Merge remote-tracking branch 'upstream/rc/1.20' into mergeback-2019-03-19

README.md

@@ -13,4 +13,4 @@ We welcome contributions to our standard library and standard checks. Do you hav
 
 ## License
 
-The LGTM queries are licensed under [Apache License 2.0](LICENSE) by [Semmle](https://semmle.com).
+The QL queries in this repository are licensed under [Apache License 2.0](LICENSE) by [Semmle](https://semmle.com).

change-notes/1.20/analysis-csharp.md

@@ -1,24 +1,21 @@
 # Improvements to C# analysis
 
-## General improvements
-
-## New queries
-
-| **Query**                   | **Tags**  | **Purpose**                                                        |
-|-----------------------------|-----------|--------------------------------------------------------------------|
-
 ## Changes to existing queries
 
-| *@name of query (Query ID)*  | *Impact on results*    | *How/why the query has changed*   |
+| **Query**                    | **Expected impact**    | **Change**                        |
 |------------------------------|------------------------|-----------------------------------|
-| Off-by-one comparison against container length (`cs/index-out-of-bounds`) | Fewer false positives | Results have been removed when there are additional guards on the index. |
-| Dereferenced variable is always null (`cs/dereferenced-value-is-always-null`) | Improved results | The query has been rewritten from scratch, and the analysis is now based on static single assignment (SSA) forms. The query is now enabled by default in LGTM. |
-| Dereferenced variable may be null (`cs/dereferenced-value-may-be-null`) | Improved results | The query has been rewritten from scratch, and the analysis is now based on static single assignment (SSA) forms. The query is now enabled by default in LGTM. |
-| SQL query built from user-controlled sources (`cs/sql-injection`), Improper control of generation of code (`cs/code-injection`), Uncontrolled format string (`cs/uncontrolled-format-string`), Clear text storage of sensitive information (`cs/cleartext-storage-of-sensitive-information`), Exposure of private information (`cs/exposure-of-sensitive-information`) | More results | Data sources have been added from user controls in `System.Windows.Forms`. |
-| Use of default ToString() (`cs/call-to-object-tostring`) | Fewer false positives | Results have been removed for `char` arrays passed to `StringBuilder.Append()`, which were incorrectly marked as using `ToString`. |
-| Use of default ToString() (`cs/call-to-object-tostring`) | Fewer results | Results have been removed when the object is an interface or an abstract class. |
-| Unused format argument (`cs/format-argument-unused`) | Fewer false positives | Results have been removed where the format string is empty. This is often used as a default value and is not an interesting result. |
-| Double-checked lock is not thread-safe (`cs/unsafe-double-checked-lock`) | Fewer false positives, more true positives | Results have been removed where the underlying field was not updated in the `lock` statement, or where the field is a `struct`. Results have been added where there are other statements inside the `lock` statement. |
+| Clear text storage of sensitive information (`cs/cleartext-storage-of-sensitive-information`) | More results | Now includes data sources for user controls in `System.Windows.Forms`. |
+| Dereferenced variable is always null (`cs/dereferenced-value-is-always-null`) | Improved results | The query has been rewritten from scratch, and the analysis is now based on static single assignment (SSA) forms. Results are now shown by default in LGTM. |
+| Dereferenced variable may be null (`cs/dereferenced-value-may-be-null`) | Improved results | The query has been rewritten from scratch, and the analysis is now based on static single assignment (SSA) forms. Results are now shown by default in LGTM. |
+| Double-checked lock is not thread-safe (`cs/unsafe-double-checked-lock`) | Fewer false positive and more true positive results | No longer highlights code where the underlying field was not updated in the `lock` statement, or where the field is a `struct`. Results have been added where there are other statements inside the `lock` statement. |
+| Exposure of private information (`cs/exposure-of-sensitive-information`) | More results | Now includes data sources for user controls in `System.Windows.Forms`. |
+| Improper control of generation of code (`cs/code-injection`) | More results | Now includes data sources for user controls in `System.Windows.Forms`. |
+| Off-by-one comparison against container length (`cs/index-out-of-bounds`) | Fewer false positive results | No longer reports results when there are additional guards on the index. |
+| SQL query built from user-controlled sources (`cs/sql-injection`) | More results | Now includes data sources for user controls in `System.Windows.Forms`. |
+| Uncontrolled format string (`cs/uncontrolled-format-string`) | More results | Now includes data sources for user controls in `System.Windows.Forms`. |
+| Unused format argument (`cs/format-argument-unused`) | Fewer false positive results | No longer reports results where the format string is empty. This is often used as a default value and is not an interesting result. |
+| Use of default ToString() (`cs/call-to-object-tostring`) | Fewer false positive results | No longer reports results for `char` arrays passed to `StringBuilder.Append()`, which were incorrectly marked as using `ToString`. |
+| Use of default ToString() (`cs/call-to-object-tostring`) | Fewer results | No longer reports results when the object is an interface or an abstract class. |
 | Using a package with a known vulnerability (`cs/use-of-vulnerable-package`) | More results | This query detects packages vulnerable to CVE-2019-0657. |
 
 ## Changes to code extraction
@@ -29,14 +26,13 @@
 ## Changes to QL libraries
 
 * The class `TrivialProperty` now includes library properties determined to be trivial using CIL analysis. This may increase the number of results for all queries that use data flow.
-* Taint-tracking steps have been added for the `Json.NET` package. This will improve results for queries that use taint-tracking.
+* Taint-tracking steps have been added for the `Json.NET` package. This will improve results for queries that use taint tracking.
 * Support has been added for EntityFrameworkCore, including
   - Stored data flow sources
   - Sinks for SQL expressions
-  - Data flow through fields that are mapped to the database.
+  - Data flow through fields that are mapped to the database
 * Support has been added for NHibernate-Core, including
   - Stored data flow sources
   - Sinks for SQL expressions
-  - Data flow through fields that are mapped to the database.  
+  - Data flow through fields that are mapped to the database 
 
-## Changes to the autobuilder

change-notes/1.20/analysis-java.md

@@ -1,8 +1,5 @@
 # Improvements to Java analysis
 
-## General improvements
-
-
 ## New queries
 
 | **Query**                   | **Tags**  | **Purpose**                                                        |
@@ -15,7 +12,6 @@
 | **Query**                  | **Expected impact**    | **Change**                                                       |
 |----------------------------|------------------------|------------------------------------------------------------------|
 | Arbitrary file write during archive extraction ("Zip Slip") (`java/zipslip`) | Fewer false positive results | Results involving a sanitization step that converts a destination `Path` to a `File` are no longer reported. |
-| Double-checked locking is not thread-safe (`java/unsafe-double-checked-locking`) | Fewer false positive results and more true positive results | Results that use safe publication through a `final` field are no longer reported. Results that initialize immutable types like `String` incorrectly are now reported. |
 | Result of multiplication cast to wider type (`java/integer-multiplication-cast-to-long`) | Fewer results | Results involving conversions to `float` or `double` are no longer reported, as they were almost exclusively false positives. |
 
 ## Changes to QL libraries
@@ -29,7 +25,7 @@
   collections, maps, and iterators. This affects all security queries, which
   can report more results based on such paths.
 * The `FlowSources` and `TaintTracking` libraries are extended to cover additional remote user
-  input and taint steps from the Apache Thrift, Apache Struts, Guice and Protobuf frameworks.
+  input and taint steps from the following frameworks: Guice, Protobuf, Thrift and Struts.
   This affects all security queries, which may yield additional results on projects
   that use these frameworks.
 

change-notes/1.20/analysis-javascript.md

@@ -2,7 +2,7 @@
 
 ## General improvements
 
-* Support for many frameworks and libraries has been improved, in particular including the following:
+* Support for many frameworks and libraries has been improved, in particular for:
   - [a-sync-waterfall](https://www.npmjs.com/package/a-sync-waterfall)
   - [Electron](https://electronjs.org)
   - [Express](https://npmjs.org/express)
@@ -12,7 +12,7 @@
   - [socket.io](http://socket.io)
   - [Vue](https://vuejs.org/)
 
-* File classification has been improved to recognize additional generated files, for example files from [HTML Tidy](html-tidy.org).
+* File classification now recognizes additional generated files, for example, files from [HTML Tidy](html-tidy.org).
 
 * The taint tracking library now recognizes flow through persistent storage, class fields, and callbacks in certain cases. Handling of regular expressions has also been improved. This may give more results for the security queries.
 
@@ -24,7 +24,7 @@
 
 | **Query**                                     | **Tags**                                             | **Purpose**                                                                                                                                                                 |
 |-----------------------------------------------|------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Arbitrary file write during archive extraction ("Zip Slip") (`js/zipslip`) | security, external/cwe/cwe-022 | Identifies extraction routines that allow arbitrary file overwrite vulnerabilities. Results are hidden on LGTM by default. |
+| Arbitrary file write during archive extraction ("Zip Slip") (`js/zipslip`) | security, external/cwe/cwe-022 | Identifies extraction routines that allow arbitrary file overwrite vulnerabilities, indicating a possible violation of [CWE-022](https://cwe.mitre.org/data/definitions/22.html). Results are shown on LGTM by default. |
 | Arrow method on Vue instance (`js/vue/arrow-method-on-vue-instance`) | reliability, frameworks/vue | Highlights arrow functions that are used as methods on Vue instances. Results are shown on LGTM by default.|
 | Cross-window communication with unrestricted target origin (`js/cross-window-information-leak`) | security, external/cwe/201, external/cwe/359 | Highlights code that sends potentially sensitive information to another window without restricting the receiver window's origin, indicating a possible violation of [CWE-201](https://cwe.mitre.org/data/definitions/201.html). Results are shown on LGTM by default. |
 | Double escaping or unescaping (`js/double-escaping`) | correctness, security, external/cwe/cwe-116 | Highlights potential double escaping or unescaping of special characters, indicating a possible violation of [CWE-116](https://cwe.mitre.org/data/definitions/116.html). Results are shown on LGTM by default. |
@@ -39,24 +39,24 @@
 
