypes, name, signature, ext, input, kind, provenance
- ["", "", False, "madSinkArg0", "", "", "Argument[0]", "test-sink", "manual"]
- ["", "", False, "madSinkArg1", "", "", "Argument[1]", "test-sink", "manual"]
- ["", "", False, "madSinkArg01", "", "", "Argument[0..1]", "test-sink", "manual"]
- ["", "", False, "madSinkArg02", "", "", "Argument[0,2]", "test-sink", "manual"]
- ["", "", False, "madSinkIndirectArg0", "", "", "Argument[*0]", "test-sink", "manual"]
- ["", "", False, "madSinkDoubleIndirectArg0", "", "", "Argument[**0]", "test-sink", "manual"]
- ["", "", False, "madSinkVar", "", "", "", "test-sink", "manual"]
- ["", "", False, "madSinkVarIndirect", "", "", "*", "test-sink", "manual"] # we can't express this source/sink correctly at present, "*" is not a valid access path
- ["", "", False, "madSinkParam0", "", "", "Parameter[0]", "test-sink", "manual"]
- ["", "MyClass", True, "memberMadSinkArg0", "", "", "Argument[0]", "test-sink", "manual"]
- ["", "MyClass", True, "memberMadSinkVar", "", "", "", "test-sink", "manual"]
- ["", "MyClass", True, "qualifierSink", "", "", "Argument[-1]", "test-sink", "manual"]
- ["", "MyClass", True, "qualifierArg0Sink", "", "", "Argument[-1..0]", "test-sink", "manual"]
- ["", "MyClass", True, "qualifierFieldSink", "", "", "Argument[-1].val", "test-sink", "manual"]
- ["MyNamespace", "MyClass", True, "namespaceMemberMadSinkArg0", "", "", "Argument[0]", "test-sink", "manual"]
- ["MyNamespace", "MyClass", True, "namespaceStaticMemberMadSinkArg0", "", "", "Argument[0]", "test-sink", "manual"]
- ["MyNamespace", "MyClass", True, "namespaceMemberMadSinkVar", "", "", "", "test-sink", "manual"]
- ["MyNamespace", "MyClass", True, "namespaceStaticMemberMadSinkVar", "", "", "", "test-sink", "manual"]
- addsTo:
pack: codeql/cpp-all
extensible: summaryModel
data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
- ["", "", False, "madArg0ToReturn", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["", "", False, "madArg0ToReturnIndirect", "", "", "Argument[0]", "ReturnValue[*]", "taint", "manual"]
- ["", "", False, "madArg0ToReturnValueFlow", "", "", "Argument[0]", "ReturnValue", "value", "manual"]
- ["", "", False, "madArg0IndirectToReturn", "", "", "Argument[*0]", "ReturnValue", "taint", "manual"]
- ["", "", False, "madArg0DoubleIndirectToReturn", "", "", "Argument[**0]", "ReturnValue", "taint", "manual"]
- ["", "", False, "madArg0NotIndirectToReturn", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["", "", False, "madArg0ToArg1Indirect", "", "", "Argument[0]", "Argument[*1]", "taint", "manual"]
- ["", "", False, "madArg0IndirectToArg1Indirect", "", "", "Argument[*0]", "Argument[*1]", "taint", "manual"]
- ["", "", False, "madArgsComplex", "", "", "Argument[*0..1,2]", "ReturnValue", "taint", "manual"]
- ["", "", False, "madAndImplementedComplex", "", "", "Argument[2]", "ReturnValue", "taint", "manual"]
- ["", "", False, "madArgsAny", "", "", "Argument", "ReturnValue", "taint", "manual"] # we can't express this source/sink correctly at present, "Argument" is not a valid input
- ["", "", False, "madArg0FieldToReturn", "", "", "Argument[0].Field[value]", "ReturnValue", "taint", "manual"]
- ["", "", False, "madArg0IndirectFieldToReturn", "", "", "Argument[*0].Field[value]", "ReturnValue", "taint", "manual"]
- ["", "", False, "madArg0FieldIndirectToReturn", "", "", "Argument[0].Field[*ptr]", "ReturnValue", "taint", "manual"]
- ["", "", False, "madArg0ToReturnField", "", "", "Argument[0]", "ReturnValue.Field[value]", "taint", "manual"]
- ["", "", False, "madArg0ToReturnIndirectField", "", "", "Argument[0]", "ReturnValue[*].Field[value]", "taint", "manual"]
- ["", "", False, "madArg0ToReturnFieldIndirect", "", "", "Argument[0]", "ReturnValue.Field[*ptr]", "taint", "manual"]
- ["", "", False, "madFieldToFieldVar", "", "", "Field[value]", "Field[value2]", "taint", "manual"] # we can't express this source/sink correctly at present, "Field[value]" is not a valid input and "Field[value2]" is not a valid output
- ["", "", False, "madFieldToIndirectFieldVar", "", "", "Field[value]", "Field[*ptr]", "taint", "manual"] # we can't express this source/sink correctly at present, "Field[value]" is not a valid input and "Field[*ptr]" is not a valid output
- ["", "", False, "madIndirectFieldToFieldVar", "", "", "Field[value]", "Field[value2]", "taint", "manual"] # we can't express this source/sink correctly at present, "Field[value]" is not a valid input and "Field[value2]" is not a valid output
- ["", "MyClass", True, "madArg0ToSelf", "", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
- ["", "MyClass", True, "madSelfToReturn", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
- ["", "MyClass", True, "madArg0ToField", "", "", "Argument[0]", "Argument[-1].Field[val]", "taint", "manual"]
- ["", "MyClass", True, "madFieldToReturn", "", "", "Argument[-1].Field[val]", "ReturnValue", "taint", "manual"]
- ["MyNamespace", "MyClass", True, "namespaceMadSelfToReturn", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
- ["", "", False, "madCallArg0ReturnToReturn", "", "", "Argument[0].ReturnValue", "ReturnValue", "value", "manual"]
- ["", "", False, "madCallArg0ReturnToReturnFirst", "", "", "Argument[0].ReturnValue", "ReturnValue.Field[first]", "value", "manual"]
- ["", "", False, "madCallArg0WithValue", "", "", "Argument[1]", "Argument[0].Parameter[0]", "value", "manual"]
- ["", "", False, "madCallReturnValueIgnoreFunction", "", "", "Argument[1]", "ReturnValue", "value", "manual"]
- ["", "StructWithTypedefInParameter<T>", True, "parameter_ref_to_return_ref", "(const T &)", "", "Argument[*0]", "ReturnValue[*]", "value", "manual"]
- ["", "", False, "receive_array", "(int[20])", "", "Argument[*0]", "ReturnValue", "taint", "manual"]

74
cpp/ql/test/library-tests/dataflow/models-as-data/testModels.ql Normal file
View File

@@ -0,0 +1,74 @@
import semmle.code.cpp.ir.dataflow.internal.DataFlowImplConsistency::Consistency
import semmle.code.cpp.ir.dataflow.internal.DataFlowNodes
import semmle.code.cpp.ir.dataflow.internal.DataFlowPrivate
import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
import semmle.code.cpp.security.FlowSources
import utils.test.dataflow.FlowTestCommon
module InterpretElementTest implements TestSig {
string getARelevantTag() { result = "interpretElement" }
predicate hasActualResult(Location location, string element, string tag, string value) {
exists(Element e |
e = interpretElement(_, _, _, _, _, _) and
location = e.getLocation() and
element = e.toString() and
tag = "interpretElement" and
value = ""
)
}
}
query predicate summaryCalls(SummaryCall c) { any() }
query predicate summarizedCallables(SummarizedCallable c) { any() }
query predicate sourceCallables(SourceCallable c) { c.getLocation().getFile().toString() != "" }
module IRTest {
private import semmle.code.cpp.ir.IR
private import semmle.code.cpp.ir.dataflow.TaintTracking
/** Common data flow configuration to be used by tests. */
module TestAllocationConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) {
source instanceof FlowSource
or
source.asExpr().(FunctionCall).getTarget().getName() =
["source", "source2", "source3", "sourcePtr"]
or
source.asIndirectExpr(1).(FunctionCall).getTarget().getName() = "sourceIndirect"
}
predicate isSink(DataFlow::Node sink) {
sinkNode(sink, "test-sink")
or
exists(FunctionCall call |
call.getTarget().getName() = "sink" and
sink.asExpr() = call.getAnArgument()
)
}
}
module IRFlow = TaintTracking::Global<TestAllocationConfig>;
}
import MakeTest<MergeTests<IRFlowTest<IRTest::IRFlow>, InterpretElementTest>>
string describe(DataFlow::Node n) {
n instanceof ParameterNode and result = "ParameterNode"
or
n instanceof PostUpdateNode and result = "PostUpdateNode"
or
n instanceof ArgumentNode and result = "ArgumentNode"
or
n instanceof ReturnNode and result = "ReturnNode"
or
n instanceof OutNode and result = "OutNode"
}
query predicate flowSummaryNode(FlowSummaryNode n, string str1, string str2, string str3) {
str1 = concat(describe(n), ", ") and
str2 = concat(n.getSummarizedCallable().toString(), ", ") and
str3 = concat(n.getEnclosingCallable().toString(), ", ")
}

