Merge branch 'main' of https://github.com/github/codeql into post-release-prep/codeql-cli-2.25.1

2026-04-18 05:24:01 +02:00 · 2026-03-30 10:51:12 +02:00
parent ce6e6d5db3 898d12b0be
commit 59eec7ffa2
765 changed files with 13826 additions and 27987 deletions
--- a/Practices/Control-Flow/ConstantCondition.ql
+++ b/Practices/Control-Flow/ConstantCondition.ql
@@ -43,7 +43,7 @@ module ConstCondImpl = ConstCond::Make<Location, Cfg, ConstCondInput>;
 predicate nullCheck(Expr e, boolean direct) {
  exists(QualifiableExpr qe | qe.isConditional() and qe.getQualifier() = e and direct = true)
  or
-  exists(NullCoalescingExpr nce | nce.getLeftOperand() = e and direct = true)
+  exists(NullCoalescingOperation nce | nce.getLeftOperand() = e and direct = true)
  or
  exists(ConditionalExpr ce | ce.getThen() = e or ce.getElse() = e |
    nullCheck(ce, _) and direct = false
@@ -114,7 +114,7 @@ class ConstantBooleanCondition extends ConstantCondition {

  override predicate isWhiteListed() {
    // E.g. `x ?? false`
-    this.(BoolLiteral) = any(NullCoalescingExpr nce).getRightOperand() or
+    this.(BoolLiteral) = any(NullCoalescingOperation nce).getRightOperand() or
    // No need to flag logical operations when the operands are constant
    isConstantCondition(this.(LogicalNotExpr).getOperand(), _) or
    this =
--- a/csharp/ql/src/Complexity/ComplexCondition.ql
+++ b/csharp/ql/src/Complexity/ComplexCondition.ql
@@ -12,19 +12,38 @@

 import csharp

-predicate nontrivialLogicalOperator(BinaryLogicalOperation e) {
-  not exists(BinaryLogicalOperation parent |
+abstract class RelevantBinaryOperations extends Operation { }
+
+private class AddBinaryLogicalOperationRelevantBinaryOperations extends RelevantBinaryOperations,
+  BinaryLogicalOperation
+{ }
+
+private class AddAssignCoalesceExprRelevantBinaryOperations extends RelevantBinaryOperations,
+  AssignCoalesceExpr
+{ }
+
+abstract class RelevantOperations extends Operation { }
+
+private class AddLogicalOperationRelevantOperations extends RelevantOperations, LogicalOperation { }
+
+private class AddAssignCoalesceExprRelevantOperations extends RelevantOperations, AssignCoalesceExpr
+{ }
+
+predicate nontrivialLogicalOperator(RelevantBinaryOperations e) {
+  not exists(RelevantBinaryOperations parent |
    parent = e.getParent() and
    parent.getOperator() = e.getOperator()
  )
 }

-predicate logicalParent(LogicalOperation op, LogicalOperation parent) { parent = op.getParent() }
+predicate logicalParent(RelevantOperations op, RelevantOperations parent) {
+  parent = op.getParent()
+}

 from Expr e, int operators
 where
-  not e.getParent() instanceof LogicalOperation and
+  not e.getParent() instanceof RelevantOperations and
  operators =
-    count(BinaryLogicalOperation op | logicalParent*(op, e) and nontrivialLogicalOperator(op)) and
+    count(RelevantBinaryOperations op | logicalParent*(op, e) and nontrivialLogicalOperator(op)) and
  operators > 3
 select e, "Complex condition: too many logical operations in this expression."
--- a/Code/DeadStoreOfLocal.ql
+++ b/Code/DeadStoreOfLocal.ql
@@ -84,6 +84,8 @@ class RelevantDefinition extends AssignableDefinition {
      )
    or
    this instanceof AssignableDefinitions::PatternDefinition
+    or
+    this instanceof AssignableDefinitions::AssignOperationDefinition
  }