 | **Query**                                  | **Expected impact**          | **Change**                                                                   |
 |--------------------------------------------|------------------------------|------------------------------------------------------------------------------|
-| Ambiguous HTML id attribute                | Fewer false-positive results | This rule now treats templates more conservatively. Its precision has been revised to 'high'. |
-| Assignment to exports variable             | Fewer results                | This rule no longer flags code that is also flagged by the rule "Useless assignment to local variable". |
-| Client-side cross-site scripting           | More true-positive results, fewer false-positive results. | This rule now recognizes WinJS functions that are vulnerable to HTML injection. It no longer flags certain safe uses of jQuery, and recognizes custom sanitizers. |
-| Hard-coded credentials                     | Fewer false-positive results | This rule no longer flag the empty string as a hardcoded username. |
-| Insecure randomness | More results | This rule now flags insecure uses of `crypto.pseudoRandomBytes`. |
-| Reflected cross-site scripting             | Fewer false-positive results. | This rule now recognizes custom sanitizers. |
-| Stored cross-site scripting                | Fewer false-positive results. | This rule now recognizes custom sanitizers. |
-| Unbound event handler receiver (`js/unbound-event-handler-receiver`) | Fewer false positive results | Additional ways that class methods can be bound are recognized. |
-| Uncontrolled data used in network request  | More results                 | This rule now recognizes host values that are vulnerable to injection. |
-| Unused parameter                           | Fewer false-positive results | This rule no longer flags parameters with leading underscore. |
-| Unused variable, import, function or class | Fewer false-positive results | This rule now flags fewer variables that are implictly used by JSX elements, no longer flags variables with leading underscore, and no longer flags variables in dead code. |
-| Uncontrolled data used in path expression | Fewer false-positive results | This rule now recognizes the Express `root` option, which prevents path traversal. |
-| Unneeded defensive code | More true-positive results, fewer false-positive results. | This rule now recognizes additional defensive code patterns. |
+| Ambiguous HTML id attribute                | Fewer false positive results | This query now treats templates more conservatively. Its precision has been revised to 'high'. |
+| Assignment to exports variable             | Fewer results                | This query no longer flags code that is also flagged by the query "Useless assignment to local variable". |
+| Client-side cross-site scripting           | More true positive and fewer false positive results. | This query now recognizes WinJS functions that are vulnerable to HTML injection. It no longer flags certain safe uses of jQuery, and recognizes custom sanitizers. |
+| Hard-coded credentials                     | Fewer false positive results | This query no longer flags the empty string as a hardcoded username. |
+| Insecure randomness | More results | This query now flags insecure uses of `crypto.pseudoRandomBytes`. |
+| Reflected cross-site scripting             | Fewer false positive results. | This query now recognizes custom sanitizers. |
+| Stored cross-site scripting                | Fewer false positive results. | This query now recognizes custom sanitizers. |
+| Unbound event handler receiver (`js/unbound-event-handler-receiver`) | Fewer false positive results | Additional ways that class methods can be bound are now recognized. |
+| Uncontrolled data used in network request  | More results                 | This query now recognizes host values that are vulnerable to injection. |
+| Uncontrolled data used in path expression | Fewer false positive results | This query now recognizes the Express `root` option, which prevents path traversal. |
+| Unneeded defensive code | More true positive and fewer false positive results | This query now recognizes additional defensive code patterns. |
+| Unsafe dynamic method access              | Fewer false positive results | This query no longer flags concatenated strings as unsafe method names. |
+| Unused parameter                           | Fewer false positive results | This query no longer flags parameters with leading underscore. |
+| Unused variable, import, function or class | Fewer false positive results | This query now flags fewer variables that are implictly used by JSX elements. It no longer flags variables with a leading underscore and variables in dead code. |
+| Unvalidated dynamic method call           | More true positive results | This query now flags concatenated strings as unvalidated method names in more cases. |
+| Useless assignment to property. | Fewer false positive results | This query now treats assignments with complex right-hand sides correctly. |
 | Useless conditional | Fewer results | Additional defensive coding patterns are now ignored. |
-| Useless assignment to property. | Fewer false-positive results | This rule now treats assignments with complex right-hand sides correctly. |
-| Unsafe dynamic method access              | Fewer false-positive results | This rule no longer flags concatenated strings as unsafe method names. |
-| Unvalidated dynamic method call           | More true-positive results | This rule now flags concatenated strings as unvalidated method names in more cases. |
-| Useless conditional | More true-positive results | This rule now flags additional uses of function call values. |
+| Useless conditional | More true positive results | This query now flags additional uses of function call values. |
 
 ## Changes to QL libraries
 

change-notes/1.20/analysis-python.md

@@ -11,6 +11,7 @@ Removes false positives seen when using Python 3.6, but not when using earlier v
 The API has been improved to declutter the global namespace and improve discoverability and readability.
  * New predicates `ModuleObject::named(name)` and `ModuleObject.attr(name)` have been added, allowing more readable access to common objects. For example, `(any ModuleObject m | m.getName() = "sys").getAttribute("exit")` can be replaced with `ModuleObject::named("sys").attr("exit")`
  * The API for accessing builtin functions has been improved. Predicates of the form `theXXXFunction()`, such as `theLenFunction()`, have been deprecated in favour of `Object::builtin(name)`.
+ * A configuration based API has been added for writing data flow and taint tracking queries. This is provided as a convenience for query authors who have written data flow or taint tracking queries for other languages, so they can use a similar format of query across multiple languages.
 
  ## New queries
 
@@ -30,6 +31,7 @@ The API has been improved to declutter the global namespace and improve discover
 | Comparison using is when operands support \_\_eq\_\_ (`py/comparison-using-is`) | Fewer false positive results | Results where one of the objects being compared is an enum member are no longer reported. |
 | Modification of parameter with default (`py/modification-of-default-value`) | More true positive results | Instances where the mutable default value is mutated inside other functions are now also reported. |
 | Mutation of descriptor in \_\_get\_\_ or \_\_set\_\_ method (`py/mutable-descriptor`) | Fewer false positive results | Results where the mutation does not occur when calling one of the  `__get__`, `__set__` or `__delete__` methods are no longer reported. |
+| Redundant comparison (`py/redundant-comparison`) | Fewer false positive results | Results in chained comparisons are no longer reported. |
 | Unused import (`py/unused-import`) | Fewer false positive results | Results where the imported module is used in a `doctest` string are no longer reported. |
 | Unused import (`py/unused-import`) | Fewer false positive results | Results where the imported module is used in a type-hint comment are no longer reported. |
 

change-notes/1.20/support/framework-support.rst

@@ -1,7 +1,7 @@
 Frameworks and libraries
 ########################
 
-The QL libraries and queries in this version have been explicitly checked against the libraries and frameworks listed below.
+The QL libraries and queries in version |version| have been explicitly checked against the libraries and frameworks listed below.
 
 .. pull-quote::
 

change-notes/1.20/support/java-frameworks.csv

@@ -3,8 +3,11 @@ Hibernate, Database
 iBatis / MyBatis, Database
 Java Persistence API (JPA), Database
 JDBC, Database
+Protobuf, Serialization
 Kryo deserialization, Serialization
 SnakeYaml, Serialization
 Spring JDBC, Database
 Spring MVC, Web application framework
+Struts, Web application framework
+Thrift, RPC framework
 XStream, Serialization

change-notes/1.20/support/language-support.rst

@@ -14,6 +14,6 @@ Note that where there are several versions or dialects of a language, the suppor
 .. container:: footnote-group
 
     .. [1] The best results are achieved with COBOL code that stays close to the ANSI 85 standard.  
-    .. [2] Java 11 refers to the language features used. Builds that execute on Java 6 or higher can be analyzed.
+    .. [2] Builds that execute on Java 6 to 11 can be analyzed. The analysis understands Java 11 language features.
     .. [3] JSX and Flow code, YAML, JSON, and HTML files may also be analyzed with JavaScript files. 
     .. [4] TypeScript analysis is performed by running the JavaScript extractor with TypeScript enabled. This is the default for LGTM.   

change-notes/1.20/support/versions-compilers.csv

@@ -8,7 +8,7 @@ C#,C# up to 7.2 together with .NET versions up to 4.7.1,"Microsoft Visual Studio
 
 .NET Core up to 2.1","``.sln``, ``.csproj``, ``.cs``, ``.cshtml``, ``.xaml``"
 COBOL,ANSI 85 or newer [1]_.,Not applicable,"``.cbl``, ``.CBL``, ``.cpy``, ``.CPY``, ``.copy``, ``.COPY``"
-Java,"Java 11 [2]_. or lower","javac (OpenJDK and Oracle JDK)
+Java,"Java 6 to 11 [2]_.","javac (OpenJDK and Oracle JDK)
 
 Eclipse compiler for Java (ECJ) batch compiler",``.java``
 JavaScript,ECMAScript 2018 or lower,Not applicable,"``.js``, ``.jsx``, ``.mjs``, ``.es``, ``.es6``, ``.htm``, ``.html``, ``.xhm``, ``.xhtml``, ``.vue``, ``.json`` [3]_."