105
cpp/ql/test/library-tests/dataflow/models-as-data/testModels.qll
View File

@@ -1,105 +0,0 @@
import semmle.code.cpp.security.FlowSources
/**
* Models-as-data source models for this test.
*/
private class TestSources extends SourceModelCsv {
override predicate row(string row) {
row =
[
";;false;localMadSource;;;ReturnValue;local",
";;false;remoteMadSource;;;ReturnValue;remote",
";;false;localMadSourceVoid;;;ReturnValue;local",
";;false;localMadSourceHasBody;;;ReturnValue;local",
";;false;remoteMadSourceIndirect;;;ReturnValue[*];remote",
";;false;remoteMadSourceDoubleIndirect;;;ReturnValue[**];remote",
";;false;remoteMadSourceIndirectArg0;;;Argument[*0];remote",
";;false;remoteMadSourceIndirectArg1;;;Argument[*1];remote",
";;false;remoteMadSourceVar;;;;remote",
";;false;remoteMadSourceVarIndirect;;;*;remote", // not correctly expressed
";;false;remoteMadSourceParam0;;;Parameter[0];remote",
"MyNamespace;;false;namespaceLocalMadSource;;;ReturnValue;local",
"MyNamespace;;false;namespaceLocalMadSourceVar;;;;local",
"MyNamespace::MyNamespace2;;false;namespace2LocalMadSource;;;ReturnValue;local",
";MyClass;true;memberRemoteMadSource;;;ReturnValue;remote",
";MyClass;true;memberRemoteMadSourceIndirectArg0;;;Argument[*0];remote",
";MyClass;true;memberRemoteMadSourceVar;;;;remote",
";MyClass;true;subtypeRemoteMadSource1;;;ReturnValue;remote",
";MyClass;false;subtypeNonSource;;;ReturnValue;remote", // the tests define this in MyDerivedClass, so it should *not* be recongized as a source
";MyClass;true;qualifierSource;;;Argument[-1];remote",
";MyClass;true;qualifierFieldSource;;;Argument[-1].val;remote",
";MyDerivedClass;false;subtypeRemoteMadSource2;;;ReturnValue;remote",
]
}
}
/**
* Models-as-data sink models for this test.
*/
private class TestSinks extends SinkModelCsv {
override predicate row(string row) {
row =
[
";;false;madSinkArg0;;;Argument[0];test-sink",
";;false;madSinkArg1;;;Argument[1];test-sink",
";;false;madSinkArg01;;;Argument[0..1];test-sink",
";;false;madSinkArg02;;;Argument[0,2];test-sink",
";;false;madSinkIndirectArg0;;;Argument[*0];test-sink",
";;false;madSinkDoubleIndirectArg0;;;Argument[**0];test-sink",
";;false;madSinkVar;;;;test-sink",
";;false;madSinkVarIndirect;;;*;test-sink", // not correctly expressed
";;false;madSinkParam0;;;Parameter[0];test-sink",
";MyClass;true;memberMadSinkArg0;;;Argument[0];test-sink",
";MyClass;true;memberMadSinkVar;;;;test-sink",
";MyClass;true;qualifierSink;;;Argument[-1];test-sink",
";MyClass;true;qualifierArg0Sink;;;Argument[-1..0];test-sink",
";MyClass;true;qualifierFieldSink;;;Argument[-1].val;test-sink",
"MyNamespace;MyClass;true;namespaceMemberMadSinkArg0;;;Argument[0];test-sink",
"MyNamespace;MyClass;true;namespaceStaticMemberMadSinkArg0;;;Argument[0];test-sink",
"MyNamespace;MyClass;true;namespaceMemberMadSinkVar;;;;test-sink",
"MyNamespace;MyClass;true;namespaceStaticMemberMadSinkVar;;;;test-sink",
]
}
}
/**
* Models-as-data summary models for this test.
*/
private class TestSummaries extends SummaryModelCsv {
override predicate row(string row) {
row =
[
";;false;madArg0ToReturn;;;Argument[0];ReturnValue;taint",
";;false;madArg0ToReturnIndirect;;;Argument[0];ReturnValue[*];taint",
";;false;madArg0ToReturnValueFlow;;;Argument[0];ReturnValue;value",
";;false;madArg0IndirectToReturn;;;Argument[*0];ReturnValue;taint",
";;false;madArg0DoubleIndirectToReturn;;;Argument[**0];ReturnValue;taint",
";;false;madArg0NotIndirectToReturn;;;Argument[0];ReturnValue;taint",
";;false;madArg0ToArg1Indirect;;;Argument[0];Argument[*1];taint",
";;false;madArg0IndirectToArg1Indirect;;;Argument[*0];Argument[*1];taint",
";;false;madArgsComplex;;;Argument[*0..1,2];ReturnValue;taint",
";;false;madAndImplementedComplex;;;Argument[2];ReturnValue;taint",
";;false;madArgsAny;;;Argument;ReturnValue;taint", // (syntax not supported)
";;false;madArg0FieldToReturn;;;Argument[0].Field[value];ReturnValue;taint",
";;false;madArg0IndirectFieldToReturn;;;Argument[*0].Field[value];ReturnValue;taint",
";;false;madArg0FieldIndirectToReturn;;;Argument[0].Field[*ptr];ReturnValue;taint",
";;false;madArg0ToReturnField;;;Argument[0];ReturnValue.Field[value];taint",
";;false;madArg0ToReturnIndirectField;;;Argument[0];ReturnValue[*].Field[value];taint",
";;false;madArg0ToReturnFieldIndirect;;;Argument[0];ReturnValue.Field[*ptr];taint",
";;false;madFieldToFieldVar;;;Field[value];Field[value2];taint",
";;false;madFieldToIndirectFieldVar;;;Field[value];Field[*ptr];taint",
";;false;madIndirectFieldToFieldVar;;;;Field[value];Field[value2];taint", // not correctly expressed
";MyClass;true;madArg0ToSelf;;;Argument[0];Argument[-1];taint",
";MyClass;true;madSelfToReturn;;;Argument[-1];ReturnValue;taint",
";MyClass;true;madArg0ToField;;;Argument[0];Argument[-1].Field[val];taint",
";MyClass;true;madFieldToReturn;;;Argument[-1].Field[val];ReturnValue;taint",
"MyNamespace;MyClass;true;namespaceMadSelfToReturn;;;Argument[-1];ReturnValue;taint",
";;false;madCallArg0ReturnToReturn;;;Argument[0].ReturnValue;ReturnValue;value",
";;false;madCallArg0ReturnToReturnFirst;;;Argument[0].ReturnValue;ReturnValue.Field[first];value",
";;false;madCallArg0WithValue;;;Argument[1];Argument[0].Parameter[0];value",
";;false;madCallReturnValueIgnoreFunction;;;Argument[1];ReturnValue;value",
";StructWithTypedefInParameter<T>;true;parameter_ref_to_return_ref;(const T &);;Argument[*0];ReturnValue[*];value",
";;false;receive_array;(int[20]);;Argument[*0];ReturnValue;taint"
]
}
}

28
cpp/ql/test/query-tests/Likely Bugs/Arithmetic/IntMultToLong/Buildless.c Normal file
View File

@@ -0,0 +1,28 @@
// semmle-extractor-options: --expect_errors
void test_float_double1(float f, double d) {
float r1 = f * f; // GOOD
float r2 = f * d; // GOOD
double r3 = f * f; // BAD
double r4 = f * d; // GOOD
float f1 = fabsf(f * f); // GOOD
float f2 = fabsf(f * d); // GOOD
double f3 = fabs(f * f); // BAD [NOT DETECTED]
double f4 = fabs(f * d); // GOOD
}
double fabs(double f);
float fabsf(float f);
void test_float_double2(float f, double d) {
float r1 = f * f; // GOOD
float r2 = f * d; // GOOD
double r3 = f * f; // BAD
double r4 = f * d; // GOOD
float f1 = fabsf(f * f); // GOOD
float f2 = fabsf(f * d); // GOOD
double f3 = fabs(f * f); // BAD [NOT DETECTED]
double f4 = fabs(f * d); // GOOD
}

2
cpp/ql/test/query-tests/Likely Bugs/Arithmetic/IntMultToLong/IntMultToLong.expected
View File

@@ -1,3 +1,5 @@
| Buildless.c:6:17:6:21 | ... * ... | Multiplication result may overflow 'float' before it is converted to 'double'. |
| Buildless.c:21:17:21:21 | ... * ... | Multiplication result may overflow 'float' before it is converted to 'double'. |
| IntMultToLong.c:4:10:4:14 | ... * ... | Multiplication result may overflow 'int' before it is converted to 'long long'. |
| IntMultToLong.c:7:16:7:20 | ... * ... | Multiplication result may overflow 'int' before it is converted to 'long long'. |
| IntMultToLong.c:18:19:18:23 | ... * ... | Multiplication result may overflow 'float' before it is converted to 'double'. |

2
cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/WrongTypeFormatArguments.expected
View File

@@ -1 +1,3 @@
| second.cpp:26:18:26:39 | ... - ... | This format specifier for type 'int' does not match the argument type 'long'. |
| second.cpp:29:18:29:39 | ... - ... | This format specifier for type 'unsigned int' does not match the argument type 'long'. |
| tests.c:7:18:7:18 | 1 | This format specifier for type 'char *' does not match the argument type 'int'. |

3
cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/first.cpp Normal file
View File

@@ -0,0 +1,3 @@
// defines type size_t plausibly
typedef unsigned long size_t;

32
cpp/ql/test/query-tests/Likely Bugs/Format/WrongTypeFormatArguments/Buildless/second.cpp Normal file
View File

@@ -0,0 +1,32 @@
// semmle-extractor-options: --expect_errors
int printf(const char * format, ...);
// defines type `myFunctionPointerType`, referencing `size_t`
typedef size_t (*myFunctionPointerType) ();
void test_size_t() {
size_t s = 0;
printf("%zd", s); // GOOD
printf("%zi", s); // GOOD
printf("%zu", s); // GOOD (we generally permit signedness changes)
printf("%zx", s); // GOOD (we generally permit signedness changes)
printf("%d", s); // BAD [NOT DETECTED]
printf("%ld", s); // DUBIOUS [NOT DETECTED]
printf("%lld", s); // DUBIOUS [NOT DETECTED]
printf("%u", s); // BAD [NOT DETECTED]
char buffer[1024];
printf("%zd", &buffer[1023] - buffer); // GOOD
printf("%zi", &buffer[1023] - buffer); // GOOD
printf("%zu", &buffer[1023] - buffer); // GOOD
printf("%zx", &buffer[1023] - buffer); // GOOD
printf("%d", &buffer[1023] - buffer); // BAD
printf("%ld", &buffer[1023] - buffer); // DUBIOUS [NOT DETECTED]
printf("%lld", &buffer[1023] - buffer); // DUBIOUS [NOT DETECTED]
printf("%u", &buffer[1023] - buffer); // BAD
// (for the `%ld` and `%lld` cases, the signedness and type sizes match, `%zd` would be most correct
// and robust but the developer may know enough to make this safe)
}

2
cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/SuspiciousAddWithSizeof/SuspiciousAddWithSizeof.expected
View File

@@ -1,3 +1,5 @@
| buildless.cpp:5:15:5:25 | sizeof(int) | Suspicious sizeof offset in a pointer arithmetic expression. The type of the pointer is $@. | file://:0:0:0:0 | const short * | const short * |
| buildless.cpp:6:13:6:23 | sizeof(int) | Suspicious sizeof offset in a pointer arithmetic expression. The type of the pointer is $@. | file://:0:0:0:0 | const int * | const int * |
| test.cpp:6:30:6:40 | sizeof(int) | Suspicious sizeof offset in a pointer arithmetic expression. The type of the pointer is $@. | file://:0:0:0:0 | int * | int * |
| test.cpp:14:30:14:40 | sizeof(int) | Suspicious sizeof offset in a pointer arithmetic expression. The type of the pointer is $@. | file://:0:0:0:0 | int * | int * |
| test.cpp:22:25:22:35 | sizeof(int) | Suspicious sizeof offset in a pointer arithmetic expression. The type of the pointer is $@. | file://:0:0:0:0 | int * | int * |

10
cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/SuspiciousAddWithSizeof/buildless.cpp Normal file
View File