  /** Holds if this assignment may be live. */
--- a/Abuse/UselessNullCoalescingExpression.ql
+++ b/Abuse/UselessNullCoalescingExpression.ql
@@ -15,22 +15,30 @@
 import csharp
 import semmle.code.csharp.commons.StructuralComparison

-pragma[noinline]
-private predicate same(AssignableAccess x, AssignableAccess y) {
-  exists(NullCoalescingExpr nce |
-    x = nce.getLeftOperand() and
-    y = nce.getRightOperand().getAChildExpr*()
-  ) and
-  sameGvn(x, y)
+pragma[nomagic]
+private predicate relevant(Expr left, Expr right) {
+  exists(NullCoalescingOperation nce |
+    left = nce.getLeftOperand() and
+    right = nce.getRightOperand()
+  )
 }

-private predicate uselessNullCoalescingExpr(NullCoalescingExpr nce) {
+pragma[noinline]
+private predicate same(AssignableAccess x, AssignableAccess y) {
+  exists(Expr e |
+    relevant(x, e) and
+    y = e.getAChildExpr*() and
+    sameGvn(x, y)
+  )
+}
+
+private predicate uselessNullCoalescingOperation(NullCoalescingOperation nce) {
  exists(AssignableAccess x |
    nce.getLeftOperand() = x and
    forex(AssignableAccess y | same(x, y) | y instanceof AssignableRead and not y.isRefArgument())
  )
 }

-from NullCoalescingExpr nce
-where uselessNullCoalescingExpr(nce)
+from NullCoalescingOperation nce
+where uselessNullCoalescingOperation(nce)
 select nce, "Both operands of this null-coalescing expression access the same variable or property."
--- a/Bugs/Collections/WriteOnlyContainer.ql
+++ b/Bugs/Collections/WriteOnlyContainer.ql
@@ -23,7 +23,9 @@ where
  ) and
  forex(Access a | a = v.getAnAccess() |
    a = any(ModifierMethodCall m).getQualifier() or
-    a = any(Assignment ass | ass.getRValue() instanceof ObjectCreation).getLValue()
+    a = any(AssignExpr ass | ass.getRValue() instanceof ObjectCreation).getLValue() or
+    a =
+      any(LocalVariableDeclAndInitExpr ass | ass.getRValue() instanceof ObjectCreation).getLValue()
  ) and
  not v = any(ForeachStmt fs).getVariable() and
  not v = any(BindingPatternExpr vpe).getVariableDeclExpr().getVariable() and
--- a/Bugs/DangerousNonShortCircuitLogic.ql
+++ b/Bugs/DangerousNonShortCircuitLogic.ql
@@ -23,7 +23,6 @@ class NonShortCircuit extends BinaryBitwiseOperation {
      or
      this instanceof BitwiseOrExpr
    ) and
-    not exists(AssignBitwiseOperation abo | abo.getExpandedAssignment().getRValue() = this) and
    this.getLeftOperand().getType() instanceof BoolType and
    this.getRightOperand().getType() instanceof BoolType
  }
--- a/Bugs/PossibleLossOfPrecision.ql
+++ b/Bugs/PossibleLossOfPrecision.ql
@@ -27,13 +27,13 @@ predicate convertedToFloatOrDecimal(Expr e, Type t) {
    t instanceof DecimalType
  )
  or
-  exists(BinaryArithmeticOperation op |
+  exists(BinaryOperation op |
    op.getAnOperand() = e and
    convertedToFloatOrDecimal(op, t)
  |
-    op instanceof AddExpr or
-    op instanceof SubExpr or
-    op instanceof MulExpr
+    op instanceof AddOperation or
+    op instanceof SubOperation or
+    op instanceof MulOperation
  )
 }