cpp/ql/src/Likely Bugs/Memory Management/ReturnStackAllocatedMemory.ql

@@ -22,7 +22,24 @@ import semmle.code.cpp.dataflow.DataFlow
  */
 predicate conservativeDataFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
   DataFlow::localFlowStep(n1, n2) and
-  not n2.asExpr() instanceof FieldAccess
+  not n2.asExpr() instanceof FieldAccess and
+  not hasNontrivialConversion(n2.asExpr())
+}
+
+/**
+ * Holds if `e` has a conversion that changes it from lvalue to pointer or
+ * back. As the data-flow library does not support conversions, we cannot track
+ * data flow through such expressions.
+ */
+predicate hasNontrivialConversion(Expr e) {
+  e instanceof Conversion and not
+  (
+    e instanceof Cast
+    or
+    e instanceof ParenthesisExpr
+  )
+  or
+  hasNontrivialConversion(e.getConversion())
 }
 
 from LocalScopeVariable var, VariableAccess va, ReturnStmt r
@@ -39,9 +56,10 @@ where
     or
     // The data flow library doesn't support conversions, so here we check that
     // the address escapes into some expression `pointerToLocal`, which flows
-    // in a non-trivial way (one or more steps) to a returned expression.
+    // in a one or more steps to a returned expression.
     exists(Expr pointerToLocal |
       variableAddressEscapesTree(va, pointerToLocal.getFullyConverted()) and
+      not hasNontrivialConversion(pointerToLocal) and
       conservativeDataFlowStep+(
         DataFlow::exprNode(pointerToLocal),
         DataFlow::exprNode(r.getExpr())

cpp/ql/src/semmle/code/cpp/controlflow/IRGuards.qll

@@ -381,9 +381,7 @@ cached class IRGuardCondition extends Instruction {
 }
 
 private ConditionalBranchInstruction get_branch_for_condition(Instruction guard) {
-  exists(ConditionalBranchInstruction branch|
-    branch.getCondition() = guard
-  )
+  result.getCondition() = guard
   or
   exists(LogicalNotInstruction cond | result = get_branch_for_condition(cond) and cond.getUnary() = guard)
 }

cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnStackAllocatedMemory/ReturnStackAllocatedMemory.expected

@@ -5,3 +5,5 @@
 | test.cpp:92:2:92:12 | return ... | May return stack-allocated memory from $@. | test.cpp:89:10:89:11 | mc | mc |
 | test.cpp:112:2:112:12 | return ... | May return stack-allocated memory from $@. | test.cpp:112:9:112:11 | arr | arr |
 | test.cpp:119:2:119:19 | return ... | May return stack-allocated memory from $@. | test.cpp:119:11:119:13 | arr | arr |
+| test.cpp:149:3:149:22 | return ... | May return stack-allocated memory from $@. | test.cpp:149:11:149:21 | threadLocal | threadLocal |
+| test.cpp:171:3:171:24 | return ... | May return stack-allocated memory from $@. | test.cpp:170:35:170:41 | myLocal | myLocal |

cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnStackAllocatedMemory/test.cpp

@@ -143,3 +143,49 @@ char *testArray5()
 
 	return arr; // GOOD
 }
+
+int *returnThreadLocal() {
+  thread_local int threadLocal;
+  return &threadLocal; // GOOD [FALSE POSITIVE]
+}
+
+int returnDereferenced() {
+  int localInt = 2;
+  int &localRef = localInt;
+  return localRef; // GOOD
+}
+
+typedef unsigned long size_t;
+void *memcpy(void *s1, const void *s2, size_t n);
+
+char *returnAfterCopy() {
+  char localBuf[] = "Data";
+  static char staticBuf[sizeof(localBuf)];
+  memcpy(staticBuf, localBuf, sizeof(staticBuf));
+  return staticBuf; // GOOD
+}
+
+void *conversionBeforeDataFlow() {
+  int myLocal;
+  void *pointerToLocal = (void *)&myLocal; // has conversion
+  return pointerToLocal; // BAD
+}
+
+void *arrayConversionBeforeDataFlow() {
+  int localArray[4];
+  int *pointerToLocal = localArray; // has conversion
+  return pointerToLocal; // BAD [NOT DETECTED]
+}
+
+int &dataFlowThroughReference() {
+  int myLocal;
+  int &refToLocal = myLocal; // has conversion
+  return refToLocal; // BAD [NOT DETECTED]
+}
+
+int *&conversionInFlow() {
+  int myLocal;
+  int *p = &myLocal;
+  int *&pRef = p; // has conversion in the middle of data flow
+  return pRef; // BAD [NOT DETECTED]
+}

csharp/ql/src/semmle/code/csharp/security/dataflow/ConditionalBypass.qll

@@ -57,11 +57,18 @@ module UserControlledBypassOfSensitiveMethod {
     }
   }
 
+  pragma[noinline]
+  private predicate conditionControlsCall0(
+    SensitiveExecutionMethodCall call, Expr e, ControlFlow::SuccessorTypes::BooleanSuccessor s
+  ) {
+    forex(BasicBlock bb | bb = call.getAControlFlowNode().getBasicBlock() | e.controlsBlock(bb, s))
+  }
+
   private predicate conditionControlsCall(
     SensitiveExecutionMethodCall call, SensitiveExecutionMethod def, Expr e, boolean cond
   ) {
     exists(ControlFlow::SuccessorTypes::BooleanSuccessor s | cond = s.getValue() |
-      e.controlsElement(call, s)
+      conditionControlsCall0(call, e, s)
     ) and
     def = call.getTarget()
   }

docs/query-help-style-guide.md

@@ -2,7 +2,7 @@
 
 ## Introduction
 
-When you contribute a new query to Semmle/ql for inclusion in the standard queries, you should also write a query help file. This file provides detailed information about the purpose and use of the query, which is available to users in LGTM (for example [here](https://lgtm.com/rules/1506093386171/)) and on the query homepages:
+When you contribute a new query to Semmle/ql for inclusion in the standard queries, or add a custom query for analysis in LGTM, you should also write a query help file. This file provides detailed information about the purpose and use of the query, which is available to users in LGTM (for example [here](https://lgtm.com/rules/1506093386171/)) and on the query homepages:
 
 *   [C/C++ queries](https://help.semmle.com/wiki/display/CCPPOBJ/)
 *   [C# queries](https://help.semmle.com/wiki/display/CSHARP/)

javascript/extractor/src/com/semmle/jcorn/TokenType.java

@@ -183,7 +183,7 @@ public class TokenType {
       _class = new TokenType(kw("class")),
       _extends = new TokenType(kw("extends").beforeExpr()),
       _export = new TokenType(kw("export")),
-      _import = new TokenType(kw("import")),
+      _import = new TokenType(kw("import").startsExpr()),
       _null = new TokenType(kw("null").startsExpr()),
       _true = new TokenType(kw("true").startsExpr()),
       _false = new TokenType(kw("false").startsExpr()),

javascript/extractor/src/com/semmle/js/extractor/Main.java

@@ -37,7 +37,7 @@ public class Main {
    * A version identifier that should be updated every time the extractor changes in such a way that
    * it may produce different tuples for the same file under the same {@link ExtractorConfig}.
    */
-  public static final String EXTRACTOR_VERSION = "2019-03-11";
+  public static final String EXTRACTOR_VERSION = "2019-03-13";
 
   public static final Pattern NEWLINE = Pattern.compile("\n");
 