@@ -0,0 +1,10 @@
// semmle-extractor-options: --expect_errors
void test_buildless(const char *p_c, const short *p_short, const int *p_int, const uint8_t *p_8, const uint16_t *p_16, const uint32_t *p_32) {
*(p_c + sizeof(int)); // GOOD (`sizeof(char)` is 1)
*(p_short + sizeof(int)); // BAD
*(p_int + sizeof(int)); // BAD
*(p_8 + sizeof(int)); // GOOD (`sizeof(uint8_t)` is 1, but there's an error in the type)
*(p_16 + sizeof(int)); // BAD [NOT DETECTED]
*(p_32 + sizeof(int)); // BAD [NOT DETECTED]
}

6
cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/SuspiciousAddWithSizeof/test.cpp
View File

@@ -93,3 +93,9 @@ private:
myChar * const myCharsPointer;
myInt * const myIntsPointer;
};
typedef unsigned char uint8_t;
typedef unsigned short uint16_t;
typedef unsigned int uint32_t;
void test_buildless(const char *p_c, const short *p_short, const int *p_int, const uint8_t *p_8, const uint16_t *p_16, const uint32_t *p_32);

61
cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/ExposedSystemData.expected
View File

@@ -1,3 +1,24 @@
#select
| tests2.cpp:63:13:63:26 | *call to getenv | tests2.cpp:63:13:63:26 | *call to getenv | tests2.cpp:63:13:63:26 | *call to getenv | This operation exposes system data from $@. | tests2.cpp:63:13:63:26 | *call to getenv | *call to getenv |
| tests2.cpp:64:13:64:26 | *call to getenv | tests2.cpp:64:13:64:26 | *call to getenv | tests2.cpp:64:13:64:26 | *call to getenv | This operation exposes system data from $@. | tests2.cpp:64:13:64:26 | *call to getenv | *call to getenv |
| tests2.cpp:65:13:65:30 | *call to getenv | tests2.cpp:65:13:65:30 | *call to getenv | tests2.cpp:65:13:65:30 | *call to getenv | This operation exposes system data from $@. | tests2.cpp:65:13:65:30 | *call to getenv | *call to getenv |
| tests2.cpp:66:13:66:34 | *call to getenv | tests2.cpp:66:13:66:34 | *call to getenv | tests2.cpp:66:13:66:34 | *call to getenv | This operation exposes system data from $@. | tests2.cpp:66:13:66:34 | *call to getenv | *call to getenv |
| tests2.cpp:80:14:80:34 | *call to mysql_get_client_info | tests2.cpp:80:14:80:34 | *call to mysql_get_client_info | tests2.cpp:80:14:80:34 | *call to mysql_get_client_info | This operation exposes system data from $@. | tests2.cpp:80:14:80:34 | *call to mysql_get_client_info | *call to mysql_get_client_info |
| tests2.cpp:81:14:81:19 | *buffer | tests2.cpp:78:18:78:38 | *call to mysql_get_client_info | tests2.cpp:81:14:81:19 | *buffer | This operation exposes system data from $@. | tests2.cpp:78:18:78:38 | *call to mysql_get_client_info | *call to mysql_get_client_info |
| tests2.cpp:82:14:82:20 | *global1 | tests2.cpp:50:23:50:43 | *call to mysql_get_client_info | tests2.cpp:82:14:82:20 | *global1 | This operation exposes system data from $@. | tests2.cpp:50:23:50:43 | *call to mysql_get_client_info | *call to mysql_get_client_info |
| tests2.cpp:93:14:93:17 | *str1 | tests2.cpp:91:42:91:45 | *str1 | tests2.cpp:93:14:93:17 | *str1 | This operation exposes system data from $@. | tests2.cpp:91:42:91:45 | *str1 | *str1 |
| tests2.cpp:102:14:102:15 | *pw | tests2.cpp:101:8:101:15 | *call to getpwuid | tests2.cpp:102:14:102:15 | *pw | This operation exposes system data from $@. | tests2.cpp:101:8:101:15 | *call to getpwuid | *call to getpwuid |
| tests2.cpp:111:14:111:19 | *ptr | tests2.cpp:109:12:109:17 | *call to getenv | tests2.cpp:111:14:111:19 | *ptr | This operation exposes system data from $@. | tests2.cpp:109:12:109:17 | *call to getenv | *call to getenv |
| tests2.cpp:138:23:138:34 | *message_data | tests2.cpp:134:17:134:22 | *call to getenv | tests2.cpp:138:23:138:34 | *message_data | This operation exposes system data from $@. | tests2.cpp:134:17:134:22 | *call to getenv | *call to getenv |
| tests2.cpp:144:33:144:40 | *& ... | tests2.cpp:134:17:134:22 | *call to getenv | tests2.cpp:144:33:144:40 | *& ... | This operation exposes system data from $@. | tests2.cpp:134:17:134:22 | *call to getenv | *call to getenv |
| tests2.cpp:147:20:147:27 | *& ... | tests2.cpp:134:17:134:22 | *call to getenv | tests2.cpp:147:20:147:27 | *& ... | This operation exposes system data from $@. | tests2.cpp:134:17:134:22 | *call to getenv | *call to getenv |
| tests2.cpp:155:32:155:39 | *& ... | tests2.cpp:134:17:134:22 | *call to getenv | tests2.cpp:155:32:155:39 | *& ... | This operation exposes system data from $@. | tests2.cpp:134:17:134:22 | *call to getenv | *call to getenv |
| tests2.cpp:158:20:158:27 | *& ... | tests2.cpp:134:17:134:22 | *call to getenv | tests2.cpp:158:20:158:27 | *& ... | This operation exposes system data from $@. | tests2.cpp:134:17:134:22 | *call to getenv | *call to getenv |
| tests_sockets.cpp:39:19:39:22 | *path | tests_sockets.cpp:26:15:26:20 | *call to getenv | tests_sockets.cpp:39:19:39:22 | *path | This operation exposes system data from $@. | tests_sockets.cpp:26:15:26:20 | *call to getenv | *call to getenv |
| tests_sockets.cpp:43:20:43:23 | *path | tests_sockets.cpp:26:15:26:20 | *call to getenv | tests_sockets.cpp:43:20:43:23 | *path | This operation exposes system data from $@. | tests_sockets.cpp:26:15:26:20 | *call to getenv | *call to getenv |
| tests_sockets.cpp:76:19:76:22 | *path | tests_sockets.cpp:63:15:63:20 | *call to getenv | tests_sockets.cpp:76:19:76:22 | *path | This operation exposes system data from $@. | tests_sockets.cpp:63:15:63:20 | *call to getenv | *call to getenv |
| tests_sockets.cpp:80:20:80:23 | *path | tests_sockets.cpp:63:15:63:20 | *call to getenv | tests_sockets.cpp:80:20:80:23 | *path | This operation exposes system data from $@. | tests_sockets.cpp:63:15:63:20 | *call to getenv | *call to getenv |
| tests_sysconf.cpp:39:19:39:25 | *pathbuf | tests_sysconf.cpp:36:21:36:27 | confstr output argument | tests_sysconf.cpp:39:19:39:25 | *pathbuf | This operation exposes system data from $@. | tests_sysconf.cpp:36:21:36:27 | confstr output argument | confstr output argument |
edges
| tests2.cpp:50:13:50:19 | **global1 | tests2.cpp:82:14:82:20 | *global1 | provenance | |
| tests2.cpp:50:23:50:43 | *call to mysql_get_client_info | tests2.cpp:50:13:50:19 | **global1 | provenance | |
@@ -12,16 +33,16 @@ edges
| tests2.cpp:111:14:111:15 | *c1 [*ptr] | tests2.cpp:111:14:111:19 | *ptr | provenance | |
| tests2.cpp:111:14:111:15 | *c1 [*ptr] | tests2.cpp:111:17:111:19 | *ptr | provenance | |
| tests2.cpp:111:17:111:19 | *ptr | tests2.cpp:111:14:111:19 | *ptr | provenance | |
| tests2.cpp:120:5:120:21 | [summary param] *1 in zmq_msg_init_data | tests2.cpp:120:5:120:21 | [summary param] *0 in zmq_msg_init_data [Return] | provenance | |
| tests2.cpp:134:2:134:30 | *... = ... | tests2.cpp:138:23:138:34 | *message_data | provenance | |
| tests2.cpp:120:5:120:21 | [summary param] *1 in zmq_msg_init_data | tests2.cpp:120:5:120:21 | [summary param] *0 in zmq_msg_init_data [Return] | provenance | MaD:4 |
| tests2.cpp:134:2:134:30 | *... = ... | tests2.cpp:138:23:138:34 | *message_data | provenance | Sink:MaD:2 |
| tests2.cpp:134:2:134:30 | *... = ... | tests2.cpp:143:34:143:45 | *message_data | provenance | |
| tests2.cpp:134:17:134:22 | *call to getenv | tests2.cpp:134:2:134:30 | *... = ... | provenance | |
| tests2.cpp:143:24:143:31 | zmq_msg_init_data output argument | tests2.cpp:144:33:144:40 | *& ... | provenance | |
| tests2.cpp:143:24:143:31 | zmq_msg_init_data output argument | tests2.cpp:147:20:147:27 | *& ... | provenance | |
| tests2.cpp:143:24:143:31 | zmq_msg_init_data output argument | tests2.cpp:155:32:155:39 | *& ... | provenance | |
| tests2.cpp:143:24:143:31 | zmq_msg_init_data output argument | tests2.cpp:158:20:158:27 | *& ... | provenance | |
| tests2.cpp:143:24:143:31 | zmq_msg_init_data output argument | tests2.cpp:144:33:144:40 | *& ... | provenance | Sink:MaD:3 |
| tests2.cpp:143:24:143:31 | zmq_msg_init_data output argument | tests2.cpp:147:20:147:27 | *& ... | provenance | Sink:MaD:1 |
| tests2.cpp:143:24:143:31 | zmq_msg_init_data output argument | tests2.cpp:155:32:155:39 | *& ... | provenance | Sink:MaD:3 |
| tests2.cpp:143:24:143:31 | zmq_msg_init_data output argument | tests2.cpp:158:20:158:27 | *& ... | provenance | Sink:MaD:1 |
| tests2.cpp:143:34:143:45 | *message_data | tests2.cpp:120:5:120:21 | [summary param] *1 in zmq_msg_init_data | provenance | |
| tests2.cpp:143:34:143:45 | *message_data | tests2.cpp:143:24:143:31 | zmq_msg_init_data output argument | provenance | |
| tests2.cpp:143:34:143:45 | *message_data | tests2.cpp:143:24:143:31 | zmq_msg_init_data output argument | provenance | MaD:4 |
| tests_sockets.cpp:26:15:26:20 | *call to getenv | tests_sockets.cpp:26:15:26:20 | *call to getenv | provenance | |
| tests_sockets.cpp:26:15:26:20 | *call to getenv | tests_sockets.cpp:39:19:39:22 | *path | provenance | |
| tests_sockets.cpp:26:15:26:20 | *call to getenv | tests_sockets.cpp:43:20:43:23 | *path | provenance | |
@@ -29,6 +50,11 @@ edges
| tests_sockets.cpp:63:15:63:20 | *call to getenv | tests_sockets.cpp:76:19:76:22 | *path | provenance | |
| tests_sockets.cpp:63:15:63:20 | *call to getenv | tests_sockets.cpp:80:20:80:23 | *path | provenance | |
| tests_sysconf.cpp:36:21:36:27 | confstr output argument | tests_sysconf.cpp:39:19:39:25 | *pathbuf | provenance | |
models
| 1 | Sink: ; ; false; zmq_msg_send; ; ; Argument[*0]; remote-sink; manual |
| 2 | Sink: ; ; false; zmq_send; ; ; Argument[*1]; remote-sink; manual |
| 3 | Sink: ; ; false; zmq_sendmsg; ; ; Argument[*1]; remote-sink; manual |
| 4 | Summary: ; ; false; zmq_msg_init_data; ; ; Argument[*1]; Argument[*0]; taint; manual |
nodes
| tests2.cpp:50:13:50:19 | **global1 | semmle.label | **global1 |
| tests2.cpp:50:23:50:43 | *call to mysql_get_client_info | semmle.label | *call to mysql_get_client_info |
@@ -75,24 +101,3 @@ nodes
| tests_sysconf.cpp:39:19:39:25 | *pathbuf | semmle.label | *pathbuf |
subpaths
| tests2.cpp:143:34:143:45 | *message_data | tests2.cpp:120:5:120:21 | [summary param] *1 in zmq_msg_init_data | tests2.cpp:120:5:120:21 | [summary param] *0 in zmq_msg_init_data [Return] | tests2.cpp:143:24:143:31 | zmq_msg_init_data output argument |
#select
| tests2.cpp:63:13:63:26 | *call to getenv | tests2.cpp:63:13:63:26 | *call to getenv | tests2.cpp:63:13:63:26 | *call to getenv | This operation exposes system data from $@. | tests2.cpp:63:13:63:26 | *call to getenv | *call to getenv |
| tests2.cpp:64:13:64:26 | *call to getenv | tests2.cpp:64:13:64:26 | *call to getenv | tests2.cpp:64:13:64:26 | *call to getenv | This operation exposes system data from $@. | tests2.cpp:64:13:64:26 | *call to getenv | *call to getenv |
| tests2.cpp:65:13:65:30 | *call to getenv | tests2.cpp:65:13:65:30 | *call to getenv | tests2.cpp:65:13:65:30 | *call to getenv | This operation exposes system data from $@. | tests2.cpp:65:13:65:30 | *call to getenv | *call to getenv |
| tests2.cpp:66:13:66:34 | *call to getenv | tests2.cpp:66:13:66:34 | *call to getenv | tests2.cpp:66:13:66:34 | *call to getenv | This operation exposes system data from $@. | tests2.cpp:66:13:66:34 | *call to getenv | *call to getenv |
| tests2.cpp:80:14:80:34 | *call to mysql_get_client_info | tests2.cpp:80:14:80:34 | *call to mysql_get_client_info | tests2.cpp:80:14:80:34 | *call to mysql_get_client_info | This operation exposes system data from $@. | tests2.cpp:80:14:80:34 | *call to mysql_get_client_info | *call to mysql_get_client_info |
| tests2.cpp:81:14:81:19 | *buffer | tests2.cpp:78:18:78:38 | *call to mysql_get_client_info | tests2.cpp:81:14:81:19 | *buffer | This operation exposes system data from $@. | tests2.cpp:78:18:78:38 | *call to mysql_get_client_info | *call to mysql_get_client_info |
| tests2.cpp:82:14:82:20 | *global1 | tests2.cpp:50:23:50:43 | *call to mysql_get_client_info | tests2.cpp:82:14:82:20 | *global1 | This operation exposes system data from $@. | tests2.cpp:50:23:50:43 | *call to mysql_get_client_info | *call to mysql_get_client_info |
| tests2.cpp:93:14:93:17 | *str1 | tests2.cpp:91:42:91:45 | *str1 | tests2.cpp:93:14:93:17 | *str1 | This operation exposes system data from $@. | tests2.cpp:91:42:91:45 | *str1 | *str1 |
| tests2.cpp:102:14:102:15 | *pw | tests2.cpp:101:8:101:15 | *call to getpwuid | tests2.cpp:102:14:102:15 | *pw | This operation exposes system data from $@. | tests2.cpp:101:8:101:15 | *call to getpwuid | *call to getpwuid |
| tests2.cpp:111:14:111:19 | *ptr | tests2.cpp:109:12:109:17 | *call to getenv | tests2.cpp:111:14:111:19 | *ptr | This operation exposes system data from $@. | tests2.cpp:109:12:109:17 | *call to getenv | *call to getenv |
| tests2.cpp:138:23:138:34 | *message_data | tests2.cpp:134:17:134:22 | *call to getenv | tests2.cpp:138:23:138:34 | *message_data | This operation exposes system data from $@. | tests2.cpp:134:17:134:22 | *call to getenv | *call to getenv |
| tests2.cpp:144:33:144:40 | *& ... | tests2.cpp:134:17:134:22 | *call to getenv | tests2.cpp:144:33:144:40 | *& ... | This operation exposes system data from $@. | tests2.cpp:134:17:134:22 | *call to getenv | *call to getenv |
| tests2.cpp:147:20:147:27 | *& ... | tests2.cpp:134:17:134:22 | *call to getenv | tests2.cpp:147:20:147:27 | *& ... | This operation exposes system data from $@. | tests2.cpp:134:17:134:22 | *call to getenv | *call to getenv |
| tests2.cpp:155:32:155:39 | *& ... | tests2.cpp:134:17:134:22 | *call to getenv | tests2.cpp:155:32:155:39 | *& ... | This operation exposes system data from $@. | tests2.cpp:134:17:134:22 | *call to getenv | *call to getenv |
| tests2.cpp:158:20:158:27 | *& ... | tests2.cpp:134:17:134:22 | *call to getenv | tests2.cpp:158:20:158:27 | *& ... | This operation exposes system data from $@. | tests2.cpp:134:17:134:22 | *call to getenv | *call to getenv |
| tests_sockets.cpp:39:19:39:22 | *path | tests_sockets.cpp:26:15:26:20 | *call to getenv | tests_sockets.cpp:39:19:39:22 | *path | This operation exposes system data from $@. | tests_sockets.cpp:26:15:26:20 | *call to getenv | *call to getenv |
| tests_sockets.cpp:43:20:43:23 | *path | tests_sockets.cpp:26:15:26:20 | *call to getenv | tests_sockets.cpp:43:20:43:23 | *path | This operation exposes system data from $@. | tests_sockets.cpp:26:15:26:20 | *call to getenv | *call to getenv |
| tests_sockets.cpp:76:19:76:22 | *path | tests_sockets.cpp:63:15:63:20 | *call to getenv | tests_sockets.cpp:76:19:76:22 | *path | This operation exposes system data from $@. | tests_sockets.cpp:63:15:63:20 | *call to getenv | *call to getenv |
| tests_sockets.cpp:80:20:80:23 | *path | tests_sockets.cpp:63:15:63:20 | *call to getenv | tests_sockets.cpp:80:20:80:23 | *path | This operation exposes system data from $@. | tests_sockets.cpp:63:15:63:20 | *call to getenv | *call to getenv |
| tests_sysconf.cpp:39:19:39:25 | *pathbuf | tests_sysconf.cpp:36:21:36:27 | confstr output argument | tests_sysconf.cpp:39:19:39:25 | *pathbuf | This operation exposes system data from $@. | tests_sysconf.cpp:36:21:36:27 | confstr output argument | confstr output argument |