--- a/csharp/ql/src/Performance/StringConcatenationInLoop.ql
+++ b/csharp/ql/src/Performance/StringConcatenationInLoop.ql
@@ -23,7 +23,6 @@ class StringCat extends AddExpr {
 * where `v` is a simple variable (and not, for example, a property).
 */
 predicate isSelfConcatAssignExpr(AssignExpr e, Variable v) {
-  not e = any(AssignAddExpr a).getExpandedAssignment() and
  exists(VariableAccess use |
    stringCatContains(e.getRValue(), use) and
    use.getTarget() = e.getTargetVariable() and
--- a/Features/CWE-079/XSS.ql
+++ b/Features/CWE-079/XSS.ql
@@ -4,7 +4,7 @@
 *              allows for a cross-site scripting vulnerability.
 * @kind path-problem
 * @problem.severity error
- * @security-severity 6.1
+ * @security-severity 7.8
 * @precision high
 * @id cs/web/xss
 * @tags security
--- a/Features/CWE-117/LogForging.ql
+++ b/Features/CWE-117/LogForging.ql
@@ -4,7 +4,7 @@
 *              insertion of forged log entries by a malicious user.
 * @kind path-problem
 * @problem.severity error
- * @security-severity 7.8
+ * @security-severity 6.1
 * @precision high
 * @id cs/log-forging
 * @tags security
--- a/Features/CWE-119/LocalUnvalidatedArithmetic.ql
+++ b/Features/CWE-119/LocalUnvalidatedArithmetic.ql
@@ -18,7 +18,7 @@
 import csharp
 import semmle.code.csharp.controlflow.Guards

-from AddExpr add, VirtualMethodCall taintSrc
+from AddOperation add, VirtualMethodCall taintSrc
 where
  // `add` is performing pointer arithmetic
  add.getType() instanceof PointerType and
--- a/Features/InsecureRandomness.ql
+++ b/Features/InsecureRandomness.ql
@@ -89,11 +89,7 @@ module Random {
        e = any(SensitiveLibraryParameter v).getAnAssignedArgument()
        or
        // Assignment operation, e.g. += or similar
-        exists(AssignOperation ao |
-          ao.getRValue() = e and
-          // "expanded" assignments will be covered by simple assignment
-          not ao.hasExpandedAssignment()
-        |
+        exists(AssignOperation ao | ao.getRValue() = e |
          ao.getLValue() = any(SensitiveVariable v).getAnAccess() or
          ao.getLValue() = any(SensitiveProperty v).getAnAccess() or
          ao.getLValue() = any(SensitiveLibraryParameter v).getAnAccess()
--- a/csharp/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md
+++ b/csharp/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md
@@ -0,0 +1,5 @@
+---
+category: queryMetadata
+---
+* The `@security-severity` metadata of `cs/log-forging` has been reduced from 7.8 (high) to 6.1 (medium).
+* The `@security-severity` metadata of `cs/web/xss` has been increased from 6.1 (medium) to 7.8 (high).
--- a/csharp/ql/src/experimental/CWE-918/RequestForgery.qll
+++ b/csharp/ql/src/experimental/CWE-918/RequestForgery.qll
@@ -211,7 +211,7 @@ module RequestForgery {
  }

  private predicate stringConcatStep(DataFlow::Node prev, DataFlow::Node succ) {
-    exists(AddExpr a |
+    exists(AddOperation a |
      a.getLeftOperand() = prev.asExpr()
      or
      a.getRightOperand() = prev.asExpr() and
--- a/Features/CWE-759/HashWithoutSalt.ql
+++ b/Features/CWE-759/HashWithoutSalt.ql
@@ -174,7 +174,7 @@ module HashWithoutSaltConfig implements DataFlow::ConfigSig {
      mc.getAnArgument() = node.asExpr()
    )
    or
-    exists(AddExpr e | node.asExpr() = e.getAnOperand()) // password+salt
+    exists(AddOperation e | node.asExpr() = e.getAnOperand()) // password+salt
    or
    exists(InterpolatedStringExpr e | node.asExpr() = e.getAnInsert())
    or