javascript/extractor/tests/esnext/input/yield-import.js

@@ -0,0 +1,3 @@
+function* f() {
+  yield import("foo")
+}

javascript/extractor/tests/esnext/output/trap/yield-import.js.trap

@@ -0,0 +1,177 @@
+#10000=@"/yield-import.js;sourcefile"
+files(#10000,"/yield-import.js","yield-import","js",0)
+#10001=@"/;folder"
+folders(#10001,"/","")
+containerparent(#10001,#10000)
+#10002=@"loc,{#10000},0,0,0,0"
+locations_default(#10002,#10000,0,0,0,0)
+hasLocation(#10000,#10002)
+#20000=@"global_scope"
+scopes(#20000,0)
+#20001=@"script;{#10000},1,1"
+#20002=*
+lines(#20002,#20001,"function* f() {","
+")
+#20003=@"loc,{#10000},1,1,1,15"
+locations_default(#20003,#10000,1,1,1,15)
+hasLocation(#20002,#20003)
+#20004=*
+lines(#20004,#20001,"  yield import(""foo"")","
+")
+#20005=@"loc,{#10000},2,1,2,21"
+locations_default(#20005,#10000,2,1,2,21)
+hasLocation(#20004,#20005)
+indentation(#10000,2," ",2)
+#20006=*
+lines(#20006,#20001,"}","
+")
+#20007=@"loc,{#10000},3,1,3,1"
+locations_default(#20007,#10000,3,1,3,1)
+hasLocation(#20006,#20007)
+numlines(#20001,3,3,0)
+#20008=*
+tokeninfo(#20008,7,#20001,0,"function")
+#20009=@"loc,{#10000},1,1,1,8"
+locations_default(#20009,#10000,1,1,1,8)
+hasLocation(#20008,#20009)
+#20010=*
+tokeninfo(#20010,8,#20001,1,"*")
+#20011=@"loc,{#10000},1,9,1,9"
+locations_default(#20011,#10000,1,9,1,9)
+hasLocation(#20010,#20011)
+#20012=*
+tokeninfo(#20012,6,#20001,2,"f")
+#20013=@"loc,{#10000},1,11,1,11"
+locations_default(#20013,#10000,1,11,1,11)
+hasLocation(#20012,#20013)
+#20014=*
+tokeninfo(#20014,8,#20001,3,"(")
+#20015=@"loc,{#10000},1,12,1,12"
+locations_default(#20015,#10000,1,12,1,12)
+hasLocation(#20014,#20015)
+#20016=*
+tokeninfo(#20016,8,#20001,4,")")
+#20017=@"loc,{#10000},1,13,1,13"
+locations_default(#20017,#10000,1,13,1,13)
+hasLocation(#20016,#20017)
+#20018=*
+tokeninfo(#20018,8,#20001,5,"{")
+#20019=@"loc,{#10000},1,15,1,15"
+locations_default(#20019,#10000,1,15,1,15)
+hasLocation(#20018,#20019)
+#20020=*
+tokeninfo(#20020,7,#20001,6,"yield")
+#20021=@"loc,{#10000},2,3,2,7"
+locations_default(#20021,#10000,2,3,2,7)
+hasLocation(#20020,#20021)
+#20022=*
+tokeninfo(#20022,7,#20001,7,"import")
+#20023=@"loc,{#10000},2,9,2,14"
+locations_default(#20023,#10000,2,9,2,14)
+hasLocation(#20022,#20023)
+#20024=*
+tokeninfo(#20024,8,#20001,8,"(")
+#20025=@"loc,{#10000},2,15,2,15"
+locations_default(#20025,#10000,2,15,2,15)
+hasLocation(#20024,#20025)
+#20026=*
+tokeninfo(#20026,4,#20001,9,"""foo""")
+#20027=@"loc,{#10000},2,16,2,20"
+locations_default(#20027,#10000,2,16,2,20)
+hasLocation(#20026,#20027)
+#20028=*
+tokeninfo(#20028,8,#20001,10,")")
+#20029=@"loc,{#10000},2,21,2,21"
+locations_default(#20029,#10000,2,21,2,21)
+hasLocation(#20028,#20029)
+#20030=*
+tokeninfo(#20030,8,#20001,11,"}")
+hasLocation(#20030,#20007)
+#20031=*
+tokeninfo(#20031,0,#20001,12,"")
+#20032=@"loc,{#10000},4,1,4,0"
+locations_default(#20032,#10000,4,1,4,0)
+hasLocation(#20031,#20032)
+toplevels(#20001,0)
+#20033=@"loc,{#10000},1,1,4,0"
+locations_default(#20033,#10000,1,1,4,0)
+hasLocation(#20001,#20033)
+#20034=@"var;{f};{#20000}"
+variables(#20034,"f",#20000)
+#20035=*
+stmts(#20035,17,#20001,0,"functio ... foo"")\n}")
+#20036=@"loc,{#10000},1,1,3,1"
+locations_default(#20036,#10000,1,1,3,1)
+hasLocation(#20035,#20036)
+stmtContainers(#20035,#20001)
+#20037=*
+exprs(#20037,78,#20035,-1,"f")
+hasLocation(#20037,#20013)
+exprContainers(#20037,#20035)
+literals("f","f",#20037)
+decl(#20037,#20034)
+#20038=*
+scopes(#20038,1)
+scopenodes(#20035,#20038)
+scopenesting(#20038,#20000)
+#20039=@"var;{arguments};{#20038}"
+variables(#20039,"arguments",#20038)
+isArgumentsObject(#20039)
+isGenerator(#20035)
+#20040=*
+stmts(#20040,1,#20035,-2,"{\n  yie ... foo"")\n}")
+#20041=@"loc,{#10000},1,15,3,1"
+locations_default(#20041,#10000,1,15,3,1)
+hasLocation(#20040,#20041)
+stmtContainers(#20040,#20035)
+#20042=*
+stmts(#20042,2,#20040,0,"yield import(""foo"")")
+#20043=@"loc,{#10000},2,3,2,21"
+locations_default(#20043,#10000,2,3,2,21)
+hasLocation(#20042,#20043)
+stmtContainers(#20042,#20035)
+#20044=*
+exprs(#20044,69,#20042,0,"yield import(""foo"")")
+hasLocation(#20044,#20043)
+enclosingStmt(#20044,#20042)
+exprContainers(#20044,#20035)
+#20045=*
+exprs(#20045,99,#20044,0,"import(""foo"")")
+#20046=@"loc,{#10000},2,9,2,21"
+locations_default(#20046,#10000,2,9,2,21)
+hasLocation(#20045,#20046)
+enclosingStmt(#20045,#20042)
+exprContainers(#20045,#20035)
+#20047=*
+exprs(#20047,4,#20045,0,"""foo""")
+hasLocation(#20047,#20027)
+enclosingStmt(#20047,#20042)
+exprContainers(#20047,#20035)
+literals("foo","""foo""",#20047)
+#20048=*
+entry_cfg_node(#20048,#20001)
+#20049=@"loc,{#10000},1,1,1,0"
+locations_default(#20049,#10000,1,1,1,0)
+hasLocation(#20048,#20049)
+#20050=*
+exit_cfg_node(#20050,#20001)
+hasLocation(#20050,#20032)
+successor(#20035,#20050)
+#20051=*
+entry_cfg_node(#20051,#20035)
+hasLocation(#20051,#20049)
+#20052=*
+exit_cfg_node(#20052,#20035)
+#20053=@"loc,{#10000},3,2,3,1"
+locations_default(#20053,#10000,3,2,3,1)
+hasLocation(#20052,#20053)
+successor(#20040,#20042)
+successor(#20042,#20047)
+successor(#20047,#20045)
+successor(#20045,#20044)
+successor(#20044,#20052)
+successor(#20051,#20040)
+successor(#20037,#20035)
+successor(#20048,#20037)
+numlines(#10000,3,3,0)
+filetype(#10000,"javascript")

javascript/ql/src/Security/CWE-022/ZipSlip.ql

@@ -6,7 +6,7 @@
  * @kind path-problem
  * @id js/zipslip
  * @problem.severity error
- * @precision medium
+ * @precision high
  * @tags security
  *       external/cwe/cwe-022
  */

javascript/ql/src/Security/Summaries/AllConfigurations.qll

@@ -1,34 +1,25 @@
 /**
- * Imports the standard library and all taint-tracking configuration classes from the security queries.
+ * Imports the standard library and a selection of taint-tracking configuration classes
+ * from the security queries.
+ *
+ * To enable flow summarization for other queries, import their configuration classes here.
  */
 
 import javascript
-import semmle.javascript.security.dataflow.BrokenCryptoAlgorithm
-import semmle.javascript.security.dataflow.CleartextLogging
-import semmle.javascript.security.dataflow.CleartextStorage
 import semmle.javascript.security.dataflow.ClientSideUrlRedirect
 import semmle.javascript.security.dataflow.CodeInjection
 import semmle.javascript.security.dataflow.CommandInjection
-import semmle.javascript.security.dataflow.ConditionalBypass
-import semmle.javascript.security.dataflow.CorsMisconfigurationForCredentials
-import semmle.javascript.security.dataflow.DifferentKindsComparisonBypass
 import semmle.javascript.security.dataflow.DomBasedXss as DomBasedXss
-import semmle.javascript.security.dataflow.FileAccessToHttp
-import semmle.javascript.security.dataflow.HardcodedCredentials
-import semmle.javascript.security.dataflow.InsecureRandomness
-import semmle.javascript.security.dataflow.InsufficientPasswordHash
 import semmle.javascript.security.dataflow.NosqlInjection
 import semmle.javascript.security.dataflow.ReflectedXss as ReflectedXss
 import semmle.javascript.security.dataflow.RegExpInjection
 import semmle.javascript.security.dataflow.RemotePropertyInjection
-import semmle.javascript.security.dataflow.RequestForgery
 import semmle.javascript.security.dataflow.ServerSideUrlRedirect
 import semmle.javascript.security.dataflow.SqlInjection
 import semmle.javascript.security.dataflow.StackTraceExposure
 import semmle.javascript.security.dataflow.StoredXss as StoredXss
 import semmle.javascript.security.dataflow.TaintedFormatString
 import semmle.javascript.security.dataflow.TaintedPath
-import semmle.javascript.security.dataflow.TypeConfusionThroughParameterTampering
 import semmle.javascript.security.dataflow.UnsafeDeserialization
 import semmle.javascript.security.dataflow.XmlBomb
 import semmle.javascript.security.dataflow.XpathInjection

javascript/ql/src/semmle/javascript/dataflow/Configuration.qll

@@ -570,10 +570,24 @@ private predicate reachableFromInput(
   callInputStep(f, invk, input, nd, cfg) and
   summary = PathSummary::level()
   or
-  exists(DataFlow::Node mid, PathSummary oldSummary, PathSummary newSummary |
+  exists(DataFlow::Node mid, PathSummary oldSummary |
     reachableFromInput(f, invk, input, mid, cfg, oldSummary) and
-    flowStep(mid, cfg, nd, newSummary) and
-    summary = oldSummary.append(newSummary)
+    appendStep(mid, cfg, oldSummary, nd, summary)
+  )
+}
+
+/**
+ * Holds if there is a step from `pred` to `succ` under `cfg` that can be appended
+ * to a path represented by `oldSummary` yielding a path represented by `newSummary`.
+ */
+pragma[noinline]
+private predicate appendStep(
+  DataFlow::Node pred, DataFlow::Configuration cfg, PathSummary oldSummary, DataFlow::Node succ,
+  PathSummary newSummary
+) {
+  exists(PathSummary stepSummary |
+    flowStep(pred, cfg, succ, stepSummary) and
+    newSummary = oldSummary.append(stepSummary)
   )
 }
 

javascript/ql/src/semmle/javascript/dataflow/TypeTracking.qll

@@ -216,7 +216,7 @@ private newtype TTypeBackTracker = MkTypeBackTracker(boolean hasReturn) {
  *   t.start() and
  *   result = (< some API call >).getArgument(< n >).getALocalSource()
  *   or
- *   exists (DataFlow::TypeTracker t2 |
+ *   exists (DataFlow::TypeBackTracker t2 |
  *     result = myCallback(t2).backtrack(t2, t)
  *   )
  * }

javascript/ql/src/semmle/javascript/frameworks/Electron.qll

@@ -16,7 +16,7 @@ module Electron {
   /**
    * An instantiation of `BrowserWindow` or `BrowserView`.
    */
-  abstract private class NewBrowserObject extends BrowserObject, DataFlow::TrackedNode {
+  abstract private class NewBrowserObject extends BrowserObject, DataFlow::SourceNode {
     DataFlow::NewNode self;
 
     NewBrowserObject() { this = self }
@@ -250,10 +250,10 @@ module Electron {
     /**
      * An additional flow step  via an Electron IPC message.
      */
-    private class IPCAdditionalFlowStep extends DataFlow::Configuration {
-      IPCAdditionalFlowStep() { this instanceof DataFlow::Configuration }
+    private class IPCAdditionalFlowStep extends DataFlow::AdditionalFlowStep {
+      IPCAdditionalFlowStep() { ipcFlowStep(this, _) }
 