5
cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/ExposedSystemData.qlref
View File

@@ -1 +1,4 @@
Security/CWE/CWE-497/ExposedSystemData.ql
query: Security/CWE/CWE-497/ExposedSystemData.ql
postprocess:
- utils/test/PrettyPrintModels.ql
- utils/test/InlineExpectationsTestQuery.ql

46
cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/tests2.cpp
View File

@@ -47,7 +47,7 @@ int val();
// --- test cases ---
const char *global1 = mysql_get_client_info();
const char *global1 = mysql_get_client_info(); // $ Source
const char *global2 = "abc";
void test7()
@@ -55,15 +55,15 @@ void test7()
int sock = socket(val(), val(), val());
// tests for a strict implementation of CWE-497
std::cout << getenv("HOME"); // BAD: outputs HOME environment variable [NOT DETECTED]
std::cout << "PATH = " << getenv("PATH") << "."; // BAD: outputs PATH environment variable [NOT DETECTED]
std::cout << getenv("HOME"); // $ MISSING: Alert // outputs HOME environment variable
std::cout << "PATH = " << getenv("PATH") << "."; // $ MISSING: Alert // outputs PATH environment variable
std::cout << "PATHPATHPATH"; // GOOD: not system data
// tests for a more pragmatic implementation of CWE-497
send(sock, getenv("HOME"), val(), val()); // BAD
send(sock, getenv("PATH"), val(), val()); // BAD
send(sock, getenv("USERNAME"), val(), val()); // BAD
send(sock, getenv("APP_PASSWORD"), val(), val()); // BAD
send(sock, getenv("HOME"), val(), val()); // $ Alert
send(sock, getenv("PATH"), val(), val()); // $ Alert
send(sock, getenv("USERNAME"), val(), val()); // $ Alert
send(sock, getenv("APP_PASSWORD"), val(), val()); // $ Alert
send(sock, getenv("HARMLESS"), val(), val()); // GOOD: harmless information
send(sock, "HOME", val(), val()); // GOOD: not system data
send(sock, "PATH", val(), val()); // GOOD: not system data
@@ -75,11 +75,11 @@ void test7()
{
char buffer[256];
strcpy(buffer, mysql_get_client_info());
strcpy(buffer, mysql_get_client_info()); // $ Source
send(sock, mysql_get_client_info(), val(), val()); // BAD
send(sock, buffer, val(), val()); // BAD
send(sock, global1, val(), val()); // BAD
send(sock, mysql_get_client_info(), val(), val()); // $ Alert
send(sock, buffer, val(), val()); // $ Alert
send(sock, global1, val(), val()); // $ Alert
send(sock, global2, val(), val()); // GOOD: not system data
}
@@ -88,9 +88,9 @@ void test7()
const char *str1 = "123456";
const char *str2 = "abcdef";
mysql_real_connect(sock, val(), val(), str1, val(), val(), val(), val());
mysql_real_connect(sock, val(), val(), str1, val(), val(), val(), val()); // $ Source
send(sock, str1, val(), val()); // BAD
send(sock, str1, val(), val()); // $ Alert
send(sock, str2, val(), val()); // GOOD: not system data
}
@@ -98,17 +98,17 @@ void test7()
{
passwd *pw;
pw = getpwuid(val());
send(sock, pw->pw_passwd, val(), val()); // BAD
pw = getpwuid(val()); // $ Source
send(sock, pw->pw_passwd, val(), val()); // $ Alert
}
// tests for containers
{
container c1, c2;
c1.ptr = getenv("MY_SECRET_TOKEN");
c1.ptr = getenv("MY_SECRET_TOKEN"); // $ Source
c2.ptr = "";
send(sock, c1.ptr, val(), val()); // BAD
send(sock, c1.ptr, val(), val()); // $ Alert
send(sock, c2.ptr, val(), val()); // GOOD: not system data
}
}
@@ -131,20 +131,20 @@ void test_zmq(void *remoteSocket)
size_t message_len;
// prepare data
message_data = getenv("HOME");
message_data = getenv("HOME"); // $ Source
message_len = strlen(message_data) + 1;
// send as data
if (zmq_send(socket, message_data, message_len, 0) >= 0) { // BAD: outputs HOME environment variable
if (zmq_send(socket, message_data, message_len, 0) >= 0) { // $ Alert: outputs HOME environment variable
// ...
}
// send as message
if (zmq_msg_init_data(&message, message_data, message_len, 0, 0)) {
if (zmq_sendmsg(remoteSocket, &message, message_len)) { // BAD: outputs HOME environment variable
if (zmq_sendmsg(remoteSocket, &message, message_len)) { // $ Alert: outputs HOME environment variable
// ...
}
if (zmq_msg_send(&message, remoteSocket, message_len)) { // BAD: outputs HOME environment variable
if (zmq_msg_send(&message, remoteSocket, message_len)) { // $ Alert: outputs HOME environment variable
// ...
}
}
@@ -152,10 +152,10 @@ void test_zmq(void *remoteSocket)
// send as message (alternative path)
if (zmq_msg_init_size(&message, message_len) == 0) {
memcpy(zmq_msg_data(&message), message_data, message_len);
if (zmq_sendmsg(remoteSocket,&message, message_len)) { // BAD: outputs HOME environment variable
if (zmq_sendmsg(remoteSocket,&message, message_len)) { // $ Alert: outputs HOME environment variable
// ...
}
if (zmq_msg_send(&message, remoteSocket, message_len)) { // BAD: outputs HOME environment variable
if (zmq_msg_send(&message, remoteSocket, message_len)) { // $ Alert: outputs HOME environment variable
// ...
}
}

20
cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/tests_sockets.cpp
View File

@@ -23,7 +23,7 @@ void test_sockets1()
int sockfd;
sockaddr addr_remote;
char *msg = "Hello, world!";
char *path = getenv("PATH");
char *path = getenv("PATH"); // $ Source
// create socket
sockfd = socket(AF_INET, SOCK_STREAM, 0);
@@ -36,11 +36,11 @@ void test_sockets1()
// send something using 'send'
if (send(sockfd, msg, strlen(msg) + 1, 0) < 0) return; // GOOD
if (send(sockfd, path, strlen(path) + 1, 0) < 0) return; // BAD
if (send(sockfd, path, strlen(path) + 1, 0) < 0) return; // $ Alert
// send something using 'write'
if (write(sockfd, msg, strlen(msg) + 1) < 0) return; // GOOD
if (write(sockfd, path, strlen(path) + 1) < 0) return; // BAD
if (write(sockfd, path, strlen(path) + 1) < 0) return; // $ Alert
// clean up
// ...
@@ -49,9 +49,9 @@ void test_sockets1()
int mksocket()
{
int fd;
fd = socket(AF_INET, SOCK_STREAM, 0);
return fd;
}
@@ -60,7 +60,7 @@ void test_sockets2()
int sockfd;
sockaddr addr_remote;
char *msg = "Hello, world!";
char *path = getenv("PATH");
char *path = getenv("PATH"); // $ Source
// create socket
sockfd = mksocket();
@@ -73,11 +73,11 @@ void test_sockets2()
// send something using 'send'
if (send(sockfd, msg, strlen(msg) + 1, 0) < 0) return; // GOOD
if (send(sockfd, path, strlen(path) + 1, 0) < 0) return; // BAD
if (send(sockfd, path, strlen(path) + 1, 0) < 0) return; // $ Alert
// send something using 'write'
if (write(sockfd, msg, strlen(msg) + 1) < 0) return; // GOOD
if (write(sockfd, path, strlen(path) + 1) < 0) return; // BAD
if (write(sockfd, path, strlen(path) + 1) < 0) return; // $ Alert
// clean up
// ...

8
cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/tests_sysconf.cpp
View File

@@ -21,7 +21,7 @@ void test_sc_1()
int value = sysconf(_SC_CHILD_MAX);
printf("_SC_CHILD_MAX = %i\n", _SC_CHILD_MAX); // GOOD
printf("_SC_CHILD_MAX = %i\n", value); // BAD [NOT DETECTED]
printf("_SC_CHILD_MAX = %i\n", value); // $ MISSING: Alert
}
void test_sc_2()
@@ -33,9 +33,9 @@ void test_sc_2()
pathbuf = (char *)malloc(n);
if (pathbuf != NULL)
{
confstr(_CS_PATH, pathbuf, n);
confstr(_CS_PATH, pathbuf, n); // $ Source
printf("path: %s", pathbuf); // BAD [NOT DETECTED]
write(get_fd(), pathbuf, strlen(pathbuf)); // BAD
printf("path: %s", pathbuf); // $ MISSING: Alert
write(get_fd(), pathbuf, strlen(pathbuf)); // $ Alert
}
}

177
csharp/downgrades/19b8cc3e2dc768d4cbc03d6e3773b709bbebd036/assignments.ql Normal file
View File

@@ -0,0 +1,177 @@
class Expr extends @expr {
string toString() { none() }
}
class Location extends @location {
string toString() { none() }
}
newtype TAddedElement =
TAssignment(CompoundAssignmentExpr e) or
TLhs(CompoundAssignmentExpr e) or
TRhs(CompoundAssignmentExpr e)
module Fresh = QlBuiltins::NewEntity<TAddedElement>;
class TNewExpr = @expr or Fresh::EntityId;
class NewExpr extends TNewExpr {
string toString() { none() }
}
class TNewControlFlowElement = @control_flow_element or Fresh::EntityId;
class NewControlFlowElement extends TNewControlFlowElement {
string toString() { none() }
}
class TypeOrRef extends @type_or_ref {
string toString() { none() }
}
class Callable extends @callable {
string toString() { none() }
}
class Accessible extends @accessible {
string toString() { none() }
}
predicate assignmentKind(int kind) {
// | 63 = @simple_assign_expr
// | 80 = @add_event_expr
// | 81 = @remove_event_expr
// | 83 = @local_var_decl_expr
kind = [63, 80, 81, 83]
}
predicate compoundAssignmentKind(int kind) {
// | 64 = @assign_add_expr
// | 65 = @assign_sub_expr
// | 66 = @assign_mul_expr
// | 67 = @assign_div_expr
// | 68 = @assign_rem_expr
// | 69 = @assign_and_expr
// | 70 = @assign_xor_expr
// | 71 = @assign_or_expr
// | 72 = @assign_lshift_expr
// | 73 = @assign_rshift_expr
// | 119 = @assign_coalesce_expr
// | 134 = @assign_urshift_expr
kind = [64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 119, 134]
}
int getOperatorKindFromAssignmentKind(int kind) {
kind = 64 and result = 44 // @assign_add_expr -> @add_expr
or
kind = 65 and result = 45 // @assign_sub_expr -> @sub_expr
or
kind = 66 and result = 41 // @assign_mul_expr -> @mul_expr
or
kind = 67 and result = 42 // @assign_div_expr -> @div_expr
or
kind = 68 and result = 43 // @assign_rem_expr -> @rem_expr
or
kind = 69 and result = 54 // @assign_and_expr -> @bit_and_expr
or
kind = 70 and result = 55 // @assign_xor_expr -> @bit_xor_expr
or
kind = 71 and result = 56 // @assign_or_expr -> @bit_or_expr
or
kind = 72 and result = 46 // @assign_lshift_expr -> @lshift_expr
or
kind = 73 and result = 47 // @assign_rshift_expr -> @rshift_expr
or
kind = 119 and result = 61 // @assign_coalesce_expr -> @coalesce_expr
or
kind = 134 and result = 133 // @assign_urshift_expr -> @urshift_expr
}
predicate isAssignment(Expr ass) {
exists(int kind | assignmentKind(kind) | expressions(ass, kind, _))
}
class CompoundAssignmentExpr extends Expr {
CompoundAssignmentExpr() {
exists(int kind | compoundAssignmentKind(kind) | expressions(this, kind, _))
}
}
query predicate new_expressions(NewExpr e, int kind, TypeOrRef t) {
expressions(e, kind, t)
or
// Introduce expanded expression nodes.
exists(CompoundAssignmentExpr compound, int kind0, Expr e1, int kind1 |
expressions(compound, kind0, t) and
expressions(e1, kind1, _) and
expr_parent(e1, 0, compound)
|
Fresh::map(TAssignment(compound)) = e and kind = 63
or
Fresh::map(TLhs(compound)) = e and kind = kind1
or
Fresh::map(TRhs(compound)) = e and kind = getOperatorKindFromAssignmentKind(kind0)
)
}
query predicate new_expr_parent(NewExpr e, int child, NewControlFlowElement parent) {
if isAssignment(parent)
then
// Swap children for assignments, local variable declarations and add/remove event.
child = 0 and expr_parent(e, 1, parent)
or
child = 1 and expr_parent(e, 0, parent)
else (
exists(CompoundAssignmentExpr compound |
Fresh::map(TAssignment(compound)) = e and child = 2 and parent = compound
or
Fresh::map(TLhs(compound)) = e and child = 1 and parent = Fresh::map(TAssignment(compound))
or
Fresh::map(TRhs(compound)) = e and child = 0 and parent = Fresh::map(TAssignment(compound))
or
expr_parent(e, child, compound) and parent = Fresh::map(TRhs(compound))
)
or
// Copy the expr_parent relation except for compound assignment edges.
expr_parent(e, child, parent) and not parent instanceof CompoundAssignmentExpr
)
}
query predicate new_expr_location(NewExpr e, Location loc) {
expr_location(e, loc)
or
exists(CompoundAssignmentExpr compound |
Fresh::map(TAssignment(compound)) = e and expr_location(compound, loc)
or
Fresh::map(TLhs(compound)) = e and
exists(Expr child | expr_location(child, loc) and expr_parent(child, 0, compound))
or
Fresh::map(TRhs(compound)) = e and expr_location(compound, loc)
)
}
query predicate new_expr_call(NewExpr e, Callable c) {
expr_call(e, c) and not e instanceof CompoundAssignmentExpr
or
exists(CompoundAssignmentExpr compound |
Fresh::map(TRhs(compound)) = e and expr_call(compound, c)
)
}
query predicate new_dynamic_member_name(NewExpr e, string name) {
dynamic_member_name(e, name) and not e instanceof CompoundAssignmentExpr
or
exists(CompoundAssignmentExpr compound |
Fresh::map(TRhs(compound)) = e and dynamic_member_name(compound, name)
)
}
query predicate new_expr_access(NewExpr e, Accessible a) {
expr_access(e, a)
or
exists(CompoundAssignmentExpr compound, Expr access |
expr_parent(access, 0, compound) and
expr_access(access, a) and
Fresh::map(TLhs(compound)) = e
)
}