-      override predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
+      override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
         ipcFlowStep(pred, succ)
       }
     }

javascript/ql/test/library-tests/frameworks/Electron/BrowserObject.expected

@@ -4,11 +4,7 @@
 | electron.js:3:10:3:48 | new Bro ... s: {}}) |
 | electron.js:4:5:4:46 | bv |
 | electron.js:4:10:4:46 | new Bro ... s: {}}) |
-| electron.js:35:14:35:14 | x |
-| electron.js:36:12:36:12 | x |
-| electron.js:39:1:39:7 | foo(bw) |
 | electron.js:39:5:39:6 | bw |
-| electron.js:40:1:40:7 | foo(bv) |
 | electron.js:40:5:40:6 | bv |
 | electron.ts:3:12:3:13 | bw |
 | electron.ts:3:40:3:41 | bv |

javascript/ql/test/library-tests/frameworks/Electron/IpcFlow.ql

@@ -1,9 +1,5 @@
 import javascript
 
-class TestConfig extends DataFlow::Configuration {
-  TestConfig() { this = "TestConfig" }
-}
-
-from TestConfig cfg, DataFlow::Node pred, DataFlow::Node succ
-where cfg.isAdditionalFlowStep(pred, succ)
+from DataFlow::AdditionalFlowStep afs, DataFlow::Node pred, DataFlow::Node succ
+where afs.step(pred, succ)
 select pred, succ

javascript/ql/test/library-tests/frameworks/Electron/WebContents.expected

@@ -1,4 +1,2 @@
-| electron.js:39:1:39:19 | foo(bw).webContents |
-| electron.js:40:1:40:19 | foo(bv).webContents |
 | electron.ts:4:3:4:16 | bw.webContents |
 | electron.ts:5:3:5:16 | bv.webContents |

javascript/ql/test/query-tests/Security/Summaries/ExtractFlowStepSummaries.expected