1504
csharp/downgrades/19b8cc3e2dc768d4cbc03d6e3773b709bbebd036/old.dbscheme Normal file
View File

File diff suppressed because it is too large Load Diff

1489
csharp/downgrades/19b8cc3e2dc768d4cbc03d6e3773b709bbebd036/semmlecode.csharp.dbscheme Normal file
View File

File diff suppressed because it is too large Load Diff

8
csharp/downgrades/19b8cc3e2dc768d4cbc03d6e3773b709bbebd036/upgrade.properties Normal file
View File

@@ -0,0 +1,8 @@
description: Remove operation kinds for operations, introduce expanded assignments and rotate assignment child expressions.
compatibility: partial
expr_parent.rel: run assignments.ql new_expr_parent
expressions.rel: run assignments.ql new_expressions
expr_location.rel: run assignments.ql new_expr_location
expr_call.rel: run assignments.ql new_expr_call
dynamic_member_name.rel: run assignments.ql new_dynamic_member_name
expr_access.rel: run assignments.ql new_expr_access

6
csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/IDotNetCliInvoker.cs
View File

@@ -12,16 +12,18 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
/// <summary>
/// A minimal environment for running the .NET CLI.
///
///
/// DOTNET_CLI_UI_LANGUAGE: The .NET CLI language is set to English to avoid localized output.
/// MSBUILDDISABLENODEREUSE: To ensure clean environment for each build.
/// DOTNET_SKIP_FIRST_TIME_EXPERIENCE: To skip first time experience messages.
/// DOTNET_CLI_TELEMETRY_OPTOUT: To skip any dotnet telemetry: it's unnecessary and can even cause issues.
/// </summary>
static ReadOnlyDictionary<string, string> MinimalEnvironment { get; } = new(new Dictionary<string, string>
{
{"DOTNET_CLI_UI_LANGUAGE", "en"},
{"MSBUILDDISABLENODEREUSE", "1"},
{"DOTNET_SKIP_FIRST_TIME_EXPERIENCE", "true"}
{"DOTNET_SKIP_FIRST_TIME_EXPERIENCE", "true"},
{"DOTNET_CLI_TELEMETRY_OPTOUT", "1"}
});
/// <summary>

75
csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Assignment.cs
View File

@@ -22,26 +22,12 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
protected override void PopulateExpression(TextWriter trapFile)
{
var operatorKind = OperatorKind;
if (operatorKind.HasValue)
{
// Convert assignment such as `a += b` into `a = a + b`.
var simpleAssignExpr = new Expression(new ExpressionInfo(Context, Type, Location, ExprKind.SIMPLE_ASSIGN, this, 2, isCompilerGenerated: true, null));
Create(Context, Syntax.Left, simpleAssignExpr, 1);
var opexpr = new Expression(new ExpressionInfo(Context, Type, Location, operatorKind.Value, simpleAssignExpr, 0, isCompilerGenerated: true, null));
Create(Context, Syntax.Left, opexpr, 0, isCompilerGenerated: true);
Create(Context, Syntax.Right, opexpr, 1);
opexpr.OperatorCall(trapFile, Syntax);
}
else
{
Create(Context, Syntax.Left, this, 1);
Create(Context, Syntax.Right, this, 0);
Create(Context, Syntax.Left, this, 0);
Create(Context, Syntax.Right, this, 1);
if (Kind == ExprKind.ADD_EVENT || Kind == ExprKind.REMOVE_EVENT)
{
OperatorCall(trapFile, Syntax);
}
if (Kind != ExprKind.SIMPLE_ASSIGN && Kind != ExprKind.ASSIGN_COALESCE)
{
OperatorCall(trapFile, Syntax);
}
}
@@ -108,56 +94,5 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
return kind;
}
/// <summary>
/// Gets the kind of this assignment operator (<code>null</code> if the
/// assignment is not an assignment operator). For example, the operator
/// kind of `*=` is `*`.
/// </summary>
private ExprKind? OperatorKind
{
get
{
var kind = Kind;
if (kind == ExprKind.REMOVE_EVENT || kind == ExprKind.ADD_EVENT || kind == ExprKind.SIMPLE_ASSIGN)
return null;
if (CallType.AdjustKind(kind) == ExprKind.OPERATOR_INVOCATION)
return ExprKind.OPERATOR_INVOCATION;
switch (kind)
{
case ExprKind.ASSIGN_ADD:
return ExprKind.ADD;
case ExprKind.ASSIGN_AND:
return ExprKind.BIT_AND;
case ExprKind.ASSIGN_DIV:
return ExprKind.DIV;
case ExprKind.ASSIGN_LSHIFT:
return ExprKind.LSHIFT;
case ExprKind.ASSIGN_MUL:
return ExprKind.MUL;
case ExprKind.ASSIGN_OR:
return ExprKind.BIT_OR;
case ExprKind.ASSIGN_REM:
return ExprKind.REM;
case ExprKind.ASSIGN_RSHIFT:
return ExprKind.RSHIFT;
case ExprKind.ASSIGN_URSHIFT:
return ExprKind.URSHIFT;
case ExprKind.ASSIGN_SUB:
return ExprKind.SUB;
case ExprKind.ASSIGN_XOR:
return ExprKind.BIT_XOR;
case ExprKind.ASSIGN_COALESCE:
return ExprKind.NULL_COALESCING;
default:
Context.ModelError(Syntax, $"Couldn't unfold assignment of type {kind}");
return ExprKind.UNKNOWN;
}
}
}
public new CallType CallType => GetCallType(Context, Syntax);
}
}

29
csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Initializer.cs
View File

@@ -83,8 +83,22 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
{
var assignmentInfo = new ExpressionNodeInfo(Context, init, this, child++).SetKind(ExprKind.SIMPLE_ASSIGN);
var assignmentEntity = new Expression(assignmentInfo);
var target = Context.GetSymbolInfo(assignment.Left);
// If the target is null, then assume that this is an array initializer (of the form `[...] = ...`)
var access = target.Symbol is null ?
new Expression(new ExpressionNodeInfo(Context, assignment.Left, assignmentEntity, 0).SetKind(ExprKind.ARRAY_ACCESS)) :
Access.Create(new ExpressionNodeInfo(Context, assignment.Left, assignmentEntity, 0), target.Symbol, false, Context.CreateEntity(target.Symbol));
if (assignment.Left is ImplicitElementAccessSyntax iea)
{
// An array/indexer initializer of the form `[...] = ...`
access.PopulateArguments(trapFile, iea.ArgumentList.Arguments, 0);
}
var typeInfoRight = Context.GetTypeInfo(assignment.Right);
if (typeInfoRight.Type is null)
{
// The type may be null for nested initializers such as
// ```csharp
// new ClassWithArrayField() { As = { [0] = a } }
@@ -92,21 +106,8 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
// In this case we take the type from the assignment
// `As = { [0] = a }` instead
typeInfoRight = assignmentInfo.TypeInfo;
CreateFromNode(new ExpressionNodeInfo(Context, assignment.Right, assignmentEntity, 0, typeInfoRight));
var target = Context.GetSymbolInfo(assignment.Left);
// If the target is null, then assume that this is an array initializer (of the form `[...] = ...`)
var access = target.Symbol is null ?
new Expression(new ExpressionNodeInfo(Context, assignment.Left, assignmentEntity, 1).SetKind(ExprKind.ARRAY_ACCESS)) :
Access.Create(new ExpressionNodeInfo(Context, assignment.Left, assignmentEntity, 1), target.Symbol, false, Context.CreateEntity(target.Symbol));
if (assignment.Left is ImplicitElementAccessSyntax iea)
{
// An array/indexer initializer of the form `[...] = ...`
access.PopulateArguments(trapFile, iea.ArgumentList.Arguments, 0);
}
CreateFromNode(new ExpressionNodeInfo(Context, assignment.Right, assignmentEntity, 1, typeInfoRight));
}
else
{

6
csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/ObjectCreation/AnonymousObjectCreation.cs
View File

@@ -41,11 +41,11 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
var loc = Context.CreateLocation(init.GetLocation());
var assignment = new Expression(new ExpressionInfo(Context, type, loc, ExprKind.SIMPLE_ASSIGN, objectInitializer, child++, isCompilerGenerated: false, null));
Create(Context, init.Expression, assignment, 0);
Property.Create(Context, property);
var access = new Expression(new ExpressionInfo(Context, type, loc, ExprKind.PROPERTY_ACCESS, assignment, 1, isCompilerGenerated: false, null));
var access = new Expression(new ExpressionInfo(Context, type, loc, ExprKind.PROPERTY_ACCESS, assignment, 0, isCompilerGenerated: false, null));
trapFile.expr_access(access, propEntity);
Create(Context, init.Expression, assignment, 1);
}
}
}

6
csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Query.cs
View File

@@ -94,12 +94,12 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
child
);
Expression.Create(cx, Expr, decl, 0);
var nameLoc = cx.CreateLocation(name.GetLocation());
var access = new Expression(new ExpressionInfo(cx, type, nameLoc, ExprKind.LOCAL_VARIABLE_ACCESS, decl, 1, isCompilerGenerated: false, null));
var access = new Expression(new ExpressionInfo(cx, type, nameLoc, ExprKind.LOCAL_VARIABLE_ACCESS, decl, 0, isCompilerGenerated: false, null));
cx.TrapWriter.Writer.expr_access(access, LocalVariable.Create(cx, variableSymbol));
Expression.Create(cx, Expr, decl, 1);
return decl;
}

6
csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/VariableDeclaration.cs
View File

@@ -176,11 +176,11 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
if (d.Initializer is not null)
{
Create(cx, d.Initializer.Value, ret, 0);
// Create an access
var access = new Expression(new ExpressionInfo(cx, type, localVar.Location, ExprKind.LOCAL_VARIABLE_ACCESS, ret, 1, isCompilerGenerated: false, null));
var access = new Expression(new ExpressionInfo(cx, type, localVar.Location, ExprKind.LOCAL_VARIABLE_ACCESS, ret, 0, isCompilerGenerated: false, null));
cx.TrapWriter.Writer.expr_access(access, localVar);
Create(cx, d.Initializer.Value, ret, 1);
}
if (d.Parent is VariableDeclarationSyntax decl)