@@ -1,20 +1,11 @@
-| (parameter 0 (member h (root https://www.npmjs.com/package/infer-sources))) | data | (return (member h (root https://www.npmjs.com/package/infer-sources))) | data | BrokenCryptoAlgorithm |
-| (parameter 0 (member h (root https://www.npmjs.com/package/infer-sources))) | data | (return (member h (root https://www.npmjs.com/package/infer-sources))) | data | ClearTextStorage |
 | (parameter 0 (member h (root https://www.npmjs.com/package/infer-sources))) | data | (return (member h (root https://www.npmjs.com/package/infer-sources))) | data | ClientSideUrlRedirect |
 | (parameter 0 (member h (root https://www.npmjs.com/package/infer-sources))) | data | (return (member h (root https://www.npmjs.com/package/infer-sources))) | data | CodeInjection |
 | (parameter 0 (member h (root https://www.npmjs.com/package/infer-sources))) | data | (return (member h (root https://www.npmjs.com/package/infer-sources))) | data | CommandInjection |
-| (parameter 0 (member h (root https://www.npmjs.com/package/infer-sources))) | data | (return (member h (root https://www.npmjs.com/package/infer-sources))) | data | ConditionalBypass |
-| (parameter 0 (member h (root https://www.npmjs.com/package/infer-sources))) | data | (return (member h (root https://www.npmjs.com/package/infer-sources))) | data | CorsMisconfigurationForCredentials |
-| (parameter 0 (member h (root https://www.npmjs.com/package/infer-sources))) | data | (return (member h (root https://www.npmjs.com/package/infer-sources))) | data | DifferentKindsComparisonBypass |
 | (parameter 0 (member h (root https://www.npmjs.com/package/infer-sources))) | data | (return (member h (root https://www.npmjs.com/package/infer-sources))) | data | DomBasedXss |
-| (parameter 0 (member h (root https://www.npmjs.com/package/infer-sources))) | data | (return (member h (root https://www.npmjs.com/package/infer-sources))) | data | FileAccessToHttp |
-| (parameter 0 (member h (root https://www.npmjs.com/package/infer-sources))) | data | (return (member h (root https://www.npmjs.com/package/infer-sources))) | data | InsecureRandomness |
-| (parameter 0 (member h (root https://www.npmjs.com/package/infer-sources))) | data | (return (member h (root https://www.npmjs.com/package/infer-sources))) | data | InsufficientPasswordHash |
 | (parameter 0 (member h (root https://www.npmjs.com/package/infer-sources))) | data | (return (member h (root https://www.npmjs.com/package/infer-sources))) | data | NosqlInjection |
 | (parameter 0 (member h (root https://www.npmjs.com/package/infer-sources))) | data | (return (member h (root https://www.npmjs.com/package/infer-sources))) | data | ReflectedXss |
 | (parameter 0 (member h (root https://www.npmjs.com/package/infer-sources))) | data | (return (member h (root https://www.npmjs.com/package/infer-sources))) | data | RegExpInjection |
 | (parameter 0 (member h (root https://www.npmjs.com/package/infer-sources))) | data | (return (member h (root https://www.npmjs.com/package/infer-sources))) | data | RemotePropertyInjection |
-| (parameter 0 (member h (root https://www.npmjs.com/package/infer-sources))) | data | (return (member h (root https://www.npmjs.com/package/infer-sources))) | data | RequestForgery |
 | (parameter 0 (member h (root https://www.npmjs.com/package/infer-sources))) | data | (return (member h (root https://www.npmjs.com/package/infer-sources))) | data | ServerSideUrlRedirect |
 | (parameter 0 (member h (root https://www.npmjs.com/package/infer-sources))) | data | (return (member h (root https://www.npmjs.com/package/infer-sources))) | data | SqlInjection |
 | (parameter 0 (member h (root https://www.npmjs.com/package/infer-sources))) | data | (return (member h (root https://www.npmjs.com/package/infer-sources))) | data | StackTraceExposure |
@@ -25,23 +16,14 @@
 | (parameter 0 (member h (root https://www.npmjs.com/package/infer-sources))) | data | (return (member h (root https://www.npmjs.com/package/infer-sources))) | data | XmlBomb |
 | (parameter 0 (member h (root https://www.npmjs.com/package/infer-sources))) | data | (return (member h (root https://www.npmjs.com/package/infer-sources))) | data | XpathInjection |
 | (parameter 0 (member h (root https://www.npmjs.com/package/infer-sources))) | data | (return (member h (root https://www.npmjs.com/package/infer-sources))) | data | Xxe |
-| (parameter 0 (member h (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member h (root https://www.npmjs.com/package/infer-sources))) | taint | BrokenCryptoAlgorithm |
-| (parameter 0 (member h (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member h (root https://www.npmjs.com/package/infer-sources))) | taint | ClearTextStorage |
 | (parameter 0 (member h (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member h (root https://www.npmjs.com/package/infer-sources))) | taint | ClientSideUrlRedirect |
 | (parameter 0 (member h (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member h (root https://www.npmjs.com/package/infer-sources))) | taint | CodeInjection |
 | (parameter 0 (member h (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member h (root https://www.npmjs.com/package/infer-sources))) | taint | CommandInjection |
-| (parameter 0 (member h (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member h (root https://www.npmjs.com/package/infer-sources))) | taint | ConditionalBypass |
-| (parameter 0 (member h (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member h (root https://www.npmjs.com/package/infer-sources))) | taint | CorsMisconfigurationForCredentials |
-| (parameter 0 (member h (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member h (root https://www.npmjs.com/package/infer-sources))) | taint | DifferentKindsComparisonBypass |
 | (parameter 0 (member h (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member h (root https://www.npmjs.com/package/infer-sources))) | taint | DomBasedXss |
-| (parameter 0 (member h (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member h (root https://www.npmjs.com/package/infer-sources))) | taint | FileAccessToHttp |
-| (parameter 0 (member h (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member h (root https://www.npmjs.com/package/infer-sources))) | taint | InsecureRandomness |
-| (parameter 0 (member h (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member h (root https://www.npmjs.com/package/infer-sources))) | taint | InsufficientPasswordHash |
 | (parameter 0 (member h (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member h (root https://www.npmjs.com/package/infer-sources))) | taint | NosqlInjection |
 | (parameter 0 (member h (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member h (root https://www.npmjs.com/package/infer-sources))) | taint | ReflectedXss |
 | (parameter 0 (member h (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member h (root https://www.npmjs.com/package/infer-sources))) | taint | RegExpInjection |
 | (parameter 0 (member h (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member h (root https://www.npmjs.com/package/infer-sources))) | taint | RemotePropertyInjection |
-| (parameter 0 (member h (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member h (root https://www.npmjs.com/package/infer-sources))) | taint | RequestForgery |
 | (parameter 0 (member h (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member h (root https://www.npmjs.com/package/infer-sources))) | taint | ServerSideUrlRedirect |
 | (parameter 0 (member h (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member h (root https://www.npmjs.com/package/infer-sources))) | taint | SqlInjection |
 | (parameter 0 (member h (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member h (root https://www.npmjs.com/package/infer-sources))) | taint | StackTraceExposure |
@@ -52,23 +34,14 @@
 | (parameter 0 (member h (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member h (root https://www.npmjs.com/package/infer-sources))) | taint | XmlBomb |
 | (parameter 0 (member h (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member h (root https://www.npmjs.com/package/infer-sources))) | taint | XpathInjection |
 | (parameter 0 (member h (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member h (root https://www.npmjs.com/package/infer-sources))) | taint | Xxe |
-| (parameter 0 (member notASink (root https://www.npmjs.com/package/infer-sources))) | data | (return (member notASink (root https://www.npmjs.com/package/infer-sources))) | data | BrokenCryptoAlgorithm |
-| (parameter 0 (member notASink (root https://www.npmjs.com/package/infer-sources))) | data | (return (member notASink (root https://www.npmjs.com/package/infer-sources))) | data | ClearTextStorage |
 | (parameter 0 (member notASink (root https://www.npmjs.com/package/infer-sources))) | data | (return (member notASink (root https://www.npmjs.com/package/infer-sources))) | data | ClientSideUrlRedirect |
 | (parameter 0 (member notASink (root https://www.npmjs.com/package/infer-sources))) | data | (return (member notASink (root https://www.npmjs.com/package/infer-sources))) | data | CodeInjection |
 | (parameter 0 (member notASink (root https://www.npmjs.com/package/infer-sources))) | data | (return (member notASink (root https://www.npmjs.com/package/infer-sources))) | data | CommandInjection |
-| (parameter 0 (member notASink (root https://www.npmjs.com/package/infer-sources))) | data | (return (member notASink (root https://www.npmjs.com/package/infer-sources))) | data | ConditionalBypass |
-| (parameter 0 (member notASink (root https://www.npmjs.com/package/infer-sources))) | data | (return (member notASink (root https://www.npmjs.com/package/infer-sources))) | data | CorsMisconfigurationForCredentials |
-| (parameter 0 (member notASink (root https://www.npmjs.com/package/infer-sources))) | data | (return (member notASink (root https://www.npmjs.com/package/infer-sources))) | data | DifferentKindsComparisonBypass |
 | (parameter 0 (member notASink (root https://www.npmjs.com/package/infer-sources))) | data | (return (member notASink (root https://www.npmjs.com/package/infer-sources))) | data | DomBasedXss |
-| (parameter 0 (member notASink (root https://www.npmjs.com/package/infer-sources))) | data | (return (member notASink (root https://www.npmjs.com/package/infer-sources))) | data | FileAccessToHttp |
-| (parameter 0 (member notASink (root https://www.npmjs.com/package/infer-sources))) | data | (return (member notASink (root https://www.npmjs.com/package/infer-sources))) | data | InsecureRandomness |
-| (parameter 0 (member notASink (root https://www.npmjs.com/package/infer-sources))) | data | (return (member notASink (root https://www.npmjs.com/package/infer-sources))) | data | InsufficientPasswordHash |
 | (parameter 0 (member notASink (root https://www.npmjs.com/package/infer-sources))) | data | (return (member notASink (root https://www.npmjs.com/package/infer-sources))) | data | NosqlInjection |
 | (parameter 0 (member notASink (root https://www.npmjs.com/package/infer-sources))) | data | (return (member notASink (root https://www.npmjs.com/package/infer-sources))) | data | ReflectedXss |
 | (parameter 0 (member notASink (root https://www.npmjs.com/package/infer-sources))) | data | (return (member notASink (root https://www.npmjs.com/package/infer-sources))) | data | RegExpInjection |
 | (parameter 0 (member notASink (root https://www.npmjs.com/package/infer-sources))) | data | (return (member notASink (root https://www.npmjs.com/package/infer-sources))) | data | RemotePropertyInjection |
-| (parameter 0 (member notASink (root https://www.npmjs.com/package/infer-sources))) | data | (return (member notASink (root https://www.npmjs.com/package/infer-sources))) | data | RequestForgery |
 | (parameter 0 (member notASink (root https://www.npmjs.com/package/infer-sources))) | data | (return (member notASink (root https://www.npmjs.com/package/infer-sources))) | data | ServerSideUrlRedirect |
 | (parameter 0 (member notASink (root https://www.npmjs.com/package/infer-sources))) | data | (return (member notASink (root https://www.npmjs.com/package/infer-sources))) | data | SqlInjection |
 | (parameter 0 (member notASink (root https://www.npmjs.com/package/infer-sources))) | data | (return (member notASink (root https://www.npmjs.com/package/infer-sources))) | data | StackTraceExposure |
@@ -79,23 +52,14 @@
 | (parameter 0 (member notASink (root https://www.npmjs.com/package/infer-sources))) | data | (return (member notASink (root https://www.npmjs.com/package/infer-sources))) | data | XmlBomb |
 | (parameter 0 (member notASink (root https://www.npmjs.com/package/infer-sources))) | data | (return (member notASink (root https://www.npmjs.com/package/infer-sources))) | data | XpathInjection |
 | (parameter 0 (member notASink (root https://www.npmjs.com/package/infer-sources))) | data | (return (member notASink (root https://www.npmjs.com/package/infer-sources))) | data | Xxe |
-| (parameter 0 (member notASink (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member notASink (root https://www.npmjs.com/package/infer-sources))) | taint | BrokenCryptoAlgorithm |
-| (parameter 0 (member notASink (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member notASink (root https://www.npmjs.com/package/infer-sources))) | taint | ClearTextStorage |
 | (parameter 0 (member notASink (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member notASink (root https://www.npmjs.com/package/infer-sources))) | taint | ClientSideUrlRedirect |
 | (parameter 0 (member notASink (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member notASink (root https://www.npmjs.com/package/infer-sources))) | taint | CodeInjection |
 | (parameter 0 (member notASink (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member notASink (root https://www.npmjs.com/package/infer-sources))) | taint | CommandInjection |
-| (parameter 0 (member notASink (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member notASink (root https://www.npmjs.com/package/infer-sources))) | taint | ConditionalBypass |
-| (parameter 0 (member notASink (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member notASink (root https://www.npmjs.com/package/infer-sources))) | taint | CorsMisconfigurationForCredentials |
-| (parameter 0 (member notASink (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member notASink (root https://www.npmjs.com/package/infer-sources))) | taint | DifferentKindsComparisonBypass |
 | (parameter 0 (member notASink (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member notASink (root https://www.npmjs.com/package/infer-sources))) | taint | DomBasedXss |
-| (parameter 0 (member notASink (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member notASink (root https://www.npmjs.com/package/infer-sources))) | taint | FileAccessToHttp |
-| (parameter 0 (member notASink (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member notASink (root https://www.npmjs.com/package/infer-sources))) | taint | InsecureRandomness |
-| (parameter 0 (member notASink (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member notASink (root https://www.npmjs.com/package/infer-sources))) | taint | InsufficientPasswordHash |
 | (parameter 0 (member notASink (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member notASink (root https://www.npmjs.com/package/infer-sources))) | taint | NosqlInjection |
 | (parameter 0 (member notASink (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member notASink (root https://www.npmjs.com/package/infer-sources))) | taint | ReflectedXss |
 | (parameter 0 (member notASink (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member notASink (root https://www.npmjs.com/package/infer-sources))) | taint | RegExpInjection |
 | (parameter 0 (member notASink (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member notASink (root https://www.npmjs.com/package/infer-sources))) | taint | RemotePropertyInjection |
-| (parameter 0 (member notASink (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member notASink (root https://www.npmjs.com/package/infer-sources))) | taint | RequestForgery |
 | (parameter 0 (member notASink (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member notASink (root https://www.npmjs.com/package/infer-sources))) | taint | ServerSideUrlRedirect |
 | (parameter 0 (member notASink (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member notASink (root https://www.npmjs.com/package/infer-sources))) | taint | SqlInjection |
 | (parameter 0 (member notASink (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member notASink (root https://www.npmjs.com/package/infer-sources))) | taint | StackTraceExposure |
@@ -106,23 +70,14 @@
 | (parameter 0 (member notASink (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member notASink (root https://www.npmjs.com/package/infer-sources))) | taint | XmlBomb |
 | (parameter 0 (member notASink (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member notASink (root https://www.npmjs.com/package/infer-sources))) | taint | XpathInjection |
 | (parameter 0 (member notASink (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member notASink (root https://www.npmjs.com/package/infer-sources))) | taint | Xxe |
-| (parameter 0 (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | data | (return (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | data | BrokenCryptoAlgorithm |
-| (parameter 0 (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | data | (return (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | data | ClearTextStorage |
 | (parameter 0 (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | data | (return (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | data | ClientSideUrlRedirect |
 | (parameter 0 (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | data | (return (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | data | CodeInjection |
 | (parameter 0 (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | data | (return (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | data | CommandInjection |
-| (parameter 0 (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | data | (return (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | data | ConditionalBypass |
-| (parameter 0 (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | data | (return (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | data | CorsMisconfigurationForCredentials |
-| (parameter 0 (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | data | (return (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | data | DifferentKindsComparisonBypass |
 | (parameter 0 (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | data | (return (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | data | DomBasedXss |
-| (parameter 0 (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | data | (return (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | data | FileAccessToHttp |
-| (parameter 0 (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | data | (return (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | data | InsecureRandomness |
-| (parameter 0 (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | data | (return (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | data | InsufficientPasswordHash |
 | (parameter 0 (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | data | (return (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | data | NosqlInjection |
 | (parameter 0 (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | data | (return (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | data | ReflectedXss |
 | (parameter 0 (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | data | (return (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | data | RegExpInjection |
 | (parameter 0 (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | data | (return (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | data | RemotePropertyInjection |
-| (parameter 0 (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | data | (return (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | data | RequestForgery |
 | (parameter 0 (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | data | (return (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | data | ServerSideUrlRedirect |
 | (parameter 0 (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | data | (return (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | data | SqlInjection |
 | (parameter 0 (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | data | (return (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | data | StackTraceExposure |
@@ -133,23 +88,14 @@
 | (parameter 0 (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | data | (return (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | data | XmlBomb |
 | (parameter 0 (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | data | (return (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | data | XpathInjection |
 | (parameter 0 (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | data | (return (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | data | Xxe |
-| (parameter 0 (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | taint | BrokenCryptoAlgorithm |
-| (parameter 0 (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | taint | ClearTextStorage |
 | (parameter 0 (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | taint | ClientSideUrlRedirect |
 | (parameter 0 (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | taint | CodeInjection |
 | (parameter 0 (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | taint | CommandInjection |
-| (parameter 0 (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | taint | ConditionalBypass |
-| (parameter 0 (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | taint | CorsMisconfigurationForCredentials |
-| (parameter 0 (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | taint | DifferentKindsComparisonBypass |
 | (parameter 0 (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | taint | DomBasedXss |
-| (parameter 0 (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | taint | FileAccessToHttp |
-| (parameter 0 (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | taint | InsecureRandomness |
-| (parameter 0 (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | taint | InsufficientPasswordHash |
 | (parameter 0 (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | taint | NosqlInjection |
 | (parameter 0 (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | taint | ReflectedXss |
 | (parameter 0 (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | taint | RegExpInjection |
 | (parameter 0 (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | taint | RemotePropertyInjection |
-| (parameter 0 (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | taint | RequestForgery |
 | (parameter 0 (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | taint | ServerSideUrlRedirect |
 | (parameter 0 (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | taint | SqlInjection |
 | (parameter 0 (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | taint | (return (member notATaintedSource (root https://www.npmjs.com/package/infer-sources))) | taint | StackTraceExposure |

javascript/ql/test/query-tests/Security/Summaries/ExtractSinkSummaries.expected

@@ -5,9 +5,7 @@
 | (parameter 0 (member commandInjection (root https://www.npmjs.com/package/infer-sources))) | data | CommandInjection |
 | (parameter 0 (member commandInjection (root https://www.npmjs.com/package/infer-sources))) | taint | CommandInjection |
 | (parameter 0 (member hashPass (root https://www.npmjs.com/package/infer-sources))) | data | CodeInjection |
-| (parameter 0 (member hashPass (root https://www.npmjs.com/package/infer-sources))) | data | InsufficientPasswordHash |
 | (parameter 0 (member hashPass (root https://www.npmjs.com/package/infer-sources))) | taint | CodeInjection |
-| (parameter 0 (member hashPass (root https://www.npmjs.com/package/infer-sources))) | taint | InsufficientPasswordHash |
 | (parameter 0 (member mkdirp (root https://www.npmjs.com/package/infer-sources))) | taint | TaintedPath |
 | (parameter 0 (member multiple (root https://www.npmjs.com/package/infer-sources))) | data | CodeInjection |
 | (parameter 0 (member multiple (root https://www.npmjs.com/package/infer-sources))) | data | CommandInjection |
@@ -15,10 +13,8 @@
 | (parameter 0 (member multiple (root https://www.npmjs.com/package/infer-sources))) | taint | CommandInjection |
 | (parameter 0 (member redirect (root https://www.npmjs.com/package/infer-sources))) | data | ServerSideUrlRedirect |
 | (parameter 0 (member redirect (root https://www.npmjs.com/package/infer-sources))) | taint | ServerSideUrlRedirect |
-| (parameter 0 (member reflected (root https://www.npmjs.com/package/infer-sources))) | data | InsecureRandomness |
 | (parameter 0 (member reflected (root https://www.npmjs.com/package/infer-sources))) | data | ReflectedXss |
 | (parameter 0 (member reflected (root https://www.npmjs.com/package/infer-sources))) | data | StoredXss |
-| (parameter 0 (member reflected (root https://www.npmjs.com/package/infer-sources))) | taint | InsecureRandomness |
 | (parameter 0 (member reflected (root https://www.npmjs.com/package/infer-sources))) | taint | ReflectedXss |
 | (parameter 0 (member reflected (root https://www.npmjs.com/package/infer-sources))) | taint | StoredXss |
 | (parameter 0 (member regexpInj (root https://www.npmjs.com/package/infer-sources))) | data | RegExpInjection |
@@ -33,9 +29,7 @@
 | (parameter 0 (member xmlBomb (root https://www.npmjs.com/package/infer-sources))) | data | Xxe |
 | (parameter 0 (member xmlBomb (root https://www.npmjs.com/package/infer-sources))) | taint | XmlBomb |
 | (parameter 0 (member xmlBomb (root https://www.npmjs.com/package/infer-sources))) | taint | Xxe |
-| (parameter 0 (member xpathInj (root https://www.npmjs.com/package/infer-sources))) | data | InsecureRandomness |
 | (parameter 0 (member xpathInj (root https://www.npmjs.com/package/infer-sources))) | data | XpathInjection |
-| (parameter 0 (member xpathInj (root https://www.npmjs.com/package/infer-sources))) | taint | InsecureRandomness |
 | (parameter 0 (member xpathInj (root https://www.npmjs.com/package/infer-sources))) | taint | XpathInjection |
 | (parameter 0 (member xxe (root https://www.npmjs.com/package/infer-sources))) | data | XmlBomb |
 | (parameter 0 (member xxe (root https://www.npmjs.com/package/infer-sources))) | taint | XmlBomb |

javascript/ql/test/query-tests/Security/Summaries/ExtractSourceSummaries.expected

@@ -1,15 +1,11 @@
 | (parameter 0 (parameter 0 (member listen (root https://www.npmjs.com/package/infer-sources)))) | taint | ClientSideUrlRedirect |
 | (parameter 0 (parameter 0 (member listen (root https://www.npmjs.com/package/infer-sources)))) | taint | CodeInjection |
 | (parameter 0 (parameter 0 (member listen (root https://www.npmjs.com/package/infer-sources)))) | taint | CommandInjection |
-| (parameter 0 (parameter 0 (member listen (root https://www.npmjs.com/package/infer-sources)))) | taint | ConditionalBypass |
-| (parameter 0 (parameter 0 (member listen (root https://www.npmjs.com/package/infer-sources)))) | taint | CorsMisconfigurationForCredentials |
-| (parameter 0 (parameter 0 (member listen (root https://www.npmjs.com/package/infer-sources)))) | taint | DifferentKindsComparisonBypass |
 | (parameter 0 (parameter 0 (member listen (root https://www.npmjs.com/package/infer-sources)))) | taint | DomBasedXss |
 | (parameter 0 (parameter 0 (member listen (root https://www.npmjs.com/package/infer-sources)))) | taint | NosqlInjection |
 | (parameter 0 (parameter 0 (member listen (root https://www.npmjs.com/package/infer-sources)))) | taint | ReflectedXss |
 | (parameter 0 (parameter 0 (member listen (root https://www.npmjs.com/package/infer-sources)))) | taint | RegExpInjection |
 | (parameter 0 (parameter 0 (member listen (root https://www.npmjs.com/package/infer-sources)))) | taint | RemotePropertyInjection |
-| (parameter 0 (parameter 0 (member listen (root https://www.npmjs.com/package/infer-sources)))) | taint | RequestForgery |
 | (parameter 0 (parameter 0 (member listen (root https://www.npmjs.com/package/infer-sources)))) | taint | ServerSideUrlRedirect |
 | (parameter 0 (parameter 0 (member listen (root https://www.npmjs.com/package/infer-sources)))) | taint | SqlInjection |
 | (parameter 0 (parameter 0 (member listen (root https://www.npmjs.com/package/infer-sources)))) | taint | TaintedFormatString |

python/ql/src/Expressions/Comparisons/UselessComparisonTest.ql

@@ -15,6 +15,14 @@
 import python
 import semmle.python.Comparisons
 
+/* Holds if the comparison `comp` is of the complex form `a op b op c` and not of
+ * the simple form `a op b`.
+ */
+private predicate is_complex(Expr comp) {
+    exists(comp.(Compare).getOp(1))
+    or
+    is_complex(comp.(UnaryExpr).getOperand())
+}
 
 /** A test is useless if for every block that it controls there is another test that is at least as
  * strict and also controls that block.
@@ -22,7 +30,7 @@ import semmle.python.Comparisons
 private predicate useless_test(Comparison comp, ComparisonControlBlock controls, boolean isTrue) {
     controls.impliesThat(comp.getBasicBlock(), comp, isTrue) and
     /* Exclude complex comparisons of form `a < x < y`, as we do not (yet) have perfect flow control for those */
-    not exists(controls.getTest().getNode().(Compare).getOp(1))
+    not is_complex(controls.getTest().getNode())
 }
 
 private predicate useless_test_ast(AstNode comp, AstNode previous, boolean isTrue) {

python/ql/src/Statements/StatementNoEffect.ql

@@ -95,6 +95,14 @@ predicate in_raises_test(Expr e) {
     )
 }
 
+/** Holds if expression has the form of a Python 2 `print >> out, ...` statement */
+predicate python2_print(Expr e) {
+    e.(BinaryExpr).getLeft().(Name).getId() = "print" and
+    e.(BinaryExpr).getOp() instanceof RShift
+    or
+    python2_print(e.(Tuple).getElt(0))
+}
+
 predicate no_effect(Expr e) {
     not e instanceof StrConst and
     not ((StrConst)e).isDocString() and
@@ -107,7 +115,8 @@ predicate no_effect(Expr e) {
         not maybe_side_effecting_attribute(sub)
     ) and
     not in_notebook(e) and
-    not in_raises_test(e)
+    not in_raises_test(e) and
+    not python2_print(e)
 }
 
 from ExprStmt stmt

python/ql/src/semmle/python/dataflow/TaintTracking.qll

@@ -0,0 +1,3 @@
+/* For compatibility with other language implementations */
+
+import semmle.python.security.TaintTracking

python/ql/src/semmle/python/security/TaintTracking.qll

@@ -125,13 +125,6 @@ abstract class TaintKind extends string {
      */
     predicate additionalFlowStepVar(EssaVariable fromvar, EssaVariable tovar) { none() }
 
-    /** Holds if this kind of taint can start from `expr`.
-     * In other words, is `expr` a source of this kind of taint.
-     */
-    final predicate startsFrom(ControlFlowNode expr) {
-        expr.(TaintSource).isSourceOf(this, _)
-    }
-
     /** Holds if this kind of taint "taints" `expr`.
      */
     final predicate taints(ControlFlowNode expr) {
@@ -318,6 +311,18 @@ abstract class Sanitizer extends string {
 