4
csharp/extractor/Semmle.Extraction.CSharp/Entities/Field.cs
View File

@@ -116,9 +116,9 @@ namespace Semmle.Extraction.CSharp.Entities
{
var type = Symbol.GetAnnotatedType();
var simpleAssignExpr = new Expression(new ExpressionInfo(Context, type, loc, ExprKind.SIMPLE_ASSIGN, this, child++, isCompilerGenerated: true, constValue));
Expression.CreateFromNode(new ExpressionNodeInfo(Context, initializer, simpleAssignExpr, 0));
var access = new Expression(new ExpressionInfo(Context, type, Location, ExprKind.FIELD_ACCESS, simpleAssignExpr, 1, isCompilerGenerated: true, constValue));
var access = new Expression(new ExpressionInfo(Context, type, Location, ExprKind.FIELD_ACCESS, simpleAssignExpr, 0, isCompilerGenerated: true, constValue));
trapFile.expr_access(access, this);
Expression.CreateFromNode(new ExpressionNodeInfo(Context, initializer, simpleAssignExpr, 1));
return access;
}

4
csharp/extractor/Semmle.Extraction.CSharp/Entities/Property.cs
View File

@@ -94,9 +94,9 @@ namespace Semmle.Extraction.CSharp.Entities
var loc = Context.CreateLocation(initializer!.GetLocation());
var annotatedType = AnnotatedTypeSymbol.CreateNotAnnotated(Symbol.Type);
var simpleAssignExpr = new Expression(new ExpressionInfo(Context, annotatedType, loc, ExprKind.SIMPLE_ASSIGN, this, child++, isCompilerGenerated: true, null));
Expression.CreateFromNode(new ExpressionNodeInfo(Context, initializer.Value, simpleAssignExpr, 0));
var access = new Expression(new ExpressionInfo(Context, annotatedType, Location, ExprKind.PROPERTY_ACCESS, simpleAssignExpr, 1, isCompilerGenerated: true, null));
var access = new Expression(new ExpressionInfo(Context, annotatedType, Location, ExprKind.PROPERTY_ACCESS, simpleAssignExpr, 0, isCompilerGenerated: true, null));
trapFile.expr_access(access, this);
Expression.CreateFromNode(new ExpressionNodeInfo(Context, initializer.Value, simpleAssignExpr, 1));
if (!Symbol.IsStatic)
{
This.CreateImplicit(Context, Symbol.ContainingType, Location, access, -1);

13
csharp/ql/campaigns/Solorigate/src/ModifiedFnvFunctionDetection.ql
View File

@@ -16,16 +16,9 @@ import experimental.code.csharp.Cryptography.NonCryptographicHashes
from Variable v, Literal l, LoopStmt loop, Expr additional_xor
where
maybeUsedInFnvFunction(v, _, _, loop) and
(
exists(BitwiseXorExpr xor2 | xor2.getAnOperand() = l and additional_xor = xor2 |
loop.getAControlFlowExitNode().getASuccessor*() = xor2.getAControlFlowNode() and
xor2.getAnOperand() = v.getAnAccess()
)
or
exists(AssignXorExpr xor2 | xor2.getAnOperand() = l and additional_xor = xor2 |
loop.getAControlFlowExitNode().getASuccessor*() = xor2.getAControlFlowNode() and
xor2.getAnOperand() = v.getAnAccess()
)
exists(BitwiseXorOperation xor2 | xor2.getAnOperand() = l and additional_xor = xor2 |
loop.getAControlFlowExitNode().getASuccessor*() = xor2.getAControlFlowNode() and
xor2.getAnOperand() = v.getAnAccess()
)
select l, "This literal is used in an $@ after an FNV-like hash calculation with variable $@.",
additional_xor, "additional xor", v, v.toString()

2
csharp/ql/integration-tests/all-platforms/autobuild/global.json
View File

@@ -1,5 +1,5 @@
{
"sdk": {
"version": "10.0.100"
"version": "10.0.201"
}
}

2
csharp/ql/integration-tests/all-platforms/autobuild_slnx/global.json
View File

@@ -1,5 +1,5 @@
{
"sdk": {
"version": "10.0.100"
"version": "10.0.201"
}
}

2
csharp/ql/integration-tests/all-platforms/binlog/global.json
View File

@@ -1,5 +1,5 @@
{
"sdk": {
"version": "10.0.100"
"version": "10.0.201"
}
}

2
csharp/ql/integration-tests/all-platforms/binlog_multiple/global.json
View File

@@ -1,5 +1,5 @@
{
"sdk": {
"version": "10.0.100"
"version": "10.0.201"
}
}

2
csharp/ql/integration-tests/all-platforms/blazor/BlazorTest/global.json
View File

@@ -1,5 +1,5 @@
{
"sdk": {
"version": "10.0.100"
"version": "10.0.201"
}
}

18
csharp/ql/integration-tests/all-platforms/blazor/Files.expected
View File

@@ -14,12 +14,12 @@
| BlazorTest/obj/Debug/net10.0/EmbeddedAttribute.cs:0:0:0:0 | BlazorTest/obj/Debug/net10.0/EmbeddedAttribute.cs |
| BlazorTest/obj/Debug/net10.0/ValidatableTypeAttribute.cs:0:0:0:0 | BlazorTest/obj/Debug/net10.0/ValidatableTypeAttribute.cs |
| BlazorTest/obj/Debug/net10.0/generated/Microsoft.AspNetCore.App.SourceGenerators/Microsoft.AspNetCore.SourceGenerators.PublicProgramSourceGenerator/PublicTopLevelProgram.Generated.g.cs:0:0:0:0 | BlazorTest/obj/Debug/net10.0/generated/Microsoft.AspNetCore.App.SourceGenerators/Microsoft.AspNetCore.SourceGenerators.PublicProgramSourceGenerator/PublicTopLevelProgram.Generated.g.cs |
| BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_App_razor.g.cs:0:0:0:0 | BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_App_razor.g.cs |
| BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_Layout_MainLayout_razor.g.cs:0:0:0:0 | BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_Layout_MainLayout_razor.g.cs |
| BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_Layout_NavMenu_razor.g.cs:0:0:0:0 | BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_Layout_NavMenu_razor.g.cs |
| BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_MyInput_razor.g.cs:0:0:0:0 | BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_MyInput_razor.g.cs |
| BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_MyOutput_razor.g.cs:0:0:0:0 | BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_MyOutput_razor.g.cs |
| BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_Pages_Error_razor.g.cs:0:0:0:0 | BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_Pages_Error_razor.g.cs |
| BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_Pages_TestPage_razor.g.cs:0:0:0:0 | BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_Pages_TestPage_razor.g.cs |
| BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_Routes_razor.g.cs:0:0:0:0 | BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_Routes_razor.g.cs |
| BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components__Imports_razor.g.cs:0:0:0:0 | BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components__Imports_razor.g.cs |
| BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/App_razor.g.cs:0:0:0:0 | BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/App_razor.g.cs |
| BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/Layout/MainLayout_razor.g.cs:0:0:0:0 | BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/Layout/MainLayout_razor.g.cs |
| BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/Layout/NavMenu_razor.g.cs:0:0:0:0 | BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/Layout/NavMenu_razor.g.cs |
| BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/MyInput_razor.g.cs:0:0:0:0 | BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/MyInput_razor.g.cs |
| BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/MyOutput_razor.g.cs:0:0:0:0 | BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/MyOutput_razor.g.cs |
| BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/Pages/Error_razor.g.cs:0:0:0:0 | BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/Pages/Error_razor.g.cs |
| BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/Pages/TestPage_razor.g.cs:0:0:0:0 | BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/Pages/TestPage_razor.g.cs |
| BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/Routes_razor.g.cs:0:0:0:0 | BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/Routes_razor.g.cs |
| BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/_Imports_razor.g.cs:0:0:0:0 | BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/_Imports_razor.g.cs |

6
csharp/ql/integration-tests/all-platforms/blazor/XSS.expected
View File

@@ -3,8 +3,8 @@
| BlazorTest/Components/Pages/TestPage.razor:11:48:11:55 | access to property UrlParam | BlazorTest/Components/Pages/TestPage.razor:11:48:11:55 | access to property UrlParam | BlazorTest/Components/Pages/TestPage.razor:11:48:11:55 | access to property UrlParam | $@ flows to here and is written to HTML or JavaScript. | BlazorTest/Components/Pages/TestPage.razor:11:48:11:55 | access to property UrlParam | User-provided value |
| BlazorTest/Components/Pages/TestPage.razor:20:60:20:69 | access to property QueryParam | BlazorTest/Components/Pages/TestPage.razor:20:60:20:69 | access to property QueryParam | BlazorTest/Components/Pages/TestPage.razor:20:60:20:69 | access to property QueryParam | $@ flows to here and is written to HTML or JavaScript. | BlazorTest/Components/Pages/TestPage.razor:20:60:20:69 | access to property QueryParam | User-provided value |
edges
| BlazorTest/Components/Pages/TestPage.razor:85:23:85:32 | access to property QueryParam : String | BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_Pages_TestPage_razor.g.cs:553:16:561:13 | call to method TypeCheck<String> : String | provenance | Src:MaD:2 MaD:3 |
| BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_Pages_TestPage_razor.g.cs:553:16:561:13 | call to method TypeCheck<String> : String | BlazorTest/Components/MyOutput.razor:5:53:5:57 | access to property Value | provenance | Sink:MaD:1 |
| BlazorTest/Components/Pages/TestPage.razor:85:23:85:32 | access to property QueryParam : String | BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/Pages/TestPage_razor.g.cs:553:16:561:13 | call to method TypeCheck<String> : String | provenance | Src:MaD:2 MaD:3 |
| BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/Pages/TestPage_razor.g.cs:553:16:561:13 | call to method TypeCheck<String> : String | BlazorTest/Components/MyOutput.razor:5:53:5:57 | access to property Value | provenance | Sink:MaD:1 |
models
| 1 | Sink: Microsoft.AspNetCore.Components; MarkupString; false; MarkupString; (System.String); ; Argument[0]; html-injection; manual |
| 2 | Source: Microsoft.AspNetCore.Components; SupplyParameterFromQueryAttribute; false; ; ; Attribute.Getter; ReturnValue; remote; manual |
@@ -14,5 +14,5 @@ nodes
| BlazorTest/Components/Pages/TestPage.razor:11:48:11:55 | access to property UrlParam | semmle.label | access to property UrlParam |
| BlazorTest/Components/Pages/TestPage.razor:20:60:20:69 | access to property QueryParam | semmle.label | access to property QueryParam |
| BlazorTest/Components/Pages/TestPage.razor:85:23:85:32 | access to property QueryParam : String | semmle.label | access to property QueryParam : String |
| BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_Pages_TestPage_razor.g.cs:553:16:561:13 | call to method TypeCheck<String> : String | semmle.label | call to method TypeCheck<String> : String |
| BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/Pages/TestPage_razor.g.cs:553:16:561:13 | call to method TypeCheck<String> : String | semmle.label | call to method TypeCheck<String> : String |
subpaths