 }
 
+/** Hold if `sanitizer` is valid. A sanitizer is valid if there is
+ * a `TaintTracking::Configuration` that declares `sanitizer` or
+ * there are no `TaintTracking::Configuration`s.
+ */
+private predicate valid_sanitizer(Sanitizer sanitizer) {
+    not exists(TaintTracking::Configuration c)
+    or
+    exists(DataFlow::Configuration c | c.isSanitizer(sanitizer))
+    or
+    exists(TaintTracking::Configuration c | c.isSanitizer(sanitizer))
+}
+
 /** DEPRECATED -- Use DataFlowExtension instead.
  *  An extension to taint-flow. For adding library or framework specific flows.
  * Examples include flow from a request to untrusted part of that request or
@@ -584,12 +589,19 @@ private newtype TTaintedNode =
             n.(TaintSource).isSourceOf(kind, context)
         )
         or
+        exists(DataFlow::Configuration config, TaintKind kind |
+            taint = TaintFlowImplementation::TTrackedTaint(kind) and
+            config.isSource(n) and context.getDepth() = 0 and
+            kind instanceof GenericFlowType
+        )
+        or
         TaintFlowImplementation::step(_, taint, context, n) and
         exists(TaintKind kind |
             kind = taint.(TaintFlowImplementation::TrackedTaint).getKind()
             or
             kind = taint.(TaintFlowImplementation::TrackedAttribute).getKind(_) |
             not exists(Sanitizer sanitizer |
+                valid_sanitizer(sanitizer) and
                 sanitizer.sanitizingNode(kind, n)
             )
         )
@@ -839,26 +851,37 @@ library module TaintFlowImplementation {
         or
         call_taint_step(fromnode, totaint, tocontext, tonode)
         or
-        fromnode.getNode().(DataFlowNode).getASuccessorNode() = tonode and
-        fromnode.getContext() = tocontext and
-        totaint = fromnode.getTrackedValue()
-        or
-        exists(CallNode call |
-            fromnode.getNode().(DataFlowNode).getAReturnSuccessorNode(call) = tonode and
-            fromnode.getContext() = tocontext.getCallee(call) and
+        exists(DataFlowNode fromnodenode |
+            fromnodenode = fromnode.getNode() and
+            (
+                not exists(TaintTracking::Configuration c)
+                or
+                exists(DataFlow::Configuration c | c.isExtension(fromnodenode))
+                or
+                exists(TaintTracking::Configuration c | c.isExtension(fromnodenode))
+            )
+            |
+            fromnodenode.getASuccessorNode() = tonode and
+            fromnode.getContext() = tocontext and
             totaint = fromnode.getTrackedValue()
-        )
-        or
-        exists(CallNode call |
-            fromnode.getNode().(DataFlowNode).getACalleeSuccessorNode(call) = tonode and
-            fromnode.getContext().getCallee(call) = tocontext and
-            totaint = fromnode.getTrackedValue()
-        )
-        or
-        exists(TaintKind tokind |
-            fromnode.getNode().(DataFlowNode).getASuccessorNode(fromnode.getTaintKind(), tokind) = tonode and
-            totaint = fromnode.getTrackedValue().toKind(tokind) and
-            tocontext = fromnode.getContext()
+            or
+            exists(CallNode call |
+                fromnodenode.getAReturnSuccessorNode(call) = tonode and
+                fromnode.getContext() = tocontext.getCallee(call) and
+                totaint = fromnode.getTrackedValue()
+            )
+            or
+            exists(CallNode call |
+                fromnodenode.getACalleeSuccessorNode(call) = tonode and
+                fromnode.getContext().getCallee(call) = tocontext and
+                totaint = fromnode.getTrackedValue()
+            )
+            or
+            exists(TaintKind tokind |
+                fromnodenode.getASuccessorNode(fromnode.getTaintKind(), tokind) = tonode and
+                totaint = fromnode.getTrackedValue().toKind(tokind) and
+                tocontext = fromnode.getContext()
+            )
         )
         or
         exists(TaintKind tokind |
@@ -1038,8 +1061,18 @@ library module TaintFlowImplementation {
             prev.(DataFlowVariable).getASuccessorVariable() = var
         )
         or
-        origin.getNode().(DataFlowNode).getASuccessorVariable() = var and
-        context = origin.getContext()
+        exists(DataFlowNode originnode |
+            originnode = origin.getNode() and
+            (
+                not exists(TaintTracking::Configuration c)
+                or
+                exists(DataFlow::Configuration c | c.isExtension(originnode))
+                or
+                exists(TaintTracking::Configuration c | c.isExtension(originnode))
+            ) and
+            originnode.getASuccessorVariable() = var and
+            context = origin.getContext()
+        )
         or
         exists(TrackedTaint taint, EssaVariable prev |
             tainted_var(prev, context, origin) and
@@ -1062,6 +1095,7 @@ library module TaintFlowImplementation {
             exists(TaintKind kind |
                 kind = origin.getTaintKind() and
                 not exists(Sanitizer san |
+                    valid_sanitizer(san) |
                     san.sanitizingDefinition(kind, def)
                     or
                     san.sanitizingNode(kind, def.(EssaNodeDefinition).getDefiningNode())
@@ -1184,6 +1218,7 @@ library module TaintFlowImplementation {
         exists(TaintKind kind |
             kind = origin.getTaintKind() |
             not exists(FunctionObject callee, Sanitizer sanitizer |
+                valid_sanitizer(sanitizer) and
                 callee.getACall() = call.getCall() and
                 sanitizer.sanitizingCall(kind, callee)
             )
@@ -1197,6 +1232,7 @@ library module TaintFlowImplementation {
             var = test.getInput() and
             tainted_var(var, context, origin) and
             not exists(Sanitizer sanitizer |
+                valid_sanitizer(sanitizer) and
                 sanitizer.sanitizingEdge(kind, test)
             )
             |
@@ -1246,6 +1282,7 @@ library module TaintFlowImplementation {
             var = uniphi.getInput() and
             tainted_var(var, context, origin) and
             not exists(Sanitizer sanitizer |
+                valid_sanitizer(sanitizer) and
                 sanitizer.sanitizingSingleEdge(kind, uniphi)
             )
         )
@@ -1438,6 +1475,109 @@ class CallContext extends TCallContext {
 
 }
 
+
+/** Data flow module providing an interface compatible with
+ * the other language implementations.
+ */
+module DataFlow {
+
+    class FlowType = TaintKind;
+
+    /** Generic taint kind, source and sink classes for convenience and
+     * compatibility with other language libraries
+     */
+
+    class Node = ControlFlowNode;
+
+    class PathNode = TaintedNode;
+
+    class Extension = DataFlowExtension::DataFlowNode;
+
+    abstract class Configuration extends string {
+
+        bindingset[this]
+        Configuration() { this = this }
+
+        abstract predicate isSource(Node source);
+
+        abstract predicate isSink(Node sink);
+
+        predicate isSanitizer(Sanitizer sanitizer) { none() }
+
+        predicate isExtension(Extension extension) { none() }
+
+        predicate hasFlowPath(PathNode source, PathNode sink) {
+            this.isSource(source.getNode()) and
+            this.isSink(sink.getNode()) and
+            source.getTaintKind() instanceof GenericFlowType and
+            sink.getTaintKind() instanceof GenericFlowType
+        }
+
+        predicate hasFlow(Node source, Node sink) {
+            exists(PathNode psource, PathNode psink |
+                psource.getNode() = source and
+                psink.getNode() = sink and
+                this.isSource(source) and
+                this.isSink(sink) and
+                this.hasFlowPath(psource, psink)
+            )
+        }
+
+    }
+
+}
+
+private class GenericFlowType extends DataFlow::FlowType {
+
+    GenericFlowType() {
+        this = "Generic taint kind"  and
+        exists(DataFlow::Configuration c)
+    }
+
+}
+
+module TaintTracking {
+
+    class Source = TaintSource;
+
+    class Sink = TaintSink;
+
+    class PathSource = TaintedPathSource;
+
+    class PathSink = TaintedPathSink;
+
+    class Extension = DataFlowExtension::DataFlowNode;
+
+    abstract class Configuration extends string {
+
+        bindingset[this]
+        Configuration() { this = this }
+
+        abstract predicate isSource(Source source);
+
+        abstract predicate isSink(Sink sink);
+
+        predicate isSanitizer(Sanitizer sanitizer) { none() }
+
+        predicate isExtension(Extension extension) { none() }
+
+        predicate hasFlowPath(PathSource source, PathSink sink) {
+            this.isSource(source.getNode()) and
+            this.isSink(sink.getNode()) and
+            source.flowsTo(sink)
+        }
+
+        predicate hasFlow(Source source, Sink sink) {
+            this.isSource(source) and
+            this.isSink(sink) and
+            source.flowsToSink(sink)
+        }
+
+    }
+
+}
+
+
 pragma [noinline]
 private predicate dict_construct(ControlFlowNode itemnode, ControlFlowNode dictnode) {
     dictnode.(DictNode).getAValue() = itemnode

python/ql/test/2/library-tests/locations/strings/test.expected

@@ -5,7 +5,7 @@
 | 16 | 5 | 17 | 7 | ef |
 | 21 | 1 | 21 | 8 | string |
 | 24 | 1 | 24 | 10 | \n\n\n\n |
-| 27 | 1 | 27 | 14 | \\u0123\\u1234 |
+| 27 | 1 | 27 | 14 | \u0123\u1234 |
 | 30 | 1 | 30 | 9 | word |
 | 33 | 1 | 33 | 14 | \n\n\n\n0 |
 | 36 | 1 | 39 | 3 | \nline 0\nline 1\n |

python/ql/test/2/query-tests/Imports/encoding_error/EncodingError.expected

@@ -1 +0,0 @@
-| EncodingError.py:5:8:5:8 | Encoding Error | 'ascii' codec can't decode byte 0xc3 in position 47: ordinal not in range(128) |

python/ql/test/2/query-tests/Imports/syntax_error/EncodingError.expected

@@ -1 +1 @@
-| bad_encoding.py:11:19:11:19 | Encoding Error | 'ascii' codec can't decode byte 0x82 in position 82: ordinal not in range(128) |
+| bad_encoding.py:11:19:11:19 | Encoding Error | 'utf8' codec can't decode byte 0x82 in position 82: invalid start byte |

python/ql/test/2/query-tests/Imports/syntax_error/SyntaxError.expected

@@ -1 +1 @@
-| nonsense.py:1:1:1:1 | Syntax Error | Syntax Error (in Python 2.7). |
+| nonsense.py:1:14:1:14 | Syntax Error | Syntax Error (in Python 2.7). |

python/ql/test/2/query-tests/Imports/syntax_error/nonsense.py

@@ -1,4 +1,4 @@
- `Twas brillig, and the slithy toves
+`Twas brillig, and the slithy toves
   Did gyre and gimble in the wabe:
 All mimsy were the borogoves,
   And the mome raths outgrabe.

python/ql/test/query-tests/Expressions/comparisons/test.py

@@ -86,3 +86,8 @@ def odasa6782_v3(protocol):
         pass
     else:
         raise ValueError()
+
+#Inverted complex test
+if not (0 > stop >= step) and stop < 0:
+    pass
+

python/ql/test/query-tests/Statements/no_effect/test.py

@@ -133,3 +133,7 @@ def do_action(action):
         stop()
     else:
         raise ValueError(action)
+
+#Python 2 print
+print >> out, message
+