2
csharp/ql/integration-tests/all-platforms/blazor/global.json
View File

@@ -1,5 +1,5 @@
{
"sdk": {
"version": "10.0.100"
"version": "10.0.201"
}
}

2
csharp/ql/integration-tests/all-platforms/blazor_build_mode_none/BlazorTest/global.json
View File

@@ -1,5 +1,5 @@
{
"sdk": {
"version": "10.0.100"
"version": "10.0.201"
}
}

18
csharp/ql/integration-tests/all-platforms/blazor_build_mode_none/Files.expected
View File

@@ -8,13 +8,13 @@
| BlazorTest/Components/Routes.razor |
| BlazorTest/Components/_Imports.razor |
| BlazorTest/Program.cs |
| [...]/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_App_razor.g.cs |
| [...]/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_Layout_MainLayout_razor.g.cs |
| [...]/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_Layout_NavMenu_razor.g.cs |
| [...]/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_MyInput_razor.g.cs |
| [...]/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_MyOutput_razor.g.cs |
| [...]/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_Pages_Error_razor.g.cs |
| [...]/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_Pages_TestPage_razor.g.cs |
| [...]/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_Routes_razor.g.cs |
| [...]/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components__Imports_razor.g.cs |
| [...]/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/App_razor.g.cs |
| [...]/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/Layout/MainLayout_razor.g.cs |
| [...]/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/Layout/NavMenu_razor.g.cs |
| [...]/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/MyInput_razor.g.cs |
| [...]/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/MyOutput_razor.g.cs |
| [...]/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/Pages/Error_razor.g.cs |
| [...]/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/Pages/TestPage_razor.g.cs |
| [...]/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/Routes_razor.g.cs |
| [...]/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/_Imports_razor.g.cs |
| test-db/working/implicitUsings/GlobalUsings.g.cs |

6
csharp/ql/integration-tests/all-platforms/blazor_build_mode_none/XSS.expected
View File

@@ -3,8 +3,8 @@
| BlazorTest/Components/Pages/TestPage.razor:11:48:11:55 | access to property UrlParam | BlazorTest/Components/Pages/TestPage.razor:11:48:11:55 | access to property UrlParam | BlazorTest/Components/Pages/TestPage.razor:11:48:11:55 | access to property UrlParam | $@ flows to here and is written to HTML or JavaScript. | BlazorTest/Components/Pages/TestPage.razor:11:48:11:55 | access to property UrlParam | User-provided value |
| BlazorTest/Components/Pages/TestPage.razor:20:60:20:69 | access to property QueryParam | BlazorTest/Components/Pages/TestPage.razor:20:60:20:69 | access to property QueryParam | BlazorTest/Components/Pages/TestPage.razor:20:60:20:69 | access to property QueryParam | $@ flows to here and is written to HTML or JavaScript. | BlazorTest/Components/Pages/TestPage.razor:20:60:20:69 | access to property QueryParam | User-provided value |
edges
| BlazorTest/Components/Pages/TestPage.razor:85:23:85:32 | access to property QueryParam : String | test-db/working/razor/AC613014E59A413B9538FF8068364499/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_Pages_TestPage_razor.g.cs:553:16:561:13 | call to method TypeCheck<String> : String | provenance | Src:MaD:2 MaD:3 |
| test-db/working/razor/AC613014E59A413B9538FF8068364499/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_Pages_TestPage_razor.g.cs:553:16:561:13 | call to method TypeCheck<String> : String | BlazorTest/Components/MyOutput.razor:5:53:5:57 | access to property Value | provenance | Sink:MaD:1 |
| BlazorTest/Components/Pages/TestPage.razor:85:23:85:32 | access to property QueryParam : String | test-db/working/razor/AC613014E59A413B9538FF8068364499/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/Pages/TestPage_razor.g.cs:553:16:561:13 | call to method TypeCheck<String> : String | provenance | Src:MaD:2 MaD:3 |
| test-db/working/razor/AC613014E59A413B9538FF8068364499/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/Pages/TestPage_razor.g.cs:553:16:561:13 | call to method TypeCheck<String> : String | BlazorTest/Components/MyOutput.razor:5:53:5:57 | access to property Value | provenance | Sink:MaD:1 |
models
| 1 | Sink: Microsoft.AspNetCore.Components; MarkupString; false; MarkupString; (System.String); ; Argument[0]; html-injection; manual |
| 2 | Source: Microsoft.AspNetCore.Components; SupplyParameterFromQueryAttribute; false; ; ; Attribute.Getter; ReturnValue; remote; manual |
@@ -14,5 +14,5 @@ nodes
| BlazorTest/Components/Pages/TestPage.razor:11:48:11:55 | access to property UrlParam | semmle.label | access to property UrlParam |
| BlazorTest/Components/Pages/TestPage.razor:20:60:20:69 | access to property QueryParam | semmle.label | access to property QueryParam |
| BlazorTest/Components/Pages/TestPage.razor:85:23:85:32 | access to property QueryParam : String | semmle.label | access to property QueryParam : String |
| test-db/working/razor/AC613014E59A413B9538FF8068364499/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_Pages_TestPage_razor.g.cs:553:16:561:13 | call to method TypeCheck<String> : String | semmle.label | call to method TypeCheck<String> : String |
| test-db/working/razor/AC613014E59A413B9538FF8068364499/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/Pages/TestPage_razor.g.cs:553:16:561:13 | call to method TypeCheck<String> : String | semmle.label | call to method TypeCheck<String> : String |
subpaths

2
csharp/ql/integration-tests/all-platforms/blazor_build_mode_none/global.json
View File

@@ -1,5 +1,5 @@
{
"sdk": {
"version": "10.0.100"
"version": "10.0.201"
}
}

2
csharp/ql/integration-tests/all-platforms/conditional_compilation/global.json
View File

@@ -1,5 +1,5 @@
{
"sdk": {
"version": "10.0.100"
"version": "10.0.201"
}
}

2
csharp/ql/integration-tests/all-platforms/cshtml/Files.expected
View File

@@ -5,4 +5,4 @@
| obj/Debug/net10.0/cshtml.GlobalUsings.g.cs:0:0:0:0 | obj/Debug/net10.0/cshtml.GlobalUsings.g.cs |
| obj/Debug/net10.0/cshtml.RazorAssemblyInfo.cs:0:0:0:0 | obj/Debug/net10.0/cshtml.RazorAssemblyInfo.cs |
| obj/Debug/net10.0/generated/Microsoft.AspNetCore.App.SourceGenerators/Microsoft.AspNetCore.SourceGenerators.PublicProgramSourceGenerator/PublicTopLevelProgram.Generated.g.cs:0:0:0:0 | obj/Debug/net10.0/generated/Microsoft.AspNetCore.App.SourceGenerators/Microsoft.AspNetCore.SourceGenerators.PublicProgramSourceGenerator/PublicTopLevelProgram.Generated.g.cs |
| obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Views_Home_Index_cshtml.g.cs:0:0:0:0 | obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Views_Home_Index_cshtml.g.cs |
| obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Views/Home/Index_cshtml.g.cs:0:0:0:0 | obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Views/Home/Index_cshtml.g.cs |

2
csharp/ql/integration-tests/all-platforms/cshtml/global.json
View File

@@ -1,5 +1,5 @@
{
"sdk": {
"version": "10.0.100"
"version": "10.0.201"
}
}

2
csharp/ql/integration-tests/all-platforms/cshtml_standalone/Files.expected
View File

@@ -1,4 +1,4 @@
| Program.cs |
| Views/Home/Index.cshtml |
| test-db/working/implicitUsings/GlobalUsings.g.cs |
| test-db/working/razor/EC52D77FE9BF67AD10C5C3F248392316/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Views_Home_Index_cshtml.g.cs |
| test-db/working/razor/EC52D77FE9BF67AD10C5C3F248392316/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Views/Home/Index_cshtml.g.cs |

2
csharp/ql/integration-tests/all-platforms/cshtml_standalone/global.json
View File

@@ -1,5 +1,5 @@
{
"sdk": {
"version": "10.0.100"
"version": "10.0.201"
}
}

2
csharp/ql/integration-tests/all-platforms/cshtml_standalone_disabled/global.json
View File

@@ -1,5 +1,5 @@
{
"sdk": {
"version": "10.0.100"
"version": "10.0.201"
}
}

2
csharp/ql/integration-tests/all-platforms/cshtml_standalone_flowsteps/global.json
View File

@@ -1,5 +1,5 @@
{
"sdk": {
"version": "10.0.100"
"version": "10.0.201"
}
}

2
csharp/ql/integration-tests/all-platforms/cshtml_standalone_net6/Files.expected
View File

@@ -1,4 +1,4 @@
| Program.cs |
| Views/Home/Index.cshtml |
| test-db/working/implicitUsings/GlobalUsings.g.cs |
| test-db/working/razor/EC52D77FE9BF67AD10C5C3F248392316/[...]/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Views_Home_Index_cshtml.g.cs |
| test-db/working/razor/EC52D77FE9BF67AD10C5C3F248392316/[...]/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Views/Home/Index_cshtml.g.cs |

4
csharp/ql/integration-tests/all-platforms/cshtml_standalone_net6/global.json
View File

@@ -1,5 +1,5 @@
{
"sdk": {
"version": "6.0.418"
"version": "10.0.201"
}
}
}

2
csharp/ql/integration-tests/all-platforms/diag_dotnet_incompatible/global.json
View File

@@ -1,5 +1,5 @@
{
"sdk": {
"version": "10.0.100"
"version": "10.0.201"
}
}

2
csharp/ql/integration-tests/all-platforms/diag_missing_project_files/global.json
View File

@@ -1,5 +1,5 @@
{
"sdk": {
"version": "10.0.100"
"version": "10.0.201"
}
}

2
csharp/ql/integration-tests/all-platforms/diag_missing_xamarin_sdk/global.json
View File

@@ -1,5 +1,5 @@
{
"sdk": {
"version": "10.0.100"
"version": "10.0.201"
}
}

2
csharp/ql/integration-tests/all-platforms/diag_recursive_generics/global.json
View File

@@ -1,5 +1,5 @@
{
"sdk": {
"version": "10.0.100"
"version": "10.0.201"
}
}

2
csharp/ql/integration-tests/all-platforms/dotnet_10/global.json
View File

@@ -1,5 +1,5 @@
{
"sdk": {
"version": "10.0.100"
"version": "10.0.201"
}
}

Some files were not shown because too many files have changed in this diff Show More